A SYN flood attack is a form of denial-of-service attack in which an attacker sends a large number of SYN requests to a target system's services that use the TCP protocol. This consumes server resources and makes the system unresponsive even to legitimate traffic. The attack can hit any service that uses TCP, but it is mainly aimed at web services. In this tutorial we will go through the basics of SYN flood attacks and the mitigation steps in detail.
The SYN flood attack exploits an implementation characteristic of the Transmission Control Protocol (TCP) called the 3-way handshake.
Following are the steps that occur in a normal 3-way handshake:
1. The client requests a connection by sending a SYN (synchronize) message to the server.
2. The server acknowledges this request by sending SYN-ACK back to the client.
3. The client responds with an ACK, and the connection is established.
A SYN flood attack works by never responding to the server with the expected ACK. These half-open connections fill up the target machine's TCP backlog, so new connection requests may be ignored, and legitimate users get turned away along with the attacker.
This attack can take place in two ways:
1. Direct Attack
In this kind of attack, attackers rapidly send SYN segments without spoofing their source IP address. Once detected, this type of attack is very easy to defend against: a simple firewall rule that blocks packets from the attacker's source IP address will shut the attack down.
2. Using IP address spoofing
This is a more complex form of attack than the direct attack. Here the malicious machine sends floods of SYN requests to the target machine from spoofed IP addresses, causing the server to send its SYN-ACKs to falsified addresses, which never send an ACK because they "know" they never sent a SYN.
Detecting a SYN flood attack
The generic symptom of a SYN flood attack for a web site visitor is that the site takes a long time to load, or loads some elements of a page but not others. If you suspect a SYN flood attack on a web server, you can use the netstat command to list the web server's connection requests that are in the "SYN_RECEIVED" state (shown by netstat as SYN_RECV):
netstat -tuna | grep :80 | grep SYN_RECV
If it shows numerous connections in this state, the server could be under a SYN flood attack. If the attack is direct, with a large number of SYN_RECV entries from a single IP address, you can stop it by blocking that IP address in the firewall. If you have the APF or CSF firewall installed on your server, you can do this with the following command (APF and CSF respectively):
apf -d IPADDRESS
csf -d IPADDRESS
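The netstat check above can be scripted so the triage is repeatable. The following Python snippet is an added example, not part of the original tutorial: it parses netstat -tuna output, counts SYN_RECV entries per remote address, and makes a rough call between a direct attack (one source dominates) and a distributed or spoofed one (many sources). The sample output, the function names and the thresholds are constructed for illustration.

```python
"""Count half-open (SYN_RECV) connections per remote address in netstat output."""
import re
from collections import Counter

# Constructed sample of `netstat -tuna` output (not a real capture).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.7:40122      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:51001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:51002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:51003       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:51004       SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.44:33010        SYN_RECV
tcp        0      0 10.0.0.5:443            192.0.2.45:33011        SYN_RECV
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Only TCP rows in the SYN_RECV state are of interest; capture local and remote endpoints.
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+SYN_RECV\s*$")


def syn_recv_by_source(netstat_output, local_port=None):
    """Return a Counter of remote IPs holding SYN_RECV entries, optionally for one local port."""
    counts = Counter()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local, remote = m.groups()
        if local_port is not None and not local.endswith(":%d" % local_port):
            continue
        # Drop the ephemeral port; split on the last colon so ::ffff:a.b.c.d:port also works.
        remote_ip = remote.rsplit(":", 1)[0]
        counts[remote_ip] += 1
    return counts


def classify(counts, total_threshold=50, dominant_share=0.8):
    """Triage: 'ok' below the threshold, 'direct' if one source dominates, else 'distributed'."""
    total = sum(counts.values())
    if total < total_threshold:
        return "ok"
    top_ip, top_n = counts.most_common(1)[0]
    return "direct" if top_n / total >= dominant_share else "distributed"
```

A "direct" verdict points at the single address to block with the firewall commands above; a "distributed" verdict means source blocking will not help and the SYN cookie and backlog tuning described below is the right response.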
Defending against SYN flood attacks
• Using SYN cookies
This is the most effective method of defending against a SYN flood attack. SYN cookies allow a server to avoid dropping connections when the SYN queue fills up. Instead, the server behaves as if the SYN queue had been enlarged: it sends back the appropriate SYN+ACK response to the client but discards the SYN queue entry. If the server then receives the subsequent ACK from the client, it can reconstruct the SYN queue entry from information encoded in the TCP sequence number.
SYN cookies can be enabled by adding the following to /etc/sysctl.conf:
net.ipv4.tcp_syncookies = 1
After modifying the sysctl configuration file, execute the following command to load the settings from /etc/sysctl.conf:
sysctl -p
• Increasing the SYN backlog queue
An optional defensive technique is to increase the SYN backlog queue size. The default size is 1024. This can be done by adding the following to /etc/sysctl.conf:
net.ipv4.tcp_max_syn_backlog = 2048
• Reducing SYN_ACK retries
Tweaking the kernel parameter tcp_synack_retries causes the kernel to give up on connections in the SYN_RECV state earlier, freeing their backlog entries sooner. The default value is 5. Add the following to /etc/sysctl.conf:
net.ipv4.tcp_synack_retries = 3
• Setting SYN_RECV timeout
Lowering the timeout value for SYN_RECV connections also helps reduce the impact of a SYN flood attack. The default value is 60 and it can be reduced to 40 or 45. This can be done by adding the following line to sysctl.conf.
• Preventing IP spoofing
The following sysctl parameter enables reverse-path filtering, which helps protect against the IP spoofing used in SYN flood attacks:
net.ipv4.conf.all.rp_filter = 1
Many hosting companies provide protection against SYN flood attacks by deploying firewalls with built-in SYN flood defenses, such as Netscreen or Appsafe.