North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Syn flooding attacks

  • From: Phil Howard
  • Date: Mon Oct 20 13:34:20 1997

Paulo Maffei wrote...

>     Hi, I had heard about a solution to Syn Floodind attack, but I'd
> like to be sure about it so I could keep researching about these
> solutions. I had heard that I could set up a filter in my router that
> would wait for the second ACK packet after the SYN request and SYN-ACK
> response before finish the whole connection with the server. Is it true?

The problem is the server getting the first SYN.  For the router to help
the server, the router would have to suspend the SYN.  But there will not
be a followup ACK from the client unless the router fabrications the SYNACK
to go back to the client.  But how will it know what sequence number the
server would use on its side?  In order to proceed with a valid connection
the router would have to be translating sequences for the remainder of the
connection life.  You might as well have a proxy server.  Either a stateful
connection router or a proxy server would then itself be susceptible to
the SYN attack.

There are ways to deal with this attack.

The router could discard the SYN, remembering it, and let pass the retry SYN
that usually occurs with valid connections and does not with invalid ones.
This memory of SYNs would have to be large enough to handle all peak traffic
over the time that SYN attempts would timeout and retry in clients.

The router could pass on the SYN, remembering it, and if it does not see the
SYNACK come through in some reasonable time, it can fabricate the RST and
clear the server.

I don't know of any routers that have these or other means of dealing with
the SYN attacks.

The server can enlarge its table of pending connections and shorten it's
timeout on them.  Currently I think this is on the order of 2 to 3 minutes
and I think I can live with shortening it to 20 seconds, if I could get in
the kernel to make that change (easy for Linux, FreeBSD, etc, but not for
most commercial systems like Solaris, NT, etc).

Phil Howard  +-------------------------------------------------------------+
KA9WGN       | House committee changes freedom bill to privacy invasion !! |
phil at      | more info:,4,14180,00.html | +-------------------------------------------------------------+