SYN Flood - Countermeasures

Countermeasures

There are a number of well-known countermeasures listed in RFC 4987, including:

  1. Filtering
  2. Increasing Backlog
  3. Reducing SYN-RECEIVED Timer
  4. Recycling the Oldest Half-Open TCB
  5. SYN Cache
  6. SYN cookies
  7. Hybrid Approaches
  8. Firewalls and Proxies

SYN cookies provide protection against the SYN flood by eliminating the resources allocated on the target host for connections that have not yet completed the handshake.

Limiting new connections per source per timeframe is not a general solution since the attacker can spoof the packets to have multiple sources.

Some systems can mis-detect a SYN Flood when being scanned for open proxies, as is commonly done by IRC servers and services. These scans are not SYN Floods, merely an automated system designed to check the connecting IP.
