In data communications, Internet Protocol (IP) networks have become pervasive. In particular, most public data communication networks, including the Internet, use IP. Given the availability of cheap, high-speed access to public data communications networks using DSL connections or similar, many organisations wish to use these networks to provide interconnectivity between trusted areas or devices. The trusted devices may be located, for example, at branch offices or homes. Trusted areas would include networks within corporate offices.
However, by connecting trusted areas and devices to public networks, they become open to attack and abuse. This means that organisations are forced to take defensive measures against attack.
The Transmission Control Protocol is the most common, reliable and popular protocol used in IP networks to control connection establishment and transfer. In addition, TCP/IP is the protocol most Microsoft Windows® systems use to access networks. Unfortunately, it is well known that existing session establishment for TCP over IP networks is inherently insecure and prone to exploitation by Active and Intrusion attacks.
It is easy for an attacker on an IP network to determine those TCP/IP services present using simple techniques and/or software. Once the TCP/IP services are detected, it is often easy to exploit and/or attack them. For example, denial of service attacks are possible.
Denial of service (DoS) attacks cost businesses millions of dollars each year and are now a serious threat to any system or network connected to a public network. These costs are related to system downtime, lost revenues and the labour involved in identifying and reacting to such attacks. Essentially, a DoS attack disrupts or completely denies services to legitimate users, networks, systems or other resources. The intent of such attacks is usually malicious and often takes little skill or resources because the requisite tools are readily available.
In the case of TCP/IP, attacks normally focus on the way systems handle handshaking and connection initiation. FIG. 1 is a schematic diagram of a data communications system using the normal 3-way handshaking used in TCP to process connection requests.
A SYN packet is sent from a specific port on a source 10 to the same port at a destination 20. Upon receipt of the SYN packet, the destination 20 then sends a SYN/ACK packet to the source 10. Upon receipt of the SYN/ACK packet, the source 10 then sends an ACK packet to the destination 20, and the connection is then considered established (also referred to as open). Data can then be communicated between the source 10 and destination 20.
The packets discussed above have a predetermined format, as defined in RFC0793, available from ftp://ftp.rfc-editor.org/in-notes/rfc793.txt, which is incorporated herein by reference.
One such DoS attack is referred to as a SYN flood attack. While the standard 3-way handshake works well most of the time, most systems have only a finite number of resources available for setting up connections, including pending connection requests. While most systems can sustain hundreds of concurrent connections to a specific port, it may only take a dozen or so potential connection requests to exhaust all resources allocated to setting up connections. It is this weakness that attackers use to disable a system.
When a SYN flood attack is initiated, attackers send a SYN packet from a source to a destination, as is normal in the handshaking procedure. However, the attackers commonly spoof the source address, selecting an address that does not exist. When the destination tries to send the SYN/ACK packet to the spoofed address, it receives no response. Typically, the destination system places each pending connection request in a connection queue to await the ACK packet. In the case of a SYN flood attack, the ACK packet never arrives. The resources allocated for the spoofed request will only be released when a timer associated with the connection queue expires. In standard configurations of systems, timer settings vary from 75 seconds up to as much as 23 minutes or more and the size of the connection queue is often very small. Thus, attackers only need to send a small number of SYN packets to completely disable a specific port. The system under attack will never be able to clear the queue before receiving new SYN requests.
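The queue behaviour described above, modelled as an added example that is not part of the original document: a listener keeps each SYN-received entry in a bounded connection queue until the ACK arrives or a timer expires, so a dozen unanswered SYNs fill a backlog of twelve and a legitimate SYN is refused until the timer clears them. The Listener class, the backlog size of 12, the 75-second timer, the addresses and the half-open-ratio alert threshold are all constructed assumptions for illustration; nothing here touches a network.

```python
"""Added example (not from the original text): in-memory model of a TCP
listener's connection queue, showing how half-open (SYN-received) entries
held until a timer expires exhaust a small backlog, and a defender-side
check that flags the condition. Sizes, timers and addresses are constructed."""

from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int          # maximum pending (half-open) entries held for this port
    timeout: float        # seconds a SYN-received entry waits for its ACK
    pending: dict = field(default_factory=dict)      # (src_ip, src_port) -> expiry time
    established: set = field(default_factory=set)    # completed handshakes
    dropped_syns: int = 0                            # SYNs refused because the queue was full

    def expire(self, now: float) -> int:
        """Release queue entries whose timer has run out; return how many."""
        stale = [src for src, expiry in self.pending.items() if expiry <= now]
        for src in stale:
            del self.pending[src]
        return len(stale)

    def on_syn(self, src: tuple, now: float) -> str:
        """Handle an incoming SYN: queue it and answer SYN/ACK, or drop it."""
        self.expire(now)
        if src in self.pending or src in self.established:
            return "DUP"
        if len(self.pending) >= self.backlog:
            self.dropped_syns += 1
            return "DROP"
        self.pending[src] = now + self.timeout
        return "SYN/ACK"

    def on_ack(self, src: tuple, now: float) -> str:
        """Handle the final ACK: complete the handshake if an entry is pending."""
        self.expire(now)
        if src not in self.pending:
            return "RST"          # no half-open entry to complete
        del self.pending[src]
        self.established.add(src)
        return "ESTABLISHED"


def half_open_ratio(listener: Listener) -> float:
    """Fraction of known connections still waiting for an ACK (detection metric)."""
    total = len(listener.pending) + len(listener.established)
    return len(listener.pending) / total if total else 0.0


def simulate() -> dict:
    lst = Listener(backlog=12, timeout=75.0)

    # A legitimate client completes the 3-way handshake.
    lst.on_syn(("198.51.100.7", 40001), now=0.0)
    first = lst.on_ack(("198.51.100.7", 40001), now=0.1)

    # Constructed scenario: a dozen SYNs from addresses that never answer,
    # so no ACK ever arrives and each entry sits in the queue until its timer expires.
    for i in range(12):
        lst.on_syn(("203.0.113.%d" % (i + 1), 50000 + i), now=1.0 + i * 0.01)

    # With the backlog full, the next legitimate SYN is refused even though
    # only one connection is actually established.
    refused = lst.on_syn(("198.51.100.8", 40002), now=2.0)

    # Defender-side check: a high half-open ratio together with dropped SYNs
    # is the signature of the condition described above (threshold is an assumption).
    ratio = half_open_ratio(lst)
    alert = ratio > 0.8 and lst.dropped_syns > 0

    # Once the 75-second timer expires the queue clears and the SYN is accepted.
    recovered = lst.on_syn(("198.51.100.8", 40002), now=80.0)

    return {
        "first_handshake": first,          # "ESTABLISHED"
        "flood_refused": refused,          # "DROP"
        "half_open_ratio": round(ratio, 3),
        "alert": alert,
        "after_timeout": recovered,        # "SYN/ACK"
        "dropped_syns": lst.dropped_syns,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The point of the model is the ratio between the two numbers that matter: the port still has only one established connection, yet twelve unanswered SYNs are enough to refuse the next legitimate one for the full timer interval, which is why monitoring the half-open ratio and SYN drop count per port (rather than established-connection counts) is what surfaces this condition.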
Various mechanisms have been employed to counter such attacks, such as implementing firewalls or other ways of blocking some or all ports. However, if a TCP/IP system is to communicate successfully with another, at least one port must be left open, and this in itself creates a vulnerability when the connection is over a public network.