COMMAND

    'SYN Flood' Attack

SYSTEMS AFFECTED

    IBM AIX 3.2.5, 4.1.x, 4.2.x

PROBLEM

    The  exploitation  of  this  vulnerability  takes advantage of the
    Transmission  Control  Protocol  (TCP)  connection   establishment
    procedure,  usually   called  the   "three-way  handshake."    The
    three-way handshake works as follows:

    Suppose that Host A wants to connect to Host B:

    1. Host  A begins  the process  of establishing  the connection by
       sending a SYN (synchronization) packet to Host B.  This  packet
       requests a new connection on a particular port, and begins  the
       process  of  negotiating  connection  details  such  as  packet
       sequence numbers.

    2. Host  B  responds   by  sending  a  SYN/ACK   (synchronization/
       acknowledgement) packet back to  A.  This packet   acknowledges
       Host A's packet, and goes one step further in negotiating   the
       connection details.

    3. Host  A sends  a final  ACK (acknowledgement)  packet back   to
       Host  B;  this  acknowledges  Host  B's  packet, finalizes  the
       negotiations  of  connection  details,  and  the connection  is
       established.

    The three-way handshake is designed  to work properly even if  one
    of the  packets gets  lost or  duplicated, which  can happen  from
    time to time (as a part of normal operations).

    During the time between steps 2  and 3, Host B must keep  track of
    the pending (half-open) connection by storing the details of  the
    negotiation in an in-memory data structure, the listen backlog of
    the port the SYN was sent to.  This data structure is  of  finite
    size, which means that too many pending connections at  one  time
    will fill it completely.  When this happens, Host B drops further
    SYN packets arriving for that port, so it is unable to accept any
    new connections on it until some of the pending connections  have
    been fully established (or have timed out), freeing space  in  the
    data structure.

    The basic SYN flood attack works  by sending a high volume of  SYN
    packets  to  the  target  host,  and  then never responding to the
    SYN/ACK  packets  that  are  returned,  thus  filling  up the data
    structure(s) used  by the  target host  to keep  track of  pending
    connections.    Although  pending   connections  will   time   out
    eventually and free up space in the data structure(s), the  sender
    can simply transmit additional  SYN packets, faster than  they can
    expire.

    In another possible  scenario, the sender  takes advantage of  the
    fact that, since he is ignoring the target host's SYN/ACK packets,
    he does not even need to receive them.  This allows him to hide
    his location by using a forged source address in the SYN packets
    his system sends: he can use the real address of another system
    (thus misleading the target), or he can use an unreachable or
    non-existent address (and simply hide).  The second choice is the
    more effective one.  A live system that receives a SYN/ACK it never
    asked for answers with a RST, which releases the pending entry on
    the target, whereas a SYN/ACK sent to an address that never answers
    leaves the entry pending until it times out.  At least one of the
    attack programs currently in use on the Internet makes up a new,
    random source address for each packet it sends.
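    The following is an added example, not code from the advisory or
    from IBM.  It models the three-way handshake (steps 1 to 3), the
    finite table of pending connections on Host B, and the flood of
    forged-source SYNs described in the paragraphs above.  The backlog
    capacity, the entry timeout (counted in abstract ticks) and all
    addresses are assumptions chosen for illustration; it also shows why
    a forged address that belongs to a live host (which answers the
    SYN/ACK with a RST) works against the attacker.

```python
"""Model of a TCP listen backlog under a SYN flood.

Added example, not code from the advisory or from IBM.  Capacity,
timeout (abstract ticks) and addresses are illustrative assumptions.
"""
import random


class ListenBacklog:
    """Finite table of half-open connections on one listening port (Host B)."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity        # how many pending entries fit
        self.timeout = timeout          # ticks an unanswered SYN/ACK survives
        self.pending = {}               # (src_ip, src_port) -> expiry tick
        self.established = 0
        self.dropped = 0                # SYNs refused because the table was full

    def expire(self, now):
        """Free entries whose SYN/ACK was never acknowledged in time."""
        stale = [k for k, t in self.pending.items() if t <= now]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def syn(self, src, now):
        """Step 1: a SYN arrives; B must record the pending connection."""
        self.expire(now)
        if src in self.pending:
            return True                 # duplicate SYN, entry already exists
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False                # table full: the SYN is dropped
        self.pending[src] = now + self.timeout
        return True                     # B answers with SYN/ACK (step 2)

    def ack(self, src):
        """Step 3: the final ACK completes the handshake and frees the slot."""
        if self.pending.pop(src, None) is None:
            return False
        self.established += 1
        return True

    def rst(self, src):
        """A RST from a spoofed source that is really alive (it never sent
        the SYN, so it rejects the SYN/ACK) also frees the slot."""
        return self.pending.pop(src, None) is not None


def legitimate_client(backlog, src, now):
    """A well-behaved client answers the SYN/ACK at once."""
    return backlog.syn(src, now) and backlog.ack(src)


def syn_flood(backlog, rate, ticks, live_fraction=0.0, seed=1):
    """Send `rate` SYNs per tick from random forged sources and never ACK.

    live_fraction is the share of forged addresses that belong to a
    reachable host; such a host answers the unsolicited SYN/ACK with a
    RST, which frees the entry.  Unreachable addresses leave it pending.
    """
    rng = random.Random(seed)           # seeded so runs are reproducible
    for now in range(ticks):
        for _ in range(rate):
            src = ("10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256),
                                     rng.randrange(1, 255)),
                   rng.randrange(1024, 65536))
            if backlog.syn(src, now) and rng.random() < live_fraction:
                backlog.rst(src)
    return backlog


def run_scenario(capacity=8, timeout=10, rate=3, ticks=20, live_fraction=0.0):
    """Flood for `ticks` ticks, then let a real client try in the last tick.

    The table stays full as long as rate * timeout exceeds capacity,
    i.e. SYNs arrive faster than stale entries can expire.
    """
    backlog = ListenBacklog(capacity, timeout)
    syn_flood(backlog, rate, ticks, live_fraction)
    ok = legitimate_client(backlog, ("192.0.2.10", 40000), ticks - 1)
    return {"client_connected": ok, "half_open": len(backlog.pending),
            "dropped": backlog.dropped, "established": backlog.established}


if __name__ == "__main__":
    print("no flood:          ", run_scenario(rate=0))
    print("flood, unreachable:", run_scenario())
    print("flood, live hosts: ", run_scenario(live_fraction=1.0))
```

    With the defaults the table is full from the third tick onward and
    stays full, because each tick frees at most the entries created ten
    ticks earlier while three new SYNs arrive; the legitimate client is
    refused.  With live_fraction=1.0 every entry is released by a RST
    and the same client connects normally.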

    For more complete information on the SYN Flood attack, see

    ftp://info.cert.org/pub/cert_advisories/CA-96.21.tcp_syn_flooding

SOLUTION

    IBM  has  released  AIX  operating  system  fixes  for  the  SYN
    flood vulnerability.  If you are using the IBM Internet Connection
    Secured Network Gateway (SNG) firewall software, you must also apply
    the SNG fixes listed in the NOTE below, which are available from
    http://service.software.ibm.com/aixsupport/.

        System        Patch
        -------------------
        AIX 3.2.5     No APAR available; upgrade to AIX 4.x recommended
        AIX 4.1.x     APAR - IX62476
        AIX 4.2.x     APAR - IX62428

       NOTE:  The  fixes  in  this  section  should ONLY be applied to
       systems  running  the  IBM  Internet Connection Secured Network
       Gateway (SNG) firewall software.

       IBM SNG V2.1   APAR - IR33376 PTF UR46673
       IBM SNG V2.2   APAR - IR33484 PTF UR46641
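
    Whether or not the fixes above are in place, an administrator can
    tell that a host is being flooded by the number of connections that
    sit in the SYN_RCVD state (the half-open entries described in the
    PROBLEM section), as shown by netstat -an.  The following is an
    added example, not from the advisory or from IBM: it parses
    netstat-style output and flags listening ports with many half-open
    connections from many different peers, the pattern left by an
    attacker forging random source addresses.  The sample lines are
    constructed, the column layout is an assumption about the netstat
    format, and the threshold of five is an arbitrary choice.

```python
"""Count half-open (SYN_RCVD) connections per local port from netstat output.

Added example, not code from the advisory or from IBM.  The sample
output below is constructed and the column layout is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample of "netstat -an" output (assumed layout:
# Proto Recv-Q Send-Q Local-Address Foreign-Address state).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  192.0.2.1.80           10.14.201.7.1024       SYN_RCVD
tcp4       0      0  192.0.2.1.80           10.88.3.250.4411       SYN_RCVD
tcp4       0      0  192.0.2.1.80           10.200.17.9.2050       SYN_RCVD
tcp4       0      0  192.0.2.1.80           10.9.76.131.61002      SYN_RCVD
tcp4       0      0  192.0.2.1.80           10.55.0.42.3333        SYN_RCVD
tcp4       0      0  192.0.2.1.80           10.123.45.67.1500      SYN_RCVD
tcp4       0      0  192.0.2.1.23           198.51.100.7.40001     ESTABLISHED
tcp4       0      0  192.0.2.1.25           203.0.113.9.55012      ESTABLISHED
tcp4       0      0  192.0.2.1.22           198.51.100.20.5000     SYN_RCVD
"""

# proto, recv-q, send-q, local, foreign, state
LINE_RE = re.compile(r"^(tcp\S*)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def split_addr(addr):
    """'192.0.2.1.80' -> ('192.0.2.1', '80'); the port is the last dotted field."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_netstat(text):
    """Yield one dict per TCP connection line; headers and others are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        yield {"proto": proto, "local": split_addr(local),
               "foreign": split_addr(foreign), "state": state}


def half_open_by_port(text):
    """Map local port -> list of peer addresses with a SYN_RCVD entry."""
    per_port = defaultdict(list)
    for conn in parse_netstat(text):
        if conn["state"] == "SYN_RCVD":
            per_port[conn["local"][1]].append(conn["foreign"][0])
    return dict(per_port)


def suspicious_ports(text, threshold=5):
    """Ports whose half-open count reaches the threshold (threshold is arbitrary).

    Many distinct peers behind the entries is the signature of forged,
    random source addresses; a single busy peer is more likely a slow or
    broken client than an attack.
    """
    report = {}
    for port, peers in half_open_by_port(text).items():
        if len(peers) >= threshold:
            report[port] = {"half_open": len(peers),
                            "distinct_peers": len(set(peers))}
    return report


if __name__ == "__main__":
    for port, info in suspicious_ports(SAMPLE_NETSTAT).items():
        print("port %s: %d half-open from %d peers"
              % (port, info["half_open"], info["distinct_peers"]))
```

    Run against live output with
    suspicious_ports(subprocess.check_output(["netstat", "-an"], text=True))
    from a small wrapper; a port that keeps a full backlog of SYN_RCVD
    entries from ever-changing peers while legitimate users report
    connection failures is the condition the fixes above address.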