SYN/ACK Attacks - DoS (Denial of Service)
SYN = SYNchronize sequence numbers
A "SYN flood" is a Denial of Service attack that takes advantage of the TCP "three-way handshake" protocol. A SYN is a type of TCP packet sent to initiate a connection with a listening TCP port. The port responds with a SYN/ACK to the initiating port, and places the SYN packet in a partial connections queue. When a corresponding ACK packet is received on the listening port, the validated SYN packet is removed from the partial connections queue and an entry is placed in the established connections queue awaiting a socket connection.
A SYN flood occurs when one or more listening TCP ports are sent large numbers of SYN packets. Such attacks can take various forms, most of which do not adversely affect the attacked system. However, the most potentially harmful attack sends SYN packets in which the client address refers to a system which does not exist. In this case, SYN packets remain in the TCP partial connections queue for each listening port that is attacked, unable to complete because the SYN/ACK cannot be routed to a bogus address. If the queues are too small and fill up with packets still awaiting a response, the TCP stack refuses to accept any further connections until the bogus packets have timed out.
TCP uses a three way handshake to establish connections between two
machines. Here's how it works:
1: The client sends a TCP packet with the SYN (synchronize sequence numbers) flag set, a destination port the client wishes to connect to, and the client's initial sequence number.
2: The server responds with a SYN containing the server's initial sequence number and acknowledges the client's SYN by ACKing the client's initial sequence number plus one. This is referred to as SYN/ACK (both a SYN and an ACK to the first SYN are sent in one segment).
3: The client acknowledges this SYN from the server by ACKing the server's initial sequence number plus one. This is referred to as ACK.
With this done, you now have a TCP connection open.
What SYN flooding does is send hundreds or thousands of spoofed TCP SYNs to a port on a victim host in the hope of filling the incoming connection queue so that the victim machine stops answering connections on that port. Since the packets are forged, the SYN/ACK phase of the connection is met with nothing, so the half-open TCP connections are left in the queue to time out at whatever timeout the OS has set. When you flood a port with enough SYNs it causes a Denial of Service.
Protection against SYN/ACK attacks
There are a number of ways to protect against this. Linux, for example, is capable of defending against SYN floods using SYN cookies and/or RST cookies, both written by Erik Schenk (http://www.dna.lth.se/~erics/). The code appears in Linux kernel versions 2.0.30 and later.
The most common method is to control the size of the TCP queues by setting the tcp_q0limit parameter with the inconfig(ADMN) command. When tcp_q0limit is set to a value greater than 0:
In the event of an attack, you should ensure that legitimate requests remain in a queue long enough to receive responses and get passed to the established connections queue. The higher the tcp_q0limit value, the less likely legitimate packets will be dropped. However, low-speed or high-latency links increase the time a packet must wait in a queue for response, and slower connections will be at greater risk during an attack.
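The handshake, the partial-connections queue and the two defences above (a fixed queue limit like tcp_q0limit, and stateless SYN cookies), as an added Python model that is not code from the original page or from any kernel: `Listener`, `simulate`, the addresses and `SECRET` are constructed for illustration, and the cookie layout (5-bit minute counter, 27-bit MAC) is a simplification of the real scheme.

```python
import hmac, hashlib

SECRET = b"constructed-demo-secret"   # constructed; a real stack uses a random per-boot key
SERVER = ("10.0.0.1", 80)             # constructed listening address

def syn_cookie(client, minute):
    """Stateless server ISN: 5-bit minute counter in the top bits, 27-bit MAC over
    the 4-tuple. Nothing about the client is stored; the ISN itself proves the SYN."""
    msg = f"{client[0]}:{client[1]}->{SERVER[0]}:{SERVER[1]}:{minute}".encode()
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")
    return ((minute & 0x1F) << 27) | (mac & 0x07FFFFFF)

def check_cookie(client, ack, minute):
    """Recompute the cookie from the final ACK; accept the current or previous minute."""
    isn = (ack - 1) & 0xFFFFFFFF
    return any(syn_cookie(client, cand) == isn for cand in (minute, minute - 1))

class Listener:
    """Toy model of one listening port's partial (q0) and established queues."""
    def __init__(self, q0limit, use_cookies=False):
        self.q0limit, self.use_cookies = q0limit, use_cookies
        self.half_open, self.established, self.dropped = {}, set(), 0

    def on_syn(self, client, minute=0):
        if self.use_cookies:                       # keep no state, answer with a cookie ISN
            return syn_cookie(client, minute)
        if len(self.half_open) >= self.q0limit:    # queue full: legitimate SYNs are dropped too
            self.dropped += 1
            return None
        isn = int.from_bytes(hashlib.sha256(repr(client).encode()).digest()[:4], "big")
        self.half_open[client] = isn               # sits here until the ACK arrives or it times out
        return isn

    def on_ack(self, client, ack, minute=0):
        if self.use_cookies:
            ok = check_cookie(client, ack, minute)
        else:
            isn = self.half_open.pop(client, None)
            ok = isn is not None and ack == (isn + 1) & 0xFFFFFFFF
        if ok:
            self.established.add(client)
        return ok

def simulate(use_cookies, flood=200, q0limit=64):
    """Spoofed SYNs from unroutable sources never ACK; then a real client tries to connect."""
    srv = Listener(q0limit, use_cookies)
    for i in range(flood):
        srv.on_syn((f"192.0.2.{i % 254 + 1}", 40000 + i))   # TEST-NET sources, nobody answers
    legit = ("203.0.113.7", 51000)
    isn = srv.on_syn(legit)
    if isn is None:
        return False                                          # SYN dropped: denial of service
    return srv.on_ack(legit, (isn + 1) & 0xFFFFFFFF)          # completes only if the SYN was kept
```

`simulate(False)` returns False once the 64-entry queue is full of half-open spoofed entries, while `simulate(True)` returns True because the cookie server never needed queue space for them.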