I was looking at my firewall log, and could it be a SYN/ACK?

Description of SYN/ACK follows:

Event description

A standard TCP connection is established by sending a SYN packet to the destination host. If the destination host is waiting for a connection on the specified port, it will respond with a SYN/ACK packet. The source host (the initial sender) then replies to the SYN/ACK with an ACK packet, and the connection is established.

When the SYN/ACK packet is sent back to the source host, a block of memory on the destination host is allocated to hold information about the state of the connection that is currently being established. Until the final ACK is received from the source host, or a timeout is reached, this block of memory remains unused, waiting for more information to be received from the source host.

By sending numerous SYN packets to a host, the destination host will exhaust the portion of memory used to manage opening connections. When this memory is exhausted, legitimate connections will no longer be able to connect to the destination host.

This situation can be detected by a flood of SYN packets that do not have accompanying responses. This situation can be corrected by sending the destination host RST packets that correspond to the initial SYN packets. This results in the destination host freeing up that block of memory, allowing for new, legitimate connections.

References

Sun Microsystems, Inc. Security Bulletin #00136
TCP-based "SYN flood" denial-of-service attack
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/136&type=0&nav=sec.sba

SGI Security Advisory 19961202-01-PX
TCP SYN and Ping Denial of Service Attacks
ftp://patches.sgi.com/support/free/security/advisories/19961202-01-PX

SGI Security Advisory 19960901-01-A
TCP SYN Denial of Service Attack
ftp://patches.sgi.com/support/free/security/advisories/19960901-01-A

CERT Advisory CA-1996-21
TCP SYN Flooding and IP Spoofing Attacks
http://www.cert.org/advisories/CA-1996-21.html

Microsoft Knowledge Base Article 142641
Internet Server Unavailable Because of Malicious SYN Attacks
http://support.microsoft.com/default.aspx?scid=kb;[LN];142641

IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1996:006.1
Newly Available Patches for IBM AIX(r) Address `SYN Flood' and `Ping o' Death' Vulnerabilities
http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/ERS-SVA-E01-1996.006.1/$file/ERS-SVA-E01-1996_006_1.txt


Common Vulnerabilities and Exposures
Denial of service when an attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection, aka SYN flood.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0116






[EMAIL PROTECTED]
crazy-wilys webmaster
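
The detection rule in the event description above (a flood of SYN packets with no accompanying responses) can be checked against a firewall log by counting handshakes that never receive their final ACK. This is an added example, not part of the original message or of any firewall product; the log line format, the sample addresses and the threshold of 20 are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample log, assumed format: "<seconds> <src>:<port> > <dst>:<port> <flags>"
# Flags: S=SYN, SA=SYN/ACK, A=ACK, R=RST. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = "\n".join(
    # one legitimate three-way handshake
    ["0.00 198.51.100.7:40000 > 192.0.2.10:80 S",
     "0.01 192.0.2.10:80 > 198.51.100.7:40000 SA",
     "0.02 198.51.100.7:40000 > 192.0.2.10:80 A"]
    # thirty SYNs that are answered with SYN/ACK but never completed
    + [f"1.{i:02d} 203.0.113.{i}:1025 > 192.0.2.10:80 S" for i in range(1, 31)]
    + [f"1.{i:02d} 192.0.2.10:80 > 203.0.113.{i}:1025 SA" for i in range(1, 31)]
)


def half_open_by_listener(log_text):
    """Count handshakes per listening "ip:port" that never got the final ACK."""
    pending = {}  # (client endpoint, server endpoint) -> handshake state
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != ">":
            continue  # not in the assumed format
        _, src, _, dst, flags = parts
        if flags == "S":
            pending[(src, dst)] = "SYN_SEEN"
        elif flags == "SA" and (dst, src) in pending:
            pending[(dst, src)] = "SYN_ACK_SENT"  # server is now holding state
        elif flags == "A":
            pending.pop((src, dst), None)  # client completed the handshake
        elif flags == "R":
            # a reset from either side releases the half-open entry
            pending.pop((src, dst), None)
            pending.pop((dst, src), None)
    return Counter(server for (_client, server) in pending)


def flooded_listeners(log_text, threshold=20):
    """Return listeners whose half-open count reaches the (assumed) threshold."""
    counts = half_open_by_listener(log_text)
    return {listener: n for listener, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for listener, n in flooded_listeners(SAMPLE_LOG).items():
        print(f"{listener}: {n} half-open connections")
```

A live monitor would also expire pending entries after the handshake timeout rather than counting over the whole log.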
