Friday, 23 September 2005
Flooding with SYN packets is the best-known way of "jamming" a communication channel. Let us recall how TCP/IP handles incoming connections. The system answers an arriving SYN packet with a SYN/ACK packet, moves the session into the SYN_RECEIVED state and places it in the queue. If the ACK from the client does not arrive within the preset time, the connection is removed from the queue; otherwise it is transferred to the ESTABLISHED state. When the queue of incoming connections is already full (as the RFC prescribes) and the system receives a SYN packet asking to establish a connection, that packet is silently ignored.
SYN flood relies on overfilling the server's queue, after which the server stops answering users' requests. Different systems handle the queue in different ways. After a certain time (it depends on the implementation) the system removes requests from the queue. Nothing, however, prevents the hacker from sending a fresh batch of requests. Thus, even on a 2400 bps connection, the hacker can send the server 20-30 packets every minute and a half, keeping it in a non-working state. The attack is usually aimed at a specific service, for example telnet or ftp: it consists in sending connection-establishment packets to the port that corresponds to the attacked service. On receiving the request, the system allocates resources for the new connection and then tries to answer the request (to send a SYN-ACK) to an unreachable address. Getting no reply, NT versions 3.5-4.0 will try to repeat the confirmation 5 times, after 3, 6, 12, 24 and 48 seconds. After that, the system may wait for an answer for a further 96 seconds, and only then does it free the resources reserved for the future connection. Total time the resources stay tied up: 189 seconds.
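To make the timings concrete, here is an added example (not code from the original post) that models the SYN_RECEIVED queue described above with the 189-second hold time; the backlog size, addresses and event trace are constructed, and the model reports how many SYNs a full queue silently ignores and when expired entries make room again.

```python
from collections import OrderedDict

# NT 3.5-4.0 figures from the text: SYN/ACK repeated at 3, 6, 12, 24, 48 s,
# then a final 96 s wait before the entry is freed: 3+6+12+24+48+96 = 189 s.
HOLD_TIME = sum((3, 6, 12, 24, 48)) + 96

class SynBacklog:
    """Fixed-capacity queue of half-open (SYN_RECEIVED) connections on one port."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.pending = OrderedDict()  # (src, sport) -> arrival time of the SYN
        self.established = self.ignored = self.expired = self.peak = 0

    def _expire(self, now):
        # Entries that waited HOLD_TIME without the client's ACK leave the queue.
        for key in [k for k, t0 in self.pending.items() if now - t0 >= HOLD_TIME]:
            del self.pending[key]
            self.expired += 1

    def syn(self, now, src, sport):
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.ignored += 1  # queue full: the SYN is silently ignored
            return False
        self.pending[(src, sport)] = now  # slot reserved, state SYN_RECEIVED
        self.peak = max(self.peak, len(self.pending))
        return True

    def ack(self, now, src, sport):
        self._expire(now)
        if self.pending.pop((src, sport), None) is None:
            return False  # no matching half-open entry (e.g. the SYN was dropped)
        self.established += 1  # handshake completed -> ESTABLISHED
        return True

def replay(events, capacity):
    """Replay time-sorted (time, 'SYN'|'ACK', src, sport) events; return counters."""
    q = SynBacklog(capacity)
    for now, kind, src, sport in events:
        (q.syn if kind == "SYN" else q.ack)(now, src, sport)
    return {"established": q.established, "ignored": q.ignored,
            "expired": q.expired, "peak_half_open": q.peak}

# Constructed sample (addresses and backlog of 8 are made up): 20 SYNs from one
# source over 90 s, never ACKed; a legitimate client tries at t=100 s and t=200 s.
SAMPLE_EVENTS = sorted(
    [(i * 4.5, "SYN", "10.0.0.99", 40000 + i) for i in range(20)]
    + [(100.0, "SYN", "192.0.2.10", 51000), (100.1, "ACK", "192.0.2.10", 51000),
       (200.0, "SYN", "192.0.2.10", 51001), (200.1, "ACK", "192.0.2.10", 51001)]
)
```

With a backlog of 8, the legitimate attempt at 100 s is ignored because all slots are still held, while the attempt at 200 s succeeds only because the three oldest entries have passed the 189-second hold.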