diff options
Diffstat (limited to 'doc/rfc/rfc4987.txt')
-rw-r--r-- | doc/rfc/rfc4987.txt | 1067 |
1 files changed, 1067 insertions, 0 deletions
diff --git a/doc/rfc/rfc4987.txt b/doc/rfc/rfc4987.txt new file mode 100644 index 0000000..636c337 --- /dev/null +++ b/doc/rfc/rfc4987.txt @@ -0,0 +1,1067 @@ + + + + + + +Network Working Group W. Eddy +Request for Comments: 4987 Verizon +Category: Informational August 2007 + + + TCP SYN Flooding Attacks and Common Mitigations + +Status of This Memo + + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. + +Copyright Notice + + Copyright (C) The IETF Trust (2007). + +Abstract + + This document describes TCP SYN flooding attacks, which have been + well-known to the community for several years. Various + countermeasures against these attacks, and the trade-offs of each, + are described. This document archives explanations of the attack and + common defense techniques for the benefit of TCP implementers and + administrators of TCP servers or networks, but does not make any + standards-level recommendations. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 + 2. Attack Description . . . . . . . . . . . . . . . . . . . . . . 2 + 2.1. History . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2.2. Theory of Operation . . . . . . . . . . . . . . . . . . . 3 + 3. Common Defenses . . . . . . . . . . . . . . . . . . . . . . . 6 + 3.1. Filtering . . . . . . . . . . . . . . . . . . . . . . . . 6 + 3.2. Increasing Backlog . . . . . . . . . . . . . . . . . . . . 7 + 3.3. Reducing SYN-RECEIVED Timer . . . . . . . . . . . . . . . 7 + 3.4. Recycling the Oldest Half-Open TCB . . . . . . . . . . . . 7 + 3.5. SYN Cache . . . . . . . . . . . . . . . . . . . . . . . . 8 + 3.6. SYN Cookies . . . . . . . . . . . . . . . . . . . . . . . 8 + 3.7. Hybrid Approaches . . . . . . . . . . . . . . . . . . . . 10 + 3.8. Firewalls and Proxies . . . . . . . . . . . . . . . . . . 10 + 4. Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 + 5. Security Considerations . . . . . . . . . . . . . . . . . . . 13 + 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 + 7. Informative References . . . . . . . . . . . . . . . . . . . . 13 + Appendix A. SYN Cookies Description . . . . . . . . . . . . . . . 16 + + + + +Eddy Informational [Page 1] + +RFC 4987 TCP SYN Flooding August 2007 + + +1. Introduction + + The SYN flooding attack is a denial-of-service method affecting hosts + that run TCP server processes. The attack takes advantage of the + state retention TCP performs for some time after receiving a SYN + segment to a port that has been put into the LISTEN state. The basic + idea is to exploit this behavior by causing a host to retain enough + state for bogus half-connections that there are no resources left to + establish new legitimate connections. + + This SYN flooding attack has been well-known to the community for + many years, and has been observed in the wild by network operators + and end hosts. A number of methods have been developed and deployed + to make SYN flooding less effective. Despite the notoriety of the + attack, and the widely available countermeasures, the RFC series only + documented the vulnerability as an example motivation for ingress + filtering [RFC2827], and has not suggested any mitigation techniques + for TCP implementations. This document addresses both points, but + does not define any standards. Formal specifications and + requirements of defense mechanisms are outside the scope of this + document. Many defenses only impact an end host's implementation + without changing interoperability. These may not require + standardization, but their side-effects should at least be well + understood. + + This document intentionally focuses on SYN flooding attacks from an + individual end host or application's perspective, as a means to deny + service to that specific entity. High packet-rate attacks that + target the network's packet-processing capability and capacity have + been observed operationally. Since such attacks target the network, + and not a TCP implementation, they are out of scope for this + document, whether or not they happen to use TCP SYN segments as part + of the attack, as the nature of the packets used is irrelevant in + comparison to the packet-rate in such attacks. + + The majority of this document consists of three sections. Section 2 + explains the SYN flooding attack in greater detail. Several common + mitigation techniques are described in Section 3. An analysis and + discussion of these techniques and their use is presented in + Section 4. Further information on SYN cookies is contained in + Appendix A. + +2. Attack Description + + This section describes both the history and the technical basis of + the SYN flooding attack. + + + + + +Eddy Informational [Page 2] + +RFC 4987 TCP SYN Flooding August 2007 + + +2.1. History + + The TCP SYN flooding weakness was discovered as early as 1994 by Bill + Cheswick and Steve Bellovin [B96]. They included, and then removed, + a paragraph on the attack in their book "Firewalls and Internet + Security: Repelling the Wily Hacker" [CB94]. Unfortunately, no + countermeasures were developed within the next two years. + + The SYN flooding attack was first publicized in 1996, with the + release of a description and exploit tool in Phrack Magazine + [P48-13]. Aside from some minor inaccuracies, this article is of + high enough quality to be useful, and code from the article was + widely distributed