Linux under SYN attack

Source: Internet
Author: User
Tags: ack

SYN attacks and defenses in Linux
(i) How a SYN attack works
A SYN attack is a denial-of-service (DoS) attack that exploits a weakness in the TCP protocol: by sending a large number of half-open connection requests, the attacker exhausts the CPU and memory resources of the server. A SYN attack can affect hosts, but also routers, firewalls and other network devices; in fact it does not matter what the target system is, any system with a TCP service enabled can be attacked this way. Establishing a TCP connection between two computers on a network requires a three-way handshake: the client first sends a TCP SYN packet to the server, the server answers with the corresponding SYN-ACK packet, and finally the client replies with an ACK, which completes the normal handshake. In detail, when the server first accepts the SYN packet it adds a half-connection record to a queue in the TCP stack and then waits for the packet that completes the handshake; if the handshake succeeds, the half-connection record is removed from the queue. If the server does not receive the confirmation packet from the client, it retransmits its reply until the timeout expires, and only then removes the entry from the connection queue.
However, the number of half-connection records that the server's TCP stack can hold is limited, and under a SYN DoS attack the queue fills up very quickly. The client forges a large number of non-existent IP addresses in a short period of time and sends SYN packets to the server continuously; the server replies with its confirmation packet and waits for the client's confirmation. Because the source addresses do not exist, the server has to keep retransmitting until the timeout expires, so these forged SYN packets occupy the half-open connection queue for a long time and legitimate SYN requests are discarded. The target system becomes very slow, which causes network congestion or even a complete hang of the system; the server then no longer accepts new network connections, and legitimate clients can no longer reach it.
(ii) A SYN attack in practice
A SYN attack is very easy to carry out, since the Internet has a large number of SYN attack tools that can be used directly. Suppose a web service is installed on a Linux server: executing "service httpd start" at the Linux command prompt opens the web service. Then run "netstat -ant | grep 80", and you can see that port 80 is open. If SYN attack software (such as "Synkill") on another machine on the network is used for a DoS attack against port 80 of the Linux server, running "netstat -ant | grep 80" on the Linux server now shows a large amount of network connection information, including the connection type, source address, destination address and connection state. Of course, because SYN tools usually spoof the client address, the real address does not appear in the connection list. The connection state shows "SYN_RECV", which indicates that the connection is currently half-open. We can run "netstat -nt | grep SYN_RECV | grep 80 | wc -l" every few seconds to check the number of entries in the half-open queue for the port (80); when the count rises to a certain maximum and then stays level, the queue in the Linux TCP stack is very likely full, and users can no longer establish new connections.
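The manual check above (count SYN_RECV entries for port 80 every few seconds and watch for a plateau) can be scripted. The following is an added example, not code from the original article: it parses the text output of "netstat -ant" instead of calling netstat, so it runs offline on the constructed sample below; the saturation heuristic (last three samples near the backlog limit and flat) and the names of the functions are assumptions of this example.

```python
"""Monitor the half-open (SYN_RECV) queue of a listening port from netstat output.

Added example, not part of the original article. It parses "netstat -ant"
text rather than calling netstat, so it can be exercised offline on the
constructed sample below.
"""
import re
import subprocess
from collections import Counter

# One data line of "netstat -ant" on Linux. Addresses may be IPv4
# ("10.0.0.5:80") or IPv6 ("::ffff:10.0.0.5:80"); the port is after the last colon.
_LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def _split_addr(addr):
    """Split 'host:port' on the last colon; returns (host, port as int)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def half_open_by_source(netstat_output, port):
    """Return Counter {remote host: number of SYN_RECV entries} for local `port`."""
    sources = Counter()
    for line in netstat_output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # header or non-TCP line
        local, remote, state = m.groups()
        if state != "SYN_RECV" or _split_addr(local)[1] != port:
            continue
        sources[_split_addr(remote)[0]] += 1
    return sources


def count_half_open(netstat_output, port):
    """Like 'netstat -nt | grep SYN_RECV | grep 80 | wc -l', but exact on the local port."""
    return sum(half_open_by_source(netstat_output, port).values())


def queue_saturated(history, backlog, window=3, fill_ratio=0.9):
    """True when the last `window` samples all sit near the backlog limit and are flat.

    This is the article's heuristic: the SYN_RECV count climbs to a maximum
    and then stays level, which suggests the backlog queue is full.
    """
    if len(history) < window:
        return False
    recent = history[-window:]
    near_full = all(c >= fill_ratio * backlog for c in recent)
    plateau = max(recent) - min(recent) <= max(1, int(0.05 * backlog))
    return near_full and plateau


# Constructed sample of "netstat -ant" output (not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.9:40002      SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.33:52000        SYN_RECV
tcp        0      0 10.0.0.5:22             203.0.113.7:51300       SYN_RECV
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:192.0.2.34:5200  SYN_RECV
"""

if __name__ == "__main__":
    # Live use on Linux: feed real netstat output and sample every few seconds,
    # appending each count to a history list passed to queue_saturated().
    out = subprocess.run(["netstat", "-ant"], capture_output=True, text=True).stdout
    print("SYN_RECV on :80 =", count_half_open(out, 80))
    print("top sources:", half_open_by_source(out, 80).most_common(5))
```

Run as a script on a Linux host it reports the live count and the busiest remote hosts; note that under a spoofing flood the per-source breakdown is only useful for spotting that the sources are scattered, not for identifying the attacker.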
(iii) How to defend against SYN DoS attacks in Linux
In Linux there are several common methods of defending against SYN DoS attacks, such as increasing the maximum number of half-open connections in the SYN queue, reducing the timeout value, using SYN cookies, and filtering suspicious IP addresses. Each is analysed below.
(iv) Increase the maximum number of half-open connections in the SYN queue
Execute "sysctl -a | grep net.ipv4.tcp_max_syn_backlog" in Linux; the returned line "net.ipv4.tcp_max_syn_backlog = 256" shows that the maximum half-open connection capacity of the Linux queue is 256. This default value is not enough for a web server: a simple SYN attack is sufficient to fill it completely. The simplest way to defend against the DoS attack is therefore to raise this default. Executing "sysctl -w net.ipv4.tcp_max_syn_backlog=3000" in Linux changes the maximum number of half-open connections in the SYN queue to 3000.
(v) Reduce the timeout value
When a TCP connection is being established in Linux and the server does not receive the confirmation packet from the client during the handshake, it retransmits its reply until the timeout expires and the connection is removed from the queue. In other words, a half-open connection has a certain lifetime, after which it is dropped automatically; in the SYN attack test above, after a long enough time you will find that some of the half-open connections have been dropped. The lifetime of a half-open connection is in fact the sum of the timeouts of all the retransmission waits: the larger this value, the longer the half-open connection occupies the backlog queue and the fewer SYN requests the system can handle. Reducing the timeout is therefore an effective defense against SYN attacks, and it can be achieved by shortening the retransmission timeout and reducing the number of retransmissions. The default number of retransmissions in Linux is 5, for a total timeout of 3 minutes. Executing "sysctl -w net.ipv4.tcp_synack_retries=1" in Linux sets the number of retransmissions to 1.
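To make the two settings in (iv) and (v) concrete, here is an added example (not code from the original article) that audits the current values against the ones the article recommends and carries the "sum of the retransmission timeouts" reasoning through as a formula. The retransmission-timer model is an assumption stated in the code: the timer starts at an initial RTO and doubles after every retry, and the entry is dropped when the timer fires once more after the last retransmission, so the lifetime is initial_rto * (2^(retries+1) - 1); with a 3 s initial RTO and 5 retries that gives 189 s, which matches the article's figure of about 3 minutes. Function names and the /proc paths used when run live are also assumptions of the example.

```python
"""Audit the SYN-queue sysctls from the article and compute the half-open lifetime.

Added example, not from the original article. Recommended values (backlog
3000, 1 SYN-ACK retransmission) are the ones the article gives; the
retransmission-timer model is an assumption documented in half_open_lifetime.
"""
from pathlib import Path

PROC_BASE = Path("/proc/sys/net/ipv4")
RECOMMENDED = {
    "tcp_max_syn_backlog": 3000,   # article: raise the 256 default to 3000
    "tcp_synack_retries": 1,       # article: cut the 5 default to 1
}


def half_open_lifetime(retries, initial_rto=3.0):
    """Seconds a half-open entry stays queued before the kernel gives up.

    Assumption: the SYN-ACK retransmission timer starts at `initial_rto`
    seconds and doubles after each retry; the entry is dropped when the
    timer fires once more after the last retransmission. The sum of those
    waits is initial_rto * (2^(retries+1) - 1): 3 s and 5 retries give
    189 s, the article's "about 3 minutes"; 3 s and 1 retry give 9 s.
    """
    return initial_rto * (2 ** (retries + 1) - 1)


def sustainable_syn_rate(current, initial_rto=3.0):
    """Half-open entries per second the queue can absorb before it is full.

    backlog / lifetime: a small backlog with a long lifetime means only a
    trickle of unanswered SYNs is enough to exhaust it, which is why the
    article treats the 256 default as inadequate.
    """
    life = half_open_lifetime(current["tcp_synack_retries"], initial_rto)
    return current["tcp_max_syn_backlog"] / life


def read_sysctls(base=PROC_BASE):
    """Read the current values from /proc (Linux only; not used by the offline checks)."""
    return {name: int((base / name).read_text()) for name in RECOMMENDED}


def audit(current):
    """Compare a {sysctl name: value} mapping with the recommended values.

    Returns (name, current, recommended) for every setting weaker than
    recommended: a smaller backlog or more SYN-ACK retransmissions.
    """
    findings = []
    backlog = current["tcp_max_syn_backlog"]
    if backlog < RECOMMENDED["tcp_max_syn_backlog"]:
        findings.append(("tcp_max_syn_backlog", backlog, RECOMMENDED["tcp_max_syn_backlog"]))
    retries = current["tcp_synack_retries"]
    if retries > RECOMMENDED["tcp_synack_retries"]:
        findings.append(("tcp_synack_retries", retries, RECOMMENDED["tcp_synack_retries"]))
    return findings


def sysctl_commands(findings):
    """Render the 'sysctl -w' commands from the article that fix each finding."""
    return ["sysctl -w net.ipv4.%s=%d" % (name, rec) for name, _, rec in findings]


if __name__ == "__main__":
    current = read_sysctls()
    print("current:", current)
    print("half-open lifetime: %.0f s" % half_open_lifetime(current["tcp_synack_retries"]))
    print("queue absorbs %.2f unanswered SYN/s" % sustainable_syn_rate(current))
    for cmd in sysctl_commands(audit(current)):
        print("to fix:", cmd)
```

Run as root on a Linux host it prints the commands still needed; the values set with "sysctl -w" do not survive a reboot, so the same keys should also be written to /etc/sysctl.conf (or a file under /etc/sysctl.d) to make them permanent.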
(vi) Using SYN cookies to defend against DoS attacks
Besides reserving memory in the TCP stack for a number of half-open connections, SYN cookie technology can be used so that the Linux server can still handle new SYN connections even when the queue has been filled by a flood of SYN requests. What are SYN cookies? A SYN cookie is a particular way of responding to a TCP SYN request. In a normal TCP connection, when the server receives a SYN packet it returns a SYN-ACK packet and then enters the TCP SYN-RECV (half-open connection) state, waiting for the final ACK packet to be returned. The server uses a region of memory to describe all pending connections, but its size is limited, so an attacker can fill it. With TCP SYN cookies, when the server receives a SYN packet it returns a SYN-ACK packet whose sequence number is computed cryptographically: the source address and port number of the TCP connection, the destination address and port number, and a secret seed are hashed together, and then the server discards all state. If an ACK packet comes back from the client, the server recomputes the cookie to determine whether it is the reply to the earlier SYN-ACK. If so, the server can go straight to the established TCP connection state and open the connection. This way the server avoids waiting on half-open connections. Executing "echo "echo 1 > /proc/sys/net/ipv4/tcp_syncookies" >> /etc/rc.local" in Linux enables SYN cookies and adds the setting to the Linux boot file, so that a restart of the system does not affect the activation state of SYN cookies.
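The cookie mechanism just described, as an added example that is not code from the original article and not the kernel's implementation: the server hashes the 4-tuple together with a secret and a coarse time counter, sends the result as the sequence number of its SYN-ACK, keeps no queue entry, and on the returning ACK recomputes the cookie for the current and the previous counter value. The HMAC-SHA256 hash, the 60-second counter window, the constructed secret and the function names are assumptions of this example; the real Linux cookie additionally encodes the client's MSS in its low bits, which is left out here.

```python
"""A simplified SYN cookie exchange. Added example, not the kernel's code.

Server side: on SYN, answer with ISN = cookie and store nothing; on ACK,
recompute the cookie and accept only if ack-1 matches. Client and server
are both simulated by handshake().
"""
import hashlib
import hmac
import socket
import struct

COOKIE_WINDOW = 60                    # seconds per counter tick (assumption)
SECRET = b"constructed-demo-secret"   # constructed; a real server draws a random secret at boot


def _tick(now):
    """Coarse time counter; a cookie is valid for this tick and the next one."""
    return int(now) // COOKIE_WINDOW


def make_cookie(saddr, sport, daddr, dport, tick, secret=SECRET):
    """32-bit cookie = first 4 bytes of HMAC-SHA256(secret, 4-tuple || tick)."""
    msg = struct.pack("!4s4sHHI", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, tick)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return struct.unpack("!I", digest[:4])[0]


def on_syn(saddr, sport, daddr, dport, now):
    """Server on SYN: the SYN-ACK's initial sequence number is the cookie.

    Nothing is queued, so a SYN from a spoofed source costs the server no memory.
    """
    return make_cookie(saddr, sport, daddr, dport, _tick(now))


def on_ack(saddr, sport, daddr, dport, ack_number, now, secret=SECRET):
    """Server on ACK: accept if ack-1 is the cookie for this tick or the previous one."""
    expected = (ack_number - 1) & 0xFFFFFFFF
    tick = _tick(now)
    return any(make_cookie(saddr, sport, daddr, dport, t, secret) == expected
               for t in (tick, tick - 1))


def handshake(saddr, sport, daddr, dport, now, client_replies=True, ack_delay=0.0):
    """Trace one exchange; returns (list of messages, established?).

    client_replies=False models a spoofed source that never sends the ACK;
    ack_delay models a late ACK arriving `ack_delay` seconds after the SYN.
    """
    messages = [("C->S", "SYN")]
    isn = on_syn(saddr, sport, daddr, dport, now)
    messages.append(("S->C", "SYN-ACK seq=%d" % isn))
    if not client_replies:
        return messages, False          # no ACK, and no half-open entry was ever held
    ack = (isn + 1) & 0xFFFFFFFF
    messages.append(("C->S", "ACK ack=%d" % ack))
    return messages, on_ack(saddr, sport, daddr, dport, ack, now + ack_delay)


if __name__ == "__main__":
    for label, kwargs in [("legitimate client", {}),
                          ("spoofed source", {"client_replies": False}),
                          ("ACK two minutes late", {"ack_delay": 120})]:
        msgs, ok = handshake("198.51.100.9", 40001, "10.0.0.5", 80, now=1000, **kwargs)
        print(label, "->", "ESTABLISHED" if ok else "dropped", msgs)
```

The point of the example is the absence of any table of pending connections: the only server-side state is the secret, and validity is bounded by the time counter rather than by a queue slot, which is exactly why a flood of unanswered SYNs no longer blocks legitimate clients.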
(vii) Filtering suspicious IP addresses
When a client attacks the server, packets can be captured on the server so that the IP addresses in the packets can be examined; those suspicious addresses can then be filtered so that they can no longer connect to the server. The "tcpdump" command that ships with Linux performs the capture. Executing "tcpdump -c 1000 -i eth0 -n dst port 80 > test.txt" creates a file "test.txt" in the current directory containing a large number of network packets; by analysing this file it is easy to find suspicious client IP addresses, which can then be blocked with the "iptables" command that ships with the system. Executing "iptables -A INPUT -s 219.29.78.79 -d 0/0 -j REJECT" prevents the external host 219.29.78.79 from accessing any port on this machine; the "-j REJECT" parameter means that access is refused.
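The analysis step between the tcpdump capture and the iptables rule can be automated. The following is an added example, not code from the original article: it parses the text that "tcpdump -n" writes (the form saved in test.txt above), counts bare SYNs per source address, and renders the article's REJECT rule for sources above a threshold without executing anything. The sample capture lines are constructed, and the threshold, regular expression and function names are assumptions of the example. Bear in mind the article's own observation that flood tools usually spoof the source address: a list built this way only helps against sources that are real, and rules should be reviewed before they are applied.

```python
"""Find suspicious SYN sources in tcpdump text output and render iptables rules.

Added example, not from the original article. Parses "tcpdump -n" lines such as
"12:00:01.000101 IP 219.29.78.79.40000 > 10.0.0.5.80: Flags [S], seq 1, ..."
The sample capture is constructed. Rules are returned as strings, never run.
"""
import re
from collections import Counter

# A bare SYN has "Flags [S]"; a SYN-ACK would be "Flags [S.]" and is not matched.
SYN_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\],"
)


def syns_per_source(capture_text, dport=80):
    """Counter {source IP: number of bare SYNs sent to `dport`}."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = SYN_LINE.match(line)
        if m and int(m.group("dport")) == dport:
            counts[m.group("src")] += 1
    return counts


def suspicious_sources(counts, threshold):
    """Sources that sent at least `threshold` bare SYNs, most active first.

    A legitimate client sends one SYN per connection and then follows it with
    an ACK and data; many SYNs from one source with nothing else is the pattern
    the article's capture is meant to reveal.
    """
    return [src for src, n in counts.most_common() if n >= threshold]


def reject_rules(sources):
    """iptables commands in the article's form, returned for review rather than executed."""
    return ["iptables -A INPUT -s %s -d 0/0 -j REJECT" % src for src in sources]


# Constructed sample of "tcpdump -n dst port 80" output plus one port-22 line to
# show the port filter; 219.29.78.79 is the address used in the article.
SAMPLE_CAPTURE = """\
12:00:01.000101 IP 219.29.78.79.40000 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000202 IP 219.29.78.79.40001 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000303 IP 219.29.78.79.40002 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
12:00:01.000404 IP 203.0.113.7.51234 > 10.0.0.5.80: Flags [S], seq 100, win 65535, length 0
12:00:01.000505 IP 203.0.113.7.51234 > 10.0.0.5.80: Flags [.], ack 1, win 65535, length 0
12:00:01.000606 IP 203.0.113.7.51234 > 10.0.0.5.80: Flags [P.], seq 1:80, ack 1, win 65535, length 79
12:00:01.000707 IP 198.51.100.9.40500 > 10.0.0.5.22: Flags [S], seq 5, win 64240, length 0
"""

if __name__ == "__main__":
    import sys
    # Usage: python3 this.py test.txt   (defaults to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CAPTURE
    counts = syns_per_source(text, dport=80)
    for src, n in counts.most_common():
        print("%-16s %d SYN" % (src, n))
    for rule in reject_rules(suspicious_sources(counts, threshold=3)):
        print("review then run:", rule)
```

On the sample, 219.29.78.79 sends three SYNs and nothing else while 203.0.113.7 completes a normal handshake, so only the former is proposed for a REJECT rule.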
