
Well recently I've been reading about different Denial of Service methods. One method that kind of stuck out was SYN flooding. I'm a member of some not-so-nice forums, and someone was selling a python script that would DoS a server using SYN packets with a spoofed IP address.

However, if you sent a SYN packet to a server, with a spoofed IP address, the target server would return the SYN/ACK packet to the host that was spoofed. In which case, wouldn't the spoofed host return an RST packet, thus negating the 75 second long-wait, and ultimately failing in its attempt to DoS the server?

Rob
  • possible duplicate of [Is SYN flooding still a threat?](http://serverfault.com/questions/142280/is-syn-flooding-still-a-threat) – pQd May 16 '10 at 09:53

1 Answer

There are several cases in which this might not happen.

  • The spoofed host might not exist.
  • It might exist, but be configured to silently drop a SYN/ACK that does not match a SYN packet that the host sent out.
  • It might exist and respond, but not have enough bandwidth to handle all incoming SYN/ACKs from the host under attack.

SYN cookies can be used as a defense against SYN floods, by removing all server-side state during the handshake. (Check out how they work if you don't know, it's quite a brilliant hack that does not break the TCP spec.) SYN cookies are enabled on my Ubuntu Lucid system by default, so I'd expect that most servers use them nowadays.

Thomas
  • I read somewhere last night that if the spoofed host doesn't exist, the target will receive an ICMP packet telling him so. – Rob May 14 '10 at 17:27
  • Not that I know of. Who would send that packet? – Thomas May 15 '10 at 09:12
  • "However, the target machine is likely to receive an ICMP host unreachable message if the attacker’s fake IP address does not belong to any particular host." http://cobweb.ecn.purdue.edu/~kak/compsec/NewLectures/Lecture16.pdf Page 65 – Rob May 15 '10 at 14:17
  • I think that enabling them when needed is better than enabling them by default. They might be spec compliant, but they also reduce the amount of the spec you can use... – Vinko Vrsalovic Jul 26 '11 at 09:54
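The stateless handshake Thomas refers to, as an added illustration that is not code from the original answer or from any real TCP stack: a simplified SYN cookie in the classic layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash of the connection 4-tuple), with no per-connection state kept between the SYN/ACK and the final ACK. The secret key, the MSS table and the addresses are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed example of a SYN cookie: the initial sequence number sent in the
# SYN/ACK encodes everything the server needs, so a spoofed or silent peer that
# never completes the handshake consumes no server state at all.
SECRET = b"constructed-secret-key"      # assumption: per-host secret, rotated rarely
MSS_TABLE = [536, 1300, 1440, 1460]     # MSS values encodable in 3 bits (index)


def _hash24(saddr, sport, daddr, dport, t):
    """Keyed 24-bit hash over the 4-tuple and the time counter."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_mss, now=None):
    """Build the ISN for the SYN/ACK. Nothing is stored for this connection."""
    t = int((now if now is not None else time.time()) // 64) & 0x1F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):   # largest table MSS the client allows
        if m <= client_mss:
            mss_idx = i
    return (t << 27) | (mss_idx << 24) | _hash24(saddr, sport, daddr, dport, t)


def check_cookie(saddr, sport, daddr, dport, ack, now=None):
    """Validate the final ACK of a handshake we kept no state for.

    Returns the negotiated MSS when the cookie is genuine and recent, else None.
    A forged ACK fails the keyed hash; a replayed one fails the time window.
    """
    cookie = (ack - 1) & 0xFFFFFFFF     # client ACKs ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    cur = int((now if now is not None else time.time()) // 64) & 0x1F
    if (cur - t) & 0x1F > 1:            # accept current and previous 64 s window
        return None
    if (cookie & 0xFFFFFF) != _hash24(saddr, sport, daddr, dport, t):
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]
```

The cost is the reduced negotiation Vinko mentions: only what fits in the cookie (here a 3-bit MSS index) survives the handshake, which is why stacks typically switch cookies on only once the SYN backlog fills.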