RS_MCP wrote: » Hi all, can someone explain to me what a SYN attack is? On my firewall in ASDM, it is showing me "Top 10 protected servers under SYN attack". What exactly does this mean? Thanks.
instant000 wrote: » A SYN attack takes advantage of the TCP handshake. When a system runs TCP, it interprets the receipt of a SYN as the beginning of a communication, so it will then respond with a SYN/ACK, and thus form a half-open TCP connection. It is, of course, expecting the other station to respond with an ACK, and thus complete the handshake, and then begin passing data. The half-open session will time out eventually, but until that occurs, one of the available TCP sessions on the system will be occupied. The key problem is that the SYN attack isn't designed to form actual TCP connections, but just to make a bunch of half-open connections (thousands of them), which can basically cause a denial-of-service type condition, and can really wreck up some equipment that can't handle it. It's a protocol exploit, basically. As the prior poster said, you would be well served to research up a bit on this one, as an insecure network won't do you much good. EDIT: Consider the Security+. You might laugh at its being entry-level, but I do recall that it covered common network attacks. Hope this helps.
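
Added example, not part of either post above: the half-open connections described in the reply can be counted per server on a Linux host from `ss -tan` output, which is roughly what a "top servers under SYN attack" view summarises. The sample lines, the threshold and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the column layout of `ss -tan`; not captured from a real host.
SAMPLE = "\n".join(
    ["State    Recv-Q Send-Q Local Address:Port Peer Address:Port",
     "LISTEN   0 128 0.0.0.0:80 0.0.0.0:*",
     "ESTAB    0 0 192.0.2.10:80 198.51.100.7:51512",
     "ESTAB    0 0 192.0.2.20:443 198.51.100.8:40222",
     "ESTAB    0 0 192.0.2.20:443 198.51.100.9:40223",
     "SYN-RECV 0 0 192.0.2.20:443 198.51.100.9:40224"]
    # Five half-open entries against one server, each from a different peer.
    + [f"SYN-RECV 0 0 192.0.2.10:80 203.0.113.{i}:4000{i}" for i in range(1, 6)]
)

HALF_OPEN = "SYN-RECV"   # SYN received, SYN/ACK sent, final ACK still missing
ESTABLISHED = "ESTAB"    # handshake completed


def connection_states(ss_output):
    """Return (half_open, established) Counters keyed by local address:port."""
    half_open, established = Counter(), Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or truncated line
        state, local = fields[0], fields[3]
        if state == HALF_OPEN:
            half_open[local] += 1
        elif state == ESTABLISHED:
            established[local] += 1
    return half_open, established


def top_half_open(ss_output, threshold, limit=10):
    """Servers with at least `threshold` half-open connections, worst first.

    `threshold` is an assumed tuning value; a sensible number depends on the
    server's normal load and its SYN backlog size.
    """
    half_open, established = connection_states(ss_output)
    return [(srv, n, established[srv])
            for srv, n in half_open.most_common(limit) if n >= threshold]


if __name__ == "__main__":
    for srv, half, estab in top_half_open(SAMPLE, threshold=3):
        print(f"{srv}: {half} half-open, {estab} established")
```

A server whose half-open count stays high while its established count stays low matches the pattern the reply describes; a brief spike that drains as handshakes complete is normal under load.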