SYN Flooding Torn Apart By Ankit Fadia


Date Released: 16th October 2001

Denial of Service attacks, or DoS attacks, have become very common. Almost every server on the Internet is bound to come under a DoS attack at some time or other. If one needs a one-line definition of a DoS attack, the following describes it best: an attack on a target system by a malicious system that renders the normal services offered by the target unavailable to its legitimate users. For a more detailed look into DoS attacks and various examples read:

In this manual, we will be focusing on one of the most common and easiest to execute DoS attacks, known as SYN flooding. SYN floods are not only a very popular form of DoS attack, they are also one of the steps in the classic IP spoofing attack, where the host being impersonated is flooded so that it cannot answer the packets the attacker forges in its name. This manual talks about SYN flooding in detail, giving the various malicious ways in which it can be misused and the countermeasures one can take to prevent one's system from falling prey to such attacks.

The basic idea behind SYN flooding is to flood the target system with so many connection requests from spoofed source addresses that the resources it sets aside for connections in progress (kernel memory and, in particular, its table of half-open connections) are used up trying to complete connections that can never be completed. Since the spoofed source addresses do not answer, every slot the target reserves for them stays occupied until it times out, and the target is unable to serve even legitimate clients.

Still unclear as to what SYN flooding means? Consider the following real-life scenario. Say there is a single telephone number with 10 parallel lines, i.e. the same number can take 10 calls at once. If you use 10 telephones and dial this number once from each, all 10 lines of the target telephone are used up answering your 10 calls.
Thus, even if a legitimate caller tries the number (which is under attack by you), he cannot get through, and we can say that the services of the target telephone have been rendered unavailable. A SYN flood is worse for the victim than this scenario, because the connection requests come from spoofed source addresses, which makes it difficult (though not impossible) for the target system to trace the source of the attack.

Similarly, in a SYN flood attack the target system is flooded with an endless stream of connection requests, so that the resources it reserves for connections in progress are exhausted and the services it provides become unavailable to legitimate users. To understand SYN flooding better, read further.

The SYN attack exploits TCP/IP's three-way handshake. Thus, in order to understand how SYN attacks work, one first needs to know exactly how TCP establishes a connection between two systems. Whenever a client wants to establish a connection with a host, three steps take place. These three steps are referred to as the three-way handshake.

1.        The client system sends a SYN packet (synchronization packet) to the remote host.

2.        The remote host replies with a SYN/ACK Packet (Synchronization/Acknowledgement Packet) to the client.

3.        The client replies with an ACK Packet, acknowledging the packet sent by the host in Step 2.

HACKING TRUTH: What exactly are ACK and SYN Packets?

TCP, in its bid to ensure proper and reliable transfer of data between two systems, demands that the receiver of data acknowledge what it has received. These acknowledgement messages are known as ACK messages (a TCP segment with the ACK flag set and an acknowledgement number filled in).

Let us take an example to understand ACK messages better. Say there are two systems, A and B, and A sends a segment (say X1) to B. In the simplest picture, A does not consider X1 delivered until it receives an acknowledgement (ACK X1) from B confirming receipt of X1; only then does it move on to the next segment, X2. (Real TCP keeps several unacknowledged segments in flight, bounded by the receive window, but the principle is the same.) If A does not get an ACK within its retransmission timeout, a "timed out" occurs and A resends the data to B. The acknowledgement itself is not acknowledged: if it is lost, A simply retransmits X1 and B acknowledges it again.

ACK numbers are cumulative: an acknowledgement number of 1000 means that every byte of the stream with a sequence number below 1000 has been received and that byte 1000 is the next one expected. (TCP has no negative acknowledgement; the selective acknowledgement option, SACK, is outside the scope of this manual.)

A SYN packet is nothing but a normal TCP segment with the Synchronize (SYN) flag switched on, normally carrying no data. A packet with the SYN flag switched on means that its sender wants to open a TCP connection with the destination system, and it carries the sender's initial sequence number (ISN).

*****************

To understand the three-way handshake better, let us follow the depiction of the three steps below:
    Client --------SYN Packet--------------> Host

In the first step the client sends a SYN packet to the host with which it wants to establish a connection. The SYN packet asks the remote system for a connection. It also contains the client's Initial Sequence Number, or ISN. TCP numbers every byte of the data stream, and the ISN is the number each side starts counting from: the host uses the client's sequence numbers to put segments that arrive out of order back in the correct sequence and to say, in its ACKs, how much of the stream it has received. (The ISN is also what an IP spoofer must guess: the host's SYN/ACK goes to the spoofed address, not to the attacker, so a forged final ACK is only accepted if the attacker can predict the host's ISN.)

    Host -------------SYN/ACK Packet----------> Client

In the second step, the host replies to the client with a SYN/ACK packet. This packet acknowledges the client's SYN (its acknowledgement number is the client's ISN plus one) and carries the host's own ISN.

    Client --------------ACK-----------------------> Host

In the last step the client acknowledges the SYN/ACK sent by the host by replying with an ACK packet whose acknowledgement number is the host's ISN plus one. These three steps together are known as the three-way handshake, and only when all three are completed is a TCP connection established between the two systems. A connection that has completed the handshake is called a fully established connection.

The SYN Flood Attack

In a SYN flood attack, a large number of SYN packets are sent to the server, each with a spoofed source IP address chosen so that no host will answer for it (an unassigned or unreachable address). When the target system receives these SYN packets it tries to respond to each one of them with a SYN/ACK packet, and then waits for an ACK to come back from the spoofed address. Because nobody is listening at that address, the ACK never arrives. The target therefore keeps each request queued as a half-open connection, and the entry is only removed when an ACK arrives, when the spoofed host sends back a reset (RST), or when the request times out. (This is why attackers avoid spoofing live addresses: a live host that receives an unexpected SYN/ACK answers with a RST, which frees the entry immediately.) Each queued request occupies valuable resources on the target machine, and with a large enough number of them the queue of half-open connections fills up and the target is unable to accept connections from legitimate users.

It is important to note that to actually affect the target system, a large number of SYN packets with spoofed source addresses has to be sent. On the unpatched stacks of the time these queued requests could eat up kernel memory until the system crashed, hung or rebooted; on stacks that bound the queue, the effect is that new connection requests, including legitimate ones, are simply dropped while the queue is full, which is just as much a denial of service.

In accordance with the rules of TCP/IP, after a certain time has passed (the target retransmits the SYN/ACK a few times with increasing delays and then gives up, typically after a minute or more), a "timed out" takes place and the queued connection requests are discarded, so that the resources they held are freed up. However, in a typical SYN flood the attacker keeps sending connection requests from spoofed addresses faster than the earlier ones time out. The number of half-open entries the target must hold at any moment is roughly the arrival rate of spoofed SYNs multiplied by the timeout; as long as that product exceeds the size of the queue, the queue stays full, and even though old entries are being discarded, the attacker's continuous stream of new requests refills the space as soon as it is freed.

****************
SYN packets in conjunction with the concept of half-open connections are also used for stealth port scanning, or half-open port scanning. For more details read:

****************

When the target system has sent the SYN/ACK packet to the client that tried to establish a connection, and is waiting to receive the client's ACK, the connection is said to be half open and the host's end of it is in the state SYN_RECEIVED (Linux netstat prints it as SYN_RECV). It is this state that one can use to detect whether one's system is under a SYN flood. Simply type the following netstat command at the prompt (the parameters accepted and the exact output vary from system to system; add -n so that netstat does not try to resolve hostnames, which is slow on a host under attack and generates traffic of its own):

C:\windows>netstat -a

Active Connections

  Proto  Local Address  Foreign Address  State
  TCP    ankit          201.xx.34.23     SYN_RECEIVED
  TCP    ankit          197.xx.21.31     SYN_RECEIVED
  TCP    ankit          1.xx.91.66       SYN_RECEIVED
  TCP    ankit          151.xx.45.0      SYN_RECEIVED
  TCP    ankit          187.xx.71.98     ESTABLISHED
  TCP    ankit          197.xx.11.41     SYN_RECEIVED
  TCP    ankit          *:*              SYN_RECEIVED
  TCP    ankit          *:*              ESTABLISHED
  ……….

If the above command, when executed on your system, shows a lot of connections in the SYN_RECEIVED state, especially from many different and unrelated source addresses, then your system is probably under a SYN flood attack. It is important to note that the above output also contains some connections in the ESTABLISHED state. They are legitimate connections that were completed before the queue filled up; existing connections are not affected by a SYN flood, which only stops new ones from being accepted.
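A small checker for the kind of netstat output shown above, as an added example that is not part of the original manual. The sample text is constructed (documentation and private address ranges, not a real capture), and the thresholds are arguments you would set from a baseline of your own host rather than values from the manual. On Linux, `ss -n state syn-recv` lists the same half-open sockets directly.

```python
"""Count half-open (SYN_RECEIVED) connections in netstat output and flag a likely SYN flood.
Constructed example: the sample text below is made up in the shape of `netstat -an`."""
import re
from collections import Counter

# Constructed sample, not a capture from a real host (documentation and private ranges only).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.5:80           203.0.113.9:41022      ESTABLISHED
  TCP    192.0.2.5:80           198.51.100.23:3401     SYN_RECEIVED
  TCP    192.0.2.5:80           10.44.1.7:2211         SYN_RECEIVED
  TCP    192.0.2.5:80           10.9.200.3:2212        SYN_RECEIVED
  TCP    192.0.2.5:80           172.16.8.1:2213        SYN_RECEIVED
  TCP    192.0.2.5:443          203.0.113.77:50112     ESTABLISHED
  TCP    192.0.2.5:80           10.200.5.5:2214        SYN_RECEIVED
  TCP    192.0.2.5:443          198.51.100.40:2215     SYN_RECEIVED
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
"""

# Windows prints SYN_RECEIVED, Linux netstat prints SYN_RECV for the same TCP state.
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV"}
ROW_RE = re.compile(r"^\s*(TCP|tcp6?|UDP|udp6?)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        rows.append({"proto": proto.upper(), "local": local, "foreign": foreign,
                     "state": (state or "").upper()})
    return rows


def split_addr(addr):
    """'192.0.2.5:80' -> ('192.0.2.5', 80); handles '[::1]:80' and bare hostnames too."""
    if ":" not in addr:
        return addr, None
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None


def assess(text, min_half_open=50, ratio=2.0):
    """Summarise the connection table and say whether it looks like a SYN flood.
    min_half_open and ratio are knobs to set from your host's normal baseline."""
    rows = [r for r in parse_netstat(text) if r["proto"].startswith("TCP")]
    states = Counter(r["state"] for r in rows)
    half_open = [r for r in rows if r["state"] in HALF_OPEN_STATES]
    established = states["ESTABLISHED"]
    # Half-open sockets per local port: a flood normally targets one service.
    per_port = Counter(split_addr(r["local"])[1] for r in half_open)
    # Distinct first octets among half-open peers: spoofed sources scatter across the space.
    first_octets = {split_addr(r["foreign"])[0].split(".")[0] for r in half_open}
    suspicious = (len(half_open) >= min_half_open
                  and len(half_open) >= ratio * max(established, 1))
    return {
        "half_open": len(half_open),
        "established": established,
        "half_open_by_port": dict(per_port),
        "distinct_source_octets": len(first_octets),
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_NETSTAT, min_half_open=4)   # low threshold for the tiny sample
    for key, value in report.items():
        print(f"{key}: {value}")
```

The count alone is not proof: a busy server under legitimate load also shows a few SYN_RECEIVED entries, so compare against what the host shows on a normal day, and look at how the foreign addresses are spread as well as how many there are.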
We now know how SYN attacks work and how to detect whether or not your system is under a SYN flood. Let us now learn the countermeasures that can be taken against such attacks.
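Before the countermeasures, the handshake and the queue race described above, as an added simulation. This is not code from the original manual: the `Listener` class, the backlog and timeout values and the addresses are all constructed for illustration, and the model deliberately leaves out SYN/ACK retransmission and RSTs from live hosts. The same model also shows what the first two countermeasures below, a shorter timeout and a larger queue, buy against a flood of a given rate.

```python
"""Toy model of a TCP listener's half-open (SYN_RECEIVED) queue under a SYN flood.
Constructed for illustration: not a real TCP stack. SYN/ACK retransmission, RSTs from
live hosts and per-socket memory limits are deliberately left out."""
from dataclasses import dataclass


@dataclass
class HalfOpen:
    client_isn: int
    server_isn: int
    expires_at_ms: int   # virtual time at which the entry is "timed out" and discarded


class Listener:
    """A listening socket: half-open queue of fixed size, entries expire after syn_timeout_s."""

    def __init__(self, backlog, syn_timeout_s, isn_start=1000):
        self.backlog = backlog
        self.timeout_ms = syn_timeout_s * 1000
        self.next_isn = isn_start          # predictable ISN, fine for the model
        self.half_open = {}                # peer (ip, port) -> HalfOpen, i.e. SYN_RECEIVED
        self.established = {}              # peer -> (client_isn, server_isn)
        self.dropped_syns = 0              # SYNs refused because the queue was full

    def _expire(self, now_ms):
        for peer, entry in list(self.half_open.items()):
            if entry.expires_at_ms <= now_ms:
                del self.half_open[peer]

    def on_syn(self, now_ms, peer, client_isn):
        """Step 1 arrives. Returns the SYN/ACK (peer, seq, ack) we send, or None if dropped."""
        self._expire(now_ms)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None
        server_isn = self.next_isn
        self.next_isn += 1
        self.half_open[peer] = HalfOpen(client_isn, server_isn, now_ms + self.timeout_ms)
        # Step 2: SYN/ACK acknowledges the client's ISN (+1) and carries our own ISN.
        return (peer, server_isn, client_isn + 1)

    def on_ack(self, now_ms, peer, ack):
        """Step 3 arrives. The ACK must name our ISN + 1; otherwise it is ignored."""
        self._expire(now_ms)
        entry = self.half_open.get(peer)
        if entry is None or ack != entry.server_isn + 1:
            return False
        del self.half_open[peer]
        self.established[peer] = (entry.client_isn, entry.server_isn)
        return True

    def state_counts(self):
        """What netstat would summarise for this socket."""
        return {"SYN_RECEIVED": len(self.half_open), "ESTABLISHED": len(self.established)}


def complete_handshake():
    """The three steps against the toy listener, with the sequence-number arithmetic."""
    lst = Listener(backlog=8, syn_timeout_s=75)
    peer = ("192.0.2.10", 51000)                                 # constructed client address
    _, server_isn, ack = lst.on_syn(0, peer, client_isn=12345)   # step 1 -> step 2
    assert ack == 12345 + 1                                      # SYN/ACK acks client ISN + 1
    ok = lst.on_ack(5, peer, server_isn + 1)                     # step 3: ACK names server ISN + 1
    return ok, lst.state_counts()


def run_flood(backlog, syn_timeout_s, flood_rate, duration_s, legit_at_s):
    """Spoofed SYNs arrive flood_rate times per second and are never ACKed.
    One legitimate client sends its SYN at legit_at_s and ACKs at once.
    Returns (legit_connected, dropped_syns, half_open_at_end)."""
    assert 1000 % flood_rate == 0
    lst = Listener(backlog, syn_timeout_s)
    interval_ms = 1000 // flood_rate
    legit_peer = ("198.51.100.7", 40000)
    legit_sent = legit_connected = False
    for i in range(duration_s * flood_rate):
        now_ms = i * interval_ms
        if not legit_sent and now_ms >= legit_at_s * 1000:
            legit_sent = True
            synack = lst.on_syn(now_ms, legit_peer, client_isn=5000)
            if synack is not None:                     # queue had room: finish the handshake
                legit_connected = lst.on_ack(now_ms, legit_peer, synack[1] + 1)
        # Each spoofed SYN claims a different unreachable source, so no RST ever comes back.
        spoofed = ("10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255), 1024 + i)
        lst.on_syn(now_ms, spoofed, client_isn=i)
    return legit_connected, lst.dropped_syns, len(lst.half_open)


if __name__ == "__main__":
    print("handshake:", complete_handshake())
    # rate x timeout = 750 > backlog 128: queue stays full, legitimate client is refused
    print("75 s timeout, 10 SYN/s:", run_flood(128, 75, 10, 60, 30))
    # rate x timeout = 100 < backlog 128: entries time out fast enough, client gets through
    print("10 s timeout, 10 SYN/s:", run_flood(128, 10, 10, 60, 30))
    # same attack, bigger queue (1024 > 750): client gets through as well
    print("75 s timeout, backlog 1024:", run_flood(1024, 75, 10, 60, 30))
```

The three runs at the bottom are the whole argument in numbers: ten spoofed SYNs a second against a 128-entry queue with a 75-second timeout keeps the queue full from the 13th second on, while either a 10-second timeout or a 1024-entry queue lets the legitimate client through, until the attacker raises the rate again.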


There is no single countermeasure that protects your system completely against SYN flood attacks. However, there is a set of steps that can be followed to minimize the risk of damage caused by such attacks:

    Reducing the time it takes for a connection request to "time out". This ensures that when a large number of spoofed connection requests is sent to the target system, they are discarded sooner, which reduces the number of half-open entries the target has to hold at any moment. It also reduces the time a legitimate client on a slow or lossy path has to complete its handshake, and an attacker can always compensate by sending faster, so on its own this is not a very good countermeasure against SYN attacks.

    Increasing the queue of connection requests: this means increasing the number of half-open connection requests that a particular host will hold at one time (the listen backlog). The attacker then has to sustain a higher rate to keep it full. The drawback is that the queue consumes more memory and other resources of the host, and a determined attacker can still fill it.

    Using SYN cookies, where the operating system supports them: instead of storing the half-open connection, the host encodes a cryptographic check value into the ISN it sends in its SYN/ACK and keeps no state at all until the client's ACK proves, by echoing that value plus one, that the handshake is genuine. Spoofed SYNs then cost the host nothing but the SYN/ACK it sends back.

    Installing vendor-specific updates and patches, or employing a firewall that detects SYN attacks and answers SYN packets on the server's behalf, forwarding a connection to the server only once the client has completed the handshake (a "SYN proxy"). Note that a firewall at the target cannot trace a spoofed source address back to the real attacker; stopping spoofed packets at their origin requires ingress filtering by the networks the attacker sends from (RFC 2827). For more details read: CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoofing Attacks
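A worked example of the stateless alternative to queueing half-open connections: SYN cookies, in which the server's ISN is a keyed check value it can recompute when the ACK arrives. This is an added illustration, not code from the original manual and not the bit layout any real stack uses (Linux, for instance, also encodes the client's MSS in the cookie); the secret, the 64-second counter, the 24-bit MAC and the addresses are all constructed for the demonstration.

```python
"""Stateless SYN handling with SYN cookies (simplified layout, constructed for illustration).
The server's ISN is a cookie: 8 bits of time counter + 24 bits of keyed MAC over the
4-tuple and that counter. A client's ACK echoes cookie + 1, which can be verified
without having stored anything at SYN time."""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-secret-rotate-me"   # a real stack draws this at random per boot
EPOCH_S = 64                                    # counter advances every 64 s; cookies live ~2 epochs


def _mac24(four_tuple, counter, secret):
    """24-bit keyed MAC of (src ip, src port, dst ip, dst port, counter)."""
    src_ip, src_port, dst_ip, dst_port = four_tuple
    msg = struct.pack("!4sH4sHB", ipaddress.IPv4Address(src_ip).packed, src_port,
                      ipaddress.IPv4Address(dst_ip).packed, dst_port, counter)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


def make_cookie(four_tuple, now_s, secret=SECRET):
    """ISN to put in the SYN/ACK for this SYN. No state is kept."""
    counter = (now_s // EPOCH_S) & 0xFF
    return (counter << 24) | int.from_bytes(_mac24(four_tuple, counter, secret), "big")


def check_cookie(four_tuple, ack_number, now_s, secret=SECRET):
    """True if ack_number is cookie + 1 for a cookie we would have issued in this
    or the previous epoch. Rejects forged, stale and mis-addressed ACKs."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter = cookie >> 24
    current = (now_s // EPOCH_S) & 0xFF
    if counter not in (current, (current - 1) & 0xFF):
        return False
    expected = _mac24(four_tuple, counter, secret)
    return hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected)


class CookieListener:
    """Listener that never queues a half-open connection."""

    def __init__(self, local_ip, local_port, secret=SECRET):
        self.local = (local_ip, local_port)
        self.secret = secret
        self.established = {}
        self.syn_acks_sent = 0

    def _tuple(self, peer):
        return (peer[0], peer[1], self.local[0], self.local[1])

    def on_syn(self, now_s, peer, client_isn):
        """Reply with SYN/ACK (seq = cookie, ack = client ISN + 1); remember nothing."""
        self.syn_acks_sent += 1
        return (make_cookie(self._tuple(peer), now_s, self.secret), client_isn + 1)

    def on_ack(self, now_s, peer, ack_number):
        """Accept the connection only if the ACK carries a valid cookie + 1."""
        if not check_cookie(self._tuple(peer), ack_number, now_s, self.secret):
            return False
        self.established[peer] = ack_number - 1        # our ISN, recovered from the ACK itself
        return True


def demo_flood(n_spoofed=100_000):
    """n_spoofed never-ACKed SYNs, then one real client and one forged ACK.
    Returns (syn_acks_sent, legit_ok, forged_ok, established_count)."""
    lst = CookieListener("192.0.2.5", 80)
    for i in range(n_spoofed):   # every spoofed SYN costs a SYN/ACK and nothing else
        lst.on_syn(1_000, ("10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255), 1024 + i), i)
    legit = ("203.0.113.9", 41022)
    seq, _ = lst.on_syn(1_000, legit, client_isn=777)
    legit_ok = lst.on_ack(1_003, legit, seq + 1)                      # genuine third step
    forged_ok = lst.on_ack(1_003, ("203.0.113.9", 41023), seq + 1)    # cookie reused from another port
    return lst.syn_acks_sent, legit_ok, forged_ok, len(lst.established)


if __name__ == "__main__":
    print(demo_flood())
```

The price of keeping no state is that anything the SYN carried and the cookie cannot encode (window scaling, SACK permission) is lost for that connection, which is why Linux with `net.ipv4.tcp_syncookies = 1` only switches to cookies once the ordinary SYN queue overflows. The 24-bit MAC also means an attacker who guesses ACK numbers blindly has a one-in-sixteen-million chance per packet of opening a connection; a real deployment sizes the MAC and rotates the secret with that in mind.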

SYN flooding is also commonly used in the process of performing IP spoofing. We will be discussing IP spoofing in later manuals. With this we come to the end of this manual. Hope you enjoyed it. Till next time, bye.

Ankit Fadia