What Is a SYN Attack and How Can You Achieve Effective DDoS Protection Against It?
Posted: Sep 23, 2022
The TCP SYN flood attack is a protocol DDoS (Distributed Denial of Service) attack that aims to make a server unavailable to legitimate users by exploiting one phase of the TCP three-way handshake to consume all of the server's resources.
In a normal TCP three-way handshake, the client requests a connection by sending a SYN (synchronize) message to the server. The server acknowledges it by sending a SYN-ACK (synchronize-acknowledge) message back to the client. The client responds with an ACK (acknowledge) message, and the connection is established.
In a SYN attack, the malicious client repeatedly sends a large volume of SYN packets from spoofed IP addresses to every port on the targeted server. The server treats each request as legitimate and responds to each one with a SYN-ACK packet from each open port. The malicious client never sends the ACK that would complete the handshake, so the server is left waiting for an acknowledgment on each of those half-open connections.
Network exhaustion and saturation
As the malicious client keeps sending SYN packets to the server at a high rate, the targeted server eventually uses up all of its available ports, preventing any legitimate connection from being made. The server can ultimately exhaust all of its resources and crash.
The SYN flood is one of several attacks that take advantage of TCP/IP to overwhelm target systems. The attacker does not need a powerful system or large bandwidth to carry out a SYN flood attack.
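The saturation described above is visible in the server's own connection table long before it crashes: half-open connections sit in the SYN-RECV state waiting for an ACK that never comes. The following Python script is an added example (not code from the article or from Akamai) that reads a snapshot in the column layout of `ss -tan` on Linux and flags ports where half-open sockets dominate. The snapshot itself is constructed, and the thresholds are illustrative defaults, not recommended production values.

```python
"""Spot SYN-flood symptoms in a snapshot of the kernel connection table.

Added example, not code from the article: the snapshot below is constructed
in the column layout of `ss -tan` on Linux, and the thresholds are
illustrative defaults, not recommended production values.
"""

# Constructed sample: a web server under a spoofed SYN flood. Nearly every
# entry for :443 is stuck in SYN-RECV, each from a different (forged) peer.
SS_SNAPSHOT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      4096   0.0.0.0:443         0.0.0.0:*
ESTAB     0      0      10.0.0.5:443        203.0.113.9:40001
ESTAB     0      0      10.0.0.5:22         203.0.113.20:50210
SYN-RECV  0      0      10.0.0.5:443        198.51.100.7:51234
SYN-RECV  0      0      10.0.0.5:443        198.51.100.8:51235
SYN-RECV  0      0      10.0.0.5:443        198.51.100.9:51236
SYN-RECV  0      0      10.0.0.5:443        198.51.100.10:51237
SYN-RECV  0      0      10.0.0.5:443        198.51.100.11:51238
SYN-RECV  0      0      10.0.0.5:443        198.51.100.12:51239
"""


def parse_ss(text):
    """Return (state, local_port, peer_ip) for each connection row."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_port = local.rsplit(":", 1)[1]    # also handles IPv6 "[::]:443"
        peer_ip = peer.rsplit(":", 1)[0]
        rows.append((state, local_port, peer_ip))
    return rows


def half_open_by_port(rows):
    """Count half-open (SYN-RECV) and established sockets per local port."""
    per_port = {}
    for state, port, peer_ip in rows:
        entry = per_port.setdefault(port, {"syn_recv": 0, "estab": 0, "peers": set()})
        if state == "SYN-RECV":
            entry["syn_recv"] += 1
            entry["peers"].add(peer_ip)
        elif state == "ESTAB":
            entry["estab"] += 1
    return per_port


def suspicious_ports(per_port, min_half_open=5, min_ratio=0.5):
    """Flag ports where half-open sockets dominate the table.

    Returns (port, half_open_count, half_open_ratio, distinct_peers). Many
    distinct peers together with a high ratio is the usual spoofed-flood
    shape: per-source rate limiting will not help there, because every SYN
    arrives from a different forged address.
    """
    flagged = []
    for port, entry in per_port.items():
        total = entry["syn_recv"] + entry["estab"]
        if total == 0:
            continue
        ratio = entry["syn_recv"] / total
        if entry["syn_recv"] >= min_half_open and ratio >= min_ratio:
            flagged.append((port, entry["syn_recv"], round(ratio, 2), len(entry["peers"])))
    return sorted(flagged)


if __name__ == "__main__":
    report = half_open_by_port(parse_ss(SS_SNAPSHOT))
    for port, half_open, ratio, peers in suspicious_ports(report):
        print(f"port {port}: {half_open} half-open ({ratio:.0%}), {peers} distinct peers")
```

On a live host the same functions can be fed the output of `ss -tan` directly; the useful signal is the aggregate count and ratio per listening port, since a spoofed flood defeats any per-source view.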
Public-facing websites are more vulnerable to SYN attacks
Because SYN packets are part of a valid TCP handshake, any organization with a public-facing website is vulnerable to a SYN flood attack. Since the attack takes the server out of service for some time, so that legitimate users are denied service, it can result in a damaged reputation, lost sales, and loss of business continuity. Attackers can also use SYN flood attacks as a smokescreen for other types of attacks, including ransomware attacks, to steal data or plant malware on the user's device.
SYN flood attacks come in various flavors
SYN flood attacks can be launched from a malicious client using a spoofed IP address to mask its identity and evade detection and mitigation, not to mention potential prosecution.
They can also be launched from botnets, and in that case the attackers do not have to spoof IP addresses, because the botnet is already a hijacked network of machines.
SYN flood DDoS attacks can be mitigated in various ways
Micro blocks: The administrator can allocate a micro-record of as few as 16 bytes in server memory for each SYN request instead of a complete connection object.
Increasing the backlog queue: The server sends its SYN-ACK response with a sequence number carrying unique identifying information. Memory for the connection is allocated only after the server verifies the ACK.
Intrusion Detection System (IDS): An IDS or firewall is installed to detect and block the malicious traffic of a SYN flood attack.
SYN cookies: With this DDoS protection technique, each connection request is given a unique identifier, which allows illegitimate requests to be blocked.
RST cookies: The server intentionally sends an invalid SYN-ACK, which should cause the client to reply with an RST packet, telling the server that something is wrong. If that RST is received, the client is considered legitimate, and its subsequent connection requests are accepted.
Rate limiting: With this DDoS protection technique, the number of SYN requests that can be sent to a server at any one time is limited, saving it from being overwhelmed.
Stack tweaking: Server administrators can tune the TCP stack to reduce the effect of SYN attacks and so provide DDoS protection.
Recycling the oldest half-open connections: When the backlog of connection requests is full, the oldest half-open TCP connections are recycled. This DDoS protection method works as long as legitimate connections can be established faster than the hostile client can open new malicious half-open connections.
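The trade-offs between these options are easiest to see in a small model. The Python below is an added example, not code from the article, from Akamai or from any real TCP stack: it models a listen backlog under a flood of spoofed SYNs that are never acknowledged and compares three responses, dropping new SYNs when the backlog is full, recycling the oldest half-open entry, and SYN cookies. The backlog size, the event order and the cookie construction (an HMAC over client address, port and a coarse time slot) are simplified assumptions chosen to make the behaviour visible.

```python
"""Model of a TCP listen backlog under a SYN flood, with three of the
responses listed above (drop, recycle the oldest half-open entry, SYN
cookies). Added example, not code from the article or any kernel: the
backlog size, the event order and the cookie construction are simplified
assumptions chosen to make the behaviour visible.
"""
import hashlib
import hmac
import secrets
from collections import OrderedDict

COOKIE_SECRET = b"constructed-demo-secret"  # assumption: a per-host secret


def syn_cookie(client_ip, client_port, time_slot):
    """Derive the SYN-ACK sequence number from the connection identity and a
    coarse time slot, so the server keeps no state for the half-open
    connection. Real SYN cookies also encode the client's MSS; omitted here."""
    msg = f"{client_ip}:{client_port}:{time_slot}".encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class Listener:
    def __init__(self, backlog, mode="drop"):
        self.backlog = backlog
        self.mode = mode                     # "drop", "recycle" or "cookies"
        self.half_open = OrderedDict()       # (ip, port) -> server ISN, oldest first
        self.established = set()
        self.dropped = 0

    def on_syn(self, client_ip, client_port, time_slot):
        """Handle a SYN; return the server ISN sent in the SYN-ACK, or None if dropped."""
        key = (client_ip, client_port)
        if self.mode == "cookies":
            return syn_cookie(client_ip, client_port, time_slot)   # no table entry
        if len(self.half_open) >= self.backlog:
            if self.mode == "recycle":
                self.half_open.popitem(last=False)   # evict the oldest half-open entry
            else:
                self.dropped += 1
                return None                          # backlog full: SYN is dropped
        isn = secrets.randbits(32)
        self.half_open[key] = isn
        return isn

    def on_ack(self, client_ip, client_port, ack_number, time_slot):
        """Handle the final ACK; return True if the connection is established."""
        key = (client_ip, client_port)
        if self.mode == "cookies":
            # Recompute the cookie for the current and previous slot (the
            # ACK may arrive just after a slot boundary) and compare.
            for slot in (time_slot, time_slot - 1):
                if ack_number - 1 == syn_cookie(client_ip, client_port, slot):
                    self.established.add(key)
                    return True
            return False
        isn = self.half_open.pop(key, None)
        if isn is not None and ack_number == isn + 1:
            self.established.add(key)
            return True
        return False                                 # entry evicted, dropped or bad ACK


def run_scenario(mode, backlog=8, flood=50, flood_between=0):
    """Flood the listener with spoofed SYNs that are never acknowledged, then
    let one legitimate client attempt a full handshake. flood_between is the
    number of spoofed SYNs that arrive between the legitimate SYN and its ACK."""
    srv = Listener(backlog, mode)
    slot = 1000
    for i in range(flood):
        srv.on_syn(f"198.51.100.{i % 250}", 40000 + i, slot)   # constructed spoofed sources
    isn = srv.on_syn("203.0.113.9", 51000, slot)                # legitimate client
    ok = False
    if isn is not None:
        for i in range(flood_between):
            srv.on_syn(f"192.0.2.{i % 250}", 45000 + i, slot)
        ok = srv.on_ack("203.0.113.9", 51000, isn + 1, slot)
    return {"established": ok, "half_open": len(srv.half_open), "dropped": srv.dropped}


if __name__ == "__main__":
    print("drop:               ", run_scenario("drop"))
    print("recycle:            ", run_scenario("recycle"))
    print("recycle, fast flood:", run_scenario("recycle", flood_between=8))
    print("cookies:            ", run_scenario("cookies", flood=1000, flood_between=1000))
```

With plain dropping, the legitimate SYN is refused as soon as the backlog is full. Recycling the oldest entry lets the legitimate client in, but only if its ACK arrives before eight more spoofed SYNs push its entry out, which is exactly the condition the last item above states. SYN cookies keep the half-open table empty, so the flood size no longer matters for this resource; the cost is the per-SYN cookie computation and the loss of any TCP options the cookie does not encode.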
Why should you have DDoS prevention against SYN attacks?
DDoS prevention against SYN flood attacks is important because these attacks can cause significant damage to the network and systems. Besides crippling the servers and networks, SYN flood attacks can also result in data losses and other damages.
Providing DDoS protection against SYN attacks, deflecting botnets and other exploits requires a solid enterprise cybersecurity plan, and employees must be trained on it. If that proves too much to handle in-house, you can outsource DDoS protection to a professional company that provides DDoS protection solutions. Such a company will be able to recognize that a SYN flood attack may be under way and take defensive measures to protect your server's connection table while still allowing legitimate connections into the protected network.
Three purpose-built DDoS protections
Akamai offers three purpose-built DDoS protection solutions, namely App & API Protector, Edge DNS, and Prolexic, for holistic cloud-delivered DDoS defenses. Depending on the use case, application requirements, and desired time-to-mitigate service level agreement (SLA), an appropriate DDoS protection can be chosen for the highest quality DDoS mitigation to keep web and internet-facing assets available and protected. Prolexic provides cloud-delivered mitigation across all ports and protocols to stop DDoS attacks before they become business-impacting events. With 20 global high-capacity scrubbing centers, Prolexic can stop attacks closer to the source to maximize performance for users and maintain resiliency through cloud distribution. Mitigation controls dynamically scale capacity to stop attacks across IPv4 and IPv6 traffic flows. Compute resources can be dynamically allocated to whatever mitigation controls need to be scaled up.
Akamai powers and protects life online. With the most distributed compute platform — cloud to edge — customers can build modern apps while keeping experiences closer to users and threats farther away.