SYN-Flood

A SYN flood is a form of denial-of-service attack against computer systems. The attack uses the connection setup of the TCP transport protocol to make individual services, or whole computers, inaccessible from the network.

Operation

When a client wants to establish a TCP connection to a server, the client and server perform a so-called three-way handshake to set up the connection. The normal sequence, as seen in the figure, is the following:

  • The client sends a SYN packet to the server.
  • The server records the half-open connection and answers with a SYN-ACK packet.
  • The client completes the handshake with an ACK packet.

A malicious client can simply withhold the final ACK message. The server then waits for the corresponding packet for some time, since it could also just be arriving late because of network delays.

During this time, both the address of the client and the state of the still half-open connection are kept in the memory of the network stack, so that the connection can be fully established later. On every system such a half-open connection ties up resources on the server. Since these resources are limited, it is possible to use them all up by "flooding" the server with SYN messages. Once this happens, no new connections can be established, which amounts to a denial of service for the server. The fact that SYN packets are very small and can be produced without great computational effort makes this attack particularly asymmetric: the defender needs more resources to fend off the attack than the attacker needs to carry it out.

Affected resources

Among the resources that may be affected is, above all, the table in which the TCP stack keeps track of its connections. The main memory of the server may also be affected as a secondary effect: the so-called backlog queue of the TCP stack, which acts as a waiting queue when many connections are being set up at the same time, also needs memory. If the attacked server runs out of memory, in many cases it crashes completely or partially.
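The two sections above describe a capacity problem: every unanswered SYN occupies a slot in a bounded table until either the final ACK arrives or a timeout expires. The following model, added here as an illustration and not taken from the article or from any real TCP stack, implements exactly that bookkeeping. `HalfOpenTable`, `simulate` and `steady_state_half_open` are constructed names, the backlog size and timeout are assumed parameters, and the source addresses are RFC 5737 documentation addresses. It shows that the number of half-open entries settles at roughly rate x timeout, capped by the backlog, and that once the cap is reached a legitimate client's SYN is dropped even though the server is otherwise idle.

```python
"""Capacity model of a server's half-open connection table (added example).

Constructed illustration code, not from the article: it models a listener
whose backlog holds at most `backlog` half-open connections, each of which is
released either by the client's final ACK or by a SYN timeout.
"""
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    backlog: int            # maximum number of half-open connections held
    syn_timeout: float      # seconds an entry is kept while waiting for the ACK
    pending: dict = field(default_factory=dict)   # (addr, port) -> expiry time
    refused: int = 0        # SYNs dropped because the table was full
    established: int = 0    # handshakes completed

    def expire(self, now: float) -> int:
        """Drop entries whose timeout has passed; return how many were dropped."""
        stale = [key for key, expiry in self.pending.items() if expiry <= now]
        for key in stale:
            del self.pending[key]
        return len(stale)

    def on_syn(self, addr: str, port: int, now: float) -> bool:
        """Handle an incoming SYN. True means a SYN-ACK would be sent."""
        self.expire(now)
        key = (addr, port)
        if key in self.pending:
            return True                     # retransmitted SYN: no new slot needed
        if len(self.pending) >= self.backlog:
            self.refused += 1
            return False                    # table full: SYN silently dropped
        self.pending[key] = now + self.syn_timeout
        return True

    def on_ack(self, addr: str, port: int, now: float) -> bool:
        """Handle the client's final ACK. True means the connection is established."""
        self.expire(now)
        key = (addr, port)
        if key not in self.pending:
            return False                    # no matching half-open connection
        del self.pending[key]
        self.established += 1
        return True


def simulate(backlog: int, syn_timeout: float, unanswered_syn_rate: int,
             legit_at: float) -> tuple[bool, HalfOpenTable]:
    """Feed `unanswered_syn_rate` SYNs per second that are never acknowledged
    (constructed source 198.51.100.7, a fresh port each) until `legit_at`, then
    attempt one complete handshake from a legitimate client (192.0.2.10).
    Returns (legitimate handshake succeeded, final table state)."""
    table = HalfOpenTable(backlog, syn_timeout)
    port = 1024
    t = 0.0
    while t < legit_at:
        for _ in range(unanswered_syn_rate):
            table.on_syn("198.51.100.7", port, t)
            port += 1
        t += 1.0
    ok = (table.on_syn("192.0.2.10", 40000, legit_at)
          and table.on_ack("192.0.2.10", 40000, legit_at + 0.05))
    return ok, table


def steady_state_half_open(unanswered_syn_rate: int, syn_timeout: float,
                           backlog: int) -> int:
    """Half-open entries the table settles at once every entry is ageing out
    as fast as new ones arrive: rate x timeout, capped by the backlog."""
    return min(int(unanswered_syn_rate * syn_timeout), backlog)


if __name__ == "__main__":
    for rate in (2, 10):
        ok, table = simulate(backlog=128, syn_timeout=30.0,
                             unanswered_syn_rate=rate, legit_at=20.0)
        print(f"{rate} unanswered SYN/s: legitimate client connected={ok}, "
              f"pending={len(table.pending)}, refused={table.refused}")
```

With a backlog of 128 and a 30-second timeout, 10 unanswered SYNs per second fill the table in under 13 seconds, after which every further SYN, legitimate or not, is refused. Shortening the timeout or enlarging the backlog only moves the point of exhaustion, which is why the countermeasures in the next section avoid storing per-SYN state at all.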

Countermeasures

Possible measures against SYN floods:

  • The SYN cookie mechanism
  • RST cookies
  • A real-time analysis of the attack by an intelligent firewall.

However, under certain circumstances these measures do not protect against distributed denial-of-service attacks.
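The first countermeasure in the list, SYN cookies, removes the half-open table from the picture entirely. The following example, added here and not taken from the article or from any operating system's TCP stack, shows the idea in working code: the server folds a slow counter, an MSS table index and a keyed MAC over the connection 4-tuple into the initial sequence number of its SYN-ACK, keeps nothing, and on the final ACK recomputes the MAC from the acknowledged number. The bit layout, the 64-second counter period, the MSS table, the key and the function names (`make_cookie`, `check_cookie`, `handshake_demo`) are assumptions for this illustration; the addresses are documentation addresses.

```python
"""SYN cookies as a stateless handshake (added example, not from the article).

Instead of recording a half-open connection, the server encodes everything it
needs into the initial sequence number (ISN) of its SYN-ACK: a slowly moving
counter, an index into a small table of MSS values, and a keyed MAC over the
connection 4-tuple. When the final ACK arrives the server recomputes the MAC
and accepts the connection only if it matches, so a SYN that is never
acknowledged costs no memory. Layout, key and timings are assumptions.
"""
import hashlib
import hmac

# Constructed secret; a real implementation would generate and rotate it.
SECRET = b"constructed-example-key-not-for-real-use"
MSS_TABLE = (536, 1220, 1300, 1440, 1460, 4312, 8960, 65495)   # 8 entries -> 3 bits
COUNTER_PERIOD = 64.0                              # seconds per counter tick (assumed)
COUNTER_BITS, MSS_BITS, MAC_BITS = 5, 3, 24        # 5 + 3 + 24 = 32-bit ISN


def _counter(now: float) -> int:
    return int(now // COUNTER_PERIOD) & ((1 << COUNTER_BITS) - 1)


def _mac(secret: bytes, src: str, sport: int, dst: str, dport: int, counter: int) -> int:
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")       # truncate to 24 bits


def make_cookie(secret: bytes, src: str, sport: int, dst: str, dport: int,
                now: float, client_mss: int) -> int:
    """ISN for the SYN-ACK; the server stores nothing after sending it."""
    # largest table entry not above the MSS the client advertised in its SYN
    mss_index = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    counter = _counter(now)
    mac = _mac(secret, src, sport, dst, dport, counter)
    return (counter << (MSS_BITS + MAC_BITS)) | (mss_index << MAC_BITS) | mac


def check_cookie(secret: bytes, src: str, sport: int, dst: str, dport: int,
                 now: float, ack_number: int):
    """Validate the client's final ACK. Returns the recovered MSS, or None if
    the ACK does not carry a cookie this server recently issued for this 4-tuple."""
    isn = (ack_number - 1) & 0xFFFFFFFF            # the client acknowledges ISN + 1
    counter = isn >> (MSS_BITS + MAC_BITS)
    mss_index = (isn >> MAC_BITS) & ((1 << MSS_BITS) - 1)
    mac = isn & ((1 << MAC_BITS) - 1)
    current = _counter(now)
    # Accept the current tick and the previous one, so a cookie stays valid
    # for between one and two counter periods and old ACKs cannot be replayed.
    if counter not in (current, (current - 1) & ((1 << COUNTER_BITS) - 1)):
        return None
    expected = _mac(secret, src, sport, dst, dport, counter)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_index]


def handshake_demo() -> dict:
    """Walk one legitimate handshake and two rejected ACKs; return the outcomes."""
    src, sport, dst, dport = "192.0.2.10", 40000, "198.51.100.1", 443   # constructed
    isn = make_cookie(SECRET, src, sport, dst, dport, now=1000.0, client_mss=1460)
    return {
        # ACK arrives 10 s later with the right acknowledgement number
        "valid": check_cookie(SECRET, src, sport, dst, dport, 1010.0, isn + 1),
        # acknowledgement number off by one: MAC no longer matches
        "wrong_ack": check_cookie(SECRET, src, sport, dst, dport, 1010.0, isn + 2),
        # same ACK replayed three counter periods later: counter too old
        "stale": check_cookie(SECRET, src, sport, dst, dport,
                              1000.0 + 3 * COUNTER_PERIOD, isn + 1),
    }


if __name__ == "__main__":
    print(handshake_demo())
```

The price of statelessness is visible in the layout: only the MSS survives the round trip, so other options the client advertised in its SYN (window scaling, SACK) are lost unless the stack can recover them from the final ACK, for example via TCP timestamps. That is why real stacks typically keep the ordinary backlog and switch to cookies only once it overflows.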
