DEV Community

mridul037
What is SYN Flooding ?

SYN Flooding: Exploit and Mitigation

A SYN flood exploits a weakness in the TCP three-way handshake in an attempt to disrupt a web service.

A SYN flood (half-open attack) is a type of denial-of-service (DoS) attack that aims to make a server unavailable to legitimate traffic by consuming all available server resources. By repeatedly sending initial connection request (SYN) packets and never completing the handshake, the attacker fills the targeted server's queue of half-open connections, causing it to respond to legitimate traffic sluggishly or not at all.


How does a SYN flood attack work?

SYN flood attacks work by exploiting the handshake process of a TCP connection. Under normal conditions, a TCP connection is established in three distinct steps:

  1. Client Sends SYN: The client sends a SYN packet to the server to initiate the connection.

  2. Server Responds with SYN/ACK: The server responds to the initial packet with a SYN/ACK packet, acknowledging the communication.

  3. Client Sends ACK: The client returns an ACK packet to acknowledge the receipt of the SYN/ACK packet from the server. Once this sequence is completed, the TCP connection is open and ready to transmit data.


Effects of SYN Flooding

  • Resource Exhaustion: Overwhelms server resources like memory and CPU.
  • Denial of Service: Prevents legitimate users from accessing the server.
  • Network Disruption: Can slow down or crash affected network segments.

How to Mitigate SYN Flooding

  1. Rate Limiting: Restrict the number of SYN packets allowed per IP or over time.

  2. SYN Cookies: A technique where the server doesn't allocate resources for half-open connections. It encodes connection information into the SYN-ACK response and verifies it when the ACK is received.

  3. Firewalls and Intrusion Prevention Systems (IPS): Use firewalls or specialized devices to detect and filter malicious SYN packets.

  4. Distributed Defenses: Use Content Delivery Networks (CDNs) or cloud-based DDoS protection services to absorb the attack.

  5. Increase Backlog Size: Configure the server to handle more simultaneous connections, although this only provides temporary relief.


Detailed Examples of SYN Flooding Detection and Mitigation


1. Rate Limiting

Rate limiting restricts the number of SYN packets a server can accept from a single IP or within a given timeframe.

Example: iptables

# Accept new connections (SYN) at up to 10 per second per source IP, with a burst of 20.
# Note: "-m limit" counts all SYNs together, so it cannot limit a single IP; hashlimit
# with --hashlimit-mode srcip keys the counter on the source address instead.
iptables -A INPUT -p tcp --syn -m hashlimit --hashlimit-name synflood \
    --hashlimit-mode srcip --hashlimit-upto 10/second --hashlimit-burst 20 -j ACCEPT

# Log the excess (rate limited so the flood cannot also fill the log) and drop it
iptables -A INPUT -p tcp --syn -m limit --limit 5/minute -j LOG --log-prefix "SYN Flood: "
iptables -A INPUT -p tcp --syn -j DROP

2. SYN Cookies

SYN cookies ensure that the server does not store state for half-open connections, so a flood of SYNs cannot exhaust its memory or backlog.

Linux Configuration Example

Enable SYN cookies on Linux:

# Enable SYN cookies (requires root; the kernel then falls back to cookies once the SYN backlog fills)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
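To make the "encode into the SYN/ACK, verify on the ACK" idea concrete, here is a simplified Python model of the classic SYN cookie scheme, added as an illustration and not code from the original post or from the Linux kernel; the secret, tick size and MSS table are constructed assumptions for the example.

```python
import hmac
import hashlib

# Constructed for this example: a real kernel draws a random secret at boot
# and rotates its time counter; the field sizes below follow the classic scheme.
SECRET = b"example-only-syn-cookie-secret"
TICK_SECONDS = 64                      # granularity of the 5-bit time counter
MSS_TABLE = [536, 1300, 1440, 1460]    # 3-bit index selects a rounded-down MSS

def _keyed_hash(src_ip, src_port, dst_ip, dst_port, tick):
    """24-bit keyed hash over the connection 4-tuple and the time counter."""
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}@{tick}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")

def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """Initial sequence number the server sends in its SYN/ACK instead of
    queuing a half-open entry: 5 bits time | 3 bits MSS index | 24 bits hash."""
    tick = (int(now) // TICK_SECONDS) & 0x1F
    idx = max([i for i, m in enumerate(MSS_TABLE) if m <= client_mss], default=0)
    return (tick << 27) | (idx << 24) | _keyed_hash(src_ip, src_port, dst_ip, dst_port, tick)

def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now, max_age_ticks=1):
    """Validate the final ACK of a handshake the server kept no state for.
    Returns the MSS to use for the connection, or None if the cookie is
    forged, replayed from another 4-tuple, or too old."""
    cookie = (ack_num - 1) & 0xFFFFFFFF          # the ACK acknowledges ISN + 1
    tick = cookie >> 27
    idx = (cookie >> 24) & 0x7
    current = (int(now) // TICK_SECONDS) & 0x1F
    if ((current - tick) & 0x1F) > max_age_ticks or idx >= len(MSS_TABLE):
        return None
    expected = _keyed_hash(src_ip, src_port, dst_ip, dst_port, tick)
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if not hmac.compare_digest(got, expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[idx]

if __name__ == "__main__":
    # Constructed handshake: a SYN arrives, the server answers with a cookie ISN and
    # forgets it; the real client's ACK is accepted, an ACK for another port is not.
    now = 1_700_000_000
    isn = make_cookie("203.0.113.5", 40000, "198.51.100.1", 443, 1460, now)
    print(check_cookie("203.0.113.5", 40000, "198.51.100.1", 443, isn + 1, now + 20))
    print(check_cookie("203.0.113.5", 40001, "198.51.100.1", 443, isn + 1, now + 20))
```

The cost of statelessness is visible in the code: only a coarse MSS survives and other TCP options are lost, which is why the kernel only switches to cookies once the backlog is full.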

3. Increase Backlog Size

A short-term solution is to increase the backlog queue size for half-open connections.

Linux Configuration Example

Modify the TCP backlog parameters:

# Increase the SYN backlog size (number of half-open connections the kernel will queue)
echo 4096 > /proc/sys/net/ipv4/tcp_max_syn_backlog

# tcp_synack_retries is a retransmission count, not a timeout in seconds:
# lowering it from the default of 5 makes half-open entries expire sooner
echo 3 > /proc/sys/net/ipv4/tcp_synack_retries

Make these settings permanent in /etc/sysctl.conf (apply them without a reboot with sysctl -p):

net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 3
