10/03/2008
TCP/IP flaw and Syn cookies attack (version 2): more stuff to read
DISABLING SYN COOKIES MAKES THE PROBLEM WORSE AND YOU MORE VULNERABLE
Syn Cookies (which were made to defend systems against Syn Flood attacks) seem to be in SOME cases (depending on their implementation) the cause of the problem. Although it would be interesting to see whether this is only one of their attack techniques and whether there are others. They speak of 5 developed ones and more to come. The BIG question is whether Syn Cookies are their METHOD (on which you build techniques) or their TECHNIQUE (built on a method that is not yet known so far),
but this commentator says it may be a technique, because there are other methods to do the same thing: "This is simply the Naptha attack. They don't really need to "use syn cookies". They could simply ACK any SYN/ACK they receive, and that's it."
See this interpretation (from an interesting article):
"Which means that the Sockstress (their attack tool) gathers enough data to crack the hash function sent in last 24 bits of a SYN cookie. After that it can send as many ACK packets as it wishes and the server will accept them, because with SYN cookies no information on given connection attempt is stored on the server (it's gathered from SYN cookie). "
So this interpretation suggests that maybe the hash function is not hard enough, but there is also the problem that the harder the hash, the more resources you need, while the purpose of the attack is to exhaust or kill resources. So if the defense does the same thing, what is the use? We go on reading and Googling.
* Hardening the TCP/IP stack to SYN attacks
SYN cookie protection is especially useful when the system is under a SYN flood attack and the source IP addresses of the SYN packets are also forged. There is also a good Cisco document about this. Before you activate SYN cookies you will have to read this comment on the Cisco article: "But the article in the Cisco Journal points out much more specifically that "The downside is that not all TCB data can fit into the 32-bit Sequence Number field, so some TCP options required for high performance might be disabled." This means that options such as selective ACKs and TCP Window Scaling won't work if you turn on SYN Cookies, even if your server isn't currently under attack. This doesn't matter too terribly much for most people but on a lossy high speed connection, or just a lossy connection in general could suffer."
* This is a course on SYN cookies against SYN DDoS attacks (against Linux)
* Enable TCP SYN Cookie Protection (a Red Hat guide in fact, but here is an example)
* RFC 4987 - TCP SYN Flooding Attacks and Common Mitigations (2007): very good, and a reminder of how it can bring an IDS down
And to finish with an interesting article about how to improve the functionality of those cookies (version 2 update).
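To make the two points above concrete (the quoted interpretation that a SYN cookie carries only a 24-bit keyed hash and that the server keeps no per-connection state, and the Cisco comment that TCB data such as SACK and window scaling cannot fit into the 32-bit sequence number), here is a small added model of the SYN cookie scheme. It is example code written for this post, not the Linux kernel's own implementation (which uses a different arithmetic layout and two hashes); the key, the MSS table and the addresses are constructed for the demo. It shows the defender's side only: how the cookie is generated from the 4-tuple, how the final ACK is validated without any stored state, why only a 3-bit MSS index survives the trip, and how the timestamp window bounds how long a cookie stays valid.

```python
import hmac
import hashlib
import struct
import socket

# Constructed demo key. A real stack draws this from the kernel RNG and rotates it.
SECRET = b"constructed-demo-key-not-for-production"

# MSS values that the 3-bit index can encode (constructed table, modelled on the
# small table Linux uses). Nothing else from the TCB (SACK permitted, window
# scale, timestamps) has room in the 32-bit ISN, which is the Cisco comment's point.
MSS_TABLE = [536, 1300, 1440, 1460]

COUNTER_MASK = 0x1F        # 5-bit coarse timestamp (Linux ticks it about once a minute)
MSS_MASK = 0x7             # 3-bit MSS index
HASH_MASK = (1 << 24) - 1  # the 24-bit keyed hash the quoted interpretation refers to
MAX_AGE_TICKS = 2          # cookies older than this many ticks are rejected


def _keyed_hash(saddr, daddr, sport, dport, count):
    """24-bit keyed hash over the 4-tuple and the timestamp tick (assumed HMAC-SHA256)."""
    msg = struct.pack("!4s4sHHB",
                      socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, count)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big") & HASH_MASK


def mss_index(client_mss):
    """Largest table entry not exceeding the client's MSS; index 0 if none fits."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, client_mss, count):
    """Build the server ISN for the SYN/ACK: 5 bits tick | 3 bits MSS index | 24 bits hash.
    No per-connection state is kept after this value is sent."""
    tick = count & COUNTER_MASK
    return (tick << 27) | (mss_index(client_mss) << 24) | _keyed_hash(saddr, daddr, sport, dport, tick)


def validate_ack(saddr, daddr, sport, dport, ack_number, now_count):
    """Reconstruct the cookie from the final ACK. Returns the recovered MSS, or None.
    Everything the server knows about the connection comes from these 32 bits."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    tick = cookie >> 27
    idx = (cookie >> 24) & MSS_MASK
    if ((now_count - tick) & COUNTER_MASK) > MAX_AGE_TICKS:
        return None  # stale tick: cookie too old to be accepted
    if (cookie & HASH_MASK) != _keyed_hash(saddr, daddr, sport, dport, tick):
        return None  # hash mismatch: this ACK does not match a SYN/ACK we sent to this 4-tuple
    return MSS_TABLE[idx]


def demo():
    """Handshake walk-through on constructed addresses; returns what the server decided."""
    client, server, sport, dport = "192.0.2.10", "198.51.100.5", 40000, 80
    tick = 7
    isn = make_cookie(client, server, sport, dport, client_mss=1400, count=tick)
    return {
        # valid third-step ACK: the only thing recovered is the rounded-down MSS
        "accepted_mss": validate_ack(client, server, sport, dport, isn + 1, tick),
        # same cookie presented from a different source port: hash no longer matches
        "wrong_port": validate_ack(client, server, sport + 1, dport, isn + 1, tick),
        # same cookie presented after the validity window has passed
        "stale": validate_ack(client, server, sport, dport, isn + 1, tick + MAX_AGE_TICKS + 1),
        "tick_in_cookie": isn >> 27,
    }


if __name__ == "__main__":
    print(demo())
```

The structure makes the trade-off in the post visible: the whole defence against a forged ACK is the 24-bit hash plus the short tick window, and making the hash "harder" can only mean a stronger keyed function or faster key rotation, not more bits, because the cookie has to fit in the ISN alongside the MSS index.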
11:49