Possible harm from the weaknesses of the TCP three-way handshake

Source: Internet
Author: User
Tags: ack

Https://www.cnblogs.com/lsgxeva/p/9192704.html

1. DDoS (Distributed Denial of Service)

SYN Flood

The SYN flood is one of the most classic DDoS attacks on the Internet, first seen around 1999, when Yahoo was the most famous victim of its day. SYN flood attacks exploit weaknesses in the TCP three-way handshake: at small cost they leave the target server unable to respond, and they are difficult to trace back to their source.

The standard TCP three-way handshake proceeds as follows:

1. The client sends a TCP segment with the SYN flag set. SYN stands for Synchronize; this synchronization segment tells the server which port the client is using and the initial sequence number of the TCP connection;

2. On receiving the client's SYN, the server returns a SYN+ACK segment (ACK meaning acknowledgement), indicating that the client's request is accepted, and the TCP initial sequence number is incremented by 1;

3. The client in turn returns an ACK segment to the server, and the TCP sequence number is again incremented by 1.

After these three steps the TCP connection is established. To achieve reliable transport, TCP defines some exception handling for the three-way handshake. If, at the third step, the server does not receive the client's final ACK, it stays in the SYN_RECV state, adds the client IP to a waiting list, and retransmits the SYN+ACK of the second step. This retransmission is typically performed 3-5 times, and the waiting list is polled about every 30 seconds to retry all clients. Moreover, once the server has sent its SYN+ACK it pre-allocates resources to hold the state of the incoming TCP connection, and those resources stay reserved for the whole retry period. Most importantly, server resources are limited: once the number of connections held in SYN_RECV exceeds the limit, the server stops accepting new SYN segments, that is, it refuses to establish any new TCP connection.

A SYN flood exploits exactly this TCP mechanism. The attacker sends SYN segments to the server from a large number of spoofed IP addresses; since the spoofed addresses almost never belong to a real host, almost no device ever replies to the server. The server therefore maintains a large waiting list, keeps retransmitting SYN+ACK segments, and ties up a large amount of resources that cannot be released. More critically, the attacked server's SYN_RECV queue fills with malicious entries, the server stops accepting new SYN requests, and legitimate users can no longer complete the three-way handshake to establish a TCP connection. In other words, the SYN flood has denied service on this server.
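To make the queue mechanics concrete, here is an added Python model of the server-side SYN_RECV queue (not code from the original post): slots are held for the full SYN+ACK retry window, and while every slot is taken a legitimate client's SYN is refused. The queue size (128), retry interval (6 s) and retry count (5) are assumed values chosen so that an unanswered entry lives about 30 s, as the text describes.

```python
class SynBacklog:
    """Model of the server-side SYN_RECV queue described above. Sizes and timers
    are assumed for illustration: 128 slots, SYN+ACK retransmitted every 6 s up
    to 5 times, so an unanswered entry holds its slot for about 30 s."""

    def __init__(self, capacity=128, retry_interval=6.0, max_retries=5):
        self.capacity, self.retry_interval, self.max_retries = capacity, retry_interval, max_retries
        self.pending = {}        # client (ip, port) -> [first_seen, synack_retries]
        self.dropped_syns = 0    # SYNs refused because every slot was taken
        self.established = 0

    def expire(self, now):
        """Advance the SYN+ACK retransmit count; free slots whose retries ran out."""
        for client, entry in list(self.pending.items()):
            age = now - entry[0]
            entry[1] = min(self.max_retries, int(age // self.retry_interval))
            if age >= self.max_retries * self.retry_interval:
                del self.pending[client]

    def on_syn(self, client, now):
        """Step 1 arrives: reserve a slot, or refuse when SYN_RECV is full."""
        self.expire(now)
        if client in self.pending:
            return True                          # duplicate SYN, slot already held
        if len(self.pending) >= self.capacity:
            self.dropped_syns += 1               # spoofed or legitimate, nobody gets in
            return False
        self.pending[client] = [now, 0]
        return True

    def on_ack(self, client, now):
        """Step 3 arrives: the half-open entry becomes an established connection."""
        self.expire(now)
        if self.pending.pop(client, None) is None:
            return False                         # nothing pending for this client
        self.established += 1
        return True


def flood_then_legit(n_spoofed=200, capacity=128):
    """Constructed scenario: SYNs from sources that never answer fill the queue,
    so a real client is refused until the ~30 s retry window frees the slots."""
    bl = SynBacklog(capacity=capacity)
    for i in range(n_spoofed):
        bl.on_syn(("10.0.%d.%d" % (i // 256, i % 256), 40000 + i), now=0.0)
    legit = ("203.0.113.7", 51000)
    refused = not bl.on_syn(legit, now=1.0)      # queue full: handshake cannot start
    accepted = bl.on_syn(legit, now=31.0)        # retries exhausted, slots released
    completed = bl.on_ack(legit, now=31.1)       # three-way handshake finishes
    return refused, accepted, completed, bl.dropped_syns, len(bl.pending)
```

Real TCP stacks size this queue differently and add protections of their own (Linux, for instance, falls back to SYN cookies when the queue fills), but the mechanism the text describes, slots reserved for the entire retry window, is exactly what the model shows.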

2 .....
