TCP SYN flood attack can cause two different symptoms depending on reachability of attacker’s source IPs. Any ISP will allow TCP SYN packets inside their network infrastructure since they cannot know if these packets are legitimate or not, and hence, all these packets will reach the victim. An attacker just needs to generate enough amount of TCP SYN packets to overwhelm a server. This is the base of a TCP SYN flood attack. Therefore, the server will need to allocate memory, even without knowing if these connections will be finished successfully or not. This is because, according to TCP standard, the server must answer with a SYN/ACK packet to all these TCP SYN packets, create a TCB entry for each connection and also wait for last ACK from client. This can be dangerous due to a simple reason, if a device running a server and waiting for connections receives a huge enough amount of TCP SYN packets then the service could be unavailable for legitimate users. This means that the system starts to consume memory even before the connection is already ESTABLISHED. Reason is that in SYN_RCVD state the system already reserves memory for the incoming connection information, which is saved in the so called TCB (Transmission Control Block). Below I have extracted the section of TCP diagram that describes a TCP passive open and I have filled in red the specific TCP state that support the TCP SYN flood attack. If you review the well-known TCP state diagram you can probably notice a weak point. In any case, as a rule of thumb, please do not change any DB key unless this change is recommended by an F5 engineer. I will talk about the difference throughout the articles.Īs a final comment, please be aware that I have tried as much as possible to avoid talking about DB keys or internal commands throughout these article series. Note that, SYN Cookie term refers to the countermeasure itself, but sometimes you will read SYN Cookie meaning in fact SYN Cookie challenge. All examples shown in these articles are based on TMOS v16, although there could be some slight difference with your specific version it will help you to understand what it is happening in your own system. In this article series I explain several aspects of SYN Cookie like how this countermeasure works and how is implemented in BIG-IP, how must be configured, differences between hardware and software SYN Cookie, things to take into account when dealing with SYN Cookie and troubleshooting. but the widest spread choice is TCP SYN Cookie. This is why you can find different countermeasures with the same goal, like reducing SYN-RECEIVED timer TCP state, increasing backlog, recycling old TCBs, using TCPCT ( RFC6013), implementing SYN cache, etc. Due to this, many efforts have been dedicated to implement the best solution to mitigate it. As for today one of the most common and easiest DDoS attacks to carry out is TCP SYN flood attack.
0 Comments
Leave a Reply. |