SYN Attack - Cisco ASA 5510

RS_MCP Member Posts: 352
Hi All,

Can someone explain to me what a SYN attack is?

On my firewall in ASDM, it is showing me "Top 10 protected servers under SYN attack" what exactly does this mean?

Thanks.

Comments

  • chrisone Member Posts: 2,278
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • instant000 Member Posts: 1,745
    RS_MCP wrote: »
    Hi All,

    Can someone explain to me what a SYN attack is?

    On my firewall in ASDM, it is showing me "Top 10 protected servers under SYN attack" what exactly does this mean?

    Thanks.


    A SYN attack takes advantage of the TCP handshake.

    When a system runs TCP, it interprets the receipt of a SYN as the beginning of a communication, so it will then respond with a SYN/ACK, and thus form a half-open TCP connection. It is, of course, expecting the other station to respond with an ACK, and thus complete the handshake, and then begin passing data.

    The half-open session will time out eventually, but until that occurs, one of the available TCP sessions on the system will be occupied.

    The key problem is that the SYN attack isn't designed to form actual TCP connections, but just to make a bunch of half-open connections (thousands of them), which can basically cause a denial-of-service type condition, and can really wreck up some equipment that can't handle it.

    It's a protocol exploit, basically.

    As the prior poster said, you would be well served to research up a bit on this one, as an insecure network won't do you much good.

    EDIT: Consider the Security+. You might laugh at its being entry-level, but I do recall that it covered common network attacks.

    Hope this helps.
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • Coolhandluke Member Posts: 118
    instant000 wrote: »
    A SYN attack takes advantage of the TCP handshake.

    When a system runs TCP, it interprets the receipt of a SYN as the beginning of a communication, so it will then respond with a SYN/ACK, and thus form a half-open TCP connection. It is, of course, expecting the other station to respond with an ACK, and thus complete the handshake, and then begin passing data.

    The half-open session will time out eventually, but until that occurs, one of the available TCP sessions on the system will be occupied.

    The key problem is that the SYN attack isn't designed to form actual TCP connections, but just to make a bunch of half-open connections (thousands of them), which can basically cause a denial-of-service type condition, and can really wreck up some equipment that can't handle it.

    It's a protocol exploit, basically.

    As the prior poster said, you would be well served to research up a bit on this one, as an insecure network won't do you much good.

    EDIT: Consider the Security+. You might laugh at its being entry-level, but I do recall that it covered common network attacks.

    Hope this helps.


    This is pretty much spot on. It's simply a means to leave the destination hanging on for thousands of fake connection attempts that never get created. Once the destination host has exceeded its maximum TCP sessions/memory, the rest of the sessions get denied; this includes authentic hosts.

    SYN floods ain't as common as they used to be, probably due to hardware/bandwidth increases and security improvements (firewalls and IDS).
    [CCENT]->[CCNA]->[CCNP-ROUTE]->[CCNP-SWITCH]->[CCNP-TSHOOT]
  • Ahriakin Member Posts: 1,799
    Don't forget the ASA uses SYN cookies; while this attack can affect resources (it still has to decode the SYN and issue the SYN/ACK cookie), it won't tie up the connection table itself.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
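An added example (not from this thread or from Cisco) modelling the two points made above: a toy listener with a fixed half-open backlog fills up under spoofed SYNs and then refuses a legitimate client, while the same listener in SYN-cookie mode keeps no per-SYN state and validates the final ACK by recomputing the cookie. The class, secret and addresses are constructed for the demo.

```python
import hmac
import hashlib

SECRET = b"constructed-demo-secret"  # per-device secret, constructed for this example


class SynServer:
    """Toy TCP listener modelling the handshake with or without SYN cookies."""

    def __init__(self, backlog=128, syn_cookies=False):
        self.backlog = backlog          # half-open entries the table can hold
        self.syn_cookies = syn_cookies  # True: keep no state per SYN
        self.half_open = {}             # (src_ip, src_port) -> server ISN
        self.established = set()
        self.dropped = 0                # SYNs refused because the table was full

    def _cookie(self, src_ip, src_port, client_isn, slot):
        # Cookie = keyed hash over the client tuple and a coarse time slot,
        # so the server can later recognise its own SYN/ACK without stored state.
        msg = f"{src_ip}:{src_port}:{client_isn}:{slot}".encode()
        return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src_ip, src_port, client_isn, now=0):
        """Handle a SYN; return the server ISN sent in the SYN/ACK, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(src_ip, src_port, client_isn, now // 60)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1           # classic flood symptom: table full, SYN refused
            return None
        isn = self._cookie(src_ip, src_port, client_isn, 0)  # any ISN would do here
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, client_isn, ack, now=0):
        """Handle the final ACK (ack == server ISN + 1); return True if established."""
        key = (src_ip, src_port)
        if self.syn_cookies:
            slot = now // 60            # accept current and previous slot
            ok = any(ack - 1 == self._cookie(src_ip, src_port, client_isn, s)
                     for s in (slot, slot - 1))
        else:
            ok = key in self.half_open and self.half_open.pop(key) + 1 == ack
        if ok:
            self.established.add(key)
        return ok


def flood_then_legit(syn_cookies, n_spoofed=1000):
    """Spoofed SYNs that never complete, then one real client. Returns (legit_ok, dropped)."""
    s = SynServer(backlog=128, syn_cookies=syn_cookies)
    for i in range(n_spoofed):          # constructed sources that never answer the SYN/ACK
        s.on_syn(f"198.51.100.{i % 250}", 1024 + i, i)
    isn = s.on_syn("192.0.2.10", 40000, 7)
    ok = isn is not None and s.on_ack("192.0.2.10", 40000, 7, isn + 1)
    return ok, s.dropped
```

Without cookies the legitimate client is refused once the backlog is full; with cookies every SYN still costs the hash computation Ahriakin mentions, but nothing is stored until a valid ACK arrives.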