Before you can understand how SYN flood attacks work, you need to understand how a normal TCP three-way handshake works. A server performs a passive open on a port (it listens there) so that clients can connect to it, and each connection is then established via a three-way handshake. A connection that has been started but not yet completed, because the server has answered the client's SYN but has not yet received the client's final ACK, is called half-open.
Step 1: SYN. The client sends a SYN packet to the server to create an active open.
Step 2: SYN-ACK. The server acknowledges with a SYN-ACK.
Step 3: ACK. The client responds with an ACK.
A full connection between the client and server is now established. If the server cannot accept the connection (for example, nothing is listening on that port), it answers the SYN with an RST packet instead, so no half-open connection is left behind and no resources stay committed.
SYN floods are protocol attacks that exploit a weakness in the three-way handshake. When the server sends its SYN-ACK it must remember the half-open connection (the SYN queue, or listen backlog) until the client's ACK arrives, and most operating systems cap the number of half-open connections a listening port may hold at any one time. Once that cap is reached, the server drops new connection requests until existing half-open entries time out. The attacker sends a stream of SYN packets, usually from spoofed source addresses, and never sends the final ACK, so the server waits with the entry allocated, and because nothing ever sends an RST the connection is not terminated early either. Each entry does expire eventually, typically after tens of seconds of SYN-ACK retransmissions, but the attacker keeps sending SYNs faster than entries expire, consuming the server's resources and preventing legitimate clients from connecting.
In recent years, attackers have evolved their SYN flood methods. A combo SYN flood uses two types of SYN packets. Regular, minimal-size SYN packets are used to consume the server's half-open connection table. At the same time, large SYN packets (above 250 bytes, far more than the 40 to 60 bytes a normal SYN occupies) saturate the network link, adding a volumetric aspect to the SYN flood attack.
The three-way handshake also leaks information that attackers can exploit. A SYN sent to a listening port is answered with a SYN-ACK, a SYN sent to a closed port is answered with an RST, and a SYN to a filtered port usually gets no reply at all, so the response tells the sender exactly which ports are open. SYN scanning (also called half-open scanning) sends SYNs to many ports, records the replies, and answers each SYN-ACK with an RST rather than an ACK, so the connection is never completed and may never be seen by the application. The resulting list of open ports gives the attacker options for which attacks to try next.
Despite the fact that SYN flood attacks have been around for two decades – and even combo SYN floods have been around for several years – they are still a huge problem. Kaspersky’s Botnet DDoS Attacks in Q3 2015 report found that SYN floods were the most popular DDoS attack method in Q3 of 2015, accounting for more than half of all DDoS attacks. And SYN floods can be massive. According to Akamai’s State of the Internet / Security Q3 2015 report, the largest “mega attack” it mitigated was a SYN flood that peaked at 222 Mpps – that’s 222 million packets per second!
Because a SYN packet starts every legitimate connection, it can be difficult to distinguish malicious requests from legitimate traffic. Here are some common approaches for detecting and mitigating SYN flood attacks.
Time-outs: You could decrease the length of time the server waits for the client's final ACK before discarding a half-open connection (on most systems this means fewer SYN-ACK retransmissions). This could, however, prevent legitimate clients on slow or lossy paths from connecting. And the counter-measure is easily overcome by simply increasing the barrage of SYN packets to the server: at steady state the half-open table holds roughly the incoming SYN rate multiplied by the timeout, so halving the timeout only buys headroom until the attacker doubles the rate.
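The following is an added example, not code from the original article or from FlowTraq: a toy model of a listening port's half-open table that reproduces the behaviour described above (attacker SYNs that are never ACKed fill the table and legitimate clients get dropped) and shows why a shorter timeout only helps until the attacker raises the rate. The backlog size, timeout, rates and 10 ms tick are constructed parameters, not values taken from any particular operating system.

```python
import collections


class Listener:
    """Toy model of one listening port's half-open connection table (the SYN
    queue / listen backlog). Time is counted in integer ticks of 10 ms so the
    model is deterministic. backlog and timeout_ticks are constructed values."""

    def __init__(self, backlog, timeout_ticks):
        self.backlog = backlog
        self.timeout_ticks = timeout_ticks
        self.half_open = {}          # key -> tick at which the entry expires
        self.established = 0
        self.dropped_syns = 0

    def _expire(self, now):
        # Entries whose timeout has elapsed are discarded, freeing their slot.
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def syn(self, key, now):
        """SYN received: allocate a half-open entry, or drop it if the table is full."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return False
        self.half_open[key] = now + self.timeout_ticks
        return True

    def ack(self, key, now):
        """Final ACK received: promote the half-open entry to an established connection."""
        self._expire(now)
        if key not in self.half_open:
            return False
        del self.half_open[key]
        self.established += 1
        return True


def simulate(backlog, timeout_s, attack_pps, legit_cps=10, duration_s=30, rtt_ticks=5):
    """Run the model for duration_s seconds. The attacker sends attack_pps spoofed
    SYNs per second and never ACKs; legitimate clients open legit_cps connections
    per second and ACK one RTT (rtt_ticks) later. Returns the fraction of
    legitimate connection attempts that reached the established state."""
    ticks_per_s = 100                                 # 10 ms ticks
    lst = Listener(backlog, timeout_s * ticks_per_s)
    pending_acks = collections.deque()                # (due tick, key)
    legit_sent = legit_ok = 0
    attack_per_tick = attack_pps // ticks_per_s
    legit_every = ticks_per_s // legit_cps
    for now in range(duration_s * ticks_per_s):
        while pending_acks and pending_acks[0][0] <= now:
            _, key = pending_acks.popleft()
            if lst.ack(key, now):
                legit_ok += 1
        for j in range(attack_per_tick):              # spoofed SYNs, never ACKed
            lst.syn(("spoofed", now, j), now)
        if now % legit_every == 0:                    # one legitimate client
            legit_sent += 1
            key = ("client", now)
            if lst.syn(key, now):
                pending_acks.append((now + rtt_ticks, key))
    return legit_ok / legit_sent


if __name__ == "__main__":
    # Constructed scenario: 256 half-open slots; compare timeouts and attack rates.
    for timeout_s, pps in [(3, 0), (3, 100), (1, 100), (1, 300)]:
        ok = simulate(256, timeout_s, pps)
        print(f"timeout={timeout_s}s attack={pps} SYN/s -> "
              f"{ok:.0%} of legitimate connects succeed")
```

With a 3 s timeout, 100 spoofed SYNs per second are enough to keep the 256-entry table full (300 entries would be outstanding at steady state), and legitimate clients only get through during the first couple of seconds. Cutting the timeout to 1 s brings the steady state down to about 100 entries and every legitimate client succeeds, but tripling the attack rate fills the table again.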
Filtering: You can use built-in features in firewalls and other devices to block or minimize malicious SYN requests. For example, a firewall can help protect against a simple attack that uses a small number of unusual IP addresses with a rule to drop incoming traffic from those sources. This approach won’t, however, be effective against a sophisticated attacker with the ability to use a large group of compromised hosts or spoofed sources.
Proxies: Once a certain threshold is exceeded, connection establishment is offloaded to another system (a SYN proxy, typically a firewall or load balancer) that completes the three-way handshake with each client on the server's behalf and only then opens a connection to the server and splices the two together. Attempts that never complete time out on the proxy rather than on the server.
SYN cookies: A SYN cookie is a stateless mechanism, typically enabled once the half-open threshold is exceeded. Instead of recording the half-open connection, the server replies to each SYN with a SYN-ACK whose initial sequence number is a cookie: a value computed from the connection's addresses and ports, a slowly changing time counter, a secret key, and a compressed encoding of the client's MSS. The original SYN is then forgotten. When a client's ACK arrives, its acknowledgement number minus one is the cookie; if it validates and is recent, the server reconstructs the connection and establishes it, and if it does not, the ACK is simply dropped. SYNs from spoofed sources never produce a valid ACK and therefore consume no memory at all. There are limitations. Only a few bits are available in the sequence number, so the MSS is rounded down to one of a handful of values and other negotiated options (window scaling, selective acknowledgement) are lost unless the implementation carries them in the TCP timestamp option, which requires the client to use timestamps. And because the server keeps no state it cannot retransmit the SYN-ACK: if the client's final ACK is lost and the client sends no data, the initiator will think the connection has been successfully established while the server knows nothing about it.
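An added example of the cookie mechanism described above, written for this page and not taken from any operating system's implementation: the cookie follows the classic layout (5 bits of time counter, 3 bits of MSS index, 24 bits of keyed MAC), and a small stateless listener shows that spoofed SYNs leave nothing behind while a forged or stale ACK is rejected. The MSS table, secret key, counter values and addresses are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed parameters: a small MSS table (only 3 cookie bits index it) and a
# fixed secret. A real implementation rotates the secret periodically.
MSS_TABLE = (536, 1300, 1440, 1460)
SECRET = b"constructed-demo-secret-rotate-me"


def _mac24(saddr, daddr, sport, dport, count):
    """24-bit keyed MAC over the connection 4-tuple and the time counter."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_mss, count):
    """Compute the SYN-ACK initial sequence number (the cookie).

    Layout, following the original SYN cookie scheme:
      top 5 bits  : time counter modulo 32 (a counter that advances every minute)
      next 3 bits : index of the largest MSS_TABLE entry <= the client's MSS
      low 24 bits : MAC over (4-tuple, counter)
    """
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    return ((count & 0x1F) << 27) | (mss_idx << 24) | _mac24(saddr, daddr, sport, dport, count)


def check_syn_cookie(saddr, daddr, sport, dport, ack_num, count, max_age=2):
    """Validate the ACK that answers a cookie SYN-ACK. Returns the MSS to use for
    the reconstructed connection, or None if the cookie is forged or too old."""
    cookie = (ack_num - 1) & 0xFFFFFFFF       # the client ACKs our ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None
    for age in range(max_age + 1):            # accept the last few counter values only
        c = count - age
        if (c & 0x1F) == t and _mac24(saddr, daddr, sport, dport, c) == mac:
            return MSS_TABLE[mss_idx]
    return None


class CookieListener:
    """A listener that keeps no half-open state at all while cookies are active."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}                 # (saddr, sport) -> negotiated MSS

    def on_syn(self, saddr, sport, client_mss, count):
        # Nothing is stored; the SYN-ACK's sequence number carries all the state.
        return make_syn_cookie(saddr, self.addr, sport, self.port, client_mss, count)

    def on_ack(self, saddr, sport, ack_num, count):
        mss = check_syn_cookie(saddr, self.addr, sport, self.port, ack_num, count)
        if mss is None:
            return False                      # forged or stale: silently dropped
        self.established[(saddr, sport)] = mss
        return True


def demo():
    """Constructed scenario: 10,000 spoofed SYNs cost nothing, one real client
    connects, and an ACK replayed from a different port is rejected."""
    lst = CookieListener("192.0.2.10", 80)
    for i in range(10_000):
        lst.on_syn(f"198.51.100.{i % 256}", 1024 + i, 1460, count=7)
    isn = lst.on_syn("10.0.0.5", 40000, 1460, count=7)
    real = lst.on_ack("10.0.0.5", 40000, (isn + 1) & 0xFFFFFFFF, count=8)
    forged = lst.on_ack("10.0.0.5", 40001, (isn + 1) & 0xFFFFFFFF, count=8)
    return len(lst.established), real, forged     # -> (1, True, False)


if __name__ == "__main__":
    print(demo())
```

Note what the layout costs: the client's MSS survives only as an index into a four-entry table, and nothing else from the SYN (window scale, SACK permitted) is carried at all, which is exactly the loss of negotiated options mentioned above.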
IPS: Standard intrusion prevention systems (IPS) can detect SYN flood attacks and trigger automated mitigation processes. But this can be an expensive option and require sensors to be deployed throughout the network.
Network flow analysis: Network flow data – NetFlow, Jflow, sFlow, Cflow and IPFIX – contains valuable information about traffic traversing the network: IP addresses, ports and protocol, the exporting device, timestamps, VLAN, packet and byte counts, and TCP flags. NetFlow and IPFIX records carry the cumulative set of TCP flags seen over the life of a flow, so a flow that shows a SYN but never an ACK is a handshake that never completed. A surge of such flows toward one destination from many sources is the signature of a SYN flood, and the bytes per packet of those flows reveals whether it is a combo SYN flood. Solutions that analyze this data can therefore detect a high volume of incoming SYN requests quickly, including combo SYN floods, and immediately trigger mitigation.
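The following detector is an added example for this page, not FlowTraq's code or any vendor's algorithm: it groups constructed flow records by destination, counts flows whose cumulative flags show a SYN but never an ACK, and raises an alert when both the count and the share of such flows exceed thresholds, labelling the alert a combo SYN flood when enough of the incomplete flows carry oversized SYNs. The record fields, thresholds and sample traffic are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass
class Flow:
    """One exported flow record, reduced to the fields the detector needs.
    flags holds the cumulative TCP flags seen in the flow, as NetFlow/IPFIX
    export them ("S" = only a SYN was ever seen, "SAPF" = a completed session)."""
    src: str
    dst: str
    dport: int
    packets: int
    octets: int
    flags: str


# Constructed thresholds; tune them to the site's baseline traffic.
MIN_SYN_ONLY = 50          # incomplete handshakes per destination per window
MIN_SYN_ONLY_RATIO = 0.8   # share of all flows to that destination that never got an ACK
LARGE_SYN_BYTES = 250      # bytes/packet above which a SYN-only flow counts as "large"
COMBO_SHARE = 0.3          # share of large SYN-only flows that marks a combo SYN flood


def is_syn_only(flow):
    """True when the flow saw a SYN but never an ACK: a handshake that never completed."""
    return "S" in flow.flags and "A" not in flow.flags


def detect_syn_floods(flows):
    """Group flows by (destination, port) and raise one alert per target whose
    incomplete-handshake count and ratio exceed the thresholds."""
    by_target = defaultdict(list)
    for f in flows:
        by_target[(f.dst, f.dport)].append(f)
    alerts = []
    for (dst, dport), group in by_target.items():
        syn_only = [f for f in group if is_syn_only(f)]
        if len(syn_only) < MIN_SYN_ONLY:
            continue
        ratio = len(syn_only) / len(group)
        if ratio < MIN_SYN_ONLY_RATIO:
            continue
        large = sum(1 for f in syn_only if f.octets / f.packets > LARGE_SYN_BYTES)
        alerts.append({
            "target": f"{dst}:{dport}",
            "kind": "combo SYN flood" if large / len(syn_only) >= COMBO_SHARE else "SYN flood",
            "syn_only": len(syn_only),
            "ratio": round(ratio, 3),
            "sources": len({f.src for f in syn_only}),   # many sources => spoofing/botnet
            "large_syn": large,
        })
    return alerts


def build_sample_flows(seed=1):
    """Constructed sample: normal traffic to two services, plus a combo SYN flood
    against 192.0.2.10:80 from spoofed sources (regular and oversized SYNs)."""
    rng = random.Random(seed)

    def spoofed():
        return ".".join(str(rng.randrange(1, 224)) for _ in range(4))

    flows = []
    for i in range(20):                     # completed web sessions
        flows.append(Flow(f"10.0.0.{i + 1}", "192.0.2.10", 80, 12, 6000, "SAPF"))
    for i in range(30):                     # completed TLS sessions elsewhere
        flows.append(Flow(f"10.0.1.{i + 1}", "192.0.2.20", 443, 40, 52000, "SAPF"))
    for i in range(3):                      # a few benign failed attempts
        flows.append(Flow(f"10.0.1.{200 + i}", "192.0.2.20", 443, 3, 180, "S"))
    for _ in range(400):                    # regular 60-byte SYNs, one per flow
        flows.append(Flow(spoofed(), "192.0.2.10", 80, 1, 60, "S"))
    for _ in range(200):                    # oversized SYNs add the volumetric component
        flows.append(Flow(spoofed(), "192.0.2.10", 80, 1, 1000, "S"))
    rng.shuffle(flows)
    return flows


if __name__ == "__main__":
    for alert in detect_syn_floods(build_sample_flows()):
        print(alert)
```

On the sample, 192.0.2.10:80 produces one alert (600 incomplete handshakes out of 620 flows, a third of them oversized, so it is classed as a combo SYN flood), while the three failed attempts against 192.0.2.20:443 stay well under the count threshold. In production the grouping would run over a sliding time window, and the per-target ratio matters as much as the count: a busy server legitimately sees some SYN-only flows from clients that gave up, but not most of its flows.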
FlowTraq monitors network flow traffic in real time and immediately detects deviations that indicate network reconnaissance, DDoS attacks, and other unwanted behavior on the network so you can act fast. FlowTraq detects a large range of DDoS attacks, including SYN flood and combo SYN flood attacks, within seconds and can automatically trigger mitigations to leading DDoS scrubbers (including A10 TPS, Verisign and others) or black hole routes. In addition to helping you defend against DDoS attacks, FlowTraq can detect a wide range of other undesirable behavior in the network, including scanning, data exfiltration, insider threats, and more.
Try FlowTraq for yourself free for 14 days or schedule a demo today.