SYN Attack and Defense in LINUX

Source: Internet
Author: User

(1) SYN Attack principles

SYN attacks are a type of DoS attack. They exploit a weakness in the TCP protocol: by sending a large number of half-open connection requests they exhaust the CPU and memory resources of the server. A SYN attack affects not only hosts but also network devices such as routers and firewalls; in fact it does not care what the target system is, as long as that system offers a TCP service. When two computers establish a TCP connection, a three-way handshake takes place: the client first sends a TCP SYN packet to the server, the server answers with a SYN-ACK packet, and the client completes the handshake by responding with an ACK. In detail, when the server receives the SYN packet it adds a half-open connection record to a queue in its TCP stack and waits for the final packet of the handshake. If the handshake completes, the record is removed from the queue; if the server receives no confirmation from the client, it retransmits the SYN-ACK until the connection times out. The number of half-open records the server's TCP stack can hold is limited, so under a SYN flood the queue fills quickly: the attacker spoofs a large number of nonexistent source IP addresses and sends a continuous stream of SYN packets, the server replies with SYN-ACKs and waits for confirmations that never arrive, because the source addresses do not exist, and keeps retransmitting until each entry times out. These forged SYNs occupy the half-open queue for a long time, and legitimate SYN requests are dropped. If the target is slow, the result may be network congestion or a system hang; the server stops accepting new connections and normal clients can no longer connect.

(2) SYN Attack Process

A SYN attack is very simple to carry out, and many ready-made SYN attack tools can be found on the Internet. If a Web service is installed on a Linux server, start it at the Linux command prompt with "service httpd start" and confirm that port 80 is open with "netstat -ant | grep 80". When a SYN attack tool (such as "synkill") on another machine on the network directs a DoS attack at port 80 of the Linux server, running "netstat -ant | grep 80" on the server shows a large amount of connection information: the connection type, source address, destination address and connection state. Because the SYN tool usually forges the client address, the real address cannot be found in this list. The state column shows "SYN_RECV", meaning the entry is a half-open connection. Running "netstat -n -p TCP | grep SYN_RECV | grep 80 | wc -l" every few seconds counts the half-open connections on a given port (80 here); when the count climbs to a maximum and then stays level, the queue in the Linux TCP stack is most likely full, and at that point users can no longer create new connections.
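The half-open count above can be turned into a defender's check that reads "netstat -ant" output and alerts when the SYN_RECV entries for a port pass a threshold. This is an added example, not code from the article; the netstat sample is constructed here with documentation IP addresses, and the threshold values are assumptions.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (not captured from a real host):
# a few established sessions plus half-open (SYN_RECV) entries on ports 80 and 22.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.7:40211      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:51022       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.44:1025       SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.200:1026        SYN_RECV
tcp        0      0 10.0.0.5:22             198.51.100.7:40300      ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.17:2000         SYN_RECV'

# Count half-open (SYN_RECV) connections whose LOCAL port is $1, reading
# netstat -ant lines from stdin. Matching the local-address column only
# avoids counting a foreign port that happens to be 80 as well.
syn_recv_count() {
    awk -v port="$1" '$6 == "SYN_RECV" && $4 ~ (":" port "$") { n++ } END { print n+0 }'
}

# Return 0 when the half-open count for port $1 is below threshold $2,
# 1 otherwise; prints a one-line status either way.
check_half_open() {
    count=$(syn_recv_count "$1")
    if [ "$count" -ge "$2" ]; then
        echo "ALERT port $1: $count half-open connections (threshold $2)"
        return 1
    fi
    echo "ok port $1: $count half-open connections"
    return 0
}

# Live use (assumed threshold): netstat -ant | check_half_open 80 200
# Offline demo on the constructed sample; the non-zero status is the alert.
printf '%s\n' "$SAMPLE_NETSTAT" | check_half_open 80 3 || true
```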

(3) Protection against SYN DoS attacks in Linux

In Linux, the most common ways to defend against SYN DoS attacks are increasing the maximum number of half-open SYN connections the queue can hold, reducing the timeout value, using SYN cookies, and filtering suspicious IP addresses. Each is analysed below.

(4) Increasing the maximum number of SYN connections in the queue

Run "sysctl -a | grep net.ipv4.tcp_max_syn_backlog". A returned line such as "net.ipv4.tcp_max_syn_backlog = 256" indicates that the Linux queue holds at most 256 half-open connections. This default is far from enough for a Web server; a simple SYN attack is enough to fill it completely. The simplest defence against a DoS attack is therefore to raise the default with "sysctl -w net.ipv4.tcp_max_syn_backlog=3000", which changes the maximum number of half-open connections in the queue to 3000.

(5) Reduce the timeout value

When a TCP connection is being established in Linux and the server has sent its part of the handshake but receives no confirmation packet from the client, it retransmits the packet, and the entry stays in the half-open queue until it times out. In other words, a half-open connection has a certain lifetime, after which it is dropped automatically; in the SYN attack test above, some half-open connections disappear on their own after a long enough wait. The lifetime of a half-open connection is in fact the sum of the timeouts of all the retransmissions the system performs. The larger this value, the longer each half-open connection occupies the backlog queue and the fewer SYN requests the system can handle. Shortening the timeout is therefore an effective defence against SYN attacks, and it is achieved by reducing the retransmission timeout and the number of retransmissions. In Linux the default number of retransmissions is 5 and the total timeout is 3 minutes. Run "sysctl -w net.ipv4.tcp_synack_retries=1" to set the number of retransmissions to 1.

(6) Use SYN cookies to defend against DOS Attacks

Besides setting aside memory in the TCP stack to store half-open connections, a Linux server can keep accepting new SYN connections even when a large number of SYN requests would otherwise fill the queue, by handling them with SYN cookies. What is a SYN cookie? It is a way of answering a TCP SYN request with a cookie. In a normal TCP connection, when the server receives a SYN packet it responds with a SYN-ACK and then enters the TCP SYN-RECV (half-open) state to wait for the final ACK; the server uses a data structure to describe all pending connections, and because that structure is limited in size an attacker can fill it. With TCP SYN cookies, when the server receives a SYN packet it still returns a SYN-ACK, but the sequence number of that packet is a cookie: a hash computed from the source address and port of the TCP connection, the destination address and port, and a secret seed. The server then releases all state for the connection. If an ACK packet later arrives from the client, the server recomputes the cookie and checks whether the packet is the response to its SYN-ACK; if it is, the server enters the connected state directly and opens the connection. In this way the server never has to wait on half-open connections. To enable SYN cookies in Linux and add the setting to the startup file, so that SYN cookies stay active even after a reboot, run the command below; the appended line only takes effect at the next boot, so run the inner "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" once by hand to enable it immediately.

echo "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" >> /etc/rc.local
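Sections 4 to 6 together describe three sysctl settings. The following added example (not the article's own code) audits "sysctl -a" output against the article's target values and emits a sysctl.d fragment that sets them; the sysctl excerpt is constructed here, and the pass/fail thresholds are exactly the values the article gives.

```shell
#!/bin/sh
# Constructed excerpt of `sysctl -a` output (not from a real host), showing
# the article's three SYN-related settings at their weak default values.
SAMPLE_SYSCTL='net.ipv4.tcp_max_syn_backlog = 256
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syncookies = 0
net.ipv4.ip_forward = 0'

# Targets taken from the article: larger backlog, one SYN-ACK retry,
# SYN cookies on. "ge" passes when current >= target, "le" when <=.
TARGETS='net.ipv4.tcp_max_syn_backlog ge 3000;net.ipv4.tcp_synack_retries le 1;net.ipv4.tcp_syncookies ge 1'

# Read `sysctl -a` style "key = value" lines from stdin, print one PASS/FAIL
# line per target, and return 1 if any target fails, 0 otherwise.
audit_syn_sysctls() {
    awk -v targets="$TARGETS" '
        BEGIN {
            n = split(targets, t, ";")
            for (i = 1; i <= n; i++) {
                split(t[i], f, " ")
                op[f[1]] = f[2]; want[f[1]] = f[3] + 0
            }
        }
        ($1 in want) { have[$1] = $3 + 0; seen[$1] = 1 }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "FAIL %s unset (want %s %s)\n", k, op[k], want[k]; bad = 1; continue
                }
                if (op[k] == "ge") ok = (have[k] >= want[k]); else ok = (have[k] <= want[k])
                printf "%s %s = %s (want %s %s)\n", (ok ? "PASS" : "FAIL"), k, have[k], op[k], want[k]
                if (!ok) bad = 1
            }
            exit bad
        }'
}

# Emit the persistent equivalent of the sysctl -w and rc.local commands in
# sections 4-6, suitable for a file under /etc/sysctl.d/ (path is an assumption).
syn_sysctl_fragment() {
    printf 'net.ipv4.tcp_max_syn_backlog = 3000\nnet.ipv4.tcp_synack_retries = 1\nnet.ipv4.tcp_syncookies = 1\n'
}

# Live use: sysctl -a 2>/dev/null | audit_syn_sysctls
# Offline demo on the constructed sample (reports three FAILs):
printf '%s\n' "$SAMPLE_SYSCTL" | audit_syn_sysctls || true
```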

(7) Filtering suspicious IP addresses

When a client attacks the server, packets can be captured on the server so that the IP addresses in them can be inspected and the suspicious traffic filtered out, preventing those packets from reaching the server normally. The built-in "tcpdump" command captures packets: "tcpdump -c 1000 -i eth0 -n dst port 80 > test.txt" creates a file "test.txt" in the current directory containing a large number of network packets. Analysing that file makes it easy to pick out suspicious client IP addresses, which can then be blocked with the system's "iptables" command. For example, "iptables -A INPUT -s 219.29.78.79 -d 0/0 -j REJECT" rejects all traffic from 219.29.78.79 to any port on the local machine; the "-j REJECT" parameter means the access is refused.
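The capture-then-block step can be scripted: rank source addresses by the number of bare SYNs they sent and print (not run) the article's iptables rule for each one above a threshold, so an operator reviews the list first. This is an added example, not the article's code; the tcpdump lines are constructed, the threshold is an assumption, and, as section 2 notes, it only helps when the flood's source addresses are real rather than spoofed.

```shell
#!/bin/sh
# Constructed sample of `tcpdump -n dst port 80` output (not a real capture):
# one source sends many bare SYNs, two others complete normal handshakes.
SAMPLE_TCPDUMP='10:15:01.000001 IP 219.29.78.79.1024 > 10.0.0.5.80: Flags [S], seq 1, win 512, length 0
10:15:01.000002 IP 219.29.78.79.1025 > 10.0.0.5.80: Flags [S], seq 1, win 512, length 0
10:15:01.000003 IP 219.29.78.79.1026 > 10.0.0.5.80: Flags [S], seq 1, win 512, length 0
10:15:01.000004 IP 219.29.78.79.1027 > 10.0.0.5.80: Flags [S], seq 1, win 512, length 0
10:15:01.100000 IP 198.51.100.7.40211 > 10.0.0.5.80: Flags [S], seq 100, win 64240, length 0
10:15:01.100500 IP 198.51.100.7.40211 > 10.0.0.5.80: Flags [.], ack 1, win 502, length 0
10:15:01.200000 IP 203.0.113.9.51022 > 10.0.0.5.80: Flags [S], seq 7, win 64240, length 0
10:15:01.200400 IP 203.0.113.9.51022 > 10.0.0.5.80: Flags [P.], seq 1:80, ack 1, win 502, length 79'

# Print "count ip", highest first, for every source that sent at least $1
# bare SYN packets (Flags [S]); reads tcpdump -n output from stdin. Only
# initial SYNs are counted, so a busy legitimate client is not ranked by
# its data packets.
syn_sources() {
    awk -v min="$1" '
        $2 == "IP" && $7 == "[S]," {
            src = $3; sub(/\.[0-9]+$/, "", src)   # drop the trailing .port
            n[src]++
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -rn
}

# Emit (do not execute) the iptables command from the article for each
# source above the threshold, so an operator can review before applying.
reject_rules() {
    syn_sources "$1" | while read -r count ip; do
        echo "iptables -A INPUT -s $ip -d 0/0 -j REJECT   # $count SYNs"
    done
}

# Live use (assumed threshold): tcpdump -c 1000 -i eth0 -n dst port 80 | reject_rules 100
# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_TCPDUMP" | reject_rules 3
```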
