SYN cookie in DDoS prevention

SYN cookie

This post looks at the role of SYN cookies in DDoS prevention against SYN flood attacks. SYN cookies, a technique whose primary inventor is Daniel J. Bernstein, let a server avoid dropping connections when its SYN queue fills up. Instead of storing additional half-open connections, the server encodes the would-be SYN queue entry in the sequence number of its SYN+ACK response. When the client's subsequent ACK arrives carrying that sequence number incremented by one, the server reconstructs the SYN queue entry from the information encoded in the TCP sequence number and proceeds with the connection.

How TCP Connections Are Established:

TCBs (Transmission Control Blocks) are created when a TCP entity opens a connection. A TCB contains the entire connection state. Connection state includes:

  1. Local sequence number.
  2. Sequence number sent by the remote client.

The number of ‘half-open’ TCP connections (TCP connections in the SYN RCVD state) was most commonly limited to 100 until the mid-1990s in order to prevent the entity’s memory from overflowing. Therefore, a server could only have 100 ‘half-open’ TCP connections. When the limit was reached, the TCP entity stopped accepting new SYN segments.

Transmission Control Blocks (TCBs) must be maintained for every established TCP connection. A TCB holds all the information needed to send and receive segments, including:

  1. Local IP address.
  2. Remote IP address.
  3. Local TCP port number.
  4. Remote TCP port number.
  5. Current state of the TCP FSM.
  6. Maximum segment size (MSS).

[Figure: TCP three-way handshake]

What is a SYN flood attack?

Cloudflare's 2022 Q2 DDoS report said of network-layer DDoS attacks:

  • In 2022 Q2, network-layer DDoS attacks increased by 109% YoY. Attacks of 100 Gbps and larger increased by 8% QoQ, and attacks lasting more than 3 hours increased by 12% QoQ.
  • The top attacked industries were Telecommunications, Gaming / Gambling and the Information Technology and Services industry.
  • Organizations in the US were the most targeted, followed by China, Singapore, and Germany.

SYN flood (half-open attack) is a form of Network-Layer denial-of-service (DDoS) attack. A malicious attacker can overwhelm all available ports on a targeted server machine by repeatedly sending initial connection request (SYN) packets, causing the machine to respond slowly or not at all to legitimate traffic.

SYN Flood Attack Prevention

There are several ways to prevent SYN Flood attacks. SYN cookies can be used as one method.

IP spoofing attacks (SYN floods sent from forged source addresses) can be mitigated by answering SYN requests with crafted SYN-ACK responses without creating a new TCP TCB. This is how SYN cookies work: the server replies to each SYN with a crafted SYN-ACK, and only when the client answers that crafted response does the server create a TCB for the connection. When a server receives a TCP SYN flood, this technique prevents its resources from being exhausted.

How SYN cookies are used in DDoS prevention against SYN Flood attack:

The SYN cookie method solves this problem. Instead of picking an initial sequence number at random, the server uses a function that calculates it from data in both the client's and the server's SYN packets. Suppose the SYN+ACK carries this number as y-1. When the client's ACK arrives acknowledging y, the reverse function can verify that y is valid. If the check succeeds the connection is established; if it fails the connection is refused. Unlike the TCB approach, SYN cookies do not require the server to create and store a TCB when it receives a SYN segment.
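The cookie construction and the reverse check described above, as an added example that is not from the original post or from any kernel's implementation; the bit layout, the MSS table, the 64-second time slot and the key are all assumptions chosen for the demo.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed illustration of the SYN-cookie idea (not kernel or BSD code).
# 32-bit initial sequence number layout, loosely following Bernstein's design:
#   bits 31..27 : time counter (advances once per 64-second slot)
#   bits 26..24 : index into MSS_TABLE (the "SYN queue entry" we need back)
#   bits 23..0  : keyed hash over the 4-tuple and the counter
MSS_TABLE = [536, 1220, 1440, 1460]
SECRET_KEY = b"constructed-demo-key"  # a real server draws this randomly at boot

def _mac24(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed hash that binds the cookie to one connection and time slot."""
    msg = (ipaddress.ip_address(src_ip).packed + struct.pack("!H", src_port)
           + ipaddress.ip_address(dst_ip).packed + struct.pack("!HB", dst_port, counter))
    return int.from_bytes(hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()[:3], "big")

def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """ISN for the SYN+ACK; nothing is stored server-side for this SYN."""
    counter = (now // 64) & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry the client accepts
        if mss <= client_mss:
            mss_idx = i
    return (counter << 27) | (mss_idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, counter)

def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now):
    """Validate the client's ACK and recover the MSS without ever having had a TCB.

    Returns the MSS if the cookie is genuine and at most one slot old, else None
    (the caller then drops the ACK, which is what defeats spoofed floods).
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF            # the client acknowledges ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = ((now // 64) - counter) & 0x1F             # slots elapsed, modulo 32
    if age > 1 or mss_idx >= len(MSS_TABLE):
        return None                                  # stale or malformed cookie
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    want = _mac24(src_ip, src_port, dst_ip, dst_port, counter).to_bytes(3, "big")
    return MSS_TABLE[mss_idx] if hmac.compare_digest(got, want) else None
```

A flood of spoofed SYNs costs the server one hash per packet and no memory; only an ACK whose acknowledgement number matches the recomputed cookie for that 4-tuple turns into a TCB.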

A firewall (for example a Cisco ASAv) can step in as the TCP server and refuse to let so many half-formed sessions reach the real server. The threshold is set on the firewall: if the number of half-open TCP sessions, sometimes referred to as embryonic connections, exceeds it, the firewall takes action.

Instead of allowing the TCP request to reach the server, the firewall intercepts it and replies on the server's behalf. In other words, once the threshold is reached the firewall answers new clients itself and determines whether they are malicious. If the client proves valid by completing the final ACK, the ASA treats the connection as verified, performs its own three-way handshake with the server and then joins the two sessions.
