Hi everybody.
Ed Amoroso.
And I want to talk to you today about something called a SYN flood.
SYN, S-Y-N, being the first packet in the TCP three-step sequence.
Now, in the context of distributed denial-of-service attacks, there is so
much misconception, particularly in the popular media and
even amongst technologists, about where denial-of-service attacks come from.
And we all know, for the most part, there's botnets involved, we get that.
But there are really two cases for any type of entity trying to flood another,
and in the context of TCP/IP, let me tell you what those two cases are.
The first case is where you're not willing to give up who you are.
You're not going to say it's really coming from me.
You're going to lie about your source IP address. And
in the second case, you're going to be perfectly comfortable saying, yep,
it's me, this is where I'm going to set up a session.
Now let's think about the pros and cons of those two.
Now if I'm only willing to just send a packet as somebody else,
then that's as far as I'm going to get.
I'll put a diagram up here of a bunch of SYNs.
A's source IP address is 10.1.2.3, but
it uses the source IP address of some other thing, 192.1.2.3.4.
So what happens is I send a SYN, I send another SYN,
I send another SYN. That's the essence of a flood or denial-of-service attack.
I keep sending them.
Think of it as like a gun: boom, boom, boom, boom.
I'm sending the SYN packets, but where is the response going?
They're not coming to you, they're going to somebody else.
Now the irony is sometimes that is the ultimate victim.
Sometimes you think, I'm going to hit you, you're going to respond to him, and
that's what I'm trying to DDoS, like if you're a DNS server.
And I want the DNS response to come back; that's sometimes the purpose.
Other times you're the one I'm trying to attack with a SYN flood, and
maybe I'm changing up my source IP so
you're spraying out all the responses all over the place.
You, the Internet attacker, I hope you're not an Internet attacker, but
you get the idea.
Whoever's designing these things has to think through: what do you want to do?
So the first case is you're lying; we call that a SYN flood.
The second case is much more powerful.
Because, if I send a SYN, you send SYN-ACK, I send ACK, we have a session set up.
I can now do application level things.
I can log in to you, I can send commands, I can ask
to download stuff, whatever, depending on what it is you're on, your web server.
I get on now.
I start downloading things to try to create a very busy condition for
your website or whatever, but I'm doing it, I'm exposing the source site IP.
So generally, when that's the case, it's always preceded by
first breaking into someone else's machine, and that's how botnets are set up.
But as we've discussed and as I'm sure many of you are already familiar with,
a whole botnet that's designed and