COMMAND

    SYN Flood Vulnerability

SYSTEMS AFFECTED

    All unpatched TCP/IP implementations.

PROBLEM

    To understand SYN floods it is important to understand the concept
    of the TCP/IP handshake.  When a client attempts to connect to a
    server, it sends a SYN packet (which the server is listening for).
    The server then sends back to the client a SYN-ACK packet,
    acknowledging the receipt of the first packet.  The client then
    sends back to the server an ACK packet acknowledging the receipt of
    the server's SYN-ACK.  In essence, the server expects to receive 2
    packets from the client to establish a connection.

    A SYN flood is when an attacker sends numerous SYN packets to a port
    on your machine.  When the server sends out a SYN-ACK and never
    receives an ACK back, it sits there and waits for a while before
    timing out.  This is called a half-open connection.  Each occurrence
    of a half-open connection uses memory resources, and sending
    numerous SYN packets to a specific port will often fill the queue.
    After a certain number of half-open connections, the server
    listening on the port will start to drop subsequent packets until it
    either receives the appropriate ACKs from the clients that initiated
    the connections, or until it times them out.  On some machines, such
    as Sun machines running SunOS, it can take as little as 8 half-open
    connections to fill a port's queue.

    When the ports' queues are filled they start dropping packets.  This,
    in effect, renders them useless.  If someone were to flood the
    syslog port, then that port would no longer be able to accept new
    connections until it times out all of the half-open connections.

SOLUTION

    Increase the number of half-open connections allowed to ports on
    your machine.  Use a program like ISS's RealSecure to prevent SYN
    floods from happening in the first place, through real-time active
    network traffic monitoring.  If RealSecure sees SYNs not followed by
    ACKs, it will reset the connections for you, unclogging your ports.

    The routers of most ISPs should be blocking any packets with
    non-internal source addresses from leaving their network and going
    to the Internet.  This will stop an attacker if their ISP implements
    this.  Unfortunately, it does not stop an attack from areas of the
    Internet that do not block such traffic.  But at least the ISP can
    feel comfortable knowing that an attacker cannot launch the attack
    from that ISP.  It might help you temporarily if you notice that the
    attacks have any pattern that can be blocked by router rules.
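
    The following is an added example, not part of the original advisory
    or of any vendor product: it replays a constructed packet log through
    the handshake states described under PROBLEM (SYN, SYN-ACK, ACK),
    counts the half-open connections per port the way a monitor such as
    the one described under SOLUTION would (SYNs not followed by ACKs),
    and flags ports whose count has reached the backlog limit.  The log
    format, the 8-entry backlog and the assumed 75-second SYN-RCVD timer
    are assumptions chosen for the example.

```python
from collections import defaultdict

SYN, SYNACK, ACK = "SYN", "SYN-ACK", "ACK"

# Constructed sample log (not a real capture): (time_s, client, server_port, flag).
# SYN and ACK travel client -> server, SYN-ACK travels server -> client.
SAMPLE_LOG = [
    (0.0, "192.0.2.10:40001", 514, SYN),      # a normal client ...
    (0.0, "192.0.2.10:40001", 514, SYNACK),
    (0.1, "192.0.2.10:40001", 514, ACK),      # ... completes its handshake
    (2.0, "192.0.2.11:40002", 25, SYN),       # one slow client on port 25
    (2.0, "192.0.2.11:40002", 25, SYNACK),
]
# Nine sources send SYNs to port 514 and never answer the SYN-ACK.
for i in range(9):
    SAMPLE_LOG.append((1.0 + i * 0.01, f"198.51.100.{i}:{40100 + i}", 514, SYN))
    SAMPLE_LOG.append((1.0 + i * 0.01, f"198.51.100.{i}:{40100 + i}", 514, SYNACK))


def half_open_by_port(log, now, timeout=75.0):
    """Replay the log up to `now`; return {port: number of half-open connections}.
    A connection is half-open from the SYN until the client's ACK arrives; the
    server reaps it after `timeout` seconds (75 s is an assumed timer value)."""
    pending = {}  # (client, port) -> time the SYN entered the queue
    for t, client, port, flag in sorted(log, key=lambda r: r[0]):
        if t > now:
            break
        key = (client, port)
        if flag in (SYN, SYNACK):
            pending.setdefault(key, t)      # queue slot allocated on the SYN
        elif flag == ACK:
            pending.pop(key, None)          # third packet: handshake complete
    counts = defaultdict(int)
    for (_, port), t in pending.items():
        if now - t < timeout:               # not yet timed out by the server
            counts[port] += 1
    return dict(counts)


def flooded_ports(log, now, backlog=8, timeout=75.0):
    """Ports whose half-open count has reached `backlog`, i.e. where further
    SYNs would now be dropped (8 is the SunOS figure quoted in the advisory)."""
    return sorted(p for p, n in half_open_by_port(log, now, timeout).items()
                  if n >= backlog)


if __name__ == "__main__":
    print(half_open_by_port(SAMPLE_LOG, now=3.0))   # {514: 9, 25: 1}
    print(flooded_ports(SAMPLE_LOG, now=3.0))       # [514]
    print(flooded_ports(SAMPLE_LOG, now=100.0))     # [] once the server has timed them out
```

    Raising the backlog argument models the first suggestion above
    (allowing more half-open connections); the timed-out case shows why
    a flooded port recovers on its own only after the timer expires.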