0:04
Hi everybody.
Ed Emaroso.
And I want to talk to you today about something called a SYN flood.
SYN, S-Y-N being the first packet in the TCP three step sequence.
Now, in the context of distributed denial of service attacks, there is so
much misconception, particularly in the popular media and
even amongst technologists about where Denial-of-Service attacks come from.
And we all know for the most part there's bot nets involved, we get that.
But there's really two cases for any type of entity trying to flood another,
and in the context of TCP/IP, let me tell you what those two cases are.
The first case is where you're not willing to give up who you are.
You're not going to say it's really coming from me.
You're going to lie about your source IP address, and
in the second case, you're going to be perfectly comfortable saying yep,
it's me, this is where I'm going to set up a session.
Now let's think about the pros and cons of those two.
Now if I'm only willing to just send a packet as somebody else,
then that's as far as I'm going to get.
I'll put a diagram here up of a bunch of SYNs.
A's source IP address is 10.1.2.3 but
uses the source IP address and some other thing 192.1.2.3.4.
So what happens is I send a SYN, I send another SYN,
I send another SYN that's the essence of a flood or Denial-of-Service attack.
I keep sending them.
Think of it as like a gun boom, boom, boom, boom.
I'm sending the SYN packets where the response is going.
They've not coming to you, they're going to somebody else.
Now the irony is sometimes that is the ultimate victim.
Sometimes you think, I'm going to hit you, you're going to respond to him, and
that's what I'm trying to DDAS like if you're a DNS Server.
And I want the DNS response to come back that's sometimes the purpose.
Other times you're the one I'm trying to attack with a SYN Flood and
maybe I'm changing up my source IP so
you're spraying out all the responses all over the place.
You the Internet attacker, I hope you're not an Internet attacker, but
you get the idea.
Whoever's designing these things has to think through what do you want to do?
So the first case is you're lying, we call that a SYN Flood.
The second case is much more powerful.
Because, if I send a SYN, you send SYN ACK, I send ACK, we have a session set up.
I can now do application level things.
I can login to you, I can send commands, I can ask
to download stuff, whatever depending on what it is your on to your web server.
I get on now.
I start downloading things to try to create a very busy condition for
your website or whatever but I'm doing it, I'm exposing the source site IP.
So generally, when that's the case, it's always preceded by
first breaking in to someone else's machine and that's how Botnets are set up.
But as we've discussed and as I'm sure many of you are already familiar with,
a whole botnet that's designed and
3:17
created and recruited and I can have all my box do that.
I really don't care that they expose who they are.
It's not my computer.
Scattered the world probably.
So you know that it's somebody's mom's PC connected to broadband.
It's attacking you.
What are you going to do?
Again in popular media there is this misconception that when you see these
attacks coming that are exposing source IPs, we'll just hack them back.
But in a bot net who are you hacking?
You're hacking somebody who's already been hacked and is probably innocent,
probably unaware that it happened, and in many cases you're just making it worse.
Suppose it's a children's hospital that's been infected with bot software and
is not attacking you, what are you going to do?
Attack them back?
It's a symptom of great ignorance that I hope as you study cyber security,
as we go through these lectures we can help to rectify, so keep that in mind.
Now got a little quiz that'll test our understanding of this.
So think about those three.
I think you'll come to the conclusion that it's the middle answer, it's B, right?
So the response in SYN packets for flood are going to go somewhere else.
So it gives you a nice a comfortable if you lie about your source IP,
you're now getting all these pesky SYN ACKs coming back.
You can [INAUDIBLE] the result of maybe making your own connection a little busy.
Better to make somebody else's connections busy as part of the attack.
So I hope you don't do these things, but it's important for us as we learn cyber
security to know the difference between the different elements of these attacks.
I'll see you in the next video.
Dr. Edward G. AmorosoResearch Professor, NYU and CEO, TAG Cyber LLC
