You are here: Computer Attacks and Prevention > Subtopic 1 > Content

Subtopic 1: Denial of Service Attack

Method – SYN Flood

Internet communications are initiated by the exchange of packets. A client first sends a packet with the SYN (synchronization) flag set.  The server send a packet back with the SYN and ACK (acknowledged) flags set.  The server then waits for the client to respond with a packet that has the ACK flag set.  After this 3-way handshake is successful, communications between the client and server can occur.  This normally happens quite quickly so servers do not typically have the ability to handle numerous clients that are in the process of handshaking. 

These “half-open” connections can be exploited by flooding a server with a relatively small number of SYN packets that are never responded to by the client in the 3^rd part of the handshake cycle.  Usually these packets are sent from an IP address that doesn’t exist.   This causes the server to wait for a packet that never arrives and prohibits new clients from communicating with the server.  Although servers will eventually close down the half-open connection, new SYN floods can periodically be sent.

Prevention – SYN Flood

Firewalls now have the capability to mitigate the impact of a SYN flood.  They can automatically respond with an ACK packet to the server’s request.  This fools the server into thinking that the connection has been established so the server clears the connection out of the half-opened queue freeing that spot up for a new connection.  The firewall then monitors the connection for a “real” ACK packet and processes it as appropriate.  To prevent SYN floods from adversely impacting their systems, all companies with an online presence should run a proven, updated firewall.

References

Further reading and research can be found at the following links:

• http://staff.washington.edu/dittrich/misc/ddos/
• http://www.cert.org/tech_tips/denial_of_service.html
• http://www.denialinfo.com/