How SYN Flood should respond

1 What is a SYN flood attack

At the time of the TCP three handshake, the server receives a SYN request from the client, the operating system assigns a TCP (transmission Control Block) to the request, the server returns a Syn/ack request, and will be in the SYN_RCVD state (half-open connection state).

As you can see from the above procedure, if you maliciously send a large number of SYN packets to a server port, you can enable the server to open a large number of half-open connections, allocate the TCB, and thus consume a large amount of server resources, and also make the normal connection request cannot be appropriate. The attack initiator's resource consumption is negligible.

SYN Flood is one of the most popular DOS (denial of service attacks) and DDoS (distributed denial of service attacks) in the current way.

2 How to find yourself in a state of attack

(1) The service side cannot provide normal TCP services. The connection request was denied or timed out;

(2) through the Netstat-an command check the system, found that there is a large number of SYN_RECV connection status.

3 Defensive measures

(1) With TCP Wrapper, the server only handles TCP connection requests from the limited source IP, and the connection requests from other unspecified sources are rejected.

(2) Shortening SYN timeout time, because the effect of SYN flood attack depends on the number of SYN half connections maintained on the server, this value =syn the frequency of the attack x SYN Timeout, so by shortening from receiving to the SYN message to determine the message is invalid and discard the time to change the connection, For example, set to less than 20 seconds (too low a SYN timeout setting may affect the customer's normal access), can be multiplied to reduce the load on the server.

(3) Setting up SYN cookie is to assign a cookie to each IP address of the request connection, if the repeated SYN message of an IP is received in a short time, it is considered to be attacked, and the packets from this IP address will be discarded.

(4) Using SYN Proxy firewall

SYN cache technology and SYN cookie technology are generally a host-protection technology that requires the support of the system's TCP/IP protocol stack, and not all operating systems currently support these technologies. As a result, many firewalls provide a function of the SYN Proxy, the main principle of which is to validate the SYN request that is attempting to traverse, and then release it, describing the process:

As you can see from the (left), the firewall initiates a SYN request to the internal server (Listener) after confirming the validity of the connection, and on the right, all invalid connections cannot reach the internal server. The firewall uses other techniques such as SYN cookie or SYN flood to verify the validity of the connection.
One thing to keep in mind in this way is that the firewall needs to proxy the packets that occur during the entire active connection, as shown in the following:

Because the firewall replaces the Issued SYN ACK packet with the sequence number C, and the server's true response packet has a sequence number C ', which has a difference of |c-c ' |, the serial number is modified when each relevant data message passes through the firewall.

How SYN Flood should respond