DoS (denial-of-service) and DDoS (distributed denial-of-service) attacks are among the main security threats to large Web sites and network servers. The attacks on Yahoo, Amazon and CNN in February 2000 are recorded as major security events. Because it is so effective, SYN flood is currently the most popular DoS and DDoS attack method.
A SYN flood exploits a flaw in the TCP protocol: it sends a large number of forged TCP connection requests, exhausting the targeted resource so that it cannot respond to or process legitimate service requests in time. A normal TCP connection requires a three-way handshake. First the client sends a packet with the SYN flag set; the server then returns a SYN/ACK reply, indicating that the client's request is accepted; finally the client returns an ACK confirmation packet, which completes the TCP connection. After the server has sent its reply, if the client never sends the confirmation, the server keeps the half-open connection in a limited cache queue until it times out. If a large number of SYN packets are sent to the server and never acknowledged, the server's TCP resources are quickly depleted, so that normal connections cannot be established. It can even cause the server's operating system to crash.
Firewalls are commonly used to protect an internal network from unauthorized access from the outside. Because a firewall sits between the client and the server, using it to block DoS attacks effectively protects the internal servers. Against SYN flood, firewalls typically offer three defenses: the SYN gateway, the passive SYN gateway, and the SYN relay.
SYN gateway: when the firewall receives the client's SYN packet, it forwards it directly to the server. When the firewall receives the server's SYN/ACK packet, it forwards the SYN/ACK to the client and at the same time sends an ACK packet to the server in the client's name, completing the TCP three-way handshake and moving the server's entry from the half-open state to the established state. When the client's real ACK packet arrives, the firewall forwards the client's data to the server; if it never arrives, the packet is discarded. Because a server can hold far more established connections than half-open ones, this method effectively reduces the impact of the attack on the server.
Passive SYN gateway: the firewall is configured with a SYN request timeout that is much shorter than the server's own timeout. The firewall forwards the SYN packets the client sends to the server, the SYN/ACK packets the server sends to the client, and the ACK packets the client sends to the server. If the client has not sent its ACK packet by the time the firewall's timer expires, the firewall sends an RST packet to the server so that the server removes the half-open connection from its queue. Because the firewall's timeout is far shorter than the server's, this effectively prevents SYN flood attacks.
SYN relay: when the firewall receives the client's SYN packet, it does not forward it to the server. Instead it records the connection state and sends a SYN/ACK packet to the client itself. If the client's ACK packet then arrives, the access is legitimate, and only now does the firewall send a SYN packet to the server and complete the three-way handshake on the client's behalf. In this way the firewall acts as a proxy that establishes the connection between client and server, and it completely filters out connections that would never be completed before they reach the server.
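The SYN relay mode described above, as an added example simulation (not code from the original article): the firewall answers SYN itself, opens the server-side handshake only after the client's ACK arrives, and expires half-open entries that never complete. The `SynRelay` class, its packet names and the `simulate_flood` scenario are constructed for illustration.

```python
from dataclasses import dataclass, field

SYN, SYN_ACK, ACK = "SYN", "SYN/ACK", "ACK"

@dataclass
class SynRelay:
    """Firewall in SYN-relay mode: answers SYN itself and contacts the server
    only after the client's ACK proves the source address is reachable."""
    timeout: float                                 # lifetime of a half-open entry at the relay
    pending: dict = field(default_factory=dict)    # client -> time its SYN was seen
    verified: set = field(default_factory=set)     # clients whose ACK has arrived
    to_server: list = field(default_factory=list)  # (client, flags) packets sent on to the server
    to_client: list = field(default_factory=list)  # (client, flags) packets answered to the client

    def from_client(self, client, flags, now):
        if flags == SYN:
            # Not forwarded: record state and reply SYN/ACK on the server's behalf.
            self.pending[client] = now
            self.to_client.append((client, SYN_ACK))
        elif flags == ACK and client in self.pending:
            # Third handshake step arrived, so start the real handshake with the server.
            del self.pending[client]
            self.verified.add(client)
            self.to_server.append((client, SYN))
        # Anything else (an ACK with no prior SYN, stray flags) is dropped silently.

    def from_server(self, client, flags):
        if flags == SYN_ACK and client in self.verified:
            # Complete the server-side handshake as the client's proxy.
            self.to_server.append((client, ACK))

    def expire(self, now):
        """Drop half-open entries older than the relay timeout; return how many."""
        stale = [c for c, t in self.pending.items() if now - t >= self.timeout]
        for c in stale:
            del self.pending[c]
        return len(stale)


def simulate_flood(spoofed=1000, timeout=3.0):
    """Constructed scenario: one legitimate client plus many spoofed SYNs that never
    ACK. Returns (SYNs the server saw, entries expired, entries still pending)."""
    fw = SynRelay(timeout)
    for i in range(spoofed):
        fw.from_client(f"spoof-{i}", SYN, now=0.0)   # constructed spoofed sources
    fw.from_client("legit", SYN, now=0.0)
    fw.from_client("legit", ACK, now=0.2)
    fw.from_server("legit", SYN_ACK)
    expired = fw.expire(now=timeout)
    server_syns = sum(1 for _, f in fw.to_server if f == SYN)
    return server_syns, expired, len(fw.pending)
```

Only the verified client ever produces a SYN toward the server; the flood is absorbed entirely by the relay's own table and cleared by `expire`.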