The SYN-Flood Attack
We recently saw how the standard
TCP/IP session establishment sequence may be used by an attacker
to establish one half of a valid connection with a target system.
However, an attacker may choose the SYN-Flood,
or half-open, attack:
- the attacker (client) sends a SYN request to the server,
- the server records the request on a queue of connections waiting to
complete, replies with a SYN/ACK packet,
and eagerly awaits the final ACK reply.
- however, the attacker does not send the ACK reply.
Instead, the attacker sends another, actually hundreds of,
SYN requests with different source forged address.
Fast TCP session establishment is considered vital,
but operating systems allocate only a small number of these 'half-open'
sockets, before running out of resources.
The release of these incomplete 'half-open' sockets is slow (30secs),
and so an attacker can quickly exhaust the supply of buffers
which are pre-allocated.
To avoid SYN-Flood attacks,
modern operating systems will now not employ
large number of 'half-open' sockets for new connections.
Instead, they will encode and save the opening details
(such as the client's IP address) as a 32-bit number,
and use this as the initial sequence number in the SYN/ACK reply.
Only if the final ACK reply returns,
will socket resources be allocated.
CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p13, 15th May 2024.
|
CITS3002