The principle of the SYN flood network attack and methods of defending against it

Source: Internet
Author: User

  1 Introduction to the SYN Flood Attack

Denial of service (DoS) is an effective form of network attack that is very difficult to defend against. Its purpose is to prevent a server from serving legitimate users. As a result, DoS poses a deadly threat to businesses and organizations whose operations depend closely on the Internet.

SYN flood is the most effective and most popular form of DoS attack. It exploits a flaw in the TCP three-way handshake: the attacker sends a large number of SYN connection requests with forged source addresses to the target host, exhausting the target's resources so that it can no longer serve legitimate users.

  1.1 The process of establishing a TCP connection

In order to understand the basic principle of the SYN flood attack, we must first introduce TCP's three-way handshake mechanism.
The TCP three-way handshake proceeds as follows:
1) The client sends a TCP segment with the SYN flag set to the server, containing the port number used by the client and the client's initial sequence number x;

2) When the server receives the client's SYN segment, it replies with a TCP segment with both the SYN and ACK flags set, containing the acknowledgement number x+1 and the server's initial sequence number y;

3) When the client receives the SYN+ACK segment returned by the server, it returns an ACK segment with sequence number x+1 and acknowledgement number y+1 to the server, and a standard TCP connection is complete. This is shown in Figure 1:

Figure 1: TCP three-way handshake between a TCP client (client port 1024-65535) and a TCP server (server port 1-1023): SYN, SYN/ACK, ACK.

  1.2 Principle of the attack

In a SYN flood attack, the attacker's machine sends a large number of TCP SYN packets with forged source addresses to the victim host. The victim allocates the necessary resources for each request, returns a SYN+ACK packet to the source address and waits for the source to return an ACK packet, as shown in Figure 2. Because the source address is forged, the source will never return an ACK, so the victim keeps retransmitting the SYN+ACK while the half-open connection sits in the port's backlog queue. A typical host does have a time-out mechanism and a default number of retransmissions, but the length of the port's half-open connection queue is limited. If a large number of TCP SYN packets are sent to the victim host, the half-open queue fills up quickly and the server rejects new connections, so the port can no longer respond to connection requests from other machines and the victim host's resources are eventually exhausted.

Figure 2: SYN flood with a forged source address: the TCP client side (client port 1024-65535) sends SYN to the TCP server (server port 1-1023); the server replies SYN/ACK to the forged address and no ACK ever follows.

  2 Several defense techniques

After SYN flood attacks began to have a significant impact on the Internet, several fairly effective techniques for defending against them were developed.

 2.1 SYN-cookie technology

In general, when a server receives a TCP SYN segment it immediately allocates a buffer for the connection request and then returns a SYN+ACK segment, which forms a half-open connection. This is exactly what the SYN flood exploits: it sends a large number of SYN connection requests with forged source addresses and never completes the connections, which is a huge drain on the server's resources.

SYN-cookie technology changes the resource allocation strategy of the standard TCP connection process. When the server receives a SYN segment it does not allocate the buffer immediately; instead it generates a cookie from the connection's information and uses that cookie as the initial sequence number of the SYN+ACK it returns. When the client returns an ACK segment, the server recomputes the cookie from the header information and compares it with the first 24 bits of the returned acknowledgement number (the initial sequence number + 1). If they match, this is a normal connection, and only then does the server allocate resources and establish the connection.

The ingenious point of this technique is that it avoids allocating resources before the connection information has fully arrived, which defeats the resource consumption of the SYN flood attack. The key to the implementation is the calculation of the cookie. The cookie must be computed so that it contains state information about this connection and so that an attacker cannot forge it. The cookie is calculated as follows:

1) When the server receives a SYN packet, it computes a message digest MAC:
MAC = MAC(A, K);
MAC is a message authentication code function from cryptography, a keyed hash function that satisfies certain security properties and can provide the security required for the cookie calculation.
A is the concatenation of the IP addresses and port numbers of both the client and the server with the time parameter T:
A = Source_ip || Source_port || Dst_ip || Dst_port || T
K is a key unique to the server;
The time parameter T is a 32-bit time counter that is incremented by 1 every 64 seconds;

2) Generate the cookie:
Cookie = MAC(0:24), the first 24 bits (bits 0 through 23) of the MAC value;

3) Set the initial sequence number of the SYN+ACK segment to be returned, as follows:
i. The high 24 bits are replaced with the cookie;
ii. The next 3 bits are replaced with an encoding of the MSS (maximum segment size) requested by the client;
iii. The final 5 bits are T mod 32.
When the client receives the SYN+ACK from the server it returns an ACK segment, and this ACK carries the cookie (its acknowledgement number is the initial sequence number of the server's SYN+ACK plus 1, which does not affect the high 24 bits). The server recomputes the cookie and compares it with the first 24 bits of the acknowledgement number; if they are the same, the value has not been modified and the connection is valid, and the server then completes the connection establishment.
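As an added example (not code from the article), the cookie construction and the stateless ACK check of steps 1 to 3 in Python. It assumes HMAC-SHA256 as the MAC function, a constructed server key K and MSS table, and that the low 5 bits (T mod 32) are used to recover which of the last few counter values T the cookie was issued under, which the article implies but does not spell out.

```python
import hmac
import hashlib
import socket
import struct

# Constructed for this example (not from the article): the server's secret key K
# and an 8-entry MSS table selected by the 3-bit field of the initial sequence number.
SERVER_KEY = b"constructed-demo-key-replace-in-production"
MSS_TABLE = [536, 1024, 1220, 1440, 1460, 4312, 8960, 65495]

def time_counter(now_seconds):
    """T: a 32-bit counter that advances by 1 every 64 seconds."""
    return (now_seconds // 64) & 0xFFFFFFFF

def cookie24(src_ip, src_port, dst_ip, dst_port, t):
    """Cookie = first 24 bits of MAC(A, K), A = src_ip||src_port||dst_ip||dst_port||T.
    HMAC-SHA256 stands in for the MAC function the article leaves unspecified."""
    a = (socket.inet_aton(src_ip) + struct.pack("!H", src_port)
         + socket.inet_aton(dst_ip) + struct.pack("!H", dst_port)
         + struct.pack("!I", t))
    mac = hmac.new(SERVER_KEY, a, hashlib.sha256).digest()
    return int.from_bytes(mac[:3], "big")

def make_isn(src_ip, src_port, dst_ip, dst_port, mss_index, t):
    """ISN of the SYN+ACK: 24-bit cookie | 3-bit MSS index | 5-bit (T mod 32)."""
    c = cookie24(src_ip, src_port, dst_ip, dst_port, t)
    return (c << 8) | ((mss_index & 0x7) << 5) | (t % 32)

def check_ack(src_ip, src_port, dst_ip, dst_port, ack_number, now_t, window=4):
    """Validate the client's ACK with no stored state. ack_number - 1 is the ISN we
    sent; its low 5 bits pick which recent T to recompute with (assumption: only the
    last `window` counter values are accepted). Returns (valid, mss)."""
    isn = (ack_number - 1) & 0xFFFFFFFF
    t_low, mss_index, received = isn & 0x1F, (isn >> 5) & 0x7, isn >> 8
    for back in range(window):
        t = (now_t - back) & 0xFFFFFFFF
        if t % 32 == t_low:
            # Recompute the cookie for this T and compare it with the high 24 bits.
            ok = cookie24(src_ip, src_port, dst_ip, dst_port, t) == received
            return ok, (MSS_TABLE[mss_index] if ok else None)
    return False, None  # T too old or never issued: treat as stale or forged

if __name__ == "__main__":
    t = time_counter(1_700_000_000)
    isn = make_isn("198.51.100.7", 40000, "203.0.113.5", 80, 4, t)
    print(check_ack("198.51.100.7", 40000, "203.0.113.5", 80, isn + 1, t))  # (True, 1460)
```

Note that nothing about the half-open connection is stored between make_isn and check_ack; a flood of forged ACKs costs the server one MAC computation each, which is the residual cost the text describes.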

SYN-cookie technology can defend effectively against the SYN flood attack because it does not need to save any information on the server side while the connection is being established, realizing a stateless three-way handshake. But the approach has some weaknesses. Since the cookie calculation involves only some of the information in the header and the connection is not stored on the server side, many functions of the protocol are lost, for example timeout retransmission. In addition, because computing the cookie takes a certain amount of work, it increases the delay of connection establishment, so SYN-cookie technology cannot be used as the defense for high-performance servers. Usually a dynamic resource allocation mechanism is used: the cookie technique is switched on only after a certain amount of resources has been allocated, which is how Linux implements it. Another problem is that while we avoid the SYN flood attack we also open up another denial-of-service attack: the attacker can send a large number of ACK packets to keep the server busy with cookie verification. Nevertheless, SYN-cookie technology is still an effective technique for preventing SYN flood attacks.

 2.2 Address state monitoring solution

The address state monitoring solution uses a monitoring tool to listen to the packets of TCP connections on the network and processes the packets it hears. The primary basis for processing is the source address of the connection request.

Each source address has a state, one of four in total:
Initial state: any source address that has just appeared;
New state: the source address has appeared for the first time, or has appeared several times but its existence cannot yet be determined;
Good state: the source address has been determined to exist;
Bad state: the source address does not exist or is unreachable.
The specific actions and state transitions are determined by the flag bits in the TCP header:

1) On hearing a SYN packet: if this is the first time the source address appears, the source address enters the new state; if the address is in the new state or the bad state, the packet's RST flag is set to 1 and the packet is sent out; if it is in the good state, no processing is done.

2) On hearing an ACK or RST packet: if the source address is in the new state it moves to the good state; if in the good state it is unchanged; if in the bad state it moves to the new state.

3) On hearing a SYN+ACK segment from the server (with destination address addr), which indicates that the server has set up a half-open connection for the connection request from addr: to prevent too many half-open connections from building up, the monitor sends an ACK packet to the server to complete the connection and at the same time starts a timer. If the timer expires without an ACK segment having arrived from addr, this proves that addr is unreachable: if addr is in the good state it becomes new, if it is in the new state it becomes bad, and if it is in the bad state it stays unchanged.
The state transition diagram is shown in Figure 3:

Figure 3: State transition diagram with the states Initial state, NEW, Good and Bad. Transitions are labelled SYN (Initial state to NEW), ACK/RST (NEW to Good, Bad to NEW, Good to Good) and ACK acknowledgement timeout (Good to NEW, NEW to Bad).

Below is an analysis of how the method based on address state monitoring defends against SYN flood attacks.

1) For a SYN packet with a forged source address: if the source address appears for the first time, it enters the new state. When the monitor hears the server's SYN+ACK, it knows that the server has set up a half-open connection for that source address's request. At this point the monitoring program sends an ACK segment for that source address to complete the connection, so the number of half-open connections in the half-open queue never grows large. The timer starts; because the source address is forged, no ACK segment will arrive, and on timeout the monitoring program sends an RST packet, the server releases the connection, and the source address moves to the bad state. After that, for every SYN segment from that source address, the monitoring program actively sends an RST segment.

2) For a legitimate SYN segment: if the source address appears for the first time, it enters the new state; the server responds to the request with a SYN+ACK, the monitoring program sends an ACK, and the connection is established. The ACK from the client arrives soon afterwards and the source address moves to the good state. The server can handle the duplicate ACK packets that arrive.
From the above analysis we can see that the monitoring-based method defends well against the SYN flood attack without affecting the connections of normal users.
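The four-state table and the three rules above, together with the two scenarios just analysed, as an added example in Python (not code from the article or from any real monitoring tool). The timeout value, the returned action strings and the simulated clock are constructed for the example; the class only decides, and a real monitor would emit the ACK and RST packets.

```python
from enum import Enum

class State(Enum):
    INITIAL, NEW, GOOD, BAD = range(4)

class AddressMonitor:
    """Per-source-address state table implementing the four states and three rules
    of the article. Methods return the action the monitoring tool should take
    ("pass", "rst" or "ack"); the class itself sends no packets."""

    def __init__(self, timeout=3.0):
        self.timeout = timeout   # constructed: seconds to wait for addr's own ACK
        self.states = {}         # src_ip -> State
        self.pending = {}        # (addr, port) -> deadline for the ACK expected from addr

    def state_of(self, ip):
        return self.states.get(ip, State.INITIAL)

    def on_syn(self, src_ip):
        """Rule 1: first sighting -> NEW and pass; NEW or BAD -> reply RST; GOOD -> pass."""
        s = self.state_of(src_ip)
        if s is State.INITIAL:
            self.states[src_ip] = State.NEW
            return "pass"
        return "rst" if s in (State.NEW, State.BAD) else "pass"

    def on_ack_or_rst(self, src_ip, src_port):
        """Rule 2: NEW -> GOOD, BAD -> NEW, GOOD unchanged; addr is reachable, cancel timer."""
        s = self.state_of(src_ip)
        self.states[src_ip] = {State.NEW: State.GOOD, State.BAD: State.NEW}.get(s, s)
        self.pending.pop((src_ip, src_port), None)
        return "pass"

    def on_server_synack(self, addr, port, now):
        """Rule 3: complete the server's half-open connection now and start the timer."""
        self.pending[(addr, port)] = now + self.timeout
        return "ack"

    def on_tick(self, now):
        """Timer expiry, no ACK from addr: GOOD -> NEW, NEW -> BAD, BAD unchanged; return keys to RST."""
        reset = []
        for key, deadline in list(self.pending.items()):
            if now >= deadline:
                s = self.state_of(key[0])
                self.states[key[0]] = {State.GOOD: State.NEW, State.NEW: State.BAD}.get(s, s)
                del self.pending[key]
                reset.append(key)
        return reset
```

Driving the class with a forged source (SYN, server SYN+ACK, silence) moves that address to BAD after one timeout, while a legitimate source whose own ACK arrives in time ends in GOOD and its later SYNs pass untouched.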

  3 Summary

This article has introduced the basic principle of the SYN flood attack and then described two defense methods that are effective and easy to implement: SYN-cookie technology and the monitoring-based source address state technique. SYN-cookie technology realizes a stateless handshake and avoids the resource consumption caused by a SYN flood. The monitoring-based source address state technique tracks the state of every IP address connecting to the server and takes proactive measures to avoid the effects of a SYN flood attack. These two technologies are the most mature and feasible defenses against SYN flood attacks at present.
