[openssl-dev] [openssl.org #4271] Enhancement Request: Support TCP Fast Open

Salz, Rich rsalz at akamai.com
Wed Jan 27 19:20:04 UTC 2016


> Please explain.  The traffic can only come from the party who initially obtains
> the cookie in a full round-trip.  How does the botnet DoS some third party
> with this?

An attacker wants to bring down an Akamai host.  They connect to one of our servers with the fast-open option and get the cookie.  They then spread that cookie all over the internet and zillions of bots connect.  Our server spawns zillions of threads and starts to do some work, or the TCP queue fills up.  I can't filter on IP address to stop the attack because the client IP address is bogus.

It's just like a DNS/UDP attack, except at the TCP layer, which much software is not prepared to handle.

