A SYN flood succeeds when the number of simultaneous SYNs exceeds the capacity of the victim's TCP listen queue and the rate of SYNs exceeds the victim's ability to clear SYN_RCVD entries within an interval shorter than the SYN+ACK RTT. The objective of the attack is to crowd out valid SYN_RCVD entries before the client's ACK has a chance to reach the server. If an ACK is received and no matching SYN_RCVD entry is waiting, the connection fails and the DoS is successful, as depicted in Figure 7-3.
Figure 7-3. SYN Flooding
In summary, to SYN-flood successfully, the attacker must achieve both of the following:
- Fill and overflow the TCP server's listen queue so that the oldest SYN_RCVD entries are flushed.
- Fill the TCP queue faster than the typical SYN+ACK RTT so that valid customer SYN_RCVD entries are crowded out.
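The two conditions above can be checked against a small model of the listen queue. The following is an added example, not code from the book: it simulates a fixed-size SYN_RCVD queue in which the oldest entry is flushed when a new SYN arrives at a full queue, legitimate ACKs arrive one RTT after their SYN, and spoofed SYNs never complete. All parameter values (queue size, RTT, rates, timing) are constructed for illustration; the `flood_succeeds` rule is the analytic form of the text's condition (SYNs per RTT exceed the queue capacity) and is assumed, not taken from the page.

```python
from collections import deque


def flood_succeeds(queue_size, rtt_ms, attack_syns_per_ms):
    """Analytic form of the text's condition: the flood crowds out legitimate
    SYN_RCVD entries when more SYNs arrive per RTT than the queue can hold.
    (Assumed simplification: no timeout shorter than the RTT.)"""
    return attack_syns_per_ms * rtt_ms >= queue_size


def simulate_syn_queue(queue_size, rtt_ms, attack_syns_per_ms, duration_ms,
                       legit_syn_times, half_open_timeout_ms=3000):
    """Tick-by-tick (1 ms) simulation of one victim listen queue.

    Returns (completed, failed): legitimate handshakes whose ACK found its
    SYN_RCVD entry still queued, and those whose entry had been flushed."""
    queue = deque()          # (syn_time, legit_id or None), oldest on the left
    legit_in_queue = set()   # legitimate entries currently half-open
    legit_entry = {}         # legit_id -> the tuple stored in the queue
    syns_at, acks_at = {}, {}
    for lid, t in enumerate(sorted(legit_syn_times)):
        syns_at.setdefault(t, []).append(lid)
        acks_at.setdefault(t + rtt_ms, []).append(lid)  # client ACK arrives one RTT later
    completed = failed = 0
    carry = 0.0              # fractional attack SYNs carried between ticks

    def drop_oldest():
        _, old = queue.popleft()
        if old is not None:
            legit_in_queue.discard(old)

    def add_entry(t, lid):
        if len(queue) >= queue_size:
            drop_oldest()    # queue overflow flushes the oldest SYN_RCVD
        entry = (t, lid)
        queue.append(entry)
        if lid is not None:
            legit_in_queue.add(lid)
            legit_entry[lid] = entry

    for t in range(duration_ms):
        # server clears half-open entries that exceeded its SYN_RCVD timeout
        while queue and t - queue[0][0] > half_open_timeout_ms:
            drop_oldest()
        # ACKs arriving now complete only if their SYN_RCVD entry survived
        for lid in acks_at.get(t, []):
            if lid in legit_in_queue:
                completed += 1
                legit_in_queue.discard(lid)
                queue.remove(legit_entry[lid])
            else:
                failed += 1
        for lid in syns_at.get(t, []):
            add_entry(t, lid)
        carry += attack_syns_per_ms
        n, carry = int(carry), carry - int(carry)
        for _ in range(n):
            add_entry(t, None)   # spoofed SYN: never acknowledged
    return completed, failed


if __name__ == "__main__":
    legit = [500, 1000, 1500]
    for rate in (0.5, 2.0):
        print(rate, flood_succeeds(128, 100, rate),
              simulate_syn_queue(128, 100, rate, 2000, legit))
```

With a 128-entry queue and a 100 ms RTT, 0.5 SYNs/ms (50 per RTT) leaves every legitimate entry in place until its ACK arrives, while 2 SYNs/ms (200 per RTT) flushes each one before the ACK can complete the handshake, which is exactly the crowding-out the text describes.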
Example 7-4 shows an extended access list whose permit statements identify a TCP SYN attack by counting SYN packets separately from all other traffic. The TCP permit statement has several other options, such as matching the FIN, URG, or RST flags, matching established connections, or matching fragments.
Example 7-4. Characterizing a TCP SYN Attack
access-list 101 permit tcp any any syn
access-list 101 permit ip any any
!
interface
ip access-group 101 in
Use the show ip access-list command to display the per-statement packet match counters; a rapidly growing count on the syn statement relative to the ip any any statement identifies the SYN attack.
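The match counters are cumulative, so the useful signal is their change over an interval. The following is an added example, not from the book or from Cisco: it parses two snapshots of show ip access-list output for access list 101, computes the SYN rate and the SYN share of permitted packets between them, and flags the result against a site baseline. The snapshots are constructed in the shape IOS prints (sequence number, ACE, match count) and the threshold values are assumptions.

```python
import re

# Constructed snapshots in the style of `show ip access-list` output for the
# access list in Example 7-4; not captured from a real device.
SNAPSHOT_T0 = """\
Extended IP access list 101
    10 permit tcp any any syn (48213 matches)
    20 permit ip any any (51009 matches)
"""
SNAPSHOT_T1 = """\
Extended IP access list 101
    10 permit tcp any any syn (78213 matches)
    20 permit ip any any (52009 matches)
"""

# optional sequence number, action, ACE text, optional "(N matches)" suffix
ACE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?:permit|deny)\s+(?P<ace>.+?)(?:\s+\((?P<matches>\d+) matches\))?\s*$"
)


def parse_counters(text):
    """Map each ACE (e.g. 'tcp any any syn') to its match counter (0 if none printed)."""
    counters = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            counters[m.group("ace")] = int(m.group("matches") or 0)
    return counters


def syn_stats(snapshot_before, snapshot_after, interval_s):
    """SYN packets per second and SYN share of all counted packets between two
    snapshots taken interval_s seconds apart. The ACL's second line only sees
    packets the syn line did not match, so the two deltas sum to all traffic."""
    before, after = parse_counters(snapshot_before), parse_counters(snapshot_after)
    deltas = {ace: after[ace] - before.get(ace, 0) for ace in after}
    syn = sum(v for ace, v in deltas.items() if ace.endswith(" syn"))
    total = sum(deltas.values())
    return {
        "syn_per_second": syn / interval_s,
        "syn_share": syn / total if total else 0.0,
    }


def looks_like_syn_flood(stats, max_syn_per_second, max_syn_share=0.5):
    """Flag when the SYN rate or the SYN share exceeds the site's baseline.
    Both thresholds are assumed values to be tuned per site."""
    return (stats["syn_per_second"] > max_syn_per_second
            or stats["syn_share"] > max_syn_share)


if __name__ == "__main__":
    s = syn_stats(SNAPSHOT_T0, SNAPSHOT_T1, interval_s=60)
    print(s, looks_like_syn_flood(s, max_syn_per_second=100))
```

Because the syn statement precedes the ip any any statement, a normal interval shows SYNs as a small fraction of the total; a flood shows both a high SYN rate and a SYN share close to 1, as in the constructed second snapshot.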