Smurf and SYN Flood Attacks

smurf attack sends a large amount of ICMP Echo (ping) traffic to a broadcast IP address with the spoofed source address of a victim. Each secondary victim's host on that IP network replies to the ICMP Echo request with an Echo reply, multiplying the traffic by the number of hosts responding. On a multiaccess broadcast network, hundreds of machines might reply to each packet. This creates a magnified DoS attack of ping replies, flooding the primary victim. IRC servers are the primary victim of smurf attacks on the Internet.
SYN flood attack sends TCP connection requests faster than a machine can process them. The attacker creates a random source address for each packet and sets the SYN flag to request a new connection to the server from the spoofed IP address. The victim responds to the spoofed IP address and then waits for the TCP confirmation that never arrives. Consequently, the victim's connection table fills up waiting for replies; after the table is full, all new connections are ignored. Legitimate users are ignored as well and can't access the server.
A SYN flood attack can be detected through the use of the netstat command. An example of the netstat output from a system under a SYN flood is shown in Figure 1.

Figure 1: netstat output under a SYN flood attack
Here are some of the methods used to prevent SYN flood attacks:
  • SYN Cookies SYN cookies ensure the server does not allocate system resources until a successful three-way handshake has been completed.
  • RST Cookies Essentially the server responds to the client SYN frame with an incorrect SYN ACK. The client should then generate an RST packet telling the server that something is wrong. At this point, the server knows the client is valid and will now accept incoming connections from that client normally.
  • Micro Blocks Micro blocks prevent SYN floods by allocating only a small space in memory for the connection record. In some cases, this memory allocation is as small as 16 bytes.
  • Stack Tweaking This method involves changing the TCP/IP stack to prevent SYN floods. Techniques of stack tweaking include selectively dropping incoming connections or reducing the timeout when the stack will free up the memory allocated for a connection.
In Exercise 1, you will learn how to prevent SYN flood attacks on Windows 2000 servers.
Exercise 1: Preventing SYN Flood Attacks on Windows 2000 Servers

  1. Run the Windows Registry editor by clicking Start ð Run and typing Regedit.
  2. Navigate to the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters Registry key.
  3. Add the SynAttackProtect=2 DWORD value to the Registry key.
  4. Close the regedit program.
This change will allow the operating system to handle more SYN requests. When the value of SynAttackProtect is 2, Windows delays the creation of a socket until the three-way handshake is completed. This change will effectively prevent SYN flood attacks from tying up resources on a Windows server.

No comments:

Post a Comment

Popular Posts