
Thread: Am I being Dos'd?

  1. #11
    Opus00 (Senior Member)
    Quote Originally Posted by Ippersiel
    I'm not too familiar with these things, but if someone was being flooded by 10,000 connections, wouldn't that overload the TCP Intercept and in essence satisfy the DoS attack as well?

    This is how the SYN attack works. The TCP 3-way handshake: the remote sends a SYN, you send a SYN/ACK back and wait for a period of time (3 seconds); if you do not get an ACK back, you resend the SYN/ACK and wait (now 6 seconds). This happens about 4 times, holding a socket open for approximately a minute or so.

    Now if you receive 10,000 SYNs, eventually all of your file descriptors for sockets get used up and you can no longer service sockets.

    What TCP Intercept does is keep track of the number of opened connections (those without a corresponding ACK). If any IP sends, let's say, 5 open connections and does not receive an ACK, TCP Intercept will no longer accept connections from that IP and will not use any more resources for that IP. (I think the term Cisco uses for this is embryonic or something close to that.)

    Now if it is 10,000 connections from 10,000 different IPs, TCP Intercept only sees 1 open connection from each IP and will not shun them until the limit of 5 open connections is seen, which would then need to be 50,000 connections, and you are toast by then anyway.
    Last edited by Opus00; August 10th, 2007 at 07:46 PM.
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.
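A small model of the two cases Opus00 describes, added here as an illustration (this is constructed example code, not anything from the thread or from Cisco): a half-open table with a 45 s hold time (3 + 6 + 12 + 24 s of SYN/ACK retransmits), a TCP-Intercept-style per-source limit of 5, and a 1024-socket pool. The source addresses, pool size and limit are made-up assumptions.

```python
from collections import defaultdict

# SYN/ACK retransmit schedule from the post: wait 3 s, resend, wait 6 s, and so on,
# about four times, so one unanswered SYN holds a socket for roughly 45 s.
HOLD_TIME = sum([3.0, 6.0, 12.0, 24.0])

class HalfOpenTable:
    # Constructed model of a host's embryonic-connection table plus a
    # TCP-Intercept-style per-source limit; not Cisco code. Source IPs are made up.
    def __init__(self, max_sockets, per_ip_limit):
        self.max_sockets, self.per_ip_limit = max_sockets, per_ip_limit
        self.half_open = {}               # (src_ip, src_port) -> time the SYN arrived
        self.per_ip = defaultdict(int)    # embryonic count per source IP
        self.shunned = set()              # sources that exceeded the limit

    def release(self, src_ip, src_port):
        # Called when the ACK arrives or when the retransmit schedule runs out.
        del self.half_open[(src_ip, src_port)]
        self.per_ip[src_ip] -= 1

    def expire(self, now):
        for (ip, port), t0 in list(self.half_open.items()):
            if now - t0 >= HOLD_TIME:
                self.release(ip, port)

    def on_syn(self, src_ip, src_port, now):
        self.expire(now)
        if src_ip in self.shunned or self.per_ip[src_ip] >= self.per_ip_limit:
            self.shunned.add(src_ip)      # intercept: stop spending resources on it
            return "shunned"
        if len(self.half_open) >= self.max_sockets:
            return "no-socket"            # descriptors exhausted: the flood succeeded
        self.half_open[(src_ip, src_port)] = now
        self.per_ip[src_ip] += 1
        return "syn-ack-sent"

def single_source_flood(n, limit=5, max_sockets=1024):
    # One attacker IP sending n SYNs: only `limit` get a SYN/ACK, the rest are shunned.
    t = HalfOpenTable(max_sockets, limit)
    r = [t.on_syn("203.0.113.7", 40000 + i, now=0.0) for i in range(n)]
    return r.count("syn-ack-sent"), r.count("shunned")

def distributed_flood(n_ips, limit=5, max_sockets=1024):
    # One SYN from each of n_ips sources: nobody trips the limit, the table fills,
    # and only the ~45 s timeout frees sockets again.
    t = HalfOpenTable(max_sockets, limit)
    r = [t.on_syn(f"10.{i >> 8 & 255}.{i & 255}.1", 40000, now=0.0) for i in range(n_ips)]
    late = t.on_syn("192.0.2.50", 50000, now=HOLD_TIME)   # a late SYN after expiry
    return r.count("syn-ack-sent"), r.count("no-socket"), len(t.shunned), late
```

With 10,000 sources the per-IP limit never triggers and 8,976 SYNs find no free socket, which is the "toast by then" case; the same 10,000 SYNs from one source are cut off after 5.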

  2. #12
    Member
    Thanks for the explanation Opus00.

    So from my understanding, if you're being DDoS'd from a small group of people, let's say, like a script kiddies' "clan", then the ACK back method would shield someone from being overloaded.

    But if you have a bot net that's flooding your gates, your router will be locked up with too many waits for ACK backs.

    Another question about this: If the router gets those 10,000 packets and gets held up waiting for 50,000 backs, does it lock up and require a reboot or can it eventually process all 50,000 and start to ignore all 10,000 IPs?

  3. #13
    Quote Originally Posted by Ippersiel
    Thanks for the explanation Opus00.

    So from my understanding, if you're being DDoS'd from a small group of people, let's say, like a script kiddies' "clan", then the ACK back method would shield someone from being overloaded.

    But if you have a bot net that's flooding your gates, your router will be locked up with too many waits for ACK backs.

    Another question about this: If the router gets those 10,000 packets and gets held up waiting for 50,000 backs, does it lock up and require a reboot or can it eventually process all 50,000 and start to ignore all 10,000 IPs?
    Even the most basic firewall or routing devices wouldn't have any problem handling the types of SYN attacks mentioned by Opus00. The firewall or device will normally have a setting for the embryonic limit, which basically means how many half-open (or waiting) connections someone can try to open into one of my internal machines.

    All firewalls (normally) then have an embryonic connection timeout period after which all such connections are simply dropped. There is no attempt to process any more data; just toss it in the bit bucket, or, if you've configured it that way, send it to a log file of some sort.

    Hope this helps, but if it's too simply explained please feel free to make your eyes bleed reading:

    http://www.cisco.com/en/US/tech/tk82...800f67d5.shtml
    "Experience is the hardest teacher, it gives the test first and the lesson after." Anonymous

  4. #14
    Member
    Exactly right Opus, at layer 3---TCP SYN attacks are at the transport layer, though. An ACL could easily avoid spoofing attacks as you have stated (deny ip 10.x to your network, as well as 172.16.x.x/12 and 192.168.x.x/16).
    First off, limiting the number of half-open TCP connections (TCP SYN requests that have not yet been SYN-ACK'd by an answering node) to 500 would prevent the 10,000 TCP SYN requests from flooding the border router. Also, limiting the inbound and outbound TCP keepalives helps. A decent router that is capable of TCP Intercept (or a similar technology) can proxy-answer TCP SYN requests all day long, especially coming from not so many different IP addresses---once a SYN request is not answered by the attacking host, not only is the packet dropped, but the router may also be configured to then block the IP address on the fly by way of CBAC, or Context-Based Access Control.

    Tim

  5. #15
    Member
    Quote Originally Posted by c1sc0m4n
    First off, limiting the number of half-open TCP connections (TCP SYN requests that have not yet been SYN-ACK'd by an answering node) to 500 would prevent the 10,000 TCP SYN requests from flooding the border router. Also, limiting the inbound and outbound TCP keepalives helps.
    A follow-up question. Would this not also make it hard for a legitimate request to come in? Wouldn't the 500 be so busy dealing with the bogus requests that the legitimate user would be missed, or just receive a slow response?

  6. #16
    Quote Originally Posted by Ippersiel
    A follow-up question. Would this not also make it hard for a legitimate request to come in? Wouldn't the 500 be so busy dealing with the bogus requests that the legitimate user would be missed, or just receive a slow response?
    The CBAC that he mentioned does give a small performance hit on any router. This is just due to the fact that you're doing all your processing in software, and the more you do the more you slow your router (routers are not specifically designed as firewalls, but do a good enough job, sometimes).

    This type of attack would not noticeably hurt even the CBAC system, but this is because of the way traffic is handled by any gateway device (the old name for a firewall). See, traffic is not automatically allowed into your network; in fact traffic that does adhere to your specific set of rules (or your access lists) does not even get the courtesy of being examined further or forwarded, it is simply dropped.

    To the question of legitimate traffic, well, that's defined two ways. Either by your rules that I just mentioned, or by dynamically created access lists that are created as a packet leaves and only remain open for a specific time frame. These (very simplified) work something like this (forgive me if I don't want to build a real packet, that would require opening an old college book):

    sender's IP :to: destination IP :using: port number

    The router will only allow something to come back in that looks like

    destination IP :to: sender IP :using: (port number expected by router)


    So what I'm trying to say is that properly configured gateway devices do not suffer in the event of most dos, ddos or syn attacks as they do not suffer the attackers (yes, it's a play on words).
    Last edited by The_Captain; August 11th, 2007 at 06:14 AM.
    "Experience is the hardest teacher, it gives the test first and the lesson after." Anonymous
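The dynamic access-list behaviour described in the post above, modelled as a short added example (constructed here, not code from the thread or from Cisco's CBAC): an outbound packet opens a return-path entry keyed on both addresses and both ports, a matching reply is permitted and refreshes the timer, and everything else, including an unsolicited SYN, is dropped. The addresses, ports and 30 s lifetime are made-up assumptions.

```python
class ReflexiveAcl:
    # Constructed model of the dynamic access list described in the post (not Cisco
    # CBAC code): an outbound packet opens a return-path entry that lives for
    # `lifetime` seconds; addresses and ports below are made up.
    def __init__(self, lifetime=30.0):
        self.lifetime = lifetime
        self.entries = {}   # (inside_ip, inside_port, outside_ip, outside_port) -> expiry

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now):
        # sender's IP :to: destination IP :using: port number
        self.entries[(src_ip, src_port, dst_ip, dst_port)] = now + self.lifetime
        return "permit"

    def inbound(self, src_ip, src_port, dst_ip, dst_port, now):
        # Only "destination IP :to: sender IP :using: (port number expected by router)"
        # matches an entry; anything else, including an unsolicited SYN, is dropped.
        key = (dst_ip, dst_port, src_ip, src_port)
        expiry = self.entries.get(key)
        if expiry is None or now > expiry:
            self.entries.pop(key, None)   # stale entry is removed, packet is dropped
            return "drop"
        self.entries[key] = now + self.lifetime   # live reply refreshes the timer
        return "permit"

def walk_through():
    acl = ReflexiveAcl(lifetime=30.0)
    acl.outbound("192.0.2.10", 51234, "198.51.100.5", 80, now=0.0)   # inside host opens HTTP
    return (
        acl.inbound("198.51.100.5", 80, "192.0.2.10", 51234, now=1.0),   # the reply: permit
        acl.inbound("198.51.100.5", 80, "192.0.2.10", 51235, now=1.0),   # wrong inside port
        acl.inbound("198.51.100.5", 443, "192.0.2.10", 51234, now=1.0),  # wrong outside port
        acl.inbound("203.0.113.9", 80, "192.0.2.10", 51234, now=1.0),    # unsolicited source
        acl.inbound("198.51.100.5", 80, "192.0.2.10", 51234, now=40.0),  # entry expired
    )
```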
