The following text is copyright 1996 by Network World, permission is hearby given for reproduction, as long as attribution is given and this notice is included.

the SYNs of the vandals

Nothing annoys some people more than a normally running system. To these people an undisrupted environment is a target of opportunity, like a blank wall being an irresistible canvas for graffiti "artists", or a quiet cemetary being a chance to desecrate. The most recent large-scale example of this type of vandalism on the Internet has been the wide spread "SYN" attacks on hosts and servers world-wide.

For those of you who have not heard, this attack consists of bombarding a TCP/IP host with requests to initiate new communications sessions. When one of these requests, in the form of a packet containing a SYN (for synchronize) flag, is received, an acknowledgment is sent back to the requester and the information from the packet is saved in a buffer pending a second packet from the requester to complete the handshake needed to establish a new session. The information is deleted from the buffer when a session is established. If one were to flood a host with SYN packets with random source addresses the buffer would fill up since there would be no actual requesting host to send the second handshake-completing packet. If the buffer fills, the establishment of new legitimate sessions is blocked. Programs that can be used to mount this type of attack have been posted on two of the so called "hacker" mailing lists, apparently to make it easy for any twit with a predilection towards vandalism to do this.

There have been two types of defenses developed against this attack. You can prevent the attack from reaching its target or you can make the target less vulnerable to the attack. An example of the first type is to have Internet service providers (ISPs) add filters to their routers to make sure that packets inbound from a particular customer have source addresses from that customer's assigned set of IP addresses. But with thousands of ISPs, some quite clue challenged, it is unlikely this strategy can be all that effective. An example of the second is called Early Random Drop (ERD); the host software is changed to delete a random entry from the buffer whenever a new SYN packet would cause the buffer to overflow. If the buffer is a reasonable size then the chance that a legitimate entry would be dropped is small and a legitimate request will generally be repeated by the initiating host. A number of vendors have revised their host software to do this, including Tenon, the maker of MachTen, the UNIX system I use on my Macintoshes.

I do not claim to understand the psychology (or pathology) of vandalism but it is clear that the users of the Internet have to worry about people of this sort. Many sites have been attacked using the SYN approach in the last few weeks including, I think, my own machine -- thus my request to Tenon for a fixed version. These attacks have not taken down the 'Net but there has been much local pain and must be taken as a message by system operators, equipment vendors and ISPs to keep the vandals in mind when designing and operating devices and systems. Communication is also critical. Fast, reliable communication via the 'Net led to the quick development of defenses to the SYN attack. It does not help if information about problems is withheld. If you own a Cisco router and want an example of what a vendor (and you) should do take a look at

disclaimer: Twits don't make it into Harvard, at least through the admissions process, in any case, the above reflects my own irritation.