# SYN flooding caused by IE and Windows firewall



## DdB (Mar 30, 2006)

I have a situation where the Windows XP firewall (SP2), in conjunction with Internet Explorer, is effectively causing a SYN flooding attack on our web server when loading a certain web page.

With the Windows Firewall disabled, Ethereal can see Internet Explorer is sending a number of SYN packets in quick succession to our web server, which we acknowledge with SYN-ACK packets. The Windows client then issues a RST for all but the last SYN, for which the connection is correctly established by an ACK. This is all OK (if a bit unnecessary).

If you then enable the Windows XP firewall and do the same, Internet Explorer issues the SYN packets as before, which our web server acknowledges with SYN-ACKs, as can be seen in Ethereal. In this case however, though the last SYN gets acknowledged with an ACK to complete the connection, nothing further can be seen for the preceding connection attempts (previously aborted by RST). The web server is in effect subject to a SYN attack on these connections as it has issued a SYN-ACK but not received a SYN-ACK or RST, and is sitting there waiting for the connections to complete.

I can see in the Windows firewall log that it is dropping the SYN-ACK packets that were seen by Ethereal (I assume Ethereal must register these before they reach the firewall?). There is no sign of the RST packets that could be seen with the firewall disabled, either in Ethereal or any mention of them being dropped in the firewall log. The firewall log does however register that the connection was closed. This all happens in quick succession (few ms), so unfortunately the firewall log is not much help with the overall flow as its entries get jumbled up at this scale (it can for example log the close of a connection before the open). I am guessing perhaps it is seeing the connections as dropped before the SYN-ACKs arrive, and thus the firewall is rejecting them. This also may explain why RST packets were seen without the firewall.

Note Internet Explorer only seems to trigger this behaviour when it is set to check for newer versions of stored pages on every visit to the page. It can be overcome by changing the setting to Automatic, however some users may require this setting. I think what is happening here is IE is attempting to load the same image multiple times (when the style is modified by a script that runs after the page has loaded), and when it tries a new reload it is abandoning previous attempts.

Is there some Windows Firewall setting that can be changed to avoid this scenario (other than disabling it completely), or is there some known bug in IE or the Windows Firewall?


----------
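The handshake pattern described in the post above, as an added example that is not part of the original thread: a small Python classifier run over constructed packet records that marks each connection attempt as established, reset, or left half-open on the server. The addresses, ports and record format are assumptions made for illustration.

```python
"""Classify TCP handshakes seen in a server-side capture (constructed data)."""

SERVER = ("192.0.2.10", 80)  # hypothetical web server address

def classify_handshakes(packets, server=SERVER):
    """Return {(client_ip, client_port): state} for each connection attempt.

    packets: iterable of (src_ip, src_port, dst_ip, dst_port, flags) in
    capture order, where flags is a set such as {"SYN", "ACK"}.
    """
    state = {}
    for src_ip, src_port, dst_ip, dst_port, flags in packets:
        src, dst = (src_ip, src_port), (dst_ip, dst_port)
        if dst == server:                      # client -> server
            if flags == {"SYN"}:
                state[src] = "syn-sent"
            elif "RST" in flags and src in state:
                state[src] = "reset"
            elif flags == {"ACK"} and state.get(src) == "syn-ack-sent":
                state[src] = "established"
        elif src == server and flags == {"SYN", "ACK"}:
            if state.get(dst) == "syn-sent":
                state[dst] = "syn-ack-sent"
    # Anything still waiting on the final ACK or a RST is half-open.
    return {k: ("half-open" if v == "syn-ack-sent" else v) for k, v in state.items()}

def trace(client_ports, rst_for_abandoned):
    """Build a constructed trace: several SYNs, only the last one completes."""
    client_ip = "198.51.100.7"  # hypothetical client
    pkts = []
    for p in client_ports:
        pkts.append((client_ip, p, *SERVER, {"SYN"}))
    for p in client_ports:
        pkts.append((*SERVER, client_ip, p, {"SYN", "ACK"}))
    for p in client_ports[:-1]:
        if rst_for_abandoned:                  # seen with the firewall disabled
            pkts.append((client_ip, p, *SERVER, {"RST"}))
    pkts.append((client_ip, client_ports[-1], *SERVER, {"ACK"}))
    return pkts

def half_open_count(packets):
    return sum(1 for s in classify_handshakes(packets).values() if s == "half-open")

if __name__ == "__main__":
    ports = [1501, 1502, 1503, 1504]
    print("firewall off:", half_open_count(trace(ports, True)))
    print("firewall on: ", half_open_count(trace(ports, False)))
```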



## johnwill (Sep 26, 2002)

Well, you certainly have a lot of detail there, and I think you're right onto the problem. I don't see anything in a quick look at the firewall settings that sounds like it would solve this issue. Since this machine is behind a NAT layer I would imagine, can't you allow all traffic from the subnet?


----------

