Reputation: 31
This may be a trivial question. This is regarding SYN cookies. Why are only half-open connections considered a DoS attack? It may be possible that a client completes the handshake (SYN, SYN-ACK, ACK) and never replies after that. That will also take system resources.
So if a client is flooding with the (SYN, SYN-ACK, ACK) sequence, why is that not considered a DoS attack?
Upvotes: 3
Views: 581
Reputation: 40
Yes, Sockstress is an old attack, from 2008, that completes TCP handshakes and then lowers the Window size to zero (or some other small value), tying up connections at layer 4, somewhat similar to the SlowLoris layer 7 attack. Click Here to learn more about Sockstress
Upvotes: 0
Reputation: 1046
In a SYN flood the client does not have to track state or complete connections. The client produces a number of SYN packets with spoofed IPs, which can be done very fast. The server (when not using SYN cookies) consumes resources waiting for each connection attempt to time out or complete. As a result, this is a very effective DoS, with leverage of resources consumed by the (DoS-ing) client vs. the attacked server in the range of 1:10000.
If the client completes each connection, then the leverage disappears - the server does not have to wait any more and the client has to start tracking state. Thus we have 1:1 instead of 1:10000. There is a secondary issue here - buffers for half-open connections are (or were when this attack was first invented) small compared to established connections and are (were) exhausted more easily.
SYN cookies allow the server to forget about the connection immediately after replying to the SYN packet, until it receives an ACK with the correct sequence number. Here again the resource use becomes 1:1.
Upvotes: 1
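As an added illustration of the stateless check described in the answer above (this is example code, not from any answer or from a real TCP stack): a simplified SYN-cookie encoder and validator modelled on the classic scheme, where the server's ISN packs a time counter, an MSS index and a keyed hash, so the final ACK can be verified without any per-connection state. The secret key, MSS table, addresses and counter values are constructed for the example.

```python
import hmac
import hashlib

# Constructed server secret; a real stack would keep this private and rotate it.
SECRET = b"example-secret-key-for-syn-cookies"

# MSS values the cookie can encode in 3 bits (constructed table, similar in spirit to Linux's).
MSS_TABLE = [536, 1300, 1440, 1460]


def _hash24(saddr, daddr, sport, dport, count):
    """Keyed hash over the 4-tuple and the time counter, truncated to 24 bits."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, count):
    """Return the server ISN to place in the SYN-ACK; nothing is stored for this connection."""
    # Largest table entry not exceeding the MSS the client offered (default 0 if none fits).
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    t = count & 0x1F                      # 5-bit time counter (e.g. minutes mod 32)
    data = (t << 27) | (mss_idx << 24) | _hash24(saddr, daddr, sport, dport, t)
    # Offset by the client's ISN so the cookie is bound to this peer's sequence number.
    return (client_isn + data) & 0xFFFFFFFF


def check_syn_cookie(saddr, daddr, sport, dport, client_isn, ack, now_count, max_age=3):
    """Validate the ACK of the third handshake step. Return negotiated MSS, or None if invalid."""
    cookie = (ack - 1 - client_isn) & 0xFFFFFFFF   # the ACK acknowledges server ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    age = (now_count - t) & 0x1F
    if age > max_age:                                # stale cookie: window has passed
        return None
    if mss_idx >= len(MSS_TABLE):                    # index outside the encodable table
        return None
    if mac != _hash24(saddr, daddr, sport, dport, t):  # wrong peer, port or guessed value
        return None
    return MSS_TABLE[mss_idx]                        # connection can now be created


if __name__ == "__main__":
    isn = make_syn_cookie("10.0.0.5", "10.0.0.1", 40000, 80, 1000, 1460, count=7)
    print("server ISN:", hex(isn))
    print("ACK accepted, MSS =", check_syn_cookie("10.0.0.5", "10.0.0.1", 40000, 80, 1000, isn + 1, 8))
```

Because only the hash is checked, a SYN that is never followed by a matching ACK costs the server nothing beyond the SYN-ACK it sent, which is the 1:1 resource ratio the answer describes.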
Reputation: 46633
A SYN flood attack, which is what you are describing, is a specific form of Denial of Service attack. A DoS can take many forms, often unrelated to SYN requests.
The reason that a SYN flood attack is effective is that you can forge the client IP address. This allows a very large number of SYN requests from the same client, but since the SYN-ACK will never be received, there is no way of sending the ACK, and the server is left waiting for the response, hence using up available connections on the server. A client sending SYN and ACK will not be using up the available connections. A large number of useless (SYN, SYN-ACK, ACK) sequences would still be a DoS attack, just not such an effective one.
Upvotes: 3