SYN Flooding: A Denial of Service Attack

Topics
• What is Denial of Service attack?
• Types of attacks
• SYN flooding attack
• Solutions
• Conclusion
What is Denial of Service Attack?
• Main aim is to stop the victim's machine from doing its required job
• Server is unable to provide service to legitimate clients
• Damage done varies from minor inconvenience to major financial losses
Types of Attacks
• Bandwidth Consumption: All available bandwidth used by the attacker, e.g., ICMP ECHO attack
• Resource Consumption: Resources like web server, print or mail server flooded with useless requests, e.g., mail bomb
• Network Connectivity: The attacker forces the server to stop communicating on the network, e.g., SYN Flooding
SYN Flooding Attack
• Network connectivity attack
• Most commonly used DoS attack
• Launched with little effort
• Presently difficult to trace the attack back to its originator
• Web servers and systems connected to the Internet providing TCP-based services (FTP servers, mail servers) are susceptible
• Exploits TCP's three-way handshake mechanism and its limitations in maintaining half-open connections
TCP Protocol: Three-way Handshake
Client (S) connecting to a TCP port on server (D); the server starts in LISTEN:
1. S → D: SYN        Client requests a connection
2. D → S: ACK + SYN  Server agrees to the connection request (server state: SYN_RCVD)
3. S → D: ACK        Client finishes the handshake (state: CONNECTED)
Three-way Handshake (with sequence numbers)
Initialize sequence numbers for a new connection (x, y); the server starts in LISTEN:
1. S → D: SYN x              Resources allocated on the server for the new connection
2. D → S: SYN y + ACK x+1    Server state: SYN_RCVD
3. S → D: ACK y+1            State: CONNECTED
How SYN Flooding Attack Works?
Attacker → Victim: SYN, SYN, SYN, ... (each with a spoofed source address)
Victim → spoofed addresses: SYN + ACK for every SYN received
• Resources allocated on the victim for every half-open connection
• Limit on the number of half-open connections
• Victim: "I have ACKed these connections but I have not received an ACK back!"
Attack Modes
• Different parameters by which a SYN flood attack can vary:
1. Batch-size: Number of packets sent from a source address in a batch
2. Delay: Time interval between two batches of packets sent
3. Source address allocation
– Single Address: Single forged address
– Short List: Small list to pick source addresses from
– No List: Randomly created source addresses

Solutions
• Using firewall
• System configuration improvements
• SYN cache
Using Firewalls
• Two ways in which a firewall is used:
– Firewall as a relay: Packets from the source are received and answered by the firewall
– Firewall as a semi-transparent gateway: Lets SYN and ACK pass, monitors the traffic and reacts accordingly
Firewall as a Relay
Acts as a proxy.
Attack with relay firewall (A = attacker, D = protected server):
A → Firewall: SYN
Firewall → A: SYN+ACK
A → Firewall: SYN
Firewall → A: SYN+ACK
(The firewall answers the SYNs itself, so D receives nothing.)
Firewall as a Relay (cont'd)
Legitimate connection with relay firewall (S = client, D = server):
S → Firewall: SYN
Firewall → S: SYN+ACK
S → Firewall: ACK
Firewall → D: SYN
D → Firewall: SYN+ACK
Firewall → D: ACK
S → Firewall → D: Data (and back), with sequence number conversion between the two connections
Firewall as Semi-transparent Gateway
S → D: SYN            (the firewall lets it pass)
D → S: SYN+ACK        (the firewall lets it pass)
Firewall → D: ACK     (the firewall completes the handshake on the client's behalf)
Timeout               (no ACK arrives from S)
Firewall → D: RST     (the firewall resets the connection it completed)
System Configuration Improvements
1) Decrease timeout period
• Resets the connections sooner
• Can deny legitimate access where the timeout period is less than the round-trip time
2) Increase the number of half-open connections
• More connections at the same time
• Will increase the use of resources
SYN Cache
• Global hash table instead of the usual per-socket queued connections
• Protection from running out of resources
• Limit on the number of entries in the table and in each hash bucket
• Limit on the memory usage and on the amount of time taken to search for a matching entry
SYN Cache (cont'd)
• Queue is divided into hash buckets
• Each bucket is treated as a First In First Out queue
• Hash value computed by a function of source and destination IP addresses, ports and a secret key
• Hash value acts as an index into the hash table
• Secret key transforms the hash value so that an attacker cannot target a specific hash bucket and deny service to a specific machine
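As an added example (not from the slides), the SYN cache of the two slides above sketched in Python: a keyed hash of the four-tuple picks the bucket, each bucket is a FIFO with a fixed limit, and the whole cache is capped, so a burst of forged-source SYNs can never take more than a bounded amount of memory or lookup time. The bucket count, limits, key and sample addresses are assumed values chosen for the demonstration.

```python
import hashlib
import hmac
from collections import deque


class SynCache:
    """Global table of half-open connections, split into FIFO hash buckets."""
    def __init__(self, key, buckets=8, bucket_limit=4, cache_limit=24):
        self.key = key  # secret key mixed into the hash (assumed per-host secret)
        self.buckets = [deque() for _ in range(buckets)]
        self.bucket_limit, self.cache_limit = bucket_limit, cache_limit
        self.size = 0  # entries currently held

    def _index(self, flow):
        # Keyed hash of (src IP, dst IP, src port, dst port): without the key an
        # attacker could choose addresses that all land in one bucket.
        msg = "|".join(str(f) for f in flow).encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big") % len(self.buckets)

    def syn(self, flow, server_isn):
        """Record a SYN; if its bucket or the cache is full, evict the oldest entry."""
        bucket = self.buckets[self._index(flow)]
        if len(bucket) >= self.bucket_limit:
            bucket.popleft()  # FIFO within the bucket
            self.size -= 1
        elif self.size >= self.cache_limit:
            max(self.buckets, key=len).popleft()  # global cap: drop from fullest bucket
            self.size -= 1
        bucket.append((flow, server_isn))
        self.size += 1

    def ack(self, flow, ack_number):
        """Complete the handshake if the ACK matches a cached entry (y+1)."""
        bucket = self.buckets[self._index(flow)]  # search bounded by bucket_limit
        for entry in bucket:
            if entry[0] == flow and entry[1] + 1 == ack_number:
                bucket.remove(entry)
                self.size -= 1
                return True
        return False


def flood_then_connect(spoofed_syns=1000):
    """Constructed scenario: many forged-source SYNs arrive, then one real client."""
    cache = SynCache(key=b"constructed-demo-key")
    for i in range(spoofed_syns):  # constructed random-looking source addresses
        cache.syn(("10.0.%d.%d" % (i >> 8, i & 255), "192.0.2.10", 40000 + i, 80), 1000 + i)
    legit = ("198.51.100.5", "192.0.2.10", 51515, 80)
    cache.syn(legit, 7777)  # server picks ISN y = 7777, so the client must ACK 7778
    return cache.size, max(len(b) for b in cache.buckets), cache.ack(legit, 7778)
```

The returned triple shows the bounded size (at most cache_limit), the bounded bucket length (at most bucket_limit) and that the legitimate handshake still completes after the flood.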
Conclusion
• SYN Flooding denial of service attack is one of the most common attacks
• Caused by flaws in the TCP protocol
• Not possible to eliminate the attack
• Possible to reduce the danger by taking the described measures properly
ARP Poisoning Attacks
• Topics
– Logical Address
– Physical Address
– Mapping
– ARP
– ARP Cache Table
– ARP Poisoning
– Prevent ARP Poisoning
Logical Address
• Internetwork address
• Universally unique
• In TCP/IP it is called the IP address
• 32 bits long

Physical Address
• Local address
• Locally unique
Mapping
• Delivery of a packet requires two levels of addressing
  – Logical
  – Physical
• Mapping a logical address to its physical address
  – Static Mapping
    • Table to store information
    • Updating of tables
  – Dynamic Mapping
    • ARP: Logical Address to Physical Address
    • RARP: Physical Address to Logical Address
ARP
• ARP request
– Computer A asks the network, "Who has this IP address?"
• ARP reply
– Computer B tells Computer A, "I have that IP. My Physical Address is [whatever it is]."
Cache Table
• A short-term memory of all the IP addresses and physical addresses
• Ensures that the device doesn't have to repeat ARP requests for devices it has already communicated with
• Implemented as an array of entries
• Entries are updated

Cache Table (example entries)
State  Queue  Attempt  Time-out  IP Address   Physical Address
R      5      -        900       180.3.6.1    ACAE32457342
P      2      2        -         129.34.4.8   -
P      14     5        -         201.11.56.7  -
R      8      -        450       114.5.7.89   457342ACAE32
P      12     1        -         220.55.5.7   -
R      9      -        60        19.1.7.82    4573E3242ACA
P      18     3        -         188.11.8.71  -
(R = resolved, P = pending; a pending entry has no physical address yet)
ARP Poisoning
• Simplicity also leads to major insecurity
  – No authentication
    • ARP provides no way to verify that the responding device is really who it says it is
    • Stateless protocol
  – Updating the ARP cache table
• Attacks
  – DoS
    • Hacker can easily associate an operationally significant IP address with a false MAC address
  – Man-in-the-Middle
    • Intercept network traffic between two devices in your network
ARP Poisoning (3a, 3b, 3c) – Man-In-The-Middle (diagram slides)
Prevent ARP Poisoning
• For a small network
– Static ARP cache table
• For a large network
– Arpwatch
• As an administrator, check for multiple physical addresses responding to a given IP address
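As an added example (not from the slides), the two checks from the prevention slide in Python: comparing observed ARP replies against a static ARP cache table for a small network, and the Arpwatch-style check for an IP address answered by more than one physical address. The sample replies, addresses and static table are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a monitor on the segment would record
# them: (IP address, physical address). The third reply claims the gateway's
# IP with a second MAC, which is what a poisoning attempt looks like on the wire.
OBSERVED_REPLIES = [
    ("192.0.2.1", "00:11:22:33:44:01"),
    ("192.0.2.20", "00:11:22:33:44:14"),
    ("192.0.2.1", "DE:AD:BE:EF:00:01"),
    ("192.0.2.20", "00:11:22:33:44:14"),
    ("192.0.2.30", "00:11:22:33:44:1e"),
]

# Constructed static ARP cache table an administrator of a small network keeps.
STATIC_TABLE = {
    "192.0.2.1": "00:11:22:33:44:01",
    "192.0.2.20": "00:11:22:33:44:14",
}


def multiple_macs(replies):
    """Arpwatch-style check: IPs answered by more than one physical address."""
    seen = defaultdict(set)
    for ip, mac in replies:
        seen[ip].add(mac.lower())  # normalise case so the same MAC is not counted twice
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def static_mismatches(replies, static_table):
    """Replies that contradict a static entry; IPs without a static entry are not judged."""
    return [
        (ip, mac)
        for ip, mac in replies
        if ip in static_table and static_table[ip].lower() != mac.lower()
    ]
```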
DNS Cache Poisoning
WLAN Vulnerabilities
• Frame spoofing (Beacon, Association, Authentication frames)
• Termination is done by a Deauthentication frame
• Fabricated Deauth frame: sender address = station_27, receiver address = AP (addresses are 48 bits)

WLAN Vulnerabilities (cont'd)
• Spoofing Power Management control frames
• A station informs the AP that it is in power-saving mode so that the AP buffers all frames intended for it
• When the station wakes up it sends a Poll control frame; this frame can be spoofed
• The attacker uses spoofed Poll frames on behalf of sleeping stations, and the AP is forced to transmit all buffered frames