Which statement is true about SYN cookies?
A. The state is kept in the server machine's TCP stack.
B. A system has to check every incoming ACK against state tables.
C. SYN cookies do not help to protect against SYN flood attacks.
D. No state is kept on the server machine; it is embedded in the initial sequence number.
Explanation:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_zbf/configuration/xe-3s/sec-data-zbf-xe-book/conf-fw-tcp-syn-cookie.html
The Firewall TCP SYN Cookie feature helps prevent SYN-flooding attacks by intercepting
and validating TCP connection requests. The firewall intercepts TCP SYN packets that are
sent from clients to servers. When the TCP SYN cookie is triggered, it acts on all SYN
packets that are destined to the configured VPN Routing and Forwarding (VRF) or zone.
The TCP SYN cookie establishes a connection with the client on behalf of the destination
server and another connection with the server on behalf of the client and knits together
the two half-connections transparently. Thus, connection attempts from unreachable
hosts will never reach the server. The TCP SYN cookie intercepts and forwards packets
throughout the duration of the connection.