Sunday, 25 May 2008

SYN Flood Attack - A DOS attack method

In TCP/IP protocol, the protocol uses SYN/ACK handshake to establish connection between two hosts. The communication host who initiating a connection sends a packet with SYN flag to the target host. Target host on receiving this packet, sends another packet with ACK flag set to indicate that the connection request is accepted. The reply will also be with a SYN flag to open a connection to the first host. The first host on receiving this SYN/ACK flagged packet, opens a reverse channel. This is the part of 3-way handshake protocol for establishing a communication channel.

To illustrate this, the protocol messages would be:
Host 1 --> Host 2: SYN
Host 2 --> Host 1: SYN / ACK
Host 1 --> Host 2: ACK

An attacker who wants to launch a Denial of Service (DoS) attack uses this property of the communication hosts, ie; if the ACK flagged packet from the Host 1 is not received, Host 2 waits for some time leaving the connection half-opened and memory allocated for the first received SYN message.
An attacker send thousands of packets to the target system. The target system then sends the ACK and SYN flagged messages and waits to receive the last ACK message from Host1. The attacker then sends no ACK flagged packets making Host 2 wait to wait for receiving ACK message. Eventaully, as large number of messages are waiting for the final ACK message, system will be running out of memory to accept more packets. Thus by flooding the memory, the target system accepts no new connection and DoS is successfully done.

There are a few countermeasures available. Users can use firewalls to filter out receiving repeated packets with SYN flag. Also, a Network based IDS (Intrusion Detection System) can efficiently counter this attacker by analyzing the packet signatures.

No comments:

Microsoft Passport - A Single Sign-on System

Microsoft passport is a facility from MS which offers single sign on capabilities. With SSO, user don't need to remember each password f...