There aren’t many things in this life that endure for more than 20 years, especially when it comes to computers. Hardware, software, services and even websites tend not to have a shelf life that extends into two decades. Yet website owners still find themselves staring down the barrel of a type of distributed denial of service attack that has been in use since 1996. It’s high time SYN floods stopped being effective, so here’s a rundown on what they are and what you can do to stop them.
Details on DDoS
Basically, DDoS attacks use a botnet – a network of internet-connected devices that have been hijacked for remote use – to overwhelm a targeted website or server with malicious traffic, leaving it too slow to be used or offline altogether. DDoS attacks are a major threat to websites, and that threat is only growing as DDoS for hire services gain popularity and botnets comprised of unsecured Internet of Things devices fire off attacks of previously unseen sizes.
There are three main categories of DDoS attacks: Application layer attacks that crash web servers with seemingly legitimate requests, volumetric attacks that saturate the bandwidth of the targeted site, and protocol attacks that exploit weaknesses in internet protocols to consume the resources of servers or communication equipment like firewalls or load balancers. The enduring SYN flood is a protocol attack.
Deadly SYNs
In the specific protocol, a SYN flood exploit is the TCP three-way handshake, a protocol that creates a connection between a user and a server. When working correctly, the TCP handshake works like this: The user’s browser sends a synchronize or SYN message to the server to request a connection, the server replies with a synchronize-acknowledge or SYN-ACK message, and then the user’s browser replies by sending an acknowledge or ACK message to the server. Voila, the connection is established.
This process can be exploited by an attacker sending repeated SYN requests to the target server. The server sends back the SYN-ACK messages as usual, but in a SYN flood attack, the attacker either doesn’t respond to these messages, or the SYN-ACK messages have nowhere to go because the initial requests came from a spoofed IP. Both scenarios leave the server waiting for responses that aren’t going to come, leaving a huge number of connections half-open and rendering the server unable to respond to requests from legitimate users.
The Years of the Flood
The first SYN flood on record came on Sept. 6, 1996, when the New York City-based internet service provider Panix saw its servers targeted with then-staggering 150 requests (also known as packets) per second, possibly as retaliation for installing a system that blocked spam emails for its users. The attack kept Panix crippled for four days.
Buoyed by this initial success, SYN floods have spent the last 20 years growing in popularity and size. In terms of popularity, 2014 saw SYN floods account for more than 50% of all DDoS attacks while they were involved in more than 75% of all DDoS attacks that involved more than one attack vector.
In terms of size, on Dec. 5, 2016, when the five largest financial organizations in Russia were hit by SYN floods, they were nailed with attacks that peaked at 3.2 million packets per second. Comparing the 1996 attack to the 2016 attack is kind of like comparing a basement flood to a tsunami.
The More Things Change
This first SYN flood caused plenty of hand-wringing among internet security experts, with famed computer science researcher Peter Neumann saying the only possible solutions were too draconian to actually be used, adding an attempt to filter attack traffic would be like attempting to saw off the top half of 1% of an iceberg. However, just like SYN floods’ popularity and size, the ability to handle these attacks has grown by leaps and bounds – so long as it’s left to the professionals.
What Neumann likely meant when he referred to draconian solutions is due to the fact that the internet relies on internet protocol to run smoothly, it isn’t a good idea to start messing with the TCP handshake protocol in order to protect against attack attempts. Instead, professional DDoS mitigation will include strategies such as SYN cookies, which force the user’s browser to respond to a SYN-ACK message with an ACK message that includes a specified sequence number, otherwise the server will not allocate any memory for the connection.
Other possible SYN flood protection strategies include allocating just small amounts of memory for SYN requests, reducing how long memory is allocated to potential connections, and replying to all first-ever SYN requests with a SYN-ACK message that is intentionally invalid.
Time to Evolve
There’s a reason SYN floods have a devastating sounding name, and it’s because these and all other DDoS attacks carry serious consequences. Most notably, the downtime caused by a successful attack not only frustrates users while it’s ongoing, but causes a lingering sense of mistrust that translates to a long-term loss of loyalty. While other DDoS consequences are stark – including hardware and software damage as well as potential intrusions – it can be this erosion of trust and loyalty that hurts the worst for many websites, especially when the attack type is one that’s been well-known for 20 years.
While being one of the oldest and better-known attack vectors, SYN floods still sees wide use today. Just recently Incapsula mitigated the largest DDoS attack in its history, and one of the largest even on record that peaked at a whopping 650 Gbps. Payloads used in this attack were abnormally large SYN network packets, introducing a modern twist on the tried-and-true age-old formula.
Igal Zeifman is director of marketing for Imperva Incapsula. He can be reached at igal.zeifman@imperva.com.
