Securing Your Network From Syn Floods
By Tom Seest
At BestCybersecurityNews, we help entrepreneurs, solopreneurs, young learners, and seniors learn more about cybersecurity.
SYN floods are one of the most common forms of distributed denial-of-service (DDoS) attack. A SYN flood exhausts a server's connection-tracking resources with half-open TCP connections: the attacker begins thousands of handshakes and never completes them, so the server sits holding state for connections that will never finish and has nothing left for legitimate clients.
Because attackers usually spoof the source IP addresses on the SYN packets they send, the traffic is hard to trace back and cannot be stopped by simply blocking a few addresses. Several defenses nonetheless exist, and this post walks through the main ones.
Each TCP connection starts with a three-way handshake between client and server: the client sends a SYN segment, the server answers with a SYN-ACK and allocates an entry for the half-open connection, and the client completes the handshake with an ACK. A SYN flood abuses this exchange: the attacker sends SYNs as fast as it can and never sends the final ACK, so the server fills up with half-open connections and cannot accept legitimate ones.
SYN floods are among the most common denial-of-service attacks seen each year. Strictly speaking they are state-exhaustion attacks rather than volumetric ones: the goal is to exhaust the target's connection table, not its bandwidth, although a large enough flood does both. They can come from botnets of compromised computers and mobile devices, and the source addresses are almost always spoofed, which hides the attacker and makes detection and mitigation harder.
The attack works by sending a large number of TCP connection requests that are never completed. Each SYN makes the server allocate a backlog entry and reply with a SYN-ACK, but the acknowledgment never arrives, so the entry sits half-open until it times out. Once the backlog is full, new connections cannot be established and the server becomes unresponsive to users, which can halt business operations, commerce, or access to data.
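To make the half-open state concrete, here is an added simulation written for this post (example code, not from any vendor or from the original article): a server with a fixed backlog and a half-open timeout, a flood of spoofed SYNs that are never acknowledged, and one legitimate client per second. The backlog size of 1024 and the 63-second timeout approximate a Linux default (five SYN-ACK retransmissions before the entry is abandoned); the traffic pattern is constructed. It also shows why a modest SYN rate is enough, the asymmetry discussed later in the post.

```python
"""Simulation of TCP SYN backlog exhaustion (constructed example)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Server:
    backlog_size: int
    synrecv_timeout: float                      # seconds a half-open entry is kept
    half_open: deque = field(default_factory=deque)   # (expiry_time, client), oldest first
    refused: int = 0                            # SYNs dropped because the backlog was full
    established: int = 0

    def _expire(self, now: float) -> None:
        """Drop half-open entries whose SYN-ACK was never answered in time."""
        while self.half_open and self.half_open[0][0] <= now:
            self.half_open.popleft()

    def receive_syn(self, now: float, client: str) -> bool:
        """Handle a SYN. Returns True if a backlog slot was allocated and a SYN-ACK sent."""
        self._expire(now)
        if len(self.half_open) >= self.backlog_size:
            self.refused += 1                   # backlog full: the SYN is silently dropped
            return False
        self.half_open.append((now + self.synrecv_timeout, client))
        return True

    def receive_ack(self, now: float, client: str) -> bool:
        """Third handshake step from a real client: promote its half-open entry."""
        self._expire(now)
        for entry in self.half_open:
            if entry[1] == client:
                self.half_open.remove(entry)
                self.established += 1
                return True
        return False                            # no matching half-open entry


def min_flood_rate(backlog_size: int, synrecv_timeout: float) -> float:
    """SYNs per second an attacker needs to keep the backlog permanently full."""
    return backlog_size / synrecv_timeout


def simulate(backlog_size: int = 1024, synrecv_timeout: float = 63.0,
             flood_pps: int = 0, duration: int = 120) -> dict:
    """Run `duration` one-second ticks.

    Each tick the attacker sends `flood_pps` SYNs from distinct spoofed
    addresses (the SYN-ACKs go to hosts that never asked, so no ACK returns),
    then one legitimate client attempts a complete handshake.
    """
    srv = Server(backlog_size, synrecv_timeout)
    legit_ok = legit_refused = 0
    for t in range(duration):
        now = float(t)
        for i in range(flood_pps):
            srv.receive_syn(now, f"spoofed-{t}-{i}")   # never acknowledged
        client = f"legit-{t}"
        if srv.receive_syn(now, client) and srv.receive_ack(now, client):
            legit_ok += 1
        else:
            legit_refused += 1
    return {
        "legit_ok": legit_ok,
        "legit_refused": legit_refused,
        "flood_syns_dropped": srv.refused - legit_refused,
    }


if __name__ == "__main__":
    print(f"minimum flood rate to fill 1024 slots: {min_flood_rate(1024, 63.0):.1f} SYN/s")
    print("no flood:   ", simulate(flood_pps=0))
    print("10 SYN/s:   ", simulate(flood_pps=10))   # below the minimum rate, nothing is refused
    print("20 SYN/s:   ", simulate(flood_pps=20))   # backlog fills after ~51 s, then every legit SYN is refused
```

Twenty spoofed SYNs per second, a few kilobits of traffic, is enough to lock every legitimate client out of this server once the backlog has filled; ten per second never fills it. That threshold is the backlog size divided by the half-open timeout, which is why both numbers matter when tuning a host.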
Junos OS can combat SYN floods with its SYN flood screen, which limits the number of SYN segments accepted per second. The attack threshold applies to SYNs sent to the same destination address and destination port; when it is exceeded, Junos OS starts proxying inbound SYN segments, answering with SYN-ACKs on the server's behalf until the client completes the handshake. Separate source and destination thresholds count SYNs per source address and per destination address; above those, the device drops further SYNs outright.
Junos OS can also be configured to drop TCP segments that have both the SYN and FIN flags set (the syn-fin screen option). That combination never occurs in a legitimate handshake, since SYN opens a connection and FIN closes one; it shows up in port scans and in attempts to slip past filters that only watch for plain SYNs, so rejecting it removes one more evasion avenue.
Every operating system reserves a bounded amount of memory for its SYN backlog, the queue of half-open TCP connections behind a listening socket. When the backlog is full, the kernel drops new SYNs. Raising the limit (on Linux, the net.ipv4.tcp_max_syn_backlog sysctl together with the backlog argument to listen()) buys headroom during a flood so fewer legitimate connections are dropped, but it is only a stopgap: any fixed backlog can be filled, so it should be combined with SYN cookies (net.ipv4.tcp_syncookies on Linux) or rate limiting upstream.
To restate the mechanics: a SYN flood exploits the TCP handshake by opening connections at high speed and never completing them, so the server's resources are tied up holding half-open connections and legitimate traffic cannot be served. Effective defenses do exist, however.
One common defense is a rate threshold: a device accepts only a set number of SYN segments per second for a given target, and once the threshold is crossed it begins proxying or rejecting further connection requests for that destination. This caps how many half-open connections a flood can create at once.
SYN cookies are another effective countermeasure. Instead of allocating a backlog entry when a SYN arrives, the server encodes the client's IP address and port, its own address and port, a coarse timestamp and the client's maximum segment size into the initial sequence number of its SYN-ACK, protected by a keyed cryptographic hash with a secret only the server knows. When the client's ACK comes back, its acknowledgment number (the cookie plus one) lets the server recompute the hash and verify that this client really completed a handshake, and only then is a full connection created. Spoofed SYNs therefore cost the server nothing beyond sending a SYN-ACK.
Threshold limiting can be combined with a SYN attack detector, which watches the SYN rate and the ratio of SYNs to completed handshakes for signs of an attack. When an attack is declared, the device can clear half-open entries on the server by sending RSTs for connections that never completed, stop forwarding new SYNs to the protected server, or hand the handshake to a SYN proxy. A network administrator can also have an intrusion prevention system or firewall filter incoming SYN packets so the flood never reaches the server.
An intrusion prevention system (IPS) can flag anomalous traffic patterns and block a SYN flood, but it cannot always tell malicious SYNs from legitimate ones, so aggressive filtering drops real sessions along with the attack. In practice it is better to put rate-limiting and SYN-proxying capability in the network path itself, on the firewall, load balancer or router in front of the servers, so that the servers never see the half-open connections.
Most SYN attack detectors work by SYN proxying: the device in front of the server answers each SYN with a SYN-ACK itself, typically using a SYN cookie so that it keeps no state, and only opens a connection to the real server once the client's ACK proves the handshake is genuine. Spoofed SYNs never get past the proxy. While the attack rate stays above the detection threshold, the proxy also resets or discards half-open entries that never complete, and it keeps filtering SYNs until the rate falls back below the threshold and the backlog has cleared.
A normal TCP conversation starts with a SYN (synchronize) from the client, a SYN-ACK from the server, and an ACK (acknowledgment) from the client; if either side wants to abort instead, it sends an RST (reset). An attacker who sends large volumes of SYNs from forged source addresses breaks this process: the server's SYN-ACKs go to hosts that never asked for a connection (and are ignored or, at best, answered with an RST), so no ACK ever comes back and the server's resources stay tied up waiting on connections that will never exist, instead of serving real ones.
Effective defenses against SYN attacks exist at several layers. Some, such as SYN cookies and backlog tuning, are implemented directly on the servers; others rely on network infrastructure, such as firewalls with SYN proxying, load balancers that terminate TCP, and segmentation that keeps a flood against one service from affecting others. Cloud-based scrubbing services can also sit in front of the network and, together with on-premises security tooling, detect and absorb attacks quickly.
One of the simplest countermeasures is a SYN flood threshold that triggers when the number of SYN packets per second exceeds a predefined value. The threshold can be applied per destination address and port, per source address, or per destination address, and the action taken once it is exceeded can be to proxy the handshake or to drop further SYNs.
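The threshold logic described above, run over a constructed packet trace, as an added example (written for this post, not taken from any vendor's code): counters are reset each second, SYNs to one destination address and port above the attack threshold are marked for proxying, and SYNs from a single source or to a single destination above their thresholds are dropped. The thresholds, addresses and trace are all assumptions chosen to make the transitions visible.

```python
"""Per-second SYN threshold classification over a constructed trace."""
from collections import Counter, defaultdict

SERVER = "198.51.100.10"   # constructed protected host


def build_trace():
    """Constructed trace of (second, src_ip, dst_ip, dst_port, flags).

    Seconds 0-3: 20 legitimate SYNs/s from distinct clients.
    Seconds 2-3: plus 300 spoofed SYNs/s from distinct addresses and one
    chatty host sending 60 SYNs/s.
    """
    trace = []
    for sec in range(4):
        for i in range(20):
            trace.append((sec, f"203.0.113.{i + 1}", SERVER, 443, "S"))
        if sec >= 2:
            for i in range(300):
                trace.append((sec, f"100.64.{i // 256}.{i % 256}", SERVER, 443, "S"))
            for _ in range(60):
                trace.append((sec, "192.0.2.66", SERVER, 443, "S"))
    return trace


def classify(trace, attack_threshold=100, source_threshold=50, destination_threshold=250):
    """Return {second: Counter(action -> count)}.

    Within each one-second window:
      - more than attack_threshold SYNs to one (dst_ip, dst_port) -> 'proxy'
      - more than source_threshold SYNs from one src_ip           -> 'drop'
      - more than destination_threshold SYNs to one dst_ip        -> 'drop'
    Drop takes precedence over proxy; anything below the thresholds passes.
    The trace must be ordered by second.
    """
    per_second = defaultdict(Counter)
    current = None
    for sec, src, dst, dport, flags in trace:
        if sec != current:                      # new window: reset the rate counters
            current = sec
            by_dst_port, by_src, by_dst = Counter(), Counter(), Counter()
        if flags != "S":                        # only SYNs are rate-limited here
            per_second[sec]["pass"] += 1
            continue
        by_dst_port[(dst, dport)] += 1
        by_src[src] += 1
        by_dst[dst] += 1
        if by_src[src] > source_threshold or by_dst[dst] > destination_threshold:
            action = "drop"
        elif by_dst_port[(dst, dport)] > attack_threshold:
            action = "proxy"
        else:
            action = "pass"
        per_second[sec][action] += 1
    return per_second


if __name__ == "__main__":
    for sec, actions in sorted(classify(build_trace()).items()):
        print(sec, dict(actions))
```

In the flood seconds the first 100 SYNs to port 443 pass, the next 150 are proxied, and everything beyond the destination threshold, including all of the chatty host's SYNs, is dropped. Note that a per-source threshold does nothing against a flood whose sources are all spoofed and distinct; the destination-side thresholds are what catch it.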
In more detail, a SYN cookie is not a separate packet but a value the server places in the sequence number field of its SYN-ACK. It is derived from the source and destination IP addresses and port numbers of the original SYN, a slowly changing counter, and a secret key, run through a keyed hash (Linux used MD5 for years and now uses SipHash). Because the cookie can be recomputed from the client's ACK, the server does not need to keep the SYN in its backlog at all, so an overflowing backlog no longer causes connection drops and no connection data is lost.
A server using SYN cookies also has no half-open entries to clear, so it never needs to send RSTs to free backlog space or refuse legitimate SYNs when under load. The approach has costs, though: while cookies are in use the server cannot remember TCP options from the SYN (window scaling and selective acknowledgment are lost unless they are encoded in the TCP timestamp option), and the server still spends CPU and bandwidth sending a SYN-ACK for every spoofed SYN, so a large enough flood can still saturate the link. SYN cookies should therefore be enabled and kept current, but combined with rate limiting upstream.
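Here is an added, simplified SYN cookie generator and verifier illustrating the two passages above (example code written for this post, not the Linux implementation). It follows the layout Linux has used for its cookie: a 32-bit initial sequence number whose top 5 bits carry a slowly increasing counter so cookies expire, the next 3 bits an index into a small table of MSS values, and the low 24 bits a keyed hash over the connection 4-tuple and the counter. HMAC-SHA256 stands in for the kernel's hash, the secret is a constructed stand-in for a random per-boot key, and the two-step validity window is an assumption (Linux's window is longer).

```python
"""Simplified SYN cookie generation and verification (constructed example)."""
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = (536, 1300, 1440, 1460)   # MSS values that fit in the 3-bit index (as in Linux's msstab)
MAX_COOKIE_AGE = 2                    # counter steps a cookie stays valid (assumption)
SECRET = hashlib.sha256(b"constructed per-boot secret").digest()   # a real server draws this randomly at boot


def _mac24(secret, src_ip, src_port, dst_ip, dst_port, client_isn, count, mss_idx):
    """Low 24 bits of a keyed hash binding the cookie to this connection and counter value."""
    msg = (ipaddress.ip_address(src_ip).packed
           + ipaddress.ip_address(dst_ip).packed
           + struct.pack(">HHIBB", src_port, dst_port, client_isn, count, mss_idx))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, count, secret=SECRET):
    """Server ISN for the SYN-ACK: 5-bit counter | 3-bit MSS index | 24-bit MAC.

    No per-connection state is stored; everything needed later is inside the number.
    `client_isn` is the sequence number from the client's SYN, `count` the current
    coarse clock value (Linux increments it once a minute).
    """
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fits[-1] if fits else 0          # largest table entry not above the client's MSS
    count &= 0x1F
    mac = _mac24(secret, src_ip, src_port, dst_ip, dst_port, client_isn, count, mss_idx)
    return (count << 27) | (mss_idx << 24) | mac


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_seq, ack_ack, now_count, secret=SECRET):
    """Validate the client's final ACK.

    ack_seq is the ACK's sequence number (client ISN + 1) and ack_ack its
    acknowledgment number (our cookie + 1). Returns the MSS to use for the
    connection, or None if the cookie is forged, replayed or stale.
    """
    cookie = (ack_ack - 1) & 0xFFFFFFFF
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    count = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if ((now_count - count) & 0x1F) > MAX_COOKIE_AGE:
        return None                             # issued too long ago (or clock went backwards)
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac24(secret, src_ip, src_port, dst_ip, dst_port, client_isn, count, mss_idx)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None                             # MAC mismatch: not a cookie we issued for this 4-tuple
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Constructed handshake: client 203.0.113.7:51515 -> server 198.51.100.10:443
    c = make_cookie("203.0.113.7", 51515, "198.51.100.10", 443, 0x1234ABCD, 1460, count=5)
    print("cookie:", hex(c))
    print("genuine ACK ->", check_cookie("203.0.113.7", 51515, "198.51.100.10", 443, 0x1234ABCE, c + 1, now_count=5))
    print("stale ACK   ->", check_cookie("203.0.113.7", 51515, "198.51.100.10", 443, 0x1234ABCE, c + 1, now_count=9))
    print("forged ACK  ->", check_cookie("203.0.113.7", 51515, "198.51.100.10", 443, 0x1234ABCE, (c ^ 1) + 1, now_count=5))
```

The point to notice is what the server does not do: nothing is written to the backlog when the SYN arrives, so a spoofed SYN costs only the hash and the SYN-ACK. The price is visible in the MSS table: the client's exact MSS is rounded down to one of four values, and other options from the SYN cannot be recovered at all.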
Every TCP connection begins with the three-way handshake: the client sends a SYN, the server responds with a SYN-ACK, and the client's ACK establishes the connection. In a SYN flood the adversary sends thousands of SYNs to the server, or to a stateful element in front of it such as a firewall or load balancer, and never sends the expected ACKs. The target fills up with half-open connections and has no capacity left to process legitimate requests.
SYN attacks can be powerful, taking down not only web servers but also the infrastructure in front of them, such as routers, firewalls, load balancers and cloud or virtual private servers, since anything that keeps per-connection state can have that state exhausted. Which systems are targeted depends on the attacker's motives. A SYN flood on its own achieves only denial of service; it does not steal data or install malware, so when those are the goal the flood is at most a supporting piece of a larger attack.
SYN attacks differ from bandwidth floods in that they need very little capacity: a SYN segment is only 40 to 60 bytes, and each one ties up a backlog entry for tens of seconds, so a single host on a modest connection can fill the backlog of a much larger server. Keeping a 1024-entry backlog with a 60-second half-open timeout permanently full, for example, takes only about 17 SYNs per second. That asymmetry is why every exposed system should be protected by firewalls with SYN flood screening and by host-level defenses such as SYN cookies.
Junos OS protects itself and the hosts behind it by watching the rate of incoming SYNs and, once the attack threshold is crossed, proxying the handshake: the firewall answers each SYN with a SYN-ACK, holds the half-open request in its own queue, and forwards the connection to the server only if the client's ACK arrives. Requests whose ACK never arrives are discarded when the configurable timeout (20 seconds by default) expires, so spoofed SYNs cost the server nothing and other traffic through the device is unaffected.
Beyond relying on the server's own SYN backlog, Junos OS lets you set thresholds per destination IP address and port, per source address, and per destination address. Exceeding the attack threshold turns on SYN proxying; exceeding the source or destination threshold causes further SYNs from that source or to that destination to be dropped without proxying. Dropping gives up the chance to complete any of those handshakes, but it is far cheaper for the device than proxying, which makes it the right response to high-volume floods.
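The settings described above, as an added configuration example for an SRX firewall (written for this post, not copied from the original article or from Juniper's documentation): a screen named untrust-screen carrying the SYN flood thresholds and the syn-fin check, attached to the untrust zone. The zone and screen names and the threshold values are assumptions; the per-second values should be tuned against the site's normal SYN rate.

```junos
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp syn-fin
set security zones security-zone untrust screen untrust-screen
```

Here attack-threshold is the per-second SYN count to one destination address and port at which the device switches to SYN proxying; source-threshold and destination-threshold are the per-second counts from one source or to one destination above which further SYNs are dropped; timeout is how long a proxied half-open request is held before it is discarded; and alarm-threshold is the number of proxied half-open connections per second at which an event is logged. After committing, `show security screen statistics zone untrust` shows how often each check has fired, which is the quickest way to tell whether the thresholds are catching a flood or tripping on normal traffic.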
Please share this post with your friends, family, or business associates who may encounter cybersecurity attacks.