Principles and defense methods of SYN flood Network Attacks

Principles and defense methods of SYN flood Network Attacks

Summary

This paper introduces the basic principles of SYN Flood attacks, and describes in detail several effective defense measures: SYN-cookie technology and address status monitoring technology.

 

1 SYN Flood attack introduction:

Denial of Service (DoS) is an effective and very difficult way to defend against, it aims to prevent the server from providing services for users who normally access the server. Therefore, DoS poses a critical threat to enterprises and organizations that rely closely on the Internet to carry out their businesses.

SYN Flood is the most effective and popular form of DoS attacks. It uses the three-way TCP handshake to send a large number of SYN connection requests with forged source addresses to the target host, consuming the resources of the target host and thus failing to provide services to normal users.

1.1 TCP connection establishment process

To understand the basic principles of SYN Flood attacks, we must first introduce the three-way handshake mechanism of TCP.
The TCP three-way handshake process is as follows:
1) the client sends a TCP packet with a SYN position to the server, including the port number and initial serial number x used by the client;

2) After receiving the SYN Packet sent from the client, the server sends a TCP packet with both SYN and ACK positions to the client, including the confirmation number x + 1 and the initial serial number y of the server;

3)
TCP client
Client Port
(1024-65535)
 
TCP Server

Server Port
(1-1023)
SYN
SYN/ACK
ACK

After receiving the SYN + ACK packet from the server, the client returns an ACK packet with the confirmation number y + 1 and x + 1 to the server. A standard TCP connection is completed. 1:

1.2 attack principles

 

In SYN Flood attacks, hackers send a large number of tcp syn packets with forged source addresses to the affected host, allocate necessary resources to the affected host, and then return the SYN + ACK packet to the source address, wait for the source to return the ACK package, as shown in figure 2. Because the source address is forged, the source end will never return an ACK packet. The victim host will continue to send SYN + ACK packets and add the semi-connection to the port backlog queue, although the average host has a timeout mechanism and default retransmission times, however, the zookeeper yundun com SYN packet, the semi-connection queue will soon be filled up, and the server rejects new connections, which will cause the port to fail to respond to connection requests from other machines and eventually exhaust the resources of the affected host.

TCP client
Client Port
(1024-65535)
 
TCP Server
 
Server Port
(1-1023)
SYN
SYN/ACK
 
Counterfeit Source Address

2 defense technologies

After SYN Flood attacks have a major impact on the internet, several effective technologies have emerged to defend against SYN Flood attacks.

2.1 SYN-cookie technology

Generally, when the server receives a tcp syn packet, it immediately allocates a buffer for the connection request and returns a SYN + ACK packet, forming a semi-connection. SYN Flood uses this to send a large number of SYN connection requests that forge the source address without completing the connection. In this way, a large amount of server resources are consumed.

SYN-cookie technology changes the resource allocation policy in the process of establishing standard TCP connections. When the server receives a SYN packet, it generates a cookie using the connection information instead of allocating the buffer immediately. The cookie is used as the initial serial number of the SYN + ACK packet to be returned. When the client returns an ACK packet, the cookie is calculated based on the packet header information and compared with the first 24 digits of the returned confirmation serial number (initial serial number + 1, it is a normal connection. Then, allocate resources and establish a connection.

The clever point of this technology is that it avoids Resource Allocation before the connection information is fully reached, and invalidates the resource consumption of SYN Flood attacks. The key to implementation is cookie computing. Cookie calculation should include the status information of this connection, so that attackers cannot forge cookies. The cookie calculation process is as follows:

1) After receiving a SYN packet, the server calculates a message digest mac:
Mac = MAC (A, k );
MAC is a message authentication code function in cryptography, that is, a hash function with a key that meets a certain security nature. It can provide the security required in cookie computing.
A is A serial combination of the IP address and port number of both the customer and the server, and the parameter t:
A = SOURCE_IP | SOURCE_PORT | DST_IP | DST_PORT | t
K is the unique key of the server;
The time parameter t is a 32-bit long time counter, Which is incremented by 1 every 64 seconds;

2) generate a cookie:
Cookie = mac (): 0th to 24 bits of the mac value;

3) set the initial serial number of the SYN + ACK packet to be returned. The setting process is as follows:
I. Replace the 24-bit high with cookies;
Ii. The next three bits are replaced by the maximum message length MMS required by the customer;
Iii. The last 5 bits are t mod 32.
After receiving the SYN + ACK packet from the server, the client returns an ACK packet, which carries a cookie (the initial serial number of the syn ack packet sent by the server is 1, therefore, it does not affect the height of 24 bits). The cookie is re-calculated on the server end, which is compared with the first 24 bits of the confirmation number. If it is the same, it indicates that it has not been modified and the connection is valid. Then, the server establishes the connection.

