
SYN cookies and IP stressers – Technical approach to network security evasion

SYN cookies are a technique used to protect TCP servers during a SYN flood, one of the most basic types of DDoS attack. In a SYN flood, an attacker sends a rapid succession of TCP connection requests (SYN packets) to a server without ever completing the handshakes. The server allocates a half-open connection entry for each request, so its connection queue fills up, eventually causing it to crash or to deny legitimate users access. SYN cookies work by not allocating server-side connection state until a valid response is received from the client. When a TCP SYN requesting a new connection arrives, the server encodes the information it needs about that connection into a cryptographic cookie, the SYN cookie, instead of storing it in its connection queue, and returns the cookie to the client inside the standard TCP SYN-ACK response packet.

Upon receiving the SYN-ACK packet, a legitimate client sends back an ACK packet, completing the handshake. When the server receives this ACK, it validates and decodes the SYN cookie to reconstruct the necessary session state and allocates resources only to that now-confirmed connection, so the flood's unanswered SYNs cost it nothing. The key benefit of SYN cookies is that the server keeps no per-connection state during the initial TCP three-way handshake, which prevents a SYN flood from exhausting its connection capacity.
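The following is an added example, not code from the original post: a stateless SYN cookie encoder and verifier in Python, modelled loosely on the Linux scheme (counter tick plus MSS index plus a keyed hash packed into the 32-bit initial sequence number). The server object, the 64-second tick period, the MSS table, the secret and the addresses are all constructed for the demonstration. The simulation shows that a flood of spoofed SYNs creates no server state, that a forged ACK is rejected, that a legitimate ACK is accepted, and that a cookie older than the allowed window is rejected.

```python
"""Stateless SYN cookies: encode connection state into the server ISN (added example)."""
import hashlib
import hmac
import struct
from ipaddress import ip_address

# Constructed secret for the demo; a real server draws this from a CSPRNG at boot.
SECRET = b"constructed-demo-secret"
COUNTER_PERIOD = 64                    # seconds per counter tick (assumed value)
MSS_TABLE = (536, 1300, 1440, 1460)    # encodable MSS values; index fits in 3 bits
MASK32 = 0xFFFFFFFF
MAC_MASK = 0xFFFFFF                    # low 24 bits of the cookie hold the MAC


def _tick(now):
    return int(now // COUNTER_PERIOD)


def _mac(saddr, sport, daddr, dport, client_isn, tick, mss_index):
    """24-bit keyed MAC over the 4-tuple, the client ISN, the tick and the MSS index."""
    msg = struct.pack("!4sH4sHIIB", ip_address(saddr).packed, sport,
                      ip_address(daddr).packed, dport,
                      client_isn & MASK32, tick & MASK32, mss_index)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_isn, mss, now):
    """Cookie layout: 5 bits tick | 3 bits MSS index | 24 bits MAC."""
    tick = _tick(now)
    mss_index = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac(saddr, sport, daddr, dport, client_isn, tick, mss_index)
    return ((tick & 0x1F) << 27) | (mss_index << 24) | mac


def verify_cookie(saddr, sport, daddr, dport, client_isn, cookie, now, max_age_ticks=1):
    """Return the encoded MSS if the cookie is genuine and fresh, else None."""
    cur = _tick(now)
    age = (cur - (cookie >> 27)) & 0x1F         # ticks elapsed, recovered from 5 stored bits
    if age > max_age_ticks:
        return None
    mss_index = (cookie >> 24) & 0x7
    if mss_index >= len(MSS_TABLE):
        return None
    expected = _mac(saddr, sport, daddr, dport, client_isn, cur - age, mss_index)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & MAC_MASK).to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_index]


class Server:
    """Minimal TCP listener model: no half-open queue, only established connections."""

    def __init__(self, addr="10.0.0.1", port=443):
        self.addr, self.port = addr, port
        self.established = {}   # (client addr, port) -> MSS; the only state kept

    def on_syn(self, saddr, sport, client_seq, mss, now):
        # Nothing is stored; the SYN-ACK carries the cookie as our ISN.
        cookie = make_cookie(saddr, sport, self.addr, self.port, client_seq, mss, now)
        return {"seq": cookie, "ack": (client_seq + 1) & MASK32}

    def on_ack(self, saddr, sport, seq, ack, now):
        client_isn = (seq - 1) & MASK32     # client ISN is one below the ACK's seq
        cookie = (ack - 1) & MASK32         # our ISN is one below the acknowledged number
        mss = verify_cookie(saddr, sport, self.addr, self.port, client_isn, cookie, now)
        if mss is None:
            return False
        self.established[(saddr, sport)] = mss
        return True


def demo():
    srv = Server()
    t0 = 1_700_000_000.0
    # 1. Flood: 10,000 spoofed SYNs from constructed source addresses create no state.
    for i in range(10_000):
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, client_seq=i * 7919, mss=1460, now=t0)
    state_after_flood = len(srv.established)
    # 2. Legitimate client completes the handshake within the window.
    synack = srv.on_syn("203.0.113.7", 51515, client_seq=0x12345678, mss=1460, now=t0)
    good_ack = (synack["seq"] + 1) & MASK32
    accepted = srv.on_ack("203.0.113.7", 51515, seq=0x12345679, ack=good_ack, now=t0 + 1)
    # 3. Forged ACK with a guessed acknowledgement number is rejected.
    forged = srv.on_ack("203.0.113.8", 40000, seq=1, ack=0xDEADBEEF, now=t0 + 1)
    # 4. The same valid ACK arriving after the cookie window has expired is rejected.
    late = srv.on_ack("203.0.113.7", 51515, seq=0x12345679, ack=good_ack,
                      now=t0 + 3 * COUNTER_PERIOD)
    return state_after_flood, accepted, forged, late, srv.established.get(("203.0.113.7", 51515))


if __name__ == "__main__":
    print(demo())
```

Two practical caveats follow from the layout. Only a few bits of state fit in the 32-bit sequence number, so TCP options negotiated in the SYN (window scaling, SACK, timestamps) are lost unless they are carried some other way, and every ACK now costs a MAC computation; this is why Linux, with `net.ipv4.tcp_syncookies=1`, only switches to cookies once the SYN backlog overflows rather than using them for every connection.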

IP stressers

In contrast to SYN cookies as a defensive technique, IP stressers are tools used to conduct DDoS and related attacks. Also known as booters or booter services, IP stressers provide users with on-demand DDoS attack capabilities for a subscription fee. They work by taking in a target IP address provided by a customer, along with parameters like attack type and duration, then directing an influx of malicious traffic from their servers or an attached botnet against the specified target. Attack vectors that IP stressers may offer include SYN floods, UDP floods, ICMP floods, layer 7 HTTP floods, and more.

In addition to overwhelming targets to silence them, as with traditional DDoS attacks, IP stressers are also used for more subtle malicious objectives such as establishing backdoors, sidelining security teams, or creating distractions for concurrent hacking activity. The DDoS-for-hire business is extremely lucrative, with some IP stresser operators making over $100,000 per month in profit. Many jurisdictions are cracking down by shutting down sites and arresting operators. Attackers continue innovating with new evasion tactics like rotating domain names, dark web hosting, and incorporating encrypted traffic or legitimate services as attack vectors.

Ongoing cat and mouse game

Defensive technologies like SYN cookies and offensive tools like IP stressers represent just a snapshot of the ongoing cat-and-mouse game between network attackers and defenders. As security teams adapt to combat existing threats, attackers continue probing for and exploiting weaknesses in new protection systems. Network firewalls, intrusion detection systems, web application firewalls, anti-DDoS services, two-factor authentication, and other defensive hardware and software each add a layer of protection. Market pressures and bragging rights motivate attackers to relentlessly search for creative new avenues such as zero-day exploits or amplification attacks that abuse legitimate platforms.
