SYN Flooding and Spoofing

For anyone learning about external network attacks, hacking and how to protect a network, one of the most famous attacks they will study is probably the SYN flood. Not only has it been in use for many years, it was also one of the techniques that brought fame to the world's most famous hacker, Kevin Mitnick.

It was in February 2000 that it briefly became one of the best known attacks online: SYN floods were behind the DDoS attacks that temporarily took down Yahoo and other major websites. In truth, system and network administrators have come a long way since those days and vast improvements have been made to blunt these methods. The SYN flood is certainly not dead, though, and is still used across the internet to this day.

Nowadays, however, the SYN flood is a fairly brutish network attack that uses vast resources, such as huge botnets, to bring a server to its knees. When an attacker starts opening connections to a server in a SYN flood, he has no intention of completing any of the TCP three-way handshakes. The goal is to exceed the limit a particular service places on the number of half-open connections, that is, connections waiting to be established. The server answers every SYN with a SYN/ACK and holds a slot in its backlog for the final ACK, which in a SYN flood never arrives, so SYN/ACKs are generated until the limit has been reached. The server will normally drop a half-open connection if the handshake is not completed, but only after waiting some time, normally around a minute of SYN/ACK retransmissions.

When that minute is reached the connection is closed, the memory released and the queue count decreased by one, making room for a new connection. If the SYN flood sends new connections quickly enough, however, the queue is never drained and stays full. One of the big difficulties in tracking and stopping these attacks is that the attacker will almost always spoof the source IP address. The goal is simply to keep the server so busy that it eventually falls over; the connections themselves are immaterial and the attacker has no need to receive the reply. The spoofed addresses are usually chosen so that nothing answers, because a real host that receives an unexpected SYN/ACK replies with a RST, which frees the very slot the attacker was trying to occupy.
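To make the queue arithmetic above concrete, here is a small discrete-time model of a listener's half-open backlog. It is an added example, not code from the original article and not real socket code: the backlog capacity (128 slots), the timer (63 seconds, the sum of five doubling SYN/ACK retransmissions) and the client address are assumed values chosen for illustration. It shows that a flood only needs to exceed capacity divided by timeout to keep the queue permanently full, which for these numbers is about two SYNs per second, and that a spoofed source which answers with a RST gives the slot straight back.

```python
"""Discrete-time model of a TCP listener's half-open (SYN-RECEIVED) queue.

Added example, not code from the original article and not real socket code.
It models only what the text describes: every SYN occupies a queue slot until
the handshake's final ACK arrives or a timer (assumed here to be 63 seconds,
the sum of five doubling SYN/ACK retransmissions) expires.  Queue capacity,
timer and addresses are assumed values for illustration.
"""


class SynBacklog:
    """Half-open connection queue of a single listening socket."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.pending = {}      # (src_ip, src_port) -> time the entry expires
        self.dropped = 0       # SYNs refused because the queue was full
        self.completed = 0     # handshakes that finished

    def expire(self, now):
        """Release entries whose timer has run out, freeing their slots."""
        for key in [k for k, exp in self.pending.items() if exp <= now]:
            del self.pending[key]

    def syn(self, now, src):
        """A SYN arrives: take a slot (and send SYN/ACK) or drop it."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False
        self.pending[src] = now + self.timeout
        return True

    def ack(self, now, src):
        """Third leg of the handshake from a real client: the slot is freed."""
        if self.pending.pop(src, None) is None:
            return False
        self.completed += 1
        return True

    def rst(self, now, src):
        """The real owner of a spoofed address replies RST to our SYN/ACK,
        which also frees the slot; this is why attackers spoof addresses
        that will not answer."""
        return self.pending.pop(src, None) is not None


def sustaining_rate(capacity, timeout):
    """SYNs per second needed to keep the queue permanently full:
    one new half-open entry for every one the timer releases."""
    return capacity / timeout


def simulate_flood(syn_rate, seconds, capacity=128, timeout=63):
    """Flood a listener with `syn_rate` spoofed SYNs per second that are never
    completed, while one legitimate client connects every second.  Returns
    how many legitimate handshakes succeeded or were refused and the queue
    state at the end."""
    backlog = SynBacklog(capacity, timeout)
    legit_ok = legit_refused = 0
    spoofed_id = 0
    for second in range(seconds):
        now = float(second)
        # Spoofed SYNs spread evenly over the second; no ACK ever follows.
        for i in range(syn_rate):
            spoofed_id += 1
            backlog.syn(now + i / syn_rate, ("spoofed", spoofed_id))
        # Legitimate client at the half-second mark: SYN, then its final ACK.
        client = ("203.0.113.7", 40000 + second)   # RFC 5737 documentation address
        if backlog.syn(now + 0.5, client):
            backlog.ack(now + 0.5, client)
            legit_ok += 1
        else:
            legit_refused += 1
    return {
        "legit_ok": legit_ok,
        "legit_refused": legit_refused,
        "half_open": len(backlog.pending),
        "dropped": backlog.dropped,
    }


if __name__ == "__main__":
    print("rate to keep a 128-slot queue full with a 63 s timer: %.2f SYN/s"
          % sustaining_rate(128, 63))
    print("1 SYN/s flood:", simulate_flood(1, 120))
    print("10 SYN/s flood:", simulate_flood(10, 120))
```

Running it, a one-SYN-per-second flood never fills the 128-slot queue (at most 63 entries are pending before the oldest expires) and every legitimate client gets through, while ten SYNs per second fill the queue in about twelve seconds and keep it full, refusing every client thereafter. Real stacks defend against exactly this with larger backlogs, shorter timers and SYN cookies, which is what the improvements mentioned above amount to.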

Intrusion detection systems, however, have become much better at picking up the signatures of these packets. Flooding tools frequently produce packets with recognisable irregularities, because it is largely irrelevant to the attacker whether a packet is well formed when the sole intention is to use up system resources. Although Kevin Mitnick will always be associated with these attacks, to be fair his was much more elegant. He used a SYN flood merely to silence one party to a trusted TCP connection, then impersonated the silenced host, predicting the sequence numbers the target would use so that he could complete the handshake blind, since the replies went to the silenced machine rather than to him.
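Beyond matching badly formed packets, a detector can look for the behavioural trace a flood leaves: many SYNs from many distinct sources that are never followed by the handshake-completing ACK. The following is an added example, not code from the original article or from any IDS product. The packet records are constructed here rather than captured, the IP addresses come from the RFC 5737 documentation ranges, and the thresholds (100 unanswered SYNs from at least 50 sources) are assumed values.

```python
"""Behavioural SYN-flood detector run over constructed packet records.

Added example, not code from the original article.  Instead of matching
malformed-packet signatures it looks for the pattern a flood leaves behind:
SYNs that are never followed by the client's handshake-completing ACK from
the same source, arriving from a large number of distinct addresses.  The
records are constructed here, not captured traffic; the IP addresses come
from the RFC 5737 documentation ranges; the thresholds are assumed values.
"""
from collections import defaultdict

# Record layout: (timestamp_seconds, src_ip, dst_ip, dst_port, flags) where
# flags is "S" for a client SYN, "A" for the client's final handshake ACK,
# and "R" for a RST sent back by the owner of the (possibly spoofed) source.


def legit_records():
    """Constructed: five clients that complete the handshake, plus one that
    sends a SYN and gives up (a single half-open entry, not a flood)."""
    recs = []
    for i in range(5):
        src = "203.0.113.%d" % (10 + i)
        recs.append((1.0 + i, src, "192.0.2.10", 80, "S"))
        recs.append((1.1 + i, src, "192.0.2.10", 80, "A"))
    recs.append((3.0, "203.0.113.99", "192.0.2.10", 80, "S"))
    return recs


def flood_records():
    """Constructed: 200 SYNs from 200 distinct spoofed sources within two
    seconds, none of which is ever followed by an ACK."""
    return [(10.0 + i * 0.01, "198.51.100.%d" % i, "192.0.2.10", 80, "S")
            for i in range(200)]


def half_open_syns(records, window=5.0):
    """Pair every SYN with a later ACK or RST from the same (src, dst, port)
    arriving within `window` seconds.  Returns, per destination, how many
    SYNs were left unanswered and the set of sources they came from."""
    pending = defaultdict(list)       # (src, dst, port) -> [syn timestamps]
    for ts, src, dst, port, flags in sorted(records):
        key = (src, dst, port)
        if flags == "S":
            pending[key].append(ts)
        elif (flags in ("A", "R") and pending[key]
              and ts - pending[key][-1] <= window):
            pending[key].pop()        # handshake completed or reset: slot freed
    report = {}
    for (src, dst, port), syns in pending.items():
        if syns:
            entry = report.setdefault((dst, port), {"pending": 0, "sources": set()})
            entry["pending"] += len(syns)
            entry["sources"].add(src)
    return report


def detect_syn_flood(records, min_pending=100, min_sources=50, window=5.0):
    """Flag each (dst_ip, dst_port) with at least `min_pending` unanswered
    SYNs from at least `min_sources` distinct sources.  Returns a sorted list
    of (dst_ip, dst_port, unanswered_syns, distinct_sources)."""
    alerts = []
    for (dst, port), entry in half_open_syns(records, window).items():
        if entry["pending"] >= min_pending and len(entry["sources"]) >= min_sources:
            alerts.append((dst, port, entry["pending"], len(entry["sources"])))
    return sorted(alerts)


if __name__ == "__main__":
    print("legitimate traffic only:", detect_syn_flood(legit_records()))
    print("with flood:", detect_syn_flood(legit_records() + flood_records()))
```

The distinct-source threshold is what separates a flood from a single misbehaving or unreachable client: one abandoned handshake from one address never trips it, whereas two hundred unanswered SYNs from two hundred spoofed addresses against the same port do. On real traffic the same logic would be fed from a packet capture or flow records rather than the constructed list used here.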