SYN-cookie technology implements stateless three-way handshakes without storing any information on the server during connection establishment, thus effectively defending against SYN Flood attacks. However, this method also has some weaknesses. Because cookie computing only involves part of the packet header's confidence, during the connection establishment process, no information is stored on the server side, so many features of the Protocol are lost, for example, timeout retransmission. In addition, because the computing of cookies has a certain amount of computing workload and increases the delay time for connection establishment, SYN-cookie technology cannot be used as a defense means for high-performance servers. The dynamic resource allocation mechanism is usually used. After a certain amount of resources are allocated, the cookie technology is adopted, which is implemented in Linux. Another problem is that when we avoid SYN Flood attacks, we also provide another Denial-of-Service attack method. The attacker sends a large number of ACK packets, so that the server is busy with computing and verification. Even so, SYN-cookie technology is still an effective technology in preventing SYN Flood attacks.

2.2 solution to address status monitoring

The solution to address status monitoring is to use monitoring tools to monitor TCP connection data packets in the network and process the packets. The main reason for processing is the source address of the connection request.

Each source address has a corresponding status. There are four statuses in total:
Initial State: Any source address in the initial state;
NEW status: the status of the source address that exists cannot be determined when the source address appears for the first time or appears for multiple times;
GOOD status: determines the status of the source address;
BAD status: the status when the source address does not exist or is unavailable.
The specific action and status conversion are determined based on the bit code value in the TCP Header:

1) Listen to the SYN Packet. If the source address appears for the first time, set the source address to the NEW status; if the source address is in the NEW or BAD status; the RST position of the package is 1 and then resend. If the package is in GOOD state, no processing is performed.

2) An ACK or RST packet is monitored. If the source address is in the NEW status, the packet is in the GOOD status. If the source address is in the GOOD status, the packet is changed to the NEW status. If the source address is in the BAD status, the packet is changed to the NEW status; if it is in BAD state, it is converted to NEW state.

3) Listening to syn ack packets from the slave server (the destination address is addr) indicates that the server has established a semi-connection for the connection request sent from the addr, to prevent too many semi-connections, send an ACK packet to the server to establish a connection and start timing. If the ACK packet has not been received, the addr is not reachable, if the status of addr is GOOD at this time, the status changes to NEW. If the status of addr is NEW, the status changes to BAD. If the status of addr is BAD, the status changes.
Figure 3 shows the status transition:

Initial State
GOOD
NEW
BAD
ACK/RST
SYN
ACK/RST

ACK packet validation timeout
ACK/RST

ACK packet validation timeout

The following describes how the address status monitoring method can defend against SYN Flood attacks.

1) For a SYN packet with a forged source address, if the source address appears for the first time, the source address is in the NEW State. when listening to the server's SYN + ACK packet, indicates that the server has established a semi-connection for the connection request of the source address. At this time, the monitoring program sends an ACK packet to complete the connection on behalf of the source address. In this way, the number of semi-connections in the semi-connection queue is not many. The timer starts timing. Because the source address is forged, the ACK packet is not received. After the timeout, the monitoring program sends the RST packet, the server releases the connection, and the status of the source address changes to BAD. Then, the monitoring program will send an RST packet for each SYN packet from the source address.

2) for a valid SYN packet, if the source address appears for the first time, the status of the source address is NEW. The server responds to the request, sends SYN + ACK packets, and the monitoring program sends ACK packets, the connection is established. Then, the ACK from the client will soon arrive, and the source address will be in GOOD state. The server can handle the ACK packets that are repeated.
From the above analysis, we can see that the monitoring-based method can effectively defend against SYN Flood attacks without affecting the connection of normal users.

3 Summary

This article introduces the basic principles of SYN Flood attacks, and then describes in detail two effective and convenient defense methods: SYN-cookie technology