During the past few years, service providers have been implementing more proactive defenses, using automated sensors and blocking technology to look for unusual traffic patterns that are often associated with a DDoS attack. Mechanisms, implemented in tools like Arbor Networks Inc.'s Peakflow, Cisco Systems Inc.'s Guard DDoS mitigation appliances and Mazu Networks Inc.'s Enforcer, look for the tell-tale sign of a SYN flood.
Before discussing SYN flood detection mechanisms, it'll be useful to review the process of a Transmission Control Protocol (TCP) connection. When a client attempts to connect with a server, the server must first perform a passive open, where it first binds to a port and initiates it for connections. Then a client may open and establish a connection. TCP, however, requires what is often referred to as a three-way handshake:
The client and server have then received an acknowledgement of the connection.
With a SYN flood, the attacker launches a barrage of session initiation packets, specifically TCP SYN packets, but never completes the connection. Detection tools sense the SYN from the attacking bots, the SYN-ACK from the victim, but the final leg of the three-way handshake never occurs, a distinct pattern that indicates a likely flood. Some ISPs will block packets once they detect such a pattern.
In an attempt to dodge ISP pattern-recognition filters, some attackers are moving from SYN floods to HTTP floods. HTTP floods, unlike SYN floods, actually complete the three-way handshake. With an HTTP flood, the attacking machine sends a SYN, and the victim responds with a SYN-ACK. The attacker completes the three-way handshake with an ACK and then issues an HTTP GET request for a common page on the target (such as index.html). An HTTP flood resembles the patterns of normal Web surfing, making it harder for automated tools to differentiate. As usual for the information security space, the ISPs have raised the bar in proactive DDoS defenses, while the attackers are working hard to jump over it.
This was first published in April 2007