SYN flood

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system [RFC 4987, TCP SYN Flooding Attacks and Common Mitigations].

When a client attempts to start a TCP connection to a server, the client and server exchange a series of messages which normally runs like this:

1. The client requests a connection by sending a SYN ("synchronize") message to the server.
2. The server "acknowledges" this request by sending SYN-ACK back to the client.
3. The client responds with an ACK, and the connection is established.

This is called the TCP three-way handshake, and is the foundation for every connection established using the TCP protocol.

The SYN flood is a well-known type of attack and is generally not effective against modern networks. It works if a server allocates resources after receiving a SYN, but before it has received the ACK.

There are two methods, both of which involve the server not receiving the ACK. A malicious client can skip sending this last ACK message. Alternatively, by spoofing the source IP address in the SYN, the attacker makes the server send the SYN-ACK to the falsified IP address, so the server never receives the ACK. In both cases the server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK.

If these "half-open connections" bind resources on the server, it may be possible to take up all these resources by flooding the server with SYN messages. Once all resources set aside for half-open connections are reserved, no new connections (legitimate or not) can be made, resulting in denial of service. Some systems may malfunction badly or even crash if other operating system functions are starved of resources this way.

The [http://www.cert.org/advisories/CA-1996-21.html technology often used in 1996 for allocating resources for half-open TCP connections] involved a queue which was often very short (e.g., [http://www.sean.de/Solaris/soltune.html 8 entries long]), with each entry of the queue being removed upon a completed connection or upon expiry (e.g., after [http://tools.ietf.org/html/rfc1122#section-4.2.3.5 3 minutes]). When the queue was full, further connections failed. With the examples above, all further connections would be prevented for 3 minutes by sending a total of 8 packets. A well-timed 8 packets every 3 minutes would prevent all further TCP connections from completing. This allowed for a denial-of-service attack with very minimal traffic.

Proposed countermeasures include SYN cookies or limiting the number of new connections from a source per timeframe, but because modern TCP/IP stacks do not have the above-mentioned bottleneck, there should be little or no difference between a SYN flood and any other channel capacity-based attack.

Reflector routers can also be used as attackers, instead of client machines.

External links

* [http://www.cert.org/advisories/CA-1996-21.html Official CERT advisory on SYN Attacks]


Wikimedia Foundation. 2010.