and used. + + By September of 1996, SYN flooding attacks had been observed in the + wild. Particularly, an attack against one ISP's mail servers caused + well-publicized outages. CERT quickly released an advisory on the + attack [CA-96.21]. SYN flooding was particularly serious in + comparison to other known denial-of-service attacks at the time. + Rather than relying on the common brute-force tactic of simply + exhausting the network's resources, SYN flooding targets end-host + resources, which require fewer packets to deplete. + + The community quickly developed many widely differing techniques for + preventing or limiting the impact of SYN flooding attacks. Many of + these have been deployed to varying degrees on the Internet, in both + end hosts and intervening routers. Some of these techniques have + become important pieces of the TCP implementations in certain + operating systems, although some significantly diverge from the TCP + specification and none of these techniques have yet been standardized + or sanctioned by the IETF process. + +2.2. Theory of Operation + + As described in RFC 793, a TCP implementation may allow the LISTEN + state to be entered with either all, some, or none of the pair of IP + addresses and port numbers specified by the application. In many + common applications like web servers, none of the remote host's + information is pre-known or preconfigured, so that a connection can + be established with any client whose details are unknown to the + server ahead of time. This type of "unbound" LISTEN is the target of + SYN flooding attacks due to the way it is typically implemented by + operating systems. + + For success, the SYN flooding attack relies on the victim host TCP + implementation's behavior. In particular, it assumes that the victim + allocates state for every TCP SYN segment when it is received, and + that there is a limit on the amount of such state than can be kept at + + + +Eddy Informational [Page 3] + +RFC 4987 TCP SYN Flooding August 2007 + + + any time. The current base TCP specification, RFC 793 [RFC0793], + describes the standard processing of incoming SYN segments. RFC 793 + describes the concept of a Transmission Control Block (TCB) data + structure to store all the state information for an individual + connection. In practice, operating systems may implement this + concept rather differently, but the key is that each TCP connection + requires some memory space. + + Per RFC 793, when a SYN is received for a local TCP port where a + connection is in the LISTEN state, then the state transitions to SYN- + RECEIVED, and some of the TCB is initialized with information from + the header fields of the received SYN segment. In practice, many + operating systems do not alter the TCB in LISTEN, but instead make a + copy of the TCB and perform the state transition and update on the + copy. This is done so that the local TCP port may be shared amongst + several distinct connections. This TCB-copying behavior is not + actually essential for this purpose, but influences the way in which + applications that wish to handle multiple simultaneous connections + through a single TCP port are written. The crucial result of this + behavior is that, instead of updating already-allocated memory, new + (or unused) memory must be devoted to the copied TCB. + + As an example, in the Linux 2.6.10 networking code, a "sock" + structure is used to implement the TCB concept. By examination, this + structure takes over 1300 bytes to store in memory. In other systems + that implement less-complex TCP algorithms and options, the overhead + may be less, although it typically exceeds 280 bytes [SKK+97]. + + To protect host memory from being exhausted by connection requests, + the number of TCB structures that can be resident at any time is + usually limited by operating system kernels. Systems vary on whether + limits are globally applied or local to a particular port number. + There is also variation on whether the limits apply to fully + established connections as well as those in SYN-RECEIVED. Commonly, + systems implement a parameter to the typical listen() system call + that allows the application to suggest a value for this limit, called + the backlog. When the backlog limit is reached, then either incoming + SYN segments are ignored, or uncompleted connections in the backlog + are replaced. The concept of using a backlog is not described in the + standards documents, so the failure behavior when the backlog is + reached might differ between stacks (for instance, TCP RSTs might be + generated). The exact failure behavior will determine whether + initiating hosts continue to retransmit SYN segments over time, or + quickly cease. These differences in implementation are acceptable + since they only affect the behavior of the local stack when its + resources are constrained, and do not cause interoperability + problems. + + + + +Eddy Informational [Page 4] + +RFC 4987 TCP SYN Flooding August 2007 + + + The SYN flooding attack does not attempt to overload the network's + resources or the end host's memory, but merely attempts to exhaust + the backlog of half-open connections associated with a port number. + The goal is to send a quick barrage of SYN segments from IP addresses + (often spoofed) that will not generate replies to the SYN-ACKs that + are produced. By keeping the backlog full of bogus half-opened + connections, legitimate requests will be rejected. Three important + attack parameters for success are the size of the barrage, the + frequency with which barrages are generated, and the means of + selecting IP addresses to spoof. + + Barrage Size + + To be effective, the size of the barrage must be made large enough + to reach the backlog. Ideally, the barrage size is no larger than + the backlog, minimizing the volume of traffic the attacker must + source. Typical default backlog values vary from a half-dozen to + several dozen, so the attack might be tailored to the particular + value determined by the victim host and application. On machines + intended to be servers, especially for a high volume of traffic, + the backlogs are often administratively configured to higher + values. + + Barrage Frequency + + To limit the lifetime of half-opened connection state, TCP + implementations commonly reclaim memory from half-opened + connections if they do not become fully opened after some time + period. For instance, a timer of 75 seconds [SKK+97] might be set + when the first SYN-ACK is sent, and on expiration cause SYN-ACK + retransmissions to cease and the TCB to be released. The TCP + specifications do not include this behavior of giving up on + connection establishment after an arbitrary time. Some purists + have expressed that the TCP implementation should continue + retransmitting SYN and SYN-ACK segments without artificial bounds + (but with exponential backoff to some conservative rate) until the + application gives up. Despite this, common operating systems + today do implement some artificial limit on half-open TCB + lifetime. For instance, backing off and stopping after a total of + 511 seconds can be observed in 4.4 BSD-Lite [Ste95], and is still + practiced in some operating systems derived from this code. + + To remain effective, a SYN flooding attack needs to send new + barrages of bogus connection requests as soon as the TCBs from the + previous barrage begin to be reclaimed. The frequency of barrages + are tailored to the victim TCP implementation's TCB reclamation + timer. Frequencies higher than needed source more packets, + potentially drawing more attention, and frequencies that are too + + + +Eddy Informational [Page 5] + +RFC 4987 TCP SYN Flooding August 2007 + + + low will allow windows of time where legitimate connections can be + established. + + IP Address Selection + + For an effective attack, it is important that the spoofed IP + addresses be unresponsive to the SYN-ACK segments that the victim + will generate. If addresses of normal connected hosts are used, + then those hosts will send the victim a TCP reset segment that + will immediately free the corresponding TCB and allow room in the + backlog for legitimate connections to be made. The code + distributed in the original Phrack article used a single source + address for all spoofed SYN segments. This makes the attack + segments somewhat easier to identify and filter. A strong + attacker will have a list of unresponsive and unrelated addresses + that it chooses spoofed source addresses from. + + It is important to note that this attack is directed at particular + listening applications on a host, and not the host itself or the + network. The attack also attempts to prevent only the establishment + of new incoming connections to the victim port, and does not impact + outgoing connection requests, nor previously established connections + to the victim port. + + In practice, an attacker might choose not to use spoofed IP + addresses, but instead to use a multitude of hosts to initiate a SYN + flooding attack. For instance, a collection of compromised hosts + under the attacker's control (i.e., a "botnet") could be used. In + this case, each host utilized in the attack would have to suppress + its operating system's native response to the SYN-ACKs coming from + the target. It is also possible for the attack TCP segments to + arrive in a more continuous fashion than the "barrage" terminology + used here suggests; as long as the rate of new SYNs exceeds the rate + at which TCBs are reaped, the attack will be successful. + +3. Common Defenses + + This section discusses a number of defense techniques that are known + to the community, many of which are available in off-the-shelf + products. + +3.1. Filtering + + Since in the absence of an army of controlled hosts, the ability to + send packets with spoofed source IP addresses is required for this + attack to work, removing an attacker's ability to send spoofed IP + packets is an effective solution that requires no modifications to + TCP. The filtering techniques described in RFCs 2827, 3013, and 3704 + + + +Eddy Informational [Page 6] + +RFC 4987 TCP SYN Flooding August 2007 + + + represent the best current practices for packet filtering based on IP + addresses [RFC2827][RFC3013][RFC3704]. While perfectly effective, + end hosts should not rely on filtering policies to prevent attacks + from spoofed segments, as global deployment of filters is neither + guaranteed nor likely. An attacker with the ability to use a group + of compromised hosts or to rapidly change between different access + providers will also make filtering an impotent solution. + +3.2. Increasing Backlog + + An obvious attempt at a defense is for end hosts to use a larger + backlog. Lemon has shown that in FreeBSD 4.4, this tactic has some + serious negative aspects as the size of the backlog grows [Lem02]. + The implementation has not been designed to scale past