This post focuses on one of the most common and easiest-to-execute DoS attacks, known as SYN flooding. The idea behind SYN flooding is to flood the target system with TCP connection requests from spoofed source addresses. As the target tries to complete connections for all of these requests, its table of half-open connections, and the memory behind it, fills up. As a result, the target system is unable to provide services to legitimate users or clients.
To further clarify, suppose you have a single telephone connection with 10 parallel lines, that is, 10 lines with the same telephone number. If you use 10 different telephones to dial this number simultaneously, all 10 lines of the target connection will be tied up answering your 10 calls. A legitimate client who tries to call the number while it is under attack will not get through. SYN flooding is like this, but worse for the target: the "calls" are made from spoofed source addresses, which makes them difficult (though not impossible) to trace.
How It Works
-------------------------------------------------------------------------------------------------------
SYN flooding works by exploiting the three-way handshake that occurs whenever two systems initiate a TCP/IP connection. Here's what happens in a typical three-way handshake:
- The source system (client) sends a SYN packet to the destination system (host).
- The destination system replies with a single SYN/ACK packet: its own SYN, plus an ACK acknowledging the client's SYN.
- The source system sends an ACK packet to acknowledge the SYN/ACK sent by the host.
Only when all three steps are complete is a TCP/IP connection established between the source system and the host. Between steps 2 and 3 the host holds a half-open connection in its SYN queue (the listen backlog), and that queue is what the attack targets.
In a SYN-flooding attack, a large number of SYN packets are sent to the target host, all with spoofed source IP addresses that are unreachable or that simply never answer. When the target receives these SYN packets, it tries to respond to each one with a SYN/ACK, but because the source address in the original SYN is bogus, these SYN/ACKs are sent into the void. Even so, the target host keeps the half-open connection and waits in vain for the final ACK, and while it waits, additional requests with spoofed addresses queue up behind the original ones. Eventually the queue of half-open connections is full, the memory backing it is consumed, and new SYNs, including those from legitimate users, are dropped, so the target cannot cater to legitimate requests.
TCP does not wait forever: the target retransmits the SYN/ACK a few times and then, after a timeout of the order of a minute, gives up on that half-open connection. When this happens, the entries queued up on the target system are discarded, freeing much of the consumed memory. In a typical SYN-flood attack, however, the attacker sends new spoofed connection requests faster than the earlier ones can time out. Because the attacker keeps sending more and more connection requests, the queue stays full and the target system's memory is continuously consumed.
Note 1 :- To actually affect the target system, a large number of SYN packets with spoofed source addresses must be sent, and they must keep arriving faster than the host's half-open connections time out; a handful of SYNs does nothing.
Note 2 :- SYN flooding is commonly used in the process of IP spoofing. IP spoofing is discussed later in this chapter in the section titled "IP Spoofing Attacks".
Countermeasure :- The standard defence is SYN cookies: the host encodes what it needs to know about a half-open connection in the sequence number of its own SYN/ACK (a keyed hash over the addresses, ports and a coarse timestamp) and stores nothing, so there is no queue to fill; the connection state is reconstructed only when a valid ACK comes back. Enlarging the SYN backlog and shortening the SYN-RECEIVED timeout buy time but do not remove the limit.
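To make the mechanism concrete, here is an added simulation (not code from the original post) of a listening socket's SYN queue. It plays out both the handshake and the flood described above: a burst of spoofed SYNs fills the backlog, a real client is shut out until the half-open entries time out, and the same flood against a listener that uses SYN cookies (a defence the post itself does not describe) fails, because nothing is stored per SYN. No packets are sent; time is a parameter, and the listener address, client addresses, backlog size, 60-second timeout and secret key are all constructed values.

```python
"""Simulates a TCP listener's SYN queue under a SYN flood, without and with
SYN cookies.  Added illustration, not code from the original post; no packets
are sent, time is a float parameter and every address is a constructed value."""
import hashlib
import hmac
import random
from dataclasses import dataclass

SYN_RECV_TIMEOUT = 60.0     # seconds a half-open entry survives (assumed value)
rng = random.Random(2024)   # seeded so the run is reproducible


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # "SYN", "SYN/ACK" or "ACK"
    seq: int
    ack: int = 0


class Listener:
    """A listening socket with a bounded queue of half-open connections."""

    def __init__(self, ip, port, backlog=128, syn_cookies=False):
        self.ip, self.port, self.backlog = ip, port, backlog
        self.syn_cookies = syn_cookies
        self.half_open = {}      # (src, sport) -> (our ISN, expiry time)
        self.established = set()
        self.dropped_syns = 0
        self.secret = b"constructed-secret-key"

    def _cookie(self, src, sport, minute):
        """SYN cookie: an ISN derived from a keyed hash instead of stored state."""
        msg = f"{src}:{sport}:{minute}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def _expire(self, now):
        for key in [k for k, (_, exp) in self.half_open.items() if exp <= now]:
            del self.half_open[key]   # timeout: stop waiting for the final ACK

    def receive(self, seg, now):
        """Process one inbound segment; return the reply to send, or None."""
        self._expire(now)
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":
            if self.syn_cookies:
                isn = self._cookie(seg.src, seg.sport, int(now // 60))   # nothing stored
            elif len(self.half_open) >= self.backlog:
                self.dropped_syns += 1    # queue full: the SYN is silently discarded
                return None
            else:
                isn = rng.getrandbits(32)
                self.half_open[key] = (isn, now + SYN_RECV_TIMEOUT)
            return Segment(self.ip, seg.src, self.port, seg.sport, "SYN/ACK", isn, seg.seq + 1)
        if seg.flags == "ACK":
            if self.syn_cookies:
                minute = int(now // 60)
                valid = {self._cookie(seg.src, seg.sport, m) for m in (minute, minute - 1)}
                if seg.ack - 1 in valid:          # the ACK proves the peer saw our cookie
                    self.established.add(key)
            elif key in self.half_open and self.half_open[key][0] + 1 == seg.ack:
                del self.half_open[key]
                self.established.add(key)
        return None


def handshake(listener, src, sport, now):
    """Legitimate client: SYN -> SYN/ACK -> ACK.  True if the connection is established."""
    seq = rng.getrandbits(32)
    synack = listener.receive(Segment(src, listener.ip, sport, listener.port, "SYN", seq), now)
    if synack is None:
        return False              # our SYN was dropped: the client just sees a timeout
    listener.receive(Segment(src, listener.ip, sport, listener.port, "ACK", seq + 1, synack.seq + 1), now)
    return (src, sport) in listener.established


def syn_flood(listener, count, now):
    """Attacker: SYNs from random spoofed sources.  The SYN/ACK replies go into the
    void (we discard them) and no ACK ever comes back, so every entry stays half-open."""
    for _ in range(count):
        src = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(1, 255))
        listener.receive(Segment(src, listener.ip, rng.randrange(1024, 65536), listener.port,
                                 "SYN", rng.getrandbits(32)), now)


def run(syn_cookies):
    """Flood at t=0, then a real client at t=1 and again after the half-open timeout.
    Returns (connected_during_flood, connected_after_timeout, syns_dropped)."""
    lis = Listener("192.0.2.10", 80, backlog=128, syn_cookies=syn_cookies)
    syn_flood(lis, 1000, now=0.0)
    during = handshake(lis, "198.51.100.7", 40000, now=1.0)
    later = handshake(lis, "198.51.100.7", 40001, now=SYN_RECV_TIMEOUT + 1)
    return during, later, lis.dropped_syns


if __name__ == "__main__":
    print("no SYN cookies:", run(False))   # client shut out until the queue times out
    print("SYN cookies:   ", run(True))    # client connects; nothing to fill, nothing dropped
```

Without cookies, `run(False)` reports that the client could not connect during the flood, could connect once the half-open entries had expired, and that several hundred SYNs (the flood's excess plus the client's own) were dropped; a real attacker simply repeats the burst before the timeout so the second outcome never happens. With cookies, `run(True)` returns `(True, True, 0)`. Two things the model leaves out: real stacks retransmit the SYN/ACK a few times before giving up, and real SYN cookies also have to squeeze the negotiated MSS into the sequence number and lose some TCP options, which is why kernels enable them only once the backlog is under pressure.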