SYN Flood attack, SYN Cookie defense, and Linux/FreeBSD Kernel Parameter Modification

Source: Internet
Author: User

Hacking is a promising career. I both like hackers and hate them. The so-called bad hacker is the one who makes someone else work overtime.

A SYN Flood is a typical Denial of Service (DoS) attack. A denial-of-service attack is one that, instead of breaking into the target, prevents the victim host or network from providing normal service, thereby achieving the attacker's goal indirectly. Hackers like to play with this to make the other side work overtime and to show off their skill, ability and daring. In fact, it amounts to nothing.

I. What is a SYN Flood attack?

A SYN Flood attack exploits the TCP three-way handshake in IPv4. The protocol stipulates that when one end wants to open a TCP connection to the other, it first sends a TCP SYN (synchronize) segment. On receiving it, the other end replies with a TCP SYN+ACK segment, and the initiator then returns a TCP ACK (acknowledge) segment; with that the three-way handshake is complete.

In the above process, there are some important concepts:

Half-open connection queue: during the three-way handshake the server maintains a queue of half-open connections, opening an entry for each client SYN packet (seq = j). The entry records that the server has received the SYN, has sent its acknowledgement to the client, and is waiting for the client's acknowledgement. Connections identified by these entries are in the SYN_RECV state on the server. When the client's acknowledgement arrives, the server deletes the entry and the connection enters the ESTABLISHED state. Put differently, when a TCP server receives a SYN it must, before it can send the SYN+ACK back, allocate a data area dedicated to that TCP connection. A connection in this state is generally called a half-open connection.

Backlog parameter: the maximum length of the half-open connection queue.

Number of SYN-ACK retransmissions: after the server sends the SYN-ACK, if it does not receive the client's acknowledgement it retransmits once; if after a further wait it still has none, it retransmits a second time, and so on. Once the number of retransmissions exceeds the maximum configured by the system, the system removes the connection from the half-open queue. Note that the wait before each retransmission is not necessarily the same.

Half-open connection lifetime: the longest an entry may remain in the half-open queue, that is, the time from the server receiving a SYN until it declares that SYN invalid, which is the sum of all the retransmission waits. It is also called the timeout or the SYN_RECV lifetime.

In the most common form of SYN Flood, an attacker sends a large number of TCP SYN packets to the victim in a short time; here the attacker plays the TCP client and the victim the TCP server. As described above, the victim allocates a dedicated data area for every SYN it receives, as long as the SYNs carry different source addresses (which attackers can easily forge). This places a heavy load on the TCP server, and eventually the system stops working properly.

II. Principles of SYN Cookies

SYN cookies are one of the effective countermeasures against SYN Flood attacks. The SYN cookie technique was invented by D. J. Bernstein and Eric Schenk.

A SYN cookie is a modification of the three-way handshake on the TCP server side designed to defeat SYN Flood attacks. The principle: when the TCP server receives a SYN and returns the SYN+ACK, instead of allocating a dedicated data area it computes a cookie value from the SYN packet and sends it as the initial sequence number of the SYN+ACK. When the TCP ACK arrives (carrying that cookie plus one as its acknowledgement number), the server checks the ACK's validity against the recomputed cookie; only if it is valid does it allocate the dedicated data area and go on to handle the TCP connection.
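The stateless handshake described above, as an added example that is not part of the original article or of any kernel's code: the server answers a SYN with a SYN+ACK whose initial sequence number is the cookie and stores nothing, then recomputes the cookie when the ACK arrives. The secret, the time-slot size and the 24+8 bit layout are constructed for the demo (real kernels additionally encode the MSS in the cookie).

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"   # a kernel would generate this at boot
SLOT_SECONDS = 60                      # granularity of the time slot in the cookie
COOKIE_WINDOW = 2                      # accept the current and the previous slot


def _cookie(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """Keyed hash of the connection 4-tuple, the client's ISN and a time slot."""
    msg = struct.pack("!HHI", src_port, dst_port, client_isn)
    msg += src_ip.encode() + b"|" + dst_ip.encode() + bytes([slot])
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    # 24 MAC bits in the high part, 8 time-slot bits in the low part = 32-bit ISN
    return (int.from_bytes(mac[:3], "big") << 8) | slot


def syn_received(src_ip, src_port, dst_ip, dst_port, client_isn, now):
    """Build the SYN+ACK (seq, ack) for a SYN without allocating any state.

    Under a flood the server does this for every forged SYN and still holds
    no half-open entry, which is the whole point of the technique."""
    slot = (now // SLOT_SECONDS) & 0xFF
    cookie = _cookie(src_ip, src_port, dst_ip, dst_port, client_isn, slot)
    return cookie, (client_isn + 1) & 0xFFFFFFFF


def ack_received(src_ip, src_port, dst_ip, dst_port, seq, ack, now):
    """Third handshake step: valid only if ack-1 is a cookie this server minted
    for this 4-tuple within the accepted window.  seq-1 is the client's ISN."""
    cookie = (ack - 1) & 0xFFFFFFFF
    slot = cookie & 0xFF
    age = (((now // SLOT_SECONDS) & 0xFF) - slot) & 0xFF
    if age >= COOKIE_WINDOW:           # stale cookie, or a slot never issued yet
        return False
    client_isn = (seq - 1) & 0xFFFFFFFF
    expected = _cookie(src_ip, src_port, dst_ip, dst_port, client_isn, slot)
    # constant-time compare so timing does not reveal which bits were wrong
    return hmac.compare_digest(cookie.to_bytes(4, "big"),
                               expected.to_bytes(4, "big"))
```

A forged SYN therefore costs the server one HMAC and no memory, while a genuine client completes the handshake as usual because it echoes the cookie back in its ACK.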

The following describes how to configure kernel parameters to implement SYN Cookie in Linux and FreeBSD.

III. Settings in Linux

If your server is not well configured and the number of TCP TIME_WAIT sockets reaches twenty or thirty thousand, the server is easily dragged to a halt. By tuning Linux kernel parameters you can reduce the number of TIME_WAIT sockets on the server.

The number of TIME_WAIT sockets can be checked with the following command:

The following is a code snippet:
netstat -an | grep "TIME_WAIT" | wc -l

On Linux, CentOS for example, you can edit the /etc/sysctl.conf file.

Add the following lines:

The following is a code snippet:
net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_keepalive_time = 1200
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.ip_local_port_range = 1024 65000
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_max_tw_buckets = 5000
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2


Note:

net.ipv4.tcp_syncookies = 1 enables SYN cookies. This is a boolean. When the SYN wait queue overflows, cookies are used so that a moderate SYN flood can be withstood. The default is 0 (disabled).
net.ipv4.tcp_tw_reuse = 1 enables reuse. This is a boolean. It allows TIME-WAIT sockets to be reused for new TCP connections. The default is 0 (disabled).
net.ipv4.tcp_tw_recycle = 1 enables fast recycling of TIME-WAIT sockets. This is a boolean. The default is 0 (disabled). Caveat: because this relies on per-host TCP timestamps, it breaks connections from clients behind NAT, and the option was removed in Linux 4.12.
net.ipv4.tcp_fin_timeout = 30 determines how long a socket closed by the local end stays in the FIN-WAIT-2 state. The unit is seconds.
net.ipv4.tcp_keepalive_time = 1200 sets the interval between keepalive messages when keepalive is enabled. The default is 2 hours, changed here to 20 minutes. The unit is seconds.
net.ipv4.ip_local_port_range = 1024 65000 sets the port range used for outgoing connections. The default range is small, 32768 to 61000, and is changed here to 1024 to 65000.
net.ipv4.tcp_max_syn_backlog = 8192 sets the length of the SYN (half-open) queue. The default is 1024; a queue of 8192 can hold more connections waiting for the handshake to complete.
net.ipv4.tcp_max_tw_buckets = 5000 sets the maximum number of TIME_WAIT sockets the system keeps at the same time. Above this number, TIME_WAIT sockets are destroyed immediately and a warning is logged. The default is 180000, changed here to 5000. For servers such as Apache and Nginx the preceding parameters already reduce TIME_WAIT sockets considerably, but they have little effect on Squid; this parameter caps the number of TIME_WAIT sockets and keeps a Squid server from being dragged down by them.
net.ipv4.tcp_synack_retries and net.ipv4.tcp_syn_retries set the number of SYN-ACK retransmissions (server side) and SYN retransmissions (client side), respectively.

Run the following command to make the configuration take effect:

The following is a code snippet:
/sbin/sysctl -p

If you do not want to edit /etc/sysctl.conf, you can also change a parameter directly from the command line:

The following is a code snippet:
/sbin/sysctl -w key=value

IV. Settings under FreeBSD

Yayu's personal point of view: FreeBSD's SYN defense may differ from Linux's, and the configuration parameters may differ too. The configuration and understanding below may not be correct :)

TCP connections have the concept of MSL (maximum segment lifetime), the longest a segment may live in the network. MSL is 30 s in most implementations; some use 2 minutes. In the TCP state machine, on the passive-close side the connection goes from CLOSE_WAIT to LAST_ACK, and the rule is that the end performing the active close, after sending the final ACK, must hold the connection in the TIME_WAIT state for twice the MSL. This lets TCP resend the last ACK if it is lost (the other end would time out and retransmit its final FIN).

One consequence of this rule is that the connection (client address and port, server address and port) cannot be reused during the 2 * MSL period. For example, if we create a connection, close it, and quickly try to reconnect, the port is unavailable.

The TIME_WAIT time is 2 * MSL, so it can be reduced by lowering net.inet.tcp.msl. For a web server this can be set to 7500 or even 2000 (when visiting a web server, if a page does not refresh within about 4 to 15 seconds, the visitor may as well give up -_-).

For parameter settings, see:

The following is a reference clip:

net.inet.tcp.syncookies = 1
Prevents DoS attacks.

net.inet.tcp.msl = 7500
Prevents DoS attacks. The default value is 30000.

net.inet.tcp.blackhole = 2
Drops all packets arriving at a closed port without responding. If set to 1, only TCP packets are affected.

net.inet.udp.blackhole = 1
Drops all UDP packets arriving at a closed port.

On FreeBSD, yayu did not find a "/sbin/sysctl -p" command to make the contents of /etc/sysctl.conf take effect, so the command is used directly:

The following is a code snippet:
sysctl net.inet.tcp.syncookies=1 net.inet.tcp.msl=7500 net.inet.tcp.blackhole=2 net.inet.udp.blackhole=1

V. Others

Besides tuning the server's kernel parameters, you can also adjust Timeout, KeepAlive, MaxClients and other directives in the Apache configuration file to resist DoS attacks. If an interface is being called, its call time must be controlled as well. That will be covered in a later article.

VI. Summary

I hate the bad hackers who make people work overtime, but they also push me to keep learning.

If anyone spots a mistake, please point it out. Thank you!
