Figure 1: The TCP connection cycle.
Packets with malicious intent encompass a diverse ecosystem of TCP behaviors. However network layer attacks that seek to be the most powerful are the ones that work within the expected connection cycle (see above: figure 1). For example one could launch a flood of ACK packets, FIN packets, or RST packets upon an unsuspecting web site. While, this attack could be volumetric in affect (an overwhelming volume of internet traffic), the attack will hold very little efficiency. In this example the flag/packets are quickly dropped, as they are not proceeded by the expect flags required to establish a connection cycle. However, when an attack is launching in a manner of which adopts methods within the norms of a connection cycle, the attack becomes increasingly efficient and in many cases devastating to its target.
An attack that games the expected connection cycle can quickly overwhelm an unprotected server. In this section we will go over two simple examples.
Figure 2: An example of a SYN attack as seen from the DOSarrest Customer DSS Dashboard
The SYN Flood:
The SYN Attack, for all its simplicity remains an effective means of attack, on an unprotected server. As noted previously, the SYN packet is the first step in establishing a connection between two computers over the internet. This event is expected and treated by servers as a normal event. However, when a mass flood of SYN packets is sent to web server, things can get out of hand. SYN events build connections quickly; while, the server waits for each connection to proceed through its normal connection cycle. However, the attacker, in this case, has no intension of completing this cycle. The server is then left waiting for its expected ACK packet; of which, none will arrive.
Most of these connections will be dropped with relative speed after the server concludes that no ACK is coming back. However, in this time server, resources are being accumulated to an extent in which the server is quickly overwhelmed. This is the simplest way for an attacker to game the system, in the goal of bringing down a web site or service.
The Spoofed IP SYN Flood:
This method of attack follow the same methods as the SYN flood described above; with one key difference, resulting in a dramatically different outcome. In this example the IP address of the attack is spoofed (to make it appear that your IP address is someone else's IP address). The spoofed IP could be that of an unsuspecting personal computer or high powered server. For this example we will assume the latter.
First our attacker launches a spoofed SYN flood onto its target. The target (a server) begins to take on connections and responds to the SYN with an ACK. However, since the IP is spoofed, our target server sends a flood of ACKs to the actual server for which the spoofed IP belongs. The target server being unaware of the events that have unfolded upon its behalf; responds with a flood of RST packets for each of the ACKs it has received. Consequently, what started as a single sourced SYN attack has now become a two vector SYN and RST attack. The second source being completely innocent in the hostile intent it has now conducting upon the target.
Summary:
As we have seen above, methods that game expected connection behaviors the best, become the most efficient and effective means of attacking a server. This logic can be continuous along the connection cycle; whereby, attacks increase in diversity and effectiveness.
Justin Bauer
Security Analyst
DOSarrest Internet Security
