5

Well, recently I've been reading about different Denial of Service methods. One method that kind of stuck out was SYN flooding. I'm a member of some not-so-nice forums, and someone was selling a Python script that would DoS a server using SYN packets with a spoofed IP address.

However, if you sent a SYN packet to a server, with a spoofed IP address, the target server would return the SYN/ACK packet to the host that was spoofed. In which case, wouldn't the spoofed host return an RST packet, thus negating the 75 second long-wait, and ultimately failing in its attempt to DoS the server?

EDIT: And what if I'm not using SYN cookies?

Rob
  • 2,303
  • 9
  • 31
  • 50

3 Answers

2

I believe recent OSes will support SYN cookies, which aid in preventing this sort of attack. You can enable it with /proc/sys/net/ipv4/tcp_syncookies in Linux.

Kyle Brandt
  • 82,107
  • 71
  • 302
  • 444
2

Thanks to SYN cookies, the threat of SYN flooding is kind of minimal these days. http://en.wikipedia.org/wiki/SYN_cookies

Basically, when a SYN packet is received, the server sends a cookie, and if the guest responds with the proper response, the connection is established.

SYN flooding used to cause issues, because the servers had to keep the connections open, waiting for the rest of the handshake.

cpbills
  • 2,692
  • 17
  • 12
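To make the two answers above concrete, here is an added example (not code from the original thread or from any kernel) that models the server side of the handshake in two ways: the classic stateful half-open table that the question's 75-second wait refers to, and a stateless SYN cookie in the style the answer describes (server encodes a keyed hash of the 4-tuple and a time counter into its initial sequence number, and the client's final ACK proves it received the SYN/ACK). The secret, the MSS table, the 64-second counter period and all addresses are constructed for the demo; nothing is sent on a socket.

```python
"""Toy model of a TCP server's handshake state: stateful backlog vs. SYN cookies."""
import hashlib
import hmac

# Constructed secret for the demo; a real kernel uses its own random per-boot secrets.
SERVER_SECRET = b"demo-only-secret"

# A cookie cannot carry TCP options, so the client's MSS is squeezed into a
# small index into a fixed table (constructed values for the demo).
MSS_TABLE = (536, 1220, 1440, 1460)

COOKIE_PERIOD = 64        # seconds per tick of the cookie time counter (constructed)
HALF_OPEN_TIMEOUT = 75    # seconds a half-open entry lingers, per the question


def _mac(counter, saddr, sport, daddr, dport):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time counter."""
    msg = f"{counter}|{saddr}:{sport}|{daddr}:{dport}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_mss, now):
    """Initial sequence number for the SYN/ACK; the server stores nothing."""
    t = int(now) // COOKIE_PERIOD
    # largest table entry not exceeding what the client offered; fall back to smallest
    candidates = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_index = candidates[-1] if candidates else 0
    # layout: 5 bits of time counter | 3 bits MSS index | 24 bits MAC  (fits in 32 bits)
    return ((t % 32) << 27) | (mss_index << 24) | _mac(t, saddr, sport, daddr, dport)


def check_syn_cookie(ack_number, saddr, sport, daddr, dport, now, max_age=1):
    """Validate the client's final ACK. Returns the encoded MSS, or None if bad or stale."""
    isn = (ack_number - 1) & 0xFFFFFFFF            # the client acknowledges ISN + 1
    t_low, mss_index, mac = isn >> 27, (isn >> 24) & 0x7, isn & 0xFFFFFF
    t_now = int(now) // COOKIE_PERIOD
    for age in range(max_age + 1):                 # accept the current and recent counters
        t = t_now - age
        if t % 32 == t_low and _mac(t, saddr, sport, daddr, dport) == mac:
            return MSS_TABLE[mss_index]
    return None


class HalfOpenTable:
    """Classic stateful backlog: every SYN reserves a slot until ACK, RST or timeout."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = {}                          # (saddr, sport) -> time SYN arrived

    def expire(self, now):
        self.entries = {k: t for k, t in self.entries.items()
                        if now - t < HALF_OPEN_TIMEOUT}

    def on_syn(self, saddr, sport, now):
        """True if a slot was reserved, False if the backlog is full (SYN dropped)."""
        self.expire(now)
        if len(self.entries) >= self.capacity:
            return False
        self.entries[(saddr, sport)] = now
        return True

    def on_ack(self, saddr, sport):
        """Handshake completed: the slot is released."""
        return self.entries.pop((saddr, sport), None) is not None

    def on_rst(self, saddr, sport):
        """An RST from the spoofed host, if one ever arrives, frees the slot early."""
        return self.entries.pop((saddr, sport), None) is not None


def backlog_after_unanswered_syns(capacity, n_syns):
    """Fill the table with SYNs that never get an ACK or RST, then see whether a
    new SYN (constructed addresses) is accepted at t=10 and again at t=80."""
    table = HalfOpenTable(capacity)
    for i in range(n_syns):
        table.on_syn(f"198.51.100.{i}", 40000 + i, now=0)
    accepted_early = table.on_syn("192.0.2.10", 5555, now=10)
    accepted_after_timeout = table.on_syn("192.0.2.10", 5556, now=80)
    return accepted_early, accepted_after_timeout
```

The contrast is the point of cpbills's answer: with the table, a full backlog of unanswered SYNs blocks new connections until the 75-second timer runs out, and whether the spoofed host sends an RST is exactly what decides if the slot frees early; with cookies, the server keeps no entry at all and only spends a hash on the SYN/ACK and again on the final ACK. On Linux the check from Kyle Brandt's answer is simply whether /proc/sys/net/ipv4/tcp_syncookies reads 1.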
1

In my understanding, the spoofed IP address in that scenario is usually the server under attack... An attacker will use multiple senders sending out the same spoofed IP SYN packets to multiple recipients, all of which will respond to the same IP with SYN/ACK and poof... DDoS.

As to your title, I don't know if it's still a viable attack though.

Steven Evers
  • 653
  • 5
  • 9
  • 23
  • No, the spoofed IP is not the target. How it works is, you send the SYN packets from a multitude of spoofed IP addresses. The target server then sends SYN/ACK packets to those spoofed IP addresses. The servers being spoofed wouldn't be expecting any SYN/ACK packets, so they wouldn't respond with an ACK packet. In turn this would cause the target server to send another SYN/ACK. And another, and another, and another, and another, and another, and another, so forth and so on for 75 seconds until it times out, thus using one of its valuable half-open-connection slots. – Rob May 16 '10 at 00:09