
(8 Points) Describe the SMURF attack and the SYN flooding attack.


Question

(8 Points) Describe the SMURF attack and the SYN flooding attack.

SMURF attack
• The attacker sends a lot of PING packets on the broadcast IP address, and sets the source IP address in the packets to be your victim
• All hosts will reflexively respond to the PING at the victim
• The victim will be crushed under the load

SYN flooding attack is one form of DOS attack in which a victim server or firewall receives SYN packets at very high packet rates that can overwhelm the victim by making the system unresponsive to legitimate traffic.

Explanation / Answer

Here I am going to explain the SMURF Attack and the SYN Flooding Attack. Before going into the details, let's see a brief discussion about these attacks.

So basically these two attacks come under the DOS (Denial of Service) attack category. So let's head towards what a SMURF Attack is.

SMURF Attack:
Definition:

A smurf attack is a type of denial of service attack in which a system is flooded with spoofed ping messages. This creates high computer network traffic on the victim’s network, which often renders it unresponsive.

Smurfing takes certain well-known facts about Internet Protocol and Internet Control Message Protocol (ICMP) into account. ICMP is used by network administrators to exchange information about network state, and can also be used to ping other nodes to determine their operational status. The smurf program sends a spoofed network packet that contains an ICMP ping. The resulting echo responses to the ping message are directed toward the victim’s IP address. Large numbers of pings and the resulting echoes can make the network unusable for real traffic.

The following steps lead to a smurf attack:

1. Huge numbers of ICMP requests are sent to the victim's IP address
2. The source destination IP address is spoofed
3. The hosts on the victim's network respond to the ICMP requests
4. This creates a significant amount of traffic on the victim’s network, resulting in consumption of bandwidth and ultimately causing the victim’s server to crash.

To prevent a smurf attack, individual hosts and routers can be configured to be non-responsive to external ping requests or broadcasts. Routers can also be configured to ensure that packets directed to broadcast addresses are not forwarded.

A Smurf attack scenario can be broken down as follows:

1. Smurf malware is used to generate a fake Echo request containing a spoofed source IP, which is actually the target server address.
2. The request is sent to an intermediate IP broadcast network.
3. The request is transmitted to all of the network hosts on the network.
4. Each host sends an ICMP response to the spoofed source address.
5. With enough ICMP responses forwarded, the target server is brought down.

The amplification factor of the Smurf attack correlates to the number of hosts on the intermediate network. For example, an IP broadcast network with 500 hosts will produce 500 responses for each fake Echo request. Typically, each of the replies is of the same size as the original ping request.

It should be noted that, during the attack, the service on the intermediate network is likely to be degraded.

In addition to showing good internet citizenship, this should incentivize operators to prevent their networks from being unwitting Smurf attack participants.

To accomplish this you can:

1. Disable IP-directed broadcasts on your router.
2. Reconfigure your operating system to disallow ICMP responses to IP broadcast requests.
3. Reconfigure the perimeter firewall to disallow pings originating from outside your network.

Mitigation Methods:

Smurf attack mitigation relies on a combination of capacity overprovisioning (CO) and the existence of filtering services to identify and block illegal ICMP responses.

Through inspection of incoming traffic, all illegal packets—including unsolicited ICMP responses—are identified and blocked outside of your network.

SYN Flooding:

TCP SYN flood (also known as SYN flood) is a type of Distributed Denial of Service (DDoS) attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive.

Essentially, with SYN flood DDoS, the offender sends TCP connection requests faster than the targeted machine can process them, causing network saturation.

Attack description:

When a client and server establish a normal TCP three-way handshake, the exchange looks like this:

1. Client requests connection by sending a SYN (synchronize) message to the server.
2. Server acknowledges by sending a SYN-ACK (synchronize-acknowledge) message back to the client.
3. Client responds with an ACK (acknowledge) message, and the connection is established.

In a SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted server, often using a fake IP address. The server, unaware of the attack, receives multiple, apparently legitimate requests to establish communication. It responds to each attempt with a SYN-ACK packet from each open port.

The malicious client either does not send the expected ACK, or, if the IP address is spoofed, never receives the SYN-ACK in the first place. Either way, the server under attack will wait for acknowledgement of its SYN-ACK packet for some time.

During this time, the server cannot close down the connection by sending an RST packet, and the connection stays open. Before the connection can time out, another SYN packet will arrive. This leaves an increasingly large number of connections half-open and indeed SYN flood attacks are also referred to as “half-open” attacks. Eventually, as the server’s connection overflow tables fill, service to legitimate clients will be denied, and the server may even malfunction or crash.

While the classic SYN flood described above tries to exhaust network ports, SYN packets can also be used in DDoS attacks that try to clog your pipes with fake packets to achieve network saturation. The type of packet is not important. Still, SYN packets are often used because they are the least likely to be rejected by default.

Methods of Mitigation:

While modern operating systems are better equipped to manage resources, which makes it more difficult to overflow connection tables, servers are still vulnerable to SYN flood attacks.

There are a number of common techniques to mitigate SYN flood attacks, including:

Micro blocks:

Administrators can allocate a micro-record (as few as 16 bytes) in the server memory for each incoming SYN request instead of a complete connection object.

SYN cookies:

Using cryptographic hashing, the server sends its SYN-ACK response with a sequence number (seqno) that is constructed from the client IP address, port number, and possibly other unique identifying information. When the client responds, this hash is included in the ACK packet. The server verifies the ACK, and only then allocates memory for the connection.

RST cookies:

For the first request from a given client, the server intentionally sends an invalid SYN-ACK. This should result in the client generating an RST packet, which tells the server something is wrong. If this is received, the server knows the request is legitimate, logs the client, and accepts subsequent incoming connections from it.

Stack tweaking:

Administrators can tweak TCP stacks to mitigate the effect of SYN floods. This can either involve reducing the timeout until a stack frees memory allocated to a connection, or selectively dropping incoming connections.

All of the above mentioned methods rely on the target network's ability to handle large-scale volumetric DDoS attacks, with traffic volumes measured in tens of Gigabits (and even hundreds of Gigabits) per second.

Hope this answer helped you.
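The answer's Smurf mitigation section says that unsolicited ICMP responses should be identified and blocked at the edge of the network. The following is an added example, not code from the original answer: a stateful perimeter filter that admits an ICMP echo reply only when it matches an echo request the network actually sent, and that reports the sources behind the dropped, unsolicited replies (the intermediate network's hosts acting as reflectors). Packets are constructed dicts, the addresses come from the RFC 5737 documentation ranges, and the field names, class and function names are this example's own assumptions.

```python
# Added example (not from the original answer): a stateful filter for ICMP
# echo replies at the network perimeter. Only replies that match a recorded
# outbound echo request are allowed in; everything else is dropped and the
# sending host is counted as a possible Smurf reflector.
from collections import defaultdict

ECHO_REQUEST = 8   # ICMP type of an echo request
ECHO_REPLY = 0     # ICMP type of an echo reply


class IcmpReplyFilter:
    def __init__(self, timeout=2.0):
        self.timeout = timeout
        self.outstanding = {}                 # (peer, icmp_id, seq) -> time sent
        self.unsolicited = defaultdict(int)   # reflector ip -> dropped replies

    def outbound(self, pkt, now):
        """Record an echo request that left our network."""
        if pkt["type"] == ECHO_REQUEST:
            self.outstanding[(pkt["dst"], pkt["id"], pkt["seq"])] = now

    def inbound(self, pkt, now):
        """Return True if the packet may enter, False if it is dropped."""
        if pkt["type"] != ECHO_REPLY:
            return True  # only echo replies are policed by this filter
        key = (pkt["src"], pkt["id"], pkt["seq"])
        sent = self.outstanding.pop(key, None)
        if sent is not None and now - sent <= self.timeout:
            return True  # a reply to a request we really sent
        self.unsolicited[pkt["src"]] += 1
        return False

    def reflectors(self, threshold=1):
        """Sources whose unsolicited-reply count reached the threshold."""
        return sorted(ip for ip, n in self.unsolicited.items() if n >= threshold)


def build_trace():
    """Constructed traffic: one legitimate ping exchange, then a Smurf burst."""
    victim = "198.51.100.10"
    trace = [
        ("out", 0.0, {"type": ECHO_REQUEST, "src": victim, "dst": "192.0.2.5", "id": 1, "seq": 1}),
        ("in", 0.1, {"type": ECHO_REPLY, "src": "192.0.2.5", "dst": victim, "id": 1, "seq": 1}),
    ]
    # 50 hosts on 203.0.113.0/24 answer a spoofed broadcast ping the victim never sent.
    for host in range(1, 51):
        trace.append(("in", 0.2, {"type": ECHO_REPLY, "src": f"203.0.113.{host}",
                                  "dst": victim, "id": 7, "seq": 1}))
    return trace


def run_filter(trace):
    """Feed a trace through the filter; return (allowed, dropped, reflector list)."""
    f = IcmpReplyFilter()
    allowed = dropped = 0
    for direction, t, pkt in trace:
        if direction == "out":
            f.outbound(pkt, t)
        elif f.inbound(pkt, t):
            allowed += 1
        else:
            dropped += 1
    return allowed, dropped, f.reflectors()


if __name__ == "__main__":
    allowed, dropped, refl = run_filter(build_trace())
    print(f"allowed={allowed} dropped={dropped} reflectors={len(refl)}")
```

The reflector list is what an operator would use to notify the intermediate network that its directed broadcasts are being abused; the filter itself is the "block illegal ICMP responses" step from the answer, made concrete.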
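The answer describes how a SYN flood fills the server's half-open connection table and how SYN cookies avoid that by encoding the handshake state into the SYN-ACK sequence number. The following is an added example, not code from the original answer, showing both behaviours side by side: a classic half-open queue with a fixed backlog, and a simplified SYN cookie server that allocates nothing until a valid ACK arrives. The cookie layout (a 3-bit time slot plus a 29-bit truncated HMAC), the secret, the addresses and all class and function names are this example's own assumptions; real kernels pack additional fields such as the MSS into the 32 bits.

```python
# Added example (not from the original answer): a simplified SYN cookie scheme
# next to a classic half-open queue. The server ISN in the SYN-ACK is the
# cookie; a valid final ACK reconstructs and verifies it, so no per-SYN state
# is held. Secret, addresses and layout are constructed for the demonstration.
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # placeholder; a real server rotates this
SLOT_BITS = 3
HASH_BITS = 32 - SLOT_BITS
HASH_MASK = (1 << HASH_BITS) - 1
SLOT_MASK = (1 << SLOT_BITS) - 1
SLOT_SECONDS = 64


def _slot(now):
    """Coarse time counter stored in the cookie so that old cookies expire."""
    return int(now // SLOT_SECONDS) & SLOT_MASK


def _mac(client_ip, client_port, server_ip, server_port, slot, client_isn):
    msg = f"{client_ip}:{client_port}|{server_ip}:{server_port}|{slot}|{client_isn}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_cookie(client_ip, client_port, server_ip, server_port, client_isn, now):
    slot = _slot(now)
    return (slot << HASH_BITS) | _mac(client_ip, client_port, server_ip, server_port, slot, client_isn)


def check_cookie(cookie, client_ip, client_port, server_ip, server_port, client_isn, now, max_age=1):
    slot = cookie >> HASH_BITS
    age = (_slot(now) - slot) & SLOT_MASK
    if age > max_age:
        return False  # stale or garbage slot: reject before hashing anything
    return (cookie & HASH_MASK) == _mac(client_ip, client_port, server_ip, server_port, slot, client_isn)


class SynCookieServer:
    """Allocates nothing on SYN; connection state exists only after a valid ACK."""

    def __init__(self, ip="198.51.100.10", port=443):
        self.ip, self.port = ip, port
        self.established = set()

    def on_syn(self, client_ip, client_port, client_isn, now):
        # The cookie is returned as the server ISN carried in the SYN-ACK.
        return make_cookie(client_ip, client_port, self.ip, self.port, client_isn, now)

    def on_ack(self, client_ip, client_port, ack_num, client_seq, now):
        cookie = (ack_num - 1) & 0xFFFFFFFF        # the ACK acknowledges ISN + 1
        client_isn = (client_seq - 1) & 0xFFFFFFFF  # client's seq in the ACK is its ISN + 1
        if not check_cookie(cookie, client_ip, client_port, self.ip, self.port, client_isn, now):
            return False
        self.established.add((client_ip, client_port))
        return True


class HalfOpenQueueServer:
    """Classic behaviour: every SYN holds a queue slot until its ACK or a timeout."""

    def __init__(self, backlog=128, timeout=60.0):
        self.backlog, self.timeout = backlog, timeout
        self.half_open = {}
        self.established = set()

    def on_syn(self, client_ip, client_port, client_isn, now):
        self.half_open = {k: t for k, t in self.half_open.items() if now - t <= self.timeout}
        if len(self.half_open) >= self.backlog:
            return None  # queue full: the SYN is silently dropped
        self.half_open[(client_ip, client_port)] = now
        return 1000  # any ISN will do for this model

    def on_ack(self, client_ip, client_port, ack_num, client_seq, now):
        if self.half_open.pop((client_ip, client_port), None) is None:
            return False
        self.established.add((client_ip, client_port))
        return True


def legit_client_succeeds(server, flood_size=1000, now=1000.0):
    """Flood with spoofed SYNs that never complete, then attempt one real handshake."""
    for i in range(flood_size):
        server.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + i, 42, now)
    isn = server.on_syn("192.0.2.20", 50000, 7, now + 1)
    if isn is None:
        return False  # SYN dropped: the half-open table is full
    return server.on_ack("192.0.2.20", 50000, (isn + 1) & 0xFFFFFFFF, 8, now + 1.05)


if __name__ == "__main__":
    print("half-open queue:", legit_client_succeeds(HalfOpenQueueServer()))
    print("SYN cookies:   ", legit_client_succeeds(SynCookieServer()))
```

The time slot in the cookie is what gives the server the "timeout" it would otherwise need a table for: an ACK arriving more than one slot later is rejected without any hashing, and a forged ACK whose slot bits are wrong is rejected the same way.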