SUMMARY: SYN flood attack ...

From: Rodney Wines (rodney.wines@ahqps.alcatel.fr)
Date: Wed Jun 17 1998 - 07:35:41 CDT


Thank you to everyone who replied. I had five answers even before my question
was echoed back to me by the list.

A special thanks to Janet Hoo for pointers to some of the most complete
information on the problem:

> Check out the cert web page. http://www.cert.org and look up Cert
> Advisory CA 96.21. It explains TCP SYN Flooding and IP Spoofing Attacks.

> It is also at ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding

Briefly, this is a fairly old (circa 1966) brute force denial of service
attack. Quoting from the CERT advisory, "The consequences of the attack may
vary depending on the system; however, the attack itself is fundamental to the
TCP protocol used by all systems."

Again, from the CERT advisory, here's how it works:

     When a system (called the client) attempts to establish a TCP connection to
     a system providing a service (the server), the client and server exchange a
     set sequence of messages. This connection technique applies to all TCP
     connections--telnet, Web, email, etc.

     The client system begins by sending a SYN message to the server. The
     server then acknowledges the SYN message by sending SYN-ACK message to the
     client. The client then finishes establishing the connection by responding
     with an ACK message. The connection between the client and the server is
     then open, and the service-specific data can be exchanged between the
     client and the server. Here is a view of this message flow:
        ...
     The potential for abuse arises at the point where the server system has
     sent an acknowledgment (SYN-ACK) back to client but has not yet received
     the ACK message. This is what we mean by half-open connection. The server
     has built in its system memory a data structure describing all pending
     connections. This data structure is of finite size, and it can be made to
     overflow by intentionally creating too many partially-open connections.

A server attacked in this way may eventually be unable to accept new
connections, although already open connections and outgoing connections work
fine. Older systems may even crash. You can imagine the excitement this can
cause if a DNS server or mail hub is attacked in this way.

Sanjay Patel also pointed out that this problem is not always the result of an
attack. A misconfigured firewall can allow the SYN through, but not allow
SYN-ACK back out, and the result would be the same. If you want to know
more, read the CERT advisory.
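As an added illustration (not part of this summary or of the CERT advisory), here is a small Python model of the finite pending-connection table described above. The table size, the expiry timeout and the warning heuristic are assumptions of the model, not any real kernel's values; the same run covers both the spoofed-source case and the misconfigured-firewall case, since in both the SYN-ACK never reaches the client and no ACK ever comes back.

```python
# Added model of the finite half-open table the advisory describes (not a real kernel's code).
class HalfOpenTable:
    def __init__(self, capacity, timeout):
        self.capacity = capacity   # assumed table size
        self.timeout = timeout     # assumed seconds before an un-ACKed entry expires
        self.pending = {}          # client id -> time the SYN-ACK was sent
        self.dropped = self.timed_out = self.established = 0

    def expire(self, now):
        """Free entries whose ACK never arrived within the timeout."""
        stale = [c for c, t in self.pending.items() if now - t >= self.timeout]
        for c in stale:
            del self.pending[c]
        self.timed_out += len(stale)

    def syn(self, client, now):
        """Client SYN: reserve a slot ('send' SYN-ACK), or refuse when the table is full."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False
        self.pending[client] = now
        return True

    def ack(self, client, now):
        """Client ACK completes the handshake and frees the slot."""
        self.expire(now)
        if client not in self.pending:
            return False
        del self.pending[client]
        self.established += 1
        return True

def timeout_rate_warning(timed_out, established):
    """Assumed heuristic for a 'high connect timeout rate': expiries outpace completed handshakes."""
    return timed_out > established

def simulate(n_syn, syn_ack_reaches_client, capacity=4, timeout=10):
    """n_syn SYNs arrive one per second; a client ACKs only if the SYN-ACK reached it
    (it does not when the source is spoofed/unreachable or a firewall blocks the
    SYN-ACK). A legitimate client then tries to connect at t = n_syn."""
    table = HalfOpenTable(capacity, timeout)
    for t in range(n_syn):
        table.syn(("peer", t), t)
        if syn_ack_reaches_client:
            table.ack(("peer", t), t)
    legit_ok = table.syn("legit", n_syn) and table.ack("legit", n_syn)
    return {"established": table.established, "dropped": table.dropped,
            "timed_out": table.timed_out, "legit_connected": legit_ok,
            "warning": timeout_rate_warning(table.timed_out, table.established)}
```

With SYN-ACKs delivered, every handshake completes and the legitimate client gets in; with them lost, the four slots fill within seconds, later SYNs are refused until entries expire, the legitimate client is turned away, and the warning fires while no existing connection is affected.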

Someone also told me that "SysAdmin" magazine had an article on this recently.
I guess I'm going to have to subscribe so I'll know what the hackers are
reading ... :-)

Original question:

> I found the following in /var/adm/messages on one of our web servers:
>
> Jun 15 13:31:32 xxx.yyy.zzz unix: WARNING: High TCP connect timeout rate!
> System (port 80) may be under a SYN flood attack!
>
> Can someone tell me what this means, and whether or not there's anything I can
> do about it?

Rodney



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:42 CDT