SYN Flooding:
The basis of the attack is to not complete the 3-way handshake necessary to establish communication. Specifically, the attacker (client machine A in fig. 6) refuses to send the ACK to the host server (B) after receiving the SYN/ACK from host B. Such a connection is called a half-open connection.

Instead of sending an ACK, attacker A sends another SYN to the victim server. The server again acknowledges it with a SYN/ACK, and A again refuses to send the final ACK. By repeating this many times the attacker tries to overflow a data structure on the host server. That data structure is built in the memory of the host server for the purpose of keeping records of connections still to be completed (half-open connections). Since the data structure is of finite size, it is possible to overflow it by opening a large number of half-open connections.
Once overflow occurs the host server is unable to accept new connections, resulting in a denial of service. There is, however, a time-out associated with each pending connection (approximately 3 minutes) after which the host server automatically drops the half-open connection and can accept new connections again. If the attacker can request connections at a rate higher than the victim server's ability to expire the pending connections, then it is possible to crash the server.
Thus the objective of SYN flooding is to disable one side of the TCP connection, which results in one or more of the following:
- The server is unable to accept new connections.
- The server crashes or becomes inoperative.
- Authorization between servers is impaired.
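The finite table of half-open connections described above can be modelled directly. The following is an added example (not code from the page): a server-side half-open table with a capacity and a timeout, replayed over a constructed packet trace in which one client completes the handshake and a second source only ever sends SYNs from fresh ports. The trace, the tiny capacity of 4, the 3-minute timeout and the per-IP threshold are assumptions chosen so the behaviour is visible; real backlogs are much larger and the timeout is tunable.

```python
"""Half-open connection table: the finite structure a SYN flood fills.

Constructed example. The trace and the constants below are assumptions
chosen so that a very small table fills up within a few segments.
"""

HALF_OPEN_TIMEOUT = 180.0  # seconds; the text cites roughly 3 minutes
BACKLOG_CAPACITY = 4       # deliberately tiny so the sample trace fills it

# Constructed trace as seen by the server: (time_s, client_ip, client_port, flags).
# 10.0.0.x complete their handshakes; 203.0.113.9 never sends the final ACK
# and uses a new source port each time, so every SYN leaves an entry behind.
SAMPLE_TRACE = [
    (0.0,   "10.0.0.5",    40001, {"SYN"}),
    (0.1,   "10.0.0.5",    40001, {"ACK"}),   # third step of the handshake
    (1.0,   "203.0.113.9", 1001,  {"SYN"}),   # never followed by an ACK
    (1.1,   "203.0.113.9", 1002,  {"SYN"}),
    (1.2,   "203.0.113.9", 1003,  {"SYN"}),
    (1.3,   "203.0.113.9", 1004,  {"SYN"}),
    (2.0,   "10.0.0.6",    40002, {"SYN"}),   # legitimate, but the table is full
    (200.0, "10.0.0.6",    40003, {"SYN"}),   # after the timeout there is room again
]


class HalfOpenTable:
    """Pending (SYN received, ACK not yet received) connections, keyed by client."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.pending = {}      # (client_ip, client_port) -> time the SYN arrived
        self.dropped = 0       # SYNs refused because the table was full
        self.completed = 0     # handshakes that finished

    def expire(self, now):
        """Drop entries whose SYN is older than the timeout."""
        stale = [k for k, t in self.pending.items() if now - t >= self.timeout]
        for k in stale:
            del self.pending[k]

    def observe(self, now, client, flags):
        """Apply one client segment to the table and report what happened."""
        self.expire(now)
        if "SYN" in flags and "ACK" not in flags:
            if client in self.pending:
                return "duplicate-syn"
            if len(self.pending) >= self.capacity:
                self.dropped += 1
                return "dropped"           # this refusal is the denial of service
            self.pending[client] = now
            return "half-open"
        if "ACK" in flags and client in self.pending:
            del self.pending[client]
            self.completed += 1
            return "established"
        return "ignored"


def replay(trace, capacity=BACKLOG_CAPACITY, timeout=HALF_OPEN_TIMEOUT):
    """Feed a trace through a fresh table; returns the table and per-segment events."""
    table = HalfOpenTable(capacity, timeout)
    events = [table.observe(now, (ip, port), flags) for now, ip, port, flags in trace]
    return table, events


def half_open_by_ip(table):
    """Count the half-open entries currently held by each client IP."""
    counts = {}
    for ip, _port in table.pending:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


def suspicious_sources(table, threshold=3):
    """IPs holding at least `threshold` half-open entries at once: a simple detection heuristic."""
    return sorted(ip for ip, n in half_open_by_ip(table).items() if n >= threshold)


def exhaustion_rate(capacity, timeout):
    """Sustained SYNs per second that keep the table permanently full: capacity / timeout."""
    return capacity / timeout


if __name__ == "__main__":
    table, events = replay(SAMPLE_TRACE)
    print(events)
    print("dropped:", table.dropped, "completed:", table.completed)
    print("SYN rate that fills this table:", exhaustion_rate(BACKLOG_CAPACITY, HALF_OPEN_TIMEOUT))
```

Replaying the first six segments leaves 203.0.113.9 holding four entries, so `suspicious_sources` names it; the seventh segment, a legitimate SYN, is dropped because the table is full, and the last one is admitted only because the timeout has expired the flood's entries. `exhaustion_rate` is the capacity-planning figure the text alludes to: with capacity 4 and a 180 s timeout, a source needs only 4/180 SYN/s to keep the table full, which is why real servers use large backlogs, short timeouts and SYN cookies rather than relying on the timeout alone.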
Ack Flood: A denial of service attack that sends a large number of TCP packets with the ACK flag set to a target. The goal of the attack is to consume all of the target system's network resources, causing the target's performance to degrade and possibly even causing a system crash. This attack can also be very effective against stateful firewalls and IDS/IPS products if they have little memory dedicated to state table management.
Reset (RST) Attack: Whereas SYN flooding attacks are carried out at the beginning of the connection, RST attacks usually occur in the middle of it. The RST flag in the TCP packet is used to reset the connection. If two machines C and B are in the middle of a connection and an attacker A decides to attack machine C, then all he has to do is calculate/guess the correct sequence number using the methods described above (there is no ACK in an RST packet). After that the attacker can disrupt the connection by sending a spoofed packet with the RST flag set to B. The attacker then assumes B's identity and starts attacking C.
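The defence against a spoofed RST is the receiver's sequence-number check, and how strict that check is decides how much guessing an attacker needs. The following added example (my code, not from the page) classifies incoming RST segments for an established connection using the RFC 5961 rules: only an RST whose sequence number equals the next expected byte resets the connection, an in-window RST is answered with a challenge ACK, and anything else is dropped. The older RFC 793 behaviour, which accepts any in-window RST, is shown beside it for comparison. The connection state and the sample RST segments are constructed values.

```python
"""RST acceptance check for an established TCP connection.

Constructed example. RCV_NXT, RCV_WND and SAMPLE_RSTS are made-up values;
the classification rules follow RFC 5961 (strict) and RFC 793 (legacy).
"""

SEQ_SPACE = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def classify_rst(seg_seq, rcv_nxt, rcv_wnd):
    """RFC 5961 style: exact match resets, in-window gets a challenge ACK, rest dropped.

    The challenge ACK makes a genuine peer re-send a correctly numbered RST,
    while a spoofer who merely landed in the window gains nothing.
    Wraparound is handled with modular arithmetic on the 32-bit space.
    """
    offset = (seg_seq - rcv_nxt) % SEQ_SPACE
    if offset == 0:
        return "reset"
    if offset < rcv_wnd:
        return "challenge-ack"
    return "drop"


def classify_rst_legacy(seg_seq, rcv_nxt, rcv_wnd):
    """RFC 793 behaviour: any RST inside the receive window tears the connection down."""
    offset = (seg_seq - rcv_nxt) % SEQ_SPACE
    return "reset" if offset < rcv_wnd else "drop"


def guess_success_fraction(rcv_wnd, strict=True):
    """Fraction of the sequence space in which a blindly guessed RST is accepted.

    Strict checking accepts one value; legacy checking accepts a whole window,
    which is why the window size matters for exposure to this attack.
    """
    return (1 if strict else rcv_wnd) / SEQ_SPACE


# Constructed connection state: the next byte expected is close to 2**32 so
# that one in-window sequence number wraps past zero.
RCV_NXT = 4_294_960_000
RCV_WND = 65_535
SAMPLE_RSTS = [
    ("exact", RCV_NXT),
    ("in-window", RCV_NXT + 1000),
    ("wrapped in-window", (RCV_NXT + 60_000) % SEQ_SPACE),  # wraps, still in window
    ("old", RCV_NXT - 1),                                   # just behind: outside the window
    ("random", 123_456_789),                                # a blind guess
]


def classify_all(segments=SAMPLE_RSTS, rcv_nxt=RCV_NXT, rcv_wnd=RCV_WND):
    """Classify every sample RST under the strict rules."""
    return {label: classify_rst(seq, rcv_nxt, rcv_wnd) for label, seq in segments}


if __name__ == "__main__":
    for label, verdict in classify_all().items():
        print(f"{label:20s} -> {verdict}")
    print("legacy in-window:", classify_rst_legacy(RCV_NXT + 1000, RCV_NXT, RCV_WND))
    print("blind-guess acceptance, strict vs legacy:",
          guess_success_fraction(RCV_WND), guess_success_fraction(RCV_WND, strict=False))
```

Under the strict rules only the exact segment resets the connection; both in-window samples (including the one that wraps past 2**32) draw a challenge ACK, and the stale and random ones are dropped. Under the legacy rules the in-window sample resets the connection outright, which is the behaviour the text's "calculate/guess the correct sequence number" relies on.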
FIN Attack: A FIN attack is similar to the RST attack and is used to disconnect the client. However, it concentrates on the end state of a TCP connection. The attacker tries to establish a series of new connections and close them immediately without any data transfer. The idea is to keep the server busy and eventually crash it with a large number of open and close connection requests.
This is more popular than the RST attack because the attacker can know immediately whether or not the attack was successful as the client has to reply with an ACK after it receives a FIN flag.
Teardrop Attack: A teardrop attack exploits a vulnerability of the TCP/IP protocol stack at the time of reassembling fragmented IP packets at the receiving end. In section 4 we described a field in the IP header called Fragment Offset, which identifies where each fragment belongs at the time of reassembly. A teardrop attack is carried out by manipulating the fragment offset field so that fragments overlap. This confuses the server at the time of reassembly, causing it to crash.
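A reassembler, or an IDS watching fragments, can reject the overlap a teardrop relies on before any memory is touched. The following added example (not code from the page) converts each fragment's Fragment Offset (in 8-byte units) and payload length into a byte range and walks the ranges in order, returning whether the datagram is complete, still incomplete, has a gap, or contains an overlap. The fragment sets and their labels are constructed.

```python
"""Fragment reassembly sanity check of the kind a teardrop-aware receiver performs.

Constructed example. Each fragment is (fragment_offset, payload_len, more_fragments):
fragment_offset is the IP header field in 8-byte units, more_fragments is the MF flag.
The sample datagrams below are made up.
"""

FRAG_UNIT = 8  # the Fragment Offset field counts 8-byte blocks


def check_fragments(fragments):
    """Return 'complete', 'incomplete', 'gap' or 'overlap' for one datagram's fragments.

    Fragments may arrive in any order, so they are sorted by byte offset first.
    Walking them in order, every fragment must start exactly where the previous
    one ended: starting earlier means it re-covers bytes already filled (the
    teardrop condition), starting later means a fragment is missing.
    """
    if not fragments:
        return "incomplete"
    ranges = sorted((off * FRAG_UNIT, off * FRAG_UNIT + length, mf)
                    for off, length, mf in fragments)
    expected = 0  # byte offset the next well-formed fragment should start at
    for start, end, mf in ranges:
        if start < expected:
            return "overlap"      # fragment claims bytes an earlier one already supplied
        if start > expected:
            return "gap"          # a fragment is missing (or still in flight)
        expected = end
    # The last fragment of a datagram is the one with MF clear.
    return "incomplete" if ranges[-1][2] else "complete"


# Constructed datagrams. A 1480-byte payload is 185 blocks of 8 bytes.
SAMPLE_DATAGRAMS = {
    "normal":    [(0, 1480, True), (185, 1480, True), (370, 500, False)],
    "reordered": [(370, 500, False), (0, 1480, True), (185, 1480, True)],
    "teardrop":  [(0, 1480, True), (100, 1480, False)],   # bytes 800..2280 overlap 0..1480
    "missing":   [(0, 1480, True), (370, 500, False)],    # bytes 1480..2960 never arrive
    "partial":   [(0, 1480, True)],                       # final fragment not seen yet
}


def check_all(datagrams=SAMPLE_DATAGRAMS):
    """Run the check over every sample datagram."""
    return {name: check_fragments(frags) for name, frags in datagrams.items()}


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name:10s} -> {verdict}")
```

A receiver that returns "overlap" here can discard the whole fragment set instead of trying to reconcile the conflicting byte ranges, which is exactly the step the vulnerable stacks the text describes were missing. The check is deliberately stricter than a general reassembler: any overlap, even a benign duplicate, is rejected.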