SYN attack principle and prevention technology _ network

According to statistics, in all hacker attacks, SYN attacks are the most common and most easily exploited one of the attack methods. I believe many people still remember the 2000 Yahoo site attack case, the hacker was using a simple and effective SYN attack, some network worm with SYN attack caused greater damage. This paper introduces the basic principle, tools and detection methods of SYN attack, and probes into the technology of SYN attack prevention comprehensively.

A, TCP handshake protocol

In the TCP/IP protocol, the TCP protocol provides a reliable connection service, and a three-time handshake is used to establish a connection.

First handshake: When the connection is established, the client sends the SYN packet (SYN=J) to the server and enters the Syn_send state, waiting for the server to confirm;

Second handshake: The server received the SYN packet, must confirm the customer's SYN (ACK=J+1), but also send a SYN packet (syn=k), that is Syn+ack packet, at this time the server into the SYN_RECV state;

Third handshake: The client receives the server Syn+ack packet, sends the confirmation packet ack (ACK=K+1) to the server, this packet sends completes, the client and the server enters established state, completes three times handshake.

After three handshake, the client and the server begin to transmit data, in the process, there are some important concepts:

Disconnected queues: In the three handshake protocol, the server maintains an disconnected queue, which is listed as the SYN package (SYN=J) for each client to open an entry indicating that the server received the SYN package and issued a confirmation to the customer, waiting for the customer's confirmation package. The connection identified by these entries is in the SYN_RECV state, and when the server receives the customer's confirmation package, the entry is deleted and the server enters the established state.
Backlog parameter: Represents the maximum number of disconnected queues.

Syn-ack retransmission times the server sends the Syn-ack package, if you do not receive a customer confirmation package, the server for the first retransmission, waiting for a period of time has not received a customer confirmation package, for a second retransmission, if the number of retransmissions exceeded the system specified maximum retransmission number, the system will remove the connection information from the semi-connected queue. Note that the time for each retransmission wait is not necessarily the same.

Semi-connection survival: the longest time that an item in a semi-connected queue survives, or the longest time that a service receives a SYN packet to confirm that the message is invalid, which is the sum of the maximum wait times for all retransmission request packets. Sometimes we also call the timeout time, syn_recv survival time.

Second, SYN attack principle

SYN attack is a kind of Dos attack, it utilizes TCP protocol flaw, and consumes CPU and memory resources by sending a large number of half connection requests. In addition to impact on the host, SYN attacks can harm routers, firewalls and other network systems, in fact, SYN attacks and regardless of the target system, as long as these systems open the TCP service can be implemented. As you can see from the image above, the server receives the connection request (SYN=J), joins this information into the disconnected queue, and sends the request package to the customer (syn=k,ack=j+1), which is now in the SYN_RECV state. When the server does not receive a confirmation package from the client, the request packet is sent back to the timeout before the entry is removed from the connection queue. With IP spoofing, SYN attacks can achieve good results, usually, the client in a short period of time to forge a large number of non-existent IP address, to the server constantly send SYN packets, the server reply to confirm the package, and wait for the customer's confirmation, because the source address is not there, the server needs to continue to resend until the timeout, These forged SYN packets will occupy the disconnected queue for a long time, the normal SYN request is discarded, the target system is slow, the serious person causes network jam and even the system is paralyzed.

Third, SYN attack tool

SYN attacks are simple to implement, and there are plenty of out-of-the-box SYN attack tools on the Internet.

1. SYN Tools under Windows system

Take Synkill.exe as an example, run the tool, select the random source address and source port, and fill in the Target machine address and TCP port, activate the operation, will soon find the target system running slowly. If the attack effect is not obvious, may be the target machine does not open the completed TCP port or firewall to deny access to the port, at this time you can choose to allow access to the TCP port, usually, Windows system open tcp139 Port, Unix system open TCP7, 21, 23, such as Port.

Iv. Detection of SYN attacks

Detection SYN attack is very convenient, when you see a large number of semi-connected state on the server, especially the source IP address is random, basically can be concluded that this is a SYN attack. We use the system's own Netstat tool to detect SYN attacks:

...  

The above is seen in the Linux system, many connections in the SYN_RECV state (in the Windows system is syn_received State), the source IP address is random, indicating that this is a SYN attack with IP spoofing.

We can also directly view the number of disconnected queues in a Linux environment using the following command:

#netstat-n-P TCP grep syn_recv grep:22 wc-l 324

The number of connections that show TCP port 22 is 324, although it is far from the system limit, it should be noticed by the administrator.

V. SYN ATTACK PREVENTION technology

On the SYN attack prevention technology, people study relatively early. Summed up, there are two major categories, one kind is through the firewall, the router and so on filter gateway protection, another kind is strengthens the TCP/IP protocol stack to guard against. But it must be clear that SYN attacks cannot be completely blocked, and what we do is to minimize the risk of SYN attacks, unless the TCP protocol is redesigned.

