Use network devices to prevent TCP SYN attacks

Source: Internet
Author: User

A TCP SYN packet is the first packet a host sends when it opens a connection. It is very small but critical, and SYN attacks exploit it by sending such packets in huge quantities. The host or network device cannot tell a forged SYN from a genuine one, so it treats each as a real connection attempt: it replies with a SYN-ACK, keeps a half-open connection, and retransmits the SYN-ACK for several seconds before giving up on a normal response. A few seconds per packet is harmless; with enough packets, the effect on an enterprise network is devastating.
In essence, a SYN attack is a type of DoS attack. It uses the stateful design of the TCP three-way handshake to send a large number of half-open connection requests (SYN packets) and so consume CPU and memory on the host or network device. SYN attacks have a wide reach: they affect not only ordinary hosts and servers but also intermediate network devices such as routers and switches wherever the device itself keeps per-connection state (a NAT or inspection table, a management service). Generally, any host or device that terminates TCP may become the victim of a SYN attack.

IP spoofing is the natural partner of a SYN attack, and combined with it the attack is far more effective. The attacker uses a tool to forge, within a few seconds, a large number of SYN packets whose source addresses do not exist or do not belong to him, and sends them to the target. The server answers each with a SYN-ACK and waits for the client's confirming ACK. Because the source address is false, the ACK never arrives, and the server keeps retransmitting the SYN-ACK until the half-open connection times out. These forged requests occupy the half-open (incomplete) connection queue for a long time; once it is full, normal connection requests cannot be answered and are discarded, which to users looks like network congestion. Spoofing also hides the real source, so simply blocking an address does not help.

Since SYN attacks are so serious, can we prevent them effectively? Unfortunately, no expert has so far claimed that SYN attacks can be eliminated completely. The weakness is inherent in the design of the TCP handshake and is hard to cure. What a network administrator can do today is find ways to limit the adverse effects. For example, the most common measure is to shield key equipment, such as servers and routers, from the impact.

1. Restrict the impact on the server through the firewall proxy

Generally, for security we place the server behind the firewall, and the firewall acts as a proxy when a TCP connection is established. A TCP proxy is effectively an intermediate server between the client and the target server. When a client wants to reach a server resource, it does not connect to the server directly: it connects to the firewall's proxy, and the proxy opens the connection to the server on the client's behalf and relays the server's responses back to the client. From the server's point of view the firewall proxy is the client; from the real client's point of view it is a fully functional server. Because the firewall terminates every incoming TCP connection request, it can inspect the request before performing the proxy function, and if it judges the request to be forged (for example, the handshake is never completed) it can take measures so that the request never reaches the server behind it. Note that the half-open state then accumulates on the firewall instead of the server, so the firewall must be able to shed that state cheaply; otherwise the attack simply moves one hop outward.

For example, my company runs an ERP application server that provides data support for sales offices across the country. If this server were paralysed, sales everywhere would be affected to varying degrees (goods allocation, for instance). Because the users are spread over the external network, I cannot guarantee the security of user hosts throughout the country. Following the principle of security first, a firewall is placed between the ERP application server and the Internet, and the firewall's proxy function is enabled to limit SYN attacks, as follows:

1. When a client on the Internet needs to access the ERP server, it first initiates a TCP connection. The client does not talk to the ERP server directly but to the firewall proxy. This also hides the real address of the ERP server, so external attackers cannot target it directly.

2. When the firewall proxy receives the SYN connection request from the client, it forwards the request to the internal ERP server, acting as a client toward the server. When the proxy obtains the data the user asked for, it returns it to the client, acting as the ERP server toward the client. With the firewall proxy in place, the client and the ERP server never communicate directly. However, proxying alone does not stop SYN attacks: a forged SYN that the proxy accepts still costs the proxy a half-open connection, and if the proxy forwards it at once the server pays as well. Further settings are required.

For example, the firewall uses TCP timer parameters to filter forged connection requests. When the firewall proxy encounters a request that is never completed, the half-open connection is held only as long as an active timeout for half-open connections allows; the firewall proxy can also set an inbound rate limit on TCP connection requests and on particular kinds of connections. These parameters must be tuned to the real situation of the enterprise network. If the timeout is set too short, clients on slow links may not complete the handshake in time and their connections will be dropped.

On a Cisco IOS router this function is provided by the TCP Intercept feature. Use the following commands to limit SYN attacks; the extended access list named by number must already exist and selects which destination servers are protected:

ip tcp intercept list access-list-number

ip tcp intercept mode watch

With TCP Intercept enabled, the router tracks three things, and each has a matching tunable threshold:

1. How many connection requests arrived in the last minute. This counts valid and invalid sessions alike, so requests generated by forged packets are reflected in it as well.

2. How many sessions are incomplete (half-open). An incomplete session is typically one created by a forged request. When the enterprise network is congested, the count of incomplete sessions is the first thing to look at: it tells the administrator whether the congestion is caused by a SYN attack rather than by some other reason for declining network performance. When either the one-minute rate or the incomplete count passes its high threshold, the router switches to aggressive mode, in which each newly arriving request evicts the oldest half-open connection and the timeouts are halved; it returns to normal mode once the count falls back below the low threshold.

3. How long the router waits for the final confirmation. The main method of a SYN attack is to spoof the source address, so the server sends its SYN-ACK to a host that never answers and retransmits it until a timeout expires. In watch mode the router observes this: if the handshake is not completed within the watch timeout (30 seconds by default), it sends a reset to the server to clear the half-open connection. In intercept mode the router answers the client's SYN itself and only opens the connection to the server once the client's ACK arrives. The number of connections stuck waiting on this "final confirmation" timer is therefore another sign that SYN attacks are present in the network. Both counters can be inspected with show tcp intercept statistics and show tcp intercept connections.
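The watch-mode bookkeeping described above, as an added example that is not part of the original article or of any vendor's software: a Python simulation that runs the one-minute counter, the incomplete-session counter, the watch timeout and the aggressive-mode switch over a constructed packet trace. The threshold values (1100/900 requests per minute, 1100/900 incomplete connections, a 30-second watch timeout halved under aggression) are assumptions mirroring the IOS defaults as I recall them; the class, function and host names and the trace itself are mine.

```python
# Added example (not from the original article or from Cisco): a simulation of
# the half-open connection bookkeeping a TCP-intercept style device performs in
# watch mode, run over a constructed packet trace. Thresholds are assumed to
# mirror IOS defaults; class, function and host names are mine.
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

WATCH_TIMEOUT = 30.0        # seconds to wait for the client's final ACK
ONE_MINUTE_HIGH = 1100      # connection requests per minute: enter aggressive mode
ONE_MINUTE_LOW = 900        # ... and leave it again
MAX_INCOMPLETE_HIGH = 1100  # half-open connections: enter aggressive mode
MAX_INCOMPLETE_LOW = 900

Key = Tuple[str, int, str, int]


@dataclass
class Packet:
    """Constructed packet summary: time, 4-tuple and the one flag that matters."""
    t: float
    src: str
    sport: int
    dst: str
    dport: int
    flag: str  # "S" = client SYN, "A" = client's final ACK of the handshake


@dataclass
class Watcher:
    half_open: Dict[Key, float] = field(default_factory=dict)  # 4-tuple -> time of SYN
    recent: Deque[float] = field(default_factory=deque)        # SYN times in last 60 s
    aggressive: bool = False
    aggressive_since: Optional[float] = None
    completed: int = 0
    resets: List[Key] = field(default_factory=list)  # half-open entries reset on the server
    dropped: int = 0                                  # oldest entries shed in aggressive mode

    def watch_timeout(self) -> float:
        # Aggressive mode halves the watch timeout so stale entries clear faster.
        return WATCH_TIMEOUT / 2 if self.aggressive else WATCH_TIMEOUT

    def _expire(self, now: float) -> None:
        while self.recent and now - self.recent[0] > 60:
            self.recent.popleft()
        limit = self.watch_timeout()
        for key, t0 in list(self.half_open.items()):
            if now - t0 > limit:
                del self.half_open[key]
                self.resets.append(key)  # the device would send RST to the server here

    def _update_mode(self, now: float) -> None:
        rate, incomplete = len(self.recent), len(self.half_open)
        if rate > ONE_MINUTE_HIGH or incomplete > MAX_INCOMPLETE_HIGH:
            if not self.aggressive:
                self.aggressive_since = now
            self.aggressive = True
        elif rate < ONE_MINUTE_LOW and incomplete < MAX_INCOMPLETE_LOW:
            self.aggressive = False

    def observe(self, p: Packet) -> None:
        self._expire(p.t)
        key: Key = (p.src, p.sport, p.dst, p.dport)
        if p.flag == "S":
            self.recent.append(p.t)
            self._update_mode(p.t)
            if self.aggressive and self.half_open:
                # Each new request evicts the oldest half-open connection.
                oldest = min(self.half_open, key=self.half_open.__getitem__)
                del self.half_open[oldest]
                self.dropped += 1
            self.half_open[key] = p.t
        elif p.flag == "A" and key in self.half_open:
            del self.half_open[key]
            self.completed += 1


SERVER = ("192.0.2.10", 443)  # constructed protected server


def legit(t: float, host: str, sport: int) -> List[Packet]:
    """A well-behaved client: SYN, then its ACK 100 ms later."""
    return [Packet(t, host, sport, *SERVER, "S"), Packet(t + 0.1, host, sport, *SERVER, "A")]


def build_trace() -> List[Packet]:
    """Constructed trace: a few real clients, a 12-second spoofed SYN flood, then quiet."""
    trace: List[Packet] = []
    for i in range(5):
        trace += legit(float(i), f"10.0.0.{i + 1}", 40000 + i)
    for k in range(1200):                         # spoofed sources: no ACK ever follows
        trace.append(Packet(10 + k / 100, f"203.0.113.{k % 254 + 1}", 1024 + k, *SERVER, "S"))
    trace += legit(60.0, "10.0.0.9", 40009)       # a client during the aftermath
    trace += legit(130.0, "10.0.0.10", 40010)     # once the one-minute window has cleared
    return trace


def run(trace: List[Packet]) -> Watcher:
    w = Watcher()
    for p in sorted(trace, key=lambda x: x.t):
        w.observe(p)
    return w


if __name__ == "__main__":
    w = run(build_trace())
    print(f"completed={w.completed} resets={len(w.resets)} dropped={w.dropped} "
          f"aggressive_since={w.aggressive_since} aggressive_now={w.aggressive}")
```

Running the trace shows the three signals the text describes: the one-minute rate crosses 1100 about eleven seconds into the flood and flips the watcher into aggressive mode, every later SYN evicts the oldest half-open entry, and the 1095 entries still waiting for their final ACK are reset against the server at the next event after the halved watch timeout. The client arriving at 60 seconds still completes its handshake, and by 130 seconds the rate has fallen below the low threshold and normal mode resumes.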

2. Adjust the TCP/IP protocol stack and modify the TCP implementation

The first method of limiting SYN attacks depends on products such as Cisco firewalls and routers. In addition, we can tune the TCP/IP protocol stack and modify the TCP implementation on the hosts themselves. For example, we can raise the maximum number of half-open connections (the SYN backlog), shorten the time a half-open connection is held before its SYN-ACK retransmissions give up, and enable SYN cookies, which let a server answer a SYN without storing any state until the client's ACK arrives. These adjustments are not trivial, and changing the stack's behaviour can affect application functions (SYN cookies, for instance, lose TCP options negotiated in the SYN unless another mechanism carries them). Therefore, before making such changes, the administrator must fully understand them and carry out detailed and sufficient testing before deployment.
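The SYN cookie mechanism mentioned above, as an added example (not code from the original article or from any operating system): a Python model of a server that keeps no half-open state at all. It folds a time counter, an MSS index and a keyed hash of the connection's 4-tuple and the client's sequence number into the 32-bit initial sequence number it sends in the SYN-ACK, and reconstructs everything it needs from the client's final ACK. The bit layout (5 bits counter, 3 bits MSS index, 24 bits MAC), the 64-second counter period, the MSS table, the per-run secret and all names are my assumptions, modelled loosely on the Linux scheme.

```python
# Added example (not from the original article or any OS kernel): SYN cookies
# in Python. The server keeps no per-connection state between SYN and ACK;
# everything it needs is encoded in the ISN it chooses. Layout, period, MSS
# table and names are assumptions modelled loosely on the Linux scheme.
import hashlib
import hmac
import ipaddress
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional

SECRET = secrets.token_bytes(32)       # per-boot key; assumed, regenerated per run
MSS_TABLE = (536, 1220, 1440, 1460)    # the only MSS values we can encode (3-bit index)
COUNTER_PERIOD = 64                    # seconds per counter tick
MASK32 = 0xFFFFFFFF


@dataclass
class Segment:
    """Constructed TCP segment summary; only the fields the cookie needs."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int = 0
    mss: int = 0   # MSS option carried in the client's SYN


def _mac24(src, sport, dst, dport, client_isn, counter, mss_idx) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple, client ISN and tick."""
    msg = struct.pack("!4s4sHHIIB",
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed,
                      sport, dport, client_isn, counter, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, client_isn, mss, now) -> int:
    """ISN for the SYN-ACK: 5 bits of counter | 3 bits MSS index | 24 bits MAC."""
    counter = int(now // COUNTER_PERIOD)
    # Largest table entry not exceeding the client's MSS; fall back to the smallest.
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac24(src, sport, dst, dport, client_isn, counter, mss_idx)
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac


def check_cookie(src, sport, dst, dport, client_isn, cookie, now) -> Optional[int]:
    """Return the MSS to use if the cookie is genuine and fresh, else None."""
    tick = int(now // COUNTER_PERIOD)
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    # Accept the current tick and the previous one (a cookie may straddle a boundary).
    for counter in (tick, tick - 1):
        if counter < 0 or (counter & 0x1F) != cookie >> 27:
            continue
        expected = _mac24(src, sport, dst, dport, client_isn, counter, mss_idx)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


def handle_syn(syn: Segment, now: float) -> dict:
    """Server side of the first handshake step: reply, store nothing."""
    isn = make_cookie(syn.src, syn.sport, syn.dst, syn.dport, syn.seq, syn.mss, now)
    return {"seq": isn, "ack": (syn.seq + 1) & MASK32}


def handle_ack(ack: Segment, now: float) -> Optional[int]:
    """Third handshake step: rebuild the connection from the ACK alone.
    Returns the negotiated MSS, or None if the ACK is not backed by a valid cookie
    (the server then drops it silently, exactly as it would an unsolicited ACK)."""
    cookie = (ack.ack - 1) & MASK32
    client_isn = (ack.seq - 1) & MASK32
    return check_cookie(ack.src, ack.sport, ack.dst, ack.dport, client_isn, cookie, now)


if __name__ == "__main__":
    now = time.time()
    syn = Segment("198.51.100.7", 51515, "192.0.2.10", 443, seq=0x12345678, mss=1460)
    synack = handle_syn(syn, now)                   # the server remembers nothing here
    ack = Segment("198.51.100.7", 51515, "192.0.2.10", 443,
                  seq=syn.seq + 1, ack=(synack["seq"] + 1) & MASK32)
    print("accepted with MSS", handle_ack(ack, now + 1))
```

Because the server sends the SYN-ACK and forgets, a flood of spoofed SYNs costs it one HMAC per packet and no memory, which is why SYN cookies survive floods that exhaust a backlog. The price the article warns about is visible in the code: only a few bits are available, so options negotiated in the SYN (window scaling, SACK permitted) are lost unless the stack has another place to carry them, the MSS is rounded down to a table entry, and a lost SYN-ACK cannot be retransmitted because nothing remembers it.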

For example, Microsoft's operating systems provide the SynAttackProtect mechanism, which also limits SYN attacks by adjusting the TCP/IP stack. When an attack is detected it disables some socket options, delays the connection indication to the application until the three-way handshake has completed, and reduces the retransmission timeout, so that the system can process more SYN connections. It is controlled by the SynAttackProtect registry value under the Tcpip\Parameters key. Older versions of the system do not enable this protection by default; the network administrator must configure it manually.

However, I do not recommend this method. It has a large impact on existing application services and can adversely affect existing network applications, for example by reducing the stability of the network and the servers. I therefore suggest using dedicated network devices, such as routers or firewalls, to prevent SYN attacks.

It should be noted, however, that no matter which method is used, SYN attacks cannot be prevented completely unless the TCP implementation itself is fundamentally changed, and so far that is not realistic. The network administrator should be clear about this: any attempt to eliminate SYN attacks outright will fail. What we can do now is do everything possible to confine the adverse effects of SYN attacks to a relatively small range, or protect key applications and devices so as to reduce the damage.
