Martin Casado, Pei Cao, Niels Provos
Flow-cookies extends SYN cookies by placing a secure, limited-lifetime cookie within the TCP timestamp of every outgoing data packet from the protected server. The router verifies that all incoming packets have valid cookies (are part of an established flow) before passing them on to the server. Flow-cookies does not require modification to clients, is resistant to source spoofing, and leverages existing client-provider relationships on the Internet. We have implemented flow-cookies within an existing software router and verified its compatibility with popular client operating systems and widely used public web sites.
The paper in PDF is here.
The PowerPoint presentation is here.
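A minimal sketch of the check described in the abstract, added here as an illustration and not taken from the paper or its router implementation. The HMAC construction, the key, the 64-second epoch, the sample addresses and all function names are assumptions; the sketch relies only on the standard TCP behaviour that a peer echoes the last TSval it received in the TSecr field.

```python
import hashlib
import hmac
import socket
import struct

EPOCH_SECONDS = 64                    # assumed cookie lifetime granularity
ROUTER_KEY = b"constructed-demo-key"  # constructed secret, known only to the router
CLIENT = ("198.51.100.7", 40000)      # constructed sample flow (documentation addresses)
SERVER = ("203.0.113.10", 80)

def flow_cookie(key, client, server, epoch):
    """32-bit MAC over the flow 4-tuple and a time epoch (assumed construction)."""
    msg = (socket.inet_aton(client[0]) + socket.inet_aton(server[0])
           + struct.pack("!HHQ", client[1], server[1], epoch))
    return struct.unpack("!I", hmac.new(key, msg, hashlib.sha256).digest()[:4])[0]

def stamp_outgoing(key, client, server, now):
    """Server-to-client direction: value the router writes into TSval."""
    return flow_cookie(key, client, server, now // EPOCH_SECONDS)

def verify_incoming(key, client, server, tsecr, now):
    """Client-to-server direction: forward only if the echoed TSecr is a cookie
    for this 4-tuple from the current or the previous epoch."""
    epoch = now // EPOCH_SECONDS
    ok = False
    for e in (epoch, epoch - 1):
        if e < 0:
            continue
        expected = flow_cookie(key, client, server, e)
        # Constant-time comparison; no early exit, so both epochs cost the same.
        ok |= hmac.compare_digest(struct.pack("!I", expected),
                                  struct.pack("!I", tsecr))
    return ok

if __name__ == "__main__":
    now = 1_000_000
    ts = stamp_outgoing(ROUTER_KEY, CLIENT, SERVER, now)
    spoofed = ("192.0.2.99", 40000)   # constructed: same cookie, different source
    print("echoed by the real client:",
          verify_incoming(ROUTER_KEY, CLIENT, SERVER, ts, now))
    print("replayed from a spoofed source:",
          verify_incoming(ROUTER_KEY, spoofed, SERVER, ts, now))
    print("replayed after two epochs:",
          verify_incoming(ROUTER_KEY, CLIENT, SERVER, ts, now + 2 * EPOCH_SECONDS))
```

Because the cookie is bound to the 4-tuple and the epoch, the router keeps no per-flow state; with a 32-bit field and two accepted epochs, a blind guess succeeds with probability of about 2 in 2^32 per packet.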