On Wed, 01 Oct 2008 14:52:29 +0200
Leon Dippenaar wrote:
> Hi there,
Seems possible. Here: http://cr.yp.to/syncookies/archive
you will find the passage
"
An attack would still need to know our random secret in order to
spoof a connection without seeing any of our outgoing traffic.
If an attacker can see our outgoing traffic, then they will be
able to spoof a connection, but they could have done that anyway,
even under the secure sequence number scheme we currently use.
"
and here: http://it.slashdot.org/it/08/10/01/0127245.shtml
"
Sockstress computes and stores so-called client-side SYN cookies and enables Lee and Louis to specify a destination port and IP address. The method allows them to complete the TCP handshake without having to store any values, which takes time and resources. "We can then say that we want to establish X number of TCP connections on that address and that we want to use this attack type, and it does it," Lee said.
"
we have the implication(?) that the exploit samples the target server
for a number of SYN cookies that will allow them to crack the 24-bit
'secret' hash that the server is using. Once that is done, they
can then forge a large number of packets from random IP addresses
that look like correct client acks of the server's syn cookie.
A server might counter by using a new secret hash for each session
request (leaving it open to a resource-hog attack) or use a sequential
mod of its hash for each new request made...
Dhu
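
For reference, a sketch of the server-side mechanism this message discusses, added here as an example and not taken from the thread or from any kernel source: a stateless cookie carrying a 24-bit keyed hash, validated against the current and previous secret so that rotating the secret does not break handshakes already in flight. The 8-bit time slot plus 24-bit MAC layout, the HMAC-SHA256 choice, the constants and all names are assumptions; real implementations also encode the MSS and differ in detail.

```python
import hashlib
import hmac
import socket
import struct

COUNTER_PERIOD = 64   # seconds per time slot (assumed value)
MAX_AGE = 2           # accept cookies at most this many slots old (assumed)

def _mac24(secret, saddr, sport, daddr, dport, client_isn, slot):
    """24-bit keyed hash over the connection 4-tuple, client ISN and slot."""
    msg = (socket.inet_aton(saddr) + socket.inet_aton(daddr)
           + struct.pack("!HHII", sport, dport, client_isn, slot))
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]

def make_cookie(secret, flow, client_isn, now):
    """Build the 32-bit value the server sends as its initial sequence number."""
    slot = int(now) // COUNTER_PERIOD
    mac = int.from_bytes(_mac24(secret, *flow, client_isn, slot), "big")
    return ((slot & 0xFF) << 24) | mac

def check_cookie(secrets, flow, client_isn, cookie, now):
    """Validate a cookie echoed in the client's ACK without stored state.

    `secrets` holds the current secret first, then the previous one, so a
    rotation leaves a grace window for handshakes already in progress.
    """
    cur = int(now) // COUNTER_PERIOD
    age = (cur - (cookie >> 24)) & 0xFF      # slots elapsed, modulo 256
    if age > MAX_AGE:
        return False                         # stale or replayed cookie
    slot = cur - age
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    return any(hmac.compare_digest(got, _mac24(s, *flow, client_isn, slot))
               for s in secrets)

# Constructed sample values (documentation address ranges, made-up secrets).
FLOW = ("192.0.2.10", 40000, "198.51.100.7", 80)
CLIENT_ISN = 0x1A2B3C4D
OLD_SECRET = b"constructed-secret-old"
NEW_SECRET = b"constructed-secret-new"
T0 = 1222865549

if __name__ == "__main__":
    c = make_cookie(OLD_SECRET, FLOW, CLIENT_ISN, T0)
    print(hex(c), check_cookie([NEW_SECRET, OLD_SECRET], FLOW, CLIENT_ISN, c, T0 + 64))
```

Because only 24 bits of the cookie are keyed, the check bounds how long a cookie stays valid (`MAX_AGE`), and dropping the previous secret immediately after rotation would reject legitimate ACKs still in transit.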
