Tcp Syn Flood Attacks; The Jolt2 Attack; Distributed Dos Attacks - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05

The Traffic Shaping feature built into NetDefendOS also helps absorb some of the flood before it reaches protected servers.
6.6.8. TCP SYN Flood Attacks
The TCP SYN Flood attack works by sending large amounts of TCP SYN packets to a given port and then not responding to the SYN ACKs sent in response. This ties up local TCP stack resources on the victim machine until it is unable to respond to further SYN packets; it recovers only once the existing half-open connections have timed out.

NetDefendOS will protect against TCP SYN Flood attacks if SynRelay is enabled in the rule or service allowing the traffic. By default, this is the case for the http-in, https-in, smtp-in, and ssh-in services.

The "SynRelay" protection works by completing the 3-way handshake with the client before doing a second handshake of its own with the target service. Overload situations do not occur nearly as easily in NetDefendOS due to much better resource management and the lack of restrictions normally placed upon a full-blown operating system. While a normal operating system can exhibit problems with as few as 5 outstanding half-open connections, NetDefendOS can fill its entire state table (thousands or millions of connections, depending on your product model) before anything out of the ordinary happens. When the state table fills up, old outstanding SYN connections will be among the first to be dropped to make room for new connections.

TCP SYN Flood attacks will show up in NetDefendOS logs as excessive amounts of new connections (or drops, if the attack is targeted at a closed port). The sender IP address is almost invariably spoofed.
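The two properties the section describes (the server only sees a connection after the client's own handshake completes, and old half-open entries are the first to go when the state table is full) are easier to see in a small model. The following is an added illustration written for this page, not NetDefendOS code; the table size, the client addresses and the port numbers are constructed values.

```python
from collections import OrderedDict

class SynRelay:
    """Toy model of a SYN-relay front end (illustration, not NetDefendOS code).

    A client's SYN is answered by the relay itself; the half-open handshake
    occupies only the relay's state table.  The protected server is contacted
    only after the client's ACK completes the first handshake.  When the table
    is full, the oldest outstanding SYN entry is evicted to make room.
    """

    def __init__(self, max_states):
        self.max_states = max_states
        self.half_open = OrderedDict()   # (client_ip, client_port) -> True, oldest first
        self.established = set()
        self.server_handshakes = 0       # second handshakes the relay opened to the server
        self.evicted = 0                 # old half-open entries dropped to make room

    def on_syn(self, client_ip, client_port):
        key = (client_ip, client_port)
        if key in self.half_open or key in self.established:
            return "retransmit"          # duplicate SYN, no new state
        if len(self.half_open) + len(self.established) >= self.max_states:
            if not self.half_open:
                return "dropped"         # table full of live sessions: nothing to evict
            self.half_open.popitem(last=False)
            self.evicted += 1
        self.half_open[key] = True
        return "syn-ack"                 # relay answers on the server's behalf

    def on_ack(self, client_ip, client_port):
        key = (client_ip, client_port)
        if key not in self.half_open:
            return "dropped"             # ACK without matching half-open state
        del self.half_open[key]
        self.established.add(key)
        self.server_handshakes += 1      # only now does the relay handshake with the server
        return "established"


def run_flood(relay, spoofed_syns, legit_ip="203.0.113.10"):
    """Constructed scenario: a flood of spoofed SYNs, then one legitimate client."""
    for i in range(spoofed_syns):
        # Constructed spoofed sources; none of them ever sends the ACK.
        relay.on_syn("198.51.100.%d" % (i % 254 + 1), 1024 + i)
    relay.on_syn(legit_ip, 40000)
    result = relay.on_ack(legit_ip, 40000)
    return {"legit": result, "server_handshakes": relay.server_handshakes,
            "half_open": len(relay.half_open), "evicted": relay.evicted}
```

With a 100-entry table and 1000 spoofed SYNs, the server never receives a single handshake from the flood, and the legitimate client still gets through because the oldest half-open entries are evicted.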

6.6.9. The Jolt2 Attack

The Jolt2 attack works by sending a steady stream of identical fragments at the victim machine. A few hundred packets per second will freeze vulnerable machines completely until the stream is ended.

NetDefendOS will protect completely against this attack. The first fragment will be enqueued, waiting for earlier fragments to arrive so that they may be passed on in order, but this never happens, so not even the first fragment gets through. Subsequent fragments will be thrown away as they are identical to the first fragment.

If the attacker chooses a fragment offset higher than the limits imposed by Advanced Settings > LengthLim in NetDefendOS, the packets will not even get that far; they will be dropped immediately. Jolt2 attacks may or may not show up in NetDefendOS logs. If the attacker chooses a too-high fragment offset for the attack, they will show up as drops from the rule-set to "LogOversizedPackets". If the fragment offset is low enough, no logging will occur. The sender IP address may be spoofed.

6.6.10. Distributed DoS Attacks

A more sophisticated form of DoS is the Distributed Denial of Service (DDoS) attack. DDoS attacks involve breaking into hundreds or thousands of machines all over the Internet to install DDoS software on them, allowing the hacker to control all these compromised machines to launch coordinated attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims.

Although recent DDoS attacks have been launched from both private corporate and public institutional systems, hackers tend to favor university networks because of their open, distributed nature. Tools used to launch DDoS attacks include Trin00, TribeFlood Network (TFN), TFN2K and Stacheldraht.
158
Chapter 6. Security Mechanisms
