TCP Cookie Transactions (TCPCT) is specified in RFC 6013 (historic status, formerly experimental) as an extension of the Transmission Control Protocol (TCP) intended to secure it against denial-of-service attacks, such as resource exhaustion by SYN flooding and malicious connection termination by third parties. Unlike the original SYN cookies approach, TCPCT does not conflict with other TCP extensions, but it requires TCPCT support in the client (initiator) as well as the server (responder) TCP stack.
The immediate motivation for the TCPCT extension was the deployment of the DNSSEC protocol. Prior to DNSSEC, DNS requests primarily used short UDP packets, but due to the size of DNSSEC exchanges and the shortcomings of IP fragmentation, UDP is less practical for DNSSEC. Thus DNSSEC-enabled requests create a large number of short-lived TCP connections.
TCPCT avoids resource exhaustion on the server side by not allocating ''any'' per-connection resources until the completion of the three-way handshake. Additionally, TCPCT allows the server to release memory as soon as the connection closes, rather than retaining it for the TIME-WAIT period; responsibility for enforcing that delay before reusing the connection falls to the client.
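As an added illustration (not code from RFC 6013, the Linux implementation, or any real TCP stack), the following Python sketch contrasts a responder that allocates a half-open entry for every SYN with one that, like TCPCT and SYN cookies, stores nothing until the initiator echoes a keyed cookie. The cookie construction (truncated HMAC over the peer tuple), the epoch-based expiry window, the backlog size and the addresses are assumptions of the demo, not the RFC's wire format. The spoofed-source flood is constructed data.

```python
import hashlib
import hmac
import os


class StatefulResponder:
    """Conventional server: one half-open entry per SYN, bounded by a backlog."""

    def __init__(self, backlog=4):
        self.backlog = backlog
        self.half_open = set()
        self.established = set()

    def on_syn(self, addr, port, isn):
        if len(self.half_open) >= self.backlog:
            return False  # backlog full: the SYN is dropped
        self.half_open.add((addr, port, isn))  # state allocated before any proof
        return True

    def on_ack(self, addr, port, isn):
        key = (addr, port, isn)
        if key not in self.half_open:
            return False
        self.half_open.remove(key)
        self.established.add((addr, port))
        return True


class CookieResponder:
    """Cookie-based server: answers every SYN with a keyed cookie and retains
    nothing; a connection exists only once an ACK echoes a cookie that verifies.
    'epoch' is an assumed coarse clock that lets old cookies expire."""

    COOKIE_LEN = 8  # truncated MAC length, an assumption of this demo

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)
        self.established = set()
        self.syns_seen = 0

    def cookie_for(self, addr, port, isn, epoch):
        msg = f"{addr}|{port}|{isn}|{epoch}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[: self.COOKIE_LEN]

    def on_syn(self, addr, port, isn, epoch):
        self.syns_seen += 1
        return self.cookie_for(addr, port, isn, epoch)  # returned, never stored

    def on_ack(self, addr, port, isn, cookie, now):
        for epoch in (now, now - 1):  # current and previous epoch are valid
            if hmac.compare_digest(cookie, self.cookie_for(addr, port, isn, epoch)):
                self.established.add((addr, port))
                return True
        return False


LEGIT = ("203.0.113.7", 50000, 12345)  # constructed legitimate client


def syn_flood(responder, n, epoch=None):
    """n SYNs from constructed, spoofed sources that never send the final ACK."""
    for i in range(n):
        addr, port, isn = f"198.51.100.{i % 250}", 1024 + i, i * 7919
        if epoch is None:
            responder.on_syn(addr, port, isn)
        else:
            responder.on_syn(addr, port, isn, epoch)


def run_stateful(n_spoofed=1000, backlog=4):
    """After the flood, can a legitimate client still connect?"""
    r = StatefulResponder(backlog)
    syn_flood(r, n_spoofed)
    if not r.on_syn(*LEGIT):
        return {"half_open": len(r.half_open), "legit_connected": False}
    return {"half_open": len(r.half_open), "legit_connected": r.on_ack(*LEGIT)}


def run_cookie(n_spoofed=1000, epoch=100):
    """Same flood against the cookie responder, plus a forged and a stale ACK."""
    r = CookieResponder()
    syn_flood(r, n_spoofed, epoch)
    state_after_flood = len(r.established)
    cookie = r.on_syn(*LEGIT, epoch)
    return {
        "syns_seen": r.syns_seen,
        "state_after_flood": state_after_flood,
        "legit_connected": r.on_ack(*LEGIT, cookie, now=epoch),
        "forged_accepted": r.on_ack("203.0.113.8", 50001, 99, bytes(8), now=epoch),
        "stale_accepted": r.on_ack(*LEGIT, cookie, now=epoch + 5),
    }


if __name__ == "__main__":
    print("stateful:", run_stateful())
    print("cookie:  ", run_cookie())
```

Running it shows the stateful responder's backlog filled by the first few spoofed SYNs, after which the legitimate client cannot connect, while the cookie responder answers all thousand SYNs holding zero entries, accepts the legitimate ACK, and rejects both a guessed cookie and a genuine cookie replayed after the epoch window. Real TCPCT additionally has the initiator contribute its own cookie and lets the cookie exchange carry data; that is omitted here.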
TCPCT support was partly merged into the Linux kernel in December 2009, but was removed in May 2013 because it was never fully implemented and had a performance cost.
TCPCT was deprecated in 2016 in favor of TCP Fast Open, and the status of the original RFC was changed to "historic".
See also
* SYN cookies
* T/TCP (Transactional TCP)
* TCP Fast Open