iPolicy Networks Security Advisory
 
SYN Flood attacks
Severity: High
Type: Host Scan DoS
Operating System Affected: Windows (any), Linux (any)
Application Affected: Windows (any) TCP/IP stack, Linux (any) TCP/IP stack

 
Synopsis

SYN flooding and IP spoofing are classical attacks which can cause denial of service on the host system and its subnetwork.

A host is said to be under SYN flood attack when the attacker tries to create a huge number of connections, leaving many ports in the SYN_RECEIVED state of the TCP state diagram on the victim machine until the backlog queue overflows. After receiving the initial SYN flags, the victim machine puts the half-open connections into the backlog queue and sends out SYN_ACK responses. If the victim machine does not receive ACK responses, it retransmits the SYN_ACK packets within the time-out period. The victim machine tracks all pending connections in a finite-size data structure in its system memory, and that data structure can overflow as well.

SYN flooding/IP spoofing can be accomplished with readily available network tools. A system under attack may crash or suffer from resource exhaustion.

iPolicy Networks Response

iPolicy Networks has IDS/IPS signatures, both generalized and specific to many malicious ports/patterns, for such attacks, belonging to the categories HOST SCAN, NETWORK SCAN, FLOOD and Traffic Anomaly. A few of these are listed below:

  • SYN_SCAN - Detects any scan attempt made across the network or against a specific host.
  • Syn_Network_Scan - Detects any scan attempt made across the network.
  • Syn_HOST_Scan - Detects any scan attempt made against a host.
  • SYN_network_scan_on_port_25 - Detects network scan attempt on port 25.
  • SYN_scan_attack_on_tcpport_135 - Detects SYN flood attempt across a specific host on tcp port 135.
  • SYN_scan_attack_on_tcpport_139 - Detects SYN flood attempt across a specific host on tcp port 139.
  • SYN_scan_attack_on_tcpport_445 - Detects SYN flood attempt across a specific host on tcp port 445.
Recommended Actions

IDS/IPS Action: Please refer to the associated help file for each signature in order to set an IPS action.

Threat Analysis

While SYN scans may not be completely prevented, one can always reduce the impact of SYN flooding attacks by using the iPolicy Networks IPS detection mechanism and by hardening the host's TCP/IP stack.

WINDOWS OS:

The most important parameter in Windows 2000 and Windows 2003 is "SynAttackProtect". Add this DWORD parameter under the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

When a SYN attack is detected, this parameter changes the behavior of the TCP/IP stack. The recommended value for this DWORD parameter is 2, which additionally delays the indication of a connection to the Windows socket until the three-way handshake is completed.

If "SynAttackProtect" is set to 1, the number of retransmissions is reduced and the creation of a route cache entry is delayed until a connection is made.

Enabling these parameters does not change the stack's behavior until a SYN flood occurs, and even when the protection starts to operate, legitimate connections can still be handled.

The operating system also protects against the SYN attack whenever the "TcpMaxHalfOpen", "TcpMaxHalfOpenRetried" and "TcpMaxPortsExhausted" parameter values are exceeded.

These parameters need to be added under the same key:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpen
"TcpMaxHalfOpen" specifies the maximum number of connections in the SYN_RECEIVED state that can be handled before SYN protection starts working.
Recommended values:
  Windows 2000: 100
  Windows 2000 Advanced Server: 500
  Windows 2003: 200

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxHalfOpenRetried
"TcpMaxHalfOpenRetried" specifies the maximum number of half-open connections for which the OS has sent at least one retransmission.
Recommended values:
  Windows 2000: 80
  Windows 2000 Advanced Server: 400

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpMaxPortsExhausted
"TcpMaxPortsExhausted" specifies the number of dropped SYN requests after which the protection against the SYN attack starts.
Recommended value: 5
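As an added example (not part of the iPolicy advisory), the following PowerShell script audits the four Tcpip registry values above against the advisory's recommended values for a chosen Windows version and, with the hypothetical -Apply switch, creates or corrects them. It assumes an elevated PowerShell session on a Windows 2000/2003 host, the versions these parameters apply to.

```powershell
# Added example, not from the advisory: audit/apply the SYN-protection values.
param(
    [ValidateSet('Win2000', 'Win2000AdvServer', 'Win2003')]
    [string]$Profile = 'Win2003',
    [switch]$Apply   # hypothetical switch; off by default, so the script only reports
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Recommended values exactly as listed in the advisory. It gives no
# TcpMaxHalfOpenRetried value for Windows 2003, so that profile leaves it out.
$profiles = @{
    Win2000          = @{ SynAttackProtect = 2; TcpMaxHalfOpen = 100; TcpMaxHalfOpenRetried = 80;  TcpMaxPortsExhausted = 5 }
    Win2000AdvServer = @{ SynAttackProtect = 2; TcpMaxHalfOpen = 500; TcpMaxHalfOpenRetried = 400; TcpMaxPortsExhausted = 5 }
    Win2003          = @{ SynAttackProtect = 2; TcpMaxHalfOpen = 200; TcpMaxPortsExhausted = 5 }
}
$wanted = $profiles[$Profile]

# Read every value under the key once; a value that was never added is $null.
$current = Get-ItemProperty -Path $key

foreach ($name in ($wanted.Keys | Sort-Object)) {
    $want = $wanted[$name]
    $have = $current.$name
    if ($null -eq $have) {
        $state = 'MISSING'
    } elseif ([int]$have -ne $want) {
        $state = 'MISMATCH'
    } else {
        $state = 'OK'
    }
    $shown = if ($null -eq $have) { '-' } else { $have }
    '{0,-24} current={1,-6} recommended={2,-5} {3}' -f $name, $shown, $want, $state

    if ($Apply -and $state -ne 'OK') {
        # DWORD value; -Force creates it if missing or overwrites a wrong value.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $want -Force | Out-Null
        "  -> set $name to $want (reboot for the TCP/IP stack to pick it up)"
    }
}
```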
Write-up by: Samrat Saha
 
Copyright ©2009 iPolicy Networks - Security Products Division of Tech Mahindra Limited