CentOS anti-SYN attack

Source: Internet
Author: User

# netstat -an | awk '{print $6}' | sort | uniq -c | sort -rn

    172 ESTABLISHED
        CONNECTED
    589 SYN_RECV
        STREAM

The SYN_RECV count is far too high. Next, trace which source IPs these SYNs are coming from:

# netstat -an | grep SYN_RECV | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
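The two pipelines above, wrapped as functions and run over a constructed `netstat -an` sample so the counting logic can be checked offline. This is an added example, not a script from the original article; the sample socket table, the addresses in it and the alert threshold are all made up for the demonstration. On a live host feed the functions with the real command instead (`netstat -an | state_counts`).

```shell
#!/bin/sh
# Added example (not part of the original article): the article's two netstat
# pipelines as reusable functions, exercised over a constructed sample.

# Constructed sample in `netstat -an` layout (addresses from documentation ranges).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.7:41233      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:41234      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:41235      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:50001       SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.44:3000         ESTABLISHED
unix  3      [ ]         STREAM     CONNECTED     12345
EOF
}

# Connections per state, most frequent first (the article's first pipeline).
# Column 6 is the state for tcp lines and the CONNECTED/STREAM column for unix sockets,
# which is why those words appear in the article's output too.
state_counts() {
    awk '/^(tcp|udp|unix)/ {print $6}' | sort | uniq -c | sort -rn
}

# Number of tcp sockets in one state, e.g. SYN_RECV.
count_state() {
    awk -v s="$1" '/^tcp/ && $6 == s' | wc -l | tr -d ' '
}

# Source IPs of half-open (SYN_RECV) sockets, most frequent first
# (the article's second pipeline: column 5 is the foreign address, split on ':').
syn_recv_sources() {
    grep SYN_RECV | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr
}

# The single source with the most half-open sockets.
top_syn_source() {
    syn_recv_sources | head -n 1 | awk '{print $2}'
}

# Simple detection rule: flag when half-open sockets exceed a threshold.
# Usage: check_half_open THRESHOLD COUNT
check_half_open() {
    threshold="$1"; n="$2"
    if [ "$n" -gt "$threshold" ]; then
        echo "ALERT: $n half-open connections (threshold $threshold)"
    else
        echo "OK: $n half-open connections"
    fi
}

# Stand-alone run: reproduce the article's two views over the sample.
sample_netstat | state_counts
sample_netstat | syn_recv_sources
check_half_open 100 "$(sample_netstat | count_state SYN_RECV)"
```

The threshold is deliberately a parameter: on a busy server a few hundred SYN_RECV entries can be normal, so baseline the count during quiet periods before alerting on it.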

First, how a SYN attack works:

In the TCP/IP protocol suite, TCP provides a reliable connection service and uses a three-way handshake to establish each connection.

First handshake: to open a connection, the client sends a SYN packet (SYN=J) to the server and enters the SYN_SENT state, waiting for the server's confirmation;

Second handshake: when the server receives the SYN packet it must acknowledge the client's SYN (ACK=J+1) and at the same time send its own SYN (SYN=K), i.e. a SYN+ACK packet; the server then enters the SYN_RECV state;

Third handshake: the client receives the server's SYN+ACK packet and sends an acknowledgment packet (ACK=K+1) to the server. Once that packet is sent, both client and server enter the ESTABLISHED state, the three-way handshake is complete, and the two sides begin to transfer data.

If a client sends a connection request, gets as far as the second handshake, and then never replies, the server keeps the half-open connection while waiting for the client's confirmation. If too many such connections pile up, the server's SYN backlog queue fills and legitimate users can no longer connect. We therefore tune the kernel's handling of SYN connections directly:

To view the default SYN configuration for Linux:

# sysctl -a | grep _syn

net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5

tcp_max_syn_backlog is the length of the SYN (half-open connection) queue; increasing it lets the server hold more connections that are waiting to complete the handshake. tcp_syncookies enables the SYN cookie feature, which mitigates some SYN attacks. tcp_synack_retries and tcp_syn_retries define how many times a SYN-ACK (respectively a SYN) is retransmitted; lowering them from the default releases half-open connections sooner and so keeps their number as small as possible.

Here are my modified parameters; adjust them to the actual situation of your server:

# more /etc/rc.d/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
ulimit -HSn 65535
/usr/local/apache2/bin/apachectl start
#####
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
sysctl -w net.ipv4.tcp_syncookies=1
sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_syn_retries=3

For the configuration to take effect immediately, without restarting the server, run:

# sysctl -w net.ipv4.tcp_max_syn_backlog=2048 -w net.ipv4.tcp_syncookies=1 -w net.ipv4.tcp_synack_retries=3 -w net.ipv4.tcp_syn_retries=3
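The same four settings expressed as a persistent drop-in file plus an audit of the running kernel, as an added example that is not the article's own script. It assumes a system with a /etc/sysctl.d directory (CentOS 7 and later); the file name 90-syn-hardening.conf is my choice, and the values are the ones the article sets. The audit reads /proc/sys directly, so it also catches settings that were applied with `sysctl -w` but silently lost at the next reboot.

```shell
#!/bin/sh
# Added example (not the article's rc.local): the article's SYN tuning as a
# sysctl.d drop-in, with an audit that compares the live kernel to the policy.

# Desired values, one "key value" pair per line (the article's numbers).
syn_policy() {
    cat <<'EOF'
net.ipv4.tcp_max_syn_backlog 2048
net.ipv4.tcp_syncookies 1
net.ipv4.tcp_synack_retries 3
net.ipv4.tcp_syn_retries 3
EOF
}

# Render the policy in /etc/sysctl.d syntax ("key = value").
render_sysctl_conf() {
    syn_policy | awk '{printf "%s = %s\n", $1, $2}'
}

# Install persistently and apply now (needs root). The file name is an
# assumption of this example, not something the article prescribes.
install_sysctl_conf() {
    render_sysctl_conf > /etc/sysctl.d/90-syn-hardening.conf
    sysctl -p /etc/sysctl.d/90-syn-hardening.conf
}

# Live value of a key, read from /proc/sys (dots in the key become slashes).
current_value() {
    cat "/proc/sys/$(echo "$1" | tr . /)" 2>/dev/null
}

# Compare one live value against the policy value; prints ok/MISMATCH.
# Usage: compare_value KEY WANT HAVE
compare_value() {
    key="$1"; want="$2"; have="$3"
    if [ "$have" = "$want" ]; then
        echo "ok $key=$have"
    else
        echo "MISMATCH $key=${have:-unreadable} want=$want"
    fi
}

# Audit every key in the policy; returns non-zero if any differs or is unreadable.
audit_sysctl() {
    rc=0
    while read -r key want; do
        have=$(current_value "$key")
        compare_value "$key" "$want" "$have"
        [ "$have" = "$want" ] || rc=1
    done <<EOF
$(syn_policy)
EOF
    return $rc
}

# Stand-alone run: show the rendered file and audit this host.
render_sysctl_conf
audit_sysctl || echo "one or more values differ from policy; run install_sysctl_conf as root"
```

Of the four keys, tcp_syncookies=1 is the one that actually keeps the server reachable once the backlog is full; the larger backlog and the lower retry counts only raise the bar and shorten how long each half-open entry is held.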

Some people prefer to use access control lists (iptables rules) against SYN attacks; these slow down a SYN flood to some extent:

# Syn Flood attack
iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT    # limit new SYN packets to 1 per second
# Anti-port scan
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
# Ping of Death
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

iptables-save > /etc/sysconfig/iptables

To view the rules: # iptables -L

ACCEPT  tcp  --  anywhere  anywhere  tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
ACCEPT  tcp  --  anywhere  anywhere  tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
ACCEPT  icmp --  anywhere  anywhere  icmp echo-request limit: avg 1/sec burst 5
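The listing shows only ACCEPT rules. A `-m limit ... -j ACCEPT` rule lets the first packets within the rate through and does nothing to the rest: they keep traversing the chain, so unless a later rule (or the chain policy) drops them, the limit has no effect. The script below, an added example rather than the article's rule set, rebuilds the three limits with an explicit DROP after each one and includes a check that every limited ACCEPT has its DROP partner. The rate and burst values are the article's (1/s, burst 5, the default the listing shows); `syn_rules echo` prints the rules, `apply_rules` needs root and iptables.

```shell
#!/bin/sh
# Added example (not the article's rules): the article's three rate limits as
# a complete INPUT chain, each limited ACCEPT paired with a DROP for the same
# traffic, plus a sanity check on the rendered rule set.

RATE="${RATE:-1/s}"
BURST="${BURST:-5}"

# Emit the rules through the command given as $1 ("echo" to print, "iptables" to apply).
# --tcp-flags FIN,SYN,RST,ACK SYN is what iptables shows for --syn in the listing above.
syn_rules() {
    ipt="$1"
    # New TCP connections (SYN only): the article's "Syn Flood attack" rule
    $ipt -A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit "$RATE" --limit-burst "$BURST" -j ACCEPT
    $ipt -A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
    # RST-only packets: the article's "Anti-port scan" rule
    $ipt -A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit "$RATE" --limit-burst "$BURST" -j ACCEPT
    $ipt -A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
    # ICMP echo requests: the article's "Ping of Death" rule
    $ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit "$RATE" --limit-burst "$BURST" -j ACCEPT
    $ipt -A INPUT -p icmp --icmp-type echo-request -j DROP
}

# Dry run: the rule set as text, one rule per line.
render_rules() { syn_rules echo; }

# Apply for real and persist, as the article does (root required).
apply_rules() {
    syn_rules iptables && iptables-save > /etc/sysconfig/iptables
}

# Sanity check on a rendered rule set read from stdin: every "-m limit ... -j ACCEPT"
# rule must have a "-j DROP" rule with the same match. Prints the number of
# limit rules without a partner (0 means every limit can actually bite).
unpaired_limits() {
    awk '
        /-m limit/ && /-j ACCEPT/ { sub(/ -m limit.*/, ""); want[$0] = 1; next }
        /-j DROP/ { sub(/ -j DROP.*/, ""); if ($0 in want) delete want[$0] }
        END { n = 0; for (k in want) n++; print n }'
}

# Stand-alone run: print the rules and report unpaired limits.
render_rules
echo "unpaired limit rules: $(render_rules | unpaired_limits)"
```

Feeding the article's original three rules (ACCEPT only) into `unpaired_limits` reports 3, which is the quickest way to see that they were not restricting anything on their own. Also keep a rule accepting ESTABLISHED,RELATED traffic ahead of these so the SYN limit only ever applies to new connections.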

To view the SYN connection again:

# netstat -an | grep SYN_RECV | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
        10.92.10.220
      1 125.43.36.199

Obviously, the number of SYN connections is down.
