Hi I'm a newbie in networking, still confused with the relationship between three-way handshake and Denial of Service attack.
As we know that if the client does not send an ACK to complete the third step of this 3-way handshake, eventually (often after a minute or more) the server will terminate the halfopen connection and reclaim the allocated resources.
so my questions are:
-
why attackers just do the first step of 3-way handshake? why don't they just complete all three steps of 3-way handshake to be fully connected with the server just like normal users so it is going to take up the resource of the server
-
The classic textbook: Computer Networking : a top-down approach describes TCP's approach to avoid Dos attacks:
The server creates an initial TCP sequence number that is a complicated function (hash function) of source and destination IP addresses and port numbers of the SYN segment, as well as a secret number only known to the server. if the client does not return an ACK segment, then the original SYN has done no harm at the server, since the server hasn’t yet allocated any resources in response to the original bogus SYN.
But if the original SYN has done no harm at the server, why the hash function is needed to create a 'cookie' for the server to identify the user's SYN segment in the first step of 3-way handshake to see whether it is valid?
Best Answer
When just sending a SYN to allocate resources on the server the attacker can spoof the IP address and thus hide its real IP address. To create a full handshake the attacker cannot use IP spoofing because the final ACK must be in response to the servers SYN which the client does not get if the original SYN was IP spoofed.
If only a simple predictable function is used to compute the servers ISN from the clients SYN then the attacker might create the final ACK without seeing the servers actual SYN. In this case the attacker could IP spoof not only the SYN but also the ACK and would thus cause the allocation of even more resources on the server.