SYN flood
A SYN flood is a denial-of-service attack that abuses the TCP connection setup: it consists of sending a rapid succession of SYN segments to the target, each of which the target must answer and then remember.
Principle
When a TCP connection is set up between a client and a server, an exchange of messages takes place. This is the three-way handshake, which for a normal connection with no malicious intent proceeds as follows:
- the client requests a connection by sending a SYN (synchronize) message to the server
- the server answers and accepts by sending a SYN-ACK (synchronize-acknowledgment) back to the client
- the client answers in turn with an ACK (acknowledgment) message; the connection is then established
A malicious client can omit the last step and never reply with the ACK. The server waits for a certain time, since the missing ACK could simply be due to network latency. At the time of the first SYN attacks this waiting period was approximately 75 seconds. In practice the attacker spoofs the source address of each SYN, so the SYN-ACK is sent to a host that will never answer and the attacker's own address does not appear in the traffic.
At this stage the connection is half-open and consumes a certain amount of resources on the server side (memory, processor time, etc.). By generating enough connections of this kind, it is possible to monopolize the server's resources. Since the number of half-open connections a listener will hold is usually limited, the server stops accepting new clients, which results in a denial of service. In some cases the server can even crash for lack of resources.
History
This type of attack became popular in the mid-1990s, alongside other techniques targeting TCP. Hacker groups published the technique, together with source code to carry it out, in two electronic magazines. On September 6, 1996, an American access provider (Panix) was paralyzed by a massive flood of SYN requests.
Countermeasures
Several solutions exist:
- limiting the number of connections from the same source address or the same IP range, over a shorter or longer time window
- releasing half-open connections by choosing a client at random once a time limit has passed
- reorganizing the handling of clients so that no resources are spent on fields that are useless until the connection is fully established
- using SYN cookies (verification based on sequence numbers generated with a hash function, so that no state is kept for a half-open connection)
- statistical analysis of the traffic (CUSUM algorithm)
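The following Python simulation is an added illustration, not code from the original article: it plays out the half-open mechanism described in the Principle section and then the SYN cookie countermeasure from the list above. Everything in it is a simplifying assumption rather than any particular kernel's implementation: the segment model, the backlog of 128 entries, the 75-second half-open timer, the MSS table, and a cookie layout of a 5-bit time counter, a 3-bit MSS index and a 24-bit HMAC over the connection 4-tuple. Addresses are constructed from the RFC 5737 documentation ranges.

```python
"""Simulated SYN flood against a classic stateful listener and against one answering
with SYN cookies. Added illustration with simplified, assumed parameters."""
import hashlib
import hmac
import random
from dataclasses import dataclass

SERVER = ("192.0.2.10", 80)   # constructed, RFC 5737 documentation range
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: tuple          # (ip, port) of the sender
    flags: str          # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0
    mss: int = 1460     # MSS option carried on a SYN


class StatefulListener:
    """Every SYN allocates a half-open entry until its ACK arrives or a timer expires."""
    def __init__(self, backlog=128, half_open_timeout=75.0):
        self.backlog, self.timeout = backlog, half_open_timeout
        self.half_open = {}          # client (ip, port) -> (our ISN, arrival time of SYN)

    def receive(self, seg, now):
        for key, (_, t0) in list(self.half_open.items()):   # reclaim timed-out entries
            if now - t0 >= self.timeout:
                del self.half_open[key]
        if seg.flags == "SYN":
            if len(self.half_open) >= self.backlog:        # backlog full: SYN dropped
                return None
            isn = random.getrandbits(32)
            self.half_open[seg.src] = (isn, now)
            return Segment(seg.src, "SYN-ACK", isn, (seg.seq + 1) & MASK32)
        if seg.flags == "ACK":
            entry = self.half_open.get(seg.src)
            if entry and seg.ack == (entry[0] + 1) & MASK32:
                del self.half_open[seg.src]
                return True
        return None


class SynCookieListener:
    """Stateless: the SYN-ACK's ISN is a cookie = 5-bit time slot | 3-bit MSS index |
    24-bit MAC over the 4-tuple and slot. An ACK of cookie + 1 proves the client got it."""
    MSS_TABLE = (536, 1300, 1440, 1460)

    def __init__(self, secret):
        self.secret = secret

    def _mac(self, src, counter):
        msg = f"{src[0]}:{src[1]}:{SERVER[0]}:{SERVER[1]}:{counter}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def make_cookie(self, src, mss, now):
        counter = (int(now) // 64) & 0x1F                           # advances every 64 s
        mss_idx = sum(1 for m in self.MSS_TABLE[1:] if m <= mss)    # largest entry <= client MSS
        return (counter << 27) | (mss_idx << 24) | self._mac(src, counter)

    def check_cookie(self, src, cookie, now):
        counter = cookie >> 27
        if ((int(now) // 64 - counter) & 0x1F) > 1:          # older than two slots: stale
            return None
        if (cookie & 0xFFFFFF) != self._mac(src, counter):   # tampered or another 4-tuple
            return None
        return self.MSS_TABLE[(cookie >> 24) & 0x7]           # the MSS the client announced

    def receive(self, seg, now):
        if seg.flags == "SYN":        # nothing is stored: the cookie is the only memory
            cookie = self.make_cookie(seg.src, seg.mss, now)
            return Segment(seg.src, "SYN-ACK", cookie, (seg.seq + 1) & MASK32)
        if seg.flags == "ACK" and self.check_cookie(seg.src, (seg.ack - 1) & MASK32, now) is not None:
            return True
        return None


def flood_then_connect(listener, attack_syns=200, client_delay=1.0, now=1000.0):
    """Spoofed SYNs never acknowledged, then one honest handshake client_delay s later."""
    for i in range(attack_syns):
        spoofed = (f"203.0.113.{i % 254 + 1}", 10000 + i)   # constructed; never answers
        listener.receive(Segment(spoofed, "SYN", seq=i), now)
    client, t = ("198.51.100.7", 40000), now + client_delay  # constructed honest client
    synack = listener.receive(Segment(client, "SYN", seq=777), t)
    if synack is None:                                       # SYN dropped: backlog full
        return False
    return listener.receive(Segment(client, "ACK", 778, (synack.seq + 1) & MASK32), t + 1) is True


def tampered_and_stale_acks(listener, now=1000.0):
    """ACKs a cookie listener must reject: one bit flipped, and 200 s late. None = rejected."""
    client = ("198.51.100.7", 40000)
    synack = listener.receive(Segment(client, "SYN", seq=1), now)
    tampered = listener.receive(Segment(client, "ACK", 2, (synack.seq ^ 1) + 1), now)
    stale = listener.receive(Segment(client, "ACK", 2, synack.seq + 1), now + 200)
    return tampered, stale
```

Calling `flood_then_connect(StatefulListener())` returns False: 200 unanswered SYNs fill the 128-entry backlog and the honest client's SYN is dropped. With `client_delay=80` the same call returns True, because the 75-second timer has reclaimed the entries, which is why a real flood has to be sustained rather than fired once. `flood_then_connect(SynCookieListener(b"secret"))` returns True however many SYNs precede the honest client, since nothing is stored per SYN, and `tampered_and_stale_acks` shows the two rejections the cookie check must make: an ACK whose cookie has been altered (the MAC no longer matches) and a genuine cookie presented after the counter has moved on by more than one slot. The price of statelessness is also visible: only what fits in the 32-bit sequence number survives the handshake, so the client's TCP options are reduced to an approximated MSS unless they are carried some other way.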