CITS3002 Computer Networks  

The SYN-Flood Attack

We recently saw how the standard TCP/IP session establishment sequence may be used by an attacker to establish one half of a valid connection with a target system.

However, an attacker may choose the SYN-Flood, or half-open, attack:

  • the attacker (client) sends a SYN request to the server,

  • the server records the request on a queue of connections waiting to complete, replies with a SYN/ACK packet, and eagerly awaits the final ACK reply.

  • however, the attacker does not send the ACK reply. Instead, the attacker sends another, actually hundreds of, SYN requests, each with a different forged source address.

Fast TCP session establishment is considered vital, but operating systems allocate only a small number of these 'half-open' sockets before running out of resources. The release of these incomplete 'half-open' sockets is slow (30 secs), and so an attacker can quickly exhaust the supply of pre-allocated buffers.

To avoid SYN-Flood attacks, modern operating systems no longer employ a large number of 'half-open' sockets for new connections.

Instead, they will encode and save the opening details (such as the client's IP address) as a 32-bit number, and use this as the initial sequence number in the SYN/ACK reply. Socket resources are allocated only if the final ACK reply returns.
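The defence described above can be sketched as follows. This is an added example, not code from the lecture or from any operating system: the keyed-hash layout, the `SECRET` key, the 64-second time slot and all function names are assumptions chosen for illustration, and real stacks use their own cookie layouts.

```python
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret"   # assumption: a random per-boot key in a real stack
SLOT_SECONDS = 64                     # assumption: granularity of cookie lifetime


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """Encode the connection's opening details as a 32-bit sequence number."""
    msg = struct.pack(
        "!4sH4sHII",
        ipaddress.IPv4Address(src_ip).packed, src_port,
        ipaddress.IPv4Address(dst_ip).packed, dst_port,
        client_isn, slot & 0xFFFFFFFF,
    )
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def on_syn(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Handle a SYN: return the SYN/ACK's (seq, ack) without storing any state."""
    slot = int(now) // SLOT_SECONDS
    seq = syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, slot)
    return seq, (client_isn + 1) % 2**32


def on_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Handle the final ACK: True only if it echoes a cookie this server issued."""
    client_isn = (seq - 1) % 2**32    # the ACK's seq is the client ISN + 1
    echoed = (ack - 1) % 2**32        # the ACK's ack is our cookie + 1
    slot = int(now) // SLOT_SECONDS
    for s in (slot, slot - 1):        # accept the current and the previous slot
        good = syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, s)
        if hmac.compare_digest(struct.pack("!I", good), struct.pack("!I", echoed)):
            return True               # only at this point would a socket be allocated
    return False
```

Because `on_syn` keeps nothing in memory, a flood of SYNs from forged addresses consumes no queue entries; a forged source never receives the SYN/ACK and so cannot return the matching ACK.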


CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p13, 15th May 2024.