
10. How does a SYN attack deny service?

Solution

A SYN attack is a DoS attack that essentially involves flooding a server with a barrage of hand-crafted connection requests. However, since these messages have invalid return addresses, the connections can never be established. The resulting volume of unresolved open connections eventually overwhelms the server and can cause it to deny service to valid requests. While this scheme does not represent a network security compromise in itself, it can paralyze online services. The mechanism exploits the connection-oriented TCP protocol (which is used to carry the vast majority of Internet applications), and because the attack is an abuse of the defined standard for TCP, this vulnerability exists to some degree in all implementations.

The TCP protocol uses a "three-way handshake" to set up an end-to-end connection before data flows. Assume client 'C' wants to establish a connection to server 'S'. C first sends a SYN packet (a TCP packet with the SYN bit set) to S. The server S then replies with a SYN/ACK packet (both SYN and ACK bits set), allowing C to complete the three-way handshake with a TCP ACK packet.

However, if a flood of incoming request packets has invalid source IP addresses, the sessions never get established and remain as half-open connections. Many TCP implementations are only able to handle a small number of outstanding connections per port, so these ports are effectively unavailable until the half-open connections time out (typically 75 seconds). This attack may also cause the server to exhaust its memory or waste processor cycles maintaining state information on these connections.

Some efforts to combat this DoS attack centered on packet filtering capabilities, which allow only known addresses to access resources, and on installing software upgrades available from some of the host and server manufacturers. However, for Internet-wide services such as Web servers, controlling access based on incoming address is not feasible, and upgrading the servers themselves may only partially help and is typically a significant undertaking.
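The half-open queue exhaustion described above, as an added example that is not part of the original solution: a small Python model of one listening port's state, showing a legitimate client refused while the queue is full and served again once the entries time out. The backlog size of 5, the class and function names, and the documentation-range addresses are assumptions for illustration; the 75-second timeout is the typical value quoted above.

```python
from collections import OrderedDict

HALF_OPEN_TIMEOUT = 75.0  # seconds; the typical timeout quoted in the text
BACKLOG = 5               # assumed small per-port limit, for illustration

class Listener:
    """Toy model of one listening port's half-open (SYN received) queue."""
    def __init__(self, backlog=BACKLOG, timeout=HALF_OPEN_TIMEOUT):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = OrderedDict()  # (src_ip, src_port) -> SYN arrival time
        self.established = set()

    def _expire(self, now):
        # Entries are inserted in time order, so the oldest is always first.
        while self.half_open:
            key, t0 = next(iter(self.half_open.items()))
            if now - t0 < self.timeout:
                break
            del self.half_open[key]  # final ACK never arrived in time

    def on_syn(self, now, src):
        """Return True if a SYN/ACK is sent, False if the SYN is dropped."""
        self._expire(now)
        if src in self.half_open:
            return True              # retransmitted SYN, state already held
        if len(self.half_open) >= self.backlog:
            return False             # queue full: the port looks unavailable
        self.half_open[src] = now
        return True

    def on_ack(self, now, src):
        """Final ACK of the handshake: move the entry to established."""
        self._expire(now)
        if self.half_open.pop(src, None) is None:
            return False
        self.established.add(src)
        return True

def simulate():
    s = Listener()
    # Constructed traffic: SYNs from sources (RFC 5737 test range) that never
    # answer the SYN/ACK, so each accepted one stays half-open.
    for i in range(8):
        s.on_syn(i * 0.1, ("203.0.113.%d" % i, 40000 + i))
    r = {"half_open_after_flood": len(s.half_open)}
    client = ("198.51.100.7", 51515)               # constructed valid client
    r["client_at_1s"] = s.on_syn(1.0, client)      # refused: queue is full
    r["client_at_76s"] = s.on_syn(76.0, client) and s.on_ack(76.05, client)
    r["half_open_at_end"] = len(s.half_open)
    return r
```

Calling `simulate()` returns the queue depth and the outcome of each client attempt, so the effect of changing `BACKLOG` or `HALF_OPEN_TIMEOUT` can be compared directly.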

Tutor: Dr Jack