
What is SYN Flood Attack

Latest reply: Aug 9, 2021 16:21:25

Hello everyone,

SYN Flood is currently one of the most popular methods of DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks. Today I will introduce what a SYN Flood attack is, how it works, and how to prevent it.

What is SYN Flood Attack

A SYN Flood abuses the TCP protocol by sending a large number of SYN requests to consume the server's CPU and memory resources, until the server can no longer provide service normally. Because SYN Flood is built on the TCP three-way handshake mechanism, to understand it thoroughly you need to start with how the TCP three-way handshake establishes a connection.

What is TCP Three-way Handshake

As a reliable network communication protocol, TCP requires the two communicating parties to establish a connection in advance, which involves 3 steps: 1. Requester: request the connection; 2. Requested party: confirm the connection and request a connection to the opposite end; 3. Requester: confirm the connection. These three interactions are very similar to people shaking hands to say hello, so we affectionately call it the three-way handshake.

A normal three-way handshake to establish a connection has the following interaction process: 

First handshake

The client sends a SYN message to the server, that is, it requests that the server establish a connection.

Second handshake

When the server receives the SYN message, it must respond to the connection request. The response is a SYN+ACK message.

There are 2 meanings here: 

a. ACK: I'm ready, you can connect to me. 

b. SYN: Because TCP is a duplex connection that supports two-way communication, both parties can receive data while sending data. Therefore the server also needs to send a SYN to the client, i.e. the server also requests that the client establish a connection. After the second handshake, a one-way communication channel from the client to the server is established. This is called a semi-connection (a half-open connection): as the name implies, the connection is only half complete.

Third handshake

Similarly, the client receives the SYN+ACK message from the server and sends an ACK packet to the server to confirm the connection. At this point the three-way handshake is complete and the two ends have successfully established a connection. Through the third handshake, the communication channel from the server to the client is established as well. Now that both directions are open, both parties can transmit data on the connection.

Preventive measures

1. SYN Cookie

SYN Cookie defends against SYN Flood by modifying the mechanism of the TCP three-way handshake.

Its principle is:

First handshake: the client sends a SYN message to the server.

Second handshake: after receiving the SYN message, the server responds with a SYN+ACK message.

Although the server answers with a confirmation and its own connection request, it does not save any handshake data; instead it calculates a Cookie value that is carried in this SYN+ACK packet and later used to verify the third-handshake ACK message that the client may respond with.

Since the server saves no per-client data at the second handshake, but only calculates a sequence number (the cookie) that it can recompute and check when the ACK arrives, a large amount of server resources is freed, which effectively defends against SYN Flood attacks.

Disadvantages: 

a. Longer connection setup: calculating the cookie value takes a certain amount of computation time, which increases the time needed to establish a connection.

b. Calculating the cookie value also requires computing resources. If the other party sends too many SYN requests, the server becomes busy calculating and verifying cookies; when the computing resources are exhausted, the server refuses service. This forms a new type of attack: SYN Cookie Flood.
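As an added example (not code from the original post or from any vendor's implementation), here is a minimal SYN cookie in Python in the style described above: the server ISN in the SYN+ACK is derived from a keyed hash over the 4-tuple, the client's ISN and a time slot, plus an encoded MSS, and nothing is stored per connection. The secret, slot size, MSS table and sample addresses are all constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed secret for the demo; a real stack uses a random key and rotates it.
SECRET = b"demo-syncookie-secret"
MSS_TABLE = [536, 1220, 1440, 1460]   # MSS choices encoded in the cookie's low bits
SLOT = 64                              # seconds per timestamp slot
MAX_AGE = 2                            # slots an unanswered SYN+ACK stays valid

def _mac(saddr, daddr, sport, dport, client_isn, count):
    """Keyed hash over the 4-tuple, the client ISN and the time slot."""
    msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, client_isn, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN+ACK. No per-connection state is stored."""
    count = int(now // SLOT)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    low = (_mac(saddr, daddr, sport, dport, client_isn, count) + mss_idx) & 0xFFFFFF
    return ((count & 0xFF) << 24) | low

def check_cookie(saddr, daddr, sport, dport, seq, ack, now):
    """Validate the third-handshake ACK. Returns the negotiated MSS, or None."""
    cookie = (ack - 1) & 0xFFFFFFFF        # server ISN the client is acknowledging
    client_isn = (seq - 1) & 0xFFFFFFFF    # client's ISN from its SYN
    now_count = int(now // SLOT)
    age = (now_count - (cookie >> 24)) & 0xFF
    if age > MAX_AGE:
        return None                        # stale cookie
    count = now_count - age
    mss_idx = (cookie - _mac(saddr, daddr, sport, dport, client_isn, count)) & 0xFFFFFF
    if mss_idx >= len(MSS_TABLE):
        return None                        # MAC mismatch: forged or tampered ACK
    return MSS_TABLE[mss_idx]

# Constructed sample handshake: client 203.0.113.7:51000 -> server 198.51.100.10:80.
CLIENT, SERVER = bytes([203, 0, 113, 7]), bytes([198, 51, 100, 10])

def demo():
    """Valid ACK, tampered ACK number, and an ACK arriving after the cookie expired."""
    cookie = make_cookie(CLIENT, SERVER, 51000, 80, 0x11223344, 1460, now=1_000_000)
    return (check_cookie(CLIENT, SERVER, 51000, 80, 0x11223345, cookie + 1, now=1_000_010),
            check_cookie(CLIENT, SERVER, 51000, 80, 0x11223345, cookie + 2, now=1_000_010),
            check_cookie(CLIENT, SERVER, 51000, 80, 0x11223345, cookie + 1, now=1_000_200))
```

The cost noted under the disadvantages is visible here: every SYN and every ACK costs one HMAC computation, which is the budget a SYN Cookie Flood targets.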

2. SYN Proxy 

Simply put, SYN Proxy gives the server an "assistant", and every visitor must first complete the "three-way handshake" with the assistant, which lets the assistant distinguish whether the visitor is a real user. Once the client and the assistant have completed the "three-way handshake", which shows that the client is a real user, the assistant lets the client establish the real "three-way handshake" with the server.

The assistant is generally a dedicated security device; the attack traffic terminates at that device and has no effect on the server.

3. The first packet is discarded

First packet discard is easy to understand: the first handshake message is simply discarded without any response. In the first handshake, the client sends a SYN request to connect; the server pretends not to have seen it and does not respond.

The client is divided into two situations at this time:

If it is a spoofed attack source: the SYN is not retransmitted.

If it is a real client: the client will send the SYN again to request a connection. At this time the server responds to the connection request and initiates the second handshake.

Disadvantages:

Against attack tools that retransmit their SYN packets, this defense is ineffective.

4. Source authentication

Source authentication refers to authenticating the client. After passing source authentication, the client is added to a whitelist for a certain period of time, during which it is let through directly and completes the three-way handshake with the server.

The client sends a SYN request to connect. The server intentionally replies with an incorrect SYN+ACK message.

The client is divided into two situations at this time:

If it is a spoofed attack source: nothing is retransmitted, so it does not pass source authentication.

If it is a real client: the client sends a SYN request to connect again. At this time the server responds to the connection request and initiates the second handshake.

Disadvantages:

When the attacker sends thousands of SYN requests and the server answers with thousands of incorrect-sequence-number packets, this causes severe network congestion, which amounts to a second attack.
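As an added example that is not part of the original post, the following Python filter combines the "first packet discard" idea from section 3 with the time-limited whitelist from section 4: the first SYN from an unknown source is dropped, the retransmission of the same SYN (same 4-tuple and ISN) is admitted and the source is whitelisted for a while. The retransmit window, whitelist TTL and packet trace are constructed for the demo.

```python
RETRANSMIT_WINDOW = 6.0   # seconds a dropped first SYN is remembered (real stacks retry in ~1-3 s)
WHITELIST_TTL = 300.0     # seconds a verified source is let straight through

class FirstPacketDiscard:
    """Drops the first SYN from an unknown source; admits the retransmission and whitelists it."""

    def __init__(self):
        self.pending = {}     # (src_ip, src_port, dst_port, seq) -> time first seen
        self.whitelist = {}   # src_ip -> expiry time

    def _expire(self, now):
        # Both tables are time-bounded so a flood of one-shot SYNs cannot grow them forever.
        self.pending = {k: t for k, t in self.pending.items() if now - t <= RETRANSMIT_WINDOW}
        self.whitelist = {ip: exp for ip, exp in self.whitelist.items() if exp > now}

    def handle_syn(self, src_ip, src_port, dst_port, seq, now):
        """Return 'pass' or 'drop' for one incoming SYN."""
        self._expire(now)
        if src_ip in self.whitelist:
            return "pass"
        key = (src_ip, src_port, dst_port, seq)
        if key in self.pending:
            # Same 4-tuple and ISN again: a real TCP stack retransmitting its SYN.
            del self.pending[key]
            self.whitelist[src_ip] = now + WHITELIST_TTL
            return "pass"
        self.pending[key] = now           # first sight: discard and wait for the retry
        return "drop"

def run_trace(filter_, trace):
    """Apply the filter to a list of (time, src_ip, src_port, dst_port, seq) SYN records."""
    return [filter_.handle_syn(ip, sp, dp, seq, t) for t, ip, sp, dp, seq in trace]

# Constructed trace: 203.0.113.7 is a real client (retries after 1 s, returns later);
# the 198.51.100.x sources each fire a single SYN and never retransmit.
TRACE = [
    (0.0, "203.0.113.7", 51000, 80, 1000),
    (0.1, "198.51.100.1", 4000, 80, 7),
    (0.2, "198.51.100.2", 4001, 80, 8),
    (1.0, "203.0.113.7", 51000, 80, 1000),    # retransmission: admitted, source whitelisted
    (2.0, "203.0.113.7", 51001, 80, 2000),    # new connection from whitelisted source: passes
    (400.0, "203.0.113.7", 51002, 80, 3000),  # whitelist expired: first-packet drop again
]
```

As the disadvantage above says, a tool that retransmits its SYNs is indistinguishable from a real client here, so this filter only removes one-shot spoofed traffic.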

At present, because the initiator of a SYN Flood spends far fewer resources than the defender, no single method can completely withstand a SYN Flood attack.

We must consider the actual situation of the existing network, choose a security defense plan that suits us, and minimize our losses from the attack.

That is all I want to share with you!


andersoncf1
MVE Author Created Jun 30, 2021 15:29:53

Thanks for sharing knowledge with us. Very useful

PanchakS
PanchakS Created Jul 16, 2021 02:15:50
yes
It is the reason that with TCP (0x06) it is a three-way handshake when establishing the connection, and at the end of the connection we say it is a four-way handshake.

Sokrin
Sokrin Created Jul 17, 2021 11:50:43
 
ulrichwandja
ulrichwandja Created Aug 9, 2021 16:21:05
Yeah
Thanks for sharing friend

Excellent

Sokrin
Sokrin Created Jul 17, 2021 11:50:50
 
well done

Very good post

IndianKid
Moderator Author Created Jul 17, 2021 11:53:26

Very Useful Information, Thanks for sharing

BAZ
MVE Author Created Jul 17, 2021 20:47:56

What I want to recommend is What is SYN Flood Attack, https://forum.huawei.com/enterprise/en/what-is-syn-flood-attack/thread/752439-861, as it gives a complete understanding of SYN Flood, which is a popular source of DoS attacks, with preventive measures.

Very Interesting information