Breaking TCP/IP
Attempts to whack your system using TCP/IP weaknesses also abound. The most popular of these is the SYN attack. SYN works by taking advantage of the protocol handshake between two Internet applications. A session starts when one program sends a TCP SYN (synchronisation) packet to another. That application then replies with a TCP SYN-ACK acknowledgment packet, and the first program responds with an ACK (acknowledgment). Once the applications have completed their handshake, they're ready to work with each other.
A SYN attack overwhelms its victim with a flood of TCP SYN packets. Every SYN packet forces the targeted server to produce a SYN-ACK response and then wait for the appropriate ACK. This quickly leads to a situation where outstanding SYN-ACKs pile up behind each other in a backlog queue. When the backlog queues fill up, the system stops acknowledging incoming SYN requests.
If the SYN attack uses SYN packets with bogus source IP addresses, the situation deteriorates faster. The SYN-ACKs go out to addresses that never reply, so the ACK never comes back. The rapidly overfilling backlog queue usually stops legitimate application SYN requests from getting through.
Adding insult to injury, the similar Land attack employs spoofed SYN packets, with IP addresses forged to look like they come from within your network. Now, the SYN attacks appear to be coming from within your firewall, adding to your problems.
Most up-to-date operating systems and firewalls can stop SYNing in its tracks. Another easy way to prevent SYNing is to set your firewall to block all incoming packets with known bad source IP addresses. This list should include external packets that bear spoofed IP addresses from the following IP ranges, which are reserved for internal use only: 10.0.0.0 to 10.255.255.255, 127.0.0.0 to 127.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255.
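To make the backlog behaviour and the ingress rule concrete, here is an added Python model (not code from the article): a listening socket's half-open queue fed by constructed traffic, with and without the firewall rule that drops external packets whose source falls in the reserved ranges listed above. The backlog size, the 203.0.113.0/24 client address and the flood sources are all constructed values.

```python
import ipaddress
from collections import namedtuple

# Ranges the article lists as internal-only; a packet arriving from outside
# with one of these as its source cannot be genuine and is dropped.
INTERNAL_ONLY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Packet = namedtuple("Packet", "src flags")   # flags: "SYN" or "ACK"


def is_spoofed_external(src):
    """True if an externally received packet claims an internal-only source."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_ONLY)


class SynBacklog:
    """Constructed model of a server's half-open (SYN-received) queue."""

    def __init__(self, size, filter_spoofed=True):
        self.size = size
        self.filter_spoofed = filter_spoofed
        self.half_open = {}          # src -> waiting for the client's ACK
        self.dropped_spoofed = 0     # stopped by the ingress rule
        self.dropped_full = 0        # lost because the backlog was full
        self.established = 0

    def receive(self, pkt):
        if self.filter_spoofed and is_spoofed_external(pkt.src):
            self.dropped_spoofed += 1
            return "drop:spoofed"
        if pkt.flags == "SYN":
            if len(self.half_open) >= self.size:   # queue exhausted
                self.dropped_full += 1
                return "drop:backlog-full"
            self.half_open[pkt.src] = True         # SYN-ACK sent, await ACK
            return "syn-ack"
        if pkt.flags == "ACK" and pkt.src in self.half_open:
            del self.half_open[pkt.src]            # handshake completed
            self.established += 1
            return "established"
        return "ignore"


def simulate(filter_spoofed):
    """20 spoofed SYNs (no ACK ever returns) followed by one real handshake."""
    backlog = SynBacklog(size=8, filter_spoofed=filter_spoofed)
    for i in range(20):                                  # constructed flood
        backlog.receive(Packet(f"10.0.0.{i + 1}", "SYN"))
    backlog.receive(Packet("203.0.113.7", "SYN"))        # legitimate client
    backlog.receive(Packet("203.0.113.7", "ACK"))
    return backlog
```

Switching the flood sources in `simulate` to routable addresses shows the limit of this rule: it catches only spoofed sources inside the reserved ranges, which is why modern stacks also rely on SYN cookies and backlog timeouts.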