Abstract
In October 2000, the Internet Engineering Task Force (IETF) published the specification of SCTP (Stream Control Transmission Protocol), a new transport layer protocol. SCTP uses a cryptographic cookie mechanism to protect itself against denial-of-service attacks targeting the association startup procedure. The basic idea of the cookie mechanism is not new, however: a similar mechanism for TCP was proposed in 1996 and has been implemented in the TCP protocol engines of several operating systems. The TCP SYN cookie mechanism has not been published as an RFC, probably because it requires no changes to the existing TCP specification. This paper introduces the problem of DoS attacks against transport layer protocols and presents the basic idea of the cookie approach. The specific implementations of this idea for TCP and for SCTP are explained and compared, in particular with respect to the fact that for TCP the mechanism had to fit into the existing protocol specification, whereas SCTP was designed from scratch with the cookie mechanism in mind.
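To make the cookie idea concrete, here is an added Python model of the SCTP State Cookie in the four-way association setup (illustrative code written for this page, not from the paper or any SCTP stack). It assumes HMAC-SHA256 over a constructed, reduced parameter set (peer verification tag, receiver window, port, issue time); a real implementation packs the full TCB parameters but the property is the same: the server allocates nothing on INIT, and only a cookie that verifies and is still within its lifetime creates state.

```python
import hashlib, hmac, os, struct, time

SECRET = os.urandom(32)     # per-server secret; real stacks rotate it periodically
COOKIE_LIFE = 60            # seconds a cookie stays valid (SCTP's Valid.Cookie.Life)
FMT = "!IIHI"               # constructed layout: peer tag, peer rwnd, peer port, issue time
MAC_LEN = hashlib.sha256().digest_size

def on_init(peer_tag, peer_rwnd, peer_port, now=None):
    """INIT -> INIT-ACK. The server packs what it will later need to build the
    TCB, appends an HMAC under its secret and returns the blob as the State
    Cookie. It allocates nothing: the cookie is the only record of the request."""
    now = int(time.time()) if now is None else now
    body = struct.pack(FMT, peer_tag, peer_rwnd, peer_port, now)
    return body + hmac.new(SECRET, body, hashlib.sha256).digest()

def on_cookie_echo(cookie, tcbs, now=None):
    """COOKIE-ECHO -> COOKIE-ACK. Only a cookie whose MAC verifies and whose
    lifetime has not expired causes a TCB to be created. Returns True on success."""
    now = int(time.time()) if now is None else now
    if len(cookie) != struct.calcsize(FMT) + MAC_LEN:
        return False                       # malformed cookie
    body, mac = cookie[:-MAC_LEN], cookie[-MAC_LEN:]
    expected = hmac.new(SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False                       # forged or tampered cookie
    peer_tag, peer_rwnd, peer_port, issued = struct.unpack(FMT, body)
    if not issued <= now <= issued + COOKIE_LIFE:
        return False                       # stale cookie (or a future-dated one)
    tcbs[peer_tag] = {"rwnd": peer_rwnd, "port": peer_port}   # state created only here
    return True

def run_handshake(now=1000, delay=5):
    """Complete exchange for one peer; returns (accepted, server TCB table)."""
    tcbs = {}
    cookie = on_init(0x1234, 1500, 5000, now=now)        # INIT -> INIT-ACK (no state)
    ok = on_cookie_echo(cookie, tcbs, now=now + delay)    # COOKIE-ECHO -> COOKIE-ACK
    return ok, tcbs

if __name__ == "__main__":
    print(run_handshake())
```

A flood of INIT chunks that never echo their cookies therefore leaves the TCB table empty, which is the whole point of the mechanism.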