The SYN/ACK attack is a very powerful attack. SYN/ACK packets are also used in TCP hijacking, and the TCP/IP three way handshake. When an application wants to connect with a server somewhere over the net via a TCP connection (connection vs connectionless data transfer (UDP)) it first sends a SYN packet. The SYN packet tells the target machine he wants to make a connection on a certain specified port, and then send data. When the target machine read the SYN packet it replies to the original host with a SYN packet of his own and an ACK (acknowledgement) packet with sequence and ack numbers. These SEQ and ACK numbers are used to synchronize the data transfer, incase one or two packets gets lost or slowed down along its route, it can be assembled again in the correct order. The orignal machine replies again with another SYN ACK packet combination acknowledging the sequencing numbers and then it starts to send data. When it creates this connection a tiny piece of memory is allocated to hold the connection while the packets are in route. Now a SYN/ACK attack would consist of spoofing the source IP address on the original SYN packet. The target receives the request for a connection, reads the spoofed source IP and tries to send its own SYN and ACK packet to a destination that does not exist. Most operating systems will continue to send SYN/ACK packets if they dont receive a reply as a method of error correction and guaranteed data delivery. Just like in the ICMP attack the machine has to wait a few milliseconds before abandoning all hope of reaching the machine. So these tiny allocated spaces of memory are building up with every spoofed packet that arrives at the target. This attack is very powerful and can disable a service running on the target machine in a matter of minutes. Not to mention all the available bandwidth is eaten with thousands and thousands of spoofed packets. So there is the SYN/ACK attack in a brief description.
[zombie machine] --> SYN packet (source IP 1.1.1.1, port = 23 telnet) (seq = 100) --> [target]
[??????????????] <-- SYN/ACK packets sent (seq = 300) (ack = 101) <-- [target]
As you can see from the simple drawing above the target machine has no idea who is sending the SYN packets and the telnet server he is running on port 23 would most likely crash. At best the telnet daemon would not allow any other legitimate traffic through, as it could not gather enough resources (memory, bandwidth) to make the connection due to all the spoofed packets.
Another use of this attack is to disconnect a user from their current TCP session. By spoofing SYN/ACK packets to a server a client is currently using. An attacker would place a "FIN" flag in the packets, this tells the server the client is done sending data. Client uses his connection and attacker walks away undetected, because it only took one packet to accomplish this.
No comments:
Post a Comment