backlogs of a + few hundred, and the data structures and search algorithms that it + uses are inefficient with larger backlogs. It is reasonable to + assume that other TCP implementations have similar design factors + that limit their performance with large backlogs, and there seems to + be no compelling reason why stacks should be re-engineered to support + extremely large backlogs, since other solutions are available. + However, experiments with large backlogs using efficient data + structures and search algorithms have not been conducted, to our + knowledge. + +3.3. Reducing SYN-RECEIVED Timer + + Another quickly implementable defense is shortening the timeout + period between receiving a SYN and reaping the created TCB for lack + of progress. Decreasing the timer that limits the lifetime of TCBs + in SYN-RECEIVED is also flawed. While a shorter timer will keep + bogus connection attempts from persisting for as long in the backlog, + and thus free up space for legitimate connections sooner, it can + prevent some fraction of legitimate connections from becoming fully + established. This tactic is also ineffective because it only + requires the attacker to increase the barrage frequency by a linearly + proportional amount. This timer reduction is sometimes implemented + as a response to crossing some threshold in the backlog occupancy, or + some rate of SYN reception. + +3.4. Recycling the Oldest Half-Open TCB + + Once the entire backlog is exhausted, some implementations allow + incoming SYNs to overwrite the oldest half-open TCB entry. This + works under the assumption that legitimate connections can be fully + established in less time than the backlog can be filled by incoming + attack SYNs. This can fail when the attacking packet rate is high + and/or the backlog size is small, and is not a robust defense. + + + + +Eddy Informational [Page 7] + +RFC 4987 TCP SYN Flooding August 2007 + + +3.5. SYN Cache + + The SYN cache, best described by Lemon [Lem02], is based on + minimizing the amount of state that a SYN allocates, i.e., not + immediately allocating a full TCB. The full state allocation is + delayed until the connection has been fully established. Hosts + implementing a SYN cache have some secret bits that they select from + the incoming SYN segments. The secret bits are hashed along with the + IP addresses and TCP ports of a segment, and the hash value + determines the location in a global hash table where the incomplete + TCB is stored. There is a bucket limit for each hash value, and when + this limit is reached, the oldest entry is dropped. + + The SYN cache technique is effective because the secret bits prevent + an attacker from being able to target specific hash values for + overflowing the bucket limit, and it bounds both the CPU time and + memory requirements. Lemon's evaluation of the SYN cache shows that + even under conditions where a SYN flooding attack is not being + performed, due to the modified processing path, connection + establishment is slightly more expedient. Under active attack, SYN + cache performance was observed to approximately linearly shift the + distribution of times to establish legitimate connections to about + 15% longer than when not under attack [Lem02]. + + If data accompanies the SYN segment, then this data is not + acknowledged or stored by the receiver, and will require + retransmission. This does not affect the reliability of TCP's data + transfer service, but it does affect its performance to some small + extent. SYNs carrying data are used by the T/TCP extensions + [RFC1644]. While T/TCP is implemented in a number of popular + operating systems [GN00], it currently seems to be rarely used. + Measurements at one site's border router [All07] logged 2,545,785 SYN + segments (not SYN-ACKs), of which 36 carried the T/TCP CCNEW option + (or 0.001%). These came from 26 unique hosts, and no other T/TCP + options were seen. 2,287 SYN segments with data were seen (or 0.09% + of all SYN segments), all of which had exactly 24 bytes of data. + These observations indicate that issues with SYN caches and data on + SYN segments may not be significant in deployment. + +3.6. SYN Cookies + + SYN cookies go a step further and allocate no state at all for + connections in SYN-RECEIVED. Instead, they encode most of the state + (and all of the strictly required) state that they would normally + keep into the sequence number transmitted on the SYN-ACK. If the SYN + was not spoofed, then the acknowledgement number (along with several + other fields) in the ACK that completes the handshake can be used to + reconstruct the state to be put into the TCB. To date, one of the + + + +Eddy Informational [Page 8] + +RFC 4987 TCP SYN Flooding August 2007 + + + best references on SYN cookies can be found on Dan Bernstein's web + site [cr.yp.to]. This technique exploits the long-understood low + entropy in TCP header fields [RFC1144][RFC4413]. In Appendix A, we + describe the SYN cookie technique, to avoid the possibility that the + web page will become unavailable. + + The exact mechanism for encoding state into the SYN-ACK sequence + number can be implementation dependent. A common consideration is + that to prevent replay, some time-dependent random bits must be + embedded in the sequence number. One technique used 7 bits for these + bits and 25 bits for the other data [Lem02]. One way to encode these + bits has been to XOR the initial sequence number received with a + truncated cryptographic hash of the IP address and TCP port number + pairs, and secret bits. In practice, this hash has been generated + using MD5 [RFC1321]. Any similar one-way hash could be used instead + without impacting interoperability since the hash value is checked by + the same host who generates it. + + The problem with SYN cookies is that commonly implemented schemes are + incompatible with some TCP options, if the cookie generation scheme + does not consider them. For example, an encoding of the Maximum + Segment Size (MSS) advertised on the SYN has been accommodated by + using 2 sequence number bits to represent 4 predefined common MSS + values. Similar techniques would be required for some other TCP + options, while negotiated use of other TCP options can be detected + implicitly. A timestamp on the ACK, as an example, indicates that + Timestamp use was successfully negotiated on the SYN and SYN-ACK, + while the reception of a Selective Acknowledgement (SACK) option at + some point during the connection implies that SACK was negotiated. + Note that SACK blocks should normally not be sent by a host using TCP + cookies unless they are first received. For the common + unidirectional data flow in many TCP connections, this can be a + problem, as it limits SACK usage. For this reason, SYN cookies + typically are not used by default on systems that implement them, and + are only enabled either under high-stress conditions indicative of an + attack, or via administrative action. + + Recently, a new SYN cookie technique developed for release in FreeBSD + 7.0 leverages the bits of the Timestamp option in addition to the + sequence number bits for encoding state. Since the Timestamp value + is echoed back in the Timestamp Echo field of the ACK packet, any + state stored in the Timestamp option can be restored similarly to the + way that it is from the sequence number / acknowledgement in a basic + SYN cookie. Using the Timestamp bits, it is possible to explicitly + store state bits for things like send and receive window scales, + SACK-allowed, and TCP-MD5-enabled, for which there is no room in a + typical SYN cookie. This use of Timestamps to improve the + compromises inherent in SYN cookies is unique to the FreeBSD + + + +Eddy Informational [Page 9] + +RFC 4987 TCP SYN Flooding August 2007 + + + implementation, to our knowledge. A limitation is that the technique + can only be used if the SYN itself contains a Timestamp option, but + this option seems to be widely implemented today, and hosts that + support window scaling and SACK typically support timestamps as well. + + Similarly to SYN caches, SYN cookies do not handle application data + piggybacked on the SYN segment. + + Another problem with SYN cookies is for applications where the first + application data is sent by the passive host. If this host is + handling a large number of connections, then packet loss may be + likely. When a handshake-completing ACK from the initiator is lost, + the passive side's application layer never is notified of the + connection's existence and never sends data, even though the + initiator thinks that the connection has been successfully + established. An example application where the first application- + layer data is sent by the passive side is SMTP, if implemented + according to RFC 2821, where a "service ready" message is sent by the + passive side after the TCP handshake is completed. + + Although SYN cookie implementations exist and are deployed, the use + of SYN cookies is often disabled in default configurations, so it is + unclear how much operational experience actually exists with them or + if using them opens up new vulnerabilities. Anecdotes of incidents + where SYN cookies have been used on typical web servers seem to + indicate that the added processing burden of computing MD5 sums for + every SYN packet received is not significant in comparison to the + loss of application availability when undefended. For some + computationally constrained mobile or embedded devices, this + situation might be different. + +3.7. Hybrid Approaches + + The SYN cache and SYN cookie techniques can be combined. For + example, in the event that the cache becomes full, then SYN cookies + can be sent instead of purging cache entries upon the arrival of new + SYNs. Such hybrid approaches may provide a strong combination of the + positive aspects of each approach. Lemon has demonstrated the + utility of this hybrid [Lem02]. + +3.8. Firewalls and Proxies + + Firewall-based tactics may also be used to defend end hosts from SYN + flooding attacks. The basic concept is to offload the connection + establishment procedures onto a firewall that screens connection + attempts until they are completed and then proxies them back to + protected end hosts. This moves the problem away from end hosts to + become the firewall's or proxy's problem, and may introduce other + + + +Eddy Informational [Page 10] + +RFC 4987 TCP SYN Flooding August 2007 + + + problems related to altering TCP's expected end-to-end semantics. A + common tactic used in these firewall and proxy products is to + implement one of the end host based techniques discussed above, and + screen incoming SYNs from the protected network until the connection + is fully established. This is accomplished by spoofing the source + addresses of several packets to the initiator and listener at various + stages of the handshake [Eddy06]. + +4. Analysis + + Several