SYN cookies is a well-known method of protecting against a SYN attack.
SYN cookies protect against SYN attacks by employing the following strategies:
Not maintaining any state for half-open inbound TCP sessions, thus preventing the SYN attack from depleting memory resources.
SYN cookies can avoid keeping any state for half-open connections by responding to each SYN request with a SYN-ACK whose initial sequence number (ISN) is specially crafted; this value is called a cookie. The cookie is not a pseudo-random number generated by the system but the output of a hash function computed over the source IP, source port, destination IP, destination port, and some secret values. The cookie is verified when a valid third ACK that completes the handshake arrives. The verification ensures that the connection is legitimate and that the source IP address was not spoofed.
Employing the SYN cookies method at a lower point in the network stack than regular TCP handling, closer to the start of packet processing. This reduces the chance that a SYN attack will fill up the internal queues.
Performing SYN attack fingerprinting and alerting an administrator about a SYN attack as it occurs. This is implemented by keeping track of the rate at which half-open TCP connections are created, and sending an alert when the rate exceeds a certain threshold.
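The cookie construction and verification described above, as an added example that is not code from the original page or from any particular TCP stack. It assumes an illustrative 32-bit layout (a 5-bit time counter, a 3-bit MSS index, and a 24-bit keyed hash over the 4-tuple), a constructed secret, and a 64-second counter tick; real implementations choose their own layout and secret handling. No state is stored between the SYN-ACK and the third ACK: everything needed to validate the ACK is recomputed from the packet itself.

```python
import hashlib
import hmac
import ipaddress
import struct
import time

# Constructed secret for this example only; a real stack generates one at
# boot and never exposes it.
SECRET = b"example-only-secret"

# MSS values that can be encoded in 3 bits of the cookie (illustrative table).
MSS_TABLE = (536, 1300, 1440, 1460)

# Cookie layout (32 bits): 5-bit time counter | 3-bit MSS index | 24-bit hash
COUNTER_BITS, MSS_BITS, HASH_BITS = 5, 3, 24
TICK_SECONDS = 64  # the counter advances once every 64 seconds


def _counter(now):
    return int(now // TICK_SECONDS) & ((1 << COUNTER_BITS) - 1)


def _hash24(src_ip, src_port, dst_ip, dst_port, counter, mss_idx):
    """Keyed hash over the 4-tuple, the counter and the MSS index, truncated to 24 bits."""
    msg = struct.pack("!IIHHIB",
                      int(ipaddress.IPv4Address(src_ip)),
                      int(ipaddress.IPv4Address(dst_ip)),
                      src_port, dst_port, counter, mss_idx)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0] & ((1 << HASH_BITS) - 1)


def make_cookie(src_ip, src_port, dst_ip, dst_port, mss, now=None):
    """Build the ISN to send in the SYN-ACK; nothing is stored for the half-open connection."""
    now = time.time() if now is None else now
    counter = _counter(now)
    mss_idx = 0  # largest table entry not exceeding the peer's MSS
    for i, candidate in enumerate(MSS_TABLE):
        if candidate <= mss:
            mss_idx = i
    h = _hash24(src_ip, src_port, dst_ip, dst_port, counter, mss_idx)
    return (counter << (MSS_BITS + HASH_BITS)) | (mss_idx << HASH_BITS) | h


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, now=None, max_age_ticks=1):
    """Validate the third ACK of the handshake.

    Returns the MSS to use if the cookie is genuine and fresh, otherwise None
    (the ACK is dropped and no connection is created)."""
    now = time.time() if now is None else now
    cookie = (ack_number - 1) & 0xFFFFFFFF  # the peer acknowledges ISN + 1
    counter = cookie >> (MSS_BITS + HASH_BITS)
    mss_idx = (cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)
    h = cookie & ((1 << HASH_BITS) - 1)
    age = (_counter(now) - counter) & ((1 << COUNTER_BITS) - 1)
    if age > max_age_ticks:
        return None  # too old: a replayed or guessed cookie
    if mss_idx >= len(MSS_TABLE):
        return None  # index not produced by make_cookie
    expected = _hash24(src_ip, src_port, dst_ip, dst_port, counter, mss_idx)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), h.to_bytes(3, "big")):
        return None  # hash mismatch: forged cookie or spoofed source address
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    isn = make_cookie("203.0.113.5", 40000, "198.51.100.9", 443, 1460, now=t0)
    print("SYN-ACK ISN (cookie):", hex(isn))
    print("valid ACK    ->", check_cookie("203.0.113.5", 40000, "198.51.100.9", 443, isn + 1, now=t0))
    print("spoofed src  ->", check_cookie("203.0.113.6", 40000, "198.51.100.9", 443, isn + 1, now=t0))
    print("stale ACK    ->", check_cookie("203.0.113.5", 40000, "198.51.100.9", 443, isn + 1,
                                          now=t0 + 5 * TICK_SECONDS))
```

The time counter is what keeps the server's memory bounded even under a flood: an attacker who captures one valid SYN-ACK cannot replay its ISN indefinitely, and a source that never received the SYN-ACK (because the address was spoofed) cannot produce the correct acknowledgment number.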
In addition, when the SYN cookies mechanism is active, a hostile port scan might be misled into concluding that all TCP ports are open.
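The rate-based SYN attack fingerprinting described in the strategies above, as an added example that is not code from the original page or from any product. It assumes a simple sliding-window counter of half-open connection creations (one per SYN observed), a constructed log of SYN and ACK events, and an alert that fires once when the rate crosses the threshold and re-arms when it falls back below it.

```python
from collections import deque


class HalfOpenRateMonitor:
    """Sliding-window count of half-open connection creations (SYNs seen).

    Emits a single alert when the count in the window exceeds the threshold
    and re-arms once the count drops back to or below it."""

    def __init__(self, window_seconds=1.0, threshold=5):
        self.window = window_seconds
        self.threshold = threshold
        self._times = deque()
        self._alerting = False

    def observe_syn(self, t):
        """Record a SYN at time t; return an alert string or None."""
        self._times.append(t)
        # Drop creations that have left the window.
        while self._times and t - self._times[0] > self.window:
            self._times.popleft()
        rate = len(self._times)
        if rate > self.threshold:
            if not self._alerting:
                self._alerting = True
                return (f"ALERT t={t:.2f}: {rate} half-open connections created in "
                        f"the last {self.window:g}s (threshold {self.threshold})")
        else:
            self._alerting = False
        return None


# Constructed event log: timestamp, TCP flag, source, destination.
SAMPLE_LOG = """\
1700000000.00 SYN 203.0.113.5:40000 -> 198.51.100.9:443
1700000000.30 SYN 203.0.113.7:40001 -> 198.51.100.9:443
1700000000.31 ACK 203.0.113.7:40001 -> 198.51.100.9:443
1700000000.50 SYN 203.0.113.8:40002 -> 198.51.100.9:443
1700000000.52 SYN 203.0.113.9:40003 -> 198.51.100.9:443
1700000000.54 SYN 203.0.113.10:40004 -> 198.51.100.9:443
1700000000.56 SYN 203.0.113.11:40005 -> 198.51.100.9:443
1700000000.58 SYN 203.0.113.12:40006 -> 198.51.100.9:443
1700000005.00 SYN 203.0.113.13:40007 -> 198.51.100.9:443
"""


def parse_line(line):
    ts, kind, src, _arrow, dst = line.split()
    return float(ts), kind, src, dst


def run_monitor(log_text, window_seconds=1.0, threshold=5):
    """Feed SYN events from the log to the monitor; return [(timestamp, alert), ...]."""
    monitor = HalfOpenRateMonitor(window_seconds, threshold)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, _src, _dst = parse_line(line)
        if kind != "SYN":
            continue  # only SYNs create half-open connections
        alert = monitor.observe_syn(ts)
        if alert:
            alerts.append((ts, alert))
    return alerts


if __name__ == "__main__":
    for _ts, alert in run_monitor(SAMPLE_LOG):
        print(alert)
```

Running the sample produces one alert at the sixth SYN within the one-second window; the burst of SYNs from distinct sources that never complete the handshake is the pattern an administrator wants to be told about, and the threshold and window should be tuned to the server's normal connection rate.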