The PhoneBoy Blog


Simplifying Telecom, Mobile Phones, Gadgets, and More!

PhoneBoy Explains: SYN Floods and other Evils of the Internet

Web Communications, a web site publisher in Santa Cruz, CA, was shut down on some weekend as a result of a "SYN flood" by some hackers in Canada. A similar attack was launched against New York-based Panix in September. These kinds of attacks are difficult to defend against because they use inherent characteristics in the TCP/IP protocol to flood a system with network packets. Eventually, the system will not be able to respond to network packets from anyone and the target system becomes unusable.

Let me describe a SYN-flood in non-computer terms. Let's say you call an 800 number that has a bank of 2,000 people answering the phones and they can keep another 1,000 on hold. Let's say each call takes about a minute to complete and a person can wait up to a minute "on hold" for the next available agent. If 2,000 people call in the first minute, the load will be handled just fine. If 3,000 people call in the next minute, the first 2,000 will get a response and the other 10,00 people will wait a minute and most will get handled by the next available person.

Now let's say I can make my computer call up this 800 number and make it seem like I'm 20,000 people and I can keep doing this for an extended period of time. My computer makes the 20,000 phone calls, ties up the operators while they handle these "fake" calls. Every minute, I make another 20,000 call attempts from my computer. In this scenario, legimate callers can't get thru because they will either get a busy signal or a harried operator on the other end.

A SYN flood works in much the same way. SYN floods basically overwhelm the target computer with a bunch of "fake connection requests" which causes it to not be able to respond to legimate connection requests. SYN floods fall under the category of a "denial of service" attack. The basic characteristic of such an attack is an attempt to use a large amount of "apparently legimiate" traffic to cause a system to deny service to legitimate users of the service.

Denial of Service attacks are typically the easiest kinds of attacks to mount on a system and the most difficult to defend against because, after all, they're using "apparently legimate" traffic. Until very recently, SYN floods were difficult to do because of the necessary network programming skills required to create such a program, but a couple of hacker magazines published source code that can be used to do a SYN flood. Now, any mildly-knowledgable, malicious-minded hacker can do a SYN flood.

Some other, related attacks include:

  • A Land Attack is when someone sends you a spoofed SYN packet with your IP address as the source and destination. When an unpatched target system receives this packet, it causes the system to go into an infinite loop as it tries to fight with itself. Variations of this attack munge the TCP headers further to cause additional problems.
  • A TearDrop attack involves fragmented packets (packets that end up being broken up when transmitted). The attacker sends packet fragments that, when reassembled, aren't what the TCP/IP headers say they are. TCP stacks that don't handle this correctly either crash the system or cause it to hang. A bonk or boink is the same sort of attack performed in a slightly different way. A Syndrop uses a SYN packet to achieve this effect.
  • A Nuke can only be done against a Windows machine. A "Nuke" (or also called an "Out of Band" attack) involves sending certain kinds of malformed packets to certain ports on a Windows machine, the ports used for Microsoft Networking. The result is that the "attacked" machine loses its TCP/IP stack and can crash.
  • A "ping of death" involves sending a large ICMP echo request packet to a machine. ICMP echo request packets are used for pings and traceroutes. These packets come through "fragmented", and the TCP/IP stack on the target system does not know how to handle it.

Do you have to worry about this sort of attack as a home user? Not really. Most likely, though, your ISP will have to. But now you hopefully understand why they are a problem.


C-List #Cybersecurity Celebrity, Podcaster, #noagenda Producer, Frequenter of shiny metal tubes, Expressor of personal opinions, and of course, a coffee achiever.