TCP/IP stack reinforcement for Unix operating systems-TCP protocol section

Source: Internet
Author: User
Tags: rfc

TCP uses a three-way handshake to establish a connection. The first packet of the handshake is a SYN packet; the second is a SYN/ACK packet, which acknowledges the first SYN and continues the handshake; the third is only an acknowledgement, a plain ACK packet. Let A be the initiating party and B the responding party. Attack threats:

Attackers listen to SYN/ACK packets sent by B.

The attacker sends an RST packet to B and then sends a SYN packet, impersonating A to initiate a new connection.

B responds to the new connection with a SYN/ACK packet.

The attacker then impersonates A again and sends an ACK packet to B.

In this way, the attacker can disrupt the connection. If the attacker takes the opportunity to insert malicious data packets, the consequences are more serious.

Attacks against TCP include:

TCP SYN scan, a port scan: the TCP SYN scan is a variant of port scanning. A port scan checks whether ports on a specified host are open.

SYN flood, a denial-of-service attack: before the Smurf attack became popular, the SYN flood was the most destructive denial-of-service attack.

1. Increase the system's resilience under heavy TCP load so that it is more resistant to SYN flood attacks

Perform the following steps:

Purchase more physical memory.

Use SYN cookies (available in Linux 2.4-2.6 and BSD). When the half-open connection queue is full, SYN cookies do not discard SYN requests; instead they use a cryptographic technique to encode the half-open connection state. Limit the number of SYN half-open connections that can be open at the same time.

Increase the maximum number of half-open connections: a large number of SYN requests fills the queue of unestablished connections so that normal TCP connections cannot complete the three-way handshake. Increasing the size of this queue relieves the pressure.

Shorten the timeout of SYN half-open connections.

Increasing the backlog queue helps against SYN attacks; in addition, reducing the timeout lets the system process more SYN requests. The timeout, that is, the lifetime of a half-open connection, is the total time the system spends on all retransmissions. The larger the value, the longer a half-open connection occupies the backlog queue, and the fewer SYN requests the system can handle. To shorten the timeout, shorten the retransmission timeout (generally the first retransmission timeout) and reduce the number of retransmissions.

  AIX 5
    # no -o clean_partial_conns=1

  FreeBSD 5-7
    # sysctl -w kern.ipc.somaxconn=1024

  HP-UX 10
    # ndd -set /dev/tcp tcp_syn_rcvd_max 1024
    # ndd -set /dev/tcp tcp_conn_request_max 200
    # ndd -set /dev/tcp tcp_time_wait_interval 60000

  Linux 2.4-2.6
    # sysctl -w net.ipv4.tcp_max_syn_backlog=2048
    # sysctl -w net.ipv4.tcp_syncookies=1
    # sysctl -w net.ipv4.tcp_synack_retries=0

  OpenBSD 3-4: already the default setting

  Solaris 8-10
    # ndd -set /dev/tcp tcp_conn_req_max_q 1024
    # ndd -set /dev/tcp tcp_conn_req_max_q0 4096
    # ndd -set /dev/tcp tcp_time_wait_interval 60000
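To make the relationship in the steps above concrete (backlog size, half-open lifetime, and how many unanswered SYNs a host can absorb before the queue fills), here is an added Python example that is not part of the original article. It assumes a simplified exponential-backoff SYN/ACK retransmission model with a 1 s initial timeout, and uses constructed sysctl output showing an unhardened configuration beside the Linux values listed above.

```python
# Added example, not from the original article: a simplified model of the
# half-open (SYN_RECV) queue described above. It assumes a Linux-like SYN/ACK
# retransmission schedule: first retransmission after 1 s, doubling thereafter.
from typing import Dict

def half_open_lifetime(synack_retries: int, initial_rto: float = 1.0) -> float:
    """Seconds a half-open entry occupies the backlog before the kernel gives up.
    Exponential backoff gives initial_rto * (2**(retries + 1) - 1):
    0 retries -> 1 s, 5 retries (a common default) -> 63 s."""
    return initial_rto * (2 ** (synack_retries + 1) - 1)

def sustainable_syn_rate(backlog: int, synack_retries: int) -> float:
    """Unanswered SYNs per second the queue can absorb before it fills."""
    return backlog / half_open_lifetime(synack_retries)

def parse_sysctl(text: str) -> Dict[str, int]:
    """Parse 'key = value' lines in the format printed by `sysctl -a`."""
    settings: Dict[str, int] = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = int(value)
    return settings

def syn_flood_profile(sysctl_text: str) -> Dict[str, object]:
    """Summarise how a Linux configuration behaves under a SYN flood."""
    s = parse_sysctl(sysctl_text)
    retries = s["net.ipv4.tcp_synack_retries"]
    return {
        "lifetime_s": half_open_lifetime(retries),
        "syn_per_s": sustainable_syn_rate(s["net.ipv4.tcp_max_syn_backlog"], retries),
        # Without SYN cookies, a full queue means new SYNs are discarded.
        "drops_when_full": s.get("net.ipv4.tcp_syncookies", 0) == 0,
    }

# Constructed sysctl output: an unhardened configuration beside the Linux
# values recommended in the article.
UNHARDENED = ("net.ipv4.tcp_max_syn_backlog = 1024\n"
              "net.ipv4.tcp_synack_retries = 5\nnet.ipv4.tcp_syncookies = 0\n")
HARDENED = ("net.ipv4.tcp_max_syn_backlog = 2048\n"
            "net.ipv4.tcp_synack_retries = 0\nnet.ipv4.tcp_syncookies = 1\n")

if __name__ == "__main__":
    for name, cfg in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        p = syn_flood_profile(cfg)
        print(f"{name}: half-open lifetime {p['lifetime_s']:.0f} s, absorbs "
              f"~{p['syn_per_s']:.1f} unanswered SYN/s, drops when full: {p['drops_when_full']}")
```

The unhardened profile holds each half-open entry for 63 s and absorbs only about 16 unanswered SYNs per second, while the hardened one absorbs 2048 per second and, with SYN cookies on, keeps answering SYNs even when the queue is full.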

Note: SYN attack defenses fall into two main categories: filtering at firewalls and routers (gateway protection) and TCP/IP protocol stack hardening. It must be clear, however, that SYN attacks cannot be blocked completely; short of redesigning the TCP protocol, all we can do is minimize their harm.

2. Set the TCP send and receive windows to at least 32 KB but no more than 64 KB

  AIX 5
    # no -o tcp_sendspace=32768
    # no -o tcp_recvspace=32768

  FreeBSD 5-7
    # sysctl -w net.inet.tcp.sendspace=32768
    # sysctl -w net.inet.tcp.recvspace=32768

  HP-UX 10: already the default setting

  Linux 2.4-2.6: the kernel supports dynamic adjustment (RFC 1323 and RFC 2018)

  OpenBSD 3-4: the kernel supports dynamic adjustment (RFC 1323 and RFC 2018)

  Solaris 8-10
    # ndd -set /dev/tcp tcp_xmit_hiwat 32768
    # ndd -set /dev/tcp tcp_recv_hiwat 32768

This concludes the introduction to TCP attacks and the corresponding hardening. I hope you have mastered the content; we will continue with further articles.
