COMMAND
NT SYN Flood Attack
SYSTEMS AFFECTED
Win NT 3.51, 4.0
PROBLEM
This vulnerability was originally presented on:
www.ntshop.com/security
and this text (or parts of it) is credited to them.
"Computer hackers" can target an entire machine, or a specific TCP
service such as web services. The attack is focused on the TCP
protocol used by all computers on the Internet, and is not
specific to the Windows NT operating system. If you are interested
in how SYN flooding works in general, see the 'mUNIXes' section.
The following information is from Microsoft's Knowledge Base:
A TCP connection request (SYN) is sent to the target
computer. The source IP address in the packet is "spoofed,"
or replaced with an address that is not in use on the
Internet, or that belongs to another computer. An attacker
will send many of these TCP SYNs to tie up as many resources
as possible on the target computer.
Upon receiving the connection request, the target computer
allocates resources to handle and track the new connection,
then responds with a "SYN-ACK". In this case, the response is
sent to the "spoofed" non-existent IP address.
No response is received to the SYN-ACK. A default-configured
Windows NT 3.5x or 4.0 computer will retransmit the SYN-ACK 5
times, doubling the time-out value after each retransmission.
The initial time-out value is three seconds, so retries are
attempted at 3, 6, 12, 24, and 48 seconds. After the last
retransmission, 96 seconds are allowed to pass before the
computer gives up on receiving a response, and deallocates
the resources that were set aside earlier for the connection.
The total elapsed time that resources are in use is 189
seconds.
If you suspect that your computer is the target of a SYN attack,
you can type the following command at a command prompt to view
connections in the "SYN_RECEIVED" state:
netstat -n -p tcp
This command may cause the following text to appear on your
screen:
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1030         127.0.0.1:1032         ESTABLISHED
  TCP    127.0.0.1:1032         127.0.0.1:1030         ESTABLISHED
  TCP    10.57.8.190:21         10.57.14.154:1256      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1257      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1258      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1259      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1260      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1261      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1262      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1263      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1264      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1265      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1266      SYN_RECEIVED
  TCP    10.57.8.190:4801       10.57.14.221:139       TIME_WAIT
If a large number of connections are in the SYN_RECEIVED state,
it is possible that the system is under attack. A network
analyzer can be used to track the problem down further, and it
may be necessary to contact your Internet Service Provider for
assistance in attempting to trace the source.
The effect of tying up connection resources varies, depending
upon the TCP/IP stack and applications listening on the TCP port.
For most stacks, there is a limit on the number of connections
that can be in the half-open (SYN_RECEIVED) state. Once the limit
is reached for a given TCP port, the target computer responds with
a reset to all further connection requests until resources are
freed.
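The check above can be automated: the following Python script (an added example, not part of the original advisory or Microsoft's KB) parses `netstat -n -p tcp` output, counts half-open connections per local port so a flooded service stands out, and reproduces the 189-second resource hold time from the retransmission schedule. The sample output is constructed for the example.

```python
# Added example (not from the advisory): parse `netstat -n -p tcp` output,
# count half-open connections per local port, and compute the resource
# hold time of a default NT 3.5x/4.0 stack.  Sample output is constructed.
from collections import Counter

SAMPLE_NETSTAT = """\
Active Connections
  Proto  Local Address      Foreign Address      State
  TCP    127.0.0.1:1030     127.0.0.1:1032       ESTABLISHED
  TCP    10.57.8.190:21     10.57.14.154:1256    SYN_RECEIVED
  TCP    10.57.8.190:21     10.57.14.154:1257    SYN_RECEIVED
  TCP    10.57.8.190:21     10.57.14.154:1258    SYN_RECEIVED
  TCP    10.57.8.190:21     10.57.14.154:1259    SYN_RECEIVED
  TCP    10.57.8.190:80     10.57.14.154:1260    SYN_RECEIVED
  TCP    10.57.8.190:4801   10.57.14.221:139     TIME_WAIT
"""

def parse_netstat(text):
    """Return (proto, local, foreign, state) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "TCP":
            rows.append(tuple(parts))
    return rows

def half_open_by_port(rows):
    """Count SYN_RECEIVED entries per local port (the service being tied up)."""
    counts = Counter()
    for _proto, local, _foreign, state in rows:
        if state == "SYN_RECEIVED":
            counts[local.rsplit(":", 1)[1]] += 1
    return counts

def suspicious_ports(rows, threshold=3):
    """Local ports with at least `threshold` half-open connections."""
    return sorted(p for p, n in half_open_by_port(rows).items() if n >= threshold)

def resource_hold_seconds(initial_timeout=3, retries=5):
    """Seconds a half-open entry is held: SYN-ACK retransmits after 3, 6, 12,
    24 and 48 s, then a final doubled wait of 96 s before giving up (189 s)."""
    total, timeout = 0, initial_timeout
    for _ in range(retries + 1):      # five retransmissions plus the final wait
        total += timeout
        timeout *= 2
    return total

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(dict(half_open_by_port(rows)), suspicious_ports(rows), resource_hold_seconds())
```

On a live system, feed the real command output into parse_netstat instead of the constructed sample; the threshold is a starting point to tune for the host's normal traffic.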
Microsoft has confirmed the TCP/IP protocol in Windows NT versions
3.51 and 4.0 to be vulnerable to these attacks.
SOLUTION
Use the hot-fixes available from Microsoft (for both Windows NT
3.51 and Windows NT 4.00). Obtain the Service Packs, or follow
some of the suggestions that Microsoft gave in its Knowledge Base
article about SYN attacks.