TCP SYN attack principle and detection

Source: Internet
Author: User
Tags: ack

SYN attacks are the most common form of hacker attack; they are very easy to launch and become even more destructive when combined with a worm. As the old saying goes: to defeat something, first understand it. To defend against SYN attacks, administrators should understand how a SYN attack works and how to detect one on a server.

1. TCP handshake protocol

In the TCP/IP suite, TCP provides a reliable connection-oriented service and uses a three-way handshake to establish a connection.

First handshake: to open a connection, the client sends a SYN packet (SYN=J) to the server and enters the SYN_SENT state, waiting for the server's confirmation;

Second handshake: on receiving the SYN packet, the server must acknowledge the client's SYN (ACK=J+1) and at the same time send its own SYN (SYN=K), i.e. a SYN+ACK packet; the server now enters the SYN_RECV state;

Third handshake: the client receives the server's SYN+ACK packet and sends an acknowledgement packet (ACK=K+1) to the server. Once this packet is sent, both the client and the server enter the ESTABLISHED state and the three-way handshake is complete.

After the three-way handshake, the client and the server begin to exchange data. Several concepts in this process matter for what follows:

Half-open connection queue: during the three-way handshake the server maintains a half-open connection queue. Each client SYN packet (SYN=J) opens an entry in this queue, indicating that the server has received the SYN, has sent its acknowledgement, and is waiting for the client's acknowledgement. The connections identified by these entries are in the SYN_RECV state; when the server receives the client's acknowledgement, the entry is deleted and the server enters the ESTABLISHED state.

Backlog parameter: the maximum length of the half-open connection queue.

SYN-ACK retransmission count: after the server sends the SYN-ACK packet, if it receives no acknowledgement from the client it retransmits the packet once; if, after waiting a further period, there is still no acknowledgement, it retransmits a second time, and so on. Once the number of retransmissions exceeds the system's configured maximum, the system removes the connection information from the half-open queue. Note that the wait before each retransmission is not necessarily the same.

Half-open connection lifetime: the longest time an entry survives in the half-open queue, that is, the longest time from the server receiving a SYN packet until it decides that the connection attempt is invalid. It is the sum of the maximum wait times of all the retransmitted request packets. It is sometimes also called the timeout, or the SYN_RECV lifetime.

2. SYN attack principle

A SYN attack is a kind of DoS attack. It exploits a weakness of the TCP protocol, consuming CPU and memory resources by sending a large number of half-open connection requests. Besides hosts, SYN attacks can also harm routers, firewalls and other network systems; in fact a SYN attack does not care what the target system is, as long as that system offers a TCP service. The server receives the connection request (SYN=J), adds it to the half-open queue, and sends a reply packet to the client (SYN=K, ACK=J+1), entering the SYN_RECV state. If the server receives no acknowledgement from the client, it retransmits the reply packet until the timeout, and only then removes the entry from the half-open queue. Combined with IP spoofing, a SYN attack is very effective: typically the attacker forges a large number of non-existent source IP addresses in a short time and keeps sending SYN packets to the server. The server replies with its acknowledgement and waits for the client's confirmation; because the source addresses do not exist, it has to keep retransmitting until the timeout. These forged SYN packets occupy the half-open queue for a long time, normal SYN requests are discarded, the target system becomes slow, and in serious cases the network is congested or the system is paralysed.
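To make the half-open queue, the backlog, the retransmission schedule and the lifetime from section 1 concrete, and to show why the unanswered SYNs of section 2 hold the queue until the timeout, here is a small server-side model. It is an added example, not code from the original article: the retransmission waits (1, 2, 4, 8, 16 seconds), the backlog of 3 and all addresses are assumed values chosen for the illustration, not any operating system's defaults.

```python
"""Toy model of the server side of the TCP handshake and its half-open queue.

Added illustration, not code from the original article. A SYN creates a
half-open entry, a SYN-ACK is sent and retransmitted on a fixed schedule
while no ACK arrives, and the entry is dropped once the schedule is used up.
"""
from dataclasses import dataclass, field

# Assumed SYN-ACK retransmission schedule in seconds: wait waits[0] after the
# first SYN-ACK, waits[1] after the first retransmission, and so on. The entry
# expires when the last wait runs out, so its lifetime is sum(waits).
SYNACK_WAITS = [1, 2, 4, 8, 16]


def half_open_lifetime(waits=SYNACK_WAITS):
    """Longest time an unanswered entry sits in the half-open queue: the sum
    of all retransmission wait times (the article's definition)."""
    return sum(waits)


@dataclass
class HalfOpenEntry:
    client: tuple            # (source IP, source port)
    seq_j: int               # client's initial sequence number (SYN=J)
    seq_k: int               # server's initial sequence number (SYN=K)
    next_timeout: float      # when the current wait for an ACK runs out
    timeouts: int = 0        # waits that have expired so far


@dataclass
class Listener:
    backlog: int                                    # max half-open queue length
    waits: list = field(default_factory=lambda: list(SYNACK_WAITS))
    half_open: dict = field(default_factory=dict)   # client -> HalfOpenEntry
    established: set = field(default_factory=set)
    dropped_syn: int = 0                            # SYNs refused, queue full
    expired: int = 0                                # entries removed on timeout
    next_isn: int = 1000

    def on_syn(self, client, seq_j, now):
        """First handshake: SYN=J arrives. Queue an entry and answer SYN=K,
        ACK=J+1 (second handshake), or drop the SYN if the queue is full."""
        if client in self.half_open:
            return "duplicate"
        if len(self.half_open) >= self.backlog:
            self.dropped_syn += 1
            return "dropped"
        self.next_isn += 1
        entry = HalfOpenEntry(client, seq_j, self.next_isn, now + self.waits[0])
        self.half_open[client] = entry              # server is now in SYN_RECV
        return ("SYN-ACK", entry.seq_k, seq_j + 1)

    def on_ack(self, client, ack, now):
        """Third handshake: ACK=K+1 arrives. The entry leaves the half-open
        queue and the connection becomes ESTABLISHED."""
        entry = self.half_open.get(client)
        if entry is None or ack != entry.seq_k + 1:
            return "ignored"
        del self.half_open[client]
        self.established.add(client)
        return "ESTABLISHED"

    def tick(self, now):
        """Advance the clock: retransmit SYN-ACKs whose wait has elapsed and
        expire entries that have used up the whole schedule. Returns the
        number of retransmissions performed."""
        retransmitted = 0
        for client, entry in list(self.half_open.items()):
            while client in self.half_open and entry.next_timeout <= now:
                entry.timeouts += 1
                if entry.timeouts >= len(self.waits):
                    del self.half_open[client]      # gave up: leave the queue
                    self.expired += 1
                else:
                    retransmitted += 1              # resend SYN-ACK, next wait
                    entry.next_timeout += self.waits[entry.timeouts]
        return retransmitted


def demo():
    """Both cases from the article: a client that completes the handshake,
    and SYNs from source addresses that never answer."""
    srv = Listener(backlog=3)
    good = ("10.0.0.5", 40001)                     # constructed address
    _, k, _ = srv.on_syn(good, seq_j=500, now=0.0)
    completed = srv.on_ack(good, ack=k + 1, now=0.1)
    # Three SYNs whose (constructed) sources never reply, as with spoofing
    for i in range(3):
        srv.on_syn(("192.0.2.%d" % (i + 1), 1000 + i), seq_j=1, now=0.5)
    # Queue is at backlog: a further legitimate SYN is dropped
    while_full = srv.on_syn(("10.0.0.6", 40002), seq_j=700, now=1.0)
    # Past the half-open lifetime the stale entries expire and service resumes
    srv.tick(0.5 + half_open_lifetime() + 0.01)
    after_expiry = srv.on_syn(("10.0.0.6", 40002), seq_j=700, now=32.0)
    return {
        "completed": completed,                    # "ESTABLISHED"
        "while_full": while_full,                  # "dropped"
        "expired": srv.expired,                    # 3
        "after_expiry": after_expiry[0],           # "SYN-ACK"
        "lifetime": half_open_lifetime(),          # 31
    }
```

The point of the model is the asymmetry the article describes: a completed handshake frees its queue slot within a round trip, while an unanswered SYN keeps its slot for the whole schedule (31 seconds here), and every legitimate SYN arriving while the queue is at backlog is silently dropped.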

3. SYN attack tools

Once the principle of the SYN attack is understood, implementing it is very simple, and the Internet has a large number of ready-made SYN attack tools.

SYN tools under Windows:

Take Synkill.exe as an example: run the tool, select a random source address and source port, fill in the target machine's address and TCP port, and start the operation; the target system will soon be found to run slowly. If the effect of the attack is not obvious, the target machine may not have the chosen TCP port open, or a firewall may deny access to that port; in that case choose a TCP port that is accessible. Typically Windows systems have TCP port 139 open, and Unix systems have TCP ports 7, 21, 23 and so on open.

4. Detection of SYN attacks

Detecting a SYN attack is straightforward: when you see a large number of half-open connections on the server, especially with random source IP addresses, you can basically conclude that it is a SYN attack. We use the system's own netstat tool to detect SYN attacks:

    # netstat -n -p TCP
    tcp        0      0 10.11.11.11:23      124.173.152.8:25882     SYN_RECV    -
    tcp        0      0 10.11.11.11:23      236.15.133.204:2577     SYN_RECV    -
    tcp        0      0 10.11.11.11:23      127.160.6.129:51748     SYN_RECV    -
    tcp        0      0 10.11.11.11:23      222.220.13.25:47393     SYN_RECV    -
    tcp        0      0 10.11.11.11:23      212.200.204.182:60427   SYN_RECV    -
    tcp        0      0 10.11.11.11:23      232.115.18.38:278       SYN_RECV    -
    tcp        0      0 10.11.11.11:23      239.116.95.96:5122      SYN_RECV    -
    tcp        0      0 10.11.11.11:23      236.219.139.207:49162   SYN_RECV    -
    ...

The above was seen on a Linux system: many connections are in the SYN_RECV state (on Windows the state is shown as SYN_RECEIVED), and the source IP addresses are random, indicating a SYN attack with IP spoofing.

In a Linux environment we can also view the length of the half-open queue directly with the following command:

    # netstat -n -p TCP | grep SYN_RECV | grep :22 | wc -l
    324

This shows 324 half-open connections on TCP port 22, which is far from the system limit but should still draw the administrator's attention.
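The grep pipeline above gives one number for one port. The following script is an added example, not code from the original article: it parses Linux `netstat -n` output, counts SYN_RECV entries per local port, and also counts how many distinct remote addresses they come from, which is the "random source IP" signal the article uses to tell a SYN flood from a burst of legitimate connection attempts. The sample output is constructed from the addresses in the listing above, with a few port 80 rows added, and the thresholds are assumed values to be tuned to the host's backlog.

```python
"""Count half-open (SYN_RECV) connections per port in netstat output.

Added example, not from the original article. Input is Linux netstat -n
format: Proto Recv-Q Send-Q Local-Address Foreign-Address State [PID/Program].
"""
from collections import defaultdict

# Constructed sample: the port 22 rows reuse remote addresses from the
# article's listing; the port 80 rows are added to show a non-flood case.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.11.11.11:22          124.173.152.8:25882     SYN_RECV
tcp        0      0 10.11.11.11:22          236.15.133.204:2577     SYN_RECV
tcp        0      0 10.11.11.11:22          127.160.6.129:51748     SYN_RECV
tcp        0      0 10.11.11.11:22          222.220.13.25:47393     SYN_RECV
tcp        0      0 10.11.11.11:22          212.200.204.182:60427   SYN_RECV
tcp        0      0 10.11.11.11:80          198.51.100.7:51000      ESTABLISHED
tcp        0      0 10.11.11.11:80          198.51.100.7:51001      SYN_RECV
tcp        0      0 10.11.11.11:80          198.51.100.7:51002      SYN_RECV
"""


def parse_netstat(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) tuples
    for every tcp/tcp6 row; header and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local, remote, state = parts[3], parts[4], parts[5]
        # rsplit keeps IPv6 addresses intact: only the last ':' separates the port
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        rows.append((lip, int(lport), rip, int(rport), state))
    return rows


def half_open_by_port(rows):
    """Map local port -> (SYN_RECV count, number of distinct remote IPs)."""
    count = defaultdict(int)
    sources = defaultdict(set)
    for lip, lport, rip, rport, state in rows:
        if state == "SYN_RECV":
            count[lport] += 1
            sources[lport].add(rip)
    return {port: (count[port], len(sources[port])) for port in count}


def flag_syn_flood(stats, min_half_open=5, min_distinct_ratio=0.8):
    """Ports whose half-open count reaches the threshold AND whose sources
    are mostly distinct (the random-source pattern from the article).
    Thresholds are assumed values; tune min_half_open to the host's backlog."""
    flagged = []
    for port, (n, distinct) in stats.items():
        if n >= min_half_open and distinct / n >= min_distinct_ratio:
            flagged.append(port)
    return sorted(flagged)


if __name__ == "__main__":
    import sys
    # Usage: netstat -n | python3 this_script.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    stats = half_open_by_port(parse_netstat(text))
    for port, (n, distinct) in sorted(stats.items()):
        print(f"port {port}: {n} half-open from {distinct} distinct sources")
    print("possible SYN flood on ports:", flag_syn_flood(stats))
```

On the sample, port 22 has five half-open connections from five different sources and is flagged, while port 80 has two half-open connections from a single source and is not; a single slow or retrying client looks like the latter, a spoofed flood like the former.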
