2022 was the year the world experienced an unprecedented rise in DDoS attacks. As networks grow more complex, DDoS attacks evolve with them, becoming more sophisticated and malicious. Some DDoS attack vectors are effective enough to overload a network to the point of crashing, resulting in downtime for the organization. One of the most common DDoS attack vectors is the SYN flood. Although the SYN flood isn’t a new attack vector, it is one of the most “reliable” for DDoS threat actors, and it is constantly evolving. An organization that wishes to maintain true DDoS resilience must understand the risks and implications of the SYN flood attack vector.
What is a SYN flood?
A SYN (synchronize) flood, generally launched from botnets, targets server resources through the firewall or perimeter defenses. It exploits a weakness in the TCP connection sequence (the “three-way handshake”) to consume server resources and prevent legitimate traffic from being accepted. Threat actors disrupt services by sending large numbers of SYN packets to a targeted server, in many cases from spoofed source IP addresses. Each SYN is a request to open a connection: the target responds with a SYN-ACK (synchronize-acknowledge) packet to signal receipt, and then waits for the requesting machine (the perpetrator) to complete the connection with a final ACK.
The target server thus receives many apparently legitimate connection requests and answers each attempt with a unique SYN-ACK packet from each open port. Before those half-open connections can time out, more SYN packets arrive, so the number of half-open connections keeps growing. The result is a flooded environment, hence the name SYN flood. A SYN flood can take effect in a matter of seconds: sometimes 10 seconds is enough at over 400 PPS (packets per second), and in recent years the numbers have tended to be much higher, consuming bandwidth and server resources to disrupt service.
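To make the half-open mechanism concrete, here is an added example (not code from the original post) that models a listener's SYN backlog: every SYN that gets a SYN-ACK occupies an entry until the final ACK arrives or a timeout expires, and once the table is full, new clients get nothing back. The capacity and timeout values, the spoofed-source pattern and the "400 PPS for 10 seconds" scenario are constructed to mirror the numbers in the text; the sysctl name in the comment is mentioned only as an analogy.

```python
from collections import OrderedDict

# Added example (not from the post): a toy model of a listener's SYN backlog,
# showing how unanswered SYN-ACKs accumulate as half-open connections until
# the backlog is full and new clients are refused. Capacity and timeout values
# are constructed; real stacks expose similar knobs (for example Linux
# net.ipv4.tcp_max_syn_backlog and the SYN-ACK retransmission limit).


class SynBacklog:
    """Half-open connection table kept while the server waits for the final ACK."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity          # maximum number of half-open entries
        self.timeout = timeout            # seconds an unanswered SYN-ACK is kept
        self.half_open = OrderedDict()    # (src_ip, src_port) -> arrival time
        self.dropped = 0                  # SYNs refused because the table was full
        self.established = 0              # handshakes completed by a final ACK

    def expire(self, now):
        """Discard entries whose SYN-ACK has gone unanswered longer than timeout."""
        for key, arrived in list(self.half_open.items()):
            if now - arrived > self.timeout:
                del self.half_open[key]
            else:
                break  # entries are in arrival order, so the remainder are newer

    def on_syn(self, now, src):
        self.expire(now)
        if src in self.half_open:
            return "retransmit"           # same client retrying; no new state
        if len(self.half_open) >= self.capacity:
            self.dropped += 1
            return "dropped"              # no SYN-ACK sent: the client sees an outage
        self.half_open[src] = now
        return "syn-ack"

    def on_ack(self, now, src):
        self.expire(now)
        if src not in self.half_open:
            return "no-state"             # ACK for a connection we never offered
        del self.half_open[src]
        self.established += 1
        return "established"


def simulate_flood(pps, seconds, capacity=256, timeout=10.0):
    """Feed `pps` spoofed SYNs per second for `seconds`; none is ever followed by an ACK.

    Returns (SYNs dropped during the flood, half-open entries left afterwards,
    and what a legitimate client arriving right after the flood gets back).
    """
    backlog = SynBacklog(capacity, timeout)
    for i in range(int(pps * seconds)):
        now = i / pps
        # Constructed spoofed sources drawn from the TEST-NET-2 documentation range
        src = ("198.51.100.%d" % (i % 254 + 1), 1024 + i % 60000)
        backlog.on_syn(now, src)
    flood_drops = backlog.dropped
    left = len(backlog.half_open)
    # A real client (TEST-NET-1 address) tries to connect as the flood ends
    verdict = backlog.on_syn(seconds, ("192.0.2.10", 40000))
    return flood_drops, left, verdict


if __name__ == "__main__":
    # The post's 400 PPS for 10 seconds against a 256-entry table with a 10 s timeout
    print(simulate_flood(400, 10))                   # (3744, 256, 'dropped')
    # The same rate with aggressive recycling of half-open entries still fails
    print(simulate_flood(400, 10, timeout=1.0)[2])   # 'dropped'
    # Normal traffic well under capacity/timeout is unaffected
    print(simulate_flood(10, 10))                    # (0, 100, 'syn-ack')
```

The useful takeaway for capacity planning is the ratio: a table of N entries with a timeout of T seconds saturates at roughly N/T unanswered SYNs per second, which is why shortening the timeout (the "recycling" discussed later in the post) only raises the bar rather than removing it.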
What can be typically done to block a SYN flood?
Traditionally, several mitigation practices are used against the SYN flood DDoS attack vector:
SYN cookies. Instead of keeping state for each half-open connection, the target server encodes a cookie in its SYN-ACK, which a legitimate client echoes back in its ACK. From the cookie alone the server can recognise a valid ACK and complete the connection.
RST cookies. When the target server receives a connection request, it deliberately sends an invalid SYN-ACK. A genuine client automatically responds with an RST (reset) packet. On receiving the RST, the target server recognises the client as genuine and allows its subsequent connection.
TCP intercept. A TCP intercept is a transparent proxy placed in front of the target server. The proxy accepts the client’s connection request and completes the three-way handshake with the client itself; only once the client’s ACK has arrived does the proxy open a connection to the server, so half-open connections never reach the server.
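The first of these practices is worth seeing in code, because the whole point is that the server stores nothing per half-open connection. Below is an added example (not code from the original post or any particular stack) of a constructed SYN-cookie scheme: the server derives its initial sequence number from a keyed hash over the connection 4-tuple, a coarse time counter and the client's ISN, and later validates the final ACK purely from the header fields it carries. The bit layout, secret key, MSS table and counter period are assumptions chosen for illustration; real implementations differ in detail.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example (not from the post): a constructed SYN-cookie scheme. The server
# encodes a cookie in the initial sequence number of its SYN-ACK instead of
# storing a half-open entry; a client that really completes the handshake echoes
# it back (ack = cookie + 1), and the server validates it statelessly. The bit
# layout, secret, MSS table and counter period are illustrative assumptions.

SECRET = b"constructed-per-boot-secret"   # real stacks use a random per-boot key
MSS_TABLE = (536, 1220, 1460)             # MSS values that fit in a 3-bit index
COUNTER_PERIOD = 64                       # seconds per counter tick
MAC_MASK = 0xFFFFFF                       # low 24 bits of the cookie carry the MAC


def _mac(src, dst, sport, dport, counter, client_isn):
    """Keyed hash over the 4-tuple, the time counter and the client's ISN (24 bits)."""
    msg = struct.pack("!4s4sHHII",
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed,
                      sport, dport, counter, client_isn)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, dst, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK: 5 bits counter, 3 bits MSS index, 24 bits MAC."""
    counter = int(now) // COUNTER_PERIOD
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i                     # largest table entry the client allows
    mac = _mac(src, dst, sport, dport, counter, client_isn)
    return ((counter % 32) << 27) | (mss_idx << 24) | mac


def check_cookie(src, dst, sport, dport, client_isn, server_isn, now):
    """Return the negotiated MSS if server_isn is a valid, fresh cookie, else None."""
    counter_bits = server_isn >> 27
    mss_idx = (server_isn >> 24) & 0x7
    mac = server_isn & MAC_MASK
    if mss_idx >= len(MSS_TABLE):
        return None                         # index a forger could set but we never emit
    current = int(now) // COUNTER_PERIOD
    # Accept the current tick and the previous one (cookie lifetime about 64-128 s)
    for counter in (current, current - 1):
        if counter < 0:
            continue
        if counter % 32 == counter_bits and \
                _mac(src, dst, sport, dport, counter, client_isn) == mac:
            return MSS_TABLE[mss_idx]
    return None


def handle_final_ack(src, dst, sport, dport, seq, ack, now):
    """Validate the third handshake packet using only its header fields.

    In the final ACK, seq == client_isn + 1 and ack == server_isn + 1, so the
    server recovers both ISNs without having stored anything for this client.
    """
    return check_cookie(src, dst, sport, dport,
                        (seq - 1) & 0xFFFFFFFF, (ack - 1) & 0xFFFFFFFF, now)


if __name__ == "__main__":
    # Constructed handshake: client 192.0.2.10:40000 -> server 198.51.100.1:443
    c_isn = 123456
    cookie = make_cookie("192.0.2.10", "198.51.100.1", 40000, 443, c_isn, 1460, 1000.0)
    # Legitimate client answers the SYN-ACK; nothing was stored in between
    print(handle_final_ack("192.0.2.10", "198.51.100.1", 40000, 443,
                           c_isn + 1, cookie + 1, 1010.0))   # 1460
    # Spoofed SYNs never produce an ACK, so they cost the server no state at all;
    # a forged ACK without the right cookie is rejected
    print(handle_final_ack("192.0.2.10", "198.51.100.1", 40000, 443,
                           c_isn + 1, cookie + 2, 1010.0))   # None
```

Two design choices matter for a defender evaluating a cookie-based mitigation: the time counter bounds how long a captured cookie stays replayable, and the few bits left for options are why stacks under SYN-cookie mode negotiate a reduced set of TCP options (here only a small MSS table).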
The problem with traditional SYN flood blocking
As with many DDoS attack vectors, traditional mitigation can address the threat, but only once its presence has been recognised. Most enterprises with mitigation solutions become aware of SYN floods only after they have happened. By then it is already too late: production is disrupted and downtime is already occurring because of the DDoS attack. In some cases only a portion of the SYN flood is blocked, which is futile as the packet rate increases; the network will eventually be flooded. Other cases have shown that recycling half-open connections might help to prevent the SYN flood, but again, if the traffic volume increases, the attack will continue and eventually succeed.
To set up mitigation layers properly and be DDoS resilient, organizations must be proactive and constantly perform DDoS tests, exposing the vulnerabilities in their DDoS attack surface and performing prioritized remediation actions. These steps can be taken quickly and effectively, preventing downtime, reputational damage, and disruption to production. By testing all known DDoS attack vectors, including SYN flood, against all targets, continuously and non-disruptively, an organization can uncover and remediate unknown DDoS mitigation vulnerabilities for an average improvement of over 200% in DDoS resilience.