Friday, June 18, 2010

TCP SYN ATTACK: A Form of DDOS Attack

A SYN attack is a form of Denial-of-Service attack. In this type of attack the attacker sends a flood of SYN packets to the target machine and brings it down. To understand this attack better we need to look at the connection-initiation phase of the TCP protocol. When a client attempts to establish a connection with a server over TCP, both the client and the server need to go through a 3-way handshake. The steps shown below demonstrate the 3-way handshake:

1. The client requests a connection by sending a SYN (synchronize) message to the server.
2. The server acknowledges this request by sending a SYN-ACK back to the client.
3. The client responds with an ACK, and the connection is established.

In a TCP SYN attack the attacker exploits the first step of the 3-way handshake. When he pumps a flood of SYN packets at the victim machine, the victim sends a SYN-ACK back for every one of the millions of SYNs it received. It not only sends the SYN-ACK back; the server also waits for the final ACK from the client. Hence the connections are half-open at this stage, and every half-open connection holds an entry in the server's connection table, which translates into consumption of a huge chunk of memory. After some time, when that memory is used up, the server can no longer accept new incoming connections. So all legitimate users are blocked from using the server's services. This is clearly a form of Denial of Service attack.
There are several ways in which this attack can be mitigated. One of the methods which I worked on is SYN cookies. In this case, when a client sends a SYN to the server, the server acknowledges it with a SYN-ACK that carries a cookie value. The client has to respond to the server with the same cookie; otherwise the connection is dropped. Moreover, if the client doesn't respond within a stipulated time frame, the half-open connection is closed too. In this way the attack can be thwarted quite comprehensively. I used to work on this feature while working on a Cisco product called Application Control Engine (Cisco ACE). During the testing phase, I used to generate millions of SYN packets to attack the ACE, but the SYN-cookie feature was very stable and I could crash the system only once :D.
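As an added illustration (not code from this post or from Cisco ACE), the simulation below contrasts a stateful listener that keeps a half-open entry per SYN with one that answers every SYN using a SYN cookie and keeps no state until the returning ACK proves the client is real. The cookie bit layout, the MSS table, the backlog size and all addresses are assumptions made for the example.

```python
import hashlib, hmac, os

SECRET = os.urandom(16)               # per-host secret; real stacks rotate it periodically
MSS_TABLE = [536, 1220, 1440, 1460]   # assumed table; the cookie carries an index into it
BACKLOG = 128                         # assumed SYN-queue capacity of the stateful server

def make_cookie(src, sport, dst, dport, t, mss_idx):
    """Stateless ISN (assumed layout): 5-bit time counter, 3-bit MSS index, 24-bit keyed hash."""
    msg = f"{src}:{sport}>{dst}:{dport}:{t & 0x1F}".encode()
    h = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((t & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | h

def check_cookie(src, sport, dst, dport, ack, now):
    """Return the MSS encoded in a valid, fresh cookie; None for a forged or stale ACK."""
    isn = (ack - 1) & 0xFFFFFFFF
    t, mss_idx = isn >> 27, (isn >> 24) & 0x7
    if (now - t) & 0x1F > 1 or mss_idx >= len(MSS_TABLE):  # stale, or an index we never issue
        return None
    if make_cookie(src, sport, dst, dport, t, mss_idx) != isn:  # keyed hash mismatch: forged
        return None
    return MSS_TABLE[mss_idx]

class NaiveServer:  # holds one half-open entry per SYN until its ACK arrives
    def __init__(self):
        self.half_open = {}
    def on_syn(self, src, sport):
        if len(self.half_open) >= BACKLOG:
            return None                                  # queue full: SYN silently dropped
        self.half_open[(src, sport)] = isn = int.from_bytes(os.urandom(4), "big")
        return isn                                       # state is held until the ACK comes
    def on_ack(self, src, sport, ack):
        isn = self.half_open.pop((src, sport), None)
        return isn is not None and ack == (isn + 1) & 0xFFFFFFFF

class CookieServer:  # holds no half-open state: the SYN-ACK sequence number is the state
    def __init__(self, ip="192.0.2.1", port=80, now=7):
        self.ip, self.port, self.now = ip, port, now
    def on_syn(self, src, sport, mss_idx=3):
        return make_cookie(src, sport, self.ip, self.port, self.now, mss_idx)  # never refused
    def on_ack(self, src, sport, ack):
        return check_cookie(src, sport, self.ip, self.port, ack, self.now) is not None

def simulate(server, flood=10_000):
    """Constructed scenario: spoofed SYNs that never complete, then one legitimate client."""
    for i in range(flood):
        server.on_syn(f"198.51.100.{i % 250}", 1024 + i)
    isn = server.on_syn("203.0.113.5", 40000)
    return isn is not None and server.on_ack("203.0.113.5", 40000, (isn + 1) & 0xFFFFFFFF)
```

With the same flood, `simulate(NaiveServer())` reports the legitimate client's SYN dropped, while `simulate(CookieServer())` completes its handshake; the time counter in the cookie is what enforces the "stipulated time frame" for the returning ACK.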
I know I have used a lot of technical terms in this blog. If any of my classmates is interested in learning this in detail, I will be happy to help.

