number is the cookie value plus one. Because the cookie uses a hash involving
the server’s secret key, attackers should not be able to guess the correct cookie
values. However, because of performance concerns and some incompatibilities
with TCP extensions, such as large windows, operating systems generally do
not activate the SYN cookie mechanism until the host’s SYN queue fills up. An
attacker sending spoofed traffic at a low rate may avoid triggering the SYN
cookie mechanism. Administrators may be able to forcibly enable SYN cookies
for all connections, but should be aware of the side effects
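
The cookie check described above can be sketched as follows. This is an added example, not code from the original text or from any operating system: the 5-bit counter / 3-bit MSS index / 24-bit MAC layout, the MSS table, the 64-second counter and all addresses are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Assumed table: only 3 bits of the cookie are left to remember the client's MSS.
MSS_TABLE = (216, 536, 768, 996, 1220, 1300, 1440, 1460)
COUNTER_SECONDS = 64          # assumed: the time counter ticks every 64 s
MASK32 = 0xFFFFFFFF


def _mac24(secret, conn, counter):
    """24-bit keyed hash over the 4-tuple, the client ISN and the time counter."""
    msg = "|".join(str(field) for field in (*conn, counter)).encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, conn, client_mss, now):
    """Server sequence number for the SYN-ACK; no per-connection state is stored."""
    counter = int(now) // COUNTER_SECONDS
    # Largest table entry not exceeding the client's MSS (index 0 if none fits).
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((counter & 0x1F) << 27) | (idx << 24) | _mac24(secret, conn, counter)


def check_ack(secret, conn, ack_number, now):
    """Return the recovered MSS if ack_number is a valid cookie plus one, else None."""
    cookie = (ack_number - 1) & MASK32
    idx, mac = (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = int(now) // COUNTER_SECONDS
    for counter in (current, current - 1):      # current and previous time window
        if (counter & 0x1F) != (cookie >> 27):
            continue
        expected = _mac24(secret, conn, counter)
        if hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            # Only the MSS survives; window scaling and other SYN options
            # were never stored, which is the incompatibility noted above.
            return MSS_TABLE[idx]
    return None


if __name__ == "__main__":
    key = b"constructed-server-secret"                        # constructed sample key
    conn = ("198.51.100.7", 40000, "203.0.113.10", 443, 123456789)  # constructed
    isn = make_cookie(key, conn, client_mss=1400, now=1_000_000)
    print(check_ack(key, conn, (isn + 1) & MASK32, now=1_000_000))
```

On Linux, for instance, the `net.ipv4.tcp_syncookies` sysctl accepts the value 2 to send cookies unconditionally rather than only when the SYN queue overflows.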