Home / server / Questions / 142301
Accepted
Rob
Asked: 2010-05-15 09:11:44 +0800 CST

SYN flooding still a threat to servers?

  • 772

Well recently I've been reading about different Denial of Service methods. One method that kind of stuck out was SYN flooding. I'm a member of some not-so-nice forums, and someone was selling a python script that would DoS a server using SYN packets with a spoofed IP address.

However, if you sent a SYN packet to a server, with a spoofed IP address, the target server would return the SYN/ACK packet to the host that was spoofed. In which case, wouldn't the spoofed host return an RST packet, thus negating the 75 second long-wait, and ultimately failing in its attempt to DoS the server?

python tcp denial-of-service

1 Answers

  1. Best Answer

    There are several cases in which this might not happen.

    • The spoofed host might not exist.
    • It might exist, but be configured to silently drop a SYN/ACK that does not match a SYN packet that the host sent out.
    • It might exist and respond, but not have enough bandwidth to handle all incoming SYN/ACKs from the host under attack.

    SYN cookies can be used as a defense against SYN floods, by removing all server-side state during the handshake. (Check out how they work if you don't know, it's quite a brilliant hack that does not break the TCP spec.) SYN cookies are enabled on my Ubuntu Lucid system by default, so I'd expect that most servers use them nowadays.

    • 2