[Dr.WoW] [No.14] SYN Flood Attack and Defense Highlighted

Latest reply: May 22, 2015 11:36:16

In the past, a major obstacle facing attackers was insufficient bandwidth: a single attacker could not send requests in large enough numbers. Although attacks like ping of death can crash an unpatched operating system with a handful of packets, most DoS attacks need a large volume of traffic to bring down the victim, which no single attacker can generate. That is why distributed denial of service (DDoS) attacks emerged.

DDoS attackers control massive numbers of zombie hosts that send crafted attack packets to the target. As a result, links on the attacked network are congested and system resources are exhausted, leaving the victim unable to respond to legitimate users, as shown in Figure 1-1.
Figure 1-1 DDoS attack


When we talk about DDoS attacks, the first that comes to mind is SYN flood. SYN flood is a classic attack and has been a major DDoS technique for a long time. What makes SYN flood special is that it is hard to block based on the features of a single packet or on traffic statistics alone, because its packets look too "real" and "commonplace."

SYN floods are highly adaptable and have not faded away over the years, thanks to their "excellent genes":

• Each packet looks "real": it is a well-formed TCP SYN, not a malformed packet.

• The attack cost is low: a small investment of bandwidth and CPU can launch a massive attack, because each spoofed SYN costs the attacker almost nothing but costs the server a half-open connection.

During the 2014 Chinese New Year, an IDC experienced three consecutive rounds of attacks within a few days; the longest lasted three hours and peaked at 160 Gbit/s. Analysis of the targets and attack types showed that the attacks were coordinated by hacker groups against the same target, and analysis of the captured packets showed that the main attack method was SYN flood.

According to a security operations report for 2013, DDoS attacks are increasing every year, and SYN flood accounted for 31% of DDoS attacks in 2013.

Obviously, SYN flood attacks are still rampant. Know yourself and know your enemy, and you will never be defeated. Let's take a look at how a SYN flood works.

1 Attack Mechanism

As the name suggests, SYN flood attack is related to the SYN message of TCP. Therefore, let's review the TCP three-way handshake process, as shown in Figure 1-2.
Figure 1-2 TCP three-way handshake


1. First handshake: The client sends a SYN (synchronize) message to the server, carrying the client's initial sequence number (ISN).

2. Second handshake: After receiving the SYN message, the server replies with a SYN+ACK message, indicating that the client's request is accepted. The message carries the server's own ISN as its sequence number and sets the acknowledgment number to the client's ISN plus 1.

3. Third handshake: After receiving the SYN+ACK message, the client sends an ACK message whose acknowledgment number is the server's ISN plus 1, completing the three-way handshake.

If the client fails (or never existed) after sending the SYN message, the server never receives the ACK in response to its SYN+ACK, and the three-way handshake cannot be completed. The server keeps the connection in a half-open state, retransmits the SYN+ACK, and waits for a period of time. If no ACK arrives from the client within the specified period, the incomplete connection is removed. Until then, the half-open connection occupies an entry in the server's connection queue.

An attacker can take advantage of the TCP three-way handshake mechanism to launch SYN flood attacks. As shown in Figure 1-3, the attacker sends the target server a large number of SYN messages whose source IP addresses do not exist or are unreachable. After the server replies with SYN+ACK messages, no ACK ever comes back, so a large number of half-open connections pile up. These half-open connections exhaust server resources and make the server unable to respond to legitimate requests.
Figure 1-3 SYN flood attacks


Firewalls usually use TCP proxy or TCP source authentication to defend against SYN flood attacks.

2 TCP Proxy

The firewall can be deployed between the client and server as a TCP proxy: it completes the three-way handshake with the client on behalf of the server and relays the TCP connection to the server only once that handshake is complete.
As shown in Figure 1-4, the firewall collects statistics on SYN packets. If the number of SYN packets destined for a destination reaches the preset threshold within a specified period, the TCP proxy is triggered.
After TCP proxy is enabled, the firewall returns a SYN+ACK message on behalf of the server upon receiving a SYN message from a client. If the client does not return an ACK, the firewall considers the SYN abnormal and simply holds the half-open connection in its own table until it expires; the server never sees it. If the client returns an ACK, the firewall considers the SYN normal, completes the three-way handshake with the client, and then performs a three-way handshake with the server on the client's behalf. Subsequent TCP packets from the client are sent to the server. The process is transparent to both client and server (because the firewall's initial sequence number differs from the server's, it has to translate sequence numbers on the relayed connection for its whole lifetime).
Figure 1-4 TCP proxy


During TCP proxying, the firewall answers every SYN message it receives and maintains the half-open connections itself. A large SYN flood therefore lands on the firewall, which must have the performance to handle it: in TCP proxy mode the firewall spends its own resources on the half-open connections. Firewalls usually have far more capacity for this than servers, so they can absorb resource-intensive attacks that would exhaust the server.
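The attack mechanism from section 1 and the TCP proxy described above, as an added example (not code from the original post or from any USG product): a small Python simulation of a server's half-open connection table under a spoofed SYN flood, run once against the bare server and once with a TCP proxy in front of it. The addresses, the 64-entry backlog, the proxy's 100,000-entry table and the 3 s SYN+ACK timeout are assumptions chosen for the simulation.

```python
"""Constructed simulation: a spoofed SYN flood against a server's half-open
table, with and without a TCP proxy in front. Added example; backlog size,
timeouts and addresses are assumptions, not values from the post."""
import random
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    flags: str          # "SYN", "SYN+ACK" or "ACK"
    seq: int = 0
    ack: int = 0


class Server:
    """Bare TCP server: every SYN costs one half-open entry until the ACK
    arrives or the SYN+ACK retransmissions time out."""

    def __init__(self, addr, backlog=64, synack_timeout=3.0):
        self.addr = addr
        self.backlog = backlog
        self.synack_timeout = synack_timeout
        self.half_open = {}       # client -> (server ISN, expiry time)
        self.established = set()
        self.dropped_syns = 0

    def on_segment(self, seg, now):
        """Process one segment; return the reply segment, if any."""
        for client, (_, expiry) in list(self.half_open.items()):
            if now >= expiry:            # retransmissions exhausted: free the entry
                del self.half_open[client]
        if seg.flags == "SYN":
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1   # queue full: this is where legitimate SYNs die
                return None
            isn = random.randrange(1 << 32)
            self.half_open[seg.src] = (isn, now + self.synack_timeout)
            return Segment(self.addr, seg.src, "SYN+ACK", seq=isn, ack=seg.seq + 1)
        if seg.flags == "ACK" and seg.src in self.half_open:
            isn, _ = self.half_open[seg.src]
            if seg.ack == isn + 1:       # third handshake: connection established
                del self.half_open[seg.src]
                self.established.add(seg.src)
        return None


class TcpProxy(Server):
    """Firewall in TCP proxy mode: answers every SYN itself from a much larger
    table and only performs the handshake with the real server once the client
    has completed the one with the proxy. A real proxy must then translate
    sequence numbers for the life of the connection (its ISN differs from the
    server's); that part is not modelled here."""

    def __init__(self, server, table_size=100_000):
        super().__init__(server.addr, backlog=table_size)
        self.server = server

    def on_segment(self, seg, now):
        reply = super().on_segment(seg, now)
        if seg.src in self.established:  # client proved it is real: relay to server
            self.established.discard(seg.src)
            syn = Segment(seg.src, self.server.addr, "SYN", seq=random.randrange(1 << 32))
            synack = self.server.on_segment(syn, now)
            if synack is not None:
                ack = Segment(seg.src, self.server.addr, "ACK", ack=synack.seq + 1)
                self.server.on_segment(ack, now)
        return reply


def legit_client(front, addr, server_addr, now):
    """A real client: SYN, then the correct ACK if a SYN+ACK comes back."""
    isn = random.randrange(1 << 32)
    synack = front.on_segment(Segment(addr, server_addr, "SYN", seq=isn), now)
    if synack is not None and synack.ack == isn + 1:
        front.on_segment(Segment(addr, server_addr, "ACK", ack=synack.seq + 1), now)


def run(flood_size, proxied, backlog=64):
    """Flood the target with spoofed SYNs, then try two real connections.
    Returns (connected during flood, connected after timeout, server half-open
    entries during the flood)."""
    server = Server("10.0.0.1", backlog=backlog)
    front = TcpProxy(server) if proxied else server
    # Spoofed, unreachable sources never answer the SYN+ACK, so every accepted
    # SYN pins a half-open entry until the timeout (constructed flood).
    for i in range(flood_size):
        src = f"203.0.{i // 256}.{i % 256}"
        front.on_segment(Segment(src, server.addr, "SYN", seq=i), now=0.0)
    half_open_during = len(server.half_open)
    legit_client(front, "198.51.100.7", server.addr, now=0.1)
    legit_client(front, "198.51.100.8", server.addr, now=5.0)  # after the 3 s timeout
    return ("198.51.100.7" in server.established,
            "198.51.100.8" in server.established,
            half_open_during)


if __name__ == "__main__":
    print("bare server :", run(200, proxied=False))   # (False, True, 64)
    print("behind proxy:", run(200, proxied=True))    # (True, True, 0)
```

Against the bare server, 200 spoofed SYNs fill the 64-entry backlog and the client arriving during the flood is dropped; it only gets through once the entries time out. With the proxy in front, the server never sees a spoofed SYN, its half-open table stays empty, and the real client is relayed as soon as it completes the handshake with the proxy. The simulation also shows the cost the text describes: the proxy's own table absorbs all 200 entries, which is why the firewall needs the capacity for it.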

However, when the forward and return paths differ, TCP proxy cannot be used: packets from the client to the server pass through the firewall, but packets from the server to the client do not. The firewall therefore never sees the server's SYN+ACK during the three-way handshake and cannot complete or track the proxied connection on the server side.

In this case, TCP proxy cannot prevent SYN floods. Yet different forward and return paths are common. How can we prevent SYN flood attacks in these scenarios?

Don't worry. We have another measure: TCP source authentication.

3 TCP Source Authentication

TCP source authentication prevents SYN flood attacks even when the forward and return paths differ, so it is more widely used than TCP proxy.
As shown in Figure 1-5, the firewall collects statistics on SYN packets. If the number of SYN packets destined for a destination reaches the preset threshold within a specified period, TCP source authentication is triggered.

After TCP source authentication is enabled, the firewall replies to each SYN message from a client with a SYN+ACK that carries a deliberately incorrect acknowledgment number. A real TCP stack rejects such a SYN+ACK and answers with a RST whose sequence number equals the rejected acknowledgment number; a spoofed or unreachable source never answers. If the firewall receives no RST, it considers the SYN abnormal and the source address fake. If it receives the RST, it considers the SYN normal and the source address real, whitelists the source address, and treats all packets from that client as legitimate until the whitelist entry expires; the client's retransmitted SYN is then forwarded to the server and the handshake completes normally. Only the client-to-server direction is needed for this check, which is why it works with asymmetric routing.

Figure 1-5 TCP source authentication


In TCP source authentication, a client is whitelisted once it passes the check, and subsequent SYN messages from that source are not authenticated again. This greatly improves defense efficiency and performance and minimizes resource consumption. Keep in mind that the check only identifies spoofed sources: a zombie host with a real TCP stack answers the RST, passes, and is whitelisted, so thresholds and rate limits still matter for floods from real addresses.
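The source authentication exchange above, as an added example (not code from the original post or from any USG product): a Python model of a firewall that counts SYNs per destination, challenges non-whitelisted sources with a SYN+ACK carrying a wrong acknowledgment number once the alert rate is exceeded, and whitelists only sources whose RST matches the challenge. The alert rate, 1 s window, whitelist lifetime, addresses and the size of the constructed flood are assumptions.

```python
"""Constructed model of TCP source authentication. Added example, not the
post's or any USG product's code; alert rate, window, whitelist lifetime
and addresses are assumptions."""
import random
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    flags: str          # "SYN", "SYN+ACK", "RST" or "ACK"
    seq: int = 0
    ack: int = 0


class SourceAuthFirewall:
    """Counts SYNs per destination; once the alert rate is exceeded, each SYN
    from a non-whitelisted source is answered with a SYN+ACK whose ack is
    deliberately wrong. A real TCP stack rejects it with a RST whose sequence
    number equals the bad ack (RFC 793); a spoofed source never answers."""

    def __init__(self, alert_rate=100, window=1.0, whitelist_ttl=300.0):
        self.alert_rate = alert_rate
        self.window = window
        self.whitelist_ttl = whitelist_ttl
        self.syn_window = {}      # dst -> (window start, SYN count)
        self.defending = set()    # destinations whose SYN rate crossed the threshold
        self.pending = {}         # src -> wrong ack number we challenged with
        self.whitelist = {}       # src -> expiry time
        self.forwarded = []       # segments passed on to the server
        self.challenges = 0
        self.dropped = 0

    def _count_syn(self, dst, now):
        start, count = self.syn_window.get(dst, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        count += 1
        self.syn_window[dst] = (start, count)
        if count > self.alert_rate:   # real devices also end defense when the rate drops; not modelled
            self.defending.add(dst)

    def _trusted(self, src, now):
        return self.whitelist.get(src, 0.0) > now

    def on_segment(self, seg, now):
        """Process one client-to-server segment; return the reply to the client, if any."""
        if seg.flags == "SYN":
            self._count_syn(seg.dst, now)
            if seg.dst not in self.defending or self._trusted(seg.src, now):
                self.forwarded.append(seg)
                return None
            # Challenge: the ack must differ from seg.seq + 1, which a correct SYN+ACK carries.
            wrong_ack = (seg.seq + 1 + random.randrange(1, 1 << 31)) % (1 << 32)
            self.pending[seg.src] = wrong_ack
            self.challenges += 1
            return Segment(seg.dst, seg.src, "SYN+ACK", seq=random.randrange(1 << 32), ack=wrong_ack)
        if seg.flags == "RST" and seg.src in self.pending:
            if seg.seq == self.pending.pop(seg.src):   # genuine stack answered our challenge
                self.whitelist[seg.src] = now + self.whitelist_ttl
            return None                                # the RST itself is never forwarded
        if seg.dst not in self.defending or self._trusted(seg.src, now):
            self.forwarded.append(seg)
        else:
            self.dropped += 1
        return None


def real_client_connect(fw, addr, server, now):
    """Client with a genuine TCP stack: on a SYN+ACK with a bad ack it sends a
    RST, stays in SYN-SENT and retransmits the SYN after its timeout."""
    isn = random.randrange(1 << 32)
    reply = fw.on_segment(Segment(addr, server, "SYN", seq=isn), now)
    if reply is not None and reply.flags == "SYN+ACK" and reply.ack != isn + 1:
        fw.on_segment(Segment(addr, server, "RST", seq=reply.ack), now)
        fw.on_segment(Segment(addr, server, "SYN", seq=isn), now + 1.0)   # retransmitted SYN


def simulate():
    """Spoofed flood of 500 SYNs (constructed), then one real client."""
    fw = SourceAuthFirewall(alert_rate=100)
    server = "10.0.0.1"
    for i in range(500):        # nobody is behind these addresses to answer the challenge
        fw.on_segment(Segment(f"203.0.{i // 256}.{i % 256}", server, "SYN", seq=i), now=0.0)
    real_client_connect(fw, "198.51.100.7", server, now=0.5)
    return {
        "flood_syns_forwarded": sum(s.src.startswith("203.0.") for s in fw.forwarded),
        "real_client_syns_forwarded": sum(s.src == "198.51.100.7" for s in fw.forwarded),
        "challenges": fw.challenges,
        "whitelisted": sorted(fw.whitelist),
    }


if __name__ == "__main__":
    print(simulate())
```

The first 100 flood SYNs are forwarded because the alert rate has not yet been crossed, which is the window the threshold guide below is about; the remaining 400 are challenged and never answered, so nothing more reaches the server. The real client is challenged once, answers with a RST that matches the challenge, is whitelisted, and its retransmitted SYN is forwarded. A forged RST whose sequence number does not equal the challenged ack is ignored, so an attacker cannot whitelist a spoofed address without receiving the firewall's reply.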

4 Commands

Table 1-1 lists the TCP proxy and TCP source authentication configuration commands, using USG9500 V300R001 as an example.
Table 1-1 TCP proxy and TCP source authentication configuration commands

• Enable SYN flood attack defense:
  firewall defend syn-flood enable

• Configure interface-based TCP proxy:
  firewall defend syn-flood interface { interface-type interface-number | all } [ alert-rate alert-rate-number ] [ max-rate max-rate-number ] [ tcp-proxy { auto | on } ]

• Enable IP address-based TCP proxy:
  firewall defend syn-flood ip ip-address [ max-rate max-rate-number ] [ tcp-proxy { auto | on | off } ]

• Enable security zone-based TCP proxy:
  firewall defend syn-flood zone zone-name [ max-rate max-rate-number ] [ tcp-proxy { auto | on | off } ]

• Configure TCP source authentication:
  firewall source-ip detect interface { interface-type interface-number | all } [ alert-rate alert-rate-number ] [ max-rate max-rate-number ]

5 Threshold Configuration Guide

In this section, we will learn some tips for configuring flood attack alarm thresholds.

Alarm thresholds are tricky. If they are too high, attacks may not be detected in time; if they are too low, legitimate packets may be considered attack packets and discarded.

Traffic patterns vary from network to network. Before configuring these thresholds, you must therefore learn the types and patterns of traffic on your network under normal conditions. These baselines can be based on your experience or on statistics collected over a period of time.

For example, to configure an alarm threshold against SYN flood attacks, you need a rough idea of the peak SYN packet rate on your network under normal conditions. The SYN flood defense threshold is usually set to 1.2 to 2 times that peak rate. After configuring it, monitor the network for the next few days to check whether the threshold interrupts normal services; if it does, increase the threshold.

These configuration tips also apply to the thresholds for other flood attacks, such as UDP, DNS, and HTTP floods.




user_2790689
Created May 22, 2015 11:36:16 Helpful(0)

Thank you.