Slide 10 of 16
- A TCP SYN flooding attack exploits a design flaw in some BSD-based TCP/IP stacks. TCP SYN floods send large amounts of TCP SYN packets with spoofed source addresses. These SYN packets identify the initiation of a connection, and the receiving side of the connection must then acknowledge and wait for confirmation message from the initiator before the connection is fully opened.
- Since the attack involves spoofed addresses, the connections are bogus. Many times, the spoofed source addresses do not represent actual hosts, and the server waits for a lengthy amount of time (usually 3-6 minutes) for the connection to be confirmed.
- In some BSD-based TCP/IP stacks, this queue may only contain 5 connections, not accepting more connections beyond that. Only 5 source-spoofed packets are required to forge this attack.
- This attack is characterized by only a few service(s) on a machine being unavailable. For instance, if the telnet port is being SYN flooded, the web server may still be available.
- On UNIX machines, the “netstat” command will show these half-open connections in a “SYN_RECV” state.
- The SYN flooding attack, as well as vendor information regarding vulnerability, is discussed in CERT advisory number CA-96.21, available at http://www.cert.org/pub/advisories/CA-96.21.tcp_syn_flooding.html
- Information about TCP SYN flood Denial of Service attacks can be found at the following URL:
- “Defining Strategies to Protect Against TCP SYN Denial of Service Attacks”