SYN flooding
   HOME

TheInfoList



Click Here for Items Related To - SYN flooding
OR:
SYN flooding on:   [Wikipedia]   [Google]   [Amazon]

A SYN flood is a form of denial-of-service attack in which an attacker rapidly initiates a connection to a server without finalizing the connection. The server has to spend resources waiting for half-opened connections, which can consume enough resources to make the system unresponsive to legitimate traffic. The packet that the attacker sends is the SYN packet, a part of
TCP TCP may refer to: Science and technology * Transformer coupled plasma * Tool Center Point, see Robot end effector Computing * Transmission Control Protocol, a fundamental Internet standard * Telephony control protocol, a Bluetooth communication s ...
's
three-way handshake The Transmission Control Protocol (TCP) is one of the main protocols of the Internet protocol suite. It originated in the initial network implementation in which it complemented the Internet Protocol (IP). Therefore, the entire suite is commonly ...
used to establish a connection.


Technical details

When a client attempts to start a
TCP TCP may refer to: Science and technology * Transformer coupled plasma * Tool Center Point, see Robot end effector Computing * Transmission Control Protocol, a fundamental Internet standard * Telephony control protocol, a Bluetooth communication s ...
connection to a server, the client and
server Server may refer to: Computing *Server (computing), a computer program or a device that provides functionality for other programs or devices, called clients Role * Waiting staff, those who work at a restaurant or a bar attending customers and su ...
exchange a series of messages which normally runs like this: #The client requests a connection by sending a SYN (''synchronize'') message to the server. #The server ''acknowledges'' this request by sending SYN-ACK back to the client. #The client responds with an ACK, and the connection is established. This is called the TCP three-way handshake, and is the foundation for every connection established using the TCP protocol. A SYN flood attack works by not responding to the server with the expected ACK code. The malicious client can either simply not send the expected ACK, or by spoofing the source IP address in the SYN, cause the server to send the SYN-ACK to a falsified IP address – which will not send an ACK because it "knows" that it never sent a SYN. The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK. However, in an attack, the ''
half-open connection Half-open may refer to: * Half-open file in chess * Half-open vowel, a class of vowel sound Computing and mathematics * Half-open interval, an interval containing only one of its endpoints * Half-open line segment, a line segment containing only ...
s'' created by the malicious client bind resources on the server and may eventually exceed the resources available on the server. At that point, the server cannot connect to any clients, whether legitimate or otherwise. This effectively denies service to legitimate clients. Some systems may also malfunction or crash when other operating system functions are starved of resources in this way.


Countermeasures

There are a number of well-known countermeasures listed in RFC 4987 including: #Filtering #Increasing backlog #Reducing SYN-RECEIVED timer #Recycling the oldest half-open TCP #SYN cache #
SYN cookies Syn or SYN may refer to: In arts and entertainment In music *The Syn, a band *Synyster Gates, lead guitarist of the band Avenged Sevenfold Fictional characters *Doctor Syn, in novels by Russell Thorndike Other uses in arts and entertainment *SY ...
#Hybrid approaches #Firewalls and proxies


See also

*
Fraggle attack A Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. M ...
*
Internet Control Message Protocol The Internet Control Message Protocol (ICMP) is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating success or failure when communi ...
* IP address spoofing * Ping flood * Smurf attack *
UDP flood attack A UDP flood attack is a volumetric denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol. Using UDP for denial-of-service attacks is not as straightforward as with the Tra ...


References


External links


Official CERT advisory on SYN Attacks
{{DEFAULTSORT:Syn Flood Denial-of-service attacks