For users who deploy IPFire in a data center, an interesting new feature has arrived: SYN Flood Protection. In this article, I would like to give an introduction to Denial-of-Service attacks and to the old and new mitigations IPFire has in stock against them.
(Distributed) Denial-of-Service Attacks

Denial-of-Service attacks are a common thing on the internet. They are basically designed to take down a website - or even a whole data center - by overwhelming a system. There are many ways to do this: either by sending a complicated request that keeps the system busy, or simply by sending an insanely large number of requests that the system cannot cope with in a short time. There is a very generic way to achieve the latter: just open as many connections as possible, but never send any real data. The server side will sooner or later run out of memory, as each connection needs to have its state stored somewhere, and will therefore refuse to accept legitimate connections. This is called a SYN Flood attack.
What is a SYN Flood?

To understand a SYN Flood attack, we have to understand first how a TCP connection works. It all starts with a Three-Way-Handshake. The client sends a SYN packet to the server which receives the packet, allocates some memory to store the new connection and responds with a SYN-ACK packet. The client then responds with a final ACK packet and the connection has now been completely established and is ready to transfer data.
Client                                   Server
  |                                        |
  | SYN -------------------------------->  | [Creates a new socket]
  |                                        |
  |  <-------------------------- SYN-ACK   |
  |                                        |
  | ACK -------------------------------->  |
  |                                        |
  |        [Connection Established]        |
  |                                        |

Both the server and the client have now exchanged some basic data about the connection. They know the IP addresses and ports to use to communicate with each other and have synchronised a sequence number - hence the packet is called SYN. Although this data is only a few kilobytes, with thousands or millions of connections it can consume a significant amount of memory.
But this is not only expensive for the server: the client has to store the state, too. For a proper attack this becomes too expensive, so it has to be made cheaper. But how? What about just firing the SYN packet at the server and immediately forgetting that we sent it? That way, we won't use any resources apart from network bandwidth, but the server will still respond with a SYN-ACK packet and wait for the final ACK.
Attacker                                 Server
  |                                        |
  | SYN -------------------------------->  | [Creates a new socket]
  | x <------------------------- SYN-ACK   |
  | SYN -------------------------------->  | [Creates a new socket]
  | x <------------------------- SYN-ACK   |
  | SYN -------------------------------->  | [Creates a new socket]
  | x <------------------------- SYN-ACK   |
  | SYN -------------------------------->  | [Creates a new socket]
  | x <------------------------- SYN-ACK   |
  |                                        | [Waits for ACKs that never arrive]

The firewall performs the entire three-way handshake on behalf of the server and only forwards the connection once it has been fully established. That is amazing, because we can use this to mitigate Denial-of-Service attacks! If an attacker sends a large number of SYN packets, the firewall will respond with SYN-ACK packets that contain a SYN cookie. The attacker won't ever respond to those packets, but a legitimate client will and therefore the firewall can easily open the connection to the server. The server itself is entirely oblivious that an attack is happening because the firewall is smart enough to filter it all away.
Attacker                Firewall                            Server
  |                        |                                  |
  | SYN ---------------->  |                                  |
  | x <-------- SYN-ACK    | (contains a SYN cookie, no state)|
  | SYN ---------------->  |                                  |
  | x <-------- SYN-ACK    |                                  |
  | SYN ---------------->  |                                  |
  | x <-------- SYN-ACK    |                                  |
  |                        |                                  |
Client                     |                                  |
  | SYN ---------------->  |                                  |
  |   <-------- SYN-ACK    | (contains a SYN cookie)          |
  | ACK ---------------->  | [Creates a CT entry]             |
  |                        | SYN ---------------------------> | [Creates a new socket]
  |                        |   <--------------------- SYN-ACK |
  |                        | ACK ---------------------------> |
  |                 [Connection Established]                  |
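
The three behaviours described above (the server allocating state per SYN, the attacker forgetting each SYN it sent, and the firewall answering with a stateless SYN cookie and opening the server connection only after a valid ACK) as an added simulation that is not IPFire's code. The cookie layout (8-bit counter plus a 24-bit HMAC) and all addresses are constructed for this example.

```python
import hashlib, hmac, os
SECRET = os.urandom(16)   # constructed per-firewall secret; real code rotates it

def syn_cookie(src, dst, client_isn, t):
    """Stateless SYN-ACK ISN: 8-bit counter | 24-bit MAC (hypothetical simplified layout)."""
    msg = f"{src}>{dst}|{client_isn}|{t & 0xFF}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]
    return ((t & 0xFF) << 24) | int.from_bytes(mac, "big")
def cookie_valid(src, dst, client_isn, ack, now_t, max_age=1):
    """Recompute the cookie from the final ACK alone; nothing was stored at SYN time."""
    isn = (ack - 1) & 0xFFFFFFFF
    if ((now_t - (isn >> 24)) & 0xFF) > max_age:     # counter too old or never issued by us
        return False
    expected = syn_cookie(src, dst, client_isn, isn >> 24).to_bytes(4, "big")
    return hmac.compare_digest(expected, isn.to_bytes(4, "big"))

class Server:
    """Unprotected behaviour: a half-open entry is allocated for every SYN."""
    def __init__(self):
        self.half_open, self.sockets = {}, {}
    def on_syn(self, src, dst):
        self.half_open[(src, dst)] = "SYN_RECEIVED"
    def accept(self, src, dst):
        self.sockets[(src, dst)] = "ESTABLISHED"

class SynProxyFirewall:
    """Answers every SYN with a cookie; keeps state only once an ACK validates."""
    def __init__(self, server):
        self.server, self.ct, self.t = server, {}, 0
    def on_syn(self, src, dst, client_isn):
        return syn_cookie(src, dst, client_isn, self.t)   # SYN-ACK sent, no state kept
    def on_ack(self, src, dst, client_isn, ack):
        if not cookie_valid(src, dst, client_isn, ack, self.t):
            return False                                  # dropped, still no state
        self.ct[(src, dst)] = "ESTABLISHED"               # CT entry for the client
        self.server.accept(src, dst)                      # handshake towards the server
        return True

def simulate(flood_size=10_000):
    """Flood plus one legitimate client; returns the state each side ends up holding."""
    exposed, protected = Server(), Server()
    fw, dst = SynProxyFirewall(protected), "203.0.113.10:443"
    for i in range(flood_size):                           # attacker forgets every SYN
        src = f"198.51.100.{i % 254 + 1}:{1024 + i}"
        exposed.on_syn(src, dst)
        fw.on_syn(src, dst, i)
    src, isn = "192.0.2.7:51234", 123456                  # legitimate client completes
    fw.on_ack(src, dst, isn, (fw.on_syn(src, dst, isn) + 1) & 0xFFFFFFFF)
    forged = fw.on_ack("192.0.2.8:40000", dst, 1, 0xDEADBEEF)   # guessed ACK
    return len(exposed.half_open), len(fw.ct), len(protected.sockets), forged
```

`simulate()` returns the exposed server's half-open count (one per flood packet), the firewall's single CT entry, the protected server's single socket, and `False` for the forged ACK.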

(Distributed) Denial-of-Service Attacks In The Real World

We are living in times where bandwidth is cheap. Assuming that the most common uplink in a data center is one Gigabit, an attacker only needs to generate one Gigabit of SYN packets a second to saturate your uplink and your service is offline. Since every cloud server comes with one Gigabit or more, this is neither difficult nor expensive to do. Once they send more packets than your internet connection can handle, there is nothing IPFire can do, because the legitimate packets have been dropped long before they reach the firewall.
So, you will need a bigger pipe than your attackers. But where to get that from? It does not seem to be a good investment of money to upgrade your internet connection only to accept malicious traffic. The attacker side might also do the same, so you are very quickly back to square one. But there is one option where you can rent a large amount of resources for any time you need: The Cloud!
Deploying DoS Protection in the Cloud

IPFire supports Amazon's Graviton instances which - in the current network-optimised generation - support a network bandwidth of up to a whopping 200 GBit/s (C7gn). With IPFire's support for Amazon's Elastic Network Adapter, that kind of high bandwidth isn't a problem to handle. It is the perfect pair to build your own DoS Protection in the Cloud! If that still isn't enough (and your budget allows), you can deploy many of these instances across several regions instead of just one.
The setup works as follows: an IPFire instance is deployed in the cloud and all your users are directed to it. With SYN Flood protection enabled, you can forward all legitimate connections to your own infrastructure, which may also be hosted on AWS or elsewhere (bonus points if you connect it using IPsec for extra security). Illegitimate connections can be blocked by the SYN Flood protection, but also by any of the other features that IPFire has to offer, like our Intrusion Prevention System.
Clients                  Amazon Web Services              Your Infrastructure
  |                    +--------------------+                    |
  | Requests --------> |                    | Legitimate -------> |
  | ----------------> |       IPFire       | Requests ---------> |
  | ----------------> |                    |                     |
  |                    |                    |                     |
Attackers               |                    |                     |
  | ----------------> |      [Blocked]     |                     |
  |                    +--------------------+                     |

And that is not all: thanks to the large number of features that IPFire offers, you could enable SYN Flood protection selectively, only for a couple of origins such as bad actors you have identified before, or by country. You could even direct traffic from certain places to one service that receives more legitimate requests, and all the rest, where you are not sure, to another service. There are plenty of options, and they will protect your infrastructure from those bad guys out there.
We Are Here To Help

As the landscape of cybersecurity threats becomes more complex, businesses have to build more robust defences against them. Our new SYN Flood protection feature offers Enterprise users a solution to mitigate the risks of downtime due to such attacks and brings you peace of mind. The Lightning Wire Labs Support Team is here to help you with the implementation and fine-tuning of IPFire's advanced features - whether you are a seasoned IT professional or just starting to fortify your network - don't hesitate to reach out to us. Together, we can tailor a solution to your specific needs and help safeguard your business. Get in touch today.