How TCP sessions use a three-way handshake
Two systems normally start a TCP session by exchanging three packets in a handshake. For example, when a client establishes a session with a server, it takes the following steps:
1. The client sends a SYN (synchronize) packet to the server.
2. The server responds with a SYN/ACK (synchronize/acknowledge) packet and records the connection as half-open until the final packet arrives.
3. The client completes the handshake by sending an ACK (acknowledge) packet.
After establishing the session, the two systems exchange data.
In a SYN flood attack, however, the attacker never completes the handshake with the ACK packet. Instead, it sends a barrage of SYN packets, often from spoofed source addresses, leaving the server with many half-open connections.
In some cases these half-open connections consume the server's memory while it waits for the third packet, and the server can actually crash. More often, the server limits the number of half-open connections it will hold. Once that limit is reached, the server won't accept any new connections, which blocks legitimate users as well. For example, Linux systems support iptables rules that set a rate threshold for incoming SYN packets and drop any SYNs that exceed it. Although this prevents the SYN flood from crashing the system, it also denies service to legitimate clients whose SYNs arrive while the threshold is exceeded.
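To make the handshake and the backlog-exhaustion mechanism concrete, here is an added Python model (example code written for this page, not part of the original post and not the Linux kernel's or iptables' implementation). It tracks a server's half-open entries through steps 1 to 3, then shows a flood of never-acknowledged SYNs filling a small backlog, and finally puts a token-bucket limiter modelled on iptables `-m limit` in front of the listener. The backlog size of 4, the rate of 2 SYN/s with burst 3, the fixed initial sequence numbers and the addresses 10.0.0.x / 198.51.100.x are all assumptions constructed for the demo.

```python
"""Toy model of a TCP listener's handshake state and SYN backlog, with an
iptables-style SYN rate limiter in front of it.

Added example, not code from the original post. Packets are constructed
inline; backlog size, rate limit and addresses are assumptions for the demo.
"""
from dataclasses import dataclass, field


@dataclass
class Listener:
    """Server side of the handshake: tracks half-open and established peers."""
    max_half_open: int = 4                          # assumed backlog limit (Linux: net.ipv4.tcp_max_syn_backlog)
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> server ISN awaiting the ACK
    established: set = field(default_factory=set)
    dropped: list = field(default_factory=list)     # SYNs refused because the backlog was full
    next_isn: int = 1000                            # deterministic ISN for the demo; real stacks randomize

    def on_syn(self, src):
        """Step 1 arrives: queue a half-open entry and answer with SYN/ACK (step 2)."""
        if src in self.half_open or src in self.established:
            return "duplicate"
        if len(self.half_open) >= self.max_half_open:
            self.dropped.append(src)
            return "backlog_full"       # no SYN/ACK is sent; the client just times out
        self.half_open[src] = self.next_isn
        self.next_isn += 1
        return "syn_ack"

    def on_ack(self, src, ack_num):
        """Step 3 arrives: promote to established if it acknowledges our ISN + 1."""
        isn = self.half_open.get(src)
        if isn is None or ack_num != isn + 1:
            return "rejected"
        del self.half_open[src]
        self.established.add(src)
        return "established"


class SynRateLimiter:
    """Token bucket modelled on iptables '-m limit --limit N/s --limit-burst B'.

    Like '-m limit' it is global rather than per source, which is why it also
    bites legitimate clients once an attacker has drained the bucket.
    """
    def __init__(self, rate_per_s, burst):
        self.rate, self.burst = rate_per_s, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def complete_handshake(srv, src):
    """Legitimate client: send SYN, receive SYN/ACK, answer with the matching ACK."""
    if srv.on_syn(src) != "syn_ack":
        return "no_syn_ack"
    return srv.on_ack(src, srv.half_open[src] + 1)


def flood_without_limit():
    """Attacker fills the backlog with never-ACKed SYNs; the next client is refused."""
    srv = Listener(max_half_open=4)
    complete_handshake(srv, ("10.0.0.5", 40001))         # one legitimate session first
    for i in range(6):                                   # constructed spoofed sources, no ACK ever follows
        srv.on_syn((f"198.51.100.{i}", 1000 + i))
    verdict = complete_handshake(srv, ("10.0.0.6", 40002))
    return {"half_open": len(srv.half_open),
            "dropped": len(srv.dropped),
            "second_client": verdict}


def flood_with_limit():
    """Same flood through the limiter: the backlog survives, but a legitimate SYN
    arriving right after the burst is dropped too; a retry a second later succeeds."""
    srv = Listener(max_half_open=4)
    limiter = SynRateLimiter(rate_per_s=2.0, burst=3)
    attacker_accepted = 0
    for i in range(10):                                  # 10 SYNs within 90 ms
        if limiter.allow(now=i * 0.01):
            srv.on_syn((f"198.51.100.{i}", 1000 + i))
            attacker_accepted += 1
    legit = ("10.0.0.6", 40002)
    first_try = complete_handshake(srv, legit) if limiter.allow(now=0.10) else "rate_limited"
    retry = complete_handshake(srv, legit) if limiter.allow(now=1.0) else "rate_limited"
    return {"attacker_accepted": attacker_accepted,
            "half_open": len(srv.half_open),
            "first_try": first_try,
            "retry": retry}


if __name__ == "__main__":
    print(flood_without_limit())
    print(flood_with_limit())
```

Run directly, the two dictionaries show the trade-off described above: without the limiter the backlog fills and the second legitimate client never gets a SYN/ACK; with the limiter the backlog holds only three attacker entries, but the legitimate SYN at 100 ms is dropped as well and only the retry at one second is established. On a real Linux host the corresponding rule pair is `iptables -A INPUT -p tcp --syn -m limit --limit 2/s --limit-burst 3 -j ACCEPT` followed by `iptables -A INPUT -p tcp --syn -j DROP`; SYN cookies (`net.ipv4.tcp_syncookies=1`) avoid the trade-off by letting the server answer SYNs without holding half-open state.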