Introduction
Distributed Denial of Service (DDoS) attacks are among the most significant threats to web security today. These attacks aim to overwhelm a target system with an excessive amount of traffic, causing it to slow down or become completely unresponsive. Two common types of DDoS attacks are SYN Flood and UDP Flood. Amazon Web Services (AWS) provides AWS Shield, a managed DDoS protection service, to help protect applications running on AWS. This document provides an overview of SYN/UDP Floods and explains how AWS Shield can mitigate these threats.
SYN Flood Attacks
Overview
A SYN Flood attack exploits the TCP handshake process. When a client wants to establish a TCP connection with a server, it sends a SYN (synchronize) packet. The server responds with a SYN-ACK (synchronize-acknowledge) packet, and then the client responds with an ACK (acknowledge) packet, completing the handshake. In a SYN Flood attack, the attacker sends numerous SYN packets but does not respond to the server’s SYN-ACK packets. This leaves the server with many half-open connections, consuming its resources and potentially leading to a denial of service.
Characteristics
- Target Protocol: TCP
- Impact: Exhaustion of server resources (memory and connection tables)
- Symptoms: Slow performance, inability to handle legitimate traffic
UDP Flood Attacks
Overview
A UDP Flood attack involves sending a large number of UDP (User Datagram Protocol) packets to random ports on a target server. Since UDP is a connectionless protocol, the server must process each incoming packet. If the server is unable to find an application listening on the targeted ports, it will respond with ICMP Destination Unreachable packets. This process consumes significant network bandwidth and server resources, leading to a denial of service.
Characteristics
- Target Protocol: UDP
- Impact: Network bandwidth consumption, server resource exhaustion
- Symptoms: Increased latency, packet loss, network congestion
AWS Shield
AWS Shield is a managed DDoS protection service that safeguards applications running on AWS. It provides two levels of protection: AWS Shield Standard and AWS Shield Advanced.
AWS Shield Standard
AWS Shield Standard is automatically included at no extra cost for all AWS customers. It provides protection against most common, smaller-scale DDoS attacks. AWS Shield Standard uses various techniques to detect and mitigate SYN and UDP Floods, including:
- Traffic Engineering: Analyzing and managing incoming traffic to filter out malicious packets.
- Rate Limiting: Limiting the number of requests from a single source to prevent resource exhaustion.
- Packet Filtering: Inspecting packets to identify and drop those that match known attack patterns.
AWS Shield Advanced
AWS Shield Advanced offers additional protections for more sophisticated attacks and provides 24/7 access to the AWS DDoS Response Team (DRT). It includes all the features of AWS Shield Standard, plus:
- Advanced Mitigation: Enhanced capabilities to handle large-scale attacks, including advanced algorithms for traffic analysis and anomaly detection.
- Cost Protection: Financial safeguards against DDoS-related scaling charges, helping absorb the cost of scaling your infrastructure in response to an attack.
- Real-time Visibility: Detailed metrics and reports on DDoS attacks, allowing for better understanding and response.
How AWS Shield Protects Against SYN/UDP Floods
AWS Shield employs multiple strategies to defend against SYN and UDP Flood attacks:
- Monitoring and Detection: Continuous monitoring of network traffic to detect abnormal patterns indicative of SYN or UDP Flood attacks.
- Automatic Mitigation: Immediate activation of mitigation measures upon detection of an attack, including rate limiting and traffic filtering.
- Adaptive Protection: Dynamic adaptation of defenses based on real-time traffic analysis to handle evolving attack vectors.
- Collaboration with AWS Services: Integration with other AWS services like Amazon CloudFront and AWS WAF (Web Application Firewall) to provide comprehensive protection.
Impact of SYN Flood Attacks
Exhaustion of Server Resources
Each SYN request consumes a tiny portion of the server’s memory and resources. Here are specific examples:
- Connection Table Entries: When a server receives a SYN request, it allocates an entry in its connection table to keep track of the state of the connection. Each entry consumes memory.
  - Technical Detail: A typical TCP connection table entry might consume around 280 bytes of memory.
  - Impact: If an attacker sends 10,000 SYN requests, it would consume roughly 2.8 MB of memory just for these half-open connections. On a server with limited memory, this can quickly exhaust available resources.
- CPU Processing: Each SYN request requires the server to perform a series of processing steps, consuming CPU cycles.
  - Technical Detail: The server must process the incoming SYN packet, create a SYN-ACK response, and manage the state of the connection in the kernel.
  - Impact: Handling thousands of SYN requests per second can significantly increase CPU usage, slowing down the server and reducing its ability to handle legitimate traffic.
- Port Exhaustion: Servers have a limited number of ports available for new connections. Each SYN request targets a specific port, and if the server allocates resources for these requests, it can exhaust the available ports.
  - Technical Detail: Most operating systems limit the number of simultaneous open connections per port.
  - Impact: An attacker sending many SYN requests to different ports can prevent legitimate users from establishing new connections, as the server runs out of available ports to allocate.
- Connection Timeouts: The server must maintain half-open connections for a period of time before timing them out. During this time, these connections consume resources.
  - Technical Detail: The default timeout period for half-open connections can be several seconds to a few minutes.
  - Impact: With thousands of half-open connections being maintained, the server’s ability to manage new connections is impaired, leading to potential denial of service for legitimate users.
Real-World Analogy
Imagine you are hosting a dinner party and have a limited number of seats at your table (representing the server’s resources). Each guest (SYN request) takes a seat and places their order (initiates a connection). However, some guests (attackers) take a seat and never place an order (never complete the handshake), but you still have to reserve the seat for them (allocate resources).
- Impact: If too many seats are occupied by these non-ordering guests, your real guests (legitimate users) have nowhere to sit, and you can’t serve them properly.
Port Exhaustion
Overview
Port exhaustion occurs when a server runs out of available ports to allocate for new connections due to a large number of half-open connections caused by SYN Flood attacks. Each connection attempt, whether legitimate or malicious, consumes a port. When the number of available ports is exhausted, the server cannot accept new connections, leading to a denial of service for legitimate users.
Technical Details
- Port Range:
  - Servers typically use a range of ports for incoming connections, from port 0 to port 65535.
  - Ports 0-1023 are reserved for well-known services (e.g., HTTP on port 80, HTTPS on port 443), so servers usually allocate ports starting from 1024 for ephemeral (temporary) connections.
- Ephemeral Ports:
  - These are temporary ports used for new connections.
  - The operating system dynamically allocates ephemeral ports for outbound connections or new incoming connections.
  - On many systems, the range of ephemeral ports is configurable, but by default, it might be something like 1024 to 65535, providing about 64,511 ports.
- Connection States:
  - SYN-RECEIVED: When a server receives a SYN packet and responds with a SYN-ACK, the connection is in the SYN-RECEIVED state until the final ACK from the client is received.
  - During a SYN Flood attack, many connections remain in this SYN-RECEIVED state, consuming ports but never transitioning to an established connection.
- Port Reuse and TIME_WAIT:
  - After a connection is closed, the port enters a TIME_WAIT state to ensure any delayed packets are properly handled before the port can be reused.
  - This further limits the availability of ports for new connections during an attack.
Impact of Port Exhaustion
- Service Unavailability:
  - When all ephemeral ports are in use, the server cannot accept new incoming connections, leading to service unavailability for legitimate users.
  - For example, a web server might not be able to handle new HTTP requests.
- Performance Degradation:
  - As the server struggles to manage numerous half-open connections, overall system performance degrades.
  - Legitimate users experience slow response times, dropped connections, or complete inability to connect.
- Resource Exhaustion:
  - Port exhaustion can lead to increased CPU and memory usage as the server maintains state information for numerous half-open connections.
  - This exacerbates the denial of service, as critical resources are tied up by the attack.
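The half-open (SYN-RECEIVED) state described in the SYN Flood impact section and the Connection States item above is directly observable on a Linux host in the socket table. The following script is an added example, not code from AWS or from the original page: it parses a constructed sample in the layout of `ss -tan` output, counts SYN-RECV sockets per peer address, estimates the memory they tie up using the ~280-byte-per-entry figure quoted earlier, and flags the condition when half-open sockets dominate. The address values, the per-source threshold of 5 and the 50% ratio threshold are illustrative assumptions, to be tuned per host.

```python
"""Spot SYN-flood symptoms (half-open SYN-RECV sockets) in `ss -tan`-style output."""
from collections import Counter

# Constructed sample in the layout of `ss -tan` output; not captured from a real host.
# 192.0.2.x are ordinary clients; 198.51.100.20 is the peer leaving handshakes unfinished.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      1024   0.0.0.0:443         0.0.0.0:*
ESTAB     0      0      10.0.1.5:443        192.0.2.9:51234
ESTAB     0      0      10.0.1.5:443        192.0.2.10:51240
SYN-RECV  0      0      10.0.1.5:443        192.0.2.11:40233
SYN-RECV  0      0      10.0.1.5:443        198.51.100.20:40001
SYN-RECV  0      0      10.0.1.5:443        198.51.100.20:40002
SYN-RECV  0      0      10.0.1.5:443        198.51.100.20:40003
SYN-RECV  0      0      10.0.1.5:443        198.51.100.20:40004
SYN-RECV  0      0      10.0.1.5:443        198.51.100.20:40005
SYN-RECV  0      0      10.0.1.5:443        198.51.100.20:40006
SYN-RECV  0      0      10.0.1.5:443        198.51.100.20:40007
SYN-RECV  0      0      10.0.1.5:443        198.51.100.20:40008
"""


def parse_ss(text):
    """Return (state, local_endpoint, peer_ip) for each socket line, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        peer_ip = peer.rsplit(":", 1)[0].strip("[]")  # tolerate [v6-addr]:port too
        rows.append((state, local, peer_ip))
    return rows


def assess(rows, bytes_per_entry=280, per_source_threshold=5, ratio_threshold=0.5):
    """Summarise half-open load and name peers holding many unfinished handshakes.

    bytes_per_entry is the ~280-byte figure quoted in the text; the two thresholds
    are illustrative assumptions for this example.
    """
    half_open = [r for r in rows if r[0] == "SYN-RECV"]
    established = [r for r in rows if r[0] == "ESTAB"]
    per_source = Counter(peer for _, _, peer in half_open)
    total = len(half_open) + len(established)
    ratio = len(half_open) / total if total else 0.0
    return {
        "half_open": len(half_open),
        "established": len(established),
        "half_open_ratio": round(ratio, 3),
        "estimated_bytes": len(half_open) * bytes_per_entry,
        "suspect_sources": sorted(ip for ip, n in per_source.items() if n >= per_source_threshold),
        "flood_suspected": ratio >= ratio_threshold,
    }


if __name__ == "__main__":
    report = assess(parse_ss(SAMPLE_SS_OUTPUT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host the sample text would be replaced by the output of `ss -tan`; a persistently high half-open ratio, or one peer holding many SYN-RECV entries, is the symptom to alert on, and it is exactly the state that mitigation upstream of the server (such as AWS Shield) aims to keep from forming.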
Real-World Example
Imagine a busy call center with 64,511 phone lines (analogous to ports). Each phone line can handle one call at a time. During normal operation, incoming and outgoing calls use these lines, and lines are quickly freed up once calls are completed.
- Normal Operation: Calls are made and received, and phone lines are freed up quickly for new calls.
- During an Attack: Thousands of prank calls flood the call center, and each phone line is occupied by these prank calls that never complete. As a result, legitimate calls cannot get through because all phone lines are busy with these fake calls.
Mitigation with AWS Shield
AWS Shield helps prevent port exhaustion through several techniques:
- Traffic Filtering: AWS Shield can identify and filter out malicious traffic patterns associated with SYN Flood attacks, preventing them from reaching the server.
- Rate Limiting: By rate limiting the number of new connection attempts from a single source, AWS Shield reduces the likelihood of port exhaustion.
- Connection Management: AWS Shield uses advanced connection management techniques to ensure that half-open connections are handled efficiently, freeing up ports for legitimate users.
- Integration with AWS Services: Integration with other AWS services like AWS WAF (Web Application Firewall) and Amazon CloudFront helps distribute and absorb attack traffic, further mitigating the risk of port exhaustion.
Impact of UDP Flood Attacks
UDP Flood attacks overwhelm a server with a large number of UDP packets, consuming bandwidth and server resources.
- Network Bandwidth Consumption: The server must process each incoming UDP packet, even if it’s meaningless.
  - Technical Detail: Each UDP packet requires the server to check if there’s an application listening on the targeted port.
  - Impact: If no application is found, the server responds with an ICMP Destination Unreachable packet, consuming additional bandwidth and processing power.
- Server Resource Exhaustion: Like a shopkeeper answering a stream of requests for items the shop does not stock, the server spends its resources responding to meaningless requests.
  - Impact: Legitimate users experience increased latency, packet loss, and overall degraded network performance.
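The signature of a UDP Flood described above, many small datagrams from one source spread across ports where nothing listens, shows up clearly in per-flow records. The following script is an added example, not code from AWS or from the original page; it assumes VPC Flow Logs in the default version 2 field order as the data source (the page itself does not mention flow logs), parses a constructed set of records, and flags any UDP source that hits many distinct destination ports with a high packet count, reporting its average datagram size and packet rate. The account and interface identifiers, addresses and thresholds are constructed for the example.

```python
"""Flag UDP port-spray sources in VPC Flow Log (version 2) records."""
from collections import defaultdict

# Constructed flow-log lines in the default v2 field order (not exported from a real VPC):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
# Protocol 17 = UDP, 6 = TCP. 192.0.2.x are ordinary clients; 198.51.100.77 sprays ports.
FLOW_LOG_LINES = [
    "2 111122223333 eni-0a1b2c3d 192.0.2.9 10.0.1.5 53412 53 17 3 240 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d 192.0.2.10 10.0.1.5 41000 443 6 20 4800 1700000000 1700000060 ACCEPT OK",
] + [
    f"2 111122223333 eni-0a1b2c3d 198.51.100.77 10.0.1.5 {50000 + i} {1000 + i} 17 50 2000 "
    f"1700000000 1700000060 ACCEPT OK"
    for i in range(12)
]

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
UDP = 17


def parse_flow_logs(lines):
    """Turn v2 flow-log lines into dicts, skipping malformed lines and converting numeric fields."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records


def udp_port_spray(records, min_distinct_ports=10, min_packets=100):
    """Return sources whose UDP traffic spans many destination ports at volume (thresholds illustrative)."""
    per_src = defaultdict(lambda: {"ports": set(), "packets": 0, "bytes": 0, "start": None, "end": 0})
    for rec in records:
        if rec["protocol"] != UDP:
            continue
        s = per_src[rec["srcaddr"]]
        s["ports"].add(rec["dstport"])
        s["packets"] += rec["packets"]
        s["bytes"] += rec["bytes"]
        s["start"] = rec["start"] if s["start"] is None else min(s["start"], rec["start"])
        s["end"] = max(s["end"], rec["end"])
    suspects = {}
    for src, s in per_src.items():
        if len(s["ports"]) >= min_distinct_ports and s["packets"] >= min_packets:
            duration = max(1, s["end"] - s["start"])  # guard against zero-length windows
            suspects[src] = {
                "distinct_ports": len(s["ports"]),
                "packets": s["packets"],
                "avg_bytes_per_packet": s["bytes"] // s["packets"],
                "packets_per_second": round(s["packets"] / duration, 2),
            }
    return suspects


if __name__ == "__main__":
    for src, info in udp_port_spray(parse_flow_logs(FLOW_LOG_LINES)).items():
        print(src, info)
```

A source matching this pattern is also the one whose traffic generates the ICMP Destination Unreachable replies described above, so the outbound ICMP volume from the target is a second, independent signal worth charting next to this one.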
Real-World Analogy
Think of a small shop where customers walk in and ask for items. Now, imagine a group of people comes in and repeatedly asks for random items that the shop doesn’t have. The shopkeeper spends all their time responding with “Sorry, we don’t have that,” and can’t attend to actual customers.
- Impact: The shopkeeper (server) is overwhelmed and can’t serve real customers (legitimate users).
Conclusion
SYN and UDP Floods are serious threats that can disrupt online services and applications. AWS Shield offers robust protection against these types of attacks, leveraging advanced detection and mitigation techniques to ensure the availability and performance of applications running on AWS. By utilizing AWS Shield, organizations can enhance their security posture and reduce the risk of downtime caused by DDoS attacks.