Denial Of Service – DDoS | Part 5
Denial of Service SYN Flood
A SYN flood is an attack designed to cause a denial of service by sending a server a large number of TCP connection requests that are deliberately left incomplete (the synchronization is never finished), so that the server accumulates half-open connections.
Protection against denial-of-service attacks
A non-distributed denial of service can be countered by identifying the IP address of the machine issuing the attack and banning it at the firewall or the server. IP packets from the hostile machine are then rejected without being processed, so the server's service is not overloaded and does not end up offline.
Distributed Denial of Service (DDoS) attacks are more difficult to counter. The principle of a distributed attack is precisely to reduce the chance of stopping it: the hostile machines come from many different places, so blocking their IP addresses limits the attack but does not stop it. Thomas Longstaff of Carnegie Mellon University says on this point: “In reality, prevention should focus more on strengthening the security level of machines connected to the network [to avoid a machine being compromised] than on the protection of target machines [web servers].”
A distributed architecture consisting of multiple servers offering the same service, managed so that each client is served by only one of them, is a way of spreading the access points to the service; under attack it offers a degraded (slower) mode that is often acceptable.
Depending on the attack, it is also possible to place a buffer server in front of the target that filters and cleans the traffic. This server, a “cleaning center”, ensures during an attack that malicious requests cannot reach the target server.
The use of SYN cookies is another option for defending against attacks such as SYN flood, but this approach does not prevent the saturation of network bandwidth.
Return to normal
Returning to normal after an attack may require human intervention, because some software does not restart properly after an attack.
Those responsible for these attacks
Denial of service is often carried out by inexperienced hackers such as lamers and script kiddies.
These attacks are also used by a hacker who cannot take control of a computer while trying to impersonate a trusted machine by IP spoofing. If a session request (TCP SYN) carries a source IP address “spoofed” to be that of a trusted machine, it is that trusted machine which receives the TCP SYN/ACK sent by the target, and it automatically resets the connection attempt with an RST packet (since it did not originate the session request), preventing the attacker from establishing the session.
In recent years, distributed denial-of-service attacks have also been used to blackmail companies whose business relies on the availability of their website. These extortions are usually committed by criminal organizations (mafia) rather than by isolated hackers.
Possible solutions
Solutions that comply with the standard:
* Dynamic sizing of the backlog queue;
* Reducing the timeout (TTL) for pending requests (half-open connections).
Solutions that do not comply with the standard:
* Discarding TCP SYN packets at random;
* Accepting a request only once the 3-way handshake has been completed (on receipt of the final ACK).
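The following is an added example, not code from the original page: a miniature model of the SYN-cookie approach mentioned above and of the last solution in the list (accepting a request only on the final ACK), contrasted with a classic fixed-size backlog. The secret, port, addresses and backlog size are assumed values.

```python
import hashlib
import hmac

# Added example (not from the original page): the solutions above in miniature.
# A classic listener allocates a backlog entry for every SYN, so spoofed SYNs
# that never ACK exhaust it; a SYN-cookie listener keeps no per-SYN state and
# accepts a request only when the final ACK proves the 3-way handshake completed.
SECRET = b"assumed-server-secret"   # assumption: a real server rotates this
DST_PORT = 80

def syn_cookie(src_ip, src_port, counter):
    """ISN for the SYN-ACK: a slowly changing counter in the top byte plus a
    24-bit MAC over the client 4-tuple, so nothing has to be stored per SYN."""
    msg = f"{src_ip}:{src_port}>{DST_PORT}|{counter}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]
    return ((counter & 0xFF) << 24) | int.from_bytes(tag, "big")

def verify_cookie(src_ip, src_port, ack_num, counter):
    """The final ACK must carry ISN + 1; the current and previous counter are
    both accepted so a handshake that straddles a counter tick still succeeds."""
    isn = (ack_num - 1) & 0xFFFFFFFF
    return any(syn_cookie(src_ip, src_port, c) == isn for c in (counter, counter - 1))

def stateful_run(flood, real, backlog=4):
    """Backlog model: a half-open entry is freed only by the client's ACK or a timeout."""
    half_open = set()
    for src in flood:                    # spoofed sources never send the final ACK
        if len(half_open) < backlog:
            half_open.add(src)
    if len(half_open) >= backlog:
        return "dropped"                 # legitimate SYN refused: denial of service
    half_open.add(real)
    half_open.remove(real)               # the real client's ACK completes it
    return "established"

def cookie_run(flood, real, counter=7):
    """SYN-cookie model: the flood costs no memory and the real client gets through."""
    for ip, port in flood:
        syn_cookie(ip, port, counter)    # SYN-ACK computed and sent, nothing stored
    isn = syn_cookie(real[0], real[1], counter)
    genuine = verify_cookie(real[0], real[1], (isn + 1) & 0xFFFFFFFF, counter)
    forged = verify_cookie(real[0], real[1], 0x12345678, counter)  # ACK not derived from a cookie
    return ("established" if genuine else "rst"), forged

# Constructed traffic (RFC 5737 documentation addresses): 10 spoofed SYNs, then 1 real client.
FLOOD = [(f"203.0.113.{i}", 40000 + i) for i in range(10)]
REAL = ("198.51.100.9", 51234)
```

With the flood in place `stateful_run(FLOOD, REAL)` returns "dropped" while `cookie_run(FLOOD, REAL)` returns ("established", False); the cookie still does nothing about the bandwidth those SYNs consume.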
Other protective measures against DoS and DDoS attacks
Filtering incoming data
By implementing ingress filters in routers and firewalls that drop packets whose source information has been altered (i.e., spoofed), you will not stop a DoS attack outright, but you can reconstruct the flow of traffic classified as “malicious” relatively quickly, allowing a defensive reaction by the Internet Service Provider (anti-spoofing).
Traffic restrictions
Many routers can now limit the amount of bandwidth used by a given service by sampling and analyzing the packets passing through them. In case of attack, there will not remain enough bandwidth to cause substantial damage or to block the flow of legitimate data. This limitation can be achieved, for example, by using a Linux machine acting as a gateway that applies CAR (Committed Access Rate), which can block a DDoS attack that uses TCP SYN or ICMP, since it considerably limits the bandwidth they can consume.
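The two measures just described, ingress filtering and rate limiting, as an added example that is not part of the original page: a toy gateway that first drops packets whose source address could not legitimately have arrived on that interface, then meters SYN and ICMP packets with a token bucket in the spirit of a CAR policy. Interface names, prefixes, rates and the packet format are assumptions.

```python
import ipaddress
# Added example (not from the original page): a toy gateway applying both
# measures above. Ingress filtering drops packets whose source does not belong
# to the network behind the arrival interface (anti-spoofing); a per-class
# token bucket then caps SYN and ICMP rates as a CAR policy would. All values assumed.
INGRESS_PREFIXES = {                                   # interface -> networks behind it
    "lan0": [ipaddress.ip_network("192.0.2.0/24")],    # RFC 5737 documentation range
    "wan0": [ipaddress.ip_network("0.0.0.0/0")],
}
RATE_LIMITS = {"syn": (1, 3), "icmp": (1, 2)}         # class -> (tokens per second, burst)
class TokenBucket:
    """Admit a packet if a token is available; tokens refill at `rate` per second."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, 0
    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True

def classify(pkt):                 # metered classes; None means unmetered
    if pkt["proto"] == "icmp":
        return "icmp"
    return "syn" if pkt["proto"] == "tcp" and pkt["flags"] == "S" else None

def ingress_ok(pkt):
    """BCP 38 style check: the source must belong to the arrival interface's prefixes."""
    return any(ipaddress.ip_address(pkt["src"]) in net for net in INGRESS_PREFIXES[pkt["iface"]])

def run(packets):                  # one verdict per packet
    buckets = {c: TokenBucket(*rb) for c, rb in RATE_LIMITS.items()}
    verdicts = []
    for p in packets:
        if not ingress_ok(p):
            verdicts.append("drop:spoofed")            # never reaches the rate limiter
            continue
        cls = classify(p)
        if cls and not buckets[cls].allow(p["t"]):
            verdicts.append("drop:" + cls + "-rate")
            continue
        verdicts.append("forward")
    return verdicts

def pkt(iface, src, t, proto="tcp", flags="S"):
    return {"iface": iface, "src": src, "t": t, "proto": proto, "flags": flags}
# Constructed traffic: a lan0 packet whose source is outside 192.0.2.0/24 (spoofed),
# then 8 SYNs from one WAN host at t = 0,0,0,0,0,1,1,2 seconds.
PACKETS = [pkt("lan0", "203.0.113.7", 0)] + [pkt("wan0", "198.51.100.5", t) for t in (0, 0, 0, 0, 0, 1, 1, 2)]
```

`run(PACKETS)` drops the spoofed packet and three of the eight SYNs while forwarding the rest, which is the point of the measure: the attack is throttled, not identified.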
Intrusion detection systems
Commercial systems of this kind are capable of detecting Trinoo and TFN, for example; the FBI provides, free of charge, a product called Find DDoS that can discover on the file system the tools seen above, which are the instruments of a Distributed Denial of Service attack. Through these verification systems (Intrusion Detection Systems), the attackers who communicate via slave, master and agent can be identified, and you can find out whether any of the machines in your network is being used, maliciously, as a pawn to launch the attack. In particular, Network Auditing Tools are programs that allow the verification and analysis of the corporate network for the possible presence of agents that could be used in a DDoS attack.
Attacks by a single host
These types of DDoS attack, when they come from a single source, are potentially detectable.
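One way to detect the single-source case above, as an added example that is not from the original page: run over connection records and count, per source, the SYNs that were never followed by the client's final ACK or a RST. The record format, the window and the threshold are assumptions; the trace is constructed.

```python
from collections import defaultdict

# Added example (not from the original page): detection logic for the single-host
# case above, run over constructed connection records. For every source we count
# SYNs that were never followed by the client's final ACK (or a RST): a legitimate
# client leaves at most a few half-open connections, a single flooding host leaves
# many. The record format, the window and the threshold are assumptions.
HALF_OPEN_THRESHOLD = 5   # half-open connections per source before we flag it
WINDOW = 10.0             # seconds a SYN may wait for its ACK before counting as half-open

def parse(line):
    """Record format (constructed): '<seconds> <src_ip>:<src_port> <flag>', flag in S/A/R."""
    t, endpoint, flag = line.split()
    ip, port = endpoint.rsplit(":", 1)
    return float(t), ip, int(port), flag

def half_open_per_source(lines):
    """Return {src_ip: number of SYNs from that source left half-open}."""
    pending = {}                       # (ip, port) -> time the SYN was seen
    counts = defaultdict(int)
    for line in lines:
        t, ip, port, flag = parse(line)
        for k, t0 in list(pending.items()):
            if t - t0 > WINDOW:        # waited too long: the ACK is not coming
                counts[k[0]] += 1
                del pending[k]
        key = (ip, port)
        if flag == "S":
            pending[key] = t
        elif flag in ("A", "R"):
            pending.pop(key, None)     # handshake completed (A) or aborted (R)
    for k in pending:                  # still unanswered when the trace ends
        counts[k[0]] += 1
    return dict(counts)

def suspects(lines):
    """Sources whose half-open count reaches the threshold, sorted for stable output."""
    return sorted(ip for ip, n in half_open_per_source(lines).items() if n >= HALF_OPEN_THRESHOLD)

# Constructed trace: two ordinary clients (one completes, one aborts with RST) and
# one host that opens 8 connections from different ports and never acknowledges.
TRACE = [
    "0.0 192.0.2.10:40001 S",
    "0.1 192.0.2.10:40001 A",
    *[f"0.2 203.0.113.5:{1000 + i} S" for i in range(8)],
    "0.5 192.0.2.11:40002 S",
    "0.6 192.0.2.11:40002 R",
]
```

On this trace `suspects(TRACE)` returns only 203.0.113.5; a distributed attack spreads the same half-open connections over many sources, each staying below the threshold, which is why the page calls only the single-host case detectable this way.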
Legal Risks
Hackers who attack web servers by denial of service have in recent years been prosecuted by the courts of various countries. Three major cases have occurred. The first was in August 2005: Jasmine Singh, 17, was sentenced to 5 years in prison for DDoS attacks against Jersey-Joe.com and Distant Replays, sponsored by a competitor of both sites.
In the United Kingdom
Since November 2006, with the passing of the Police and Justice Act (PJA), a DDoS attack is an offence punishable by 10 years in prison. Providing tools to launch DDoS attacks is punishable by 2 years in prison.
In Russia
In 2008 a court sentenced three hackers from Balakovo to 8 years' imprisonment for blackmailing online gaming sites. The hackers demanded tens of thousands of dollars from the sites in exchange for not subjecting them to DDoS attacks.
Source: Wikipedia, the free encyclopedia. The text is available under the Creative Commons license.