Checkpoint plays sentry

Checkpoint Software becomes the second company to issue a patch to stop the so-called SYN flood attacks that have been shutting down Internet sites.

CNET News staff
Checkpoint Software Technologies today became the second company this week to issue a patch to stop the so-called SYN flood attacks that have been shutting down Internet sites.

Checkpoint, which claims to have more than 40 percent of the firewall market, today posted a patch that works with its FireWall-1 product to stop the attacks, the latest trend among hackers who are exploiting a basic vulnerability of the Internet.

This patch comes on the heels of an announcement yesterday that Berkeley Software Design plans to release a fix tomorrow for the assaults, which are known as "denial of service" attacks.

Both patches are free of charge and can be downloaded from the companies' Web sites. And both fixes claim to render the attacks impotent.

Systems providers worldwide have been vulnerable to, and frustrated by, the attacks in the past few weeks. While the attack is simple to perpetrate, often requiring nothing more than the ability to copy computer code from hacker publications available to anyone, it has been virtually impossible to stop.

Under a SYN flood assault, an attacker sends bogus connection requests to the server, keeping it busy trying to verify each request. Because of memory constraints, the server fills up quickly and thereby cannot handle any requests from legitimate users. (See illustration below)

The Berkeley Software patch allows the server to accept thousands more connections at once so that a system can undergo an attack and still have enough space for real users to get on.

Checkpoint has put out two types of fixes, both using its firewall to screen connection requests before sending them off to the server. This prevents the server from filling up with too many incomplete connection requests, said Bradley Brown, manager of business development.

In a normal connection request, a three-way handshake takes place between the user and the server. In a SYN attack, however, the perpetrator uses a phony return address so that the second part of the handshake won't work, as the server cannot find the user. This ties up a server because it waits to verify these bogus connections.

In the first fix, called SYN Defender Gateway, the firewall essentially completes the three-way handshake for the server, Brown said. Then it sends the connections--complete or not--onto the server, where there is plenty of room for them to wander aimlessly without clogging the system. The firewall then tracks the connections and dumps any incomplete ones.

In the second fix, called a SYN Defender Relay, the firewall actually does the three-way handshake with the person trying to get on the server to establish that the connection is valid. It then sends only good connections to the server, which in turn performs its own three-way handshake, Brown said.

The firewall has the ability to accept a huge number of connections at once, so it does not stop the server from working. This fix takes more time, but it is a good solution for a server already under attack, Brown said.
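The mechanism described above, as an added illustration that is not Checkpoint's code: a small event-driven model of a server's half-open connection table (fixed capacity, handshake timeout) and of the relay approach, in which a firewall with a much larger table holds the half-open state and hands the server only connections whose third handshake step actually arrived. The capacities, timeout and event trace are constructed values chosen for the simulation.

```python
"""Half-open (SYN backlog) table under forged SYNs, with and without a relay.

Constructed simulation: events are tuples (time, kind, source), not packets.
"""
from dataclasses import dataclass, field

@dataclass
class Backlog:
    """Connection requests awaiting the final handshake step."""
    capacity: int
    timeout: float
    half_open: dict = field(default_factory=dict)  # source -> time SYN arrived
    rejected: int = 0

    def expire(self, now):
        # The host gives up on handshakes older than the timeout.
        for src in [s for s, t in self.half_open.items() if now - t >= self.timeout]:
            del self.half_open[src]

    def syn(self, src, now):
        self.expire(now)
        if len(self.half_open) >= self.capacity:
            self.rejected += 1          # table full: a real user is turned away
            return False
        self.half_open[src] = now
        return True

    def ack(self, src, now):
        # Third step of the handshake: the entry completes and leaves the table.
        return self.half_open.pop(src, None) is not None

def run(events, relay):
    """Return (sources that fully connected, SYNs the server rejected).
    relay=True models a relay firewall: a large table in front of the server that
    forwards a connection only after the client's own ACK has arrived."""
    server = Backlog(capacity=8, timeout=75.0)        # constructed small backlog
    fw = Backlog(capacity=100_000, timeout=75.0)      # constructed large backlog
    established = []
    for t, kind, src in events:
        if kind == "syn":
            (fw if relay else server).syn(src, t)
        elif kind == "ack":
            if relay:
                if fw.ack(src, t) and server.syn(src, t) and server.ack(src, t):
                    established.append(src)
            elif server.ack(src, t):
                established.append(src)
    return established, server.rejected

# Constructed trace: 50 SYNs with forged, unreachable return addresses (they never
# send the final ACK), followed by one legitimate client that completes the handshake.
FLOOD = [(0.1 * i, "syn", f"forged-{i}") for i in range(50)]
LEGIT = [(6.0, "syn", "alice"), (6.1, "ack", "alice")]
```

Without the relay the forged requests fill the server's table and the legitimate client is refused; with the relay the forged requests sit in the firewall's table and the server sees only the completed connection.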

"We could have 10,000 connections coming at once," he said.

In a typical connection, the user sends a message asking the server to authenticate it. The server returns the authentication approval to the user. The user acknowledges this approval and then is allowed onto the server.

In a "denial of service" attack, the user sends several authentication requests to the server, filling it up. All requests have false return addresses, so the server can't find the user when it tries to send the authentication approval. The server waits, sometimes more than a minute, before closing the connection. When it does close the connection, the attacker sends a new batch of forged requests, and the process begins again--tying up the service indefinitely.