So many of you may have heard that the auth problems in the last week were a SYN flood. The questions I've seen the most are "What is a SYN flood or DDoS?" and "Why can't they stop it?"

First we're going to learn some acronyms.

DoS - Denial of Service - This occurs when only one computer denies a service to your computer. This can be something that simply resets your router or modem, or it can be much more complex.

DDoS - Distributed Denial of Service - This accomplishes the same outcome as above but goes about it in a much different way. A DDoS normally involves many, if not hundreds or thousands of, computers attacking your internet connection and using up all available bandwidth, causing your service to drop.

A SYN flood is a DDoS. SYN floods are especially dangerous because they exploit a flaw in the way the internet as we use it today works. Currently two versions of the Internet Protocol are used. There's IPv4, which is what your normal user or ISP uses. There's also IPv6, which has its own problems but is barely used except in high-end applications and testing.

So here's how a SYN flood works. Basic knowledge: when you click a link on the web, your computer sends a packet to a remote server. This packet identifies your computer and requests the information you want, which is then returned to your computer in another packet. There are different kinds of packets, such as TCP packets, UDP packets, SYN packets, ACK packets and ICMP packets. The three that we will be dealing with are TCP, SYN and ACK.

So now on to the SYN flood. Normally most of the packets on the internet are normal TCP packets. The problem with this is that if your packet is mission critical, you don't necessarily know that it reached its intended destination. This is where the SYN packet and the ACK, or acknowledgement, packet come into play. When you send a SYN packet, it contains several parts. I don't remember the exact order, but I'll give you the general idea.

You have a time stamp, an originating IP and a code. Once you send this SYN packet, the server that receives it must send an ACK, or acknowledgement, packet before the data stream (which is TCP packets) starts. Now, with a SYN packet, since the IP is tagged in the packet, you can manipulate the packet and change the tagged IP. When the server it was sent to gets this packet and tries to generate an ACK packet, it's trying to communicate with a computer without an open SYN packet, with a fake or non-existent address. By default your server is going to try for a set amount of time to connect back out to send this ACK packet. Since SYN floods are spoofed, 10 connections could make your server try to make 100 connections back out in a matter of seconds. Now imagine how backed up your server will get with even more connections. At some point your server gets too backed up and begins to crash, dropping people and disconnecting from the internet. Not only does this back your server up, but it also uses up costly bandwidth, which most places will charge you for.

So as you see, some attacks aren't as easy to stop as you would think they would be. To be completely rid of this type of attack, the entire internet, every operating system and how it was all designed would need to be replanned. So yes... the best people for the job aren't necessarily fixing this problem. No, no one could get rid of it entirely. Yes, you do need to be patient. Each and every time some moron launches one of these attacks he loses more and more of his ability to do this, so either he will wear himself out or he will run out of drone machines to do it with. These types are also extremely hard to track, but it can be done.

Anyway, I know it's not exact to the letter of how this all works, but it will give people newer to the internet the basic idea of what's happening with the attacks.
So you should be able to use a good firewall. Set it up to proxy all incoming connections and use a very short timeout period. With a Cisco 5510 you can handle 9,000 new connections per second; with a 5580-40 you can handle 150,000 connections per second. The firewall is built purposefully to create and destroy connections. By using the HTTP proxy feature, the firewall actually performs the TCP 3-way handshake (Syn-Ack-SynAck), and if it does not get a response to its Ack then the connection is terminated. There is additional software that allows you to build a short-term drop list that typically has a 5-minute rolling timeout. In all, a 5510 can be managing 130,000 connected sessions and continuously dropping the ones that fail to respond. Obviously, you can still saturate this type of device. That is where you must be able to scale out the hardware and work with your upstream providers to try and eliminate the bulk of the incoming traffic. All in all, it's a pain in the butt.
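As an added example (mine, not code from either post in this thread), the Python below models the mechanics both posts describe: a server-side table of half-open connections (SYN received, SYN-ACK sent, client's final ACK still outstanding) that spoofed SYNs fill up because their SYN-ACKs go to forged addresses and the ACK never arrives, and then the same server behind a front device that completes the handshake itself with a short timeout and only passes on connections that finished it. The 1024-entry backlog, the 60 s server timeout, the 2 s proxy timeout, the 2,000 spoofed and 50 real SYN/s rates and the 50 ms client round trip are assumed values chosen to make the effect visible; the 130,000-session proxy capacity is the 5510 figure from the reply above.

```python
"""Toy model of a TCP listen backlog under a spoofed SYN flood, with and
without a SYN-proxying device in front of the server.  Added illustration for
this thread, not code from either poster; every number here is an assumption
except the 130,000-session figure, the Cisco 5510 number quoted above."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import random


@dataclass
class HalfOpenTable:
    """Connections answered with a SYN-ACK but still waiting for the client's
    final ACK.  A spoofed SYN never completes, so it holds a slot for `timeout` s."""
    capacity: int                    # maximum simultaneous half-open entries
    timeout: float                   # seconds to wait for the final ACK
    entries: dict = field(default_factory=dict)    # key -> expiry time
    queue: deque = field(default_factory=deque)    # (expiry, key), oldest first
    refused: int = 0                 # SYNs dropped because the table was full
    completed: int = 0               # handshakes finished by a real ACK
    peak: int = 0                    # high-water mark of len(entries)

    def expire(self, now):
        # Constant timeout means FIFO expiry, so only the head needs checking.
        while self.queue and self.queue[0][0] <= now:
            self.entries.pop(self.queue.popleft()[1], None)

    def on_syn(self, now, key):
        """Record a SYN; False means the backlog was full and it was dropped."""
        self.expire(now)
        if len(self.entries) >= self.capacity:
            self.refused += 1
            return False
        self.entries[key] = now + self.timeout
        self.queue.append((now + self.timeout, key))
        self.peak = max(self.peak, len(self.entries))
        return True

    def on_ack(self, now, key):
        """Final ACK for `key`; True if it matched a pending half-open entry."""
        self.expire(now)
        if self.entries.pop(key, None) is None:
            return False
        self.completed += 1
        return True


def simulate(server, attack_rate, legit_rate, duration_s=10.0, rtt_s=0.05,
             proxy=None, seed=0):
    """Send `attack_rate` spoofed and `legit_rate` real SYN/s at the front
    device (proxy if given, else server) for `duration_s`.  Real clients ACK
    one RTT after an accepted SYN; spoofed ones never do.  1 ms ticks."""
    rng = random.Random(seed)
    front = proxy if proxy is not None else server
    duration_ms, rtt_ms = int(duration_s * 1000), int(rtt_s * 1000)
    acks_due = defaultdict(list)         # tick -> keys whose real ACK lands then
    legit_syns = spoofed_syns = 0
    for ms in range(duration_ms + rtt_ms + 1):   # run on so the last ACKs land
        now = ms / 1000.0
        for key in acks_due.pop(ms, ()):
            if front.on_ack(now, key) and proxy is not None:
                # Proxy finished the handshake; it opens the real connection and ACKs.
                server.on_syn(now, key)
                server.on_ack(now, key)
        if ms >= duration_ms:
            continue                     # attack window over; only ACKs remain
        n_spoof = (ms + 1) * attack_rate // 1000 - ms * attack_rate // 1000
        n_real = (ms + 1) * legit_rate // 1000 - ms * legit_rate // 1000
        arrivals = ([("spoof", ms, i) for i in range(n_spoof)]
                    + [("real", ms, i) for i in range(n_real)])
        rng.shuffle(arrivals)            # interleave arrivals within the tick
        for key in arrivals:
            if key[0] == "spoof":
                spoofed_syns += 1
                front.on_syn(now, key)   # its SYN-ACK goes to a forged address
            else:
                legit_syns += 1
                if front.on_syn(now, key):
                    acks_due[ms + rtt_ms].append(key)
    return {"legit_syns": legit_syns, "legit_completed": server.completed,
            "spoofed_syns": spoofed_syns, "refused": front.refused,
            "peak_half_open": front.peak}


def sustainable_syn_rate(capacity, timeout):
    """Spoofed SYN/s a table absorbs indefinitely: slots free at capacity/timeout
    per second, so any higher arrival rate must fill it (Little's law)."""
    return capacity / timeout


def run_unprotected():
    # Assumed server defaults: 1024-entry backlog, 60 s wait for the final ACK.
    return simulate(HalfOpenTable(1024, 60.0), attack_rate=2000, legit_rate=50)


def run_behind_syn_proxy():
    # 130,000 sessions is the 5510 figure from the thread; the 2 s handshake
    # timeout is an assumption standing in for "a very short timeout period".
    return simulate(HalfOpenTable(1024, 60.0), attack_rate=2000, legit_rate=50,
                    proxy=HalfOpenTable(130_000, 2.0))
```

Calling run_unprotected() and run_behind_syn_proxy() returns dicts of counters. In the first, the 1024 half-open slots are held by spoofed entries within about half a second and will not expire for 60 s, so all but the first couple of dozen of the 500 real connection attempts are refused; in the second, all 500 complete and the proxy's table peaks near attack_rate x timeout, about 4,000 entries. sustainable_syn_rate() makes the point about the short timeout concrete: a table survives roughly capacity/timeout spoofed SYN/s, about 17/s for the assumed server and 65,000/s for the proxy, which is also why a large enough flood still saturates the proxy. Two caveats a practitioner would add: the model covers only the state table, not bandwidth exhaustion or SYN-ACK retransmits, and a drop list keyed on source address only helps against sources that repeat, so a flood that forges a fresh address for every SYN never lands on it.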