TCP SYN Flooding Attacks and Common Mitigations
RFC 4987
Document type: RFC - Informational (August 2007; no errata)
Author: Wesley Eddy
Last updated: 2015-10-14
Stream: IETF
Responsible AD: Lars Eggert
Network Working Group                                            W. Eddy
Request for Comments: 4987                                       Verizon
Category: Informational                                      August 2007
TCP SYN Flooding Attacks and Common Mitigations
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document describes TCP SYN flooding attacks, which have been
well-known to the community for several years. Various
countermeasures against these attacks, and the trade-offs of each,
are described. This document archives explanations of the attack and
common defense techniques for the benefit of TCP implementers and
administrators of TCP servers or networks, but does not make any
standards-level recommendations.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Attack Description . . . . . . . . . . . . . . . . . . . . . . 2
2.1. History . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 3
3. Common Defenses . . . . . . . . . . . . . . . . . . . . . . . 6
3.1. Filtering . . . . . . . . . . . . . . . . . . . . . . . . 6
3.2. Increasing Backlog . . . . . . . . . . . . . . . . . . . . 7
3.3. Reducing SYN-RECEIVED Timer . . . . . . . . . . . . . . . 7
3.4. Recycling the Oldest Half-Open TCB . . . . . . . . . . . . 7
3.5. SYN Cache . . . . . . . . . . . . . . . . . . . . . . . . 8
3.6. SYN Cookies . . . . . . . . . . . . . . . . . . . . . . . 8
3.7. Hybrid Approaches . . . . . . . . . . . . . . . . . . . . 10
3.8. Firewalls and Proxies . . . . . . . . . . . . . . . . . . 10
4. Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
5. Security Considerations . . . . . . . . . . . . . . . . . . . 13
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
7. Informative References . . . . . . . . . . . . . . . . . . . . 13
Appendix A. SYN Cookies Description . . . . . . . . . . . . . . . 16
Eddy Informational [Page 1]
RFC 4987 TCP SYN Flooding August 2007
1. Introduction
The SYN flooding attack is a denial-of-service method affecting hosts
that run TCP server processes. The attack takes advantage of the
state retention TCP performs for some time after receiving a SYN
segment to a port that has been put into the LISTEN state. The basic
idea is to exploit this behavior by causing a host to retain enough
state for bogus half-connections that there are no resources left to
establish new legitimate connections.
This SYN flooding attack has been well-known to the community for
many years, and has been observed in the wild by network operators
and end hosts. A number of methods have been developed and deployed
to make SYN flooding less effective. Despite the notoriety of the
attack, and the widely available countermeasures, the RFC series only
documented the vulnerability as an example motivation for ingress
filtering [RFC2827], and has not suggested any mitigation techniques
for TCP implementations. This document addresses both points, but
does not define any standards. Formal specifications and
requirements of defense mechanisms are outside the scope of this
document. Many defenses only impact an end host's implementation
without changing interoperability. These may not require
standardization, but their side-effects should at least be well
understood.
This document intentionally focuses on SYN flooding attacks from an
individual end host or application's perspective, as a means to deny
service to that specific entity. High packet-rate attacks that
target the network's packet-processing capability and capacity have
been observed operationally. Since such attacks target the network,
and not a TCP implementation, they are out of scope for this
document, whether or not they happen to use TCP SYN segments as part
of the attack, as the nature of the packets used is irrelevant in
comparison to the packet-rate in such attacks.
The majority of this document consists of three sections. Section 2
explains the SYN flooding attack in greater detail. Several common
mitigation techniques are described in Section 3. An analysis and
discussion of these techniques and their use is presented in
Section 4. Further information on SYN cookies is contained in
Appendix A.
2. Attack Description
This section describes both the history and the technical basis of
the SYN flooding attack.