When a system receives a TCP SYN packet, the TCP stack places it in a queue of half-open connections until the handshake completes and it becomes a full-open connection. There are a limited number of half-open connection slots, so it is easy to overwhelm the target with a relatively small number of packets.

1. Each SYN places a half-open connection in the queue.
2. The machine responds with a SYN/ACK if the port is open and listening (RST if closed).
3. If you're under a SYN flood, your half-open connection queue fills up and no other connections are possible until the half-open entries expire, in about 60 seconds.
4. Some operating systems shorten that expiry timer when the queue starts to fill up in response to floods. This frees slots for other connection attempts, fraudulent or otherwise.

This is one of two resource-starvation attacks. The other is a plain SYN flood that simply tries to overwhelm the target's bandwidth.

You can determine if you are under one of these attacks by:
– If they're trying to overwhelm your half-open connection queue, check netstat for a large number of connections in the SYN RECEIVED state. If you see them, they're trying to overrun your connection queue.
– If your router indicates a maxed out interface, they’re trying to flood to squash the interface.

If the sources are small enough, you can simply block them at your border router.
If it’s too many sources to block, call your ISP.
You can also trace them back to the source ISP and have them kicked off, if all goes well.

Count the number of half-open connections to determine if you are under a Half-open connection flood.
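The half-open count described above can be pulled straight out of netstat output. This is an added example, not code from the original post: it parses netstat-style lines (a constructed sample, not a real capture), counts SYN_RECV / SYN_RECEIVED entries per local port, and flags any port whose half-open count has reached a chosen fraction of an assumed backlog size.

```python
from collections import Counter, defaultdict

# Constructed sample of `netstat -ant` output (Linux column layout), not
# captured from a real host. Ten SYN_RECV rows sit on port 80, one on 22.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51022          ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.4:60100       SYN_RECV
""" + "".join(
    # ten half-open attempts to port 80, each from a different source
    f"tcp        0      0 10.0.0.5:80             198.51.100.{i}:{40000 + i}      SYN_RECV\n"
    for i in range(1, 11)
)

HALF_OPEN = {"SYN_RECV", "SYN_RECEIVED"}  # Linux and Windows spellings

def half_open_by_port(netstat_text):
    """Map each local port to (half-open count, number of distinct source IPs).

    Works on both Linux (6 columns) and Windows (4 columns) netstat output,
    since local address, foreign address and state are always the last three.
    """
    counts, sources = Counter(), defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].lower() not in ("tcp", "tcp6"):
            continue  # header, blank, or UDP row
        local, remote, state = fields[-3], fields[-2], fields[-1]
        if state not in HALF_OPEN:
            continue
        port = int(local.rsplit(":", 1)[1])
        counts[port] += 1
        sources[port].add(remote.rsplit(":", 1)[0])
    return {p: (counts[p], len(sources[p])) for p in counts}

def flooded_ports(netstat_text, backlog=128, fill_ratio=0.5):
    """Ports whose half-open queue is at least fill_ratio of the assumed backlog."""
    return sorted(p for p, (n, _) in half_open_by_port(netstat_text).items()
                  if n >= backlog * fill_ratio)

if __name__ == "__main__":
    for port, (n, srcs) in sorted(half_open_by_port(SAMPLE_NETSTAT).items()):
        print(f"port {port}: {n} half-open from {srcs} source IP(s)")
    print("flooded (backlog 16):", flooded_ports(SAMPLE_NETSTAT, backlog=16))
```

Feed it the live output of `netstat -ant` (Linux) or `netstat -an -p tcp` (Windows) and set `backlog` to the slot count your OS actually uses; a high count spread across many distinct sources is the queue-exhaustion pattern the post describes.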

Depending on the operating system you are using, there are 128, 500, 1000, or 1024 available connection slots per port (e.g., 80/TCP).
Microsoft implemented a smart process for dealing with SYN floods: when it detects a SYN flood it reduces the timeout in the half-open connection queue, thereby mitigating the threat. Good deal.

By Greg Miller

Ex-military cyber officer. Triathlete and mountain bike racer.