A detailed description of the SYN flood attack on a DDoS attack instance

Last Update:2017-02-28 Source: Internet

Author: User

Tags ack

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

This article mainly describes the DDoS attack instance SYN flood attack, we all know Syn-flood is currently the most widely used DDoS attack means, the earlier DOS means in the distributed phase of the development has also experienced the process of the bridge.

Syn-flood attack effect is the best, should be all the hackers have chosen the reason for it. So let's take a look at the details of Syn-flood.

Syn-flood is currently the most popular method of DDoS attack, the previous DOS means in the distributed phase of the development of the time also experienced the process of sand scouring the waves. Syn-flood attack effect is the best, should be all the hackers have chosen the reason for it. So let's take a look at the details of Syn-flood.

Syn Flood principle-handshake three times

Syn Flood leverages the inherent vulnerabilities of the TCP/IP protocol. The connection-oriented TCP Three handshake is the foundation of the existence of SYN flood.

Three handshake of TCP connection

As shown in figure two, in the first step, the client presents a connection request to the server. At this point the TCP SYN flag is placed. The client tells the server that the serial number area is legitimate and needs checking. The client inserts its own isn in the serial number area of the TCP header. After the server receives the TCP fragment, it responds with its own isn (SYN flag bit) in the second step, confirming the receipt of the first TCP segment (ACK flag set) for the client. In the third step, the client confirms that the ISN (ACK flag position) is received at the service end. So far to establish a full TCP connection, start Full-duplex mode of the data transfer process.

Syn flood attackers do not complete three handshake

If a user sends a SYN message to the server and suddenly freezes or drops the line, then the server is unable to receive the client's ACK message after sending the Syn+ack answer message (the third handshake cannot be completed), in which case the server side will generally try again (send Syn+ack to the client again) And wait a while to discard this unfinished connection, the length of which we call Syn Timeout, which is generally the order of magnitude of minutes (about 30 seconds-2 minutes);

A user exception that causes one thread in the server to wait 1 minutes is not a big problem, but if a malicious attacker simulates this massively, the server will consume a lot of resources to maintain a very large semi-join list----Tens of thousands of connections, Even a simple save and traverse will consume a lot of CPU time and memory, not to mention the constant syn+ack of the IP in this list.

In fact, if the server's TCP/IP stack is not strong enough, the end result is often a stack overflow crash---even if the server-side system is strong enough, the server side will be too busy handling the attacker's spoofed TCP connection request to ignore the client's normal request (after all, the client's normal request ratio is At this point, from a normal customer's point of view, the server has lost its response, which we call: The server side was subjected to a SYN flood attack (SYN flood attack).

Here is the actual process of a SYN flood attack I simulated in my lab

This LAN environment, only one attack aircraft (Piii667/128/mandrake), is attacked by a Solaris 8.0 (Spark) host, network device is Cisco's hundred Gigabit Switch. This is a Snoop record on Solaris prior to the attack, and Snoop, like Tcpdump, is a good tool for network capture and analysis. You can see that before the attack, the target host received basically some ordinary network packets. ...

...