SYN flood attacks

Source: Internet
Author: User


Article Source: http://efeil.blog.163.com/blog/static/11890229720103192444193/


Contents:
1. Introduction to SYN Cookie
2. What is a SYN flood attack
3. What is a SYN Cookie
4. What is a SYN Cookie firewall

Notation used below: C = client, S = server, FW = firewall.

1. Introduction to SYN Cookie

SYN Cookie is a technique for defending against SYN flood attacks. It was invented by D. J. Bernstein and Eric Schenk. SYN Cookie is now part of the Linux kernel (it is off by default), but it only protects the Linux host on which it runs. What we want is a Linux firewall that provides SYN Cookie protection for the whole network and for every network operating system behind it. Such a firewall absorbs half-open TCP connections, so the protected systems never hold half-open (TCP_SYN_RECV) connections; once a connection is fully established, the connection from the client to the server is relayed through the firewall.

2. What is a SYN flood attack? (From the CERT advisory)

When a system (the client, C) wants to establish a TCP connection with a system that provides a service (the server, S), C and S exchange a series of packets. This handshake is used by every TCP-based service, such as telnet, web and email. First, C sends a SYN packet to S; S responds with a SYN-ACK packet; C then returns an ACK packet, completing the TCP connection. The connection between C and S is now established and the two can exchange data. The exchange is shown below:

    client                        server
    ------                        ------
            -------- SYN -------->
            <------ SYN-ACK ------
            -------- ACK -------->

    client and server can now send service-specific data

There is a potential drawback: after S returns the SYN-ACK packet, it may never receive the ACK packet from C. This is the so-called half-open connection. S must reserve a certain amount of system memory while it waits for the pending connection.

Although this amount is limited, a malicious user can create enough half-open connections to launch a SYN flood attack. Half-open connections are easy to create with IP spoofing: the attacker sends SYN packets to the victim system that look legitimate, but the supposed client will never respond to the SYN-ACK packet, so the victim never receives an ACK.

The half-open connections then consume all of the victim's system resources, and the victim can no longer accept any other requests. There is usually a timeout while waiting for the returned ACK packet, so the half-open connections will eventually expire and the victim system will recover on its own. Even so, before the victim recovers, the attacker can simply keep sending forged SYN request packets to continue the attack. In most cases the victim is almost unable to accept any new request, but the attack does not affect existing inbound or outbound connections. The victim system may nevertheless exhaust system resources and run into other problems. The location of the attacking system is almost impossible to determine, because most of the source addresses in the SYN packets are forged. When a SYN packet arrives at the victim system, its real origin cannot be found: with source-address-based packet delivery, filtering on the source IP address is the only way to verify where a packet came from.

3. What is a SYN Cookie?

SYN Cookie is a TCP implementation that uses a cookie to respond to a TCP SYN request. As described above, in a normal TCP implementation, when S receives a SYN packet it returns a SYN-ACK packet and then enters the TCP_SYN_RECV (half-open connection) state to wait for the final ACK packet. S uses a data structure to describe all pending connections. The size of this data structure is limited, so an attacker can fill it. With SYN Cookie, when S receives a SYN packet it returns a SYN-ACK packet whose sequence number (which C echoes back as the acknowledgment number) is a cookie, that is, a value computed from the source address, source port, destination address, destination port and a secret seed. S then discards all state for the connection. If an ACK packet later arrives from C, S recomputes the cookie to determine whether this ACK is the reply to an earlier SYN-ACK.

If it is, S can enter the established TCP connection state directly and open the connection. In this way S avoids holding half-open connections. This is only the basic idea of SYN Cookie; there are many further subtleties in practice. See the archives of the Linux kernel mailing list from previous years for details.

4. What is a SYN Cookie firewall?

A SYN Cookie firewall is an extension of SYN Cookie. SYN Cookie is built into the TCP stack and protects the Linux operating system itself; a SYN Cookie firewall is a special Linux feature that lets you use a firewall to protect your whole network from SYN flood attacks. Its principle is shown below:

    client                firewall                server
    ------                --------                ------
    1. -------- SYN -------->
    2. <-- SYN-ACK (cookie) --
    3. -------- ACK -------->
    4.                        -------- SYN -------->
    5.                        <------ SYN-ACK ------
    6.                        -------- ACK -------->
    7. <------------ relay the connection ------------>

1. A SYN packet is sent from C to S.
2. The firewall plays the role of S and responds with a SYN-ACK packet carrying a SYN Cookie.
3. C sends an ACK packet, and the connection between C and the firewall is established.
4. The firewall now sends a SYN to S.
5. S returns a SYN-ACK to the firewall.
6. The firewall plays the role of C and sends an ACK packet to S; the connection between the firewall and S is now established.
7. The firewall relays data between C and S.

If the system is under a SYN flood, step 3 never happens, so neither the firewall (which kept no state) nor S (which never received a SYN) is left with a half-open connection corresponding to the SYN packet in step 1. This is how the SYN flood attack is defeated.
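As an added example (not code from the original article), the cookie generation and validation described in section 3 in Python, using a simplified layout of the 32-bit sequence number: a 6-bit time counter, a 2-bit encoded MSS index and a 24-bit keyed hash, so that forged, mis-addressed and expired ACKs are all rejected without the server keeping any state. The secret, addresses, ports and sequence numbers are constructed values.

```python
import hashlib
import hmac
import struct
import time

# Constructed secret for this example; a real stack draws fresh random secrets.
SECRET = b"example-secret-not-for-production"
COUNTER_PERIOD = 64                  # seconds per counter tick (Linux also uses 64 s)
MSS_TABLE = [536, 1300, 1440, 1460]  # MSS values that fit in the 2-bit index
MASK32 = 0xFFFFFFFF

def _mac(saddr, sport, daddr, dport, seq, count):
    """Keyed hash over the 4-tuple, the client's ISN and the counter, cut to 24 bits."""
    msg = struct.pack("!4sH4sHII", saddr, sport, daddr, dport, seq, count)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")

def cookie_counter(now=None):
    """Slowly increasing 6-bit counter so that old cookies expire."""
    return int((time.time() if now is None else now) // COUNTER_PERIOD) & 0x3F

def make_cookie(saddr, sport, daddr, dport, seq, mss, now=None):
    """ISN for the SYN-ACK: 6-bit counter | 2-bit MSS index | 24-bit MAC. No state is kept."""
    count = cookie_counter(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((count << 26) | (mss_idx << 24) | _mac(saddr, sport, daddr, dport, seq, count)) & MASK32

def check_cookie(saddr, sport, daddr, dport, seq, ack, now=None, max_age=2):
    """Validate the final ACK: ack-1 must be a cookie we could have issued recently.
    seq is the ACK's sequence number (client ISN + 1). Returns the negotiated MSS
    if the cookie is valid, None if it is forged, for another 4-tuple, or expired."""
    cookie = (ack - 1) & MASK32
    count = cookie >> 26
    mss_idx = (cookie >> 24) & 0x3
    age = (cookie_counter(now) - count) & 0x3F
    if age > max_age:                      # SYN-ACK too old: cookie has expired
        return None
    if (cookie & 0xFFFFFF) != _mac(saddr, sport, daddr, dport, (seq - 1) & MASK32, count):
        return None                        # wrong tuple, wrong ISN or guessed ack number
    return MSS_TABLE[mss_idx]

if __name__ == "__main__":
    # Constructed sample handshake: client 10.0.0.5:40000 -> server 10.0.0.1:80
    c_addr, s_addr = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])
    t0 = 1_000_000.0
    isn = make_cookie(c_addr, 40000, s_addr, 80, 1000, 1460, now=t0)   # sent in the SYN-ACK
    print("valid ACK   ->", check_cookie(c_addr, 40000, s_addr, 80, 1001, (isn + 1) & MASK32, now=t0))
    print("spoofed ACK ->", check_cookie(bytes([10, 0, 0, 6]), 40000, s_addr, 80, 1001, (isn + 1) & MASK32, now=t0))
    print("late ACK    ->", check_cookie(c_addr, 40000, s_addr, 80, 1001, (isn + 1) & MASK32, now=t0 + 3 * 64))
```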