of the defenses discussed in the previous section rely on + changes to behavior inside the network; via router filtering, + firewalls, and proxies. These may be highly effective, and often + require no modification or configuration of end-host software. Given + the mobile nature and dynamic connectivity of many end hosts, it is + optimistic for TCP implementers to assume the presence of such + protective devices. TCP implementers should provide some means of + defense to SYN flooding attacks in end-host implementations. + + Among end-host modifications, the SYN cache and SYN cookie approaches + seem to be the only viable techniques discovered to date. Increasing + the backlog and reducing the SYN-RECEIVED timer are measurably + problematic. The SYN cache implies a higher memory footprint than + SYN cookies; however, SYN cookies may not be fully compatible with + some TCP options, and may hamper development of future TCP extensions + that require state. For these reasons, SYN cookies should not be + enabled by default on systems that provide them. SYN caches do not + have the same negative implications and may be enabled as a default + mode of processing. + + In October of 1996, Dave Borman implemented a SYN cache at BSDi for + BSD/OS, which was given to the community with no restrictions. This + code seems to be the basis for the SYN cache implementations adopted + later in other BSD variants. The cache was used when the backlog + became full, rather than by default, as we have described. A note to + the tcp-impl mailing list explains that this code does not retransmit + SYN-ACKs [B97]. More recent implementations have chosen to reverse + this decision and retransmit SYN-ACKs. It is known that loss of SYN- + ACK packets is not uncommon [SD01] and can severely slow the + performance of connections when initial retransmission timers for + SYNs are overly conservative (as in some operating systems) or + retransmitted SYNs are lost. Furthermore, if a SYN flooding attacker + has a high sending rate, loss of retransmitted SYNs is likely, so if + SYN-ACKs are not retransmitted, the chance of efficiently + establishing legitimate connections is reduced. + + + + + + +Eddy Informational [Page 11] + +RFC 4987 TCP SYN Flooding August 2007 + + + In 1997, NetBSD incorporated a modified version of Borman's code. + Two notable differences from the original code stem from the decision + to use the cache by default (for all connections). This implied the + need to perform retransmissions for SYN-ACKs, and to use larger + structures to keep more complete data. The original structure was 32 + bytes long for IPv4 connections and 56 bytes with IPv6 support, while + the current FreeBSD structure is 196 bytes long. As previously + cited, Lemon implemented the SYN cache and cookie techniques in + FreeBSD 4.4 [Lem02]. Lemon notes that a SYN cache structure took up + 160 bytes compared to 736 for the full TCB (now 196 bytes for the + cache structure). We have examined the OpenBSD 3.6 code and + determined that it includes a similar SYN cache. + + Linux 2.6.5 code, also by examination, contains a SYN cookie + implementation that encodes 8 MSS values, and does not use SYN + cookies by default. This functionality has been present in the Linux + kernel for several years previous to 2.6.5. + + When a SYN cache and/or SYN cookies are implemented with IPv6, the + IPv6 flow label value used on the SYN-ACK should be consistent with + the flow label used for the rest of the packets within that flow. + There have been implementation bugs that caused random flow labels to + be used in SYN-ACKs generated by SYN cache and SYN cookie code + [MM05]. + + Beginning with Windows 2000, Microsoft's Windows operating systems + have had a "TCP SYN attack protection" feature, which can be toggled + on or off in the registry. This defaulted to off, until Windows 2003 + SP1, in which it is on by default. With this feature enabled, when + the number of half-open connections and half-open connections with + retransmitted SYN-ACKs exceeds configurable thresholds, then the + number of times that SYN-ACKs are retransmitted before giving up is + reduced, and the "Route Cache Entry" creation is delayed, which + prevents some features (e.g., window scaling) from being used + [win2k3-wp]. + + Several vendors of commercial firewall products sell devices that can + mitigate SYN flooding's effects on end hosts by proxying connections. + + Discovery and exploitation of the SYN flooding vulnerability in TCP's + design provided a valuable lesson for protocol designers. The Stream + Control Transmission Protocol [RFC2960], which was designed more + recently, incorporated a 4-way handshake with a stateless cookie- + based component for the listening end. In this way, the passive- + opening side has better evidence that the initiator really exists at + the given address before it allocates any state. The Host Identity + Protocol base exchange [MNJH07] is similarly designed as a 4-way + handshake, but also involves a puzzle sent to the initiator that must + + + +Eddy Informational [Page 12] + +RFC 4987 TCP SYN Flooding August 2007 + + + be solved before any state is reserved by the responder. The general + concept of designing statelessness into protocol setup to avoid + denial-of-service attacks has been discussed by Aura and Nikander + [AN97]. + +5. Security Considerations + + The SYN flooding attack on TCP has been described in numerous other + publications, and