Page 1204 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

FIGURE 17.2 SYN flood attack


               Three incomplete sessions won’t cause a problem. However, an
               attacker will send hundreds or thousands of SYN packets to the victim.
               Each incomplete session consumes resources, and at some point, the
               victim becomes overwhelmed and is not able to respond to legitimate
               requests. The attack can consume available memory and processing
               power, resulting in the victim slowing to a crawl or actually crashing.

               It’s common for the attacker to spoof the source address, with each
               SYN packet having a different source address. This makes it difficult to
               block the attacker using the source Internet Protocol (IP) address.
               Attackers have also coordinated simultaneous attacks against a single
               victim as a DDoS attack. Limiting the number of allowable open sessions
               isn’t effective as a defense because once the system reaches the limit
               it blocks session requests from legitimate users. Increasing the number
               of allowable sessions on a server results in the attack consuming more
               system resources, and a server has a finite amount of RAM and
               processing power.

               Using SYN cookies is one method of blocking this attack. These small
               records consume very few system resources. When the system receives
               an ACK, it checks the SYN cookies and establishes a session. Firewalls
               often include mechanisms to check for SYN attacks, as do intrusion
               detection and intrusion prevention systems.

               Another method of blocking this attack is to reduce the amount of time
               a server will wait for an ACK. It is typically three minutes by default,
               but in normal operation it rarely takes a legitimate system three
               minutes to send the ACK packet. By reducing the time, half-open
               sessions are flushed from the system’s memory quicker.
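The two mitigations above (SYN cookies and a shorter half-open timeout) modelled side by side, as an added Python example that is not from the study guide; the backlog size, the HMAC-based cookie, the secret and the addresses are constructed for illustration.

```python
import hmac, hashlib


class StatefulListener:
    """Classic half-open queue: every SYN holds a backlog slot until its ACK
    arrives or the entry ages past the timeout (the page's ~3-minute default)."""
    def __init__(self, backlog=256, timeout=180.0):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = {}  # (src_ip, src_port) -> arrival time of its SYN

    def on_syn(self, src, now):
        # drop entries older than the timeout: the page's "reduce the wait" fix
        self.half_open = {k: t for k, t in self.half_open.items() if now - t < self.timeout}
        if len(self.half_open) >= self.backlog:
            return False  # queue full: this SYN is dropped, legitimate or not
        self.half_open[src] = now
        return True

    def on_ack(self, src, now):
        return self.half_open.pop(src, None) is not None


class SynCookieListener:
    """Stateless variant: the needed state is a keyed hash sent as the ISN."""
    def __init__(self, secret):
        self.secret = secret  # constructed demo secret, rotated in real systems

    def cookie(self, src, minute):
        msg = f"{src[0]}:{src[1]}:{minute}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")  # fits the 32-bit sequence number

    def on_syn(self, src, now):
        return self.cookie(src, int(now // 60))  # ISN for the SYN-ACK; nothing stored

    def on_ack(self, src, ack_num, now):
        minute = int(now // 60)  # accept this minute's cookie or the previous one
        return any(ack_num - 1 == self.cookie(src, m) for m in (minute, minute - 1))


def flood(listener, count, now):
    # constructed flood: each SYN carries a different spoofed source, none is ACKed
    for i in range(count):
        listener.on_syn((f"10.0.{i // 256}.{i % 256}", 40000 + i % 1000), now)


def legit_completes_stateful(flood_size=1000, backlog=256, timeout=180.0, delay=1.0):
    srv = StatefulListener(backlog, timeout)
    flood(srv, flood_size, 0.0)
    client = ("192.0.2.10", 51515)
    return srv.on_syn(client, delay) and srv.on_ack(client, delay + 0.1)


def legit_completes_cookies(flood_size=1000):
    srv = SynCookieListener(b"constructed-demo-secret")
    flood(srv, flood_size, 0.0)
    client = ("192.0.2.10", 51515)
    isn = srv.on_syn(client, 1.0)
    return srv.on_ack(client, isn + 1, 1.1)  # client echoes ISN+1, cookie verifies
```

Production SYN cookies (Linux, for example) also encode the negotiated MSS and other options in the sequence number; this model keeps only the keyed-hash idea.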



                  TCP Reset Attack



                  Another type of attack that manipulates the TCP session is the TCP
                  reset attack. Sessions are normally terminated with either the FIN
                  (finish) or the RST (reset) packet. Attackers can spoof the source
                  IP address in a RST packet and disconnect active sessions. The two
                  systems then need to reestablish the session. This is primarily a