TCP SYN Flooding Attacks and Common Mitigations
RFC 4987
| Field | Value |
|---|---|
| Type | RFC - Informational (August 2007; No errata) |
| Author | Wesley Eddy |
| Last updated | 2015-10-14 |
| Stream | IETF |
| Formats | plain text, html, pdf, htmlized, bibtex |
| WG state | (None) |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 4987 (Informational) |
| Action Holders | (None) |
| Consensus Boilerplate | Unknown |
| Responsible AD | Lars Eggert |
| Send notices to | (None) |
Network Working Group                                            W. Eddy
Request for Comments: 4987                                       Verizon
Category: Informational                                      August 2007

TCP SYN Flooding Attacks and Common Mitigations

Status of This Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The IETF Trust (2007).

Abstract

This document describes TCP SYN flooding attacks, which have been well-known to the community for several years. Various countermeasures against these attacks, and the trade-offs of each, are described. This document archives explanations of the attack and common defense techniques for the benefit of TCP implementers and administrators of TCP servers or networks, but does not make any standards-level recommendations.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Attack Description . . . . . . . . . . . . . . . . . . . . . . 2
   2.1. History . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 3
3. Common Defenses . . . . . . . . . . . . . . . . . . . . . . . 6
   3.1. Filtering . . . . . . . . . . . . . . . . . . . . . . . . 6
   3.2. Increasing Backlog . . . . . . . . . . . . . . . . . . . . 7
   3.3. Reducing SYN-RECEIVED Timer . . . . . . . . . . . . . . . 7
   3.4. Recycling the Oldest Half-Open TCB . . . . . . . . . . . . 7
   3.5. SYN Cache . . . . . . . . . . . . . . . . . . . . . . . . 8
   3.6. SYN Cookies . . . . . . . . . . . . . . . . . . . . . . . 8
   3.7. Hybrid Approaches . . . . . . . . . . . . . . . . . . . . 10
   3.8. Firewalls and Proxies . . . . . . . . . . . . . . . . . . 10
4. Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
5. Security Considerations . . . . . . . . . . . . . . . . . . . 13
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
7. Informative References . . . . . . . . . . . . . . . . . . . . 13
Appendix A. SYN Cookies Description . . . . . . . . . . . . . . . 16

Eddy                         Informational                      [Page 1]
RFC 4987                    TCP SYN Flooding                 August 2007

1. Introduction

The SYN flooding attack is a denial-of-service method affecting hosts that run TCP server processes. The attack takes advantage of the state retention TCP performs for some time after receiving a SYN segment to a port that has been put into the LISTEN state. The basic idea is to exploit this behavior by causing a host to retain enough state for bogus half-connections that there are no resources left to establish new legitimate connections.

This SYN flooding attack has been well-known to the community for many years, and has been observed in the wild by network operators and end hosts. A number of methods have been developed and deployed to make SYN flooding less effective. Despite the notoriety of the attack, and the widely available countermeasures, the RFC series only documented the vulnerability as an example motivation for ingress filtering [RFC2827], and has not suggested any mitigation techniques for TCP implementations. This document addresses both points, but does not define any standards. Formal specifications and requirements of defense mechanisms are outside the scope of this document. Many defenses only impact an end host's implementation without changing interoperability. These may not require standardization, but their side-effects should at least be well understood.

This document intentionally focuses on SYN flooding attacks from an individual end host or application's perspective, as a means to deny service to that specific entity. High packet-rate attacks that target the network's packet-processing capability and capacity have been observed operationally. Since such attacks target the network, and not a TCP implementation, they are out of scope for this document, whether or not they happen to use TCP SYN segments as part of the attack, as the nature of the packets used is irrelevant in comparison to the packet-rate in such attacks.

The majority of this document consists of three sections. Section 2 explains the SYN flooding attack in greater detail. Several common mitigation techniques are described in Section 3. An analysis and discussion of these techniques and their use is presented in Section 4. Further information on SYN cookies is contained in Appendix A.

2. Attack Description

This section describes both the history and the technical basis of the SYN flooding attack.
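The Introduction's point is that each SYN to a LISTEN port costs the server a half-open TCB that is held until the handshake completes or the SYN-RECEIVED timer expires, so the attack is a race between the arrival rate and the timer. The following model, added here as an illustration and not part of RFC 4987, keeps that accounting for a single listener and shows legitimate handshakes failing once the backlog is full; the backlog size, timer values and address/port values are constructed assumptions, and the `timeout` parameter also lets the reader see the effect of the shorter SYN-RECEIVED timer that the Table of Contents lists as one mitigation.

```python
# Added illustration for RFC 4987's Introduction; not part of the RFC.
# Models the state a listener retains for each SYN to a LISTEN port (one
# half-open TCB until the handshake completes or the SYN-RECEIVED timer
# expires). Backlog size, timer and rates are constructed values.
from dataclasses import dataclass, field

@dataclass
class Listener:
    backlog: int                # max simultaneous half-open TCBs
    syn_recv_timeout: float     # seconds a half-open TCB is retained
    half_open: dict = field(default_factory=dict)  # (ip, port) -> expiry
    dropped: int = 0            # SYNs refused because the backlog was full

    def expire(self, now):
        """Release TCBs whose SYN-RECEIVED timer has run out."""
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}

    def on_syn(self, now, src):
        """SYN arrives: allocate a half-open TCB if the backlog has room."""
        self.expire(now)
        if src in self.half_open:
            return True             # retransmitted SYN, already tracked
        if len(self.half_open) >= self.backlog:
            self.dropped += 1       # no room left: this SYN is lost
            return False
        self.half_open[src] = now + self.syn_recv_timeout
        return True

    def on_ack(self, now, src):
        """Final handshake ACK: the half-open TCB becomes established."""
        self.expire(now)
        return self.half_open.pop(src, None) is not None

def simulate(backlog=128, timeout=60.0, flood_rate=10, duration=120):
    """Spoofed SYNs (constructed, never completed) arrive at flood_rate/s;
    one legitimate client attempts a full handshake each second."""
    lis = Listener(backlog, timeout)
    legit_ok = legit_fail = 0
    for sec in range(duration):
        now = float(sec)
        for i in range(flood_rate):
            lis.on_syn(now, (f"203.0.113.{i}", 40000 + sec))
        src = ("192.0.2.10", 50000 + sec)
        if lis.on_syn(now, src) and lis.on_ack(now + 0.01, src):
            legit_ok += 1
        else:
            legit_fail += 1
    return {"half_open": len(lis.half_open), "dropped": lis.dropped,
            "legit_ok": legit_ok, "legit_fail": legit_fail}
```

With the default 60-second timer the backlog of 128 fills after 12 seconds and every later legitimate handshake is refused; with `timeout=5.0` the same flood never holds more than 50 TCBs and all legitimate clients get through, which is the trade-off the document goes on to analyse.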