the details and code needed to perform the attack + have been easily available for years. Describing the attack in this + document does not pose any danger of further publicizing this + weakness in unmodified TCP stacks. Several widely deployed operating + systems implement the mitigation techniques that this document + discusses for defeating SYN flooding attacks. In at least some + cases, these operating systems do not enable these countermeasures by + default; however, the mechanisms for defeating SYN flooding are well + deployed, and easily enabled by end-users. The publication of this + document should not influence the number of SYN flooding attacks + observed, and might increase the robustness of the Internet to such + attacks by encouraging use of the commonly available mitigations. + +6. Acknowledgements + + A conversation with Ted Faber was the impetus for writing this + document. Comments and suggestions from Joe Touch, Dave Borman, + Fernando Gont, Jean-Baptiste Marchand, Christian Huitema, Caitlin + Bestler, Pekka Savola, Andre Oppermann, Alfred Hoenes, Mark Allman, + Lars Eggert, Pasi Eronen, Warren Kumari, David Malone, Ron Bonica, + and Lisa Dusseault were useful in strengthening this document. The + original work on TCP SYN cookies presented in Appendix A is due to + D.J. Bernstein. + + Work on this document was performed at NASA's Glenn Research Center. + Funding was partially provided by a combination of NASA's Advanced + Communications, Navigation, and Surveillance Architectures and System + Technologies (ACAST) project, the Sensis Corporation, NASA's Space + Communications Architecture Working Group, and NASA's Earth Science + Technology Office. + +7. Informative References + + [AN97] Aura, T. and P. Nikander, "Stateless Connections", + Proceedings of the First International Conference on + Information and Communication Security, 1997. + + [All07] Allman, M., "personal communication", February 2007. + + + + + +Eddy Informational [Page 13] + +RFC 4987 TCP SYN Flooding August 2007 + + + [B96] Bennahum, D., "PANIX ATTACK", MEME 2.12, October 1996, + <http://memex.org/meme2-12.html>. + + [B97] Borman, D., "Re: SYN/RST cookies (was Re: a quick + clarification...)", IETF tcp-impl mailing list, + June 1997. + + [CA-96.21] CERT, "CERT Advisory CA-1996-21 TCP SYN Flooding and IP + Spoofing Attacks", September 1996. + + [CB94] Cheswick, W. and S. Bellovin, "Firewalls and Internet + Security", ISBN: 0201633574, January 1994. + + [Eddy06] Eddy, W., "Defenses Against TCP SYN Flooding Attacks", + Cisco Internet Protocol Journal Volume 8, Number 4, + December 2006. + + [GN00] Griffin, M. and J. Nelson, "T/TCP: TCP for + Transactions", Linux Journal, February 2000. + + [Lem02] Lemon, J., "Resisting SYN Flood DoS Attacks with a SYN + Cache", BSDCON 2002, February 2002. + + [MM05] McGann, O. and D. Malone, "Flow Label Filtering + Feasibility", European Conference on Computer Network + Defense 2005, December 2005. + + [MNJH07] Moskowitz, R., Nikander, P., Jokela, P., and T. + Henderson, "Host Identity Protocol", Work in Progress, + June 2007. + + [P48-13] daemon9, route, and infinity, "Project Neptune", Phrack + Magazine, Volume 7, Issue 48, File 13 of 18, July 1996. + + [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, + RFC 793, September 1981. + + [RFC1144] Jacobson, V., "Compressing TCP/IP headers for low-speed + serial links", RFC 1144, February 1990. + + [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", + RFC 1321, April 1992. + + [RFC1644] Braden, B., "T/TCP -- TCP Extensions for Transactions + Functional Specification", RFC 1644, July 1994. + + + + + + +Eddy Informational [Page 14] + +RFC 4987 TCP SYN Flooding August 2007 + + + [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering: + Defeating Denial of Service Attacks which employ IP + Source Address Spoofing", BCP 38, RFC 2827, May 2000. + + [RFC2960] Stewart, R., Xie, Q., Morneault, K., Sharp, C., + Schwarzbauer, H., Taylor, T., Rytina, I., Kalla, M., + Zhang, L., and V. Paxson, "Stream Control Transmission + Protocol", RFC 2960, October 2000. + + [RFC3013] Killalea, T., "Recommended Internet Service Provider + Security Services and Procedures", BCP 46, RFC 3013, + November 2000. + + [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for + Multihomed Networks", BCP 84, RFC 3704, March 2004. + + [RFC4413] West, M. and S. McCann, "TCP/IP Field Behavior", + RFC 4413, March 2006. + + [SD01] Seddigh, N. and M. Devetsikiotis, "Studies of TCP's + Retransmission Timeout Mechanism", Proceedings of the + 2001 IEEE International Conference on Communications + (ICC 2001), volume 6, pages 1834-1840, June 2001. + + [SKK+97] Schuba, C., Krsul, I., Kuhn, M., Spafford, E., Sundaram, + A., and D. Zamboni, "Analysis of a Denial of Service + Attack on TCP", Proceedings of the 1997 IEEE Symposium + on Security and Privacy 1997. + + [Ste95] Stevens, W. and G. Wright, "TCP/IP Illustrated, Volume + 2: The Implementation", January 1995. + + [cr.yp.to] Bernstein, D., "SYN cookies", visited in December 2005, + <http://cr.yp.to/syncookies.html>. + + [win2k3-wp] Microsoft Corporation, "Microsoft Windows Server 2003 + TCP/IP Implementation Details", White Paper, July 2005. + + + + + + + + + + + + + + +Eddy Informational [Page 15] + +RFC 4987 TCP SYN Flooding August 2007 + + +Appendix A. SYN Cookies Description + + This information is taken from Bernstein's web page on SYN cookies + [cr.yp.to]. This is a rewriting of the