TCP Cookie Transactions
In computer networking, TCP Cookie Transactions (TCPCT) is an extension of the Transmission Control Protocol (TCP) intended to secure it against denial-of-service attacks, such as resource exhaustion by SYN flooding and malicious connection termination by third parties. Unlike the original SYN cookies approach, TCPCT does not conflict with other TCP extensions, but it requires TCPCT support in the client (initiator) as well as the server (responder) TCP stack.

The immediate reason for the TCPCT extension is the deployment of the DNSSEC protocol. Prior to DNSSEC, DNS requests primarily used short UDP packets, but because of the size of DNSSEC exchanges and the shortcomings of IP fragmentation, UDP is no longer suitable. DNSSEC-enabled requests therefore create a large number of short-lived TCP connections.

TCPCT avoids resource exhaustion on the server side by not allocating any resources until the three-way handshake has completed. Additionally, TCPCT allows the server to release the connection's memory immediately after the connection closes, even though the connection persists in the TIME-WAIT state.
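The following is an added illustration of the first property above (no server-side state until the handshake completes), not code from the article, the Linux kernel, or the TCPCT specification: it is a simplified cookie-validated handshake in which the responder answers every SYN with a keyed cookie derived from the 4-tuple and a time slot, stores nothing, and allocates a connection record only when a third packet echoes a valid, fresh cookie. The cookie size, key handling, time window, and all traffic are constructed assumptions, not the real wire format.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

FourTuple = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

class Responder:
    """Server side of a cookie-validated handshake (simplified model)."""

    def __init__(self, secret: Optional[bytes] = None, window: int = 60) -> None:
        self.secret = secret or os.urandom(32)   # a real stack rotates this key
        self.window = window                     # seconds a cookie stays fresh
        self.connections: Dict[FourTuple, dict] = {}  # the only allocated state
        self.rejected = 0

    def _cookie(self, tup: FourTuple, slot: int) -> bytes:
        # Keyed MAC over the 4-tuple and a coarse time slot; 8 bytes is this model's size.
        msg = repr((tup, slot)).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:8]

    def on_syn(self, tup: FourTuple, now: float) -> bytes:
        # Nothing is stored here: the cookie itself carries what the ACK must prove.
        return self._cookie(tup, int(now // self.window))

    def on_ack(self, tup: FourTuple, cookie: bytes, now: float) -> bool:
        # Accept the current and the previous slot so a slow client is not rejected.
        slot = int(now // self.window)
        for s in (slot, slot - 1):
            if hmac.compare_digest(cookie, self._cookie(tup, s)):
                self.connections[tup] = {"established_at": now}  # allocate only now
                return True
        self.rejected += 1
        return False

def simulate() -> dict:
    """Constructed traffic: a spoofed SYN flood, one honest client, two bad ACKs."""
    srv = Responder(secret=b"constructed-demo-secret")
    for i in range(10_000):  # 10k SYNs from spoofed sources; no ACK ever follows
        srv.on_syn((f"10.0.{i // 256}.{i % 256}", 40000 + i % 1000, "192.0.2.1", 53), 1000.0)
    state_after_flood = len(srv.connections)
    client = ("198.51.100.7", 51515, "192.0.2.1", 53)
    cookie = srv.on_syn(client, 1000.0)
    legit = srv.on_ack(client, cookie, 1000.5)             # honest echo: accepted
    forged = srv.on_ack(("198.51.100.8", 1, "192.0.2.1", 53), b"\x00" * 8, 1000.5)
    stale = srv.on_ack(client, cookie, 1000.0 + 3 * 60)   # replayed three slots later
    return {"state_after_flood": state_after_flood, "legit": legit, "forged": forged,
            "stale": stale, "established": len(srv.connections), "rejected": srv.rejected}

if __name__ == "__main__":
    print(simulate())
```

The flood leaves the connection table empty, which is the resource-exhaustion defence the article describes; the TIME-WAIT memory release is a separate mechanism that this model does not cover.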

TCPCT support was partly merged into the Linux kernel in December 2009, and is included in the 2.6.33 release.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.