+5 votes
215 views
in Security by (242k points)
reopened
SYN flood: variants and defensive measures

1 Answer

+3 votes
by (1.6m points)
edited
 
Best answer

What is a SYN flood attack?
How SYN flood attacks work
Variants of the SYN flood attack
Protective measures against SYN flood attacks
Normal TCP connection establishment using 3-step negotiation
SYN flood attack mechanism
Direct SYN flood attacks
SYN flood attacks with spoofed IP address
SYN flood attacks with denial of service (DDoS) attack
SYN flood attacks by reflex
SYN queue boost
Recycling the oldest semi-open TCP connection
SYN cache and cookies
Cloud-based mitigation service

image

SYN flood: variants and defensive measures

As a denial of service (DoS) attack, SYN flood aims to knock out legitimate traffic from an online system. Conceptually, a denial of service attack can be compared to the mass mailing of fake letters to an agency. When mailboxes become saturated, the agency will not be able to receive or process legitimate mail. The attacker will have reached his objective, that is, to prevent the normal functioning of the organism..

Index
  1. What is a SYN flood attack?
  2. How SYN flood attacks work
    1. Normal TCP connection establishment using 3-step negotiation
    2. SYN flood attack mechanism
  3. Variants of the SYN flood attack
    1. Direct SYN flood attacks
    2. SYN flood attacks with spoofed IP address
    3. SYN flood attacks with denial of service (DDoS) attack
    4. SYN flood attacks by reflex
  4. Protective measures against SYN flood attacks
    1. SYN queue boost
    2. Recycling the oldest semi-open TCP connection
    3. SYN cache and cookies
    4. Cloud-based mitigation service

What is a SYN flood attack?

When we speak of SYN flood or SYN flood , we refer to a denial of service attack . In it, the attacker sends a stream of malicious data packets to a target system with the intention of overloading the target and thus preventing its legitimate use.

Like ping of death, SYN flood is a protocol attack . These attacks aim to exploit a vulnerability in network communications to put the target system at its feet. In this it differs from the mechanics of volumetric ping flood, UDP flood and HTTP flood attacks. In these, the attackers focus on saturating the target's bandwidth on the network..

How SYN flood attacks work

Also known as a "semi-open attack", the SYN flood is a cyber attack directed against the network connection. The attacker manipulates the three-step transmission control protocol (TCP) negotiation, and instead of negotiating a connection between client and server as expected, many semi-open connections are created on the server. This takes up server resources that are no longer available for actual use.

Let's take a look at how a normal TCP connection is established and how a SYN flood attack interferes on this principle ..

Normal TCP connection establishment using 3-step negotiation

Along with the Internet Protocol (IP), the Transmission Control Protocol (TCP) is one of the cornerstones of the Internet. Since TCP is a connection protocol, both the client and the server must negotiate the connection before exchanging data. To do this, three-step negotiation is used:

  1. The client sends a SYN (? Sync?) Packet to the server:? Hello, I'd like to establish a connection with you ?.
  2. The server responds with a SYN / ACK packet (ACK =? Acknowledge?) And creates in the SYN backlog a data structure known as a transmission control block (TCB) for the connection:? , in agreement. So, use the following connection parameters?
  3. The client responds to the SYN / ACK packet with an ACK packet and the negotiation is completed. At that point, the connection is established and data can be sent in both directions. On the server side, the transmission control block is removed from the SYN list:? Great, thanks. Let's get started !?

This process runs in the background every time we connect to a server to visit a web page or check our emails.

SYN flood attack mechanism

During a SYN flood attack there is a massive outage of the TCP connection :

  1. The attacker sends a SYN packet to the server with a spoofed IP address.
  2. The server creates a transmission control block for the semi-open connection in the SYN queue (connection incomplete queue). The TCB occupies storage on the server. Also, the size of the SYN queue is limited.
  3. The server sends a SYN / ACK packet to the spoofed IP address of the attacker.
  4. Since the attacker does not receive any ACK packets confirming the connection, the server sends more SYN / ACK packets to the supposed client and keeps the connection semi-open.
  5. While the server is still waiting for a response, new SYN packets from the attacker keep coming in and need to be registered on the SYN queue.
  6. From a certain point on, there is no space available in the SYN queue for further incomplete connections. Subsequently, the server rejects the incoming SYN packets and is no longer accessible from the outside.
image
The attacker saturates the server with the massive sending of SYN data packets

To initiate a SYN flood , the attacker uses special software . An example of this is the well-known hping tool , used to do penetration tests , which allows simulating different attacks on the network. For security reasons, we only show an approximate pattern of the hping code for a SYN flood with a fake IP address:

  hping --syn --flood --rand-source -p <Port> <IP-Adresse>  

The command options are interesting:

  • The --syn option instructs the tool to use TCP as the protocol and to send SYN packets.
  • The --flood option is important . According to the documentation, this makes the hping command send the packets as soon as possible.
  • With the --rand-source option , the attacker spoofs his IP address. Instead of the actual sender's address, a random IP address is entered.

Variants of the SYN flood attack

There are several methods to carry out a SYN flood attack . They all have in common the attacker's goal: to keep the server busy for as long as possible . To do this, you must ensure that SYN / ACK packets sent by the server get no response. If the attacker's computer responds with an ACK packet, as a result, the corresponding entry is removed from the SYN list from the server.

If the attacker spoofs his IP address, the server's SYN / ACK packets never arrive. If a computer receives a SYN / ACK packet from a server without first sending a SYN packet, the device sends an RST packet (RST stands for? Reset?) And thus ends the connection. This is what a smart attacker would also want to avoid in order to keep the maximum number of half-open connections on the server .