technical information on that + web page and not a full replacement. There are other slightly + different ways of implementing the SYN cookie concept than the exact + means described here, although the basic idea of encoding data into + the SYN-ACK sequence number is constant. + + A SYN cookie is an initial sequence number sent in the SYN-ACK, that + is chosen based on the connection initiator's initial sequence + number, MSS, a time counter, and the relevant addresses and port + numbers. The actual bits comprising the SYN cookie are chosen to be + the bitwise difference (exclusive-or) between the SYN's sequence + number and a 32 bit quantity computed so that the top five bits come + from a 32-bit counter value modulo 32, where the counter increases + every 64 seconds, the next 3 bits encode a usable MSS near to the one + in the SYN, and the bottom 24 bits are a server-selected secret + function of pair of IP addresses, the pair of port numbers, and the + 32-bit counter used for the first 5 bits. This means of selecting an + initial sequence number for use in the SYN-ACK complies with the rule + that TCP sequence numbers increase slowly. + + When a connection in LISTEN receives a SYN segment, it can generate a + SYN cookie and send it in the sequence number of a SYN-ACK, without + allocating any other state. If an ACK comes back, the difference + between the acknowledged sequence number and the sequence number of + the ACK segment can be checked against recent values of the counter + and the secret function's output given those counter values and the + IP addresses and port numbers in the ACK segment. If there is a + match, the connection can be accepted, since it is statistically very + likely that the other side received the SYN cookie and did not simply + guess a valid cookie value. If there is not a match, the connection + can be rejected under the heuristic that it is probably not in + response to a recently sent SYN-ACK. + + With SYN cookies enabled, a host will be able to remain responsive + even when under a SYN flooding attack. The largest price to be paid + for using SYN cookies is in the disabling of the window scaling + option, which disables high performance. + + Bernstein's web page [cr.yp.to] contains more information about the + initial conceptualization and implementation of SYN cookies, and + archives of emails documenting this history. It also lists some + false negative claims that have been made about SYN cookies, and + discusses reducing the vulnerability of SYN cookie implementations to + blind connection forgery by an attacker guessing valid cookies. + + + + +Eddy Informational [Page 16] + +RFC 4987 TCP SYN Flooding August 2007 + + + The best description of the exact SYN cookie algorithms is in a part + of an email from Bernstein, that is archived on the web site (notice + it does not set the top five bits from the counter modulo 32, as the + previous description did, but instead uses 29 bits from the second + MD5 operation and 3 bits for the index into the MSS table; + establishing the secret values is also not discussed). The remainder + of this section is excerpted from Bernstein's email [cr.yp.to]: + + Here's what an implementation would involve: + + Maintain two (constant) secret keys, sec1 and sec2. + + Maintain a (constant) sorted table of 8 common MSS values, + msstab[8]. + + Keep track of a "last overflow time". + + Maintain a counter that increases slowly over time and never + repeats, such as "number of seconds since 1970, shifted right 6 + bits". + + When a SYN comes in from (saddr,sport) to (daddr,dport) with + ISN x, find the largest i for which msstab[i] <= the incoming + MSS. Compute + + z = MD5(sec1,saddr,sport,daddr,dport,sec1) + + + x + + + (counter << 24) + + + (MD5(sec2,counter,saddr,sport,daddr,dport,sec2) % (1 << + 24)) + + and then + + y = (i << 29) + (z % (1 << 29)) + + Create a TCB as usual, with y as our ISN. Send back a SYNACK. + + Exception: _If_ we're out of memory for TCBs, set the "last + overflow time" to the current time. Send the SYNACK anyway, + with all fancy options turned off. + + When an ACK comes back, follow this procedure to find a TCB: + + + + + + +Eddy Informational [Page 17] + +RFC 4987 TCP SYN Flooding August 2007 + + + (1) Look for a (saddr,sport,daddr,dport) TCB. If it's there, + done. + + (2) If the "last overflow time" is earlier than a few minutes + ago, give up. + + (3) Figure out whether our alleged ISN makes sense. This + means recomputing y as above, for each of the counters + that could have been used in the last few minutes (say, + the last four counters), and seeing whether any of the y's + match the ISN in the bottom 29 bits. If none of them do, + give up. + + (4) Create a new TCB. The top three bits of our ISN give a + usable MSS. Turn off all fancy options. + +Author's Address + + Wesley M. Eddy + Verizon Federal Network Systems + NASA Glenn Research Center + 21000 Brookpark Rd, MS 54-5 + Cleveland, OH 44135 + + Phone: 216-433-6682 + EMail: weddy@grc.nasa.gov + + + + + + + + + + + + + + + + + + + + + + + + + +Eddy Informational [Page 18] + +RFC 4987 TCP SYN Flooding August 2007 + + +Full Copyright Statement + + Copyright (C) The IETF Trust (2007). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND + THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS + OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF + THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + +Eddy Informational [Page 19] + |