SJSU CS 265 - SYN Flooding


SYN Flooding: A Denial of Service Attack
by Shivani Hashia

Contents
Abstract
INTRODUCTION
  Denial of Service attacks
  TCP/IP
  Three-way Handshake
SYN FLOODING ATTACK
  Different Attack Modes
SOLUTIONS
  System Configuration Improvements
  Using firewalls
  Sequence number conversion
  Figure 4: Legitimate connection with relay firewall protection (Source: [1])
  SYN Cache
Summary
References

Abstract

In this paper, I will briefly explain denial of service attacks. In particular, I will discuss the SYN Flooding denial of service attack, which is one of the most common denial of service attacks.

INTRODUCTION

Denial of Service attacks

In these attacks, the main aim of the attacker is to stop the victim's machine from doing its required job. Thus, the server is unable to provide its service to legitimate clients. The damage done by these attacks can vary from a minor inconvenience to major financial losses. Some companies, like eBay and Amazon, depend on online services for their business. If their websites are attacked, their transactions are affected and they lose millions of dollars. The attacks are broadly classified into three major categories:

1) Bandwidth Consumption: All available bandwidth is used by the attacker, leaving no bandwidth for the actual clients. E.g., ICMP ECHO attack.
2) Other Resource Consumption: In this type of attack, resources like a web, print or mail server are flooded with useless requests, preventing the actual serving software from handling the traffic. E.g., mail bomb.
3) Network Connectivity: The attacker forces the server to stop communicating on the network. E.g., SYN Flooding. [2]

The SYN Flooding attack is one of the most common network-based denial of service attacks. It exploits limitations in the Transmission Control Protocol/Internet Protocol (TCP/IP) suite. It requires little work on the part of the attacker and is very difficult to trace back to the attacker. I will briefly describe some of the features of the TCP/IP protocol that make this attack possible.

TCP/IP

IP is the network layer protocol that acts as a packet delivery service. It is unreliable (delivery of packets is not guaranteed) and connectionless (each packet can take its own path, independent of other packets). TCP is flanked by the application layer on one side and IP on the other. It ensures that reliable communication takes place between the applications and the different services. TCP delivers data packets reliably and in order, without repetition or errors.

Three-way Handshake

As we know, a connection needs to be established between the source S and the destination D to facilitate communication between them. This process is referred to as the three-way handshake. The process starts with the source sending a SYN packet (a TCP header with the SYN bit set) to D, who responds by sending back a packet with both the SYN and ACK bits set. If the source finally responds with the ACK bit set, the connection is established; otherwise D sends an RST after the timeout period. The three-way handshake is also used to initialize the sequence numbers, which are needed to provide reliable delivery of packets. Three memory structures, namely the socket structure (socket), the internet protocol control block structure (inpcb) and the TCP control block structure (tcpcb), are allocated by both S and D for every connection. These structures contain all the information required for the connection, such as state information, buffers, address information, flags, timer information, port numbers and sequence number information. The three-way handshake is illustrated in figure 1.

Figure 1: Three-way Handshake (S sends SYN x to D, which is in LISTEN; D enters SYN_RECVD and replies SYN y, ACK x+1; S replies ACK y+1 and the connection is CONNECTED). Source: [1]

SYN FLOODING ATTACK

As explained above, whenever a SYN message arrives at a server that is in the LISTEN state, the server allocates the three memory structures. It goes into the SYN_RECVD state and sends back a SYN, ACK message to the source. This is called the half-open connection state. There is a limit on the number of half-open connections per port that any system can have concurrently. When the limit has been reached, the machine will no longer accept any new connection until its queue goes below the limit. It is this limitation that the attacker takes advantage of to attack the victim. An attacker A starts the attack by sending different connection requests with spoofed/illegitimate source addresses to the victim D. D, not knowing it is an attack, allocates its memory resources to these connections and sends SYN, ACK in reply to these requests. D is now in the half-open connection state. The attacker does not send any ACK messages back. When the limit of half-open connections is reached, the victim no longer accepts any more connection requests, so all legitimate connection requests are also denied. This denial of service to its actual clients persists until the timer expires (usually 75s) or until some connections are reset or completed.

Figure 2: System under attack (non-existent, spoofed sources send SYNs to a port in LISTEN; the port moves to SYN_RECVD and port flooding occurs). Source: [1]

The attacker has to continuously keep sending SYN packets to the victim requesting new connections. This is important if he wants the denial of service condition to persist longer than the timeout period. After the timeout period, the connections are reset and the resources are reallocated, enabling new connection requests to be accepted. It is necessary for the attacker to use source addresses that are not reachable from victim D. If this is not done, then when the victim sends SYN, ACK to the actual source address S, S does not expect this message, so it sends an RST packet to D and the connection is reset. This would be a loss for the attacker.

Different Attack Modes

Usually there are different parameters by which the SYN flood attack can vary. These include batch size (the number of packets sent from the source address in a batch), delay (the time interval between two batches of packets) and the mode of source address. There are mainly three modes of source address allocation:

Single address: A single forged source address is used as the source for all packets.
Short list: An attacker uses a small list to pick the source address. These source addresses are then used to send the SYN packets.
No list: An attacker uses a different, randomly created source address every time he sends a new batch of packets.

SOLUTIONS

Several solutions have been provided to prevent this attack. None of them provides
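The server-side behaviour described in the Three-way Handshake and SYN FLOODING ATTACK sections (a bounded half-open queue per listening port, entries reset when the SYN_RECVD timer expires, legitimate SYNs refused while the queue is full) can be replayed against a small model. The code below is an added example and is not from the paper or its references; the Listener class, its backlog parameter and the source addresses (drawn from the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges) are all constructed here. It models only the state transitions the paper describes; it sends no packets.

```python
from dataclasses import dataclass

# Timeout for a half-open (SYN_RECVD) entry, in seconds; the paper gives 75s as typical.
SYN_RECVD_TIMEOUT = 75.0


@dataclass
class HalfOpen:
    """One SYN_RECVD entry: stands in for the socket/inpcb/tcpcb allocations."""
    src: str
    sport: int
    created: float


class Listener:
    """Hypothetical model of one listening TCP port with a bounded half-open queue."""

    def __init__(self, backlog: int):
        self.backlog = backlog                # max concurrent half-open connections
        self.half_open: dict[tuple[str, int], HalfOpen] = {}
        self.established: set[tuple[str, int]] = set()
        self.dropped = 0                      # SYNs refused because the queue was full

    def expire(self, now: float) -> int:
        """Reset entries whose SYN_RECVD timer has run out; returns how many were freed."""
        stale = [k for k, h in self.half_open.items() if now - h.created >= SYN_RECVD_TIMEOUT]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def on_syn(self, src: str, sport: int, now: float) -> bool:
        """LISTEN + SYN: allocate a half-open entry, or drop the SYN if the queue is full."""
        self.expire(now)
        key = (src, sport)
        if key in self.half_open:             # retransmitted SYN: no new allocation
            return True
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False                      # legitimate or not, this SYN is refused
        self.half_open[key] = HalfOpen(src, sport, now)   # now SYN_RECVD, SYN/ACK sent
        return True

    def on_ack(self, src: str, sport: int, now: float) -> bool:
        """Third handshake message: move the entry from SYN_RECVD to ESTABLISHED."""
        entry = self.half_open.pop((src, sport), None)
        if entry is None:
            return False                      # no matching half-open entry (or already expired)
        self.established.add((src, sport))
        return True


def simulate(backlog: int = 5) -> dict:
    """Replay the paper's scenario against the model and report what happened.
    All addresses are constructed from documentation ranges."""
    srv = Listener(backlog)
    t = 0.0
    # Phase 1: `backlog` SYNs from spoofed, unreachable sources; no ACK ever follows.
    for i in range(backlog):
        srv.on_syn(f"192.0.2.{i + 1}", 40000 + i, t)
    denied_while_flooded = not srv.on_syn("198.51.100.7", 51000, t + 1.0)

    # Phase 2: nothing more arrives until the timer runs out; stale entries are reset,
    # so the same client's retry is accepted and completes the handshake.
    accepted_after_timeout = srv.on_syn("198.51.100.7", 51000, t + SYN_RECVD_TIMEOUT + 5.0)
    completed = srv.on_ack("198.51.100.7", 51000, t + SYN_RECVD_TIMEOUT + 5.1)

    # Phase 3: the flood resumes with fresh addresses, so the denial condition returns.
    for i in range(backlog):
        srv.on_syn(f"192.0.2.{100 + i}", 42000 + i, t + SYN_RECVD_TIMEOUT + 6.0)
    denied_when_renewed = not srv.on_syn("198.51.100.8", 51001, t + SYN_RECVD_TIMEOUT + 7.0)

    return {
        "denied_while_flooded": denied_while_flooded,
        "accepted_after_timeout": accepted_after_timeout,
        "completed_after_timeout": completed,
        "denied_when_flood_renewed": denied_when_renewed,
        "half_open_now": len(srv.half_open),
        "established": len(srv.established),
        "dropped_syns": srv.dropped,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Running it shows the three points the paper makes in sequence: the legitimate client is refused while the queue is full, it gets through once the 75s timer has reset the stale entries, and it is refused again as soon as the flood is renewed. The backlog of 5 is deliberately tiny so the effect is visible; the queue size on a real system is a tunable of the operating system, which is what the paper's "System Configuration Improvements" heading refers to.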
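From the defender's side, the three source-address modes listed under Different Attack Modes leave different footprints in a connection log: one address, a few addresses reused across the batch, or a fresh address for every half-open entry. The following added example (mine, not the paper's; the log format, the threshold and the analyze function are assumptions) reads constructed log lines recording client SYNs and the client's final handshake ACK, counts the half-open entries per destination port, and maps the number of distinct sources onto the paper's three modes.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the paper). One line per packet:
#   <epoch-seconds> <src>:<sport> -> <dst>:<dport> <flag>
# 'S' is a client SYN, 'A' is the client's final handshake ACK.
# Port 80 receives 12 SYNs from three spoofed addresses that are never acknowledged;
# two legitimate clients complete their handshakes on ports 80 and 443.
SAMPLE_LOG = """
1700000000.00 198.51.100.5:50100 -> 203.0.113.10:80 S
1700000000.02 198.51.100.5:50100 -> 203.0.113.10:80 A
1700000001.00 192.0.2.11:40001 -> 203.0.113.10:80 S
1700000001.01 192.0.2.12:40002 -> 203.0.113.10:80 S
1700000001.02 192.0.2.13:40003 -> 203.0.113.10:80 S
1700000001.03 192.0.2.11:40004 -> 203.0.113.10:80 S
1700000001.04 192.0.2.12:40005 -> 203.0.113.10:80 S
1700000001.05 192.0.2.13:40006 -> 203.0.113.10:80 S
1700000002.00 192.0.2.11:40007 -> 203.0.113.10:80 S
1700000002.01 192.0.2.12:40008 -> 203.0.113.10:80 S
1700000002.02 192.0.2.13:40009 -> 203.0.113.10:80 S
1700000002.03 192.0.2.11:40010 -> 203.0.113.10:80 S
1700000002.04 192.0.2.12:40011 -> 203.0.113.10:80 S
1700000002.05 192.0.2.13:40012 -> 203.0.113.10:80 S
1700000003.00 198.51.100.6:50200 -> 203.0.113.10:443 S
1700000003.03 198.51.100.6:50200 -> 203.0.113.10:443 A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flag>[SA])$"
)


def classify_source_mode(half_open: int, distinct_sources: int) -> str:
    """Map observed half-open entries onto the paper's three source-address modes."""
    if half_open == 0:
        return "none"
    if distinct_sources == 1:
        return "single address"
    if distinct_sources < half_open:
        return "short list"      # addresses are being reused across the batch
    return "no list"             # every half-open entry came from a different address


def analyze(log_text: str, half_open_alert: int = 10) -> dict:
    """Return, per (dst, dport): half-open count, distinct sources, mode and alert flag.
    A SYN is half-open until the same 4-tuple's final ACK appears in the log."""
    pending = {}                 # (src, sport, dst, dport) -> src, for unacknowledged SYNs
    seen_ports = set()
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue             # skip anything not in the expected format
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        seen_ports.add((m["dst"], int(m["dport"])))
        if m["flag"] == "S":
            pending[key] = m["src"]
        else:                    # final ACK: the handshake completed, entry is no longer half-open
            pending.pop(key, None)

    per_port = defaultdict(set)  # (dst, dport) -> set of half-open 4-tuples
    for key in pending:
        per_port[(key[2], key[3])].add(key)

    report = {}
    for port in seen_ports:
        entries = per_port.get(port, set())
        half_open = len(entries)
        distinct = len({e[0] for e in entries})
        report[port] = {
            "half_open": half_open,
            "distinct_sources": distinct,
            "source_mode": classify_source_mode(half_open, distinct),
            "alert": half_open >= half_open_alert,   # threshold is an assumed tunable
        }
    return report


if __name__ == "__main__":
    for port, info in sorted(analyze(SAMPLE_LOG).items()):
        print(port, info)
```

On the sample, port 80 reports 12 half-open entries from 3 distinct sources, which the classifier labels "short list" and flags, while port 443 has none outstanding. In practice the half-open count should be taken over a window no longer than the SYN_RECVD timeout (75s in the paper), since entries older than that have already been reset by the server and no longer occupy the queue.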