Removing SYN flooding in TCP/IP Network

Abstract: Transmission Control Protocol (TCP) is the most widely used transport layer protocol on the Internet. It was originally designed for wired networks of cooperating hosts, and Denial of Service (DoS) attacks against it are very common. This article analyzes the TCP SYN flood (SYN flood), a DoS attack, often launched in distributed form (DDoS), that abuses the first step of the normal TCP three-way handshake to exhaust connection state on the targeted server and render it unresponsive. It closes with three mitigations for SYN floods: firewall rules, per-source session limits, and SYN cookies.


I. INTRODUCTION
The entire Internet protocol suite, a set of rules and procedures, is commonly referred to as TCP/IP, though many other protocols are included in the suite. TCP/IP specifies how data is exchanged over the Internet by providing end-to-end communication that defines how data is broken into packets, addressed, transmitted, routed and received at the destination. TCP/IP requires little central management and is designed to make networks robust, with the ability to recover automatically from the failure of any device on the network.
The two main protocols in the suite serve distinct functions. TCP defines how applications create channels of communication across a network. It also manages how a message is split into smaller segments before it is transmitted over the Internet and reassembled in the right order at the destination. IP defines how to address and route each packet so that it reaches the right destination; each router on the path examines the destination IP address to decide where to forward the packet. TCP/IP functionality is divided into four layers, each of which includes specific protocols.
• The Application Layer provides applications with standardized data exchange. Its protocols include the Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Post Office Protocol 3 (POP3), Simple Mail Transfer Protocol (SMTP) and Simple Network Management Protocol (SNMP).
• The Transport Layer is responsible for end-to-end communication between processes across the network. TCP provides connection setup, flow control, multiplexing by port number and reliable in-order delivery. The other transport protocol, UDP, is connectionless and is used where that reliability and ordering are not needed.
• The Network Layer, also called the Internet layer, deals with packets and connects independent networks to carry packets across network boundaries. Its protocols are IP and ICMP, which is used for error reporting.
• The Link Layer (also called the network access layer) consists of protocols that operate only on a single link, the network component that interconnects nodes or hosts. Its protocols include Ethernet for LANs and ARP, which maps IP addresses to link-layer addresses.
Removing SYN flooding in TCP/IP Network. Dr. Kurrum Abbas, Minhaj Uddin Ansari, Ahtisham Ali, Talha Bilal, Yahya
In the next section we explain TCP operation in detail with the help of a sequence chart.

II. TCP OPERATIONS
Figure 4 shows the sequence flow of a TCP connection. TCP has the following main functions:
• Connection setup and teardown: TCP establishes a logical circuit between a port (process) on each host with the three-way handshake, maintains the connection throughout the communication, and tears it down with a FIN exchange when it is no longer needed.
• Multiplexing: port numbers let TCP maintain many simultaneous connections between the same two hosts, each identified by the 4-tuple of source address, source port, destination address and destination port.
• Data transfer: TCP accepts a byte stream from the upper layer, splits it into segments and hands them to IP (Internet Protocol) for addressing and delivery. At the destination it takes the segments from IP, puts them back in order and delivers the stream to the upper layer.
• Flow control: the receiver advertises a window, the free space in its receive buffer, in every segment, so the sender never has more unacknowledged data in flight than the receiver can hold. TCP additionally performs congestion control: the sender shrinks its sending window when it detects loss and grows it again once the network recovers.
• Reliability: every byte carries a sequence number and must be acknowledged. A segment that is lost in transit, or that arrives corrupted and fails the 16-bit checksum in the TCP header, is not acknowledged, so the sender retransmits it after a timeout. (Damaged frames are detected by a CRC at the link layer, not by a field in the TCP header.)
• Precedence and security: the original TCP specification (RFC 793) lets each connection carry an IP precedence level and a security label, and both ends must agree on a level acceptable to them before data flows.

III. DOS ATTACK
A DoS attack tries to make a resource unavailable to its legitimate users by overloading it with malicious requests. During the attack, regular traffic toward the resource is either slowed down or completely interrupted.

IV. DISTRIBUTED DOS
A DoS attack launched from a large number of source IP addresses, which makes it difficult to filter or drop traffic from those sources manually, is known as a Distributed DoS (DDoS) attack. The source computers behind such an attack are often distributed across the globe.

V. PROBLEM
When a client and server establish a normal TCP three-way handshake, the exchange looks like this:
1. The client requests a connection by sending a SYN (synchronize) segment to the server.
2. The server acknowledges it with a SYN-ACK (synchronize-acknowledge) segment and records the half-open connection in its SYN queue (the listen backlog).
3. The client responds with an ACK (acknowledge) segment; the server moves the entry to the accept queue and the connection is established.
In a SYN flood attack, the attacker sends a stream of SYN segments to a listening port on the targeted server, usually with spoofed (fake) source IP addresses. The server, unable to tell them from legitimate requests, answers each one with a SYN-ACK and allocates a SYN-queue entry for the half-open connection. The malicious client either never sends the expected ACK or, if the source address is spoofed, never receives the SYN-ACK in the first place. Either way the server waits for the ACK, retransmitting the SYN-ACK several times before giving up, so each entry occupies the queue for a long time (about a minute with the Linux default of five SYN-ACK retransmissions). The server cannot tell which entries are bogus and therefore cannot reset them selectively. New SYNs arrive faster than old entries expire, so the number of half-open connections keeps growing, which is why SYN floods are also called "half-open" attacks. Once the SYN queue is full, the server drops further SYNs, including those from legitimate clients, and service is denied; an implementation that does not bound its connection state may exhaust memory and crash. While the "classic" SYN flood described above exhausts the server's connection state, SYN segments can also be used in volumetric DDoS attacks that simply saturate the network link with fake packets. There the type of packet is not important, but SYN segments remain a convenient choice because a server with an open port has to accept them, which makes them the least likely to be filtered by default.

VI. SOLUTIONS
Firewalls can be configured with simple rules that allow or deny protocols, ports or IP addresses. Against a simple attack from a small number of unusual source addresses, a rule that drops all incoming traffic from those addresses is enough. Such a rule costs the firewall little: a SYN matched by an inbound drop rule is discarded before any connection state is created, so it is neither logged nor tracked in the session table until it belongs to a validated TCP connection. The weakness of this approach is that a spoofed flood presents no small, stable set of source addresses to block.
To protect the server further, limits can be placed on the total number of half-open sessions and on the number of sessions from any one source address; once a limit is exceeded, further connection attempts from that source are ignored. If the attack comes from a group of IP addresses, a threshold can be set per address: a source that fails to complete the three-way handshake three times is blocked for a fixed time interval. The caveat is that a legitimate client on a slow or lossy path also fails handshakes and can be blocked by the same rule.
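The session limits and the three-strikes rule above, worked through as an added example (this is not the article's code and not any firewall product's implementation). The thresholds, the timeout after which an unanswered SYN-ACK counts as a failed handshake, and the packet trace are assumptions constructed for the illustration; the trace ends with a slow but legitimate client whose ACK arrives after the timeout, the failure mode the comparison below warns about.

```python
"""Per-source half-open session limits with a failed-handshake block list.

Added example, not part of the original article. It models a global cap on
half-open sessions, a per-source cap, and blocking of a source that fails
the three-way handshake three times. Thresholds, timeout and the event
trace are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Limiter:
    max_half_open: int = 4          # global cap on half-open sessions (assumed)
    max_per_source: int = 2         # cap on half-open sessions per source address (assumed)
    syn_timeout: float = 3.0        # seconds until an unanswered SYN-ACK counts as a failure
    fail_limit: int = 3             # failed handshakes before the source is blocked
    block_seconds: float = 60.0     # length of the block interval
    half_open: dict = field(default_factory=dict)   # (src, sport) -> time the SYN arrived
    failures: dict = field(default_factory=lambda: defaultdict(int))
    blocked_until: dict = field(default_factory=dict)

    def _expire(self, now):
        """Age out half-open entries; each expiry is one failed handshake for its source."""
        for (src, sport), t0 in list(self.half_open.items()):
            if now - t0 > self.syn_timeout:
                del self.half_open[(src, sport)]
                self.failures[src] += 1
                if self.failures[src] >= self.fail_limit:
                    self.blocked_until[src] = now + self.block_seconds
                    self.failures[src] = 0

    def on_syn(self, src, sport, now):
        self._expire(now)
        if self.blocked_until.get(src, 0.0) > now:
            return "drop:blocked"
        if len(self.half_open) >= self.max_half_open:
            return "drop:global-limit"
        if sum(1 for s, _ in self.half_open if s == src) >= self.max_per_source:
            return "drop:source-limit"
        self.half_open[(src, sport)] = now
        return "syn-ack"

    def on_ack(self, src, sport, now):
        self._expire(now)
        if self.half_open.pop((src, sport), None) is None:
            return "drop:no-half-open"   # no matching SYN-ACK, or it already timed out
        self.failures[src] = 0           # a completed handshake clears the strike count
        return "established"


# Constructed trace: (time in seconds, segment kind, source address, source port).
EVENTS = [
    (0.0, "SYN", "203.0.113.7", 40001),    # attacker: never completes
    (0.1, "SYN", "203.0.113.7", 40002),
    (0.2, "SYN", "203.0.113.7", 40003),    # exceeds the per-source cap
    (0.3, "SYN", "198.51.100.2", 50000),   # legitimate client
    (0.5, "ACK", "198.51.100.2", 50000),   # completes the handshake
    (4.0, "SYN", "203.0.113.7", 40004),    # first two SYNs have expired: two failures so far
    (8.0, "SYN", "203.0.113.7", 40005),    # third expiry: source is blocked
    (8.1, "SYN", "203.0.113.7", 40006),
    (8.2, "SYN", "198.51.100.2", 50001),   # legitimate client still served
    (8.3, "ACK", "198.51.100.2", 50001),
    (9.0, "SYN", "192.0.2.33", 6000),      # slow but legitimate client
    (13.0, "ACK", "192.0.2.33", 6000),     # ACK after the timeout: treated as a failure
]


def replay(events, limiter=None):
    """Run a trace through a Limiter and return one verdict per event."""
    lim = limiter or Limiter()
    verdicts = []
    for t, kind, src, sport in events:
        handler = lim.on_syn if kind == "SYN" else lim.on_ack
        verdicts.append(handler(src, sport, t))
    return verdicts


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, replay(EVENTS)):
        print(event, "->", verdict)
```

The last two events show the cost of the rule: the client at 192.0.2.33 is honest but slow, and its ACK is refused once the SYN-ACK has aged out, while one more such timeout would count toward blocking it. An attacker who spoofs a fresh source address for every SYN never reaches the per-source cap or the strike limit at all; only the global cap applies, and then legitimate SYNs are dropped along with the flood.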
The third solution is SYN cookies. With SYN cookies the server answers a SYN with a SYN-ACK whose initial sequence number is a cryptographically computed cookie, a keyed hash of the client address, client port, server address, server port and a coarse timestamp, without adding any record to its SYN queue. A record is created only when a client replies with an ACK that acknowledges that cookie, which proves that the client actually received the SYN-ACK at the address it claims. This protects the SYN queue from filling up under a SYN flood, at the price that TCP options the client sent in its SYN (window scaling, selective acknowledgement) are lost unless they can be encoded in the cookie or in the TCP timestamp option, and that a lost SYN-ACK cannot be retransmitted because the server holds no state for it.
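The cookie mechanism just described, placed next to the fixed-size SYN queue from Section V so that both can be driven with the same spoofed flood, as an added example. This is not the article's code and not any kernel's implementation; it follows the classic SYN-cookie layout (5 bits of a slowly moving time counter, 3 bits indexing a small MSS table, 24 bits of a keyed hash over the connection 4-tuple and the counter). The secret key, the addresses and ports, the MSS table, the queue size and the counter period are assumptions made for the illustration.

```python
"""SYN cookies beside a fixed-size SYN queue under a spoofed SYN flood.

Added example, not part of the original article and not a kernel's code.
Cookie layout (classic Bernstein scheme): 5-bit time counter, 3-bit MSS
index, 24-bit keyed hash of the 4-tuple and the counter. Key, addresses,
ports, MSS table and backlog size are constructed assumptions.
"""
import hashlib
import hmac

MSS_TABLE = [536, 1220, 1440, 1460]   # MSS values the 3-bit field can encode (assumed)
COUNTER_PERIOD = 64                   # seconds per value of the time counter (assumed)


def _tag(secret, saddr, sport, daddr, dport, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple and the counter."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}@{counter}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


def make_cookie(secret, saddr, sport, daddr, dport, now, client_mss):
    """Build the ISN for the SYN-ACK; the server keeps no record of the SYN."""
    counter = int(now // COUNTER_PERIOD)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):       # largest table entry <= client's MSS
        if mss <= client_mss:
            mss_idx = i
    tag = int.from_bytes(_tag(secret, saddr, sport, daddr, dport, counter), "big")
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | tag


def check_cookie(secret, saddr, sport, daddr, dport, now, ack_num):
    """Return the MSS recovered from a valid cookie in the client's ACK, else None."""
    cookie = (ack_num - 1) & 0xFFFFFFFF      # the ACK acknowledges ISN + 1
    t, mss_idx, tag = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = int(now // COUNTER_PERIOD)
    for counter in (current, current - 1):   # tolerate one counter step since the SYN-ACK
        if (counter & 0x1F) != t:
            continue
        expected = _tag(secret, saddr, sport, daddr, dport, counter)
        if hmac.compare_digest(tag.to_bytes(3, "big"), expected):
            return MSS_TABLE[mss_idx]
    return None


class StatefulListener:
    """Conventional listen socket: every SYN occupies a queue slot until ACK or timeout."""

    def __init__(self, backlog, syn_timeout=3.0):
        self.backlog, self.syn_timeout, self.queue = backlog, syn_timeout, {}

    def on_syn(self, saddr, sport, now):
        for key, t0 in list(self.queue.items()):
            if now - t0 > self.syn_timeout:
                del self.queue[key]
        if len(self.queue) >= self.backlog:
            return "drop"                    # queue full: legitimate SYNs are lost here
        self.queue[(saddr, sport)] = now
        return "syn-ack"

    def on_ack(self, saddr, sport, now):
        return "established" if self.queue.pop((saddr, sport), None) is not None else "drop"


class CookieListener:
    """Stateless listener: the only state is the cookie the client must echo back."""

    def __init__(self, secret, addr="192.0.2.10", port=80):
        self.secret, self.addr, self.port = secret, addr, port

    def on_syn(self, saddr, sport, now, client_mss=1460):
        return make_cookie(self.secret, saddr, sport, self.addr, self.port, now, client_mss)

    def on_ack(self, saddr, sport, now, ack_num):
        mss = check_cookie(self.secret, saddr, sport, self.addr, self.port, now, ack_num)
        return "established" if mss is not None else "drop"


def flood_demo(n_spoofed=1000, backlog=256):
    """Spoofed SYNs that never complete, then one legitimate client's handshake."""
    stateful, cookie = StatefulListener(backlog), CookieListener(b"constructed-secret")
    now = 0.0
    for i in range(n_spoofed):
        src, sport = f"203.0.113.{i % 250 + 1}", 1024 + i   # spoofed sources (constructed)
        stateful.on_syn(src, sport, now)
        cookie.on_syn(src, sport, now)       # costs one HMAC, stores nothing
        now += 0.001
    client = ("198.51.100.2", 51000)
    stateful_verdict = stateful.on_syn(*client, now)           # queue is full
    isn = cookie.on_syn(*client, now)
    genuine = cookie.on_ack(*client, now + 0.05, (isn + 1) & 0xFFFFFFFF)
    forged = cookie.on_ack(*client, now + 0.05, (isn + 2) & 0xFFFFFFFF)   # never saw the SYN-ACK
    return stateful_verdict, genuine, forged


if __name__ == "__main__":
    print(flood_demo())
```

Only 32 bits are available, which is why the cookie can carry just an MSS index and nothing else; Linux recovers the window scale and SACK-permitted flags from the TCP timestamp option instead, and with net.ipv4.tcp_syncookies=1 it switches to cookies only once the SYN queue overflows, so the option loss affects connections made during an attack rather than all of them.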

Comparison:
Firewall rules are the fastest and most responsive method against DDoS attacks and the most resource efficient, but they are the least secure: malicious packets are not always obvious, and spoofed traffic passes simple filters. Session and time limits are somewhat more secure than static rules, but they consume memory, because every half-open session is stored, and they may reject legitimate clients on slow connections. SYN cookies are memory efficient and give the strongest protection, because a session is stored only after the client has proved that it received the SYN-ACK at its claimed address; the cost is CPU time and some latency, because the server computes a keyed hash for every SYN and verifies one for every ACK.

VII. CONCLUSIONS
This article described SYN flooding attacks and discussed three solutions: firewall rules that drop traffic from attacking sources, thresholds on the number of sessions and failed handshakes per source, and SYN cookies. Each mitigates SYN flooding, and SYN cookies do so without storing any state for clients that have not yet completed the handshake.

Figure 1 :
Figure 1: OSI Model.
TCP stands for Transmission Control Protocol. It is specified by the Internet Engineering Task Force (IETF), originally in RFC 793. It establishes and maintains communication between applications on different computers and provides full-duplex, acknowledged data transfer and flow control to upper layer protocols and applications. Figure 2 shows how packets are exchanged with the other layers.

Figure 2 :
Figure 2: TCP Packet Exchange.
The goals for which TCP was designed, summarized in Figure 3, are the following:
• A route should be established for as long as it is needed.
• Reliable delivery.
• The technology should permit dissimilar systems to exchange data.
• Interconnection across long distances.

Figure 5 :
Figure 5: Progression of a SYN flood.