Principles and handling of SYN attacks in Linux security
TCP has been in development for more than 30 years since its invention in 1974 and has become the most important basic Internet protocol. It nevertheless has some design weaknesses.
A SYN attack (SYN flood) exploits one of these weaknesses to make a system's services stop responding normally.
SYN Attack Principle
TCP completes a three-way handshake before any data is transmitted. A SYN attack sends a stream of SYN packets to the server with forged (spoofed) source IP addresses.
For every SYN it receives, the server creates a half-open connection entry in the SYN backlog queue, sends a SYN-ACK to the source address and waits for the ACK that would complete the handshake.
Because the source address is forged, the host that is supposed to answer either does not exist or never sent the SYN, so the ACK never arrives and the server keeps retransmitting the SYN-ACK until its retry limit is exhausted. (If the spoofed address belongs to a live host, that host answers the unexpected SYN-ACK with a RST, which frees the entry; attackers therefore pick unreachable addresses.) Meanwhile the backlog queue fills up with the attacker's half-open connections and legitimate connection requests can no longer be processed.
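The symptom described above is visible in the kernel's socket table: half-open connections stuck in SYN-RECV pile up on one listening port, usually from many distinct peers. As an added example, not taken from the original article, the following Python script parses the output of `ss -ntH state syn-recv` and reports, per local port, how many half-open connections are pending and from how many distinct source addresses. The sample output embedded in the script is constructed, and the threshold of 256 half-open connections is an assumption; on a real host, set it relative to net.ipv4.tcp_max_syn_backlog.

```python
"""Confirm a SYN flood from the socket table: half-open connections stuck in SYN-RECV
pile up on one listening port, typically from many distinct (spoofed) peers."""
import subprocess
from collections import defaultdict


def parse_ss_syn_recv(text):
    """Turn `ss -ntH state syn-recv` output into (local_port, peer_ip) pairs.

    With a state filter ss omits the State column, so the columns are
    Recv-Q Send-Q Local-Address:Port Peer-Address:Port.
    """
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                                   # skip blank or truncated lines
        local, peer = fields[2], fields[3]
        local_port = int(local.rsplit(":", 1)[1])      # rsplit keeps IPv6 literals intact
        peer_ip = peer.rsplit(":", 1)[0]
        pairs.append((local_port, peer_ip))
    return pairs


def summarize(pairs):
    """Per local port: (number of half-open connections, number of distinct peer IPs)."""
    by_port = defaultdict(lambda: [0, set()])
    for local_port, peer_ip in pairs:
        by_port[local_port][0] += 1
        by_port[local_port][1].add(peer_ip)
    return {port: (count, len(peers)) for port, (count, peers) in by_port.items()}


def flagged_ports(summary, threshold=256):
    """Ports whose half-open count reaches the threshold.  256 is an assumed value;
    set it relative to net.ipv4.tcp_max_syn_backlog on the host being watched."""
    return sorted(port for port, (count, _) in summary.items() if count >= threshold)


# Constructed sample: 300 half-open connections on port 80 from 250 spoofed sources,
# plus two ordinary handshakes in progress on port 22.
SAMPLE_SS_OUTPUT = "\n".join(
    [f"0      0      203.0.113.10:80      198.51.100.{i % 250 + 1}:{40000 + i}" for i in range(300)]
    + ["0      0      203.0.113.10:22      192.0.2.5:51234",
       "0      0      203.0.113.10:22      192.0.2.9:51301"]
)


def live_summary():
    """Run ss on the local host (Linux only) and summarize the current SYN-RECV sockets."""
    out = subprocess.run(["ss", "-ntH", "state", "syn-recv"],
                         capture_output=True, text=True, check=True).stdout
    return summarize(parse_ss_syn_recv(out))


if __name__ == "__main__":
    summary = summarize(parse_ss_syn_recv(SAMPLE_SS_OUTPUT))
    for port, (count, peers) in sorted(summary.items()):
        print(f"port {port}: {count} half-open from {peers} distinct peers")
    print("possible SYN flood on ports:", flagged_ports(summary))
```

A flood with spoofed sources shows up as a high half-open count with almost as many distinct peers; a misbehaving single client shows a high count from one peer, which calls for a per-source limit rather than the global measures below.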
SYN Attack Processing
The following measures are available against SYN attacks. Note that sysctl -w changes the running kernel only; to keep a setting across reboots, add it to /etc/sysctl.conf or a file under /etc/sysctl.d/.
Method 1: Reduce the number of SYN-ACK retransmissions (5 by default) so that half-open entries are freed sooner. tcp_syn_retries governs the SYNs this host sends for its own outgoing connections (default 6 on current kernels) and does not protect the listening side; lowering it only shortens connect timeouts for local clients:
sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_syn_retries=3
Method 2: Enable SYN cookies. Once the SYN queue overflows, the kernel stops storing half-open state and instead encodes the connection parameters in the initial sequence number of its SYN-ACK; the connection is only created when an ACK carrying a valid cookie returns. With tcp_syncookies=1 cookies are used only while the queue is full, and connections established through a cookie lose the TCP options the cookie cannot carry (window scaling and SACK survive only if timestamps are enabled):
sysctl -w net.ipv4.tcp_syncookies=1
Method 3: Increase the SYN backlog queue (1024 on many systems; the kernel scales the default with available memory). The effective queue also depends on the application's listen() backlog and net.core.somaxconn, so raise those together:
sysctl -w net.ipv4.tcp_max_syn_backlog=2048
Method 4: Rate-limit incoming SYN packets with iptables. The original rule repeated --limit after -j ACCEPT, which iptables rejects, and an ACCEPT rule alone does nothing unless the excess is dropped afterwards. The limit module counts globally across all sources, so 1/s is only illustrative and would throttle legitimate clients on a busy server; use --limit-burst to allow short bursts, or the hashlimit module for a per-source limit:
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP
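Method 2 works because the server can hand all of its handshake state to the client and get it back, intact, in the ACK. As an added example, not code from the original article or from the kernel, the following Python model encodes a minute counter and the client's MSS into the server's initial sequence number, keyed with a secret, and recovers that state from the third handshake packet without any half-open entry. The layout (8-bit counter, 24-bit keyed hash plus MSS index, a two-minute validity window and the four-entry MSS table) follows Linux's net/ipv4/syncookies.c; the secrets, addresses and sequence numbers are constructed for the example, and HMAC-SHA256 stands in for the kernel's SipHash.

```python
"""Simplified Linux-style SYN cookie: encode the minimal handshake state in the
server's initial sequence number, then recover it from the client's ACK without
keeping a half-open entry in the SYN queue."""
import hashlib
import hmac
import ipaddress
import struct

COOKIEBITS = 24                      # low 24 bits: keyed hash + MSS index; high 8 bits: minute counter
COOKIEMASK = (1 << COOKIEBITS) - 1
MAX_SYNCOOKIE_AGE = 2                # minutes; Linux rejects cookies older than this
MSSTAB = (536, 1300, 1440, 4140)     # Linux msstab: the client's MSS is rounded down to one of these

# Constructed secrets for the example; the kernel draws its own from the RNG at boot.
SECRETS = (b"example-syncookie-secret-0", b"example-syncookie-secret-1")


def _cookie_hash(which, saddr, daddr, sport, dport, count):
    """Keyed 32-bit hash of the 4-tuple and counter (HMAC-SHA256 here; Linux uses SipHash)."""
    msg = struct.pack("!4s4sHHI", ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed, sport, dport, count & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(SECRETS[which], msg, hashlib.sha256).digest()[:4], "big")


def mss_index(mss):
    """Index of the largest msstab entry not above the client's MSS (0 if the MSS is below all of them)."""
    for i in range(len(MSSTAB) - 1, 0, -1):
        if mss >= MSSTAB[i]:
            return i
    return 0


def make_cookie(saddr, daddr, sport, dport, sseq, count, mss):
    """Server ISN for the SYN-ACK.  sseq is the client's SYN sequence number, count the current minute."""
    data = mss_index(mss)
    return (_cookie_hash(0, saddr, daddr, sport, dport, 0) + sseq + (count << COOKIEBITS)
            + ((_cookie_hash(1, saddr, daddr, sport, dport, count) + data) & COOKIEMASK)) & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, sseq, cookie, count):
    """Return the MSS encoded in the cookie, or None if it is forged, for another 4-tuple,
    or older than MAX_SYNCOOKIE_AGE minutes."""
    cookie = (cookie - _cookie_hash(0, saddr, daddr, sport, dport, 0) - sseq) & 0xFFFFFFFF
    diff = (count - (cookie >> COOKIEBITS)) & ((1 << (32 - COOKIEBITS)) - 1)   # minutes since issue
    if diff >= MAX_SYNCOOKIE_AGE:
        return None
    data = (cookie - _cookie_hash(1, saddr, daddr, sport, dport, (count - diff) & 0xFFFFFFFF)) & COOKIEMASK
    return MSSTAB[data] if data < len(MSSTAB) else None


def verify_ack(saddr, daddr, sport, dport, seq, ack_seq, count):
    """Validate the third handshake packet: its seq is client_isn + 1 and its ack is server_isn + 1."""
    return check_cookie(saddr, daddr, sport, dport,
                        (seq - 1) & 0xFFFFFFFF, (ack_seq - 1) & 0xFFFFFFFF, count)


if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:40000 -> server 203.0.113.10:80, MSS 1460, at minute 100.
    isn = make_cookie("198.51.100.7", "203.0.113.10", 40000, 80, 0x12345678, 100, 1460)
    print("SYN-ACK seq =", hex(isn))
    print("ACK one minute later ->", verify_ack("198.51.100.7", "203.0.113.10", 40000, 80,
                                                0x12345679, (isn + 1) & 0xFFFFFFFF, 101))
    print("ACK two minutes later ->", verify_ack("198.51.100.7", "203.0.113.10", 40000, 80,
                                                 0x12345679, (isn + 1) & 0xFFFFFFFF, 102))
```

An ACK for a different 4-tuple, a replayed cookie more than two minutes old, or a tampered sequence number fails the check, which is why the server can afford to forget the SYN: the only state it needs is the secret and the clock. The price is the 32-bit budget, which is why options that do not fit are dropped unless timestamps are available to carry them.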
SYN Attack Simulation
The hping tool described earlier can be used to simulate a SYN attack against a test host you control (hping3 with -S, --flood and --rand-source aimed at the target port); for details, see the earlier article Common Linux Network Tools: hping Advanced Host Scanning.
The synkill tool can also be used to simulate a SYN attack.