7

I was curious how a DoS attack would affect a home router. In particular, I'm interested in how a SYN flood would affect a home router.

The reason I'm interested is due to a Cisco document I read. Within the document, it said SYN flood attacks can affect home routers. To me this seems odd because SYN floods must specify the TCP port to attack.

To illustrate a basic SYN flood against a router, I quickly threw together the following image:

[image: diagram of a SYN flood against a home router]

Notes about the image: In the image, the attacker is represented by the red A. The attacker is sending SYN messages to the router. The SYN packets have forged IP addresses to mask their origin. The question marks simply denote the random IP addresses which the attacker has set as the fake origin IP addresses. The green lines reflect the router sending SYN-ACK packets to those random IP addresses.

When executing a SYN flood attack, one specifies the port which they will be attacking as well. As far as I know, a router constantly has different ports open which allows it to be asynchronous. So, how would an attacker know which ports to attack? Wouldn't the attacker need to know which ports are open and when?

The only way I can see a SYN flood working against a router would be if the router had a public port constantly open and the SYN flood forced the router to use up all of its RAM.

Can anybody supply some clarification on this matter?

Spencer D
    None of the home routers that I've ever owned even accepts packets from the "internet side" unless you have explicitly configured port forwarding (like, to your VPN server) or unless you have established an outgoing connection etc. So the worst thing a SYN flood could do is physically saturate the cable. But of course your mileage may vary. – Damon Nov 15 '14 at 13:56

3 Answers

12

There are three main ways a SYN flood can work against a home router:

  1. If the router is performing NAT and has a port forwarded to a server, a SYN flood can fill up the router's NAT table, causing it to drop connections.

  2. The SYN flood can act as a simple bandwidth-starvation attack. A typical home router is on an asymmetric connection with limited upstream bandwidth, so a SYN flood targeting a closed port can clog the upstream connection with RST packets sent by the router.

  3. Home router firmware is often rather fragile. Simply throwing SYN packets at it too fast can cause a crash, taking down the connection.

Mark
1

Routers usually have a lightweight web server running that provides access to the configuration web interface. In most cases, it runs on port 80, 8080 or another common one (if it isn't changed by the user).

The attacker (standing in the local subnet, if something like "Remote administration" is not enabled on the router and the WAN port has a public IP address) can use a port scanner to perform a scan, and then send SYN packets with forged IPs to that port. Then, if the router's TCP/IP stack does not implement SYN cookies, the result will be a SYN queue filled to its limit, and establishment of new connections will be impossible due to the limited memory of embedded devices like SOHO routers.

programings
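The SYN-queue exhaustion this answer describes, and the SYN-cookie defence it mentions, as a small model added here (it is not code from any of the answers). The `Listener` class, the HMAC-based cookie and the 203.0.113.x / 192.0.2.x addresses are simplified and constructed for illustration; a real stack also folds a timestamp and MSS into the cookie and rotates the secret.

```python
import hashlib
import hmac

COOKIE_SECRET = b"constructed-demo-secret"  # a real stack rotates this


def syn_cookie(src_ip, src_port, dst_port):
    """Stateless ISN: MAC over the connection tuple, truncated to 32 bits
    (simplified: real SYN cookies also encode a timestamp and MSS)."""
    msg = f"{src_ip}:{src_port}->{dst_port}".encode()
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:4], "big")


class Listener:
    """Model of a router's listening socket with a bounded half-open queue."""

    def __init__(self, dst_port, backlog, syn_cookies):
        self.dst_port, self.backlog, self.syn_cookies = dst_port, backlog, syn_cookies
        self.half_open = {}  # (src_ip, src_port) -> ISN sent in our SYN-ACK
        self.dropped = 0     # SYNs refused because the queue was full

    def on_syn(self, src_ip, src_port):
        """Return the ISN placed in our SYN-ACK, or None if the SYN was dropped."""
        isn = syn_cookie(src_ip, src_port, self.dst_port)
        if self.syn_cookies:
            return isn  # keep no state until the final ACK proves the source is real
        if len(self.half_open) >= self.backlog:
            self.dropped += 1  # forged SYNs now crowd out legitimate clients
            return None
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack):
        """Third handshake step; ack is the ISN the client echoes back."""
        if self.syn_cookies:  # recompute instead of looking up stored state
            return ack == syn_cookie(src_ip, src_port, self.dst_port)
        return self.half_open.pop((src_ip, src_port), None) == ack


def simulate(spoofed_syns, backlog, syn_cookies):
    """Feed SYNs from forged sources that never answer the SYN-ACK, then try one
    legitimate handshake; return whether the real client got through."""
    lst = Listener(dst_port=80, backlog=backlog, syn_cookies=syn_cookies)
    for i in range(spoofed_syns):  # constructed forged source addresses
        lst.on_syn(f"203.0.113.{i % 256}", 1024 + i)
    isn = lst.on_syn("192.0.2.10", 40000)  # real client
    return isn is not None and lst.on_ack("192.0.2.10", 40000, isn)
```

With a queue of 128 and a thousand unanswered SYNs, `simulate` refuses the real client without cookies and admits it with them; on Linux-based router firmware the corresponding setting is the `net.ipv4.tcp_syncookies` sysctl.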
0

I believe the key is what open ports are on the home router. If a person just has a router and no servers or DMZ behind that router, the router should just ignore and log the request. However, I can't really say what ports are open by default on anyone's router. You could do a port scan, but unless you have a really good router where you have 100% control of configuring it to what you want, I don't see any way of stopping these dang SYN flood attacks. No matter what, your network will get bogged down.

It would be nice if the ISP would filter that traffic for you... Meaning for home users, there should be no request from the ISP side to create or request a connection, that is unless you have some other services outside your home network that require the connection. In any case, if the ISP sees an international SYN request coming in, they should just configure their router to send it to the void, and not forward the request to home users.

schroeder
    This post went off-topic from OP. You're suggesting the ISP should manage your firewall. That's not their business model and shouldn't be as they should focus on availability and throughput. There are service companies that will manage your firewall. – phbits Mar 25 '20 at 18:45