
How to Stop a SYN Flood Attack

A SYN flood is a denial-of-service attack that overwhelms a server with TCP connection
requests. In a normal TCP connection the client sends a SYN segment, the server answers
with a SYN-ACK (synchronize-acknowledge), and the client completes the exchange with an
ACK. This is the three-way handshake. In a SYN flood the attacker sends waves of SYN
segments, usually with spoofed (forged) source IP addresses. Because the source address
is forged, the server's SYN-ACK goes nowhere and the final ACK never arrives. Each
unanswered SYN leaves a half-open connection that holds a slot in the server's connection
backlog until it times out. Flooding the server with SYN segments exhausts those slots,
and the server becomes slow or unresponsive to legitimate clients. On a Windows web server
it is the Internet Information Server (IIS) sites that become unreachable, although the
settings below act on the TCP/IP stack and therefore protect every TCP listener on the
host. They are applied as values under the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. Note that the
SynAttackProtect value is honoured by Windows 2000, XP and Server 2003 only; Windows
Server 2008 and later have SYN attack protection built into the TCP/IP stack and ignore it.

Instructions

1. Step 1

Click the Windows "Start" button and select "Run." Type "regedit" in the text box and
press Enter. This opens the Registry Editor, where you will add the values.

2. Step 2

Navigate to the key
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" in the
registry. This key holds the TCP/IP stack's tuning values; the values added under it
limit the resources the server spends on half-open connections during a SYN attack.

3. Step 3

Right-click in the right-hand pane of the "Parameters" key, select "New" and choose
"DWORD Value." Enter "SynAttackProtect" as the value name and "2" as its data. The number
is not a length of time but a protection mode: 0 disables SYN attack protection, 1 cuts
the number of SYN-ACK retransmissions once the half-open backlog passes a threshold, and 2
additionally delays handing the connection to the listening application (IIS) until the
handshake has completed. Both modes make half-open entries expire sooner, which frees
backlog slots faster and keeps websites responsive during an attack. Microsoft's Windows
2000 hardening guidance recommends 2; Windows Server 2003 SP1 enables protection by default
with the value 1, and Windows Server 2008 and later ignore this value because SYN
protection is always on.

4. Step 4

Right-click again in the right-hand pane of the "Parameters" key, select "New" and choose
"DWORD Value." Enter "EnableDeadGWDetect" as the name and "0" as the data. This disables
dead gateway detection, which would otherwise let TCP move the server to a backup gateway
when several connections are struggling. An attacker who deliberately disrupts connections
could use that behaviour to push the server's traffic through an unintended gateway; with
the value 0 the server keeps its configured route.

5. Step 5

Right-click in the same pane, select "New" and choose "DWORD Value." Enter
"EnablePMTUDiscovery" as the name and "0" as the data. Path MTU discovery trusts ICMP
"fragmentation needed" messages, which an attacker can forge to drive the server's MTU
down to a tiny value so that every segment has to be fragmented, burning CPU and memory.
With the value 0, Windows stops probing and uses a fixed 576-byte MTU for all non-local
destinations. That is safe, but it lowers throughput to remote hosts, so weigh this
setting against the server's traffic profile.

6. Step 6

Close the Registry Editor and reboot the server. The TCP/IP stack reads these values at
startup, so the changes take effect only after a restart.
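
The six steps above as a script. This is an added example and not part of the original article: it uses Python's standard winreg module, and the function names (hardening_plan, read_current, apply_plan) and the dry-run/--apply convention are this example's own. It also encodes the version caveat from the introduction: on Windows Server 2008 and later it leaves SynAttackProtect alone, because that stack ignores it.

```python
"""Set (or dry-run) the three Tcpip\\Parameters values described above.

Added example, not code from the original article.  Function names and the
--apply convention are this example's own.  Run it in an elevated prompt on
the Windows server; on any other OS it only reports what it would do."""
import platform
import sys

TCPIP_PARAMS = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# value name -> DWORD data, with the article's reason for each
HARDENING = {
    "SynAttackProtect": 2,     # strongest SYN-attack mode (Windows 2000/XP)
    "EnableDeadGWDetect": 0,   # never fail over to another gateway under load
    "EnablePMTUDiscovery": 0,  # ignore forged ICMP "fragmentation needed"
}


def hardening_plan(windows_major):
    """Values to set for a given Windows NT major version (5 = 2000/XP/2003,
    6+ = Vista/2008 and later).  NT 6+ has SYN protection built in and ignores
    SynAttackProtect, so the plan drops it there instead of writing a dead value."""
    plan = dict(HARDENING)
    if windows_major >= 6:
        del plan["SynAttackProtect"]
    return plan


def diff_against_current(current, plan):
    """Subset of the plan whose data differs from what the registry holds now
    (current maps value name -> data, or None when the value is absent)."""
    return {name: data for name, data in plan.items()
            if current.get(name) != data}


def read_current(names):
    """Read the named DWORDs under HKLM\\...\\Tcpip\\Parameters (Windows only)."""
    import winreg
    current = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_PARAMS) as key:
        for name in names:
            try:
                data, kind = winreg.QueryValueEx(key, name)
                current[name] = data if kind == winreg.REG_DWORD else None
            except FileNotFoundError:
                current[name] = None
    return current


def apply_plan(changes):
    """Write the DWORDs.  Needs administrator rights; a reboot follows."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_PARAMS, 0,
                        winreg.KEY_SET_VALUE) as key:
        for name, data in changes.items():
            winreg.SetValueEx(key, name, 0, winreg.REG_DWORD, data)


if __name__ == "__main__":
    if platform.system() != "Windows":
        sys.exit("run this on the Windows server you are hardening")
    plan = hardening_plan(sys.getwindowsversion().major)
    changes = diff_against_current(read_current(plan), plan)
    if not changes:
        print("nothing to do; values already hardened")
    elif "--apply" in sys.argv:
        apply_plan(changes)
        print("set", changes, "- reboot so the TCP/IP stack reads them")
    else:
        print("would set", changes, "(re-run with --apply)")
```

Run it once without arguments to see the differences against the live registry, then with --apply from an elevated prompt; the diff step means a second run is a no-op, which makes the script safe to keep in a build or configuration-management job.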

How to Stop IRC Flood Kicks


Banning a Flooder

1. Step 1

Determine which host mask the flood is coming from. Type /whois Nickname, where Nickname
is the nickname the attacker is using; the reply shows the host mask in the form
nick!user@host. If the attacker has already left, try /whowas Nickname instead.

2. Step 2

Ban the host mask from the channel with /mode #channelname +b mask, where #channelname
is the channel you are in. Ban the attacker's region of the ISP rather than the exact
host: the leading part of the hostname (123456 in the example below) usually changes each
time the attacker reconnects, while a wildcard on the ISP's regional domain still lets
other customers of that ISP visit the channel. For example, if the attacker's host mask is
Flooder!jerk@123456.north.someisp.com, type /mode #channelname +b *!*@*.north.someisp.com
in the prompt of your IRC program.

3. Step 3

Ban the entire ISP from the channel if the attacker comes back with a different regional
host mask each time (south.someisp.com instead of north.someisp.com, and so on). In that
case type /mode #channelname +b *!*@*.someisp.com into the prompt. This also keeps out
everyone else from that ISP, so remove the ban with /mode #channelname -b *!*@*.someisp.com
once the flood has stopped.
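
Deriving and checking the ban masks from steps 2 and 3 before typing them, as an added example that is not from the original article: given the host mask that /whois reports, ban_mask() builds the regional or ISP-wide ban, matches() applies IRC's wildcard rules, and preview_ban() shows which users already in the channel a ban would catch. The function names are this example's own.

```python
import fnmatch
import re

# nick!user@host, as /whois reports it
_HOSTMASK = re.compile(r"([^!@]+)!([^!@]+)@([^!@]+)")


def parse_hostmask(hostmask):
    """Split 'nick!user@host' into its three parts."""
    m = _HOSTMASK.fullmatch(hostmask)
    if not m:
        raise ValueError("not a nick!user@host mask: " + hostmask)
    return m.group(1), m.group(2), m.group(3)


def ban_mask(hostmask, keep_labels):
    """Build a *!*@*.suffix ban that keeps only the last `keep_labels` labels
    of the host name.  For Flooder!jerk@123456.north.someisp.com,
    keep_labels=3 gives the regional ban *!*@*.north.someisp.com (step 2)
    and keep_labels=2 the ISP-wide ban *!*@*.someisp.com (step 3)."""
    _, _, host = parse_hostmask(hostmask)
    labels = host.split(".")
    if keep_labels >= len(labels):
        return "*!*@" + host              # nothing to widen: exact host ban
    return "*!*@*." + ".".join(labels[-keep_labels:])


def matches(ban, hostmask):
    """IRC ban matching: '*' matches any run of characters, '?' exactly one,
    and the comparison is case-insensitive."""
    return fnmatch.fnmatchcase(hostmask.lower(), ban.lower())


def banned_by(ban_list, hostmask):
    """Entries of the channel's +b list that would stop this user joining."""
    return [ban for ban in ban_list if matches(ban, hostmask)]


def preview_ban(ban, users):
    """Split the users currently in the channel into those the ban would
    catch and those it leaves alone, so the collateral is visible before
    you type /mode #channel +b."""
    caught = [u for u in users if matches(ban, u)]
    spared = [u for u in users if not matches(ban, u)]
    return caught, spared


if __name__ == "__main__":
    attacker = "Flooder!jerk@123456.north.someisp.com"
    present = [attacker, "Friend!f@host.otherisp.net", "Other!o@555.south.someisp.com"]
    for keep in (3, 2):
        ban = ban_mask(attacker, keep)
        caught, spared = preview_ban(ban, present)
        print("/mode #channel +b", ban, "-> catches", caught, "spares", spared)
```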

Using Chat Modes to Stop IRC Floods

4. Step 1

Type /mode #channelname +i in the chat box. This makes the channel invite-only: someone
has to invite a person before they can join. On most networks only channel operators can
invite, by typing /invite Nickname #channelname.

5. Step 2

Type /mode #channelname +l Number to limit how many people can be in the channel at once;
once that many have joined, further join attempts are refused.

6. Step 3

Try /mode #channelname +k Password in the prompt. This keeps out anyone who does not know
the password. To get in, users must type /join #channelname Password. To undo this, type
/mode #channelname -k Password.

7. Step 4

Type /mode #channelname -i, -l or -k (whichever modes you set) in the prompt when you feel
the channel is safe from attackers. Note that setting modes and bans requires channel
operator status.


Types of Attacks on Web Servers

Newspapers and Internet magazines ran cover stories when denial of service (DoS) attacks
took down the websites of a number of large and very successful companies last year. Even
vendors of security tools were among the targets. If Yahoo, Amazon, CNN and Microsoft fell
victim to DoS attacks, can any site owner feel safe?

This article explains the ins and outs of DoS and DDoS attack methods, the weaknesses they
exploit, and the available countermeasures, for webmasters who are looking for ways to
patch up their sites before it is too late.

DoS:

In a denial of service (DoS) attack, the attacker sends a stream of requests to a service
on the server machine in the hope of exhausting a resource the service depends on: memory,
connection state, network bandwidth or processor capacity.

DoS attacks involve:

* Jamming Networks
* Flooding Service Ports
* Misconfiguring Routers
* Flooding Mail Servers
DDoS:

In a distributed DoS (DDoS) attack the attacker first installs an agent (daemon) on a
large number of compromised hosts. The attacker then sends a command to a master
(handler) running on one of those hosts, and the master instructs the agents to start the
attack. DDoS attacks are harder to combat because blocking a single IP address or network
does not stop them: the traffic can come from hundreds or even thousands of individual
systems, and often the owners of those systems do not know that their computers are
taking part.
Attack methods used in DoS and DDoS campaigns include:

* FTP Bounce Attacks
* Port Scanning Attack
* Ping Flooding Attack
* Smurf Attack
* SYN Flooding Attack
* IP Fragmentation/Overlapping Fragment Attack
* IP Sequence Prediction Attack
* DNS Cache Poisoning
* SNMP Attack
* UDP Flood Attack
* Send Mail Attack

Some of the more popular attack methods are described below.

FTP Bounce Attack

FTP (File Transfer Protocol) is used to transfer documents and data, often anonymously,
between a local machine and a server. All administrators of FTP servers should understand
how this attack works, because it lets an attacker reach hosts behind a firewall by going
through a server the firewall trusts.

The bounce attack abuses the FTP PORT command, which tells the server where to open the
data connection. The attacker uploads a file to the FTP server, issues a PORT command
naming an internal host and port instead of the attacker's own address, and then requests
the file. The FTP server obediently connects to the internal host and delivers the file's
contents, which can be commands for the service listening there, malicious software, or
simply enough junk to tie up the internal server's memory and CPU. The same trick is used
to port-scan the internal network from the FTP server's address.

To avoid these attacks, keep the FTP daemon on the web servers updated; modern daemons
refuse PORT commands that point anywhere other than the client that opened the control
connection, and that check should be left enabled. Monitor the FTP site regularly for
unknown files uploaded to the web server. Firewalls also help by filtering content and
commands; some firewalls block certain file extensions, which can stop the upload of
malicious software.

Port Scanning Attack

A port scan is when someone uses software to systematically probe the entry points
(listening ports) on another person's machine. There are legitimate uses for this software
in managing a network; in an attack it is the reconnaissance step that tells the attacker
which services to target.

Attackers who get into another person's computer may leave unidentifiable harassing
messages, capture passwords or change the set-up configuration. The defense is consistent
network monitoring. There are free tools that detect port scans and related activity.

Ping Flooding Attack

Pinging involves one computer sending an ICMP echo request to another and expecting an
echo reply back. Responsible use of ping provides information on the availability of a
particular host. Ping flooding is the extreme of sending thousands or millions of pings
per second, which can cripple a system or even shut down an entire site.

A ping flooding attack floods the victim's network or machine with ICMP echo request
packets; the victim spends bandwidth and CPU receiving them and sending replies. At least
18 operating systems are reported to be vulnerable to this attack, but the majority can be
patched. Numerous routers and printers are also vulnerable, and patches cannot currently
be applied throughout a global network easily.

Smurf Attack

A smurf attack is a modification of the ping attack: instead of sending pings directly to
the attacked system, the attacker sends them to a network's broadcast address with the
victim's address forged as the source. Every host on that intermediate network answers,
so the victim is bombarded with hundreds or thousands of echo replies for each request
the attacker sends.

One solution is to prevent your network from being used as the amplifier: routers must be
configured to deny IP directed broadcasts coming from other networks into the network.
Another helpful measure is to configure the routers to block IP spoofing from the network
they protect, so that packets leaving it with source addresses that do not belong to the
network are dropped. To be effective this must be done on all routers at the network's
edge.

SYN Flooding Attack

This attack exploits a weakness in TCP connection setup. The victim is sent connection
requests that appear to come from a system with an unreachable or non-existent IP address,
and it keeps replying to that system. Each request waits for a response until it times out
and is dropped. During the waiting period the victim's connection backlog is consumed by
the bogus requests and it cannot respond to legitimate ones.

When a normal TCP connection starts, the destination host receives a SYN
(synchronize/start) packet from a source host and sends back a SYN ACK (synchronize
acknowledge) response. The destination host must then hear an acknowledgement, or ACK
packet, of the SYN ACK before the connection is established. This is referred to as the
"TCP three-way handshake".

Decreasing the time-out waiting period for the three-way handshake can help to reduce the
risk of SYN flooding attacks, as will increasing the size of the connection queue (the
SYN ACK backlog). Applying service packs to upgrade older operating systems is also a
good countermeasure. More recent operating systems are resistant to these attacks: they
cut SYN-ACK retransmissions under load or use SYN cookies, which let the server answer a
SYN without storing any half-open state until the client's ACK arrives.
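
A small discrete-time model of the two knobs in the last paragraph, the handshake time-out and the size of the connection queue. This is an added example and not part of the original article; the arrival rates, queue size and function names are this example's assumptions, chosen so the effect is visible rather than to match any real TCP stack.

```python
def arrival_order(attack_rate, legit_rate):
    """Interleave spoofed (False) and legitimate (True) SYNs evenly within
    one tick, so both compete fairly for the backlog slots freed that tick."""
    order, a, l = [], 0, 0
    while a < attack_rate or l < legit_rate:
        if l < legit_rate and (a >= attack_rate or l * attack_rate <= a * legit_rate):
            order.append(True)
            l += 1
        else:
            order.append(False)
            a += 1
    return order


def simulate(backlog, syn_timeout, attack_rate, legit_rate, rtt, duration):
    """A listening socket under a SYN flood.

    Each tick, attack_rate spoofed SYNs and legit_rate real SYNs arrive.  The
    half-open entry for a spoofed SYN never gets its ACK and holds a backlog
    slot for syn_timeout ticks; a real client's ACK arrives after rtt ticks
    and its entry leaves the queue as an established connection.  A SYN that
    finds every slot taken is dropped.  Returns (accepted, dropped) counts
    for the real clients."""
    half_open = []          # (tick at which the entry leaves, is_legit)
    accepted = dropped = 0
    order = arrival_order(attack_rate, legit_rate)
    for tick in range(duration):
        still = []
        for leave_at, legit in half_open:
            if leave_at <= tick:
                if legit:
                    accepted += 1   # handshake completed; spoofed ones just time out
            else:
                still.append((leave_at, legit))
        half_open = still
        for legit in order:
            if len(half_open) < backlog:
                half_open.append((tick + (rtt if legit else syn_timeout), legit))
            elif legit:
                dropped += 1        # real client saw the queue full
    return accepted, dropped


if __name__ == "__main__":
    print("backlog  timeout  accepted  dropped")
    for backlog, timeout in ((100, 20), (100, 4), (400, 20)):
        acc, drop = simulate(backlog, timeout, attack_rate=50, legit_rate=5,
                             rtt=1, duration=200)
        print(f"{backlog:7}  {timeout:7}  {acc:8}  {drop:7}")
```

With the attacker sending ten times as many SYNs as real clients, the baseline (backlog 100, time-out 20 ticks) lets only a small fraction of real clients in; shortening the time-out to 4 ticks or quadrupling the backlog each roughly doubles the number accepted, which is exactly the trade-off the two countermeasures make. Neither eliminates the loss, which is why stateless SYN cookies are the stronger answer.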

IP Fragmentation/Overlapping Fragment Attack

To carry IP packets across links with a smaller maximum transmission unit, IP packets can
be broken into smaller fragments that are reassembled by the receiving host. By making the
fragments very small, an attacker can ensure that routers and intrusion detection systems
never see the transport header and packet contents, so the fragments pass through without
examination. Reassembly is also where the damage is done: if the fragments add up to more
than the maximum IP packet size, the reassembled packet overflows the receiving buffer and
the machine may hang, reboot or show no effect at all.

In an overlapping fragment attack, a fragment claims an offset that starts in the middle
of a fragment already received. As the operating system receives these invalid fragments
it allocates memory to hold them, and a reassembly routine that does not expect overlaps
corrupts its buffers or keeps allocating until memory is exhausted, causing the machine
to reboot or hang.

IP Sequence Prediction Attack

In an IP sequence prediction attack the attacker completes a TCP connection with the
victim while pretending to be a machine the victim trusts. The attacker first silences the
trusted machine, for example with a SYN flood, then sends the victim a SYN with the
trusted machine's address as the source. The victim's SYN-ACK goes to the trusted machine,
which cannot answer, so the attacker has to guess the TCP initial sequence number (ISN)
the victim chose and send the final ACK blind. If the victim generates its ISNs
predictably, the guess succeeds: the victim believes it is communicating with the trusted
machine and provides the requested services. Most operating systems now randomize their
initial sequence numbers to reduce the possibility of prediction.

DNS Cache Poisoning

DNS provides distributed host information used for mapping domain names to IP addresses.
To improve performance, a DNS server caches the most recent answers for quick retrieval.
This cache can be attacked and false information planted in it to redirect network
connections or block access to web sites, a devious tactic called DNS cache poisoning.

The best defense against problems such as DNS cache poisoning is to run the latest
version of the DNS software for the operating system in use. Newer versions track pending
queries and accept a response only when its transaction ID matches one of them, which
makes spoofed responses much harder to slip in. Because the transaction ID is only 16 bits,
current resolvers also randomize the source port of each query, which an attacker would
likewise have to guess.

SNMP Attack

SNMP (Simple Network Management Protocol) is enabled by default on most network devices,
frequently with well-known community strings such as "public". An SNMP attack can result
in the network being mapped, and traffic can be monitored and redirected.

The best defense against this attack is upgrading to SNMPv3, which authenticates requests
and encrypts messages instead of sending community strings in clear text. Since SNMP
resides on almost all network devices (routers, hubs, switches, servers and printers), the
task of upgrading is huge. Some vendors now offer an SNMP management tool that includes
upgrade distribution for global networks.

UDP Flood Attack

A UDP flood attack links two unsuspecting systems. By spoofing the source address, the
attacker connects one system's UDP chargen service (which, for testing purposes, generates
a stream of characters in reply to each packet it receives) with another system's UDP echo
service (which echoes back whatever it receives, also intended for testing network
programs). A single forged datagram is enough to start a non-stop flood of useless data
between the two systems, consuming their bandwidth and CPU until one of the services is
stopped or the ports (7 for echo, 19 for chargen) are filtered.

Send Mail Attack

In this attack, hundreds of thousands of messages are sent to a mail server in a short
period of time; a normal load might only be 100 or 1000 messages per hour. Attacks
against sendmail might not make the front page, but downtime on major web sites will.

For companies whose reputation depends on the reliability and accuracy of their web-based
transactions, a DoS attack can be a major embarrassment and a serious threat to business.

Conclusion

Frequent denial-of-service attacks and a change in strategy by "black-hat hackers" are
prompting enterprises to demand technology that proactively blocks malicious traffic.

Tools and services that combat such DoS attacks have been introduced over time, normally
as upgrades of what was produced before. No solution can claim to be the ultimate defense
against DoS attacks; despite new technology arriving every day, the attacks are likely to
continue.

How to Prevent Denial of Service (DoS) Attack

The denial of service (DoS) attack is among the most commonly used malicious attacks. This
stems from how easy it is to launch and from how much damage it can do: even an unskilled
attacker can flood a site from a command prompt. The question is how you protect against
an attack that can cripple your network or website in a matter of minutes.

Types of Denial of Service (DoS) Attack

If you are going to protect against an attack, you first have to know how it works. You
must familiarize yourself with the different variations, methods and plans of attack that
hackers use. There are at least seven different classes of denial of service (DoS) attack,
described below.

Ping Flood

The most basic attack is the ping flood. It relies on the ICMP echo request, more
popularly known as ping. In legitimate situations the ping command is used by network
administrators to test connectivity between two computers. In a ping flood it is used to
send large numbers of packets to the victim's computer in an attempt to overload it.

Two ping options abused in a flood

• The -n option tells ping how many echo requests to send. The default is four.

• The -l option tells ping how many bytes of data to put in each request. On Windows the
maximum is 65,500 bytes, while the default is just 32.

This type of attack is generally useless against larger networks or websites, because only
one computer is being used to flood the victim's resources and the victim usually has more
bandwidth than the attacker. If a group of computers were used, the attack would become a
distributed denial of service attack, or DDoS.

The most common cure for the ping flood attack is simply to block the offending IP address
at your firewall or router, or to rate-limit ICMP there. A distributed denial of service
attack is a bit more complex, but we will take a look at those later on.
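
Spotting the flood from the receiving side, as an added example that is not part of the original article: a sliding-window count of ICMP echo requests and bytes per source over a constructed packet log. The one-line-per-packet format, the thresholds and the function names are this example's assumptions. The second host in the sample is the "-n 300 -l 65500" flood described above; the first is a normal four-packet ping.

```python
from collections import defaultdict, deque


def parse_line(line):
    """Constructed log format, one packet per line:
    '<epoch seconds> <src> > <dst> <proto> <type> <payload bytes>'."""
    ts, src, _, dst, proto, kind, length = line.split()
    return float(ts), src, dst, proto, kind, int(length)


def sliding_peaks(lines, window=1.0):
    """For every source, the largest number of ICMP echo requests and the
    largest number of payload bytes seen in any `window`-second span.
    Lines must be in time order."""
    recent = defaultdict(deque)      # src -> (ts, bytes) inside the window
    peaks = {}
    for line in lines:
        ts, src, _dst, proto, kind, length = parse_line(line)
        if proto != "ICMP" or kind != "echo-request":
            continue
        q = recent[src]
        q.append((ts, length))
        while ts - q[0][0] > window:
            q.popleft()
        count, nbytes = len(q), sum(b for _, b in q)
        peak_count, peak_bytes = peaks.get(src, (0, 0))
        peaks[src] = (max(peak_count, count), max(peak_bytes, nbytes))
    return peaks


def flooders(lines, window=1.0, max_requests=50, max_bytes=200_000):
    """Sources that exceed either threshold inside one window: candidates for
    the firewall block recommended above.  Both thresholds matter: a flood
    of few but huge packets (-l 65500) trips the byte limit while a flood of
    tiny packets trips the request limit."""
    return sorted(src for src, (count, nbytes) in sliding_peaks(lines, window).items()
                  if count > max_requests or nbytes > max_bytes)


def sample_log():
    """Constructed sample: 198.51.100.2 pings normally (4 x 32 bytes, one per
    second); 203.0.113.5 runs 'ping -n 300 -l 65500' at 200 packets/second."""
    lines = ["%.3f 198.51.100.2 > 192.0.2.10 ICMP echo-request 32" % (10.0 + i)
             for i in range(4)]
    lines += ["%.3f 203.0.113.5 > 192.0.2.10 ICMP echo-request 65500" % (10.0 + i * 0.005)
              for i in range(300)]
    return sorted(lines, key=lambda s: float(s.split()[0]))


if __name__ == "__main__":
    for src, (count, nbytes) in sliding_peaks(sample_log()).items():
        print(f"{src:15} peak {count:4} requests / {nbytes:9} bytes per second")
    print("block:", flooders(sample_log()))
```

Feed it the output of a packet capture converted to this format (or adapt parse_line to your firewall's log) and the result is the list of addresses to block; the window keeps a burst of a few legitimate pings from ever tripping the threshold.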

Ping of Death

The ping of death attack, or PoD, can crash a host through a flaw in its IP
implementation. The maximum size of an IP packet is 65,535 bytes. A single packet larger
than that cannot be sent, but an attacker can send a ping in fragments whose offsets and
lengths add up to more than 65,535 bytes. When the receiving computer reassembles the
fragments, the oversized packet overflows the reassembly buffer and the device crashes or
hangs.

Luckily, most devices created after 1998 are immune to this kind of attack. If you are
running a network with outdated devices this will indeed be a possible threat to your
network. In this case, upgrade your devices if possible.

Smurf / Smurfing

In a smurf attack, the attacker sends ICMP echo requests to the broadcast address of a
network with the source address forged to be the victim's IP address. Every host on that
network replies to the victim, so a single request is amplified into a massive flood of
traffic aimed at the victim's networking device.

Most firewalls protect against smurf attacks, but if you do notice one there are several
things you can do. If you have access to the router your network or website is on, tell
it not to forward packets to broadcast addresses. On a Cisco router, use the interface
configuration command: no ip directed-broadcast. (Cisco IOS 12.0 and later ship with this
as the default.)

This stops your own network from being used as an amplifier, and so prevents it from
passing the attack on to others, but it does not by itself stop the replies that other,
still-misconfigured networks send at you; for that you need your upstream provider to
filter the traffic. Blocking the spoofed requests at their origin requires anti-spoofing
(ingress) filtering on the routers closest to the attacker, such as unicast reverse-path
forwarding checks.

Fraggle

A fraggle attack is the same idea as a smurf attack, but it uses the User Datagram
Protocol (UDP) instead of ICMP: the attacker sends UDP packets with the victim's forged
source address to a network's broadcast address, on the echo port (7) or chargen port
(19), and every host running those services answers the victim. Fraggle attacks, like
smurf attacks, are becoming outdated and are commonly stopped by most firewalls or
routers.

If you think you are being plagued by a fraggle attack, block the echo port, port 7, and
the chargen port, port 19, which is the other commonly abused fraggle port; better still,
disable those services on your hosts entirely. This attack is generally less powerful
than the smurf attack, because far fewer hosts run the UDP echo and chargen services than
answer ICMP echo requests.

SYN Flood

The SYN flood attack takes advantage of the TCP three-way handshake (client SYN, server
SYN-ACK, client ACK). It operates in two ways; both start a handshake but never complete
it.

In the first method the attacker sends a synchronize request, or SYN, with a spoofed IP
address. When the server sends back its SYN-ACK (synchronize-acknowledge), it obviously
gets no response: the server never receives the client's ACK and the connection is left
half-open, holding a slot in the server's backlog.

Alternatively, the attacker sends SYNs from real addresses and simply never sends the
acknowledgement. Both methods stall the server, which sits waiting for ACKs that never
come. Thankfully, operating systems have defended against this for years, just as with
the ping of death: modern TCP stacks use SYN cookies and short retransmission timers so
that half-open connections no longer exhaust the host. A large enough flood still
consumes bandwidth, so the attack has not disappeared, but should you suspect that older
devices are the subject of this attack, upgrade them immediately.
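
What "patched" means in practice, as an added example that is not part of the original article: a stateless listener using SYN cookies. Instead of storing a half-open entry, the server encodes a time counter, the client's MSS and a keyed hash into the initial sequence number of its SYN-ACK; only an ACK that echoes a valid cookie creates connection state, so spoofed SYNs cost nothing but a hash and a reply. The cookie layout, the MSS table, the secret and the class and function names are this example's assumptions; real stacks such as Linux use the same construction with their own bit layouts.

```python
import hashlib
import hmac
import ipaddress
import struct

MSS_TABLE = (536, 1220, 1440, 1460)   # assumption: small table of common MSS values
COUNTER_PERIOD = 64                    # seconds per step of the time counter


def _mss_index(client_mss):
    """Largest table entry not exceeding the MSS the client offered."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def _hash24(secret, saddr, sport, daddr, dport, client_isn, count):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the counter."""
    data = struct.pack("!4sH4sHII",
                       ipaddress.IPv4Address(saddr).packed, sport,
                       ipaddress.IPv4Address(daddr).packed, dport,
                       client_isn, count)
    return int.from_bytes(hmac.new(secret, data, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, sport, daddr, dport, client_isn, client_mss, now):
    """ISN for the SYN-ACK: top 8 bits = time counter, low 24 bits =
    (hash + MSS index) mod 2^24, so the MSS survives only with a valid hash."""
    count = (now // COUNTER_PERIOD) & 0xFF
    low = (_hash24(secret, saddr, sport, daddr, dport, client_isn, count)
           + _mss_index(client_mss)) & 0xFFFFFF
    return (count << 24) | low


def check_cookie(secret, saddr, sport, daddr, dport, client_isn, cookie, now):
    """Return the MSS to use if the cookie is genuine and recent, else None."""
    count = cookie >> 24
    current = (now // COUNTER_PERIOD) & 0xFF
    if count not in (current, (current - 1) & 0xFF):
        return None                        # stale: issued too long ago
    diff = ((cookie & 0xFFFFFF)
            - _hash24(secret, saddr, sport, daddr, dport, client_isn, count)) & 0xFFFFFF
    if diff >= len(MSS_TABLE):
        return None                        # forged, or a cookie for another tuple
    return MSS_TABLE[diff]


class StatelessListener:
    """A listening socket that keeps no half-open table at all."""

    def __init__(self, secret, addr, port):
        self.secret, self.addr, self.port = secret, addr, port
        self.established = []              # (saddr, sport, mss) once the ACK is valid

    def on_syn(self, saddr, sport, client_isn, client_mss, now):
        """Answer the SYN with a cookie ISN.  Nothing is stored, so a flood of
        spoofed SYNs costs one hash and one SYN-ACK each and no memory."""
        return make_cookie(self.secret, saddr, sport, self.addr, self.port,
                           client_isn, client_mss, now)

    def on_ack(self, saddr, sport, client_seq, ack, now):
        """Third handshake packet: client_seq is the client's ISN + 1 and ack
        must be our cookie + 1.  Only a valid cookie creates connection state."""
        cookie = (ack - 1) & 0xFFFFFFFF
        mss = check_cookie(self.secret, saddr, sport, self.addr, self.port,
                           (client_seq - 1) & 0xFFFFFFFF, cookie, now)
        if mss is None:
            return False
        self.established.append((saddr, sport, mss))
        return True


if __name__ == "__main__":
    srv = StatelessListener(b"per-boot secret", "192.0.2.10", 80)
    for i in range(100000):                # spoofed flood: no state accumulates
        srv.on_syn("203.0.113.%d" % (i % 250 + 1), 1024 + i % 60000, i, 1460, now=5000)
    isn = srv.on_syn("198.51.100.7", 40000, 1000, 1460, now=5000)
    print("real client:", srv.on_ack("198.51.100.7", 40000, 1001, (isn + 1) & 0xFFFFFFFF, now=5010))
    print("guessed ack:", srv.on_ack("198.51.100.8", 40000, 1001, 12345, now=5010))
    print("established:", srv.established)
```

The cost of the scheme is what the cookie cannot carry: TCP options such as window scaling and SACK are lost unless the client repeats them, which is why stacks only switch to cookies once the backlog is under pressure.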

Teardrop

In the teardrop attack, packet fragments are sent with offsets that overlap one another.
When the receiving device attempts to reassemble them, a reassembly routine that does not
expect overlaps miscalculates its buffer sizes and the operating system crashes. Windows
NT, Windows 95, and Linux versions prior to 2.0.32 and 2.1.63 are vulnerable to the
teardrop attack. As stated earlier, upgrading your network hardware and software is the
best way to stay secure from these types of attacks.
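
A reassembler that refuses the malformed fragment sequences discussed in the IP fragmentation section earlier on this page, in the ping of death section, and in the teardrop section above, as an added example that is not from the original article: an oversized total (beyond 65,535 bytes), an overlapping offset, and a first fragment too small to hold a transport header (the tiny-fragment evasion). Offsets are taken in bytes rather than IP's 8-byte units, and the class and error names are this example's own.

```python
MAX_DATAGRAM = 65535     # largest IP total length; anything beyond is a ping of death
MIN_FIRST_FRAGMENT = 8   # a first fragment must carry at least a UDP/ICMP header


class FragmentError(ValueError):
    """Raised for a fragment that no well-behaved sender would produce."""


class Reassembler:
    """Reassembles one datagram per key (src, dst, protocol, identification).

    Every check runs before a fragment is stored, so a hostile sequence costs
    memory only until its first bad fragment arrives, and nothing reaches the
    protocol above unless the fragments tile [0, total) exactly."""

    def __init__(self):
        self.pending = {}    # key -> {"parts": [(offset, data)], "total": int | None}

    def add(self, key, offset, more_fragments, data):
        """Feed one fragment.  Returns the complete payload once the last piece
        is in, None while pieces are still missing, and raises FragmentError
        (discarding the whole datagram) on malformed input."""
        entry = self.pending.setdefault(key, {"parts": [], "total": None})
        end = offset + len(data)
        if end > MAX_DATAGRAM:
            self._reject(key, "oversize datagram (ping of death)")
        if offset == 0 and more_fragments and len(data) < MIN_FIRST_FRAGMENT:
            self._reject(key, "tiny first fragment hides the transport header")
        for o, d in entry["parts"]:
            if offset < o + len(d) and o < end:
                self._reject(key, "overlapping fragment (teardrop)")
        if entry["total"] is not None and end > entry["total"]:
            self._reject(key, "fragment beyond the announced end")
        if not more_fragments:
            if entry["total"] is not None:
                self._reject(key, "second final fragment")
            entry["total"] = end
        entry["parts"].append((offset, data))
        return self._try_complete(key, entry)

    def _try_complete(self, key, entry):
        if entry["total"] is None:
            return None                  # final fragment not seen yet
        parts = sorted(entry["parts"])
        pos = 0
        for o, d in parts:
            if o != pos:
                return None              # gap: still waiting for a piece
            pos += len(d)
        if pos != entry["total"]:
            return None
        del self.pending[key]
        return b"".join(d for _, d in parts)

    def _reject(self, key, reason):
        self.pending.pop(key, None)
        raise FragmentError(reason)


if __name__ == "__main__":
    key = ("192.0.2.1", "192.0.2.2", 1, 0x1234)
    r = Reassembler()
    print("normal:", r.add(key, 0, True, b"A" * 16), r.add(key, 16, False, b"B" * 8))
    r.add(key, 0, True, b"A" * 16)
    try:
        r.add(key, 8, False, b"B" * 16)          # teardrop: starts inside the first
    except FragmentError as e:
        print("rejected:", e)
```

In a real stack the per-key entry also carries a timer, so that a flood of first-fragments-only (the memory exhaustion variant) is bounded by time as well as by these checks.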

Distributed Denial of Service (DDoS)

This is by far the most damaging of all denial of service (DoS) attacks, since an easy fix
is hard to come by. Instead of just installing the latest hardware and software, network
administrators will usually need extra help with these types of attacks.

A distributed denial of service attack, or DDoS, is much like the ping flood method, only
many computers are used at once. The owners of the computers involved may or may not be
aware that their machines are attacking a website or network: trojans and viruses
commonly give the attacker control of a computer, and thus the ability to use it for
attack. Such victim computers are called zombies.

A DDoS attack is very tough to overcome. The first thing to do is to contact your hosting
provider or internet service provider, depending on what is under attack. They will
usually be able to filter out the bulk of the traffic based on where it is coming from,
and they have the bandwidth to absorb it that you do not. For larger attacks you will
have to become more creative.

If you have access to your router and it is a Cisco, enable unicast reverse-path
forwarding (uRPF) on the interface facing the attack with the interface configuration
command: ip verify unicast reverse-path. (Prefixing the command with "no" disables the
check, so take care not to type it that way.)

This drops packets whose source address could not have arrived on that interface
according to the routing table, which defeats spoofing of your own address ranges from
outside. It does not help against zombie computers, whose IP addresses are not spoofed at
all, nor against spoofed packets whose forged sources are legitimately routed through that
interface. In those cases you can do one of several things.
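
The two router-side defenses this page recommends, ip verify unicast reverse-path here and no ip directed-broadcast in the smurf sections above, as an added example that is not part of the original article: a minimal routing model that applies both checks to constructed packets and shows what each one does and does not catch. The interface names, prefixes and the Router class are this example's assumptions, not Cisco configuration.

```python
import ipaddress


class Router:
    """Just enough of a router to show strict uRPF and directed-broadcast
    filtering.  Connected interfaces default to the hardened settings:
    uRPF on, directed broadcasts off (the Cisco IOS 12.0+ default)."""

    def __init__(self):
        self.routes = []                  # (network, out_iface); longest prefix wins
        self.connected = {}               # iface -> directly attached network
        self.urpf = set()                 # interfaces with 'ip verify unicast reverse-path'
        self.directed_broadcast = set()   # interfaces with 'ip directed-broadcast'

    def connect(self, iface, cidr):
        net = ipaddress.ip_network(cidr)
        self.connected[iface] = net
        self.routes.append((net, iface))
        self.urpf.add(iface)

    def add_route(self, cidr, iface):
        self.routes.append((ipaddress.ip_network(cidr), iface))

    def lookup(self, addr):
        """Outgoing interface for an address, or None when there is no route."""
        addr = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def forward(self, in_iface, src, dst):
        """Fate of a packet: ('forward', out_iface) or ('drop', reason)."""
        # strict uRPF: the source must be reachable back through the interface
        # the packet arrived on; otherwise its source address is forged
        if in_iface in self.urpf and self.lookup(src) != in_iface:
            return ("drop", "uRPF: %s is not reachable via %s" % (src, in_iface))
        out = self.lookup(dst)
        if out is None:
            return ("drop", "no route to %s" % dst)
        net = self.connected.get(out)
        if (net and ipaddress.ip_address(dst) == net.broadcast_address
                and out not in self.directed_broadcast):
            return ("drop", "directed broadcast to %s blocked on %s" % (net, out))
        return ("forward", out)


def edge_router():
    """Constructed topology: eth0 faces the LAN 10.0.0.0/24, eth1 is the
    upstream link with a default route pointing out of it."""
    r = Router()
    r.connect("eth0", "10.0.0.0/24")
    r.connect("eth1", "203.0.113.0/30")
    r.add_route("0.0.0.0/0", "eth1")
    return r


if __name__ == "__main__":
    r = edge_router()
    cases = [
        ("eth1", "198.51.100.9", "10.0.0.255"),  # smurf trigger aimed at our broadcast
        ("eth1", "10.0.0.5", "10.0.0.10"),       # outsider forging one of our addresses
        ("eth0", "198.51.100.9", "192.0.2.1"),   # inside host forging an outside source
        ("eth0", "10.0.0.5", "192.0.2.1"),       # ordinary outbound traffic
        ("eth1", "198.51.100.9", "10.0.0.10"),   # ordinary inbound traffic
    ]
    for in_iface, src, dst in cases:
        print(in_iface, src, "->", dst, r.forward(in_iface, src, dst))
```

The model also makes the limitation in the paragraph above concrete: a packet from the Internet with a forged source that the default route covers passes uRPF on eth1, so your own router can only stop forgeries of your own prefixes; the filtering that stops the rest has to happen at the attacker's ISP, which is why the article's first advice is to call your provider.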
Options in DDoS Prevention

• 1. Hire a security company to assess and repair the damage

• 2. Buy an intrusion detection system (IDS), for example Ax3soft Sax2

As a last resort, traffic to the attacked address can be routed to a sinkhole (blackhole
routing), which discards everything destined for that address until a solution can be
found. This drops good traffic along with bad, so it is usually not a good choice except
to protect the rest of your network while the target is out of service anyway.

Closing Comments

As you can tell, the majority of denial of service (DoS) attacks can be prevented simply
by upgrading to the latest hardware and software. In the case of distributed denial of
service attacks, we have less simple options to work with.

Even giants such as Microsoft have fallen victim to DoS attacks. Generally, it is a good
idea not to make many enemies, and to keep a sharp watch on your network at all times.
And in the event that you do track an attacker down, keep two things in mind. First, it
may be a spoofed IP address, and thus a false lead. Second, never attack back. Contact
the authorities and let the justice system do its work.