
What are Syn Cookies and how are they used in DDoS Attacks?

September 26, 2019

In this video, Solutions Architect, Syed Danial Zaidi, looks at what SYN cookies are and how they can be used for TCP authentication to protect against SYN flood denial-of-service (DDoS) attacks.

Transcription


AI Transcript:

This is Danial and I’m the Thunder Threat Protection System (TPS) Solutions architect at A10 and in this session we’re going to talk about Syn Cookies.

SYN cookies are actually one of the means of providing TCP authentication.

So this is a special technique or mechanism used by many TCP software stacks to generate the initial sequence number.

And this technique is actually used by many DDoS protection engines and load balancers to provide protection against SYN flood attacks.

Let’s take a look at it. How does it actually work?

Well, in a normal operation, let’s say we have a client here …

We have a server here.

The SYN comes in. The server responds with a SYN-ACK.

Now at this point of time, the server actually needs to maintain the state information in the TCP stack, or you can call it a TCP buffer.

I’ll just write it down. Until it receives an acknowledgement, right? And this is a normal process. Now imagine when you are under DDoS attack.

A simple, what I would say, a simple SYN flood attack coming in from various spoofed sources can actually end up consuming all the TCP memory available on the server. And because the server needs to maintain the state information for all the half-open connections, which are there actually, right?

And since this state table is finite, the server will eventually stop accepting new connections and will start denying service for the legitimate users.

And this is where actually the SYN cookies come into the picture.

Now, I’m just going to draw the client and server one more time with the same cookie in place.

What will happen is upon receiving a SYN, the server is going to respond again with a SYN-ACK. But now at this point of time, the sequence number that has been used in the SYN-ACK response by the server is going to be generated using a secret mathematical function. And at that point of time, it doesn’t need to maintain the state information in the TCP stack.

The moment it’s going to receive an acknowledgement from the client, at this point of time, it’s going to go and check the sequence number against the mathematical function that it actually used. And if that applies as legit, that session information will be reconstructed and the connection will proceed as normal.

One thing I would like to highlight here is how the SYN cookies computation actually works.

As we all know, the sequence number is a 32-bit value.

So, the way it works is the first five bits are actually used for a timestamp.

It’s a slowly incrementing timestamp.

The next 3 bits are actually used for the MSS value that the server may have used in the SYN-ACK and perhaps stored in the TCP SYN queue entry.

And finally, a 24-bit value from the cryptographic hash function.

And this cryptographic hash function is actually computed on source IP, DST-IP, source port, DST-Port, and the value of “T.”

So, now same scenario … when the server ends up receiving an ACK, it’s going to re-compute the value of T. It’s going to check it against the current time, just to see if the session information is valid or whether it has expired. It’s going to decode the value of the MSS, and finally it’s going to take a look at the value of “S.”

It’s going to re-compute this value, which actually corresponds to the SYN cookie. And if this value turns out to be legit, the session information again will be reconstructed and the connection will proceed as normal, as I said.

Now one thing I would like to highlight here is that whenever any device, whether it’s a DDoS mitigator or a load balancer, is performing SYN cookies, then the device needs to be in-line because it’s acting as a proxy and it needs to stretch both client and server side sessions.

And this is where A10, I would say, adds its value.

So, irrespective of whether you have an asymmetric reactive or asymmetric proactive kind of deployment, we do have other means of doing TCP authentication.

Thank you for watching this video. I hope you liked it and I’ll see you in the next session.
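The cookie layout described in the video (5-bit timestamp, 3-bit MSS index, 24-bit keyed hash over source IP, destination IP, source port, destination port and T), worked through as an added Python example. This is not code from the video or from A10; the secret, the MSS table, the 64-second tick and the two-tick expiry window are assumptions chosen for illustration.

```python
import hmac
import hashlib
import socket
import struct

# Constructed secret for this example; a real stack draws a random secret at boot.
SECRET = b"example-secret-not-for-production"
# The 3-bit MSS field indexes a small table of common MSS values (table is an assumption).
MSS_TABLE = (536, 1220, 1440, 1460)
TICK_SECONDS = 64   # one unit of the slowly incrementing 5-bit timestamp T (assumed)
MAX_AGE_TICKS = 2   # cookies older than this are treated as expired (assumed)

# Constructed sample endpoints (RFC 5737 documentation addresses).
CLIENT = socket.inet_aton("203.0.113.5")
SERVER = socket.inet_aton("198.51.100.10")

def _tick(now):
    # Current value of T: wall-clock seconds divided into coarse ticks, kept to 5 bits.
    return (now // TICK_SECONDS) & 0x1F

def _hash24(src_ip, dst_ip, src_port, dst_port, t):
    # Keyed hash over (src IP, dst IP, src port, dst port, T), truncated to 24 bits.
    msg = struct.pack("!4s4sHHB", src_ip, dst_ip, src_port, dst_port, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def encode_mss(mss):
    # Largest table entry not above the client's MSS; the index fits in 3 bits.
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx

def make_cookie(src_ip, dst_ip, src_port, dst_port, mss, now):
    # Initial sequence number for the SYN-ACK: T (5 bits) | MSS index (3 bits) | hash (24 bits).
    t = _tick(now)
    return (t << 27) | (encode_mss(mss) << 24) | _hash24(src_ip, dst_ip, src_port, dst_port, t)

def verify_ack(ack_number, src_ip, dst_ip, src_port, dst_port, now):
    # The client's ACK acknowledges cookie + 1, so recover the cookie first (mod 2^32).
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t, m, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if ((_tick(now) - t) & 0x1F) > MAX_AGE_TICKS:
        return None   # expired: T is too far behind the current tick
    expected = _hash24(src_ip, dst_ip, src_port, dst_port, t)
    if not hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None   # hash mismatch: this ACK does not belong to a SYN-ACK we sent
    return MSS_TABLE[m]   # valid: the only state we need (the MSS) is rebuilt from the cookie
```

Because nothing is stored between the SYN-ACK and the ACK, a flood of spoofed SYNs costs the server one hash per packet rather than a queue entry each.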