The SYN flood attack sends TCP connection requests faster than a machine can process them.
✑ Attacker creates a random source address for each packet
✑ SYN flag set in each packet is a request to open a new connection to the server from the spoofed IP address
✑ Victim responds to spoofed IP address, then waits for confirmation that never arrives (timeout wait is about 3 minutes)
✑ Victim’s connection table fills up waiting for replies and ignores new connections
✑ Legitimate users are ignored and will not be able to access the server
How do you protect your network against SYN Flood attacks?
A. SYN cookies. Instead of allocating a record, send a SYN-ACK with a carefully constructed sequence number generated as a hash of the client's IP address, port number, and other information. When the client responds with a normal ACK, that special sequence number will be included, which the server then verifies. Thus, the server first allocates memory on the third packet of the handshake, not the first.
B. RST cookies – The server sends a wrong SYN/ACK back to the client. The client should then generate a RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally.
C. Check the incoming packet’s IP address with the SPAM database on the Internet and enable the filter using ACLs at the Firewall.
D. Stack Tweaking. TCP stacks can be tweaked in order to reduce the effect of SYN floods. Reduce the timeout before a stack frees up the memory allocated for a connection.
E. Micro Blocks. Instead of allocating a complete connection, simply allocate a micro record of 16 bytes for the incoming SYN object.
Answer: A,B,D,E
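The SYN cookie mechanism from option A, as an added Python sketch that is not part of the original question: the server derives the SYN-ACK sequence number from the connection details and stores nothing until a valid ACK comes back. The names `Listener`, `cookie`, `SECRET` and `SLOT_SECONDS`, the use of HMAC-SHA256 as the hash, and the 64-second time slot are assumptions of this simplified model, which does not encode TCP options.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(32)   # assumption: per-server key, never sent on the wire
SLOT_SECONDS = 64         # assumption: cookies are valid for 1-2 time slots
MASK = 0xFFFFFFFF         # TCP sequence numbers are 32 bits


def cookie(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """32-bit sequence number for the SYN-ACK, derived only from the packet."""
    msg = f"{src_ip}|{src_port}|{dst_ip}|{dst_port}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class Listener:
    """Allocates connection state on the third handshake packet, not the first."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = set()   # the only per-connection state kept

    def on_syn(self, src_ip, src_port, client_isn, now):
        # Nothing is stored here, so a flood of spoofed SYNs costs no memory.
        slot = int(now) // SLOT_SECONDS
        return cookie(src_ip, src_port, self.ip, self.port, client_isn, slot)

    def on_ack(self, src_ip, src_port, seq, ack, now):
        client_isn = (seq - 1) & MASK   # the ACK's seq is the client ISN + 1
        echoed = (ack - 1) & MASK       # the ACK's ack is our cookie + 1
        slot = int(now) // SLOT_SECONDS
        for s in (slot, slot - 1):      # accept the current or previous slot
            want = cookie(src_ip, src_port, self.ip, self.port, client_isn, s)
            if hmac.compare_digest(want.to_bytes(4, "big"), echoed.to_bytes(4, "big")):
                self.established.add((src_ip, src_port))
                return True
        return False                    # forged, replayed elsewhere, or expired


if __name__ == "__main__":
    srv = Listener("192.0.2.10", 80)    # constructed documentation addresses
    for i in range(10000):              # spoofed SYNs that are never answered
        srv.on_syn(f"198.51.100.{i % 250}", 1024 + i, i, now=1000)
    print("state after flood:", len(srv.established))
    c = srv.on_syn("203.0.113.5", 40000, 12345, now=1000)
    print("legitimate client accepted:",
          srv.on_ack("203.0.113.5", 40000, 12346, (c + 1) & MASK, now=1010))
```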