Judging DDoS attacks from a TCP state machine
First, the TCP protocol
TCP is the core protocol of the transport layer. It provides a reliable, connection-oriented service: a connection is set up with a three-way handshake and torn down with a four-way close, and TCP maintains a state machine that records the state of the connection at each stage.
Second, TCP handshake and disconnection
The three-way handshake and four-way close are not covered in detail here; only a diagram is attached, and the details are left for the reader to fill in. Reference link: 72861891
2.1 Handshake Protocol:
2.2 Disconnect Procedure
Third, the TCP state machine
During connection setup and teardown, TCP has to maintain the state of each connection; the set of states and transitions is what we call the TCP state machine. See the following for details:
3.1 Handshake process states
- CLOSED: the initial state; no connection exists.
- LISTEN: a server port is listening for incoming connections.
- SYN_RCVD: a SYN segment has been received; normally a short-lived state.
- SYN_SENT: a SYN segment has been sent and the sender is waiting for a reply.
- ESTABLISHED: the connection has been established; this is the stable state.
To make this easier to understand, take a restaurant as an example: before 8 o'clock it is not open (CLOSED); after it opens at 8 it waits for guests (LISTEN); a customer comes in and orders (SYN_SENT); the boss receives and confirms the order (SYN_RCVD); the customer says yes, serve it, and both sides enter the ESTABLISHED state.
3.2 Disconnection process states
- FIN_WAIT_1: the local TCP entity has sent a FIN segment and is waiting for an acknowledgement.
- CLOSE_WAIT: the server has received a FIN segment from the client and has acknowledged it by sending back an ACK segment.
- FIN_WAIT_2: the client has received the ACK segment and moves to the FIN_WAIT_2 state.
- CLOSED: the server receives the last ACK segment, its TCP entity frees the connection and deletes the connection record.
In the restaurant picture: the guests finish eating and get up to leave, calling the boss to check out (FIN_WAIT_1); the boss says wait a moment while I get your change (CLOSE_WAIT); the customer receives the bill and confirms it is correct (FIN_WAIT_2); both sides confirm and then disconnect (CLOSED).
Fourth, half open and half closed
There are many kinds of DDoS attacks, both application-layer and network-layer; this article discusses only the network-layer type. With the state machine described above it is easy to understand how a large number of half-open connections can tie up a large amount of network bandwidth and so achieve denial of service.
4.1 Half open
This occurs during the TCP three-way handshake.
If A initiates a TCP request to B and B responds normally, but A never completes the third step of the handshake, the result is a half-open connection.
4.2 Half closed
When one side closes its sending channel it can still receive the data sent by the other side; this is called "half closed". (Tearing down a TCP connection means: you close your send channel and I close my send channel.)
Fifth, DoS detection with netstat
netstat -na
Shows all active network connections to the server.
netstat -an | grep :80 | sort
Shows only the active connections involving port 80, sorted. Port 80 is the HTTP port, so this is useful on web servers; it makes it easy to spot a single IP launching a flood attack from among many connections.
netstat -n -p | grep SYN_REC | wc -l
This command counts the connections in SYN_REC state on the server. The number should normally be very low, preferably fewer than 5.
During DoS attacks and mail bombs this number can become very high. However, the value depends on the system, so a value that is high here may be normal on another server.
netstat -n -p | grep SYN_REC | sort -u
Lists all the IP addresses involved, not just the count.
netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
Lists the distinct IP addresses of the nodes whose connections are in SYN_REC state.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Uses netstat to count the number of connections to the server per IP address.
netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Lists the number of TCP and UDP connections to the server per IP address.
netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
Checks only ESTABLISHED connections rather than all connections, giving the number of established connections per IP.
netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
Displays the IP addresses connected to port 80 and the number of connections from each. Port 80 is the HTTP port.
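The pipelines above can be wrapped into a small script that counts half-open (SYN_RECV) connections per remote IP and flags sources above a threshold. This is an added example, not part of the original post; it assumes the column layout of `netstat -ntu` on Linux, and the input below is a constructed sample rather than real output.

```shell
# Added example: count half-open connections per remote IP from netstat output.
# Assumes the Linux "netstat -ntu" layout: column 5 is the foreign address, column 6 the state.

# Constructed sample of "netstat -ntu" output: one host has several half-open connections.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40003      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:51000       ESTABLISHED
tcp        0      0 10.0.0.5:22             203.0.113.9:51001       SYN_RECV
tcp        0      0 10.0.0.5:443            192.0.2.33:6000         ESTABLISHED'

# syn_recv_by_ip: read netstat output on stdin and print "<count> <ip>" for every
# remote IP that has connections in SYN_RECV, most frequent first.
# The port is stripped with a regex instead of "cut -d:" so IPv6 addresses also work.
syn_recv_by_ip() {
    awk '$6 == "SYN_RECV" { sub(/:[0-9]+$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# half_open_total: total number of SYN_RECV connections in the input.
half_open_total() {
    awk '$6 == "SYN_RECV"' | wc -l | tr -d ' '
}

# flag_sources THRESHOLD: print the remote IPs whose SYN_RECV count exceeds THRESHOLD.
flag_sources() {
    syn_recv_by_ip | awk -v t="$1" '$1 > t { print $2 }'
}

# Demonstration on the constructed sample. On a live system replace the printf with
# "netstat -ntu | syn_recv_by_ip" and so on.
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_by_ip
printf '%s\n' "$SAMPLE_NETSTAT" | flag_sources 2
```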
[Reposted] Linux: judging DDoS attacks from the TCP state machine and the three-way handshake