0

I've read online that SYN flooding is when "the attacker sends repeated SYN packets to every port on the targeted server." However, HTTPS only runs on port 443. Therefore, why is it productive for an attacker to target "every port" if only port 443 is responsible for web traffic? Why does a web server care what happens on ports <443 and >443?

As a related question, to mitigate SYN flood attacks, why doesn't the server just stop listening at every port except 443? That way, the server can continue on with its business and not have to deal with incoming SYN packets at other ports?

Guy4444
    The "to every port" part is just an error in that description of a SYN flood; a SYN flood can be targeted entirely at a single port. – Gordon Davisson Mar 09 '21 at 21:57

2 Answers

1

Sending to every port is overkill; to quote the same article,

[The server] responds to each attempt with a SYN-ACK packet from each open port.

So it is only open ports that matter, because if they receive a SYN they will wait for an ACK response to their SYN-ACK. It is the resources consumed by such a "half-open" connection which get exhausted. And in fact, with enough SYN packets, it is possible to SYN flood a server even if the only open port is the web port. So limiting traffic to that one port is not enough protection if the attacker can pump enough SYN packets in.

gowenfawr
  • I would suggest edits to clarify that: 1) Only SYN packets to open ports matter (but even a barely intelligent attacker will only send to open ports), and 2) It is the rate of SYN packets that matters, regardless of the port, as the limited server resources being consumed are at the OS level (open connections), but it is trivial to generate problematic rates for undefended systems. – Slartibartfast Mar 10 '21 at 01:33
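
An added example (not part of the answer above or of the quoted article): on a Linux server, the half-open state the answer describes shows up as `SYN_RECV` rows in `/proc/net/tcp`, so counting them per local port shows where the pressure sits. The sample table, its addresses and the threshold are constructed assumptions.

```python
from collections import Counter

SYN_RECV, LISTEN = "03", "0A"  # TCP state codes as printed by Linux in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not from a real host): listeners on
# 443 (0x01BB) and 22 (0x0016), five half-open entries and one established on 443.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0A0200C0:01BB 016433C6:C350 03 00000000:00000000 01:00000064 00000001     0        0 0
   3: 0A0200C0:01BB 026433C6:C351 03 00000000:00000000 01:00000064 00000001     0        0 0
   4: 0A0200C0:01BB 036433C6:C352 03 00000000:00000000 01:00000064 00000002     0        0 0
   5: 0A0200C0:01BB 046433C6:C353 03 00000000:00000000 01:00000064 00000002     0        0 0
   6: 0A0200C0:01BB 056433C6:C354 03 00000000:00000000 01:00000064 00000003     0        0 0
   7: 0A0200C0:01BB 0A7100CB:D431 01 00000000:00000000 00:00000000 00000000    33        0 1003
"""

def _rows(table):
    """Yield (local_port, state) for each socket row, skipping the header."""
    for line in table.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].endswith(":"):
            # local_address is HEXIP:HEXPORT; only the port is needed here
            yield int(f[1].rsplit(":", 1)[1], 16), f[3]

def listening_ports(table):
    """Ports with a listening socket, i.e. the only ports that can hold half-open state."""
    return {port for port, st in _rows(table) if st == LISTEN}

def half_open_by_port(table):
    """Count SYN_RECV entries (SYN-ACK sent, final ACK not yet seen) per local port."""
    return Counter(port for port, st in _rows(table) if st == SYN_RECV)

def flag_ports(table, threshold):
    """Ports whose half-open count reaches `threshold` (an assumed tuning value)."""
    return sorted(p for p, n in half_open_by_port(table).items() if n >= threshold)

if __name__ == "__main__":
    # On a live Linux host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    print("listening:", sorted(listening_ports(SAMPLE)))
    print("half-open:", dict(half_open_by_port(SAMPLE)))
    print("flagged at threshold 5:", flag_ports(SAMPLE, 5))
```

Closed ports never appear in this count because a SYN to a closed port is answered with an RST and no connection state is kept.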
0

The replies that come back for each port will generate traffic unless the packet is just dropped. The ACK or RST packet will come back down the pipe, hence generating more traffic. The attacker in this case does not care if a service is available on that port, just if it will generate traffic. The more traffic the better. Research a smurf attack.

e-Euler