Tech Nuske

Thursday, 3 May 2012

SYN flooding


Recently I unknowingly made a small configuration change in my PC at work, which caused the entire network of my office to go down for one whole day, all without my knowledge. This small mistake that led to such a huge disaster got me interested in how entire networks can become flooded and hence rendered useless, just because of a small packet. I came across one such type of network flooding attack, SYN flooding. 

SYN flooding is a method that the user of a hostile client program can use to conduct a denial-of-service (DoS) attack on a computer server. The hostile client repeatedly sends SYN (synchronization) packets to every port on the server, using fake IP addresses.
Normally, when a client attempts to start a TCP connection to a server, the client and server exchange a series of messages that runs like this:
  1. The client requests a connection by sending a SYN (synchronize) message to the server.
  2. The server acknowledges this request by sending SYN-ACK back to the client.
  3. The client responds with an ACK, and the connection is established.

This is called the TCP three-way handshake, and is the foundation for every connection established using the TCP protocol.
But when an attacker starts a SYN flood attack, the following sequence takes place:
  1. The attacker creates a random source address for each packet.
  2. The SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP address.
  3. The victim server responds to the spoofed IP address, then waits for a confirmation that never arrives (it waits about 3 minutes).
  4. The victim's connection table fills up waiting for replies.
  5. After the table fills up, all new connections are ignored.
  6. Legitimate users are ignored as well, and cannot access the server.
  7. Once the attacker stops flooding the server, it usually goes back to its normal state (SYN floods rarely crash servers).
  8. Newer operating systems manage resources better, making it more difficult to overflow the tables, but they are still vulnerable.

The hostile client makes the SYN requests all appear valid, but because the IP addresses are fake, it is impossible for the server to close down the connection by sending RST packets back to the hostile client. Instead, the connection stays open. Before a time-out can occur, another SYN packet arrives from the hostile client. A connection of this type is called a half-open connection. Under these conditions, the server becomes completely or almost completely busy with the hostile client. Communication with legitimate clients is difficult or impossible.
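To make the connection-table exhaustion described in the numbered steps and in the half-open connection paragraph above concrete, here is a small Python model added to this post (it is not code from the original article). It assumes abstract time ticks with the post's 3-minute wait modelled as 180 ticks, a constructed backlog of 128 entries, constructed spoofed and legitimate addresses, and a constructed secret for the SYN-cookie variant, which stands in for the better resource management the post credits newer operating systems with.

```python
import hashlib, hmac

SYN_TIMEOUT = 180  # ticks; the post says the victim waits about 3 minutes for the final ACK

class StatefulServer:
    """Classic TCP behaviour: every SYN reserves a slot in the half-open table."""
    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}  # (src_ip, src_port) -> tick at which the SYN-ACK was sent
    def expire(self, now):
        self.half_open = {k: t for k, t in self.half_open.items() if now - t < SYN_TIMEOUT}
    def on_syn(self, src, now):
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            return "dropped"  # table full: new connections, legitimate or not, are ignored
        self.half_open[src] = now
        return "syn-ack"
    def on_ack(self, src, now):
        self.expire(now)
        return "established" if self.half_open.pop(src, None) is not None else "rst"

class SynCookieServer:
    """Mitigation: derive the SYN-ACK sequence number from peer and time, store nothing."""
    def __init__(self, secret):
        self.secret = secret
    def cookie(self, src, now):
        msg = f"{src[0]}:{src[1]}:{now // 64}".encode()  # valid for a 64-tick window
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:4]
    def on_syn(self, src, now):
        return self.cookie(src, now)  # no per-connection state is allocated
    def on_ack(self, src, now, cookie):
        return "established" if hmac.compare_digest(cookie, self.cookie(src, now)) else "rst"

def simulate(backlog=128, flood_size=1000):
    """Flood both servers with spoofed SYNs (100 per tick), then try one legitimate handshake."""
    stateful, cookies = StatefulServer(backlog), SynCookieServer(b"constructed-secret")
    legit = ("10.0.0.5", 40000)  # constructed legitimate client
    for i in range(flood_size):
        spoofed = (f"203.0.113.{i % 256}", 1024 + i)  # constructed spoofed source; its ACK never comes
        stateful.on_syn(spoofed, now=i // 100)
        cookies.on_syn(spoofed, now=i // 100)
    now = flood_size // 100
    cookie = cookies.on_syn(legit, now)
    return {
        "stateful_during_flood": stateful.on_syn(legit, now),  # table is full
        "half_open_entries": len(stateful.half_open),
        "stateful_after_timeout": stateful.on_syn(legit, now + SYN_TIMEOUT),
        "cookie_during_flood": cookies.on_ack(legit, now + 1, cookie),
        "cookie_forged_ack": cookies.on_ack(legit, now + 1, b"\0\0\0\0"),
    }
```

Running `simulate()` shows the stateful server rejecting the legitimate SYN while the spoofed entries occupy the table and accepting it again once they have timed out, whereas the cookie server completes the legitimate handshake during the flood and rejects an ACK carrying a forged cookie.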
A hostile client can exploit half-open connections and possibly get access to server files. The transmission by a hostile client of SYN packets for the purpose of finding open ports and hacking into one or more of them is called SYN scanning. A hostile client always knows a port is open when the server responds with a SYN/ACK packet.

- Joohi Sinha
Stay tuned for more...
