CertiGuide to Security+
Chapter 1: General Security Concepts (Domain 1.0; 30%)
1.4 Attacks
1.4.1 Denial of Service (DoS) / Distributed Denial of Service (DDoS)


SYN Floods

Unfortunately, having sufficient bandwidth to cope with the flood of data is not necessarily enough to protect you. These attacks do not only exhaust bandwidth; they can be specifically targeted to take down hosts on the network through resource exhaustion. For example, if XYZ Corp has a single web server sitting on a 10-gigabit line to the Internet, it is unlikely that an attacker could summon enough DDoS clients to exhaust the bandwidth on XYZ Corp’s network segment. However, they may attack the web server directly. To understand how this can be done, let’s briefly examine how the TCP protocol works, and explore how characteristics of the protocol can help an attacker stage an attack called a “SYN flood”.

When a user somewhere on the Internet wishes to view a web page on XYZ Corp’s web server, they type the domain name into their web browser. After name resolution has taken place, and the client machine knows the IP address of the web server, it sends a TCP SYN packet to it. The web server then records the pending connection, allocating resources for it, and replies with a TCP SYN-ACK packet. Finally, under normal circumstances the client replies with a TCP ACK packet; the TCP session is established and the HTTP data is transferred from web server to client. This SYN, SYN-ACK, ACK conversation is known as the TCP 3-way handshake.

One of the more famous DoS techniques is to abuse this TCP 3-way handshake so that the opening part of the handshake, the request to SYNchronize, is sent again and again, without ever completing the sequence by acknowledging the server’s SYN-ACK. The incomplete handshake is produced by a low-level program specifically designed to create the SYN flood DoS situation: it repeatedly sends SYN requests to a server and never finishes the TCP conversation properly with an ACK.

Since the server does not consider the conversation’s handshake complete, it keeps each SYN request in its table of “connections in progress.” As more and more partially open connection requests accumulate in the target’s system tables, the target eventually reaches the point of being unable to handle additional requests. When this happens, the server cannot accept new connections, and legitimate users are therefore prevented from accessing the server. Generally the time that the TCP stack waits before discarding a half-open connection is more than enough for an attacker to send new requests that exhaust still more resources. As you can see, this type of attack is called a SYN flood because flooding the target with SYN packets is precisely what it does.

SYN Flood

A SYN flood is a DoS technique in which the attacker initiates many TCP connections to a server, but omits the final portion of the TCP 3-way handshake, leaving the target’s reply to it un-ACK’d. This results in many half-open connections on the target system, which use up its resources, eventually causing that system to deny access to legitimate users.
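The handshake and the “connections in progress” table described above, as an added simulation that is not part of the CertiGuide text. It replays a constructed packet trace through a toy model of a server’s half-open table with an assumed backlog size and timeout, and reports how many legitimate handshakes completed, how many SYNs were refused, and the peak number of half-open entries (the figure a monitor would watch for).

```python
# Added example (not CertiGuide code). Timeout, backlog size and the packet
# trace are constructed values chosen to show the behaviour the text describes.
from dataclasses import dataclass, field

HALF_OPEN_TIMEOUT = 3.0   # seconds the stack keeps an un-ACK'd SYN (assumed)
BACKLOG_LIMIT = 8         # size of the half-open table (assumed, tiny for the demo)

@dataclass
class Server:
    half_open: dict = field(default_factory=dict)  # (src, sport) -> SYN arrival time
    established: int = 0
    refused: int = 0
    peak_half_open: int = 0

    def expire(self, now):
        # The stack drops half-open entries whose timer has run out.
        for key, t0 in list(self.half_open.items()):
            if now - t0 > HALF_OPEN_TIMEOUT:
                del self.half_open[key]

    def packet(self, now, src, sport, flags):
        self.expire(now)
        key = (src, sport)
        if flags == "S":                                  # step 1: client SYN
            if len(self.half_open) >= BACKLOG_LIMIT:
                self.refused += 1                         # table full: SYN dropped
            else:
                self.half_open[key] = now                 # server sends SYN-ACK, waits
        elif flags == "A" and key in self.half_open:      # step 3: client ACK
            del self.half_open[key]
            self.established += 1
        self.peak_half_open = max(self.peak_half_open, len(self.half_open))

def replay(trace):
    srv = Server()
    for line in trace:
        f = dict(item.split("=") for item in line.split())
        srv.packet(float(f["t"]), f["src"], int(f["sport"]), f["flags"])
    return srv

# Constructed trace: one legitimate client completes its handshake, a flooder
# sends 8 SYNs it never ACKs, a second legitimate client is refused, and after
# the timeout clears the table a third handshake succeeds.
TRACE = (["t=0.00 src=198.51.100.7 sport=40001 flags=S",
          "t=0.05 src=198.51.100.7 sport=40001 flags=A"]
         + [f"t={0.1 + i * 0.01:.2f} src=203.0.113.9 sport={50000 + i} flags=S" for i in range(8)]
         + ["t=0.30 src=198.51.100.8 sport=40002 flags=S",
            "t=0.35 src=198.51.100.8 sport=40002 flags=A",  # ACK for a SYN that was dropped
            "t=5.00 src=198.51.100.8 sport=40003 flags=S",
            "t=5.05 src=198.51.100.8 sport=40003 flags=A"])

def flood_report(trace):
    srv = replay(trace)
    return {"established": srv.established, "refused": srv.refused,
            "peak_half_open": srv.peak_half_open, "half_open_now": len(srv.half_open)}

if __name__ == "__main__":
    print(flood_report(TRACE))
```

A half-open count pinned at the backlog limit while completed handshakes stall is the signature a defender looks for; shortening the timeout (or using SYN cookies, covered in the next section) is what keeps the table from filling.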


There are many other variants on the DoS attack. ICMP floods (more commonly known as “ping” floods, after the command-line tool) send ICMP_ECHO packets to a single host, which quickly exhausts bandwidth on the target host’s network. The reverse ICMP flood, or Smurf attack, sends a ping to the broadcast address of the target network. Because packets sent to the broadcast address are seen by and responded to by all hosts on the network, you potentially have hundreds of machines replying to one single ping packet. As you can imagine, this would also quickly exhaust the available bandwidth.

More DoS Attacks

Other DoS attacks include variants on the ping flood, IGMP fragmentation, out-of-bounds nukes, and teardrop attacks.








CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.