During the past few years, service providers have been implementing more proactive defenses, using automated sensors and blocking technology to look for unusual traffic patterns that are often associated with a DDoS attack. Mechanisms, implemented in tools like Arbor Networks Inc.'s Peakflow, Cisco Systems Inc.'s Guard DDoS mitigation appliances and Mazu Networks Inc.'s Enforcer, look for the tell-tale sign of a SYN flood.
Before discussing SYN flood detection mechanisms, it'll be useful to review the process of a Transmission Control Protocol (TCP) connection. When a client attempts to connect with a server, the server must first perform a passive open, where it first binds to a port and initiates it for connections. Then a client may open and establish a connection. TCP, however, requires what is often referred to as a three-way handshake:
The client and server have then received an acknowledgement of the connection.
With a SYN flood, the attacker launches a barrage of session initiation packets, specifically TCP SYN packets, but never completes the connection. Detection tools sense the SYN from the attacking bots, the SYN-ACK from the victim, but the final leg of the three-way handshake never occurs, a distinct pattern that indicates a likely flood. Some ISPs will block packets once they detect such a pattern.
In an attempt to dodge ISP pattern-recognition filters, some attackers are moving from SYN floods to HTTP floods. HTTP floods, unlike SYN floods, actually complete the three-way handshake. With an HTTP flood, the attacking machine sends a SYN, and the victim responds with a SYN-ACK. The attacker completes the three-way handshake with an ACK and then issues an HTTP GET request for a common page on the target (such as index.html). An HTTP flood resembles the patterns of normal Web surfing, making it harder for automated tools to differentiate. As usual for the information security space, the ISPs have raised the bar in proactive DDoS defenses, while the attackers are working hard to jump over it.
Dig Deeper on Denial of Service (DoS) Attack Prevention-Detection and Analysis
Related Q&A from Ed Skoudis, Contributor
At Black Hat 2006, researcher Joanna Rutkowska unveiled a piece of machine-based malware called the Blue Pill. But is it a serious threat to your ...continue reading
There are some rare forms of malware that antivirus software doesn't pick up on, but there are some good tools to remove all sorts of malware.continue reading
By viewing a page's HTML source code and writing malicious scripts to a drop-down list, hackers may be able to re-post the malicous page to the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.