Qno Xiaonuo router defends against SYN and ARP attacks

Source: Internet
Author: User

Qno's Xiaonuo router is still doing well in the market. Below we look mainly at how the Qno Xiaonuo router resists SYN and ARP attacks. Xiaonuo Technology, a professional manufacturer of multi-WAN broadband network access equipment, announced a comprehensive upgrade of all its new software versions on its websites and sales channels to help users resist SYN attacks and next-generation ARP attacks on the network.

After some popular ARP attacks, these two attacks were discovered in some regions in mid-November and have since spread. To avoid the impact on normal users, Qno reminds broadband access users to be on guard, and asks Qno Xiaonuo router users to upgrade their software.

Zhang Yanyan, Technical Director of Xiaonuo Technology, said: The network attack spread model has obviously dispersed from Internet cafes to enterprises, followed by education and other institutions; therefore, it will affect the Internet access of normal users. Recent SYN attacks and next-generation ARP attacks are more evil than the previous wave of ARP attacks. SYN attacks are used together with intranet computers and Internet computers to simultaneously attack routers, which interrupts broadband access. The next generation of ARP attacks is not just ARP spoofing; instead, more than 30 thousand packets are sent to the intranet in one second, seriously affecting computer and broadband access. These two types of attacks are widely used in northeast China, South China, and central China, which has a great impact on users.

Zhang Yanyan said: Although the existing router has built-in firewall functions, the protection of old functions is necessary because of the variant form of recent attacks. Therefore, when the above attack methods were not identified as a single case in mid-November, the GQF and FVR product software of the Qno Xiaonuo router was comprehensively updated to enhance the ability to resist these two new types of attacks. You can download and update the new version of the software on your website. This means that you can automatically resist these two attacks.

Because network attacks are so widespread, they have a great impact on users and society as a whole. Qno will therefore run a series of publicity campaigns to teach users to resist network attacks systematically, toward the goal of a well-off network society. Details about the above two types of attacks will also be provided on the Qno router website.

I. TCP handshake protocol

In TCP/IP, TCP provides a reliable connection service and uses a three-way handshake to establish a connection.

First handshake: to establish a connection, the client sends a SYN packet (syn = j) to the server, enters the SYN_SENT state, and waits for the server to confirm.

Second handshake: when the server receives the SYN packet, it must acknowledge the client's SYN (ack = j + 1) and at the same time send its own SYN packet (syn = k), that is, the SYN + ACK packet. The server then enters the SYN_RECV state.

Third handshake: the client receives the server's SYN + ACK packet and sends an ACK confirmation packet (ack = k + 1) to the server. Once this packet is sent, the client and server enter the ESTABLISHED state and the three-way handshake is complete. After the handshake, the client and the server start to transmit data.

Several important concepts appear in the above process:

Unconnected queue: in the three-way handshake, the server maintains an unconnected queue, which opens an entry for each client's SYN packet (syn = j). The entry indicates that the server has received the SYN packet, has sent a confirmation to the client, and is waiting for the client's confirmation packet. The connections identified by these entries are in the SYN_RECV state on the server. When the server receives the client's confirmation packet, it deletes the entry and the server enters the ESTABLISHED state.

Backlog parameter: the maximum number of entries the unconnected queue can hold.

SYN-ACK retransmission count: after the server sends the SYN-ACK packet, if it does not receive the client's confirmation packet, it retransmits a first time; if, after waiting for a period, it still has not received the confirmation packet, it retransmits a second time. If the number of retransmissions exceeds the maximum specified by the system, the system deletes the connection information from the semi-connection queue. Note that the waiting time before each retransmission is not necessarily the same.

Semi-connection survival time: the maximum time an entry survives in the semi-connection queue, that is, the maximum time from when the server receives the SYN packet to when it confirms that the message is invalid. This is the sum of the maximum waiting times of all retransmitted request packets. The semi-connection survival time is also called the Timeout time or the SYN_RECV survival time.

II. SYN attack principles

SYN attacks are a type of DoS attack. They exploit a TCP protocol defect, sending a large number of semi-connection requests to consume CPU and memory resources. In addition to affecting hosts, SYN attacks can also harm network systems such as Qno Xiaonuo routers and firewalls. In fact, a SYN attack does not care what the target system is: as long as the system exposes a TCP service, the attack can be carried out. The server receives the connection request (syn = j), adds this information to the unconnected queue, sends the request packet (syn = k, ack = j + 1) to the client, and enters the SYN_RECV state. When the server does not receive a confirmation packet from the client, it resends the request packet until it times out. Combined with IP spoofing, SYN attacks are effective. Typically, the client forges a large number of nonexistent source IP addresses in a short period and sends SYN packets continuously to the server; the server replies with confirmation packets and waits for the client's confirmation. Because the source addresses do not exist, the server keeps resending the packet until it times out. These forged SYN packets occupy the unconnected queue for a long time, normal SYN requests are discarded, and the target system runs slowly. In serious cases, network congestion or even system paralysis occurs.
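The following simulation is an added example, not part of the original article or of Qno's firmware. It models the unconnected queue described above to show how the backlog parameter, the SYN-ACK retransmission count and the resulting semi-connection survival time decide whether normal SYN requests are discarded. The function names, packet rates, 10 ms tick, 50 ms round trip and the doubling retransmission wait starting at 1 second are all assumptions chosen for illustration.

```python
import heapq

TICKS_PER_SEC = 100  # simulation resolution: 10 ms (assumed)

def half_open_lifetime(synack_retries, initial_rto=1):
    """Seconds an unanswered entry stays queued: the wait after the first
    SYN-ACK plus the wait after each retransmission, doubling each time
    (assumed backoff; the article only says the waits differ)."""
    return sum(initial_rto * 2 ** i for i in range(synack_retries + 1))

def arrivals(rate_per_sec, tick):
    """Whole packets arriving in this tick for an integer per-second rate."""
    return (rate_per_sec * (tick + 1) // TICKS_PER_SEC
            - rate_per_sec * tick // TICKS_PER_SEC)

def simulate(backlog, synack_retries, spoofed_rate, legit_rate,
             seconds=120, rtt_ticks=5):
    """Return (legit_accepted, legit_dropped) for one unconnected queue."""
    lifetime_ticks = half_open_lifetime(synack_retries) * TICKS_PER_SEC
    queue = []                    # min-heap of ticks at which entries leave
    accepted = dropped = 0
    for tick in range(seconds * TICKS_PER_SEC):
        while queue and queue[0] <= tick:   # ACK arrived or entry timed out
            heapq.heappop(queue)
        for _ in range(arrivals(legit_rate, tick)):
            if len(queue) < backlog:        # real client ACKs after one RTT
                heapq.heappush(queue, tick + rtt_ticks)
                accepted += 1
            else:
                dropped += 1                # queue full: normal SYN discarded
        for _ in range(arrivals(spoofed_rate, tick)):
            if len(queue) < backlog:        # forged source never ACKs
                heapq.heappush(queue, tick + lifetime_ticks)
    return accepted, dropped

if __name__ == "__main__":
    # Constructed scenarios: same traffic, two queue configurations.
    for name, backlog, retries in [("backlog 128, 5 retries", 128, 5),
                                   ("backlog 1024, 1 retry", 1024, 1)]:
        ok, lost = simulate(backlog, retries, spoofed_rate=200, legit_rate=10)
        print(f"{name}: survival time {half_open_lifetime(retries)}s, "
              f"normal SYNs accepted {ok}, dropped {lost}")
```

The queue holds only while the forged SYN rate multiplied by the survival time stays below the backlog, which is why shortening the survival time and enlarging the backlog both reduce discarded connections.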
 
