TCP SYN Flood Attacks
TCP SYN flood attacks take advantage of the way a new TCP connection is established, a procedure referred to as the TCP three-way handshake. Figure 1-4 illustrates how a TCP connection is established.

In the example presented in Figure 1-4, the client tries to establish a TCP connection to the web server. First, it sends a SYN (synchronize) packet to the server to synchronize sequence numbers; this packet carries the client's initial sequence number (ISN). To initialize a connection, the client and server must each learn the other's sequence number. The acknowledgment (ACK) field is set to 0 because this is the first packet of the three-way handshake and there is nothing to acknowledge yet. In the second packet, the server sends an acknowledgment together with its own SYN (a SYN-ACK) back to the client: it acknowledges the client's request and at the same time asks the client to synchronize to the server's own sequence number. The acknowledgment number in this packet is the client's ISN incremented by one, which tells the client that its SYN was received and which sequence number the server expects next. To conclude the handshake, the client sends an acknowledgment (ACK) packet to the web server, using the same method the server used: its acknowledgment number is the server's ISN incremented by one.
In a TCP SYN flood attack, the attacker generates spoofed SYN packets that appear to be valid new connection requests. The server receives each one, allocates state for the half-open connection and tries to reply, but the third packet of the handshake never arrives, so the connection never completes. After enough of these packets, the server's table of half-open connections fills, and the server may stop responding to new connection requests until the half-open entries time out and free their resources, or until the attack stops. Figure 1-5 shows how SYN flood attacks work: the attacker sends numerous spoofed SYN packets to the web server.

Note
Spoofing is the technique in which the attacker sends IP packets with someone else's source address to hide their identity. Sometimes attackers use authorized external or internal IP addresses that are trusted by firewalls and other devices in order to obtain access to internal resources.
Note
The server keeps every half-open connection created by the spoofed packets until it times out. This causes substantial performance degradation.
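The handshake and the flood described above, as an added simulation that is not code from the original text. It models only the sequence/acknowledgment arithmetic and the server's table of half-open connections; the backlog size (4 entries), the timeout (30 seconds) and all addresses are assumed values chosen for the demonstration. A legitimate client completes the handshake, a burst of spoofed SYNs fills the backlog, a second legitimate client is then refused, and it succeeds again once the half-open entries have timed out:

```python
"""Simulation of the TCP three-way handshake and of a SYN flood against a
server that holds a bounded number of half-open connections.

Added example: this is not code from the original text. It models only the
sequence/acknowledgment arithmetic and the server's half-open table; the
backlog size, the timeout and all addresses are assumed values."""
import random
from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF   # TCP sequence numbers are 32-bit and wrap around
BACKLOG = 4           # assumed: half-open connections the server can hold
SYN_TIMEOUT = 30.0    # assumed: seconds before a half-open entry is reaped


@dataclass
class Segment:
    src: str          # source IP; a flood uses spoofed values here
    seq: int          # sequence number (the ISN in a SYN)
    ack_num: int      # acknowledgment number, 0 when the ACK flag is clear
    syn: bool = False
    ack: bool = False


@dataclass
class Server:
    # half_open maps source IP -> (server ISN sent in the SYN-ACK, arrival time)
    half_open: dict = field(default_factory=dict)
    established: set = field(default_factory=set)

    def reap(self, now):
        """Drop half-open entries older than SYN_TIMEOUT (the Note above)."""
        for src in [s for s, (_, t) in self.half_open.items() if now - t >= SYN_TIMEOUT]:
            del self.half_open[src]

    def receive(self, seg, now):
        """Handle one segment; returns the reply segment or None."""
        self.reap(now)
        if seg.syn and not seg.ack:                       # step 1: SYN
            if len(self.half_open) >= BACKLOG:
                return None                               # backlog full: request dropped
            isn = random.getrandbits(32)
            self.half_open[seg.src] = (isn, now)
            # step 2: SYN-ACK acknowledges client ISN + 1 and carries our ISN
            return Segment(src="server", seq=isn, ack_num=(seg.seq + 1) & MASK32,
                           syn=True, ack=True)
        if seg.ack and not seg.syn and seg.src in self.half_open:   # step 3: ACK
            isn, _ = self.half_open[seg.src]
            if seg.ack_num == (isn + 1) & MASK32:
                del self.half_open[seg.src]
                self.established.add(seg.src)
        return None


def handshake(server, client_ip, now):
    """Legitimate client: full three-way handshake. Returns True when established."""
    client_isn = random.getrandbits(32)
    syn_ack = server.receive(Segment(client_ip, client_isn, 0, syn=True), now)
    if syn_ack is None or not (syn_ack.syn and syn_ack.ack):
        return False
    if syn_ack.ack_num != (client_isn + 1) & MASK32:
        return False
    server.receive(Segment(client_ip, (client_isn + 1) & MASK32,
                           (syn_ack.seq + 1) & MASK32, ack=True), now)
    return client_ip in server.established


def syn_flood(server, count, now):
    """Attacker: `count` SYNs from spoofed sources, never followed by an ACK.
    Returns how many SYNs the server had to drop."""
    dropped = 0
    for i in range(count):
        spoofed_src = f"10.0.0.{i}"    # constructed spoofed source addresses
        if server.receive(Segment(spoofed_src, random.getrandbits(32), 0, syn=True), now) is None:
            dropped += 1
    return dropped


def demo():
    srv = Server()
    before = handshake(srv, "192.0.2.10", now=0.0)               # True: normal handshake
    dropped = syn_flood(srv, 10, now=1.0)                        # 6: backlog of 4 fills, rest dropped
    during = handshake(srv, "192.0.2.11", now=2.0)               # False: server refuses new SYNs
    after = handshake(srv, "192.0.2.11", now=2.0 + SYN_TIMEOUT)  # True: half-open entries timed out
    return before, dropped, during, after


if __name__ == "__main__":
    print(demo())   # (True, 6, False, True)
```

A real stack keys the half-open table by the full source/destination address and port tuple and holds far more than four entries, but the mechanism the flood abuses is the same: every spoofed SYN occupies a slot until the timeout, and legitimate clients are refused while the slots are full.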
land.c Attacks
Another primitive example of a DoS attack is the land.c attack. In this type of attack, the attacker sends numerous SYN packets to the victim in which the source and destination IP addresses are identical and the source and destination ports are identical. The purpose of this attack is to make the victim send its reply packet to itself. Because the attacker sends these packets repeatedly, the victim can run out of resources replying to itself. In effect, the attacker turns the victim's own resources against it.
Smurf Attacks
Attackers can also consume bandwidth by directing unnecessary traffic to the victim's network. A classic example of this type of attack is the smurf attack. It combines two ingredients, the ICMP echo mechanism and IP broadcast addressing, which are described next.
Normally, ICMP reports errors and carries control messages. For example, the popular ping tool uses ICMP to verify that a specific system on the network is responding: it sends an ICMP echo request packet to that system and expects an ICMP echo reply packet in return.
In smurf attacks, ICMP echo request packets are sent to the IP broadcast addresses of remote subnets to degrade network performance. Figure 1-6 illustrates the essentials of smurf attacks. A smurf attack usually involves an attacker, an intermediary network, and a victim (in this case, a web server). If the intermediary network is 192.168.1.0 with a 24-bit subnet mask of 255.255.255.0, its broadcast address is 192.168.1.255. If an ICMP echo request is sent to that broadcast address, every system or node on the network receives it and, consequently, sends an ICMP echo reply in return. What makes the technique work is spoofing: the attacker sets the source address of the echo requests to the victim's address, so every host on the intermediary network sends its echo reply to the victim. A single request is thereby amplified into as many replies as there are responding hosts, and the replies consume the victim's available bandwidth. The intermediary network can also become a victim, because every host on it receives and answers each echo request sent to its broadcast address.
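The two header checks that the land.c and smurf descriptions above imply, written out as an added example that is not code from the original text. The Packet record, the local network list and the sample packets are all constructed for the demonstration; the broadcast-address computation uses the text's own 192.168.1.0/24 example and the amplification figure is simply the number of host addresses on that subnet:

```python
"""Header checks for the two attacks described above: land packets (identical
source and destination address and port) and smurf amplification traffic
(ICMP echo requests addressed to the directed-broadcast address of a subnet).

Added example: not code from the original text. The Packet record and the
sample packets below are constructed for the demonstration."""
import ipaddress
from dataclasses import dataclass

ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str             # "tcp", "udp" or "icmp"
    src_port: int = 0      # 0 for ICMP
    dst_port: int = 0
    icmp_type: int = -1    # 8 = echo request, 0 = echo reply


def is_land_packet(pkt):
    """land.c: source and destination IP are equal and so are the ports,
    so any reply the victim generates is addressed to itself."""
    return (pkt.proto in ("tcp", "udp")
            and pkt.src_ip == pkt.dst_ip
            and pkt.src_port == pkt.dst_port)


def broadcast_address(network):
    """Directed-broadcast address of a subnet: 192.168.1.0/24 -> 192.168.1.255."""
    return str(ipaddress.ip_network(network, strict=False).broadcast_address)


def amplification(network):
    """Upper bound on replies one broadcast echo request can trigger:
    the number of host addresses on the subnet (254 for a /24)."""
    return ipaddress.ip_network(network, strict=False).num_addresses - 2


def is_smurf_request(pkt, local_networks):
    """ICMP echo request sent to the broadcast address of one of our subnets.
    Its source address is the spoofed victim, which will receive every reply."""
    if pkt.proto != "icmp" or pkt.icmp_type != ICMP_ECHO_REQUEST:
        return False
    return any(pkt.dst_ip == broadcast_address(net) for net in local_networks)


def classify(packets, local_networks):
    """Return (attack, victim address) for every packet matching one of the checks."""
    findings = []
    for pkt in packets:
        if is_land_packet(pkt):
            findings.append(("land", pkt.dst_ip))        # the victim is the targeted host itself
        elif is_smurf_request(pkt, local_networks):
            findings.append(("smurf", pkt.src_ip))       # the victim is the spoofed source
    return findings


# Constructed sample traffic as seen at the border of the 192.168.1.0/24 network.
LOCAL_NETWORKS = ["192.168.1.0/24"]
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "198.51.100.7", "tcp", 80, 80),          # land: src == dst, port == port
    Packet("203.0.113.5", "192.168.1.255", "icmp", icmp_type=8),    # smurf: victim 203.0.113.5 spoofed
    Packet("192.168.1.20", "192.168.1.1", "tcp", 51000, 443),       # ordinary connection
    Packet("192.168.1.20", "192.168.1.1", "icmp", icmp_type=8),     # ordinary unicast ping
    Packet("203.0.113.5", "192.168.1.255", "icmp", icmp_type=0),    # echo reply, not a request
]


if __name__ == "__main__":
    for attack, victim in classify(SAMPLE_PACKETS, LOCAL_NETWORKS):
        print(attack, "victim", victim)
    print("a /24 amplifies each request up to", amplification("192.168.1.0/24"), "times")
```

The smurf check is the one an intermediary network would run on inbound traffic; the victim itself only sees a flood of echo replies from many hosts of one subnet, which is why the filter belongs at the border of every network that could be used as an amplifier.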
DDoS Attacks
DoS attacks may be orchestrated collectively in a more sophisticated technique called a distributed DoS (DDoS) attack. DDoS attacks coordinate several systems in different locations to attack a specific victim, which makes them very difficult to trace. In a DDoS attack, the attacker compromises numerous systems on the Internet by installing malicious code on them and then uses them to launch coordinated attacks on victim sites. These compromised systems are often referred to as bots (short for robots). Such attacks typically exhaust bandwidth and other network resources. Figure 1-7 shows how an attacker compromises numerous systems (agents) on the Internet and then launches a chained attack from them against a target system or network (the victim).

In general, the attacker controls the agents so that they generate the attack packets with spoofed source addresses.
Session Hijacking
Session hijacking occurs when an attacker intercepts and takes over a connection or session between two systems. The most common type of session hijacking attack targets TCP-based connections and uses source-routed packets: the attacker positions itself at a point on the network and forces all the TCP packets of a session between two systems to pass through that point. Figure 1-8 shows a basic session hijacking example, known as a man-in-the-middle attack. The attacker sits between the hosts and, using a sniffer, intercepts and forwards packets from Host A to Host B without either host knowing that the information has been compromised.

If an attacker is not able to use source routing, they can instead use a method called blind hijacking. In this technique the attacker never sees the traffic between the two hosts and must guess their replies, in particular the TCP sequence and acknowledgment numbers that make an injected packet acceptable to the receiver. The disadvantage for the attacker is that they may send a command and never see its response. However, the attacker can still impersonate either host to the other.
Note
Source routing is a technique by which the sender specifies the route that a packet should take through the network.
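Blind hijacking as described above reduces to predicting the number the server will expect, which the following added example illustrates. It is not code from the original text: the server model, the two ISN generators (a fixed step of 64000 per connection versus a seeded random value) and all addresses are assumptions made for the demonstration. The attacker opens a connection under its own address to observe one ISN, then spoofs the victim's address and must acknowledge an ISN that was sent to the victim, not to the attacker:

```python
"""Why blind hijacking comes down to guessing sequence numbers.

The server completes a spoofed handshake only if the final ACK carries its
own ISN + 1, and that ISN was sent to the impersonated host, not to the
attacker. Added example: not code from the original text; the server model,
the ISN generators and the addresses are assumptions for the demonstration."""
import random

MASK32 = 0xFFFFFFFF
_rng = random.Random(2024)   # seeded so the run is repeatable


def predictable_isn(prev_isn):
    """Old-style generator: a fixed step per connection (step assumed 64000)."""
    return (prev_isn + 64000) & MASK32


def random_isn(prev_isn):
    """Modern behaviour: an unpredictable 32-bit ISN per connection."""
    return _rng.getrandbits(32)


class Server:
    """Server side of the handshake, keyed by the (possibly spoofed) client address."""

    def __init__(self, isn_generator):
        self.isn_generator = isn_generator
        self.last_isn = 0
        self.half_open = {}      # client ip -> ISN we put in the SYN-ACK
        self.established = set()

    def syn(self, client_ip):
        """Process a SYN; returns the ISN sent in the SYN-ACK to client_ip."""
        self.last_isn = isn = self.isn_generator(self.last_isn)
        self.half_open[client_ip] = isn
        return isn

    def ack(self, client_ip, ack_num):
        """Process the final ACK; True only if it acknowledges our ISN + 1."""
        isn = self.half_open.get(client_ip)
        if isn is None or ack_num != (isn + 1) & MASK32:
            return False
        del self.half_open[client_ip]
        self.established.add(client_ip)
        return True


def blind_hijack(server, attacker_ip, victim_ip):
    """The attacker sees only replies addressed to attacker_ip. It opens a
    probe connection to learn the current ISN, then spoofs victim_ip and
    must guess the ISN the server sent to the victim (a reply it never sees)."""
    observed = server.syn(attacker_ip)                   # SYN-ACK to the attacker: visible
    server.ack(attacker_ip, (observed + 1) & MASK32)
    server.syn(victim_ip)                                # SYN-ACK to the victim: invisible
    guess = predictable_isn(observed)                    # attacker bets on an incrementing generator
    return server.ack(victim_ip, (guess + 1) & MASK32)   # True = spoofed session established


def demo():
    weak = blind_hijack(Server(predictable_isn), "203.0.113.9", "198.51.100.2")   # True
    strong = blind_hijack(Server(random_isn), "203.0.113.9", "198.51.100.2")      # False
    return weak, strong


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Against the incrementing generator one probe is enough; against a random ISN the single guess succeeds with probability 2^-32, and the attacker, being blind, does not even learn that it failed. In a real attack the impersonated host also receives the server's unsolicited SYN-ACK and would normally reset the connection, so the attacker must keep that host from answering as well.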