Brief discussion on iptables anti-SYN flood attack and CC attack

------------------------This article for their own practice, summed up the concept of something is not all, here cheap to mention, many online, This paper mainly describes the current more popular SYN flood attacks and CC attacks-------------------------------------

What is a SYN flood attack:

SYN Flood is a well-known DOS (Denial of service attack) is one of the ways of DDoS (distributed denial of service attack), which is a way of using TCP protocol defects to send a large number of bogus TCP connection requests. This allows the attacker to run out of resources (CPU full-load or low-memory) attack mode (TCP protocol defects, so there is no way to eradicate, unless the TCP protocol is re-made, not currently possible).

The normal principle is: 1, the TCP three handshake, the client sends a TCP message containing the SYN flag when connecting to the server side, SYN is synchronous (Synchronize), the synchronization message indicates the port used by the client and the initial sequence number of the TCP connection

2, the server after receiving the client's SYN message, will return a syn+ack message, indicating that the client's request is accepted, while the TCP sequence number is added one, ACK is confirmed (acknowledgment), entrainment also sends a SYN packet to the client, and the server allocates resources to the connection.

3, the client also returns a confirmation message ack to the server side, the same TCP serial number is added one, to this a TCP connection is completed.

The SYN flood attack exploits the flaw of the TCP three handshake, in the third handshake of the TCP connection, when the server receives the client's SYN packet and returns the client Ack+syn packet, because the client is a fake IP, the other party will never receive the package and will not respond to the third handshake package. A "half-connection" that causes the attacked server to maintain a large syn_recv state, and there will be a retry of the default 5 responses to the second handshake packet, full TCP waiting for the connection queue, resource exhaustion (CPU full load or insufficient memory), so that normal business requests are not connected. Typically, SYN Flood is used in conjunction with ARP spoofing, which creates a SYN attack.

What is a cc attack:

The CC attack (Challenge Collapsar) is a DDoS (distributed denial of service), and is a common site attack method, the attacker through the proxy server or broiler (hacked computer) to the victim host to continue to send a large number of packets, causing the other server resources exhausted, Until the downtime crashes. CC is mainly used to attack the page, everyone has the experience: when a page access to a particularly large number of times, the opening of the Web page is slow, CC is to simulate multiple users (how many threads is how many users) constantly access to those who need a lot of data operations (that is, the need for a lot of CPU time) page, resulting in a waste of server resources, the CPU for a long time at 100%, always have to handle the connection until the network congestion, normal access is aborted.

Attack Detection:

When you find that the server is very card, the Web Access is very slow even when the SSH operation started a little card, you need to be very careful.

Detection can do this:

Top view CPU usage and CPU load conditions

The load is generally less than the CPU core number *0.7 is normal, the load is equal to or slightly larger than the number of cores. Indicates that the CPU load is starting to be serious and if it is exceeded, the description is problematic.

To see which programs have high CPU usage and whether they are normal, you can use the PIDOF process name to view all the process numbers for that process name, and then ll/proc/the process number/exe and FD to see if it is normal information.

Netstat Viewing port status

Netstat-n | grep "^tcp" | awk ' {print $6} ' | Sort | uniq-c | Sort-n

1 SYN_RECV

Fin_wait1

Time_wait
149 established

You can view the number of current connection states to determine.

There are Vmstat, SAR, and other detection commands, the use of online methods!

Syn Flood General Defenses:

The first: Shortening SYN timeout time, because the effect of SYN flood attack depends on the number of SYN half connections maintained on the server, this value =syn the frequency of the attack x SYN Timeout, so by shortening from receiving to the SYN message to determine the message is invalid and discard the time to change the connection.

The second kind: Setting up the SYN cookie is to assign a cookie to each IP address of the request connection, and if the repeated SYN message of an IP is received continuously for a short time, it is assumed to be attacked, and the packets from this IP address will be discarded later.

