Is SYN flooding still a threat?
Well, recently I've been reading about different Denial of Service methods. One method that kind of stuck out was SYN flooding. I'm a member of some not-so-nice forums, and someone was selling a Python script that would DoS a server using SYN packets with a spoofed IP address.
However, if you sent a SYN packet to a server, with a spoofed IP address, the target server would return the SYN/ACK packet to the host that was spoofed. In which case, wouldn't the spoofed host return an RST packet, thus negating the 75 second long-wait, and ultimately failing in its attempt to DoS the server?
EDIT: And what if I'm not using SYN cookies?
Thanks to SYN cookies, the threat of SYN flooding is kind of minimal these days. http://en.wikipedia.org/wiki/SYN_cookies
Basically, when a SYN packet is received, the server sends a cookie, and if the guest responds with the proper response, the connection is established.
SYN flooding used to cause issues because the servers had to keep the connections open, waiting for the rest of the handshake.
I believe recent OSes will support SYN cookies, which aid in preventing this sort of attack. You can enable it with /proc/sys/net/ipv4/tcp_syncookies in Linux.
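As an added illustration (not code from any of the posters, and not the Linux kernel's implementation), here is a simplified Python model of the SYN cookie exchange described in the answers above, using the bit layout from the linked Wikipedia article: the server stores nothing when a SYN arrives and rebuilds the connection parameters from the returning ACK. The HMAC-SHA256 hash, the MSS table, the validity window and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import socket
import struct

MSS_TABLE = (536, 1300, 1440, 1460)  # assumed table; 3 bits allow up to 8 entries
SLOT_SECONDS = 64                    # counter t advances every 64 seconds
MAX_AGE_SLOTS = 2                    # assumed validity window for a cookie

def _mac24(secret, flow, client_isn, counter, mss_idx):
    """24-bit keyed hash binding the cookie to one flow, time slot and MSS."""
    src, sport, dst, dport = flow
    msg = (socket.inet_aton(src) + socket.inet_aton(dst)
           + struct.pack("!HHIIB", sport, dport, client_isn, counter, mss_idx))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(secret, flow, client_isn, client_mss, now):
    """On SYN: return the ISN to put in the SYN/ACK. No per-connection state is kept."""
    counter = int(now) // SLOT_SECONDS
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = _mac24(secret, flow, client_isn, counter, mss_idx)
    return ((counter % 32) << 27) | (mss_idx << 24) | mac

def check_ack(secret, flow, seq, ack, now):
    """On the final ACK: return the negotiated MSS, or None if the segment is dropped."""
    cookie = (ack - 1) & 0xFFFFFFFF      # the client acknowledges cookie + 1
    client_isn = (seq - 1) & 0xFFFFFFFF  # the client's own ISN + 1
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    current = int(now) // SLOT_SECONDS
    for counter in range(current, current - MAX_AGE_SLOTS - 1, -1):
        if counter < 0 or counter % 32 != cookie >> 27:
            continue  # top 5 bits must match a recent time slot
        expected = _mac24(secret, flow, client_isn, counter, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges, fixed clock).
    key = b"constructed-demo-secret"
    flow = ("192.0.2.10", 40000, "198.51.100.5", 443)
    isn = make_cookie(key, flow, client_isn=1000, client_mss=1460, now=1_700_000_000)
    print("genuine ACK ->", check_ack(key, flow, 1001, isn + 1, 1_700_000_005))
    print("guessed ACK ->", check_ack(key, flow, 1001, (isn ^ 1) + 1, 1_700_000_005))
```

Because `make_cookie` writes nothing to a backlog, a SYN whose source address never answers costs the server only the hash computation; state is allocated only after `check_ack` succeeds.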