syncookies


typically pretty bad ISNs

trading tcp stream protection for better tcp service protection

tcp streams can live for a very long time
and no way to "fix" a bad ISN

syncookies implemented in FreeBSD