Direct SYN flood attacks

A direct attack starts from the hacker's own IP address . To make sure that incoming SYN / ACK packets are discarded, configure a firewall on your computer. Another method is to limit network traffic to outgoing SYN packets.

Since you direct the attack from your own IP address and are therefore relatively easy to trace , this type of attack is rarely used.

SYN flood attacks with spoofed IP address

The attack with a fake IP address is more popular. In this case, the attacker enters a spoofed IP address in the sender field of the SYN packet and thus hides its true origin. In this case, the attacker prefers to use IP addresses that are not busy at the time of the attack. This ensures that randomly affected systems do not react to SYN / ACK responses from the attacked server with an RST packet and thus terminate the connection.

SYN flood attacks with denial of service (DDoS) attack

In this attack method? Distributed? SYN flood , attacks occur simultaneously from multiple computers . In general, it is a set of hijacked computers, that is, what is called a botnet or robot network. The attacker controls the? Zombie? Computers from the robot network, ordering them to send SYN packets to the target.

SYN flood attacks by reflex

A server typically responds to a single SYN packet with multiple SYN / ACK packets. An attacker can take advantage of this circumstance to launch a reflex SYN flood attack . Thus, the attacker spoofs the victim's IP address and initiates a SYN flood DDoS attack against one or more third-party servers. Each of the servers responds to each incoming SYN packet with multiple SYN / ACK packets that are sent to the victim. There is a multiplication of network traffic . The victim's computer receives a bombardment of SYN / ACK packets and ends up crashing.

Protective measures against SYN flood attacks

The general working principle of SYN flood attacks has been known since approximately 1994. Therefore, today there are a number of very effective defensive measures. However, some of them have negative side effects or only work under certain conditions. In general, it is not easy to distinguish malicious SYN packets from legitimate ones. Most of the popular defensive measures are used at the server level , although there are also cloud-based solutions .

SYN queue boost

The SYN incomplete connection queue mentioned above is part of the operating system. We can imagine it as a data table . Each row in that table contains information to establish a single TCP connection. The operating system is responsible for managing the connections initially. After a connection is established at the conclusion of the 3-step negotiation, the connection will be transmitted to the listener application on the port and removed from the SYN queue.

One of the simplest methods of increasing the security of a system against SYN flood attacks is to increase the maximum number of semi-open connections that the operating system will allow. Each entry in the SYN queue consumes a certain amount of memory , which makes the number of entries limited. By default, on Linux the limit is several hundred entries. However, the value can be easily increased. In principle, the SYN queue can contain thousands of entries. In this way, SYN flood attacks can be cushioned .

Recycling the oldest semi-open TCP connection

A related method is to remove the oldest semi-open connection from the SYN queue when it is full. This creates space for a new semi-open connection. This method, in combination with a sufficiently large SYN queue, can result in continued access to the system during a SYN flood . However, this method has been shown to be ineffective when the volume of the attack is very high.

SYN cache and cookies

The idea of ​​the SYN cache is simple: instead of storing a full transmission control block (TCB) for each semi-open connection in the SYN queue, only a minimal TBC is stored. The technique uses cryptographic hash functions to prevent the attacker from guessing critical information about the connection. The SYN cache has proven to be an effective method. Connection data can only be lost in some exceptional cases.

The invention of SYN cookies in 1996 was followed by the concept of the SYN cache. In this case, the use of the transmission control block as a data structure is dispensed with. Instead, the relevant connection parameters are encoded in the sequence number of the SYN / ACK packet . Cryptographic hash functions ensure that the attacker cannot easily guess the sequence number.

A legitimate client responds to the SYN / ACK packet with an ACK packet and falls back to the specially prepared sequence number. The server uses the sequence number of the ACK packet to establish the connection and verify it cryptographically . The use of SYN cookies provides effective protection against SYN flood attacks . However, in some circumstances, it can lead to loss of performance.

Both technologies are also used in combination. During normal operation, the SYN cache is used. If the SYN cache is full, it switches to SYN cookies. This combines the positive aspects of both technologies.

Cloud-based mitigation service

The fight against denial of service attacks is as old as the Internet. However, modern attackers have much higher attack power due to robot networks. The denial of service attacks they unleash put even the most secure systems at their feet, with their massive data flow. Therefore, the services of large global cloud-based security providers are being used more and more.

The idea is that the incoming DDoS data stream is distributed to many individual systems. In this way, the total attack load is dispersed and the peak load affecting each of the systems decreases. Therefore, the network can withstand serious attacks.

At the network level, Anycast technology has been consolidated , in addition to the packet filtering method. Requests to systems connected through Anycast are automatically directed to a geographically closer server. In this way, when the denial of service attack is global in magnitude, iron is taken away at the local level. Anycast networks like Cloudflare convince with their elegance and resistance.

The Cloudflare blog provides very interesting insight into current progress in fighting SYN flood attacks . In addition to the bot- based mitigation strategy, SYN packet signatures appear to have a promising future. This system consists of generating human readable fingerprints of incoming SYN packets . From the fingerprint, some conclusions can be drawn about the operating system of the computer that originally sent the SYN packet. During a SYN flood attack , when fingerprint analysis is performed, packets sent that do not meet the pattern are filtered.

In summary

25 years after its discovery as an attack tool, the SYN flood remains a threat to website owners. Fortunately, there are effective protection measures to ensure the security of the transmission control protocol against these attacks.


...