Intranet/Internet Security

Security Warning:

TCP SYN Flooding and IP Spoofing Attacks

On September 19, 1996, the Computer Emergency Response Team (CERT) issued a security advisory [CERT Advisory CA-96.21] concerning TCP SYN Flooding and IP Spoofing attacks. Any organization that is connected to the Internet and provides TCP/IP-based services such as a WWW server or an electronic mail server is a possible target for these types of attacks.

The Attack

When a client attempts to establish a TCP connection with a server, the client and server exchange an initial set of messages that are used to create the internal data structures that manage the connection. This connection setup procedure, known as the 3-way handshake, applies to all TCP connections - WWW, FTP, SMTP, telnet, etc.

The 3-way handshake begins when the client initiates a connection request by transmitting a SYN message to the server. Upon receipt of the SYN message, the server creates an entry in its pending TCP connection data structure and sends a SYN-ACK message back to the client. The client completes the 3-way handshake by responding to the server's SYN-ACK message with an ACK message of its own. When the server receives the client's ACK, the connection is established, and the server removes the associated entry from its pending TCP connection data structure.

A possibility for abuse exists if the connection remains "half-open." A half-open connection occurs when the client system does not respond to the server's SYN-ACK with the final ACK to complete the 3-way handshake. Note that the client initiating the connection determines whether the 3-way handshake is completed, not the server!

A client can launch a denial of service attack against a server by creating too many half-open connections, causing the server's pending TCP connection data structure to overflow. This means that the victim server will not be able to accept legitimate connections from other clients until the pending TCP connection data structure is emptied. Depending on the server's TCP/IP implementation, a worst case scenario could result in the exhaustion of the server's memory and a potential system crash. It is important to note that in a TCP SYN Flooding attack the actual service is not damaged; only the ability to provide the service to legitimate clients is impeded.

Creating half-open connections is facilitated by combining the attack with IP Spoofing. The client initiating the attack spoofs, or changes, the source IP address in its SYN messages to that of a currently unreachable host. The source IP address must be changed to an unreachable address since the attacker does not want any host that receives the server's SYN-ACK to respond with a RST (Reset) message. A RST is transmitted when a host receives a packet that does not appear to be correct for the referenced connection. This would defeat the attack since a RST message from an active host owning the spoofed IP address would cause the backlogged connection to be removed from the server's pending TCP connection data structure.
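The following model of the server side of the handshake is an added example; it is not code from the original page or from CERT. It tracks the pending (half-open) connection table described above: an entry is created on SYN, removed on the final ACK, removed when the spoofed source host is reachable and answers with a RST, and otherwise held until a timeout. The table capacity, timeout and IP addresses are constructed values chosen for the demonstration, not figures from any real TCP implementation.

```python
"""Model of a server's pending (half-open) TCP connection table during the
3-way handshake. Added illustration; capacity, timeout and addresses are
constructed sample values, not taken from a real TCP/IP stack."""
from dataclasses import dataclass, field
from typing import Dict, Tuple

Endpoint = Tuple[str, int]  # (client IP address, client port)


@dataclass
class PendingTable:
    """Connections for which SYN-ACK was sent but the final ACK has not arrived."""
    capacity: int
    timeout: float
    entries: Dict[Endpoint, float] = field(default_factory=dict)  # peer -> time SYN-ACK sent
    rejected: int = 0  # SYNs dropped because the table was full

    def on_syn(self, peer: Endpoint, now: float) -> bool:
        """Client sent SYN: record a half-open entry (server replies SYN-ACK).
        Returns False when the table is full and the SYN must be dropped."""
        self.expire(now)
        if peer in self.entries:
            return True  # retransmitted SYN, entry already exists
        if len(self.entries) >= self.capacity:
            self.rejected += 1
            return False
        self.entries[peer] = now
        return True

    def on_ack(self, peer: Endpoint) -> bool:
        """Third handshake message: connection established, entry removed."""
        return self.entries.pop(peer, None) is not None

    def on_rst(self, peer: Endpoint) -> bool:
        """A reachable host that never sent the SYN answers SYN-ACK with RST,
        so the server discards the half-open entry."""
        return self.entries.pop(peer, None) is not None

    def expire(self, now: float) -> int:
        """Drop half-open entries older than the server's SYN-ACK timeout."""
        stale = [p for p, t in self.entries.items() if now - t > self.timeout]
        for p in stale:
            del self.entries[p]
        return len(stale)

    def half_open(self) -> int:
        return len(self.entries)


def simulate(capacity: int = 8, timeout: float = 75.0) -> dict:
    """Walk through the scenarios from the text and report the table state."""
    table = PendingTable(capacity, timeout)

    # 1. A normal client completes the handshake: SYN -> SYN-ACK -> ACK.
    good = ("192.0.2.10", 40001)
    table.on_syn(good, now=0.0)
    table.on_ack(good)
    after_normal = table.half_open()  # 0

    # 2. SYN with a spoofed source that is reachable: that host sends RST,
    #    which removes the entry, so no half-open state accumulates.
    reachable_spoof = ("198.51.100.5", 5000)
    table.on_syn(reachable_spoof, now=1.0)
    table.on_rst(reachable_spoof)
    after_rst = table.half_open()  # 0

    # 3. SYNs with unreachable spoofed sources: neither ACK nor RST ever
    #    arrives, so the entries stay until they time out and the table fills.
    for i in range(capacity):
        table.on_syn((f"203.0.113.{i + 1}", 6000 + i), now=2.0)
    full = table.half_open()  # == capacity

    # 4. A legitimate client is now refused: its SYN is dropped.
    victim = ("192.0.2.20", 40002)
    accepted_during_flood = table.on_syn(victim, now=3.0)  # False

    # 5. Once the stale entries expire, the same client gets in.
    accepted_after_timeout = table.on_syn(victim, now=3.0 + timeout + 1.0)  # True

    return {
        "after_normal": after_normal,
        "after_rst": after_rst,
        "full": full,
        "accepted_during_flood": accepted_during_flood,
        "accepted_after_timeout": accepted_after_timeout,
        "rejected": table.rejected,
        "half_open_now": table.half_open(),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The model makes the two points in the text concrete: the RST from a live host is what empties the table, which is why the spoofed source has to be unreachable, and the legitimate client is refused only while the entries are pending, so the service itself is untouched and recovers once the timeout clears the backlog.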

Finally, it is very difficult to discover the origin of this type of assault since the source IP address in the attacking client's SYN message is counterfeit. A thorough discussion of TCP SYN Flooding attacks is published on the WWW in Phrack Magazine. An account of IP Spoofing attacks is also available from Phrack Magazine.

Preventing the Attack

Unfortunately, there is no generally accepted solution for this type of attack since it exploits a fundamental weakness in the standards that define the TCP/IP protocol suite. One of the most disturbing features of this attack is that it can be launched with a very limited amount of network traffic when compared to other types of denial of service attacks such as ping flooding, mass mailings, etc. Due to the global nature of this problem, a worldwide solution needs to be developed to ensure its effectiveness and interoperability.

It is important to note that servers placed behind Internet firewalls that block all incoming TCP connection requests are currently protected from externally launched TCP SYN Flooding attacks. If an organization wishes to provide remote offices, nomadic workers, and business partners with access to corporate servers via the Internet, packet filters can be configured on the organization's firewall system that restrict access to a limited set of external network numbers. While this is a prudent policy, there is still an exposure if the attacker spoofs one of the small set of addresses that is permitted through the firewall system. Finally, there is no guaranteed way to protect servers that provide information to the general public via the Internet since public servers accept connection requests originating from any subnetwork on the Internet.

CERT recommends that you configure your firewall to prevent packets that contain spoofed IP addresses from exiting your network. This can reduce the likelihood that your site will be the source of one of these attacks. Unlike the situation in which you are protecting yourself from IP spoofing attacks against your IP addresses, in this case you are acting as a good Internet citizen by preventing systems on your network from launching a TCP SYN Flooding attack. CERT urges all Internet Service Providers (ISPs) to implement policies that prohibit packets containing spoofed IP addresses from exiting their infrastructure.
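The two firewall measures above, restricting inbound connection requests to a limited set of external networks and refusing to let packets with spoofed source addresses leave the site, can be expressed as a small packet-filter policy. The following is an added example written for this page, not the configuration of any real firewall product; the network prefixes, the `Packet` structure and the port numbers are constructed assumptions. A connection request is identified, as in packet filters of the period, by a TCP segment with SYN set and ACK clear.

```python
"""Border packet-filter policy: ingress restriction of TCP connection requests
and egress anti-spoofing. Added example; prefixes, ports and the packet
representation are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination TCP port
    syn: bool       # SYN flag
    ack: bool       # ACK flag
    direction: str  # "in" (arriving from the Internet) or "out" (leaving the site)


class BorderFilter:
    def __init__(self, internal: Iterable[str], partners: Iterable[str],
                 public_ports: Iterable[int] = ()):
        self.internal = [ipaddress.ip_network(n) for n in internal]   # the site's own addresses
        self.partners = [ipaddress.ip_network(n) for n in partners]   # permitted external networks
        self.public_ports = set(public_ports)                         # services open to everyone

    @staticmethod
    def _within(addr: str, nets) -> bool:
        a = ipaddress.ip_address(addr)
        return any(a in n for n in nets)

    def decide(self, p: Packet) -> Tuple[str, str]:
        """Return (action, reason) for one packet."""
        is_conn_request = p.syn and not p.ack
        if p.direction == "out":
            # Egress anti-spoofing: a packet leaving the site must carry one of
            # the site's own source addresses, so local hosts cannot be used to
            # launch spoofed SYN traffic against others.
            if not self._within(p.src, self.internal):
                return ("drop", "egress: spoofed source address")
            return ("accept", "egress: source is internal")
        # Inbound traffic
        if self._within(p.src, self.internal):
            # Internet traffic claiming an internal source is spoofed by definition.
            return ("drop", "ingress: internal source address from outside")
        if is_conn_request:
            if p.dport in self.public_ports:
                # Public servers must accept requests from anywhere; this is the
                # exposure the text says cannot be closed by filtering.
                return ("accept", "ingress: public service, any source")
            if self._within(p.src, self.partners):
                return ("accept", "ingress: connection request from permitted network")
            return ("drop", "ingress: connection request from unlisted network")
        # Segments with ACK set belong to connections already under way.
        return ("accept", "ingress: not a connection request")


def evaluate_samples() -> List[Tuple[str, str]]:
    """Run constructed sample packets through the policy."""
    fw = BorderFilter(internal=["192.0.2.0/24"],
                      partners=["198.51.100.0/24"],
                      public_ports=[80])
    samples = [
        Packet("192.0.2.7", "203.0.113.9", 80, True, False, "out"),     # normal outbound request
        Packet("203.0.113.77", "203.0.113.9", 80, True, False, "out"),  # outbound with forged source
        Packet("198.51.100.3", "192.0.2.10", 23, True, False, "in"),    # partner network, telnet
        Packet("203.0.113.50", "192.0.2.10", 23, True, False, "in"),    # unlisted network, telnet
        Packet("203.0.113.50", "192.0.2.10", 80, True, False, "in"),    # anyone, public WWW server
        Packet("192.0.2.7", "192.0.2.10", 23, True, False, "in"),       # inbound claiming internal source
    ]
    return [fw.decide(p) for p in samples]


if __name__ == "__main__":
    for action, reason in evaluate_samples():
        print(f"{action:6s} {reason}")
```

The fourth and fifth sample packets show the limit the text describes: the same unlisted source is refused on the telnet port but must be admitted on the public WWW port, and a request that forges one of the partner addresses would pass the ingress rule, which is why the egress rule on every site matters as much as the ingress rule on your own.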

As of this writing, a number of UNIX system vendors are modifying their TCP/IP kernels to be more resilient against TCP SYN Flooding attacks. Also, vendors of host-based firewall systems are beginning to develop their own proprietary solutions:



Copyright © 1996-1998 PSCS Pty Ltd. All Rights Reserved.