Thank you to everyone who replied. I had five answers even before my question
was echoed back to me by the list.
A special thanks to Janet Hoo for pointers to some of the most complete
information on the problem:
> Check out the cert web page. http://www.cert.org and look up Cert
> Advisory CA 96.21. It explains TCP SYN Flooding and IP Spoofing Attacks.
> It is also at ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding
Briefly, this is a fairly old (circa 1996) brute force denial of service
attack. Quoting from the CERT advisory, "The consequences of the attack may
vary depending on the system; however, the attack itself is fundamental to the
TCP protocol used by all systems."
Again, from the CERT advisory, here's how it works:
When a system (called the client) attempts to establish a TCP connection to
a system providing a service (the server), the client and server exchange a
set sequence of messages. This connection technique applies to all TCP
connections--telnet, Web, email, etc.
The client system begins by sending a SYN message to the server. The
server then acknowledges the SYN message by sending a SYN-ACK message to the
client. The client then finishes establishing the connection by responding
with an ACK message. The connection between the client and the server is
then open, and the service-specific data can be exchanged between the
client and the server. Here is a view of this message flow:
...
The potential for abuse arises at the point where the server system has
sent an acknowledgment (SYN-ACK) back to client but has not yet received
the ACK message. This is what we mean by half-open connection. The server
has built in its system memory a data structure describing all pending
connections. This data structure is of finite size, and it can be made to
overflow by intentionally creating too many partially-open connections.
A server attacked in this way may eventually be unable to accept new
connections, although already open connections and outgoing connections work
fine. Older systems may even crash. You can imagine the excitement this can
cause if a DNS server or mail hub is attacked in this way.
Sanjay Patel also pointed out that this problem is not always the result of an
attack. A misconfigured firewall can allow the SYN through, but not allow
SYN-ACK back out, and the result would be the same. If you want to know
more, read the CERT advisory.
Someone also told me that "SysAdmin" magazine had an article on this recently.
I guess I'm going to have to subscribe so I'll know what the hackers are
reading ... :-)
Original question:
> I found the following in /var/adm/messages on one of our web servers:
>
> Jun 15 13:31:32 xxx.yyy.zzz unix: WARNING: High TCP connect timeout rate!
> System (port 80) may be under a SYN flood attack!
>
> Can someone tell me what this means, and whether or not there's anything I can
> do about it?
Rodney
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:12:42 CDT