Last time, we introduced DDoS attacks, and highlighted the threat of TOS Floods. This time, we turn our attention to SYN Floods. What are the risks for service providers, and how can you stay ahead of the game to keep yourself and your customers safe?
Hackers Back in the Spotlight
Cybersecurity Ventures predicted that “global spending on cybersecurity products and services will exceed $1 trillion cumulatively over the next five years, from 2017-2021.” Unlike other sectors within technology that see this kind of increase as they improve productivity and stay ahead of the competition, the cybersecurity sector sees this growth due to cybercrime.
Just this month, the FBI issued an advisory to businesses regarding the notorious Lizard Squad, well known for their past attacks against Microsoft and Sony. While SYN Flooding has been publicly documented since 1996, many criminals now use a blended style of attack, combining more than one type of DDoS technique. With as many as 25 distinct types to choose from, a blended attack is far more difficult to stop in its tracks.
Exploiting the TCP Handshake
Understanding SYN Flooding means deciphering what’s known as the TCP three-way handshake.
A healthy TCP three-way handshake consists of the following steps:
- The client requests a connection by sending a synchronize message, known as SYN, to the server.
- The server then acknowledges the request by sending back a synchronize-acknowledge message, known as SYN-ACK, and records the connection as half open while it waits for the final step.
- The client responds one last time with its own acknowledgement, known as ACK, and the connection is established.
In a SYN Flood attack, malicious clients, usually machines in a botnet, abuse this procedure. Often using spoofed source IP addresses, they send SYN packets to the target (a server, or a stateful perimeter device such as a firewall), typically across every reachable port, and repeat the requests over and over. The target answers each SYN with a SYN-ACK and has to keep a half-open entry for every one of them, so its connection table quickly fills up, or floods.
The malicious client never replies with the final ACK; where the source address is spoofed, the SYN-ACK is delivered to some other host and the attacker never even sees it. While the target waits for an answer that will not come, each connection is neither fully open nor closed, giving these attacks the nickname of 'half-open attacks'.
What are the Risks?
Because the target receives SYN packets at such a high rate, its connection state table fills rapidly. Once it is full, new SYNs, including those from legitimate users, are dropped, existing sessions can be disconnected, and in the worst case the element reboots. The target does eventually time out and discard the half-open entries, but long before that happens the attacker has sent enough fresh SYNs to refill the table.
Because a SYN Flood can knock out perimeter defence elements such as firewalls, both the customers and the Communication Service Provider's (CSP's) own services are left unprotected and exposed for as long as the attack keeps those connections 'half open'.
Preparing for this kind of attack is a must, as cybercriminals often strike without warning, inflicting severe damage before CSPs can even work out what has happened. A DPI-based DDoS protection system provides two layers of defence:
- Traffic shaping proactively limits traffic to the capacity of the network elements, so that they cannot be overwhelmed by DDoS attacks, even massive ones.
- Dynamic anomaly detection with scalable mitigation can block attack traffic within seconds, maintaining a high quality of experience (QoE) for legitimate users.
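To make the half-open mechanism and the detection idea concrete, here is an added example (not code from the original post, and not the DPI vendor's own detection logic): a toy Python model of a listener with a bounded table of half-open connections, replayed against constructed traffic in which a botnet sends spoofed SYNs that are never followed by an ACK, plus a simple SYN-to-completed-handshake ratio check standing in for the 'dynamic anomaly detection' mentioned above. The backlog size, the timeout, the addresses (RFC 5737 documentation ranges) and the detection thresholds are all assumptions chosen for illustration.

```python
"""Toy model of a TCP listener's half-open connection table under a SYN flood, with a
simple SYN-completion-ratio detector. Constructed traffic only; this is not a TCP stack."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

LEGIT = "203.0.113.7:51234"   # the one legitimate client (RFC 5737 test address, assumed)


@dataclass(frozen=True)
class Packet:
    t: int       # arrival time in milliseconds
    src: str     # source "ip:port" as seen on the wire (trivially spoofable)
    flags: str   # "SYN" = connection request, "ACK" = final step of the handshake


class Listener:
    """Listening socket with a bounded table of half-open (SYN-received) connections."""

    def __init__(self, backlog: int = 8, syn_timeout_ms: int = 30_000):
        self.backlog = backlog                 # max simultaneous half-open entries (assumed)
        self.syn_timeout_ms = syn_timeout_ms   # how long an unanswered SYN-ACK is kept (assumed)
        self.half_open: dict[str, int] = {}    # src -> time its SYN was accepted
        self.established: list[str] = []
        self.dropped: list[str] = []           # SYNs refused because the table was full

    def _expire(self, now: int) -> None:
        for src, t0 in list(self.half_open.items()):
            if now - t0 >= self.syn_timeout_ms:
                del self.half_open[src]        # gave up waiting for this ACK

    def receive(self, pkt: Packet) -> str:
        self._expire(pkt.t)
        if pkt.flags == "SYN":
            if len(self.half_open) >= self.backlog:
                self.dropped.append(pkt.src)
                return "DROP"                  # table full: legitimate or not, the SYN is lost
            self.half_open[pkt.src] = pkt.t
            return "SYN-ACK"                   # for a spoofed SYN this goes to an innocent host
        if pkt.flags == "ACK":
            if pkt.src in self.half_open:
                del self.half_open[pkt.src]
                self.established.append(pkt.src)
                return "ESTABLISHED"
            return "RST"                       # no half-open entry to complete
        return "IGNORE"


def build_traffic(flood: bool, rate_per_s: int = 10, duration_ms: int = 60_000) -> list[Packet]:
    """Constructed sample: one legitimate handshake at t=10s, optionally flooded by spoofed
    SYNs that arrive `rate_per_s` times a second and are never followed by an ACK."""
    pkts = [Packet(10_050, LEGIT, "SYN"), Packet(10_150, LEGIT, "ACK")]
    if flood:
        step = 1000 // rate_per_s
        pkts += [Packet(i * step, f"198.51.100.{i % 254 + 1}:{40_000 + i}", "SYN")
                 for i in range(duration_ms // step)]
    return sorted(pkts, key=lambda p: p.t)


def run(flood: bool, backlog: int = 8, syn_timeout_ms: int = 30_000) -> dict:
    """Replay the traffic through a listener and report what the legitimate client saw."""
    lst = Listener(backlog, syn_timeout_ms)
    legit = []
    for p in build_traffic(flood):
        result = lst.receive(p)
        if p.src == LEGIT:
            legit.append(result)
    return {"legit": legit, "established": len(lst.established),
            "dropped": len(lst.dropped), "half_open_at_end": len(lst.half_open)}


def syn_flood_alerts(pkts: list[Packet], window_ms: int = 5_000,
                     min_syns: int = 20, min_completion: float = 0.5) -> list[tuple[int, int, int]]:
    """Per-window SYN count versus handshakes actually completed (an ACK from a source whose
    SYN was seen earlier). Many SYNs with few completions is the half-open signature of a
    flood. Returns (window_index, syns, completed) for each flagged window. Thresholds assumed."""
    syns, completed = defaultdict(int), defaultdict(int)
    pending: set[str] = set()
    for p in pkts:
        w = p.t // window_ms
        if p.flags == "SYN":
            syns[w] += 1
            pending.add(p.src)
        elif p.flags == "ACK" and p.src in pending:
            pending.discard(p.src)
            completed[w] += 1
    return [(w, syns[w], completed[w]) for w in sorted(syns)
            if syns[w] >= min_syns and completed[w] / syns[w] < min_completion]


if __name__ == "__main__":
    print("no flood :", run(flood=False))
    print("flood    :", run(flood=True))
    print("alerts   :", syn_flood_alerts(build_traffic(flood=True))[:3], "...")
```

With the flood running, the legitimate client's SYN is dropped and its ACK is answered with a reset, even though the attacker only needs ten spoofed SYNs per second to keep an 8-entry table full against a 30-second timeout. Real stacks have far larger backlogs and shorter retransmission schedules, but the arithmetic is the same: the table stays full for as long as SYNs arrive faster than entries expire. The ratio detector also shows a caveat worth remembering: it has to match ACKs to earlier SYNs from the same source, otherwise the ACKs of already-established sessions would mask the missing handshake completions.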
In the next instalment, we will be uncovering the threats behind PING Flood attacks.