Preventing Connection Table Flooding using SYN-Cookies


To avoid filling up its connection table during SYN-flood-based Denial of Service (DoS) attacks, the CSM uses SYN-cookies, which were covered briefly in Chapter 4. With SYN-flood attacks, the attacker sets random source IP addresses in numerous SYN packets that it sends to its victim. The victim receives the SYN packet, creates an entry in its connection table, responds with a TCP SYN-ACK packet, and awaits the final ACK segment from the sender. The final segment never arrives. Thus, the victim's connection fills very quickly with incomplete TCP connection entries.

However, with SYN-cookies, instead of allocating a record for every SYN segment from its clients, the CSM sends SYN-ACK segments with carefully constructed sequence numbers generated as a hash of connection's 4-tuple, the Maximum Segment Size, and a secret that continuously changes as time goes by. The connection 4-tuple contains the source and destination IP addresses and source and destination ports. When valid clients respond to the SYN-ACK with an ACK, they will include this special sequence number, which the CSM can verify before creating the connection entry. Without SYN-cookies, the CSM creates connection entries when it receives the initial SYN packet from clients. With SYN-cookies, the CSM creates the connection when it verifies the client's ACK segment to complete the connection. Because SYN-flood attackers typically do not respond to SYN-ACK segments, the SYN-flood traffic will not flood the CSM's connection table. Figure 11-7 illustrates SYN-cookies in practice.

Figure 11-7. Using SYN-Cookies to Prevent SYN-Flood Traffic from Flooding the CSM Connection Table




Content Networking Fundamentals
Content Networking Fundamentals
ISBN: 1587052407
EAN: 2147483647
Year: N/A
Pages: 178

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net