SYN Attacks and Countermeasures

By techdoc / November 16, 2008



Because SYN attacks exploit the buffer space that the Transmission Control Protocol (TCP) allocates during the session initialization three-way handshake, let us first take a quick look at TCP session initialization and the three-way handshake.

Passive Open

The first thing a server must do before it can accept a connection establishment request from a client is to bind to a port and open it, ready to accept a connection. This process is known as a “passive open”.

Active Open

Once the passive open has been established, the server is ready to accept a client-initiated active open. The establishment of the active open is known as the three-way handshake, and the process goes as follows:

  1. SYN – The client sends a SYN packet to the server.
  2. SYN-ACK – The server replies with a SYN-ACK packet.
  3. ACK – The client responds with an ACK packet.

At this point both the client and the server have received acknowledgement of the connection (the SYN-ACK and ACK packets respectively), and the connection is open and fully active. Data transmission can now occur.

Traditionally the receiving end of a conversation has required only a small “in-process” buffer to complete TCP session initialization correctly. Once the connection has been successfully established, the small amount of buffer used by each TCP connection establishment request is returned to the “in-process” buffer pool, ready for reuse by the next conversation’s TCP establishment request. Note that the receiving machine can maintain many concurrent conversations, all established using the same small “in-process” buffer pool.

SYN Attack Denial of Service

To instigate a Denial of Service (DoS) attack that exploits this behavior, an attacker simply floods the target system’s small “in-process” queue with connection requests but never sends the acknowledgement response that the target expects after it has replied to those requests. Each such half-open request occupies its buffer slot until the target system “times out” waiting for the proper response.

With enough “in limbo” requests cached in the “in-process” buffer, the target system will become unstable, hang, crash or become unusable, and will need to be rebooted. Once rebooted, the attack continues anew for as long as the attacker desires, or until the network administrator becomes aware that they are under this type of attack and takes appropriate measures to counteract it.

SYN Attack Countermeasures

The use of SYN cookies is the most powerful defense against SYN attacks of all kinds.

Identifying the source IP addresses of the attack packets and then using a firewall or router to block all traffic from those sources is often the first reactive response network administrators implement, but it has its drawbacks. Both the Distributed Denial of Service (DDoS) attack and the Distributed Reflected Denial of Service (DRDoS) attack are considerably harder to counter in this way.
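The following simulation, added here as an illustration rather than code from the original article, models the two behaviours described above: a stateful listener whose fixed “in-process” pool is exhausted by half-open SYNs until they time out, and a stateless SYN-cookie listener that encodes the handshake in the SYN-ACK sequence number so the same flood consumes no memory. The pool size, timeout, secret, addresses and the simple HMAC-based cookie layout are all constructed assumptions for the demo, not a reproduction of any particular TCP stack.

```python
import hmac, hashlib

class Backlog:
    """Stateful listener: every SYN holds a slot in a fixed 'in-process' pool until ACK or timeout."""
    def __init__(self, size, syn_timeout):
        self.size, self.timeout = size, syn_timeout
        self.half_open = {}            # (ip, port) -> time the SYN-ACK was sent
        self.established, self.dropped = set(), 0
    def on_syn(self, src, now):
        # reclaim slots whose SYN-ACK was never answered, then try to take one
        self.half_open = {k: t for k, t in self.half_open.items() if now - t < self.timeout}
        if len(self.half_open) >= self.size:
            self.dropped += 1          # pool exhausted: this SYN is silently lost
            return False
        self.half_open[src] = now
        return True
    def on_ack(self, src):
        if self.half_open.pop(src, None) is None:
            return False               # no pending handshake (expired or never seen)
        self.established.add(src)      # handshake complete, slot returned to the pool
        return True

class SynCookies:
    """Stateless listener: ISN = HMAC(peer address, time bucket); nothing is stored until the ACK returns."""
    def __init__(self, secret, bucket=60):
        self.secret, self.bucket = secret, bucket
    def cookie(self, src, idx):
        msg = f"{src[0]}:{src[1]}:{idx}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
    def on_syn(self, src, now):        # returns the ISN for the SYN-ACK; no slot consumed
        return self.cookie(src, int(now) // self.bucket)
    def on_ack(self, src, ack_num, now):
        # the ACK must carry cookie+1 for the current or the previous time bucket
        idx = int(now) // self.bucket
        return any((self.cookie(src, i) + 1) & 0xFFFFFFFF == ack_num for i in (idx, idx - 1))

def flood(listener, n, now=0.0):
    """Constructed flood: SYNs from n distinct spoofed sources that never send the final ACK."""
    for i in range(n):
        listener.on_syn((f"10.0.{i // 256}.{i % 256}", 40000 + i), now)

def demo(client=("192.0.2.10", 51234)):          # constructed legitimate client
    stateful, cookies = Backlog(128, syn_timeout=30), SynCookies(b"constructed-demo-secret")
    flood(stateful, 1000)                        # 128 slots filled, the rest dropped
    flood(cookies, 1000)                         # no state consumed at all
    isn = cookies.on_syn(client, now=1.0)
    return {"stateful_accepts_client": stateful.on_syn(client, now=1.0),          # False: pool full
            "stateful_accepts_after_timeout": stateful.on_syn(client, now=31.0),  # True: slots expired
            "cookies_accept_real_ack": cookies.on_ack(client, (isn + 1) & 0xFFFFFFFF, now=5.0),
            "cookies_accept_forged_ack": cookies.on_ack(client, (isn + 2) & 0xFFFFFFFF, now=5.0)}
```

Running `demo()` shows the legitimate client turned away by the full stateful pool until the 30-second timeout reclaims the slots, while the cookie listener accepts the client's genuine ACK and rejects a forged one without having stored anything during the flood.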
