System Security: solution to a DOS event

Source: Internet
Author: User

0. Analysis process

First, the type, characteristics and method of the DOS attack were analyzed.

Running netstat -na | grep SYN_RECV | wc showed a large number of connections in the SYN_RECV state, all with forged source addresses. The count reported by netstat -na | grep SYN_RECV | wc was exactly 1024, which is to be expected: the default SYN backlog on Linux is 1024, and SYNs beyond that are discarded.

The attacked port is port 80, the WWW service; naturally, the Web server was no longer accessible.

After SYN cookie protection was enabled the attack was mitigated, but the attack traffic then increased and the situation was still not good. On Linux, iptables cannot act as a SYN proxy, so we had to approach it from other directions and captured the traffic with tcpdump -w. Counting the capture gave roughly 1.8 million pps, of which more than 99% were SYN packets with forged source addresses.

Because the addresses are forged they are harder to deal with, but after careful statistics and analysis we extracted the main characteristics of this attack's data, namely the following:

Code:
1. the tcp flag is syn only
2. the total length of the ip packet is 40 Byte
3. the Identifier field in the ip header is fixed to 256 (0x0100)
4. the TTL value is distributed from 74 to 95
5. the tcp Window value is fixed to 16384
6. the target port is tcp: 80
7. the tcp initial sequence number is 1731410000xx, increasing progressively by +1

Pay particular attention to items 3, 4 and 5; they are the most important clues for us.

3. The IP identifier field is fixed at 0x0100. In the TCP/IP specification this field is a sequence number for the packet, used to tell apart the pieces of a connection's data and avoid duplicates. Although most operating systems do not strictly follow the specification, where the value comes from is definite: in a normal TCP/IP stack it should be the sequence number kept by the TCB (TCP Control Block, the kernel-space TCP data structure) that sends the packet. Even if a system does not strictly follow this, the identifier values of the data it sends over the network should be randomly distributed; a normal operating system network stack cannot emit a large number of packets with a fixed value such as 0x0100.

4. The TTL values are evenly distributed between 74 and 95. By common sense, the default TTL of most operating systems is a power of two such as 32, 64 or 128. On the other hand, every router a packet passes through decrements the TTL by one. Today's Internet routing is already quite good, however, and from any point a packet reaches the other end of the Internet in generally no more than 20-30 hops. I have tested this myself: from the China Netcom and China Telecom networks, the hop count to most Chinese and international websites is within 20, and the Tracert command in Windows likewise assumes a maximum of 30 hops before timing out. Normal Internet routes of more than 30 hops are rare. Let's do a simple subtraction:

Code:
128 - 30 = 98
64 - 30 = 34
32 - 30 = 2

Therefore, when a packet arrives at its endpoint after normal transmission, its TTL should fall within these ranges:

Code:
2-32 (rare), 34-64, 98-128


In this data sample, however, most of the SYN packets with spoofed addresses have a TTL between 74 and 95.

Other features, such as the IP length, the TCP window and the TCP SYN flag, can serve as additional judgment marks. The main attack pattern is thus extracted as follows:

Code:
a. tcp syn flag only, dst port 80
b. ip identifier = 0x0100
c. 74 < ttl < 95
d. tcp window = 16384

These four features.
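As an added example (not from the original article), the four-feature pattern applied in Python to raw IPv4/TCP headers such as those read out of a tcpdump -w capture, to measure how much of a capture matches the flood signature. The sample packets are constructed here, and the TTL bounds are assumed inclusive (74 to 95) as in the feature list above.

```python
import struct

# Attack fingerprint taken from the article's feature list (a-d); TTL bounds assumed inclusive.
ATTACK_IP_ID = 0x0100
ATTACK_TTL = (74, 95)
ATTACK_WINDOW = 16384
ATTACK_DST_PORT = 80
TCP_SYN = 0x02  # SYN bit alone; a SYN+ACK would carry 0x12

def parse_packet(raw: bytes) -> dict:
    """Extract the IPv4/TCP header fields the pattern uses (input has no link-layer header)."""
    ihl = (raw[0] & 0x0F) * 4
    total_len, ip_id, _frag, ttl, proto = struct.unpack("!HHHBB", raw[2:10])
    if proto != 6:
        raise ValueError("not a TCP segment")
    _src, dst_port, seq, _ack, off_flags, window = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    return {"total_len": total_len, "ip_id": ip_id, "ttl": ttl, "dst_port": dst_port,
            "seq": seq, "flags": off_flags & 0x01FF, "window": window}

def matches_attack_pattern(pkt: dict) -> bool:
    """True when a packet shows all four extracted features at once."""
    lo, hi = ATTACK_TTL
    return (pkt["flags"] == TCP_SYN and pkt["dst_port"] == ATTACK_DST_PORT  # a
            and pkt["ip_id"] == ATTACK_IP_ID                                  # b
            and lo <= pkt["ttl"] <= hi                                        # c
            and pkt["window"] == ATTACK_WINDOW)                               # d

def build_syn(ip_id, ttl, window, flags=TCP_SYN, seq=1):
    """Construct a minimal 40-byte IPv4+TCP header pair as test input (checksums left at 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0, ttl, 6, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp = struct.pack("!HHIIHHHH", 40000, ATTACK_DST_PORT, seq, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp

# Constructed sample "capture": three flood-pattern SYNs and two packets that must not match.
SAMPLE_CAPTURE = [
    build_syn(0x0100, 83, 16384, seq=0x6731A000),
    build_syn(0x0100, 77, 16384, seq=0x6731A001),
    build_syn(0x0100, 91, 16384, seq=0x6731A002),
    build_syn(0x3A7C, 52, 65535),              # ordinary client: random ID, TTL 64 minus 12 hops
    build_syn(0x0100, 83, 16384, flags=0x12),  # SYN+ACK with the same fields: not a flood SYN
]

def summarize(packets):
    """Return (matched, total) so the share of flood traffic in a capture can be read off."""
    matched = sum(matches_attack_pattern(parse_packet(p)) for p in packets)
    return matched, len(packets)
```

To run it over a real capture, feed each packet's IPv4 payload (link-layer header stripped) to parse_packet in place of the constructed list.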
