Synk4/Syn Flooding

CVE-1999-0116

Description of Syn Flooding

Any system providing TCP-based services to the Internet community is potentially vulnerable to this Denial of Service attack. The Synk4 DoS is considered a Syn Flooding type of attack.

In order to understand how the Syn Flooding attack works, it is necessary to understand how computers establish connections with one another over the Internet using a TCP connection. When a system, which we will refer to as a "client," attempts to establish a TCP connection to a system providing a service, which we will refer to as a "server," the client and server exchange a set, predetermined sequence of messages.

First, a client system initiates a connection by sending a SYN message (the message that begins the client-server "handshake") to the server. The server acknowledges the SYN message by sending a SYN-ACKNOWLEDGE, or SYN-ACK, message to the client attempting to connect. The client then finishes establishing the connection by responding with an ACKNOWLEDGE, or ACK, message of its own. The connection between the client and the server is then open, and data can be exchanged between them.

Syn Flooding (Synk4), like other SYN flooding attacks, works by creating scores of half-open connections. A half-open connection occurs when the server has sent a SYN-ACK message but never receives the ACK message from the client. The attacking system achieves this by sending SYN messages to the target server with a return address other than its own (known as IP spoofing). The server then sends its SYN-ACK message to the address specified in the SYN message, which is, of course, not the IP address of the attacking machine. Thus, the server never receives the final ACK (as the system receiving the SYN-ACK message cannot respond to it) and the connection is never fully completed. These uncompleted connections are called "pending connections," and are written to a buffer of limited size.

As the attacking machine creates an ever-increasing number of pending connections, the buffer described above eventually fills up and overflows. The number of pending connections that a system can handle simultaneously varies with the operating system: it can range from as few as six, as is the case with Windows NT, to as many as 32, as is the case with most flavors of UNIX, and some UNIX systems can handle as many as 128 pending connections at one time. Usually, as few as 100 packets a second will render any machine unusable. Once the buffer is full, the target machine stops accepting connections altogether. While pending connections will eventually expire, thus freeing up space in the pending connection buffer, the attacking system will more than likely continue sending IP-spoofed connection requests to the target machine, causing the buffer to fill with pending connections faster than they can expire. In effect, the machine is now closed to all new incoming connections.

Symptoms of Attack

Systems which fall prey to the Syn Flooding attack will, generally speaking, have difficulty accepting any new incoming network connections. Thus, legitimate users attempting to connect to the server will be unable to do so. Thankfully, the attack does not affect existing incoming connections or the ability of the server to open outgoing network connections. In some cases, though, the target system may exhaust memory, crash and/or hang. In these cases, the machine has been effectively rendered inoperable. In most instances, Syn Flooding will cause no permanent damage, and, as long as the attack has ended, a simple reboot should be sufficient to clear out the pending connection buffer and allow users to connect to the server. However, any unsaved data in open applications at the time of the attack may be lost if the system crashes or hangs. And, if the attack starts again, the machine is still vulnerable.

How can I fix this vulnerability?

Unfortunately, at the time of this writing there is no generally accepted solution to this vulnerability with the current IP protocol technology. However, proper router configuration can reduce the likelihood that your site, and others in the Internet community, will be a victim of this type of attack. CERT Advisory 96.21 - Appendix A details the proper router configuration to help minimize the occurrence of such attacks. A possible workaround is to track the number of pending connections in the pending connection buffer and reset those connections when a preset limit is reached. Although this workaround may result in the loss of some legitimate connections on busy servers, it is the approach that many systems administrators take to keep the server up and running.
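The handshake, the pending-connection buffer and the reset-when-full workaround described above can be made concrete with a small model. The following Python is an added example, not code from the original page or from any system it names; it is a simplified simulation (no real sockets, no SYN-ACK retransmission), and the addresses it uses are constructed from documentation ranges. It returns the number of legitimate handshakes that completed together with the buffer object, so the counters can be inspected.

```python
from collections import OrderedDict

class PendingConnectionBuffer:
    """Model of a server's half-open (pending) connection table.
    capacity: simultaneous half-open entries (page: 6 on NT, 32 or 128 on UNIX).
    timeout:  seconds before a half-open entry expires on its own.
    recycle:  page's workaround: when full, reset the oldest pending entry."""
    def __init__(self, capacity, timeout, recycle=False):
        self.capacity, self.timeout, self.recycle = capacity, timeout, recycle
        self.pending = OrderedDict()   # (ip, port) -> time the SYN arrived
        self.dropped = self.resets = self.completed = 0

    def _expire(self, now):
        # entries are kept in arrival order, so the oldest is always first
        while self.pending and now - next(iter(self.pending.values())) >= self.timeout:
            self.pending.popitem(last=False)

    def syn(self, now, src):
        """SYN received: server answers SYN-ACK and records the half-open entry."""
        self._expire(now)
        if src in self.pending:           # retransmitted SYN, nothing new to store
            return True
        if len(self.pending) >= self.capacity:
            if not self.recycle:
                self.dropped += 1         # buffer full: the new connection is refused
                return False
            self.pending.popitem(last=False)   # reset the oldest pending connection
            self.resets += 1
        self.pending[src] = now
        return True

    def ack(self, now, src):
        """Final ACK: the handshake completes only if the entry still exists."""
        self._expire(now)
        done = self.pending.pop(src, None) is not None
        self.completed += done
        return done

def simulate(capacity, timeout, recycle, spoofed_per_second, seconds):
    """Constructed scenario: each second spoofed_per_second SYNs arrive from forged
    addresses that never ACK, then one legitimate client sends SYN and ACKs 0.1 s later."""
    table = PendingConnectionBuffer(capacity, timeout, recycle)
    legit_ok = 0
    for t in range(seconds):
        for n in range(spoofed_per_second):   # forged sources: the SYN-ACK goes unanswered
            table.syn(float(t), ("198.51.100.%d" % (n % 254 + 1), 1024 + 1000 * t + n))
        client = ("192.0.2.10", 40000 + t)     # constructed legitimate client address
        if table.syn(t + 0.5, client) and table.ack(t + 0.6, client):
            legit_ok += 1
    return legit_ok, table
```

With the page's UNIX figure of 32 pending connections and 100 forged SYNs a second, the plain buffer completes no legitimate handshakes over ten seconds, while the reset-oldest policy completes all ten.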

For those running Windows NT and Windows 95 based systems, Microsoft has released patches which protect against the Syn Flooding attack, and others in the SYN flooding category. It should be noted, though, that there is some disagreement as to whether these patches provide complete protection against SYN flood attacks.

In addition to the solutions and workarounds listed above, Internet Security Systems has developed a product, named RealSecure, which they claim will limit the effects of certain Denial of Service attacks. Read more about RealSecure, and download a demo version, at the link provided above.

Where can I read more about this?

You may read more about SYN flooding attacks by visiting both CERT Advisory 96.21 and PCWEEK Online. Other good sources of information include BSDI's SYN flood page, BugTraq and Hotwired. In addition to the links provided above, the source code for Syn Flooding may be found at Rootshell's Syn Flooding page.

To keep abreast of existing and emerging Denial of Service attacks, and other security threats, visit the Microsoft Security Advisor, the Windows Central Bug Site, and/or CERT. If information on a specific attack is not located on these sites, keep checking back as they are updated frequently.