1, Filter Gateway protection

Here, the filter gateway mainly indicates the firewall, of course the router can also become a filter gateway. Firewalls are deployed between different networks, preventing foreign illegal attacks and preventing confidential information from leaking out, it is between the client and the server, use it to protect the SYN attack can play a very good effect. The filter gateway protection mainly includes the timeout setting, the Syn Gateway and the SYN agent three kinds.

Network Guan Shu when setting:

The firewall sets the SYN forwarding timeout parameter (the state-detected firewall can be set in the state table), which is much less than the server's timeout time. When the client sends the SYN package, the server sends a confirmation packet (Syn+ack), and the firewall does not receive a confirmation packet (ACK) of the client when the counter expires, sends the RST packet to the servers so that the server deletes the half connection from the queue. It is noteworthy that the gateway timeout parameter settings should not be too small, the timeout parameter set too small will affect the normal communication, set too large, and will affect the effectiveness of the prevention of SYN Attacks, must be based on the network application environment to set this parameter.

SYN Gateway:

When the Syn gateway receives the client's SYN packet, it is forwarded directly to the server, and the SYN gateway receives the server's Syn/ack packet, forwards the packet to the client, and sends an ACK acknowledgement packet to the server on behalf of the client. At this point the server enters the connection state by a half connection state. When the client confirms that the package arrives, it is forwarded if there is data, otherwise discarded. In fact, in addition to maintaining a half-connection queue, the server also has a connection queue, if a SYN attack, will increase the number of connection queues, but the general server can withstand a much larger number of connections than the number of connections, so this method can effectively reduce the attack on the server.

SYN Agent:

When the client SYN packet to the filter gateway, the SYN agent does not forward the SYN packet, but the server in the name of the active reply to the Syn/ack packet to the customer, if you receive the customer's ACK packet, indicating that this is a normal access, at this time the firewall to the server to send ACK packets and complete three SYN Agent in fact instead of the server to deal with SYN attacks, at this time require the filter gateway itself has a strong ability to prevent SYN attacks.

2, strengthen the TCP/IP protocol stack

Another major technique to prevent SYN attacks is to adjust the TCP/IP protocol stack and modify the TCP protocol implementation. The main methods are SynAttackProtect protection mechanism, SYN-cookie technology, increasing the maximum half connection and shortening the timeout time. The adjustment of the TCP/IP protocol stack may cause some limited functionality, and administrators should do so with full understanding and testing.

SynAttackProtect mechanism

In order to prevent SYN attack, the TCP/IP protocol stack of Win2000 system is embedded with SynAttackProtect mechanism, Win2003 system also adopts this mechanism. The synattackprotect mechanism is to prevent SYN attacks by turning off certain socket options, adding additional connection instructions and reducing timeout times so that the system can handle more SYN connections. By default, the Win2000 operating system does not support synattackprotect protection and needs to increase the SynAttackProtect key value in the following registry location:

Hklmsystemcurrentcontrolsetservicestcpipparameters

The system is not protected by SynAttackProtect when the SynAttackProtect value (if the registry key mentioned in this article is 16) is 0 or is not set, if no special instructions are provided.

When the SynAttackProtect value is 1 o'clock, the system guards against SYN attacks by reducing the number of retransmissions and delaying the routing buffer (route cache entry) when it is not connected.

When the SynAttackProtect value is 2 o'clock (which is recommended by Microsoft), the system not only uses the backlog queue, but also uses additional half-connection instructions to handle more SYN connections, using this key value, TCP/IP TcpInitialRtt, Window size and sliding window will be prohibited.

We should know that at ordinary times, the system is not enabled SynAttackProtect mechanism, only when the SYN attack detected, only enabled, and adjust the TCP/IP protocol stack. So how does the system detect the SYN attack happening? In fact, the system is based on the tcpmaxhalfopen,tcpmaxhalfopenretried and tcpmaxportsexhausted three parameters to determine whether a SYN attack.

TcpMaxHalfOpen represents the maximum number of connections that can be processed at the same time, and if this value is exceeded, the system is considered to be in a SYN attack. The default value for the Win2000 server is 100,win2000 Advanced server is 500.

TcpMaxHalfOpenRetried defines the number of half-open connections that are saved in the backlog queue, and if this value is exceeded, the system automatically starts the SynAttackProtect mechanism. The default value for the Win2000 server is 80,win2000 Advanced server is 400.

TCPMaxPortsExhausted refers to the number of SYN request packets rejected by the system, which defaults to 5.

If you want to adjust the default values for the above parameters, you can modify them in the registry (same position as SynAttackProtect)

SYN Cookies Technology

We know that the TCP protocol opens up a relatively large memory space backlog queue to store a half-join entry, and when SYN requests increase, and this space causes the system to discard the SYN connection. The SYN cookie technology was designed to allow the server to process the new SYN request in case the semi-connected queue was stuffed.

SYN cookies are applied to Linux, FreeBSD, and other operating systems, and when the half-connection queue is full, syncookies does not discard SYN requests, but instead uses encryption to identify the semi-connected state.

