CISSP® Official Study Guide, Eighth Edition
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

SYN Flood Attack
The SYN flood attack is a common DoS attack. It disrupts the standard three-way handshake used by Transmission Control Protocol (TCP) to initiate communication sessions. Normally, a client sends a SYN (synchronize) packet to a server, the server responds with a SYN/ACK (synchronize/acknowledge) packet to the client, and the client then responds with an ACK (acknowledge) packet back to the server. This three-way handshake establishes a communication session that the two systems use for data transfer until the session is terminated with FIN (finish) or RST (reset) packets.

However, in a SYN flood attack, the attackers send multiple SYN packets but never complete the connection with an ACK. This is similar to a jokester sticking his hand out to shake hands, but when the other person sticks his hand out in response, the jokester pulls his hand back, leaving the other person hanging.

Figure 17.2 shows an example. In this example, a single attacker has sent three SYN packets and the server has responded to each. For each of these requests, the server has reserved system resources to wait for the ACK. Servers often wait for the ACK for as long as three minutes before aborting the attempted session, though administrators can adjust this time.
Chapter 17: Preventing and Responding to Incidents (page 750)
Figure 17.2 SYN flood attack. The diagram shows the attacker sending three SYN packets to the victim; the victim answers each with a SYN/ACK and waits for ACKs that never arrive.
Three incomplete sessions won't cause a problem. However, an attacker will send hundreds or thousands of SYN packets to the victim. Each incomplete session consumes resources, and at some point, the victim becomes overwhelmed and is not able to respond to legitimate requests. The attack can consume available memory and processing power, resulting in the victim slowing to a crawl or actually crashing.

It's common for the attacker to spoof the source address, with each SYN packet having a different source address. This makes it difficult to block the attacker using the source Internet Protocol (IP) address. Attackers have also coordinated attacks, launching simultaneous attacks against a single victim as a DDoS attack. Limiting the number of allowable open sessions isn't effective as a defense because once the system reaches the limit it blocks session requests from legitimate users. Increasing the number of allowable sessions on a server results in the attack consuming more system resources, and a server has a finite amount of RAM and processing power.
Using SYN cookies is one method of blocking this attack. A SYN cookie is a small record that consumes very few system resources. When the system receives the ACK, it checks the SYN cookie and, if it is valid, establishes the session. Firewalls often include mechanisms to check for SYN attacks, as do intrusion detection and intrusion prevention systems.

Another method of blocking this attack is to reduce the amount of time a server will wait for an ACK. It is typically three minutes by default, but in normal operation it rarely takes a legitimate system three minutes to send the ACK packet. By reducing the time, half-open sessions are flushed from the system's memory more quickly.
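The following is an added example, not from the study guide, showing why SYN cookies defeat the resource exhaustion described above: the server encodes the connection into the initial sequence number it sends in the SYN/ACK and keeps no half-open entry, then recomputes that value when the final ACK arrives. The 5-bit time slot, 24-bit HMAC and 3-bit MSS layout, the secret, the MSS table and all addresses are constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed per-process secret; production stacks rotate theirs periodically.
SECRET = os.urandom(32)
# MSS values the cookie can preserve in its low 3 bits (constructed table).
MSS_TABLE = [536, 1300, 1440, 1460]
MAX_AGE_SLOTS = 1  # accept cookies minted in this or the previous 64-second slot

def _mac(src_ip, src_port, dst_ip, dst_port, count):
    """24-bit keyed hash binding the cookie to the 4-tuple and time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{count}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")

def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """ISN for the SYN/ACK: 5-bit slot | 24-bit MAC | 3-bit MSS index. No state kept."""
    count = (now >> 6) & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    mac = _mac(src_ip, src_port, dst_ip, dst_port, count)
    return (count << 27) | (mac << 3) | mss_idx

def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now):
    """Validate the final ACK; return the negotiated MSS, or None if forged or stale."""
    cookie = (ack_num - 1) & 0xFFFFFFFF  # the client acknowledges ISN + 1
    count, mac, mss_idx = cookie >> 27, (cookie >> 3) & 0xFFFFFF, cookie & 7
    if ((now >> 6) - count) & 0x1F > MAX_AGE_SLOTS:
        return None  # older than the accepted slots: treat as stale
    if mac != _mac(src_ip, src_port, dst_ip, dst_port, count):
        return None  # not minted by us for this 4-tuple and slot
    return MSS_TABLE[mss_idx]

def demo():
    """Constructed flood of spoofed SYNs, then one legitimate handshake."""
    now, srv = 1_700_000_000, ("203.0.113.10", 443)
    for i in range(10_000):  # each SYN/ACK is computed, nothing is queued
        make_syn_cookie(f"198.51.100.{i % 250}", 40_000 + i, *srv, 1460, now)
    isn = make_syn_cookie("192.0.2.5", 51_234, *srv, 1460, now)
    ok = check_syn_cookie("192.0.2.5", 51_234, *srv, isn + 1, now + 30)
    forged = check_syn_cookie("192.0.2.5", 51_234, *srv, isn + 999, now + 30)
    stale = check_syn_cookie("192.0.2.5", 51_234, *srv, isn + 1, now + 200)
    return ok, forged, stale
```

Calling `demo()` returns `(1460, None, None)`: the genuine ACK yields a session with the recorded MSS, while a guessed acknowledgment number and an ACK arriving 200 seconds later are both rejected without any per-SYN memory having been spent.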
TCP Reset Attack
Another type of attack that manipulates the TCP session is the TCP reset attack. Sessions are normally terminated with either the FIN (finish) or the RST (reset) packet. Attackers can spoof the source IP address in a RST packet and disconnect active sessions. The two systems then need to reestablish the session. This is primarily a threat for systems that need persistent sessions to maintain data with other systems. When the session is reestablished, they need to re-create the data, so it's much more than just sending three packets back and forth to establish the session.
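As an added example that is not part of the study guide, this compares how a receiving host decides whether to honor a RST whose source address is spoofed. The legacy rule accepts any RST whose sequence number falls in the receive window; the hardened rule from RFC 5961 resets only on an exact match and answers other in-window RSTs with a challenge ACK, which a genuine peer can satisfy but a blind spoofer cannot. The connection state, sequence numbers and window size are constructed.

```python
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

@dataclass
class Connection:
    """Receive-side state of one established TCP connection (constructed)."""
    rcv_nxt: int              # next sequence number expected from the peer
    rcv_wnd: int              # receive window currently advertised
    state: str = "ESTABLISHED"

def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), honoring 32-bit wrap."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd

def legacy_rst(conn, seq):
    """Pre-RFC 5961 behavior: any in-window RST tears the session down."""
    if conn.state == "ESTABLISHED" and in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        conn.state = "CLOSED"
        return "reset"
    return "dropped"

def hardened_rst(conn, seq):
    """RFC 5961 behavior: exact match resets; other in-window RSTs draw a
    challenge ACK that only the real peer can answer with the exact sequence."""
    if conn.state != "ESTABLISHED":
        return "dropped"
    if seq == conn.rcv_nxt:
        conn.state = "CLOSED"
        return "reset"
    if in_window(seq, conn.rcv_nxt, conn.rcv_wnd):
        return "challenge-ack"
    return "dropped"

def demo():
    """A spoofed RST carrying a guessed in-window sequence number, under both rules."""
    guessed = 1_000_000 + 20_000  # inside a 64 KiB window but not the exact value
    legacy = legacy_rst(Connection(1_000_000, 65_535), guessed)
    hardened = hardened_rst(Connection(1_000_000, 65_535), guessed)
    exact = hardened_rst(Connection(1_000_000, 65_535), 1_000_000)
    wrapped = hardened_rst(Connection(SEQ_MOD - 100, 65_535), 50)  # window spans wrap
    return legacy, hardened, exact, wrapped
```

`demo()` returns `('reset', 'challenge-ack', 'reset', 'challenge-ack')`: the same spoofed segment that disconnects a legacy stack only provokes a challenge ACK on a hardened one, so the session described above survives unless the peer itself confirms the reset.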


Implementing Detective and Preventive Measures 