The Dark Side of SYN Cookies: Port Scanning Vulnerability Enabled

Abstract

SYN Cookies are a Network Security countermeasure to avoid a specific DoS Attack, SYN Flooding. Unfortunately, this countermeasure violates the TCP Protocol, not allowing to store all the necessary information of the connection requests, thus breaking some functionalities. This behaviour is somehow accepted when it comes to still being able to provide a valuable service to legitimate users, but what if this solution could be exploited to gather additional information related to which web resources users are granted access to? This project aims to identify a port scanning vulnerability, enabled by the use of SYN Cookies, which, by construction, are not able to store all the necessary information/parameters of connection requests. This makes additional parameters' value fall back to their default one, allowing the identification of the activation state of SYN-Cookies. This actually reveals more than you think, in particular it allows to infer/determine firewall rules applied to specific IP addresses (and related subnets), understanding to which services external users can have access to. This scenario will be analysed in a programmatically way, making the experiment reproducible and by providing empirical and numerical evidence of the abovementioned vulnerability.