In the TCP implementation, when the client's SYN request is received, the server needs to reply to the Syn+ack packet to the client, and the client also sends a confirmation packet to the server. Usually, the server's initial serial number is calculated by the server according to a certain law or random number, but in SYN cookies, the server's initial serial number is by the client IP address, client port, server IP address and server port and other security values such as the hash operation, Encrypted, it is called a cookie. When the server suffers a SYN attack that makes the backlog queue full, the server does not reject the new SYN request, but instead responds to the cookie (the SYN serial number of the reply packet) to the client, and if the client's ACK packet is received, the server subtracts the client's ACK serial number by 1 to get a cookie comparison And make a hash of the above elements to see if it equals this cookie. If equal, complete three handshake directly (note: This is not the time to see if this connection belongs to the backlog queue).

In Redhat Linux, enabling SYN cookies is done by setting the following command in the startup environment:

# echo 1?? /proc/sys/net/ipv4/tcp_syncookies

Increase the maximum number of semi-connections

A large number of SYN requests caused the disconnected queues to be filled, leaving the normal TCP connection unable to successfully complete the three handshake, easing the pressure by increasing the disconnected queue space. Of course backlog queues need to occupy a lot of memory resources, can not be unlimited expansion.

WIN2000: In addition to the TcpMaxHalfOpen, tcpmaxhalfopenretried parameters described above, the WIN2000 operating system can be set up dynamically backlog (dynamic backlog) To increase the maximum number of connections the system can hold, configure dynamic backlog to be driven by Afd.sys, Afd.sys is a kernel-level driver that supports applications based on window sockets, such as FTP, Telnet, and so on. AFD. SYS at the registry location:
The Hklmsystemcurrentcontrolsetservicesafdparametersenabledynamicbacklog value is 1 o'clock, which means that dynamic backlog is enabled, and the maximum number of semi connections can be modified.

MinimumDynamicBacklog represents the minimum number of idle connections that a semi-join team is assigned to a single TCP port, and when the TCP port is less than this threshold in the backlog queue's idle connection, The system automatically enables extended idle connections (DynamicBacklogGrowthDelta) for this port, and Microsoft recommends that the value be 20.

The MaximumDynamicBacklog is the current active semi-connected and idle connection and, when this and beyond a critical value, the system rejects the SYN package and Microsoft recommends that the MaximumDynamicBacklog value not exceed 2000.

The DynamicBacklogGrowthDelta value refers to the number of idle connections that are extended, and the number of connections is not counted within MaximumDynamicBacklog. When a half join team is listed as an idle connection allocated by a TCP port that is less than MinimumDynamicBacklog, the system automatically assigns the free connection space defined by DynamicBacklogGrowthDelta so that the TCP port can handle more half connections. Microsoft recommends that the value be 10.

Linux:linux uses variable Tcp_max_syn_backlog to define the maximum number of half-open connections that backlog queues hold. In Redhat 7.3, the value of the variable defaults to 256, and this value is far from sufficient, and a low intensity SYN attack can make the half connection queue full. We can modify the value of this variable by using the following command:

# sysctl-w net.ipv4.tcp_max_syn_backlog= ' 2048 '

Sun Solaris Sun Solaris uses variable tcp_conn_req_max_q0 to define the maximum number of semi connections, and in Sun Solaris 8, the default is 1024, which can be changed by the Add command:

# NDD-SET/DEV/TCP Tcp_conn_req_max_q0 2048

Hp-ux:hp-ux uses variable Tcp_syn_rcvd_max to define the maximum number of semi connections, which defaults to 500 in HP-UX 11.00, which can be changed by the NDD command:

#ndd-set/dev/tcp Tcp_syn_rcvd_max 2048

Shorten timeout time

As mentioned above, the SYN attack can be prevented by increasing the backlog queue, and also the system can process more SYN requests by reducing the timeout time. We know that the timeout timeout, also known as the semi-connection survival time, is the total number of times the system has to wait for the timeout, the greater the value of the number of backlog queue, the longer the system can handle the SYN request less. To shorten the timeout, you can do this by shortening the retransmission timeout (typically the first retransmission timeout) and reducing the number of retransmissions.

Win2000 the wait time defaults to 3 seconds before the first retransmission, to change this default value, you can modify the network access in the registration table TcpInitialRtt registration value to complete. The number of retransmissions is defined by TcpMaxConnectResponseRetransmissions, and the registry location is: Hklmsystemcurrentcontrolsetservicestcpipparameters Registry key.

Of course, we can also set the number of retransmissions to 0 times, so that if the server does not receive an ACK acknowledgment package within 3 seconds, the connection entry is automatically removed from the backlog queue.

Linux:redhat uses variable tcp_synack_retries to define the number of retransmissions, the default value is 5 times, and the total timeout takes 3 minutes.

The default number of retransmissions for Sun Solaris Solaris is 3 times, with a total timeout of 3 minutes, which can be modified by the NDD command.

Http://netsecurity.51cto.com/art/200608/30428.htm