Denial-of-service (DoS) attacks just got worse - and easier! DoS is actually a grab bag of a great many techniques (such as worms and SYN flooding), all with the objective of denying legitimate clients access to services running on Internet based servers.
So, let's be specific - this next generation of DoS attacks uses the SYN flooding method but with a twist. It doesn't send millions of SYN packets to the server under attack but 'reflects' them off of any router or server connected to the Internet; and there are millions!
To understand how it works and why you should be very concerned, let's go back to the classroom. The establishment of a TCP connection typically requires the exchange of three Internet packets between two machines in an interchange known as the TCP three-way handshake. Here's how it works:
What Happens During a 'Reflection' Attack?
Traditional SYN flooding DoS attacks are either one-on-one (one machine sending out enough SYN packets to the target machine to effectively choke off access to the other machine) or many-on-one (SYN flooding 'zombie' programs loaded by the attacker into compromised machines and commanded by the attacker to send huge volumes of SYN commands to the target machine). With a reflection SYN flooding attack the attacking machines send out huge volumes of SYN packets but with the IP source address pointing to the target machine. The TCP three-way handshake requires that any TCP based service that receives a SYN packet must respond with a SYN/ACK packet. The servers and routers that receive these fraudulent SYN packets dutifully send out the SYN/ACK packet to the machine pointed to by the SYN packets IP source address. The Internet's most basic protocol and core infrastructure is used against itself!
Since we have been dealing with this for some time, how bad is it really?
Consider this, any general-purpose TCP connection-accepting Internet server could be used to reflect SYN packets. Here is a short list of the more popular TCP ports: 22 (Secure Shell), 23 (Telnet), 53 (DNS) and 80 (HTTP/web). And, virtually all of the Internet's routers will accept TCP connections on port 179. To fully comprehend the potential of this new form of DoS attack consider this:
Generating and Using the 'SYN Packet Reflector' List
A simple script can be constructed to collect a large number of 'SYN packet reflection' capable routers and servers. Well-known web server farms, such as eBay and Yahoo, are easily available. Simple port scans through high bandwidth IP regions will reveal thousands, if not millions, of available TCP servers. Readily available tools such as Trace Route provide the IP address of every Internet router between the tracer and any other IP address.
Given a large list of SYN packet reflectors, each SYN spoofing attack host can distribute its fraudulent SYN packets evenly across every reflector on its list. The big win for the attacker is that since the SYN flooding machine is distributing its packets across a huge number of SYN packet reflectors, none of the innocent reflectors will experience significant levels of incomplete TCP connections. And, since routers generally do not retain any record of previously routed packets, it makes tracking an attack from the victim to the attacker extremely difficult.
Things get worse.
As if ease of attack and ubiquity of reflectors were not bad enough, it turns out that the reflectors will generate three or four times more SYN/ACK packets than the number of SYN packets they receive. Since the TCP connection that receives the SYN command is expecting to receive an ACK back from the machine it sent the SYN/ACK response to, it will send out three or four more SYN/ACK responses over the next few minutes. This TCP protocol feature essentially multiplies the number of malicious SYN/ACK packets being sent to the target machine by a factor of three or four. It also means that the flood of SYN/ACK packets will continue to disable the target site for a minute or two even after the attacker has called off the attack.
The basic connection unit in the Internet is the router. Some routers serve only a small number of machines while other 'aggregation routers' collect and disperse large amounts of packet traffic from smaller networks. During normal operations, the traffic flowing through the aggregation routers can be sorted and forwarded to the router's various lower bandwidth client networks. Now imagine a SYN/ACK flood that is so large that it starts to degrade the performance of the aggregation router. Having to process and disperse so many packets to the client networks, the router will drop and discard a portion of the packets. Legitimate Internet clients, trying to access resources that have nothing to do with the target under attack, will also experience degraded, or complete denial of, service.
What Can Be Done?
Unfortunately there is no short or easy answer. However, here are some defense tactics:
Business and commerce continue to forge ahead with integration to the Internet. The cost of bandwidth and connected machines continues to drop. As the techniques for mounting attacks on Internet residents becomes easier and more powerful, we will undoubtedly see a continued rise in the number and ferocity of attacks. And human ingenuity virtually guarantees that we will see continued innovation in the attack techniques themselves.
Rodney Denno is principal consultant, Open Systems Security (www.opensystemssecurity.com).