The principle of SYN Flood attack and the solution of SYN Flood Attack
2022-07-19 07:02:00 【V13807970340】
A SYN flood (also written SYN flooding) is a denial-of-service attack in which the attacker sends a stream of SYN requests to a target system. It is one of the most common forms of DDoS and exploits a weakness in how TCP tracks connection setup: the attacker sends the victim a large number of forged TCP connection requests, so that the victim host's resources (CPU at full load, or memory exhausted) are consumed by connections that will never complete.
The target of a SYN attack is not limited to servers. Any network device that terminates TCP can be attacked this way, and a SYN attack against network equipment often takes down the whole network behind it.
A normal connection between a client and a server completes a three-way handshake. When the client tries to establish a TCP connection with the server, the two sides exchange the following messages:
1. The client sends a SYN segment to the server to request a connection.
2. The server answers with SYN-ACK, acknowledging the request.
3. The client replies with ACK, and the connection is established.
This so-called TCP three-way handshake is the basis of every connection made over TCP.
In a SYN flood the attacker sends many SYN packets but never sends the final ACK. The connections stay half-open and consume server resources; once those resources are exhausted, a legitimate user that tries to connect is refused, which is the denial of service.
SYN flooding is a well-known attack and, on its own, is usually no longer effective against modern stacks. It only works against a server that allocates resources as soon as it receives the SYN, before it has received the final ACK.
There are two variants, but both rely on the fact that the server never receives the ACK. Either the attacker sends SYNs from spoofed source addresses, so the SYN-ACK goes to a host that never answers (or does not exist), or the attacker uses real addresses and simply skips the final ACK. In both cases the server retransmits the SYN-ACK and keeps the half-open connection until it times out, so even without an ACK the attacker ties up server state and some bandwidth.
If these half-open connections bind server resources, an attacker can exhaust them by sending a large number of SYNs. Once all resources reserved for half-open connections are taken, no new connection can be set up, legitimate or not, which is a denial of service. Other operating-system functions may depend on the same resources, and on some systems the result is a crash rather than a slowdown.
In 1996 the mechanism used to allocate resources for half-open connections was typically a rather short queue (for example, 8 entries). An entry is freed when the connection completes or times out (for example, after 3 minutes). If the queue is full, new incoming connections fail. In that example, sending just 8 SYN packets blocks all new incoming connections: 8 packets every 3 minutes are enough to stop all new TCP connections. This denial of service needed only a trickle of traffic.
The countermeasures proposed include SYN cookies and limiting the number of new connections requested from the same source within a given period. Modern TCP/IP stacks no longer have the bottleneck described above, so against them a SYN flood differs little from any other bandwidth-based flood: the attacker has to saturate the link or the CPU rather than fill a tiny queue.
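The following added example (not code from the original article) models the two listeners described above: a 1996-style server with an 8-entry half-open queue and 3-minute timeout, and a stateless SYN-cookie server whose SYN-ACK sequence number is an HMAC over the peer address and a time slot. The attacker floods from spoofed TEST-NET addresses that never answer the SYN-ACK, then one honest client tries to complete the handshake. The cookie layout (8-bit time slot plus 24-bit truncated MAC), the 60-second slot length and the addresses are assumptions made for illustration, not the Linux implementation.

```python
import hashlib
import hmac
import secrets

BACKLOG = 8                 # half-open slots, as in the 1996 example above
HALF_OPEN_TIMEOUT = 180.0   # seconds a half-open entry is kept (3 minutes)
COOKIE_SLOT = 60.0          # seconds per cookie time slot (assumed value)


class BacklogServer:
    """Stateful listener: a slot is taken on SYN and freed on ACK or timeout."""

    def __init__(self):
        self.half_open = {}  # (src_ip, src_port) -> (server_isn, expiry)

    def _reap(self, now):
        for key, (_, expiry) in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[key]

    def on_syn(self, src, now):
        """Return the ISN sent in the SYN-ACK, or None if the SYN is dropped."""
        self._reap(now)
        if len(self.half_open) >= BACKLOG:
            return None  # queue full: no SYN-ACK, the client sees nothing
        isn = secrets.randbits(32)
        self.half_open[src] = (isn, now + HALF_OPEN_TIMEOUT)
        return isn

    def on_ack(self, src, ack, now):
        """Complete the handshake only if a matching half-open entry exists."""
        self._reap(now)
        entry = self.half_open.pop(src, None)
        return entry is not None and ack == (entry[0] + 1) & 0xFFFFFFFF


class CookieServer:
    """Stateless listener: the SYN-ACK ISN is a MAC over peer and time slot."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)

    def _cookie(self, src, slot):
        msg = f"{src[0]}:{src[1]}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # top 8 bits: time slot; low 24 bits: truncated MAC (assumed layout)
        return (slot << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src, now):
        """Always answer; nothing is stored for the half-open connection."""
        return self._cookie(src, int(now // COOKIE_SLOT) & 0xFF)

    def on_ack(self, src, ack, now):
        """Rebuild the cookie from ACK-1 and the peer; accept current or previous slot."""
        isn = (ack - 1) & 0xFFFFFFFF
        slot = isn >> 24
        current = int(now // COOKIE_SLOT) & 0xFF
        if slot not in (current, (current - 1) & 0xFF):
            return False  # expired or forged time slot
        expected = self._cookie(src, slot)
        return hmac.compare_digest(isn.to_bytes(4, "big"), expected.to_bytes(4, "big"))


def legit_client_connects(server, attacker_syns=BACKLOG, client_delay=1.0):
    """Flood with spoofed SYNs at t=0, then try one honest handshake at t=client_delay."""
    # Attacker: spoofed sources (constructed, TEST-NET-2) that never see the
    # SYN-ACK, so no ACK ever arrives and the entries only leave by timeout.
    for i in range(attacker_syns):
        server.on_syn((f"198.51.100.{i + 1}", 40000 + i), 0.0)
    client = ("203.0.113.10", 51515)  # constructed honest client
    isn = server.on_syn(client, client_delay)
    if isn is None:
        return False  # SYN dropped: the client can only time out and retry
    return server.on_ack(client, (isn + 1) & 0xFFFFFFFF, client_delay + 0.1)


if __name__ == "__main__":
    print("backlog, during flood :", legit_client_connects(BacklogServer()))                     # False
    print("backlog, after timeout:", legit_client_connects(BacklogServer(), client_delay=181.0))  # True
    print("cookies, during flood :", legit_client_connects(CookieServer()))                      # True
    # Sustained SYN rate that keeps the 8-slot queue permanently full:
    print("SYN/s needed to block all new connections:", BACKLOG / HALF_OPEN_TIMEOUT)             # 0.044
```

The backlog server refuses the honest client while 8 spoofed entries sit in its queue and only recovers after the 3-minute timeout; the cookie server never stores anything for a half-open connection, so the flood costs it only the SYN-ACK replies and the honest client connects immediately. The price of cookies is that the server cannot remember options negotiated in the SYN, which is why Linux only switches to them once the backlog overflows.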
How, then, should an enterprise defend against a SYN attack? Today Chi Wang AISI shares how to use the kernel's sysctl settings and iptables to mitigate a SYN flood.
1. Increase the SYN backlog
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
This raises the number of half-open connections the kernel will remember per listening socket; the effective queue is also bounded by net.core.somaxconn and the backlog the application passes to listen().
2. Enable SYN cookies
sysctl -w net.ipv4.tcp_syncookies=1
With the value 1 the kernel keeps normal behaviour until the SYN backlog overflows and only then answers with stateless cookies, logging "possible SYN flooding" when it does.
3. Reduce the number of SYN-ACK retransmissions
sysctl -w net.ipv4.tcp_synack_retries=0
The parameter that controls how often the server retransmits its SYN-ACK for a half-open connection is tcp_synack_retries (the original article wrote tcp_syn_retries, which governs the host's own outgoing SYNs and defaults to 6). Setting it to 0 discards the half-open connection as soon as the first SYN-ACK goes unanswered; the default is 5. A value of 0 also drops legitimate clients on lossy links whose first SYN-ACK is lost, so 1 or 2 is the safer choice. Changes made with sysctl -w do not survive a reboot; persist them in /etc/sysctl.conf or a file under /etc/sysctl.d/.
4. Limit concurrent connections from a single IP
Use the iptables connlimit match to cap the number of concurrent connections to port 80 from one address:
iptables -t filter -A INPUT -p tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 32 -j REJECT
5. Limit concurrent connections from a class C (/24) subnet
Use connlimit with a /24 mask to cap the concurrent connections of a whole class C subnet:
iptables -t filter -A INPUT -p tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 10 --connlimit-mask 24 -j REJECT
The test --tcp-flags FIN,SYN,RST,ACK SYN matches only the initial SYN (it is equivalent to --syn), so established connections are never cut. Two caveats: against spoofed sources REJECT sends a TCP RST back to every forged address, which turns the victim into a source of backscatter, so DROP is usually the better target for SYN-flood rules; and 10 connections per /24 will also refuse legitimate users behind a shared NAT, so tune the threshold to the service.
6. Limit the number of new connections per unit time
Set the following two rules (the original article wrote "-m --state --syn", which is not valid iptables syntax; --syn alone matches new connection requests):
iptables -t filter -A INPUT -p tcp --dport 80 --syn -m recent --set
iptables -t filter -A INPUT -p tcp --dport 80 --syn -m recent --update --seconds 60 --hitcount 30 -j DROP
The first rule records the source address of every SYN to port 80 in the recent list (the list named DEFAULT, since no --name is given, so it is shared with any other recent rules that omit a name); the second drops the SYN if that address has sent 30 or more SYNs within the last 60 seconds. Because --update also refreshes the address's timestamp, a source that keeps sending stays blocked until it goes quiet for 60 seconds.
7. Modify modprobe.conf
For rule 6 to work well the recent module's table sizes need raising in /etc/modprobe.conf:
options ipt_recent ip_list_tot=1000 ip_pkt_list_tot=60
Effect: remember 1000 addresses and up to 60 packets per address. The --hitcount in rule 6 cannot exceed ip_pkt_list_tot (the default of 20 would make a hitcount of 30 fail to load). ip_list_tot has a maximum of 8100; exceeding it makes iptables error out. On current kernels the module is named xt_recent and module options belong in a file under /etc/modprobe.d/ (options xt_recent ip_list_tot=1000 ip_pkt_list_tot=60); the module must be unloaded and reloaded for the new sizes to take effect.
8. Limit the maximum number of connections from a single address
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 50 -j DROP
Unlike rule 4 this counts connections in every state, not just new SYNs, and -I inserts the rule at the top of the INPUT chain so it is evaluated before the rules above.
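Once the rules above are in place, the practitioner's next question is whether the host is actually being flooded and whether the SYN-cookie mitigation engaged. The following added example (not from the original article) answers that from two constructed snapshots of /proc/net/netstat taken 10 seconds apart and one constructed dump of `ss -Hant state syn-recv`; the sample counter values, the addresses and the per-IP threshold of 10 (matching rule 4) are made up for illustration, while the counter names are the kernel's real TcpExt fields.

```python
from collections import Counter

# Constructed /proc/net/netstat snapshots, 10 s apart. Only the TcpExt counters
# used here are shown; the real file carries many more columns in the same
# alternating header-line / value-line layout.
NETSTAT_BEFORE = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 120 115 2 0 0 120 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""
NETSTAT_AFTER = """\
TcpExt: SyncookiesSent SyncookiesRecv SyncookiesFailed ListenOverflows ListenDrops TCPReqQFullDoCookies TCPReqQFullDrop
TcpExt: 48333 132 11 0 0 48333 0
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 0
"""

# Constructed output of `ss -Hant state syn-recv`: Recv-Q Send-Q Local Peer.
SS_SYN_RECV = "\n".join(
    [f"0 0 10.0.0.5:80 203.0.113.7:{41000 + i}" for i in range(12)]  # one noisy peer
    + [
        "0 0 10.0.0.5:80 198.51.100.20:50010",
        "0 0 10.0.0.5:80 198.51.100.20:50011",
        "0 0 [2001:db8::5]:80 [2001:db8:1::9]:60000",  # IPv6 peer in brackets
    ]
)

WATCHED = ("SyncookiesSent", "SyncookiesFailed", "ListenOverflows",
           "ListenDrops", "TCPReqQFullDrop")


def parse_netstat(text):
    """Parse /proc/net/netstat into {'TcpExt.SyncookiesSent': int, ...}."""
    counters = {}
    lines = [line for line in text.splitlines() if line.strip()]
    for header, values in zip(lines[0::2], lines[1::2]):
        proto, names = header.split(":", 1)
        vproto, nums = values.split(":", 1)
        if proto != vproto:
            raise ValueError(f"header/value mismatch: {proto} vs {vproto}")
        for name, num in zip(names.split(), nums.split()):
            counters[f"{proto}.{name}"] = int(num)
    return counters


def counter_deltas(before, after, names):
    """Difference of the watched TcpExt counters between two snapshots."""
    return {n: after[f"TcpExt.{n}"] - before[f"TcpExt.{n}"] for n in names}


def half_open_by_peer(ss_text):
    """Count SYN-RECV sockets per peer address from `ss -Hant state syn-recv`."""
    counts = Counter()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        peer_ip = fields[3].rsplit(":", 1)[0].strip("[]")  # drop port, IPv6 brackets
        counts[peer_ip] += 1
    return counts


def assess(before_text, after_text, ss_text, interval_s, per_ip_limit=10):
    """Summarise flood state: are cookies firing, are SYNs lost, who is noisy."""
    deltas = counter_deltas(parse_netstat(before_text), parse_netstat(after_text), WATCHED)
    peers = half_open_by_peer(ss_text)
    return {
        "syncookies_per_s": deltas["SyncookiesSent"] / interval_s,
        # With tcp_syncookies=1 cookies are only sent once the backlog overflowed,
        # so a rising SyncookiesSent means both "flooded" and "mitigation engaged".
        "under_syn_flood": deltas["SyncookiesSent"] > 0,
        # SYNs dropped outright: backlog full and cookies not (or not fully) helping.
        "backlog_dropping": deltas["ListenDrops"] + deltas["TCPReqQFullDrop"] > 0,
        "bad_cookie_acks": deltas["SyncookiesFailed"],
        "half_open_total": sum(peers.values()),
        "over_limit": sorted(ip for ip, n in peers.items() if n > per_ip_limit),
    }


if __name__ == "__main__":
    for key, value in assess(NETSTAT_BEFORE, NETSTAT_AFTER, SS_SYN_RECV, 10).items():
        print(f"{key:18} {value}")
```

On a live host replace the constants with the real file contents and the output of `ss -Hant state syn-recv`. Note that once cookies are being sent the kernel keeps no request socket for cookie-handled SYNs, so the SYN-RECV count from ss stays low even under a heavy flood; the counters, not the socket table, tell you the flood is happening. A non-zero ListenDrops or TCPReqQFullDrop while SyncookiesSent is also rising is the signal that rules 4 to 8 are needed on top of the sysctl settings.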