Synchronize Packet Flood
A cracker can send many connection requests at a rapid pace and then not respond to the reply. This activity leaves the first packet in the buffer so that other legitimate connection requests cannot be completed. Although the packet in the buffer is dropped after a given period without a reply (that is, the timeout period), the result of multitudes of these fake connection requests is to make it very hard for legitimate connection requests to get started. Generally, this problem depends on the operating system's ability to provide the correct settings or to allow the network administrator to tune the buffer size and the timeout period.
In September 2000, to counter SYN Flood, a TCP intercept was released in IOS Version 11.3. This feature, available on all Cisco Systems, Inc. routers, was designed to stop known SYN attacks against internal hosts.
To help readers better understand what a SYN attack is, first we describe the details of a SYN Flood, then we describe how the TCP intercept feature works. In the TCP three-way handshake, the initial packet has the SYN bit set. A host that gets this packet, asking for a particular service to be provided, responds with a packet that has the SYN and ACK bits set. It then waits for an ACK from the starter of the request. If the starter of the request never sends back this final acknowledgement (the third part of the handshake), the host times out the connection (a process that can take multiple seconds or even some minutes). During this waiting period, the half-open connection uses resources, which is the point of the attack.
Thousands of these initiating SYN packets are sent to a host, and not only is the source IP address in these packets fake, but the source address of the fake packet is also an unreachable address. That is, most times the source address is either unregistered or is the address of a host that does not really exist. The attacker does not want to complete the handshake; therefore, the system under attack will not receive the final ACK packet completing the three-way handshake. Rather, it waits for the timeout on thousands of connections to occur. Eventually, the host's resources are depleted. Because additional connections for legitimate requests cannot be set up, the host becomes unusable.
The TCP intercept feature fulfills its function by intercepting and validating TCP connection requests. This feature can work in two modes: the watch-only mode and the intercept mode. In the intercept mode, the router intercepts TCP requests directed to it and creates a connection to the client on behalf of the server, as well as to the server on the client's behalf. If both connections succeed, the router merges the two. The router has aggressive timeouts to stop its own resources from being consumed by a SYN attack.
When in watch mode, the router watches half-open connections in a passive manner and actively closes connections on the server after a configured length of time. Also, access lists are defined to detail which source and destination packets are subject to TCP intercept.
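The following Python simulation is an added example, not part of this dictionary entry and not Cisco's implementation. It models the three situations the entry describes: an unprotected listener whose bounded half-open queue fills with unanswered SYNs from unreachable source addresses and stays full until its long timeout expires, a router in watch mode that forwards packets but resets the server's half-open connections after a shorter timer, and a router in intercept mode that completes the handshake with the client itself and only opens the server side once the final ACK has arrived. The queue size, timer values, addresses and packet format are constructed assumptions chosen to make the effect visible; access-list filtering of which flows are intercepted is not modeled.

```python
from dataclasses import dataclass, field

SYN = frozenset({"SYN"})
ACK = frozenset({"ACK"})


@dataclass
class Packet:
    src: str         # source address as seen on the wire (may be spoofed)
    dst: str
    flags: frozenset
    time: float      # simulated arrival time in seconds


@dataclass
class Server:
    """A listener with a bounded half-open queue and a long SYN timeout:
    the unprotected host the entry describes."""
    backlog: int
    timeout: float
    half_open: dict = field(default_factory=dict)   # src -> arrival time of its SYN
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def expire(self, now):
        for src, t0 in list(self.half_open.items()):
            if now - t0 >= self.timeout:
                del self.half_open[src]

    def reset(self, src):
        """Tear down one half-open connection (a RST sent by the router)."""
        self.half_open.pop(src, None)

    def receive(self, pkt):
        self.expire(pkt.time)
        if pkt.flags == SYN:
            if pkt.src in self.half_open:         # retransmitted SYN, already queued
                return
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1            # queue full: this is where legitimate SYNs are lost
                return
            self.half_open[pkt.src] = pkt.time    # SYN-ACK sent; now waiting for the final ACK
        elif pkt.flags == ACK and pkt.src in self.half_open:
            del self.half_open[pkt.src]
            self.established.add(pkt.src)


class InterceptRouter:
    """Model of the two TCP-intercept modes. The timeout is an assumption,
    not Cisco's default value."""

    def __init__(self, server, mode, timeout):
        assert mode in ("intercept", "watch")
        self.server, self.mode, self.timeout = server, mode, timeout
        self.pending = {}   # src -> time of the SYN the router is tracking

    def _expire(self, now):
        for src, t0 in list(self.pending.items()):
            if now - t0 >= self.timeout:
                del self.pending[src]
                if self.mode == "watch":
                    self.server.reset(src)    # actively close the server-side half-open

    def receive(self, pkt):
        self._expire(pkt.time)
        if self.mode == "watch":
            # Passive: forward everything, keep only a timer per half-open connection.
            self.server.receive(pkt)
            if pkt.flags == SYN:
                self.pending.setdefault(pkt.src, pkt.time)
            elif pkt.flags == ACK:
                self.pending.pop(pkt.src, None)
            return
        # Intercept mode: the router answers the client's SYN itself; the server
        # hears nothing until the client proves reachable by sending the final ACK.
        if pkt.flags == SYN:
            self.pending.setdefault(pkt.src, pkt.time)
        elif pkt.flags == ACK and pkt.src in self.pending:
            del self.pending[pkt.src]
            # Open the server side on the client's behalf, then merge the two halves.
            self.server.receive(Packet(pkt.src, pkt.dst, SYN, pkt.time))
            self.server.receive(Packet(pkt.src, pkt.dst, ACK, pkt.time))


def run_scenario(mode=None):
    """Constructed traffic: 20 SYNs from unreachable addresses that never ACK,
    then one legitimate client ten seconds later. Returns (legitimate client
    connected?, half-open entries left on the server, SYNs the server dropped)."""
    server = Server(backlog=8, timeout=60.0)
    front = server if mode is None else InterceptRouter(server, mode, timeout=5.0)
    for i in range(20):
        front.receive(Packet(f"198.51.100.{i + 1}", "10.0.0.5", SYN, i * 0.1))
    front.receive(Packet("192.0.2.7", "10.0.0.5", SYN, 10.0))
    front.receive(Packet("192.0.2.7", "10.0.0.5", ACK, 10.01))
    return ("192.0.2.7" in server.established, len(server.half_open), server.dropped_syns)


if __name__ == "__main__":
    for m in (None, "watch", "intercept"):
        print(f"{m or 'unprotected':>12}: {run_scenario(m)}")
```

With no router the legitimate client is refused because the eight queue slots are still held by flood entries that will not time out for a minute. In watch mode the flood still reaches the server and fills the queue, but the router's five-second timer has reset every stale entry before the legitimate SYN arrives, so it succeeds. In intercept mode the server never sees the flood at all, which is why that mode is the stronger protection and also why the router needs its own aggressive timers.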
See Also: Cisco Systems, Inc.; Denial of Service (DoS); Internet Operating System (IOS); Routers; TCP/IP or Transmission Control Protocol/Internet Protocol.