What is an advantage of using IP spoofing along with the TCP SYN flood attack

With cybercriminals taking advantage of the increased use of the internet, there has been a steep increase in the potency of DDoS (Distributed Denial of Service) attacks. In a DDoS attack, the attackers bring down the victim’s service or website by flooding it with malicious traffic. In large part, the rise in DDoS volume has to do with the increased adoption of one attack method: the SYN (synchronization packet) flood.

For example, Kaspersky’s DDoS statistics for 2019 and 2020 show that SYN flooding already held a significant share of attacks in Q1 2019. Although the mix of DDoS attack types changed noticeably in 2020, SYN flooding was the only type that kept its position on the list, and its share continued to grow to a record 92.6%.

It has been shown that more than 80% of DDoS attacks use the SYN flooding method, which can inflict all the damage associated with DDoS attacks: loss of customer trust, loss of revenue, theft of financial data, IP, or customer information, and damage to software and hardware.

Let us explore what a SYN (synchronize) flood attack is and how to prevent it.

What is a SYN Attack?

A SYN flood attack, also known as a half-open attack, is a protocol attack that exploits weaknesses in TCP connection handling to make the victim’s server unavailable to legitimate requests. By consuming all of the server’s connection resources, this type of attack can bring down even high-capacity components capable of handling millions of connections.

How Does the SYN Flood Attack Work?

Because SYN flood DDoS attacks exploit the TCP three-way handshake and its limited capacity for half-open connections, let’s begin with how the normal TCP handshake works and then see how a SYN flood disrupts it.

  • When a client system wants to start a TCP connection, it sends a SYN (synchronize) message to the server as a connection request.
  • The server responds to this request by sending a SYN-ACK to the client.
  • The client then answers the SYN-ACK with an ACK to the server. Once this exchange completes, the TCP connection is open for communication.

In a SYN flood attack, the attacker, posing as a client, sends TCP SYN connection requests faster than the victim machine can process them. It is a resource-exhaustion DoS attack. Attackers can carry out a SYN flood in three different ways:

1.     Direct SYN Flood Attack

In this method, the attacker launches the attack from his own IP address, sending multiple SYN requests to the server. When the server responds with a SYN-ACK, he does not answer with an ACK but keeps sending new SYN requests to the victim server.

While the server waits for the ACK, each arriving SYN ties up server resources in a half-open connection for a certain time, which eventually leaves the server unable to operate normally and causes it to deny requests from legitimate clients.

In this direct method, to make sure the SYN-ACK packets are ignored, the attacker configures his firewall accordingly or restricts his traffic to outgoing SYN requests. Because the attackers use their own IP addresses, they are easier to detect, so this attack is rarely used.

2.     SYN Spoofed Attack

To avoid detection, the attacker instead sends the SYN packets from spoofed (forged) source IP addresses. On receiving each SYN, the server sends its SYN-ACK to the forged address and waits for a response. Since the spoofed source never sent the SYN, it does not respond.

For this kind of SYN flood, the attackers choose source IP addresses that are not in use, which ensures that no host ever responds to the SYN-ACK.

3.     DDoS (Distributed Denial of Service) SYN attack

In this variant of the SYN flood attack, the victim server receives SYN packets simultaneously from many infected computers under the attacker’s control. This collection of hijacked machines is called a botnet.

How to Protect Against SYN Flood Attacks?

The SYN flood weakness has been well known for a long time, so several SYN flood mitigations have been developed. A few of them are as follows:

1.     Increase Backlog Queue

Each OS allocates a certain amount of memory to hold half-open connections, known as the SYN backlog. When the limit is reached, new connections are dropped. Increasing the backlog limit helps prevent legitimate connections from being refused during a SYN attack.

2.     Recycling the oldest half-open connection

Another approach to SYN attack protection is to reuse the SYN backlog memory by deleting the oldest half-open connection once the backlog is full. This makes room for new connections and keeps the system reachable during a flood, up to a point. This mitigation is ineffective against high-volume SYN flood DDoS attacks.
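To make the backlog mechanics concrete, here is an added example (not code from the original article or from Indusface): a small Python model of a listen backlog that covers the half-open exhaustion described in the SYN flood section above as well as mitigations 1 and 2. The backlog size, flood rate, 5-second half-open timer and 100 ms tick are made-up parameters chosen to show the behaviour; real kernels use different values.

```python
"""Toy model of a TCP listen backlog under a SYN flood (constructed example).

A SYN that the server answers with a SYN-ACK holds a half-open slot until the
client's ACK arrives or a timer expires. The model compares a fixed-size
backlog that drops new SYNs when full ("drop") with the "recycle the oldest
half-open connection" policy. All numbers are illustrative, not measurements.
"""
from collections import OrderedDict

HALF_OPEN_TIMEOUT_MS = 5_000   # how long an unanswered SYN-ACK keeps its slot (assumed)
STEP_MS = 100                  # simulation tick; also the modelled client RTT (assumed)


class Backlog:
    def __init__(self, capacity, policy="drop"):
        self.capacity = capacity
        self.policy = policy            # "drop" new SYNs when full, or "recycle" the oldest
        self.entries = OrderedDict()    # src -> creation time, oldest first
        self.dropped = self.recycled = self.completed = 0

    def expire(self, now_ms):
        # release half-open entries whose timer has run out
        for key, created in list(self.entries.items()):
            if now_ms - created >= HALF_OPEN_TIMEOUT_MS:
                del self.entries[key]

    def on_syn(self, src, now_ms):
        """Return True if a SYN-ACK was sent, i.e. the SYN got a half-open slot."""
        self.expire(now_ms)
        if len(self.entries) >= self.capacity:
            if self.policy == "recycle":
                self.entries.popitem(last=False)   # evict the oldest half-open entry
                self.recycled += 1
            else:
                self.dropped += 1
                return False
        self.entries[src] = now_ms
        return True

    def on_ack(self, src, now_ms):
        """Third handshake step: True if the matching half-open entry still exists."""
        self.expire(now_ms)
        if src in self.entries:
            del self.entries[src]
            self.completed += 1
            return True
        return False


def simulate(capacity, policy, flood_per_second, seconds=10):
    """One legitimate client per second (its ACK arrives one RTT later) against a
    flood of `flood_per_second` SYNs whose spoofed sources never ACK."""
    backlog = Backlog(capacity, policy)
    pending_ack = None
    legit_ok = legit_refused = spoofed = 0
    for tick in range(seconds * 1000 // STEP_MS):
        now = tick * STEP_MS
        for _ in range(flood_per_second * STEP_MS // 1000):
            spoofed += 1
            backlog.on_syn(("spoofed", spoofed), now)      # never followed by an ACK
        if pending_ack is not None:                        # the legit client's ACK arrives
            if backlog.on_ack(pending_ack, now):
                legit_ok += 1
            else:
                legit_refused += 1                         # its entry was dropped or recycled
            pending_ack = None
        if now % 1000 == 0:                                # a new legitimate client
            client = ("legit", now)
            if backlog.on_syn(client, now):
                pending_ack = client
            else:
                legit_refused += 1                         # SYN dropped, no SYN-ACK sent
    return {"legit_ok": legit_ok, "legit_refused": legit_refused,
            "dropped": backlog.dropped, "recycled": backlog.recycled}
```

In this model simulate(100, "drop", 1000) refuses every legitimate client once the backlog fills; simulate(2000, "drop", 300) shows a larger backlog absorbing a moderate flood because entries expire faster than they accumulate; simulate(100, "recycle", 500) shows recycling keeping service up, while simulate(100, "recycle", 1000) shows it failing as soon as the flood turns over the whole backlog within one client round trip, which is the high-volume case the text calls ineffective.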

3.     SYN Cookies

The next SYN flood mitigation strategy uses the concept of cookies. To avoid refusing connections, the server responds to each SYN with a SYN-ACK that carries the cookie and then drops the SYN entry from the backlog. By removing the entry, the server keeps the port open for new connections.

If the request came from a legitimate client, the server gets the ACK back from the client machine and then reconstructs the SYN backlog entry. This approach loses some details about the connection, but that is better than falling victim to a DDoS attack.

4.     Firewall Filtering

Enable the firewall to detect and filter SYN packets. A firewall can be configured to prevent or limit the impact of all kinds of DDoS attacks, including packet sweeps, flooding, and unauthorized port scans.
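As an added example of the detection side of firewall filtering (this is not the article’s or Indusface’s code), the Python below parses tcpdump-style text lines, buckets SYNs to the protected port into one-second windows and flags a window in which many SYNs arrive but few of their sources ever return the handshake’s final ACK. The trace it analyses is constructed inline, using RFC 5737 documentation addresses, and the thresholds are illustrative.

```python
"""Detection heuristic for SYN floods over tcpdump-style text lines (constructed
example). Packets to the protected port are bucketed into one-second windows; a
window is flagged when many SYNs arrive but few of their sources complete the
handshake (the client's bare ACK, shown by tcpdump as flag "."). The trace is
constructed, not captured; addresses are RFC 5737 documentation ranges."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]")

SERVER = "192.0.2.10"   # protected host (constructed)
PORT = 443


def parse(line):
    """Return (seconds, src, dst, dport, flags) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    return int(h) * 3600 + int(mi) * 60 + float(s), m["src"], m["dst"], int(m["dport"]), m["flags"]


def syn_flood_windows(lines, syn_threshold=50, completion_floor=0.5):
    """Per one-second window: SYN count, distinct SYN sources, completed
    handshakes and whether the window looks like a SYN flood."""
    syn_sources = defaultdict(set)      # window -> sources that sent a SYN
    ack_sources = defaultdict(set)      # window -> sources that later sent a bare ACK
    syn_count = defaultdict(int)
    for line in lines:
        pkt = parse(line)
        if pkt is None:
            continue
        ts, src, dst, dport, flags = pkt
        if dst != SERVER or dport != PORT:
            continue
        window = int(ts)
        if flags == "S":
            syn_count[window] += 1
            syn_sources[window].add(src)
        elif flags == "." and src in syn_sources[window]:
            ack_sources[window].add(src)     # this source finished its handshake
    report = []
    for window in sorted(syn_count):
        syns, completed = syn_count[window], len(ack_sources[window])
        report.append({"window": window, "syns": syns,
                       "distinct_sources": len(syn_sources[window]),
                       "completed": completed,
                       "flagged": syns >= syn_threshold and completed / syns < completion_floor})
    return report


def constructed_trace():
    """Two seconds of traffic: three legitimate clients each second, plus 60 SYNs
    from distinct spoofed sources in the second one that never ACK."""
    def pkt(sec, us, src, sport, flags):
        return f"12:00:{sec:02d}.{us:06d} IP {src}.{sport} > {SERVER}.{PORT}: Flags [{flags}], length 0"
    lines = []
    for sec in (0, 1):
        for i, client in enumerate(("198.51.100.7", "198.51.100.8", "198.51.100.9")):
            lines.append(pkt(sec, 1000 * i, client, 40000 + i, "S"))
            lines.append(pkt(sec, 1000 * i + 500, client, 40000 + i, "."))
        if sec == 1:
            for i in range(60):
                lines.append(pkt(sec, 10000 + 100 * i, f"203.0.113.{i + 1}", 50000 + i, "S"))
    return lines


if __name__ == "__main__":
    for row in syn_flood_windows(constructed_trace()):
        print(row)
```

The completion ratio is the useful signal: a burst of SYNs from many distinct sources that never send the final ACK is the signature of a spoofed flood, whereas a legitimate traffic spike completes most of its handshakes. A real deployment would feed this from a packet capture or firewall log and tune the thresholds to the service’s normal SYN rate.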

Go beyond IPS devices and traditional firewalls to mitigate SYN flood DDoS attacks!

While network-based firewalls and IPS devices are critical for network security, they are not adequate to ensure complete DDoS protection against complex attacks. Today’s more sophisticated attacks demand a multi-faceted approach. Some of the capabilities to expect from the best DDoS protection and faster SYN flood attack mitigation include:

  • Support for both inline and out-of-band traffic visibility to analyze traffic from various parts of the network
  • Different sources of threat intelligence, including customizable threshold alerts, statistical anomaly detection, and a database of known as well as emerging threats to assure accurate detection
  • Scalability to both low-end and high-end attacks

How to Stop SYN Attacks?

Protection against network-level DDoS attacks such as these should be part of your hosting provider’s plan, and most public cloud providers include it in their offerings. As a business owner, you should be more concerned with the shared responsibility model and with protecting against the risks specific to the payload and applications hosted on the provider’s compute instances.

How Does Indusface Help Against DDoS Attacks?

The Indusface DDoS protection solution is a SaaS offering hosted in the public cloud that automatically provides DDoS protection for your application instances.

It provides comprehensive DDoS mitigation without shutdowns, downtime, added latency, or other business disruption. Our AppTrana WAF, a fully managed web application firewall, also provides fully managed application-level DDoS and bot mitigation and defense against other attacks that exploit application vulnerabilities.

The Closure

All types of cyber attacks are painful, and SYN attacks are no exception. You should put effective mitigation capabilities in place for attacks of this kind and make sure your efforts to fight the attack don’t result in self-imposed downtime!

What is an advantage of using IP spoofing?

IP address spoofing is used for two reasons in DDoS attacks: to mask botnet device locations and to stage a reflected assault. A botnet is a cluster of malware-infected devices remotely controlled by perpetrators without the knowledge of their owners.

What are the three methods for protecting against SYN flood attacks?

How to protect against SYN flood attacks:
  • Increase the backlog queue: each OS allocates a certain amount of memory to hold half-open connections as the SYN backlog.
  • Recycle the oldest half-open connection.
  • SYN cookies.
  • Firewall filtering.

What occurs during a TCP SYN flooding attack?

A TCP SYN flood DDoS attack occurs when the attacker floods the system with SYN requests in order to overwhelm the target and leave it unable to respond to new, genuine connection requests. It drives all of the target server’s communication ports into a half-open state.

What defenses are possible against TCP SYN spoofing attacks?

It is possible to defend specifically against the SYN spoofing attack by using a modified version of the TCP connection-handling code which, instead of saving the connection details on the server, encodes the critical information in a “cookie” sent as the server’s initial sequence number.
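The SYN cookie mechanism described under mitigation 3 and in the answer above, as an added Python example (not the article’s, Indusface’s or any kernel’s code): the server’s initial sequence number carries a 5-bit time counter, a 3-bit MSS index and a 24-bit HMAC over the connection 4-tuple and the client’s ISN, and the server stores nothing until the client’s ACK returns a cookie that validates. The bit layout, the counter period, the MSS table and the SynCookieServer class are this example’s own choices, and the traffic in demo() is constructed.

```python
"""Stateless SYN-cookie handling for the half-open stage of the handshake
(constructed example, not a real TCP stack). The ISN in the SYN-ACK is the
cookie: a short time counter, an MSS index and a keyed hash over the 4-tuple
and the client's ISN. Nothing is stored until the client's ACK returns a cookie
that validates, so spoofed SYNs cost the server no backlog state."""
import hashlib
import hmac
import os
import time

MSS_TABLE = (536, 1220, 1460)   # MSS values the 3-bit field can encode (this example's choice)
COUNTER_PERIOD_S = 64           # the 5-bit counter advances once per period (assumed)
MASK32 = 0xFFFFFFFF


def current_counter():
    return int(time.time()) // COUNTER_PERIOD_S


def _keyed_hash(secret, src, sport, dst, dport, counter, client_isn):
    msg = f"{src}:{sport}>{dst}:{dport}|{counter & 0x1F}|{client_isn}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]   # 24 bits of the MAC


def make_cookie(secret, src, sport, dst, dport, client_isn, mss_index, counter):
    """ISN = 5-bit counter | 3-bit MSS index | 24-bit keyed hash."""
    h = int.from_bytes(_keyed_hash(secret, src, sport, dst, dport, counter, client_isn), "big")
    return ((counter & 0x1F) << 27) | ((mss_index & 0x7) << 24) | h


class SynCookieServer:
    def __init__(self, secret, addr, port):
        self.secret, self.addr, self.port = secret, addr, port
        self.established = {}   # (src, sport) -> params; the only per-connection state kept

    def on_syn(self, src, sport, client_isn, client_mss, counter):
        """Answer a SYN with a SYN-ACK whose seq is the cookie; store nothing."""
        mss_index = 0
        for i, mss in enumerate(MSS_TABLE):
            if mss <= client_mss:
                mss_index = i                    # largest table value the client allows
        isn = make_cookie(self.secret, src, sport, self.addr, self.port, client_isn, mss_index, counter)
        return {"seq": isn, "ack": (client_isn + 1) & MASK32}

    def on_ack(self, src, sport, seq, ack, counter):
        """Third handshake packet: validate the returned cookie, then rebuild the entry."""
        cookie = (ack - 1) & MASK32              # the client acknowledges our ISN + 1
        client_isn = (seq - 1) & MASK32          # its own seq is its ISN + 1
        cookie_counter = cookie >> 27
        if (counter - cookie_counter) & 0x1F > 1:    # accept only the current or previous period
            return False
        expected = _keyed_hash(self.secret, src, sport, self.addr, self.port, cookie_counter, client_isn)
        if not hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected):
            return False
        mss = MSS_TABLE[min((cookie >> 24) & 0x7, len(MSS_TABLE) - 1)]
        self.established[(src, sport)] = {"client_isn": client_isn, "server_isn": cookie, "mss": mss}
        return True


def demo(secret=None, counter=1000):
    """Spoofed SYNs leave no state; a real client completes; forged or stale ACKs fail."""
    server = SynCookieServer(secret or os.urandom(16), "192.0.2.10", 443)
    for i in range(10_000):     # constructed spoofed SYNs whose sources never ACK
        server.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, (i * 7919) & MASK32, 1460, counter)
    state_after_flood = len(server.established)
    synack = server.on_syn("198.51.100.7", 40000, 123456, 1400, counter)
    legit = server.on_ack("198.51.100.7", 40000, 123456 + 1, synack["seq"] + 1, counter)
    # a guessed ACK number with plausible counter bits but no valid MAC
    forged = server.on_ack("198.51.100.8", 40001, 1, ((counter & 0x1F) << 27) + 1, counter)
    synack2 = server.on_syn("198.51.100.9", 40002, 555, 1460, counter)
    stale = server.on_ack("198.51.100.9", 40002, 556, synack2["seq"] + 1, counter + 3)
    return {"state_after_flood": state_after_flood, "legit": legit, "forged": forged,
            "stale": stale, "mss": server.established[("198.51.100.7", 40000)]["mss"]}


if __name__ == "__main__":
    print(demo())
```

The loss of detail the text mentions is visible in the layout: only an approximate MSS survives the round trip, because everything about the connection has to fit in 32 bits of sequence number. The counter check bounds how long a cookie stays valid, and the keyed hash is what stops a spoofer from minting acceptable ACKs without having seen the SYN-ACK.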