Wednesday, May 18, 2011

Detecting a SYN-Flood Attack

After the target system has sent a SYN/ACK packet to the client, and while it is waiting to receive the client's ACK, the connection is said to be half open, and the host is said to be in the SYN_RECEIVED state for that connection. If your system has many connections in this state, it may well be experiencing a SYN-flood attack. To determine whether connections on your system are half open, run the netstat command; the parameters accepted and the output displayed vary from system to system. Here's an example:

C:\windows>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP Dushyant 201.xx.34.23 SYN_RECEIVED
TCP Dushyant 201.xx.34.23 SYN_RECEIVED
TCP Dushyant 201.xx.34.23 SYN_RECEIVED
TCP Dushyant 201.xx.34.23 SYN_RECEIVED
TCP Dushyant 201.xx.34.23 SYN_RECEIVED
TCP Dushyant 201.xx.34.23 SYN_RECEIVED
TCP Dushyant 201.xx.34.23 SYN_RECEIVED
TCP Dushyant *:* ESTABLISHED

In this example, several connections are listed in the SYN_RECEIVED state, most likely indicating that this system is under a SYN-flood attack. Note, however, that the preceding output also contains a connection listed in the ESTABLISHED state; such connections are legitimate and remain unaffected by the SYN-flood attack on the target system.
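The check described above, automated: an added example (not code from the original post) that parses netstat -a text in the layout shown, counts half-open (SYN_RECEIVED) connections per foreign address and in total, and flags peers at or above a threshold. The sample output, hostname and addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample in the layout of "netstat -a" on Windows; the host name
# and the addresses (RFC 5737 documentation ranges) are placeholders.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address     Foreign Address       State
  TCP    Dushyant:80       203.0.113.23:41001    SYN_RECEIVED
  TCP    Dushyant:80       203.0.113.23:41002    SYN_RECEIVED
  TCP    Dushyant:80       203.0.113.23:41003    SYN_RECEIVED
  TCP    Dushyant:80       203.0.113.23:41004    SYN_RECEIVED
  TCP    Dushyant:80       203.0.113.23:41005    SYN_RECEIVED
  TCP    Dushyant:80       203.0.113.23:41006    SYN_RECEIVED
  TCP    Dushyant:80       203.0.113.23:41007    SYN_RECEIVED
  TCP    Dushyant:443      198.51.100.7:50210    ESTABLISHED
  TCP    Dushyant:80       192.0.2.9:33120       SYN_RECEIVED
"""

# One connection row: proto, local address, foreign address, state.
# UDP rows on Windows carry no state column and so do not match.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_netstat(text):
    """Return (proto, local, foreign, state) tuples from netstat -a output."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append(m.groups())
    return rows

def half_open_by_peer(rows):
    """Count SYN_RECEIVED connections per foreign IP (port stripped)."""
    counts = Counter()
    for proto, _local, foreign, state in rows:
        if proto == "TCP" and state == "SYN_RECEIVED":
            counts[foreign.rsplit(":", 1)[0]] += 1
    return counts

def suspected_syn_flood(text, threshold=5):
    """Peers with at least `threshold` half-open connections, highest first."""
    counts = half_open_by_peer(parse_netstat(text))
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    total = sum(half_open_by_peer(parse_netstat(SAMPLE_NETSTAT)).values())
    print(f"half-open connections in total: {total}")
    for ip, n in suspected_syn_flood(SAMPLE_NETSTAT):
        print(f"{ip}: {n} half-open connections")
```

Because flood sources are usually spoofed and spread across many addresses, the total half-open count is the more reliable signal; the per-peer list only helps when one source dominates, as in the post's output.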

NOTE: SYN packets are also used in conjunction with half-open connections for stealth port scanning, also called half-open port scanning. For more details, read "Port Scanning".

Countermeasure

There is no single countermeasure you can take to protect your system against SYN-flood attacks. There are, however, certain steps you can take to minimize the risk of damage caused by such attacks:

  • Reduce the time allowed for a half-open connection to time out. This ensures that if numerous spoofed connection requests are sent to the target system, those requests are discarded more quickly, minimizing memory consumption and thereby mitigating the risk of such attacks. Although this limits the hogging of system resources, it is not a very good countermeasure against SYN attacks, because legitimate users on slow links may also be disconnected by the target system.
  • Increase the number of pending connection requests the host can hold at one time. The downside is that more memory and system resources are consumed.
  • Install vendor-specific updates and patches. Whenever a new type of attack becomes prevalent on the Internet, each vendor usually releases its own countermeasure for its software. For this reason, it is a good idea to check with the vendor of the software installed on your system for a countermeasure to a particular type of attack.
  • Use a firewall. Firewalls can detect SYN attacks, respond with fake replies, and try to trace the spoofed source address to the actual attacker. It is also important to ensure that the firewall has been kept up to date. For more details, read "TCP SYN Flooding and IP Spoofing Attacks".
