Withstanding the Flood
May 30, 2011
You never know when an attack is coming. But, if you're not ready, your systems will get flooded and shut down.
One typical attack of this kind is SYN flooding. "SYN" stands for an instruction to "synchronize" systems, part of the normal handshake for granting access to a server when a remote computer requests it. Too many requests and you go down.
Such a flooding attack was blocked this spring by Quadron.
"I was going through firewall logs when I noticed a large number of connection attempts in a 30-minute time period which were left open for longer than usual," said Senior Systems Administrator Jason Simons. "This can be indicative of a SYN flood attack."
In making a connection, the handshake goes like this:
* A remote computer sends a synchronize or SYN message to a server.
* The server sends an acknowledgment, aka SYN-ACK, back.
* The client responds with its own acknowledgment, or ACK, and the connection is made.
Such attacks have become less effective than they used to be, Simons said. But if resources are low, filtering is not occurring properly, or a system is misconfigured, they can still be problematic.
In this case, "our firewall was able to correctly identify these packets coming from the same [Internet protocol source] as invalid traffic, thus blocking them and not allowing them to use up the firewall's connection resources." But checking logs frequently also helps.
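The log review Simons describes, as an added example that is not part of the original article: it counts, per source address, connection attempts that saw a SYN but never the final ACK within a 30-minute window. The log format, the addresses, and the threshold of 5 are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed sample data in a hypothetical 'time src_ip src_port event' format."""
    base, lines = datetime(2011, 4, 1, 10, 0, 0), []
    def add(ip, port, when, events):
        lines.extend(f"{when.isoformat()} {ip} {port} {ev}" for ev in events)
    for i in range(3):   # normal client: every handshake completes
        add("192.0.2.10", 50000 + i, base + timedelta(minutes=5 * i),
            ("SYN", "SYN-ACK", "ACK"))
    for i in range(8):   # burst of SYNs that never receive the final ACK
        add("203.0.113.5", 40000 + i, base + timedelta(minutes=2 * i),
            ("SYN", "SYN-ACK"))
    for i in range(6):   # occasional unanswered SYNs spread over hours
        add("198.51.100.7", 30000 + i, base + timedelta(hours=i),
            ("SYN", "SYN-ACK"))
    return "\n".join(lines)

def half_open_by_source(log_text, window=timedelta(minutes=30), threshold=5):
    """Return {src_ip: n} where n is the largest number of handshakes left
    half-open (SYN seen, final ACK never seen) inside any one window."""
    pending = {}  # (ip, port) -> time the SYN arrived
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, port, event = line.split()
        if event == "SYN":
            pending[(ip, port)] = datetime.fromisoformat(ts)
        elif event == "ACK":
            pending.pop((ip, port), None)  # handshake completed
    per_source = defaultdict(list)
    for (ip, _port), when in pending.items():
        per_source[ip].append(when)
    flagged = {}
    for ip, times in per_source.items():
        times.sort()
        best = start = 0
        for end, when in enumerate(times):
            while when - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, n in half_open_by_source(build_sample_log()).items():
        print(f"{ip}: {n} half-open connections within 30 minutes")
```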