SYN attack

prashantrecon · ‎11-27-2011

Hi All,

I have router and inside interface is connected to firewall.

Last week i had attack one of my internal server and i also loosing connectivity to inside interface of the firewall.

But today suddenly internet was down when checked link was up but i also not able to ping to router inerface.

When checked in firewall there was a log indicating SYN attack but source and destination ip was not mentioned.

Can anybody suggest.

hobbe · ‎11-27-2011

Hi

A SYN attack is most likely spoofed SYN packets.

That means that it is not the real address sending them and that the ip address contained within the packet is not correct.

it seems like there is someone having it in for you.

Good luck

HTH

prashantrecon · ‎11-27-2011

Hi

Is there any way to prevent attack on routers.

hobbe · ‎11-27-2011

Prevent the attack itself ?

No

Mitigate the impact on services ?

to some extent yes. read the link below

The agressor can always oversaturate your internetlink.

It is just a numbers game, a SYN packet size is X your link has size Y and can traverse Z packets per second.

Then the agressor just needs to send enough syn packets through to eat up the resources of Y or Z wichever comes first.

However that is not the normal way of using syn attacks since there are faster ways to oversaturate the link.

the normal way of using syn attacks is to steal resources away from the server that is under attack by not establishing a full tcp connection.

This is mitigated in the firewall who sits inbetween the agressor and the server and answers the Syn packets and only lets through the ones that are legit.

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html

Good luck

HTH

fb_webuser · ‎11-28-2011

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00809763ea.shtml#tcp

This might help you.

---

Posted by WebUser Sooraj Prasad

prashantrecon · ‎11-28-2011

can we apply embryonic connection for particular acess-list