THE NT 'SYN' FLOOD ATTACK

DOCUMENT:Q142641 07-OCT-1996 [winnt]
TITLE :Internet Server Unavailable Because of Malicious SYN Attacks
PRODUCT :Microsoft Windows NT
PROD/VER:3.51 4.00
OPER/SYS:WINDOWS
KEYWORDS:kbnetwork
 
--------------------------------------------------------------------------
The information in this article applies to:
Windows NT Server versions 3.51 and 4.0
--------------------------------------------------------------------------

SYMPTOMS
========
 
On your computer running the TCP/IP protocol and connected to the Internet,
some or all network services are rendered unavailable and error messages
such as the following appear on the network client screen:
 
The connection has been reset by the remote host.
 
The same symptom, some or all network services becoming unavailable, can
also occur on computers running an operating system other than Windows NT,
for example Unix.
 
CAUSE
=====
 
Your computer has become the target of a malicious attack known as TCP/IP
"SYN Flooding" or "SYN Attacks."
 
"Computer hackers" can target an entire machine, or a specific TCP service
such as web services. The attack is focused on the TCP protocol used by all
computers on the Internet, and is not specific to the Windows NT operating
system.
 
How SYN Flooding Works
----------------------
 
SYN Flooding works as follows: (see also CERT(sm) Advisory CA-96.21 at
ftp://info.cert.org/pub/cert_advisories)
 
- A TCP connection request (SYN) is sent to the target computer. The
source IP address in the packet is "spoofed," or replaced with an
address that is not in use on the Internet, or that belongs to another
computer. An attacker will send many of these TCP SYNs to tie up as many
resources as possible on the target computer.
 
- Upon receiving the connection request, the target computer allocates
resources to handle and track the new connection, then responds with a
"SYN-ACK". In this case, the response is sent to the "spoofed" non-
existent IP address.
 
- No response is received to the SYN-ACK. A default-configured Windows NT
3.5x or 4.0 computer will retransmit the SYN-ACK 5 times, doubling the
time-out value after each retransmission. The initial time-out value is
three seconds, so retries are attempted at 3, 6, 12, 24, and 48 seconds.
After the last retransmission, 96 seconds are allowed to pass before the
computer gives up on receiving a response, and deallocates the resources
that were set aside earlier for the connection. The total elapsed time
that resources are in use is 189 seconds.
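A model of the SYN-ACK retransmission schedule and the half-open connection queue described above, as an added example that is not part of the Microsoft article. The 3-second initial timeout, five doublings and final 96-second wait are the article's figures; the 20-entry backlog, the 2 SYN/s attack rate and the client labels are constructed for illustration (the article does not state Windows NT's actual per-port limit).

```python
"""Model the half-open (SYN_RECEIVED) state described in the article.

Added example, not code from the Microsoft KB article. The retransmission
figures (3 s initial timeout, doubled after each of 5 retransmissions, then
a 96 s final wait) come from the article; the backlog size, attack rate and
client labels below are constructed for illustration.
"""
import heapq


def synack_schedule(initial_timeout=3, retransmissions=5):
    """Return (intervals, absolute_times, total_hold_seconds).

    intervals:      seconds between successive SYN-ACK transmissions
    absolute_times: seconds after the SYN at which each retransmission is sent
    total_hold:     seconds the half-open entry ties up resources before the
                    stack gives up (sum of the intervals plus the final wait,
                    which is the last doubled timeout)
    """
    intervals, absolute = [], []
    timeout, elapsed = initial_timeout, 0
    for _ in range(retransmissions):
        intervals.append(timeout)
        elapsed += timeout
        absolute.append(elapsed)
        timeout *= 2
    final_wait = timeout          # 96 s with the article's defaults
    return intervals, absolute, elapsed + final_wait


def simulate_half_open(syns, backlog, hold):
    """Replay SYN arrivals against one listening port's half-open queue.

    syns:    iterable of (time_seconds, source_label), replayed in time order
    backlog: maximum number of entries allowed in SYN_RECEIVED at once
    hold:    seconds an entry stays queued when no ACK ever arrives, which is
             the case for a spoofed source that never saw the SYN-ACK
    Returns {source_label: [(time, "SYN_RECEIVED" or "RESET"), ...]}. A SYN
    arriving while the queue is full is answered with a reset, which the
    client reports as "connection reset by the remote host".
    """
    expiry = []                 # min-heap of times at which a slot frees
    outcome = {}
    for t, src in sorted(syns):
        while expiry and expiry[0] <= t:
            heapq.heappop(expiry)      # retries exhausted, slot released
        if len(expiry) < backlog:
            heapq.heappush(expiry, t + hold)
            state = "SYN_RECEIVED"
        else:
            state = "RESET"
        outcome.setdefault(src, []).append((t, state))
    return outcome


def attack_traffic(rate_per_second, duration, prefix="198.51.100."):
    """Constructed attacker SYNs at a steady rate from rotating spoofed sources."""
    step = 1.0 / rate_per_second
    return [(i * step, f"{prefix}{i % 250 + 1}")
            for i in range(int(rate_per_second * duration))]


def demo(backlog=20, rate_per_second=2, duration=60):
    """Show how a modest SYN rate keeps a small half-open queue saturated.

    Returns (syns_per_second_needed, early_client_result, later_client_result).
    """
    _, _, hold = synack_schedule()
    # Little's law: steady-state occupancy = arrival rate * hold time, so the
    # attacker needs only backlog / hold SYNs per second to keep the queue full.
    needed = backlog / hold
    syns = attack_traffic(rate_per_second, duration)
    syns.append((0.5, "early-client"))   # real client before the queue fills
    syns.append((30.0, "legit-client"))  # real client once it is saturated
    result = simulate_half_open(syns, backlog=backlog, hold=hold)
    return needed, result["early-client"], result["legit-client"]


if __name__ == "__main__":
    intervals, absolute, hold = synack_schedule()
    print("SYN-ACK retransmit intervals:", intervals, "total hold:", hold, "s")
    needed, early, legit = demo()
    print(f"SYN/s needed to saturate a 20-entry queue: {needed:.3f}")
    print("early client:", early, "later client:", legit)
```

The point the model makes concrete is the 189-second hold: because each spoofed SYN pins a queue slot for that long, an attacker needs only about one packet every nine seconds per twenty slots to keep a port permanently full, which is why a flood from a single dial-up link was enough to take down a server of the period.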
 
How to Verify Your Computer is Under a SYN Attack
-------------------------------------------------
 
If you suspect that your computer is the target of a SYN attack, you can
type the following command at a command prompt to view connections in the
"SYN_RECEIVED" state:
 
netstat -n -p tcp
 
This command may cause the following text to appear on your screen:
 
Active Connections
 
Proto  Local Address          Foreign Address        State
TCP    127.0.0.1:1030         127.0.0.1:1032         ESTABLISHED
TCP    127.0.0.1:1032         127.0.0.1:1030         ESTABLISHED
TCP    10.57.8.190:21         10.57.14.154:1256      SYN_RECEIVED
TCP    10.57.8.190:21         10.57.14.154:1257      SYN_RECEIVED
TCP    10.57.8.190:21         10.57.14.154:1258      SYN_RECEIVED
TCP    10.57.8.190:21         10.57.14.154:1259      SYN_RECEIVED
TCP    10.57.8.190:21         10.57.14.154:1260      SYN_RECEIVED
TCP    10.57.8.190:21         10.57.14.154:1261      SYN_RECEIVED
TCP    10.57.8.190:21         10.57.14.154:1262      SYN_RECEIVED
TCP    10.57.8.190:21         10.57.14.154:1263      SYN_RECEIVED
TCP    10.57.8.190:21         10.57.14.154:1264      SYN_RECEIVED
TCP    10.57.8.190:21         10.57.14.154:1265      SYN_RECEIVED
TCP    10.57.8.190:21         10.57.14.154:1266      SYN_RECEIVED
TCP    10.57.8.190:4801       10.57.14.221:139       TIME_WAIT
 
If a large number of connections are in the SYN_RECEIVED state, it is
possible that the system is under attack. A network analyzer can be used to
track the problem down further, and it may be necessary to contact your
Internet Service Provider for assistance in attempting to trace the source.
 
The effect of tying up connection resources varies, depending upon the
TCP/IP stack and applications listening on the TCP port. For most stacks,
there is a limit on the number of connections that can be in the half-open
(SYN_RECEIVED) state. Once the limit is reached for a given TCP port, the
target computer responds with a reset to all further connection requests
until resources are freed.
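Detection logic for the check described above, as an added example that is not part of the Microsoft article: it parses a saved `netstat -n -p tcp` listing and reports each local port whose count of SYN_RECEIVED entries is at or above a threshold. The sample listing is the one printed in the article, reproduced here as constructed input; the threshold of 10 half-open entries per port is an assumed value.

```python
"""Find listening ports with an abnormal number of half-open connections in
`netstat -n -p tcp` output.

Added example, not code from the Microsoft KB article. SAMPLE_NETSTAT is the
listing shown in the article, reproduced here as constructed input; the
threshold of 10 half-open entries per port is an assumed value.
"""
import re
from collections import Counter, defaultdict

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1030         127.0.0.1:1032         ESTABLISHED
  TCP    127.0.0.1:1032         127.0.0.1:1030         ESTABLISHED
  TCP    10.57.8.190:21         10.57.14.154:1256      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1257      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1258      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1259      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1260      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1261      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1262      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1263      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1264      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1265      SYN_RECEIVED
  TCP    10.57.8.190:21         10.57.14.154:1266      SYN_RECEIVED
  TCP    10.57.8.190:4801       10.57.14.221:139       TIME_WAIT
"""

# One netstat row: proto, local ip:port, foreign ip:port, state.
ROW_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Yield (local_ip, local_port, foreign_ip, foreign_port, state) per row."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            lip, lport, fip, fport, state = m.groups()
            yield lip, int(lport), fip, int(fport), state


def half_open_report(text, threshold=10):
    """Return {"local_ip:port": summary} for ports at or above the threshold.

    summary holds the SYN_RECEIVED count, how many distinct foreign addresses
    contributed, and the three most frequent ones. Many entries from one
    address with sequential source ports (as in the article's listing) and
    many entries from random addresses (a spoofed flood) both appear here;
    the distinct_sources figure tells the two patterns apart.
    """
    per_port = Counter()
    sources = defaultdict(Counter)
    for lip, lport, fip, _fport, state in parse_netstat(text):
        if state == "SYN_RECEIVED":
            per_port[(lip, lport)] += 1
            sources[(lip, lport)][fip] += 1
    return {
        f"{lip}:{lport}": {
            "half_open": n,
            "distinct_sources": len(sources[(lip, lport)]),
            "top_sources": sources[(lip, lport)].most_common(3),
        }
        for (lip, lport), n in per_port.items()
        if n >= threshold
    }


if __name__ == "__main__":
    for port, info in half_open_report(SAMPLE_NETSTAT).items():
        print(port, info)
```

On the affected server, redirect the listing to a file (`netstat -n -p tcp > netstat.txt`) and feed that file to `half_open_report`. A single snapshot is only a count, not a rate, so take several a minute apart: a healthy FTP or web server clears SYN_RECEIVED entries within a round trip, whereas entries that persist across snapshots are the 189-second holds described above. Keep in mind that when the source addresses are spoofed, the foreign addresses in the listing are not the attacker, which is why the article directs you to a network analyzer and your ISP to trace the real origin.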
 
STATUS
======
 
Microsoft has confirmed that the TCP/IP protocol stack in Windows NT
versions 3.51 and 4.0 is vulnerable to these attacks.
A supported update for Windows NT versions 3.51 and 4.0 is now available,
but has not been fully regression-tested and should be applied only to
systems experiencing this specific problem. Unless you are severely
impacted by this specific problem, Microsoft recommends that you wait for
the next Service Pack that contains this update. Contact Microsoft Product
Support Services for more information.
 
KBCategory: kbnetwork kbbug3.51 kbbug4.00
KBSubcategory: nttcp ntsrv
Additional reference words: prodnt 3.51 4.00 CERT hack attack flood
 

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
 
Copyright Microsoft Corporation 1996.