Enabling TCP intercept on the router to prevent SYN flood attacks

Source: Internet
Author: User
Tags: ack, iptables, server, port

(Please notify the original author when reprinting.) Original address: [link not preserved]

Preventing SYN flood attacks by enabling TCP intercept on the router

TCP intercept is a feature most router platforms provide; its main purpose is to defend against SYN flood attacks. A SYN attack exploits TCP's three-way handshake: the attacker sends connection requests to the victim from forged IP addresses, so the victim's SYN/ACK replies never reach a real destination, and the victim consumes resources while waiting for each half-open connection to time out and close. With thousands of such connections, the host's resources are exhausted, which is the attacker's goal. We can use the TCP intercept capability of routers (Cisco routers, for example) to protect the hosts on the network.
Enabling TCP intercept takes three steps:

1. Set the TCP intercept working mode

TCP intercept has two working modes: intercept and watch. In intercept mode the router actively intercepts and audits every TCP connection, which places a heavy burden on the router itself, so we usually let the router work in watch mode: it monitors the timing and number of TCP connections and closes any connection that exceeds the preset thresholds.

Format: ip tcp intercept mode {intercept | watch}

The default is intercept.

2. Set up an access list specifying the hosts to be protected

Format: access-list access-list-number {deny | permit} tcp source source-wildcard destination destination-wildcard

The access-list number is taken from the extended range 100-199.

For example, to protect the host 219.148.150.126 using extended list 101:

access-list 101 permit tcp any host 219.148.150.126

3. Enable TCP intercept

Format: ip tcp intercept list access-list-number

Example: we have two servers, 219.148.150.126 and 219.148.150.125, that need to be protected. They can be configured like this:

ip tcp intercept list 101
ip tcp intercept mode watch
........
access-list 101 permit tcp any host 219.148.150.125
access-list 101 permit tcp any host 219.148.150.126

After this configuration our hosts are protected to a certain extent.

Editor: Lin Jishan
--------------------------------------------------------------


Settings on the host

Almost all host platforms have a set of defences against DoS. In summary, there are a few basics:

* Close unnecessary services;
* Limit the number of concurrently open SYN half-connections: raise the connection queue length from the default of 128 or 512 to 2048 or more, so that each listening queue can absorb and digest more pending connections;
* Shorten the SYN half-connection timeout, so that normal connections still complete while illegal attack packets are shielded;
* Update the system and install patches in time.


Firewall

* Prohibit access to services the host does not expose
* Limit the maximum number of simultaneously open SYN connections
* Restrict access to specific IP addresses
* Enable the firewall's anti-DDoS features
* Strictly restrict the server's outbound access to what is actually needed

The fifth point is there to prevent your server from being used as a tool to harm others.


Router

Take the Cisco router as an example:

* Cisco Express Forwarding (CEF)
* Unicast Reverse Path Forwarding
* Access Control List (ACL) filtering
* Limit the SYN packet rate
* Upgrade an IOS version that is too old
* Set up a log server for the routers

Pay special attention when enabling CEF and unicast RPF: improper use will cause a serious drop in router efficiency, and upgrading IOS should also be done cautiously. The router is the core device of the network and needs careful configuration, so here is a small piece of experience to share about making changes: don't save them first, so that you can observe the effect. A Cisco router has two configurations, startup config and running config; what you modify is the running config. You can let the new configuration run for a period of time (3 to 5 days or so) and, once you feel it works, save it to the startup config. If you are not satisfied, restore the original configuration with copy start run.

Whether it is the firewall or the router that faces the outside, anti-DDoS settings must weigh the cost to normal business that may be sacrificed as a result; be cautious.

--------------------------------------------------------------
How to prevent attacks in advance

In fact, many attack methods are not new and have existed for a long time (DoS, for example); people basically know about them, but only when a malicious actor uses them to undermine network security does everyone realize the seriousness of the problem. Therefore, full attention should be given to establishing a sound security system to prevent them. In practice, we might as well guard against hacker attacks from the following aspects.

1. Use enough machines to withstand the attack. This is an ideal coping strategy. If the user has enough capacity and resources, then as the hacker keeps accessing the user and seizing the user's resources, the hacker's own energy is gradually exhausted; perhaps before the user is brought down, the hacker has no strength left to keep attacking.

2. Make full use of network equipment to protect network resources. The so-called network equipment refers to routers, firewalls and other load-balancing devices, which can protect the network effectively. When Yahoo was attacked, the first thing to go down was the router, but the other machines did not. A downed router returns to normal after a restart, and it starts up quickly with no loss. If the other servers had died, data would have been lost, and restarting a server is a long process; I believe that without the router as a barrier, Yahoo would have suffered immeasurable damage.

3. Use Express Forwarding to filter unnecessary services and ports, that is, to filter forged IP addresses on the router. Cisco Express Forwarding (CEF), for example, can compare a packet's source IP address against the routing table and filter it.

4. Use unicast Reverse Path Forwarding to check the source of the visitor. It checks whether the visitor's IP address is genuine by looking it up in the reverse routing table, and masks it if it is false. Many hackers use fake IP addresses to confuse users, making it hard to find out where they come from; using unicast Reverse Path Forwarding can therefore reduce the appearance of false IP addresses and help improve network security.

5. Filter all RFC 1918 IP addresses. RFC 1918 addresses are intranet addresses such as 10.0.0.0, 192.168.0.0 and 172.16.0.0; they are not fixed addresses of any network segment but reserved regional addresses within the Internet, and should be filtered out.

6. Limit SYN/ICMP traffic. The user should configure the maximum SYN/ICMP flow on the router to limit the maximum bandwidth that SYN/ICMP packets can occupy, so that when a large volume exceeds the SYN/ICMP limit, it is not normal network access but a hacker intrusion.

----------------------------------------
The technology of SYN attack prevention

SYN attack prevention has been studied for quite a long time. To sum up, there are two major categories: protection by a filtering gateway such as a firewall or router, and hardening the TCP/IP protocol stack. But it must be clear that SYN attacks cannot be completely blocked; what we do is minimize the risk of SYN attacks, unless the TCP protocol is redesigned.

1. Filtering gateway protection

Here, the filtering gateway mainly means the firewall, though of course a router can also act as a filtering gateway. Firewalls are deployed between different networks to stop illegal attacks from outside and to prevent confidential information from leaking out; they sit between the client and the server, so using them to guard against SYN attacks works very well. Filtering gateway protection mainly comes in three kinds: the timeout setting, the SYN gateway and the SYN proxy.

Gateway timeout setting: the firewall sets a SYN forwarding timeout parameter (a stateful firewall can set it in its state table) that is much shorter than the server's timeout. When the client sends a SYN packet and the server replies with a SYN+ACK, if the firewall has not received the client's ACK by the time the counter expires, it sends an RST packet to the server so that the server removes the half-open connection from its queue. Note that the gateway timeout should not be set too small: too small a value affects normal communication, while too large a value reduces the effectiveness against SYN attacks, so this parameter must be set according to the network application environment.

SYN gateway: when the SYN gateway receives the client's SYN packet, it forwards it directly to the server. When it receives the server's SYN/ACK packet, it forwards that packet to the client and at the same time sends an ACK to the server on the client's behalf, at which point the server moves from the half-open state to the connected state. When the client's own ACK arrives, it is forwarded if it carries data and otherwise discarded. In fact, besides the half-open queue the server also keeps a connection queue; a SYN attack then inflates the connection queue instead, but a typical server can sustain far more established connections than half-open ones, so this method effectively reduces the attack's effect on the server.

SYN proxy: when the client's SYN packet reaches the filtering gateway, the SYN proxy does not forward it but actively replies with a SYN/ACK to the client in the server's name. If the client's ACK is received, this is a normal access, and only then does the firewall send the SYN to the server. The SYN proxy therefore handles SYN attacks in place of the server, which requires the filtering gateway itself to have a strong ability to withstand SYN attacks.

2. Hardening the TCP/IP protocol stack

Another major technique for preventing SYN attacks is to adjust the TCP/IP protocol stack, modifying the TCP protocol implementation. The main methods are the SynAttackProtect mechanism, SYN cookie technology, increasing the maximum number of half-open connections and shortening the timeout. Adjusting the TCP/IP stack may limit some functionality, so administrators should do so only with full understanding and testing.

SynAttackProtect mechanism

To defend against SYN attacks, the TCP/IP stack of Win2000 has a built-in SynAttackProtect mechanism, which Win2003 also adopts. SynAttackProtect works by turning off certain socket options, adding additional connection indications and reducing timeouts so that the system can handle more SYN connections. By default Win2000 does not enable SynAttackProtect; the SynAttackProtect value must be added under the following registry key:

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

Unless otherwise stated, the registry values mentioned in this article are given in base 16 (hexadecimal). When SynAttackProtect is 0 or is not set, the system is not protected by SynAttackProtect.

When SynAttackProtect is 1, the system guards against SYN attacks by reducing the number of retransmissions and delaying the creation of the route cache entry until the connection is established.

When SynAttackProtect is 2 (the value recommended by Microsoft), the system not only uses the backlog queue but also uses additional half-open connection indications to handle more SYN connections. With this value, the TCP/IP TcpInitialRtt, window size and sliding window options are disabled.

Note that in normal operation the SynAttackProtect mechanism is not active; only when a SYN attack is detected is it enabled and the TCP/IP stack adjusted. So how does the system detect that a SYN attack is happening? It decides based on three parameters: TcpMaxHalfOpen, TcpMaxHalfOpenRetried and TcpMaxPortsExhausted.

TcpMaxHalfOpen is the maximum number of half-open connections the system handles at the same time; if this value is exceeded, the system considers itself under SYN attack. The default is 100 on Win2000 Server and 500 on Win2000 Advanced Server.

TcpMaxHalfOpenRetried defines the number of half-open connections held in the backlog queue; if this value is exceeded, the system automatically starts the SynAttackProtect mechanism. The default is 80 on Win2000 Server and 400 on Win2000 Advanced Server.

TcpMaxPortsExhausted is the number of SYN request packets rejected by the system; the default is 5.

To adjust the default values of the above parameters, modify them in the registry (same location as SynAttackProtect).

SYN Cookies Technology

We know that the TCP protocol sets aside a relatively large memory area, the backlog queue, to store half-open connection entries; as SYN requests increase this space fills up and the system starts discarding SYN connections. SYN cookie technology was designed to let the server keep processing new SYN requests even when the half-open queue is full.

SYN cookies are used on Linux, FreeBSD and other operating systems. When the half-open queue is full, SYN cookies do not discard the SYN request but instead encode the half-open state by cryptographic means.

In a TCP implementation, when the client's SYN arrives the server must reply with a SYN+ACK, and the client then sends a confirmation packet back to the server. Usually the server computes its initial sequence number according to some rule or at random, but with SYN cookies the server's initial sequence number is a hash over the client IP address, client port, server IP address, server port and other secret values; this encrypted value is called the cookie. When a SYN attack fills the backlog queue, the server does not reject new SYN requests but replies with the cookie as the sequence number of its SYN+ACK. If the client's ACK arrives, the server subtracts 1 from the client's acknowledgement number to recover the cookie, hashes the same elements again and checks whether the result equals this cookie. If they are equal, the three-way handshake completes directly (note: at this point the connection does not need to be found in the backlog queue).

On Red Hat Linux, SYN cookies are enabled by running the following command in the startup environment:

# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
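The cookie computation and check described above, as an added example (not the article's code and not the Linux or FreeBSD implementation): the cookie is a truncated HMAC over the connection 4-tuple plus a coarse time slot, and the client's ACK is validated by recomputing it from ack - 1. The secret, slot length, addresses and ports are constructed values.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed parameters: a real stack rotates the secret and uses its own clock.
SECRET = b"constructed-server-secret"
SLOT_SECONDS = 64       # granularity of the time slot folded into the cookie
MAX_AGE_SLOTS = 2       # accept cookies minted in the current or two previous slots
MASK32 = 0xFFFFFFFF


def _four_tuple(client_ip, client_port, server_ip, server_port):
    """Pack client IP, client port, server IP, server port into bytes for hashing."""
    return (ipaddress.ip_address(client_ip).packed + struct.pack("!H", client_port)
            + ipaddress.ip_address(server_ip).packed + struct.pack("!H", server_port))


def _cookie(tuple_bytes, slot, secret):
    """Cookie = 24-bit truncated HMAC over (4-tuple, slot), slot kept in the low 8 bits.

    Carrying the slot inside the cookie lets the server recompute exactly what it
    sent without storing anything about the half-open connection.
    """
    mac = hmac.new(secret, tuple_bytes + bytes([slot]), hashlib.sha256).digest()
    return (int.from_bytes(mac[:3], "big") << 8) | slot


def make_syn_cookie(client_ip, client_port, server_ip, server_port, now, secret=SECRET):
    """Initial sequence number for the SYN/ACK when the backlog queue is full.

    No queue entry is allocated; the cookie itself is the only state.
    """
    slot = int(now // SLOT_SECONDS) & 0xFF
    return _cookie(_four_tuple(client_ip, client_port, server_ip, server_port), slot, secret)


def check_syn_cookie(ack_seq, client_ip, client_port, server_ip, server_port, now,
                     secret=SECRET):
    """Validate the handshake's third packet: the cookie must equal ack_seq - 1.

    Returns True only if the cookie was minted for this exact 4-tuple within the
    last MAX_AGE_SLOTS slots; a guessed or replayed ACK fails and no connection
    is created.
    """
    cookie = (ack_seq - 1) & MASK32
    slot = cookie & 0xFF
    age = (int(now // SLOT_SECONDS) - slot) & 0xFF
    if age > MAX_AGE_SLOTS:
        return False        # stale cookie, or a value that was never ours
    expected = _cookie(_four_tuple(client_ip, client_port, server_ip, server_port), slot, secret)
    return hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big"))


def handshake_demo():
    """One legitimate and one spoofed handshake against the same listener.

    Returns (legit_accepted, spoofed_accepted); expected (True, False).
    """
    now = 1_000_000.0
    client, server = ("198.51.100.7", 40000), ("203.0.113.10", 80)
    isn = make_syn_cookie(*client, *server, now)
    # The real client saw the SYN/ACK and acknowledges isn + 1.
    legit = check_syn_cookie((isn + 1) & MASK32, *client, *server, now + 1)
    # A spoofed source never saw the SYN/ACK, so it can only guess the number.
    spoofed = check_syn_cookie(0x12345678, *client, *server, now + 1)
    return legit, spoofed
```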

Increase the maximum number of semi-connections

A flood of SYN requests fills the half-open queue so that normal TCP connections cannot complete the three-way handshake; enlarging the half-open queue relieves this pressure. Of course the backlog queue consumes considerable memory and cannot be expanded without limit.

Win2000: besides the TcpMaxHalfOpen and TcpMaxHalfOpenRetried parameters described above, Win2000 can enable dynamic backlog to increase the maximum number of connections the system can hold. Dynamic backlog is configured through Afd.sys, a kernel-level driver that supports Windows Sockets applications such as FTP and Telnet. The registry location for Afd.sys is:
HKLM\System\CurrentControlSet\Services\AFD\Parameters
When the EnableDynamicBacklog value there is 1, dynamic backlog is enabled and the maximum number of half-open connections can be modified.

MinimumDynamicBacklog is the minimum number of free connections that the half-open queue allocates to a single TCP port; when the free connections in the port's backlog queue fall below this threshold, the system automatically extends the free connections for this port (by DynamicBacklogGrowthDelta). Microsoft recommends a value of 20.

MaximumDynamicBacklog is the sum of the currently active half-open connections and free connections; when this sum exceeds the threshold, the system rejects SYN packets. Microsoft recommends that MaximumDynamicBacklog not exceed 2000.

DynamicBacklogGrowthDelta is the number of free connections added in one extension; these are not counted within MaximumDynamicBacklog. When the free connections allocated to a TCP port in the half-open queue fall below MinimumDynamicBacklog, the system automatically allocates the free connection space defined by DynamicBacklogGrowthDelta so that the port can handle more half-open connections. Microsoft recommends a value of 10.

Linux: Linux uses the variable tcp_max_syn_backlog to define the maximum number of half-open connections the backlog queue holds. In Red Hat 7.3 the default is 256, which is far from sufficient: a low-intensity SYN attack can fill the half-open queue. We can modify the variable with the following command:

# sysctl -w net.ipv4.tcp_max_syn_backlog=2048

Sun Solaris: Sun Solaris uses the variable tcp_conn_req_max_q0 to define the maximum number of half-open connections; in Sun Solaris 8 the default is 1024, which can be changed with the ndd command:

# ndd -set /dev/tcp tcp_conn_req_max_q0 2048

HP-UX: HP-UX uses the variable tcp_syn_rcvd_max to define the maximum number of half-open connections; the default in HP-UX 11.00 is 500, which can be changed with the ndd command:

# ndd -set /dev/tcp tcp_syn_rcvd_max 2048

Shorten timeout time

As mentioned above, SYN attacks can be countered by increasing the backlog queue; the system can also process more SYN requests by reducing the timeout. The timeout, also called the half-open connection lifetime, is the total time the system waits before giving up on the connection. For a given backlog queue size, the larger this value, the fewer SYN requests the system can handle. To shorten the timeout, shorten the retransmission timeout (usually the first retransmission timeout) and reduce the number of retransmissions.

On Win2000 the wait time before the first retransmission defaults to 3 seconds; to change this default, modify the TcpInitialRtt value for the network adapter in the registry. The number of retransmissions is defined by TcpMaxConnectResponseRetransmissions, whose registry location is the key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.

Of course, we can also set the number of retransmissions to 0, so that if the server receives no ACK within 3 seconds, the connection entry is automatically removed from the backlog queue.

Linux: Red Hat uses the variable tcp_synack_retries to define the number of retransmissions; the default is 5, and the total timeout is 3 minutes.

Sun Solaris: the default number of retransmissions on Solaris is 3, with a total timeout of 3 minutes, which can be modified with the ndd command.

--------------------------------
iptables settings, quoted from CU


Prevent SYN floods (SYN flood):
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Some people write it as:
# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT
--limit 1/s limits SYN packets to 1 per second; adjust it to your needs.
Prevent various port scans:
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping flood attack (ping of death):
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

----------------------------------

Recently, a design flaw known as the buffer overflow has been seriously endangering system security and is becoming a bigger headache than Y2K. Once this flaw is discovered by someone with ulterior motives, it can be exploited as a means of unlawful intrusion, destroying the information in the computer. According to statistics, attacks through buffer overflows account for more than 80% of all attacks on systems, and the so-called distributed denial of service (DDoS) attacks recently suffered by various sites are also an attack mode that makes use of the buffer overflow principle.

Simply put, a buffer overflow is an attack on a system in which data written to a program buffer exceeds its length, corrupting the program's stack and making the program execute other instructions to achieve the attacker's goal. The intruder in a distributed denial of service (DDoS) attack uses a long string to fill the communication field beyond its designed capacity; some of the excess string is mistaken by the computer for instructions to execute, which gives the intruder a chance to enter the computer without the system being aware of it. Reports say that the "buffer overflow" is a very common computer security problem that has recurred over the past decade and that intruders can use it to take full control of a computer.
