When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a set sequence of messages. This connection technique applies to all TCP connections: telnet, Web, email, etc. The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and the service-specific data can be exchanged between the client and the server.
The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message. This is referred to as a half-open connection. The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections. Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. This means that the final ACK message will never be sent to the victim server system.
The half-open connections data structure on the victim server system will eventually fill; then the system will be unable to accept any new incoming connections until the table is emptied out. Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can expire the pending connections.
In most cases, the victim of such an attack will have difficulty in accepting any new incoming network connection. In these cases, the attack does not affect existing incoming connections nor the ability to originate outgoing network connections. However, in some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative. The location of the attacking system is obscured because the source addresses in the SYN packets are often indeterminable. When the packet arrives at the victim server system, there is no way to determine its true source. Since the network forwards packets based on destination address, the only way to validate the source of a packet is to use input source filtering.
Systems providing TCP-based services to the Internet community may be unable to provide those services while under attack and for some time after the attack ceases. Accordingly, several methods have been described to defeat these SYN attacks. One conventional method for defeating SYN attacks is to randomly drop uncompleted connections as the number of SYN packets received increases. In this manner, all SYN packets are assumed to be malicious, and incomplete open connections are randomly deleted from the open connections data structure without prejudice. However, this results in a very low connection establishment rate for non-malicious TCP requests. Moreover, system resources are wasted due to the costs of processing the SYN packet and allocating space in the data structure.
Yet another method for defeating SYN attacks is referred to as SYN cookies. In this method, the TCP stack does not maintain a data structure for uncompleted connections. Instead, all of the information needed to remember the connection is encoded into a sequence number in the reply to the initial SYN packet. If this is a genuine connection, a reply to that packet (completing the three-way handshake) is received, and its acknowledgement number will be one more than the sequence number sent. This number is decoded to give the information needed to identify the connection. This means that the server does not need to remember anything at all, so no memory is used until the handshake is completed. While this method may prove effective, the increased CPU usage is not worth the marginal increase in packet processing power. Furthermore, because the initial sequence number is a deterministic function of the addresses and port numbers, this method is exposed to various kinds of failures and replay attacks.
In still another method for defeating SYN attacks, the amount of memory allocated for each uncompleted connection in the data structure is reduced. Thus, the server is able to maintain more uncompleted connections during an attack. However, this only delays this inevitable, since as the arrival rate of SYN packets increases, the data structure will eventually overflow.
Accordingly, there is needed in the art of TCP request processing a TCP stack capable of defeating SYN attacks by maintaining an acceptable rate of newly established connections during a SYN flood.