datatracker.ietf.org

TCP SYN Flooding Attacks and Common Mitigations
RFC 4987

Document type: RFC - Informational (August 2007)
Document stream: IETF
Last updated: 2013-03-02

IESG State: RFC 4987 (Informational)
Responsible AD: Lars Eggert

Network Working Group                                            W. Eddy
Request for Comments: 4987                                       Verizon
Category: Informational                                      August 2007

            TCP SYN Flooding Attacks and Common Mitigations

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document describes TCP SYN flooding attacks, which have been
   well-known to the community for several years.  Various
   countermeasures against these attacks, and the trade-offs of each,
   are described.  This document archives explanations of the attack and
   common defense techniques for the benefit of TCP implementers and
   administrators of TCP servers or networks, but does not make any
   standards-level recommendations.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Attack Description . . . . . . . . . . . . . . . . . . . . . .  2
     2.1.  History  . . . . . . . . . . . . . . . . . . . . . . . . .  3
     2.2.  Theory of Operation  . . . . . . . . . . . . . . . . . . .  3
   3.  Common Defenses  . . . . . . . . . . . . . . . . . . . . . . .  6
     3.1.  Filtering  . . . . . . . . . . . . . . . . . . . . . . . .  6
     3.2.  Increasing Backlog . . . . . . . . . . . . . . . . . . . .  7
     3.3.  Reducing SYN-RECEIVED Timer  . . . . . . . . . . . . . . .  7
     3.4.  Recycling the Oldest Half-Open TCB . . . . . . . . . . . .  7
     3.5.  SYN Cache  . . . . . . . . . . . . . . . . . . . . . . . .  8
     3.6.  SYN Cookies  . . . . . . . . . . . . . . . . . . . . . . .  8
     3.7.  Hybrid Approaches  . . . . . . . . . . . . . . . . . . . . 10
     3.8.  Firewalls and Proxies  . . . . . . . . . . . . . . . . . . 10
   4.  Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . . 13
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
   7.  Informative References . . . . . . . . . . . . . . . . . . . . 13
   Appendix A.  SYN Cookies Description . . . . . . . . . . . . . . . 16

Eddy                         Informational                      [Page 1]
RFC 4987                    TCP SYN Flooding                 August 2007

1.  Introduction

   The SYN flooding attack is a denial-of-service method affecting hosts
   that run TCP server processes.  The attack takes advantage of the
   state retention TCP performs for some time after receiving a SYN
   segment to a port that has been put into the LISTEN state.  The basic
   idea is to exploit this behavior by causing a host to retain enough
   state for bogus half-connections that there are no resources left to
   establish new legitimate connections.
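   The following model is an added illustration and is not code from
   RFC 4987 or from any TCP implementation.  It models only the behaviour
   the paragraph above describes: for every SYN it answers, a listening
   port retains a half-open TCB (state SYN-RECEIVED) until the third
   handshake segment arrives or a SYN-RECEIVED timer expires, and the
   number of half-open TCBs it will retain is bounded by a backlog.  The
   class names `Listener` and `HalfOpen`, the `simulate` driver, the
   backlog of 128, the 60-second timer and the addresses are all
   assumptions of this model.  Running it shows the point of the attack:
   the attacker does not need a high packet rate, only enough spoofed SYNs
   per second (roughly backlog divided by timer) to keep the table full,
   after which a legitimate client's SYN is dropped for as long as the
   flood continues.

```python
"""Model of a TCP listener under SYN flooding (added example, not RFC text)."""
import random
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Peer = Tuple[str, int]  # (address, port) of the remote end


@dataclass
class HalfOpen:
    """A SYN-RECEIVED TCB: the state the server retains after sending SYN-ACK."""
    peer: Peer
    isn: int       # server's initial sequence number carried in the SYN-ACK
    created: int   # model time (seconds) at which the SYN was accepted


@dataclass
class Listener:
    """Assumed listener: bounded table of half-open TCBs plus a reap timer."""
    backlog: int            # maximum number of half-open TCBs retained
    syn_recv_timeout: int   # seconds a half-open TCB survives without its ACK
    half_open: Dict[Peer, HalfOpen] = field(default_factory=dict)
    established: int = 0
    syns_dropped: int = 0   # SYNs refused because the backlog was full

    def reap(self, now: int) -> int:
        """Free every half-open TCB whose SYN-RECEIVED timer has expired."""
        expired = [p for p, tcb in self.half_open.items()
                   if now - tcb.created >= self.syn_recv_timeout]
        for p in expired:
            del self.half_open[p]
        return len(expired)

    def on_syn(self, peer: Peer, now: int) -> Optional[int]:
        """Handle a SYN: allocate a TCB and return the SYN-ACK's ISN, or
        None when the backlog is full and the SYN is silently dropped."""
        self.reap(now)
        if peer in self.half_open:                 # retransmitted SYN: reuse TCB
            return self.half_open[peer].isn
        if len(self.half_open) >= self.backlog:
            self.syns_dropped += 1
            return None
        isn = random.getrandbits(32)
        self.half_open[peer] = HalfOpen(peer, isn, now)
        return isn

    def on_ack(self, peer: Peer, ack: int, now: int) -> bool:
        """Third handshake segment: valid only if it acknowledges isn+1 of a
        TCB still in SYN-RECEIVED.  Success moves the connection to ESTABLISHED."""
        self.reap(now)
        tcb = self.half_open.get(peer)
        if tcb is None or ack != ((tcb.isn + 1) & 0xFFFFFFFF):
            return False
        del self.half_open[peer]
        self.established += 1
        return True


def simulate(backlog: int = 128, timeout: int = 60, flood_rate: int = 3,
             duration: int = 120) -> Tuple[int, int, int]:
    """Run `duration` model seconds.  Each second the attacker sends
    `flood_rate` SYNs from distinct spoofed sources that never answer the
    SYN-ACK; then one legitimate client sends a SYN and, if it is answered,
    the completing ACK.  Returns (legitimate connections established,
    legitimate attempts refused, peak number of half-open TCBs)."""
    srv = Listener(backlog, timeout)
    ok = failed = peak = 0
    spoofed = 0
    for now in range(duration):
        for _ in range(flood_rate):
            spoofed += 1  # constructed, distinct, unreachable source per SYN
            srv.on_syn((f"203.0.113.{spoofed % 256}", 1024 + spoofed // 256), now)
        peak = max(peak, len(srv.half_open))
        client: Peer = ("198.51.100.7", 40000 + now)   # constructed client
        isn = srv.on_syn(client, now)
        if isn is not None and srv.on_ack(client, (isn + 1) & 0xFFFFFFFF, now):
            ok += 1
        else:
            failed += 1
    return ok, failed, peak


if __name__ == "__main__":
    for rate in (0, 3, 50):
        ok, failed, peak = simulate(flood_rate=rate)
        print(f"flood {rate:2d} SYN/s: {ok:3d} legitimate connects, "
              f"{failed:3d} refused, peak half-open {peak}")
```

   With the assumed backlog of 128 and 60-second timer, three spoofed
   SYNs per second fill the table after about 42 seconds and hold it full
   thereafter, because the timer frees slots no faster than the flood
   refills them; every later legitimate SYN is dropped.  Raising the
   backlog or shortening the timer raises the rate an attacker must
   sustain, which is the trade-off the later sections of this document
   examine.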

   This SYN flooding attack has been well-known to the community for
   many years, and has been observed in the wild by network operators
   and end hosts.  A number of methods have been developed and deployed
   to make SYN flooding less effective.  Despite the notoriety of the
   attack, and the widely available countermeasures, the RFC series only
   documented the vulnerability as an example motivation for ingress
   filtering [RFC2827], and has not suggested any mitigation techniques
   for TCP implementations.  This document addresses both points, but
   does not define any standards.  Formal specifications and
   requirements of defense mechanisms are outside the scope of this
   document.  Many defenses only impact an end host's implementation
   without changing interoperability.  These may not require
   standardization, but their side-effects should at least be well
   understood.

   This document intentionally focuses on SYN flooding attacks from an
   individual end host or application's perspective, as a means to deny
   service to that specific entity.  High packet-rate attacks that
   target the network's packet-processing capability and capacity have
   been observed operationally.  Since such attacks target the network,
   and not a TCP implementation, they are out of scope for this
   document, whether or not they happen to use TCP SYN segments as part
   of the attack, as the nature of the packets used is irrelevant in
   comparison to the packet-rate in such attacks.

   The majority of this document consists of three sections.  Section 2
   explains the SYN flooding attack in greater detail.  Several common
   mitigation techniques are described in Section 3.  An analysis and
   discussion of these techniques and their use is presented in
   Section 4.  Further information on SYN cookies is contained in
   Appendix A.