(Defect: Shortening SYN timeout time only in the case of the other attack frequency is not high, the SYN cookie is more dependent on the other side to use the real IP address, if the attacker sends a SYN message at a rate of tens of thousands of/s, and uses ARP spoofing to randomly overwrite the source address in the IP message, The above method will be useless. ）

Vim/etc/sysctl.conf

Add or modify the following: (Remember to sysctl-p the changes after saving)

Net.ipv4.tcp_syncookies = 1

Net.ipv4.tcp_fin_timeout = 1

Net.ipv4.tcp_tw_reuse = 1

Net.ipv4.tcp_max_tw_buckets = 6000

Net.ipv4.tcp_tw_recycle = 1

Net.ipv4.tcp_syn_retries = 1

Net.ipv4.tcp_synack_retries = 1

Net.ipv4.tcp_max_syn_backlog = 262144

Net.core.netdev_max_backlog = 262144

Net.ipv4.tcp_max_orphans = 262144

Net.ipv4.tcp_keepalive_time = 30

Iptables Nature Defense:

Limit the request speed of SYN (this method needs to adjust a reasonable speed value, otherwise it will affect the normal user's request)

Iptables-n Syn-flood (new chain)

Iptables-a input-p TCP--syn-j Syn-flood

Iptables-a syn-flood-p tcp-m limit--limit 2/s--limit-burst 50-j RETURN

Iptables-a syn-flood-j DROP

Tips: Attacking this thing can only be defended and cannot be completely eradicated! Can only be mitigated and reduced to the lowest risk. Money can be on the third-party company's product services! Hey.

CC Attacks General Defense:

1, generally speaking, CC attacks are real IP, so the general approach is to block IP

2. Change the Web port, the default CC attack is the 80 port of the attack server

3, Domain name spoofing, we can use the CDN and other accelerator tools to proxy our server, so as to achieve defense, (online Some people say the domain name resolution to 127.0.0.1 let the attackers themselves attack themselves, do not know if there is no use, never tried. and the formal business, how can you do such an analysis, the business how to do? ）

Fetch the IP number of Access server 80 by using the Grab Package command

TCPDUMP-TNN DST Port 80-c 100 | Awk-f "." ' {print $ '. $ "." $ "." $4} ' | Sort | uniq-c | Sort-n-R |head-20

Tcpdump:verbose output suppressed, use-v OR-VV for full protocol decode

Listening on eth0, Link-type EN10MB (Ethernet), capture size 65535 bytes
Packets Captured
101 Packets received by filter
0 packets dropped by kernel
IP 221.239.28.142
IP 124.65.101.82
IP 14.123.162.69
7 IP 183.238.49.188
7 IP 120.234.19.186

We can see the most 221.239.28.142 packages, so we do IP processing.

Iptables-i input-s 221.239.28.142-j REJECT

Iptabes Other restriction rules:             

#防御太多DOS攻击连接, you can allow up to 15 initial connections per IP for the extranet, more than the discard, and the second is to allow established connections and sub-connections based on the first bar

Iptables-a input-i eth0-p tcp--syn-m connlimit--connlimit-above--connlimit-mask 32-j DROP (--connlimit-mask 32 For the host mask, 32 is either a host IP or a network segment)
Iptables-a input-p tcp-m State--state established,related-j ACCEPT

# Protect against DDOS, allow up to 24 initial connections from the extranet, then add 12 servers per second, access too many drops, and second to allow 1 initial connections per second within the server to forward
Iptables-a input-p tcp--syn-m limit--limit 12/s--limit-burst 24-j ACCEPT
Iptables-a forward-p tcp--syn-m limit--limit 1/s-j ACCEPT

#允许单个IP访问服务器的80端口的最大连接数为 20

Iptables-i input-p TCP--dport 80-m connlimit--connlimit-above 20-j REJECT

#对访问本机的22端口进行限制, each IP can only be connected 5 times per hour, over the Reject, 1 times as a child recalculation

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name SSHPOOL --rcheck --seconds 3600 --hitcount 5 -j DROP

Iptables-a input-p TCP--dport 22-m State--state new-m recent--name sshpool--set-j ACCEPT

(The recent rule above applies only to the default rule for drop, if you want to apply the default accept rule, you need to--set the front and no-j accept)

Brief discussion on iptables anti-SYN flood attack and CC attack