As concluded in the last article, in order to avoid allocating space for TCB, the attacked device needs to reject TCP SYN packets sent by clients. In this article I will explain how a system can do this without causing service disruption, and more specifically I will explain how this work in BIG-IP.
Since attacked device need to alter default TCP 3WHS behaviour the best option is implementing SYN Cookie countermeasure in an intermediate device, so you offload your servers from this task. In this way if connection is not legitimate then it is just never forwarded to the backend server and therefore it will not waste any kind of extra resourcess. Since BIG-IP is already in charge of handling application traffic directed towards servers it is the best place to implement SYN Cookie.
What BIG-IP does is adding an extra layer, which we can call SYN Cookie Agent, that basically implement a stateless buffer between client and BIG-IP TCP stack. This agent is in charge of handling client’s TCP SYN packets by modifying slightly the standard behaviour of TCP 3WHS, this modification comes in two flavours depending on what type of routing role BIG-IP is playing between client and server.
This is the typical situation. In this environment BIG-IP is sited in the middle of the TCP conversation and all the traffic from/to server pass through it. The SYN Cookie operation in this case is briefly described below:
1. Client sends a TCP SYN packet to BIG-IP.
2. BIG-IP generates the 32 bits sequence number which will be included in SYN/ACK packet sent to the client.
a. BIG-IP encodes essential and mandatory information of the connection in 24 bits.
b. BIG-IP hashes the previous encoded information.
c. BIG-IP also encodes other values like MSS in the remaining bits.
3. BIG-IP generates the SYN/ACK response packet and includes the hash and other encoded information as sequence number for the packet. This is the so called SYN Cookie.
4. BIG-IP sends SYN/ACK to client.
5. BIG-IP removes all information related to this TCP connection. At this point no memory has been allocated for TCP connection (TCB).
6. Client sends correct ACK to BIG-IP acknowledging BIG-IP’s sequence number.
7. BIG-IP subtracts one to this ACK, so it can confirm ACK is correct and also it can decode needed information.
8. BIG-IP validates ACK.
9. BIG-IP builds TCB entry.
10. BIG-IP increase related SYN Cookie stats.
11. BIG-IP starts and complete a TCP 3WHS with backend server on behalf of the client since we are sure that client is legitimate.
12. Now traffic for the connection is proxied by BIG-IP as usual attending to configured L4 profile in the virtual server.
13. [If ACK packet received by BIG-IP is a spurious ACK then BIG-IP will discard it].
Since attackers will never send a correct response to a SYN/ACK then you can be sure that TCB entries are never created for them. Only legitimate clients will use BIG-IP resources as shown in diagram:
Fig4. TCP SYN Flood attack with SYN Cookie countermeasure
In an asymmetric environment, also called nPath or DSR, you face a different problem because Big-IP cannot establish a direct TCP 3WHS with the server (point 11 in last section). As you can see in below diagram SYN/ACK packet sent from server to client would not traverse Big-IP, so method used for symmetric routing cannot be used in this case. You need another way to trust in clients and discard them as attackers, so clients then can complete TCP 3WHS directly with the server.
Fig5. TCP state diagram section for asymmetric routing + FastL4
In order to circumvent this problem BIG-IP takes the advantage of the fact that applications will try to start a second TCP connection if a first TCP 3WHS is RST by the server. What BIG-IP does in asymmetric routing environments is completing the TCP three way handshake with client, issuing SYN Cookie as I described for symmetric routing, and once BIG-IP confirms that client is trustworthy it will add its IP to SYN Cookie Whitelist, it will send a RST to the client and it will close the TCP connection. At this point client will try to start a new connection and this time BIG-IP will let the client talk directly to the server as it would do under normal circumstances (see diagram above).
The process is briefly described below:
1. Client sends a TCP SYN packet to BIG-IP.
2. BIG-IP generates sequence number as explained for symmetric routing.
3. BIG-IP generates the SYN/ACK response packet and includes the calculated sequence number for the packet.
4. BIG-IP sends SYN/ACK to client and then remove all information related to this TCP connection. At this point no memory has been allocated for TCP connection (TCB).
5. Client sends correct ACK to BIG-IP acknowledging sequence number.
6. BIG-IP substract one to this ACK so it can decode needed information.
7. BIG-IP validates ACK.
8. BIG-IP increase related SYN Cookie stats.
9. BIG-IP sends a RST to client and discards TCP connection.
10. Big-IP adds client’s IP to Whitelist.
11. Clients starts a new TCP connection.
12. BIG-IP lets client to start this new TCP connection directly to the server.
13. [If ACK packet received by client is a spurious ACK then BIG-IP will discard it].
Fig6. TCP 3WHS flow in asymmetric routing
DSR whitelist has some important characteristics you need to take into account:
When a TCP connection is initiated the TCP SYN packet sent by the client specify certain values that define the connection, some of these values are mandatory, like source and destination IP and port, otherwise you would not be able to identify the correct connection when packets arrive. Some other values are optional and they are used to improve performance, like TCP options or WAN optimizations. Under normal circumstances, upon TCP SYN reception the system creates a TCB entry where all this information is saved. BIG-IP will use this information to set up the TCP connection with the backend server.
The problem we face is that when SYN Cookie is in play device does not create the TCB entry, only a limited piece of connection information is collected, so the information that BIG-IP has about the TCP connection is limited.
Remember that SYN Cookie is not handled by TCP stack but by the stateless SYN Cookie Agent, so we cannot save the connection details. What BIG-IP does instead is encoding key information in 24 bits, this left only some bits for the rest of data. While there is no room for values like Window Scale information, however we have space for other values, for example 3 bits reserved for MSS value. This limits MSS possible values to 8, the most commonly used values, and the one chosen will the nearest to the original MSS value.
However, note that MSS limitation has a workaround through configuration in FastL4 profile that it can help in some cases. The option SYN Cookie MSS in this profile specifies a value that overrides the SYN cookie maximum segment size (MSS) value in the SYN-ACK packet that is returned to the client. Valid values are 0, and values from 256 through 9162. The default is 0, which means no override. You might use this option if backend servers use a different MSS value for SYN cookies than the BIG-IP system does.
If this is not enough for some customers, BIG-IP overcomes this problem by using TCP timestamp space to save extra information about TCP connection, in other words we create a second extra SYN Cookie. This space is used to record the client and server side Window Scale values, or the SACK info which are then made available to the TCP stack via this cookie if the connection is accepted. Note that TCP connection will only be accepted if both SYN Cookies (standard and Timestamp) are correct.
So all this means that if the client starts a connection with TCP TS set then Big-IP will have more space to encode information and hence the performance will be improved when under TCP SYN flood attack.
NOTE: SYN Cookie Timestamp extension (software or hardware) only work for standard virtual servers currently. FastL4 virtual servers only supports MMS option in SYN Cookie mode.
Now you know how SYN Cookie works under the hoods. In next article I will describe when SYN Cookie is activated and I will give specific details of BIG-IP SYN Cookie operation.
Note that limitations related to SYN Cookie commented in this article are not caused specifically by BIG-IP SYN Cookie implementation but by SYN Cookie standard itself. In fact, F5 Networks implements some improvements on SYN Cookie to get a better performance and provide some extra features.