Overview of SYN cookies - Avaya G250 Administration


Overview of SYN cookies

The G250/G350 provides various TCP/IP services and is therefore exposed to a myriad of TCP/IP based DoS attacks.
DoS (Denial of Service) attacks refer to a wide range of malicious attacks that can cause a denial of one or more services provided by a targeted host. Specifically, a SYN attack is a well-known TCP/IP attack in which a malicious attacker targets a vulnerable device and effectively prevents it from establishing new TCP connections.
SYN cookies are a well-known method of protection against a SYN attack.
SYN attack (SYN flood attack)
The SYN (TCP connection request) attack is a common DoS attack characterized by the following pattern:
Using a spoofed IP address, an attacker sends multiple SYN packets to a listening TCP port on the target machine (the victim). For each SYN packet received, the target machine allocates resources and sends an acknowledgement (SYN-ACK) to the source IP address. At this point the TCP connection is called a "half-open" connection, since the initiating side has not yet sent back an acknowledgment (termed the 3rd ACK).
Because the target machine does not receive a response from the attacking machine, it attempts to resend the SYN-ACK, typically five times, at 3-, 6-, 12-, 24-, and 48-second intervals, before de-allocating the resources 96 seconds after attempting the last retry. Altogether, the target machine typically allocates resources for over three minutes to respond to a single SYN.
When an attacker uses this technique repeatedly, the target machine eventually runs out of memory resources because it holds numerous half-open connections. It is then unable to handle any more connections, thereby denying service to legitimate users.
Moreover, flooding the victim with TCP SYN packets at a high rate can cause the internal queues to fill up, which also causes a denial of service.
SYN cookies
SYN cookies protect against SYN attacks by employing the following strategies:
- Not maintaining any state at all for half-open inbound TCP sessions, thus preventing the SYN attack from depleting memory resources.
SYN cookies avoid keeping state for half-open connections by responding to SYN requests with a SYN-ACK that contains a specially crafted initial sequence number (ISN), called a cookie. The value of the cookie is not a pseudo-random number generated by the system but is instead the result of a hash function. The hash input is the source IP, source port, destination IP, destination port, and some secret values. The cookie is verified when a valid 3rd ACK that establishes the connection is received: because the ACK must acknowledge the cookie value, the verification ensures that the connection is legitimate and that the source IP address was not spoofed.
Special security features
Issue 1.1 June 2005
