If you’re planning on taking the Security+ exam, you should have a basic understanding of several common types of attacks launched against systems and networks, such as attacks that prevent users from accessing services.
For example, can you answer this question?
Q. An IDS alerts on increased traffic. Upon investigation, you realize it is due to a spike in network traffic from several sources. Assuming this is malicious, what is the MOST likely explanation?
A. A smurf attack
B. A flood guard attack
C. A DoS attack
D. A DDoS attack
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
DoS Versus DDoS
A denial-of-service (DoS) attack is an attack from one attacker against one target. A distributed denial-of-service (DDoS) attack is an attack from two or more computers against a single target. DDoS attacks often include sustained, abnormally high network traffic on the network interface card of the attacked computer. Other system resource usage (such as processor and memory usage) will also be abnormally high. The goal of both is to prevent legitimate users from accessing services on the target computer.
Many DoS and DDoS attacks attempt to consume resources on the target computer. For example, a SYN (synchronize) flood attack consumes memory resources by flooding a system with half-open connections.
Remember this
A denial-of-service (DoS) attack is an attack from a single source that attempts to disrupt the services provided by another system. A distributed denial-of-service (DDoS) attack includes multiple computers attacking a single target. DDoS attacks typically include sustained, abnormally high network traffic.
SYN Flood Attacks
The SYN flood attack is a common attack used against servers on the Internet. It is easy for attackers to launch, difficult to stop, and can cause significant problems. A SYN flood disrupts the TCP handshake process and can prevent legitimate clients from connecting.
Chapter 3 of the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide, “Understanding Basic Network Security,” explained how TCP sessions use a three-way handshake when establishing a session. As a reminder, two systems normally start a TCP session by exchanging three packets in a TCP handshake. For example, when a client establishes a session with a server, it takes the following steps:
- The client sends a SYN (synchronize) packet to the server.
- The server responds with a SYN/ACK (synchronize/acknowledge) packet.
- The client completes the handshake by sending an ACK (acknowledge) packet. After establishing the session, the two systems exchange data.
However, in a SYN flood attack, the attacker never completes the handshake by sending the ACK packet. Additionally, the attacker sends a barrage of SYN packets, leaving the server with multiple half-open connections. The following figure compares a normal TCP handshake with the start of a SYN flood attack.
Figure: TCP handshake and SYN flood attack
In some cases, these half-open connections consume enough of a server’s resources while it waits for the third packet that the server actually crashes. More often, though, the server limits the number of half-open connections it will hold. Once the limit is reached, the server won’t accept any new connections, which blocks legitimate users as well. For example, Linux systems support iptables rules that rate-limit SYN packets, dropping them once the threshold is exceeded. Although this prevents the SYN flood attack from crashing the system, it also denies service to legitimate clients whose SYN packets arrive while the limit is in effect.
Flood Guards
Flood guards use a variety of different methods to protect against SYN flood attacks. Many firewalls and intrusion detection systems include flood guards, which are simply techniques to limit the success of a SYN flood attack. Additionally, some vendors sell flood guard appliances dedicated to detecting and blocking these attacks.
One method of detecting and blocking these attacks is by identifying the source IP address. If a single source IP address is initiating these half-open connections but never completing them, a flood guard can block all traffic from that IP. However, attackers now commonly spoof the source IP address in each SYN flood packet. Additionally, attackers often launch attacks from multiple systems at the same time, making it difficult to distinguish legitimate traffic from attack traffic.
Another method is to dynamically adjust the time a system waits for the third packet. For example, the system may normally wait 75 seconds for an ACK after sending the SYN/ACK packet. After sensing a barrage of SYN packets, it can reduce the time it waits for the ACK.
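The following simulation is an added example written for this post; it is not code from the study guide or from any firewall product. It models the server side of the three-way handshake described above (a table of half-open connections waiting for the third packet) and applies both flood-guard methods just discussed: blocking a source IP that keeps opening connections it never completes, and shortening the wait for the ACK once a barrage of SYN packets is sensed. The timeouts, limits, addresses and the packet sequences are all constructed for the example and are assumptions, not values taken from any real system.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class FloodGuard:
    """Server-side table of half-open connections plus two flood-guard rules."""
    normal_timeout: float = 75.0     # seconds to wait for the ACK after sending SYN/ACK (assumed)
    flood_timeout: float = 5.0       # shortened wait once a barrage of SYNs is sensed (assumed)
    backlog_limit: int = 128         # most half-open connections the server will hold (assumed)
    per_source_limit: int = 10       # half-open connections tolerated from one source IP (assumed)
    flood_watermark: int = 64        # total half-open count that counts as a barrage (assumed)
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> time SYN/ACK was sent
    blocked: set = field(default_factory=set)       # source IPs the guard has cut off
    established: int = 0

    def current_timeout(self) -> float:
        # Method 2: wait less for the third packet while the backlog looks flooded.
        if len(self.half_open) >= self.flood_watermark:
            return self.flood_timeout
        return self.normal_timeout

    def _expire(self, now: float) -> None:
        timeout = self.current_timeout()
        for key in [k for k, sent in self.half_open.items() if now - sent > timeout]:
            del self.half_open[key]

    def on_syn(self, now: float, src: str, sport: int) -> str:
        """Packet 1 of the handshake arrives; return what the server does with it."""
        self._expire(now)
        if src in self.blocked:
            return "dropped"
        per_source = Counter(ip for ip, _ in self.half_open)
        if per_source[src] >= self.per_source_limit:
            # Method 1: one IP keeps opening connections it never completes.
            self.blocked.add(src)
            for key in [k for k in self.half_open if k[0] == src]:
                del self.half_open[key]
            return "blocked"
        if len(self.half_open) >= self.backlog_limit:
            return "refused"          # backlog full: legitimate clients suffer too
        self.half_open[(src, sport)] = now   # server sends SYN/ACK (packet 2) and waits
        return "syn-ack"

    def on_ack(self, now: float, src: str, sport: int) -> str:
        """Packet 3 of the handshake arrives and completes the connection."""
        self._expire(now)
        if self.half_open.pop((src, sport), None) is None:
            return "ignored"          # no matching half-open entry (expired or never sent)
        self.established += 1
        return "established"


def run_scenarios() -> dict:
    """Drive the guard with constructed traffic and return the outcomes for inspection."""
    results = {}

    # Normal client: SYN, SYN/ACK, ACK.
    g = FloodGuard()
    results["normal"] = [g.on_syn(0.0, "10.0.0.5", 40000), g.on_ack(0.1, "10.0.0.5", 40000)]

    # SYN flood from one unspoofed source: 20 SYNs, no ACKs. The per-source rule trips.
    g = FloodGuard()
    results["single_source"] = dict(Counter(
        g.on_syn(1.0 + i * 0.01, "203.0.113.9", 1000 + i) for i in range(20)))
    results["single_source_legit"] = g.on_syn(5.0, "10.0.0.5", 40001)

    # SYN flood with a different spoofed source per packet: the per-source rule never
    # trips and the backlog fills. Only the adaptive timeout frees it up quickly.
    def spoofed_flood(guard):
        return dict(Counter(
            guard.on_syn(1.0 + i * 0.001, f"198.51.100.{i}", 2000 + i) for i in range(200)))

    g = FloodGuard()
    results["spoofed"] = spoofed_flood(g)
    results["spoofed_legit_at_2s"] = g.on_syn(2.0, "10.0.0.5", 40002)   # backlog still full
    results["spoofed_legit_at_7s"] = g.on_syn(7.0, "10.0.0.5", 40002)   # flood entries aged out

    g = FloodGuard(flood_timeout=75.0)    # same guard with the adaptive timeout disabled
    spoofed_flood(g)
    results["no_adapt_legit_at_7s"] = g.on_syn(7.0, "10.0.0.5", 40003)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Run it and compare the three flood outcomes: the unspoofed flood is cut off by the per-source rule after ten half-open connections, but the spoofed flood never trips that rule and fills the backlog, so a legitimate client is refused until the shortened timeout expires the attacker's entries; with the adaptive timeout disabled the same client is still refused at the seven-second mark. Note that both rules still cost legitimate clients something while the attack is in progress, which is the trade-off the text describes; RFC 4987 covers stateless approaches such as SYN cookies that avoid holding per-connection state at all.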
There is a lot more depth to SYN flood attacks and methods used to mitigate them. Additionally, attacks and mitigation techniques continue to evolve. If you’re interested in digging deeper, check out RFC 4987, “TCP SYN Flooding Attacks and Common Mitigations,” here: http://tools.ietf.org/html/rfc4987.
Remember this
A SYN flood attack disrupts the TCP initiation process by withholding the third packet of the TCP three-way handshake. Flood guards protect against SYN flood attacks.
Q. An IDS alerts on increased traffic. Upon investigation, you realize it is due to a spike in network traffic from several sources. Assuming this is malicious, what is the MOST likely explanation?
A. A smurf attack
B. A flood guard attack
C. A DoS attack
D. A DDoS attack
Answer is D. A distributed denial-of-service (DDoS) attack causes spikes in network traffic as multiple systems attempt to connect to a server and deplete the target’s resources.
A smurf attack uses directed broadcasts to amplify traffic toward a victim. It could produce this symptom if routers aren’t blocking directed broadcasts, but it is only one specific kind of DDoS attack, so it is not the MOST likely explanation on its own.
Flood guards protect against SYN flood attacks, and flood guards are not an attack method.
A DoS attack comes from a single system, not from several sources.