SYN flood denial of service
synflood (135)
Description:
A standard TCP connection is established by sending a SYN packet to the destination host. If the destination host is listening on the specified port, it responds with a SYN/ACK packet. The source host (the initial sender) then replies to the SYN/ACK with an ACK packet, and the connection is established.
When the destination host sends the SYN/ACK, it allocates a block of memory (a half-open connection entry in the listen backlog) to hold the state of the connection being established. That entry stays allocated, waiting for the final ACK from the source host, until the ACK arrives or a timeout is reached.
By sending a large number of SYN packets, usually with forged source addresses so that the SYN/ACKs are never answered, an attacker exhausts the memory the destination host uses to track opening connections. Once it is exhausted, the host drops further SYNs and legitimate clients can no longer connect.
The attack can be detected as a flood of SYN packets for which the handshake never completes. An in-line or monitoring device can counter it by sending the destination host RST packets that match the outstanding SYNs (same addresses, ports and sequence numbers); the host then frees the corresponding half-open entries and can accept new, legitimate connections.
Note for Proventia Network IPS users:
The SYNFlood signature detects a TCP SYN flood by monitoring the number and rate of SYN packets a server receives that do not result in an established connection during the measurement window. Two tuning parameters control the triggering rate: the number of new connection requests and the measurement interval. Enabling this signature on Proventia G appliances running in IPS mode enables SYNFlood protection; a tuning parameter changes this default so that the signature only reports.
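The detection logic described in the two passages above (tracking handshake state per connection, then counting SYNs that have not been completed within a measurement interval) as an added example in Python; this is not code from the X-Force entry or from the Proventia product. The packet log format, the threshold and interval defaults, and the sample traffic are all constructed for the example.

```python
"""Half-open connection tracker for SYN-flood detection (added example).

Packet records are constructed one-line summaries of the form
    <seconds> <src_ip>:<src_port> > <dst_ip>:<dst_port> <tcp_flags>
with flags written as S (SYN), SA (SYN/ACK), A (ACK), R/RA (RST).
The threshold and interval defaults are assumptions, not the
product's values.
"""

THRESHOLD = 100    # half-open SYNs to one server before alerting (assumed)
INTERVAL = 1.0     # measurement window in seconds (assumed)


def parse_line(line):
    """'0.000 10.0.0.5:40001 > 192.0.2.10:80 S' -> (ts, sip, sport, dip, dport, flags)."""
    ts, src, arrow, dst, flags = line.split()
    if arrow != ">":
        raise ValueError(f"malformed record: {line!r}")
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return float(ts), sip, int(sport), dip, int(dport), flags


class SynFloodDetector:
    def __init__(self, threshold=THRESHOLD, interval=INTERVAL):
        self.threshold = threshold
        self.interval = interval
        self.half_open = {}     # (client_ip, client_port, server_ip, server_port) -> SYN time
        self.last_alert = {}    # (server_ip, server_port) -> time of last alert
        self.alerts = []        # (time, server, half-open count)

    def feed(self, line):
        ts, sip, sport, dip, dport, flags = parse_line(line)
        if "S" in flags and "A" not in flags:
            # client SYN: the server now holds a half-open entry for this 4-tuple
            self.half_open[(sip, sport, dip, dport)] = ts
            self._check(ts, (dip, dport))
        elif "S" in flags:
            pass                # server SYN/ACK: state was already allocated on the SYN
        elif "R" in flags:
            # RST from either side releases the entry (this is what an IPS
            # that injects RSTs for the outstanding SYNs relies on)
            self.half_open.pop((sip, sport, dip, dport), None)
            self.half_open.pop((dip, dport, sip, sport), None)
        elif "A" in flags:
            # client's final ACK completes the handshake
            self.half_open.pop((sip, sport, dip, dport), None)

    def _check(self, now, server):
        cutoff = now - self.interval
        # SYNs older than the window no longer count against it
        for key in [k for k, t in self.half_open.items() if t <= cutoff]:
            del self.half_open[key]
        pending = sum(1 for (_, _, s, sp) in self.half_open if (s, sp) == server)
        last = self.last_alert.get(server)
        if pending > self.threshold and (last is None or now - last >= self.interval):
            self.last_alert[server] = now
            self.alerts.append((now, server, pending))


def run_detector(lines, **kw):
    det = SynFloodDetector(**kw)
    for line in lines:
        det.feed(line)
    return det


def build_sample_log():
    """Constructed traffic: one legitimate handshake followed by 150 SYNs
    from forged sources that never answer the SYN/ACK."""
    lines = [
        "0.000 10.0.0.5:40001 > 192.0.2.10:80 S",
        "0.010 192.0.2.10:80 > 10.0.0.5:40001 SA",
        "0.020 10.0.0.5:40001 > 192.0.2.10:80 A",
    ]
    for i in range(150):
        src = f"198.51.100.{i + 1}:{10000 + i}"
        lines.append(f"{0.100 + i * 0.003:.3f} {src} > 192.0.2.10:80 S")
        lines.append(f"{0.101 + i * 0.003:.3f} 192.0.2.10:80 > {src} SA")
    return lines


if __name__ == "__main__":
    for ts, server, count in run_detector(build_sample_log()).alerts:
        print(f"t={ts:.3f}s SYN flood against {server[0]}:{server[1]}: "
              f"{count} half-open connections in {INTERVAL}s")
```

Counting only SYNs whose handshake has not completed, rather than raw SYN rate, is what keeps a busy but healthy server from tripping the detector; the two constructor arguments play the role of the signature's connection-request and measurement-interval parameters, and the alert is suppressed for one interval after it fires so a sustained flood produces one alert per window instead of one per packet.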
Consequences:
Denial of Service
Remedy:
Most modern releases of operating systems contain fixes for SYN-based flooding attacks, typically SYN cookies (which keep no per-connection state until the client's final ACK arrives) and larger, faster-expiring half-open queues. Users should contact their vendor for further information.
Windows NT users should upgrade to at least SP2 or install the synattack post-SP1 hotfix to remedy this vulnerability.
— AND —
Consider increasing the default size of the half-open connection (listen backlog) queue and shortening its timeout. This raises the number of SYNs the attacker must keep in flight but does not by itself eliminate the attack.
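An added example, not code from the X-Force entry or from any vendor's TCP stack, of why a larger backlog only raises the bar while SYN cookies remove the exhaustible state altogether. It is a toy model of a listening socket's half-open queue: the flood fills the stateful queue and a legitimate client is refused; with cookies the server ISN is derived from the connection identifiers and a secret, nothing is stored, and the client's ACK proves it saw the SYN/ACK. The secret, backlog size and addresses are constructed; real cookie implementations also fold a coarse timestamp and the client's MSS into the ISN, which is omitted here.

```python
"""Toy model of a listening socket's half-open queue, with and without SYN
cookies (added example; simplified from the real mechanism).

A SYN cookie is a server initial sequence number computed from the
connection identifiers and a server secret, so the server keeps no state
until the client's final ACK proves it received the SYN/ACK.  The secret,
backlog size and addresses are constructed values.
"""
import hashlib
import hmac
import secrets

MASK32 = 0xFFFFFFFF


class Listener:
    def __init__(self, backlog=128, syncookies=False, secret=b"constructed-secret"):
        self.backlog = backlog
        self.syncookies = syncookies
        self.secret = secret
        self.half_open = {}        # (client_ip, client_port) -> server ISN
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, cip, cport, client_isn):
        """Stateless server ISN bound to this client, port and client ISN."""
        msg = f"{cip}:{cport}:{client_isn}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, cip, cport, client_isn):
        """Handle a SYN; return the server ISN sent in the SYN/ACK, or None if dropped."""
        if self.syncookies:
            return self._cookie(cip, cport, client_isn)      # nothing stored
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                           # queue exhausted
            return None
        isn = secrets.randbits(32)
        self.half_open[(cip, cport)] = isn
        return isn

    def on_ack(self, cip, cport, client_isn, ack):
        """Handle the client's final ACK, which must acknowledge server ISN + 1."""
        if self.syncookies:
            expected = (self._cookie(cip, cport, client_isn) + 1) & MASK32
            if ack != expected:
                return False                                 # forged or stale ACK
        else:
            isn = self.half_open.get((cip, cport))
            if isn is None or ack != (isn + 1) & MASK32:
                return False
            del self.half_open[(cip, cport)]                 # entry freed on completion
        self.established.add((cip, cport))
        return True


def legit_client_connects(syncookies, backlog=128, flood_syns=500):
    """Flood the listener with SYNs from forged sources that never ACK,
    then attempt one legitimate handshake; return whether it succeeded."""
    srv = Listener(backlog=backlog, syncookies=syncookies)
    for i in range(flood_syns):
        srv.on_syn(f"203.0.113.{i % 250 + 1}", 20000 + i, client_isn=i)
    isn = srv.on_syn("10.0.0.5", 40001, client_isn=12345)
    if isn is None:
        return False                                         # SYN dropped, queue full
    return srv.on_ack("10.0.0.5", 40001, 12345, (isn + 1) & MASK32)


if __name__ == "__main__":
    print("stateful backlog of 128:", legit_client_connects(False))   # False
    print("with SYN cookies:       ", legit_client_connects(True))    # True
```

Raising the backlog to more than the attacker's in-flight SYNs makes the stateful case succeed again, which is exactly the "increase the default limit" remedy and exactly its weakness: the attacker only has to send more. On Linux the corresponding knobs are net.ipv4.tcp_max_syn_backlog and net.ipv4.tcp_syncookies, where the kernel uses cookies only once the queue would overflow.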
References:
- CERT Advisory CA-1996-21: TCP SYN Flooding and IP Spoofing Attacks.
- Microsoft Knowledge Base Article 142641: Internet Server Unavailable Because of Malicious SYN Attacks.
- SGI Security Advisory 19960901-01-A: TCP SYN Denial of Service Attack.
- SGI Security Advisory 19961202-01-PX: TCP SYN and Ping Denial of Service Attacks.
- Sun Microsystems, Inc. Security Bulletin #00136: TCP-based "SYN flood" denial-of-service attack.
- CVE-1999-0116: Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood.
Platforms Affected:
- Apple Mac OS
- Cisco IOS
- Compaq Tru64
- Data General DG/UX
- IBM AIX
- IBM OS2
- Linux Kernel
- Microsoft Windows 2000
- Microsoft Windows 2003 Server
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows Me
- Microsoft Windows NT 3.5.1 SP1
- Microsoft Windows NT 3.51
- Microsoft Windows NT 4.0
- Microsoft Windows XP
- Novell NetWare
- SCO SCO Unix
- SGI IRIX
- Sun Solaris
- WindRiver BSDOS
- HP-UX
Reported:
Oct 01, 1996
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
