  1. Senior Member RS_MCP's Avatar
    Join Date
    Mar 2008
    Location
    London, UK
    Posts
    354

    Certifications
    CCNA, CCNA Security, CCSP, CCIE Security Written.
    #1

    SYN Attack - Cisco ASA 5510

    Hi All,

    Can someone explain to me what a SYN attack is?

    On my firewall in ASDM, it is showing me "Top 10 protected servers under SYN attack". What exactly does this mean?

    Thanks.

  3. Senior Member chrisone's Avatar
    Join Date
    Nov 2009
    Location
    Los Angeles
    Posts
    1,582

    Certifications
    SpecterOps: Powershell Adversary Tactics, SilentBreakSecurity - DarkSideOps, CISSP, CCDP, CCNP R/S, CCNP Security (Secure, FW) , C|EH , PA ACE
    #2
    2017 Goals: Dark Side OPS: Custom Pentesting (complete), SpecterOps: PowerShell Adversary Tactics (completed), eCPPT (2nd attempt), LFCS (4th attempt ), OSCP (Ah next year...)

  4. Senior Member
    Join Date
    Apr 2011
    Location
    San Antonio, TX
    Posts
    1,727

    Certifications
    [Reserved]
    #3
    Quote Originally Posted by RS_MCP View Post
    Hi All,

    Can someone explain to me what a SYN attack is?

    On my firewall in ASDM, it is showing me "Top 10 protected servers under SYN attack". What exactly does this mean?

    Thanks.

    A SYN attack takes advantage of the TCP handshake.

    When a system runs TCP, it interprets the receipt of a SYN as the beginning of a communication, so it will then respond with a SYN/ACK, and thus form a half-open TCP connection. It is, of course, expecting the other station to respond with an ACK, and thus complete the handshake, and then begin passing data.

    The half-open session will time out eventually, but until that occurs, one of the available TCP sessions on the system will be occupied.

    The key problem is that the SYN attack isn't designed to form actual TCP connections, but just to make a bunch of half-open connections (thousands of them), which can basically cause a denial-of-service type condition, and can really wreck up some equipment that can't handle it.

    It's a protocol exploit, basically.

    As the prior poster said, you would be well served to research up a bit on this one, as an insecure network won't do you much good.

    EDIT: Consider the Security+. You might laugh at its being entry-level, but I do recall that it covered common network attacks.

    Hope this helps.
    Last edited by instant000; 05-20-2011 at 05:21 PM.

  5. Senior Member
    Join Date
    Feb 2010
    Location
    UK
    Posts
    117

    Certifications
    BSc Software Engineering, Network+, CCENT, CCNA, CCNP (1/3)
    #4
    Quote Originally Posted by instant000 View Post
    A SYN attack takes advantage of the TCP handshake.

    When a system runs TCP, it interprets the receipt of a SYN as the beginning of a communication, so it will then respond with a SYN/ACK, and thus form a half-open TCP connection. It is, of course, expecting the other station to respond with an ACK, and thus complete the handshake, and then begin passing data.

    The half-open session will time out eventually, but until that occurs, one of the available TCP sessions on the system will be occupied.

    The key problem is that the SYN attack isn't designed to form actual TCP connections, but just to make a bunch of half-open connections (thousands of them), which can basically cause a denial-of-service type condition, and can really wreck up some equipment that can't handle it.

    It's a protocol exploit, basically.

    As the prior poster said, you would be well served to research up a bit on this one, as an insecure network won't do you much good.

    EDIT: Consider the Security+. You might laugh at its being entry-level, but I do recall that it covered common network attacks.

    Hope this helps.

    This is pretty much spot on. It's simply a means to leave the destination hanging on for thousands of fake connection attempts that never get created. Once the destination host has exceeded its maximum TCP sessions/memory, the rest of the sessions get denied; this includes authentic hosts.

    SYN floods ain't as common as they used to be, probably due to hardware/bandwidth increases and security improvements (firewalls and IDS).

  6. Senior Member
    Join Date
    Jun 2009
    Location
    Canada
    Posts
    702

    Certifications
    Most Recent: CISSP & CCDA
    #5

  7. SupremeNetworkOverlord Moderator Ahriakin's Avatar
    Join Date
    Oct 2005
    Location
    ::1/128
    Posts
    1,798

    Certifications
    CCIE #23276-Sec, JNCIE-Sec #105, TCSE #2343,MCSE 2003-Sec,LPIC-1
    #6
    Don't forget the ASA uses SYN cookies. While this attack can affect resources (it still has to decode the SYN and issue the SYN/ACK cookie), it won't tie up the connection table itself.
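Added example, not part of the original thread and not the ASA's implementation: a simplified in-memory model of the two behaviours described in posts #3 and #6, a listener whose half-open table fills up versus one that uses SYN cookies and stores nothing until a valid ACK returns. The cookie layout (8-bit counter plus 24-bit HMAC), `SECRET`, `BACKLOG` and all addresses are constructed assumptions; no packets are sent.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # assumption: known only to the server
BACKLOG = 4                           # deliberately tiny half-open table

def make_cookie(tup, client_isn, counter):
    """Server ISN: 8-bit coarse time counter, then a 24-bit keyed MAC."""
    msg = repr((tup, client_isn, counter & 0xFF)).encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return ((counter & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

class StatefulListener:
    """Every SYN holds a half-open slot until the ACK arrives or it times out."""
    def __init__(self):
        self.half_open = {}
    def on_syn(self, tup, client_isn):
        if len(self.half_open) >= BACKLOG:
            return False                  # table full: this SYN is dropped
        self.half_open[tup] = client_isn
        return True

class CookieListener:
    """Keeps nothing per SYN; the state comes back inside the client's ACK."""
    def __init__(self):
        self.established = set()
    def on_syn(self, tup, client_isn, counter):
        return make_cookie(tup, client_isn, counter)
    def on_ack(self, tup, seq, ack, counter):
        client_isn, server_isn = (seq - 1) % 2**32, (ack - 1) % 2**32
        sent = server_isn >> 24
        if (counter - sent) & 0xFF > 1:
            return False                  # cookie older than one tick
        expected = make_cookie(tup, client_isn, sent)
        if not hmac.compare_digest(expected.to_bytes(4, "big"), server_isn.to_bytes(4, "big")):
            return False                  # MAC mismatch: guessed or altered ACK
        self.established.add(tup)
        return True

def demo():
    """50 constructed SYNs that are never ACKed, then one genuine client."""
    flood = [((f"198.51.100.{i}", 40000 + i, "192.0.2.10", 443), 1000 + i) for i in range(1, 51)]
    legit = (("203.0.113.7", 51515, "192.0.2.10", 443), 777)
    stateful, cookies = StatefulListener(), CookieListener()
    for tup, isn in flood:
        stateful.on_syn(tup, isn)
    isn = cookies.on_syn(*legit, counter=5)
    bad = cookies.on_ack(legit[0], legit[1] + 1, (isn ^ 1) + 1, counter=6)
    good = cookies.on_ack(legit[0], legit[1] + 1, isn + 1, counter=6)
    return stateful.on_syn(*legit), bad, good, len(cookies.established)
```

`demo()` returns, in order: whether the stateful listener still accepts the genuine client after the flood, whether an altered cookie is accepted, whether the genuine ACK is accepted, and how many connections the cookie listener ended up tracking.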
