
After the SYN flood


In last week's Gearhead about how ports work, our fingers got a little overzealous and we typed www.isi.edu/in-notes/iana/assignments/portnumbers when we meant ftp://www.isi.edu/in-notes/iana/assignments/portnumbers (thanks to Bill Verzal, who was the first to spot our faux pas).

As we said last week, a computer responds with a SYN-ACK when it receives a SYN packet from another machine. The SYN request is the first part of the TCP three-way handshake we discussed, and the SYN-ACK response is the second. Most computers will generate the SYN-ACK response whether or not a service is available on the port.

The third part of the three-way handshake is an ACK from the original machine that first sent the SYN request.

Now one of the big problems with this protocol sequence is that in many implementations of the TCP/IP stack, the receiving machine will accept the SYN request for an "open" port, create a data structure to handle the attempted request, and reply with a SYN-ACK. If the machine that sent the original SYN request doesn't follow up with an ACK response, then the receiving machine has to timeout on waiting for a reply.

Once the timeout occurs, the receiving machine safely disposes of the data structure that was set up to handle the possible connection. But if multiple SYN requests are received within the timeout period, the TCP/IP stack must simultaneously create multiple data structures.

If enough SYN requests are received, the receiving machine can't accept new SYN requests due to a lack of data storage (that will be a limitation of the TCP/IP stack or simply running out of local operating system resources). It may also be that the receiving machine becomes so busy servicing SYN requests that other TCP/IP activity is significantly decreased or stopped altogether.
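To make the resource-exhaustion mechanism concrete, here is an added simulation (not code from the column) of a listener's half-open connection table. Each answered SYN costs one table entry until the third-handshake ACK arrives or the entry times out; the backlog size, the timeout, the addresses and the event trace are all constructed values chosen for illustration.

```python
"""Simulated half-open TCP connection table under a SYN flood.

Constructed model, not real socket code: the listener keeps one entry per
SYN it has answered with a SYN-ACK until the peer's ACK arrives or the
entry times out.  Backlog size and timeout are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int                  # max half-open entries the stack will hold
    timeout: float                # seconds to wait for the handshake's ACK
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> expiry
    dropped: int = 0              # SYNs refused because the table was full
    established: int = 0          # handshakes that completed

    def _expire(self, now):
        # Once the timeout passes, the entry set up for the possible
        # connection is safely disposed of.
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, now, src):
        self._expire(now)
        if src in self.half_open:          # retransmitted SYN, already tracked
            return "SYN-ACK"
        if len(self.half_open) >= self.backlog:
            self.dropped += 1              # no storage left: new SYNs are refused
            return "DROP"
        self.half_open[src] = now + self.timeout
        return "SYN-ACK"

    def on_ack(self, now, src):
        self._expire(now)
        if src in self.half_open:          # third part of the handshake
            del self.half_open[src]
            self.established += 1
            return True
        return False                       # ACK for an unknown or expired entry


def run_trace(events, backlog=8, timeout=30.0):
    """Replay (time, 'SYN'|'ACK', (ip, port)) events through one listener."""
    lst = Listener(backlog, timeout)
    for now, kind, src in events:
        if kind == "SYN":
            lst.on_syn(now, src)
        else:
            lst.on_ack(now, src)
    return lst


# Constructed trace: eight SYNs from fake, changing source addresses that
# never ACK, then a legitimate client (192.0.2.10) that tries to connect
# while the table is full and retries after the flood entries time out.
FLOOD = [(float(i), "SYN", (f"10.0.0.{i}", 40000 + i)) for i in range(8)]
LEGIT = ("192.0.2.10", 51234)
TRACE = FLOOD + [(5.0, "SYN", LEGIT), (40.0, "SYN", LEGIT), (40.1, "ACK", LEGIT)]

if __name__ == "__main__":
    lst = run_trace(TRACE)
    print(f"dropped={lst.dropped} established={lst.established} "
          f"half_open={len(lst.half_open)}")
```

The legitimate client's first SYN at t=5 is dropped because all eight backlog slots are held by entries that will never be acknowledged; its retry at t=40, after the 30-second timeout has drained the table, completes. A larger backlog only raises the number of spoofed SYNs needed per timeout window, which is why the column describes the attack as exhausting the machine rather than the pipe.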

This is the nature of your classic SYN flood attack, a technique favored by discerning hackers over the past few years. It is considered to be a denial-of-service attack and can effectively block even a large pipe to the Internet, not by exhausting the pipe's capacity but by exhausting the resources of the machines using the pipe.

A SYN flood attack is difficult to counter because the source of the attack may not be obvious. This is because software found on the 'Net can be run on a machine that creates SYN requests such that the source address is a fake and changes with each SYN request sent.

There are several approaches to defending against SYN flood attacks that involve filtering and patches to operating systems. A discussion of an interesting technique called GENESIS (Gibson's Encryption-Enhanced Spoofing Immunity System) can be found at http://grc.com/r&d/nomoredos.htm.
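The operating-system side of the defense is easier to see in code. The following is an added illustration, not Gibson's GENESIS scheme and not any particular OS's implementation: the idea, commonly known as SYN cookies, is to make the SYN-ACK's initial sequence number a keyed checksum of the connection's addresses and a time slot, so the server stores nothing per SYN. Only a sender that actually received the SYN-ACK at the claimed source address can return the matching ACK number, so a flood from fake, changing addresses costs the server no memory. The secret, the time-slot width and the 24-bit MAC truncation are assumptions of this toy; real implementations also encode options such as MSS.

```python
"""Stateless SYN handling (constructed illustration of the SYN-cookie idea).

Not Gibson's GENESIS and not any OS's actual code.  The server answers every
SYN with a SYN-ACK whose sequence number is an HMAC over the connection
4-tuple and a coarse time slot, and keeps no per-SYN state at all.
"""
import hmac
import hashlib

SECRET = b"constructed-server-secret"   # assumption; rotated periodically in practice
SLOT_SECS = 60                           # time-slot granularity (assumption)


def make_cookie(src_ip, src_port, dst_port, slot, secret=SECRET):
    """32-bit sequence number: top 8 bits = slot, low 24 bits = truncated MAC."""
    msg = f"{src_ip}|{src_port}|{dst_port}|{slot}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return ((slot & 0xFF) << 24) | int.from_bytes(mac[:3], "big")


def check_ack(src_ip, src_port, dst_port, ack_num, now_slot,
              secret=SECRET, max_age=2):
    """Recompute the cookie from the ACK alone; no stored state is consulted."""
    seq = (ack_num - 1) & 0xFFFFFFFF       # client ACKs our ISN + 1
    age = (now_slot - (seq >> 24)) & 0xFF  # 8-bit slot arithmetic with wraparound
    if age > max_age:
        return False                       # cookie from too old a slot
    slot = now_slot - age                  # recover the full slot number
    expected = make_cookie(src_ip, src_port, dst_port, slot, secret)
    return hmac.compare_digest(seq.to_bytes(4, "big"), expected.to_bytes(4, "big"))


class StatelessListener:
    """A listener whose per-SYN memory use is zero by construction."""

    def __init__(self, port, secret=SECRET):
        self.port, self.secret = port, secret
        self.established = 0
        self.half_open = {}                # intentionally never written to

    @staticmethod
    def slot(now):
        return int(now // SLOT_SECS)

    def on_syn(self, now, src_ip, src_port):
        # Reply with a SYN-ACK carrying the cookie as ISN; store nothing.
        return make_cookie(src_ip, src_port, self.port, self.slot(now), self.secret)

    def on_ack(self, now, src_ip, src_port, ack_num):
        if check_ack(src_ip, src_port, self.port, ack_num, self.slot(now), self.secret):
            self.established += 1
            return True
        return False


def flood_memory_cost(listener, n, now=100.0):
    """Answer n SYNs from fake, changing sources; return entries stored."""
    for i in range(n):
        listener.on_syn(now, f"10.0.{i // 256}.{i % 256}", 40000 + i)
    return len(listener.half_open)


if __name__ == "__main__":
    srv = StatelessListener(80)
    print("entries after 5000 spoofed SYNs:", flood_memory_cost(srv, 5000))
    isn = srv.on_syn(100.0, "192.0.2.10", 51234)
    print("legit client completes:", srv.on_ack(100.5, "192.0.2.10", 51234, (isn + 1) & 0xFFFFFFFF))
```

The trade-off this toy keeps is the real one: the server gives up the ability to remember anything about a pending connection (hence the slot check, so an old cookie cannot be replayed indefinitely), in exchange for a memory cost that does not grow with the flood. Filtering at the border, the other approach the column mentions, attacks the same problem from the other side by discarding packets whose source addresses could not legitimately originate there.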

See the CERT Advisory (from 1996), "TCP SYN Flooding and IP Spoofing Attacks" (www.cert.org/advisories/CA-1996-21.html) and Microsoft article "Internet Server Unavailable Because of Malicious SYN Attacks" for more information.

Finally, check out the Hack FAQ "Denial of Service Basics", which discusses SYN flooding as well as smurf attacks and Ping o' Death.

Next week, sockets and hacking. Message on the sly to gearhead@gibbs.com.
