SYN Attack Principle and Prevention Technology

xiaoxiao2021-03-06  23

According to statistics, among all hacker attacks the SYN attack is the most common and most easily launched technique. Many people still remember the attack suffered by the Yahoo website in 2000, in which the hackers used a simple but effective SYN attack, and several network worms have also done greater damage with SYN attacks. This article introduces the basic principles of SYN attacks, the tools used, and how to detect them, and then explores SYN attack prevention technology in depth.

I. The TCP three-way handshake

In the TCP/IP protocol suite, TCP provides a reliable connection service and establishes a connection with a three-way handshake.

First handshake: to establish a connection, the client sends a SYN packet (SYN = J) to the server and enters the SYN_SEND state, waiting for the server's confirmation;

Second handshake: the server receives the SYN packet and must acknowledge the client's SYN (ACK = J+1) while also sending its own SYN packet (SYN = K), i.e. the SYN+ACK packet; at this point the server enters the SYN_RECV state;

Third handshake: the client receives the server's SYN+ACK packet and sends an acknowledgement packet (ACK = K+1) to the server. Once this packet is sent, both client and server enter the ESTABLISHED state and the three-way handshake is complete.

After the three-way handshake completes, the client starts exchanging data with the server. Several concepts in the above process are important:

Half-open connection queue: during the three-way handshake, the server maintains a half-open connection queue that opens an entry for each client SYN packet (SYN = J). The entry indicates that the server has received the SYN, has sent an acknowledgement to the client, and is waiting for the client's acknowledgement packet. The connections represented by these entries are in the SYN_RECV state on the server. When the server receives the client's acknowledgement packet, it deletes the entry and the connection enters the ESTABLISHED state. Backlog parameter: the maximum number of entries in the half-open connection queue.

SYN-ACK retransmission: after the server sends a SYN-ACK packet, if it does not receive the client's acknowledgement it performs a first retransmission, waits a while, and if the acknowledgement still has not arrived performs a second retransmission. Once the number of retransmissions exceeds the system's maximum, the entry is deleted from the half-open queue. Note that the wait time before each retransmission is not necessarily the same.

Half-open connection lifetime: the maximum time an entry survives in the half-open queue, i.e. the time from the server receiving the SYN packet until it decides the entry is invalid. This value is the sum of the longest wait times of all retransmissions. The half-open lifetime is also called the timeout time or the SYN_RECV lifetime.

II. SYN attack principle

A SYN attack is a kind of DoS attack. It exploits a defect of the TCP protocol by sending a large number of half-open connection requests that consume CPU and memory resources. Besides hosts, SYN attacks can also harm routers, firewalls and other network systems; in fact the SYN attack does not care what its target is, as long as the system has TCP services open. As shown in the figure above, the server receives a connection request (SYN = J), adds it to the half-open queue, sends the response packet (SYN = K, ACK = J+1) to the client and enters the SYN_RECV state. If the server does not receive the client's acknowledgement, it keeps retransmitting the response until the timeout, when the entry is deleted from the half-open queue.

Combined with IP spoofing, a SYN attack is very effective. Typically the client forges a large number of non-existent IP addresses in a short time and keeps sending SYN packets to the server; the server replies with acknowledgement packets and waits for the client's confirmation, but because the source addresses do not exist, the server must keep retransmitting until the timeout. These forged SYN packets occupy the half-open queue for a long time, normal SYN requests are discarded, the target system becomes slow, and in severe cases the network is blocked or the system is even paralyzed.

III. SYN attack tools

Launching a SYN attack is very simple, and there are many ready-made SYN attack tools on the Internet.

1. SYN tools under Windows

Take Synkill.exe as an example: run the tool, choose a random source address and source port, fill in the target machine's address and TCP port, and start it; the target system soon becomes noticeably slow. If the effect is not obvious, the target may not have that TCP port open, or a firewall may be refusing access to it; in that case choose a TCP port that is reachable. Usually Windows systems have TCP port 139 open, and UNIX systems have TCP ports 7, 21, 23 and so on.

IV. Detecting a SYN attack

Detecting a SYN attack is quite easy: when you see a large number of half-open connections on the server, especially with random source IP addresses, it is basically a SYN attack. We can use the system's own netstat tool to detect it:

# netstat -n -p TCP
TCP 0 0 10.11.11.11:23 124.11.152.8:23 124.11.152.8:823 124.11.11:23 236.15.11.11:23 236.15.133.204:2577 SYN_RECV -
TCP 0 0 10.11.11.11:23 127.160.6.129:51748 SYN_RECV -
TCP 0 0 10.11.11.11:23 222.220.13.25:23 222.220.13.25:47393 SYN_RECV -
TCP 0 0 10.11.11.11:23 212.200.204.182:60427 SYN_RECV -
TCP 0 0 10.11.11.11:23 232.115.18.38:278 SYN_RECV -
TCP 0 0 0 10.11.11.11:96:5122 SYN_RECV -
TCP 0 0 10.11.11.11:23 236.219.139.207:49162 SYN_RECV -
...

The above is what is seen on a Linux system: many connections are in the SYN_RECV state (SYN_RECEIVED on Windows) and the source IP addresses are random, indicating a SYN attack with IP spoofing.

On Linux we can also view the number of half-open connections directly with the following command:

# netstat -n -p TCP | grep SYN_RECV | grep :22 | wc -l
324

There are 324 half-open connections on TCP port 22. Although this is far from the system limit, it should get the administrator's attention.
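As an added example (not part of the original article), the following Python script applies the netstat check above programmatically: it counts SYN_RECV entries per local port, flags ports whose half-open sources look random, and lists remote addresses that can never be real peers (loopback or multicast, as in the output above), which by itself proves the source addresses are forged. The netstat lines are constructed sample input in Linux `netstat -n` format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Linux "netstat -n" output (not a real capture).
# Port 23 carries half-open connections from scattered, partly impossible
# sources; port 22 has one ordinary half-open entry and one live session.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.11.11.11:23          236.15.133.204:2577     SYN_RECV
tcp        0      0 10.11.11.11:23          127.160.6.129:51748     SYN_RECV
tcp        0      0 10.11.11.11:23          222.220.13.25:47393     SYN_RECV
tcp        0      0 10.11.11.11:23          212.200.204.182:60427   SYN_RECV
tcp        0      0 10.11.11.11:22          192.168.1.20:40000      ESTABLISHED
tcp        0      0 10.11.11.11:22          192.168.1.21:40001      SYN_RECV
"""


def parse_half_open(text):
    """Map each local port to the list of remote IPs seen in SYN_RECV state."""
    half_open = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        # Expected columns: proto recv-q send-q local foreign state [pid/program]
        if len(fields) < 6 or not fields[0].lower().startswith("tcp"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        if state not in ("SYN_RECV", "SYN_RECEIVED"):
            continue
        port = int(local.rsplit(":", 1)[1])
        half_open[port].append(foreign.rsplit(":", 1)[0])
    return half_open


def syn_flood_suspects(text, threshold=100, min_distinct_ratio=0.8):
    """Ports whose half-open count reaches `threshold` and whose sources are
    mostly distinct addresses: the signature of a spoofed SYN flood."""
    suspects = []
    for port, sources in sorted(parse_half_open(text).items()):
        total, distinct = len(sources), len(set(sources))
        if total >= threshold and distinct / total >= min_distinct_ratio:
            suspects.append((port, total, distinct))
    return suspects


def impossible_sources(text):
    """Remote addresses that cannot be a real TCP peer; even one of them in
    SYN_RECV shows the source addresses are forged."""
    bad = set()
    for sources in parse_half_open(text).values():
        for src in sources:
            ip = ipaddress.ip_address(src)
            if ip.is_loopback or ip.is_multicast or ip.is_reserved or ip.is_unspecified:
                bad.add(src)
    return sorted(bad)


if __name__ == "__main__":
    print("suspect ports:", syn_flood_suspects(SAMPLE_NETSTAT, threshold=3))
    print("impossible sources:", impossible_sources(SAMPLE_NETSTAT))
```

On a live host, feed it the output of `netstat -n` and raise `threshold` toward the backlog size configured on that system.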

V. SYN attack prevention technology

SYN attack prevention has been studied for quite a long time. In general there are two major categories: protection by filtering gateways such as firewalls and routers, and defense by hardening the TCP/IP protocol stack. It must be clear, however, that SYN attacks cannot be completely blocked; unless the TCP protocol is redesigned, all we can do is reduce the harm of SYN attacks as far as possible.

1. Filtering gateway protection

Here the filtering gateway mainly means the firewall, although a router can also act as a filtering gateway. A firewall is deployed between different networks to block external attacks and prevent leakage of confidential information; sitting between client and server, it can defend against SYN attacks with good effect. Filtering gateway protection mainly comes in three forms: timeout settings, SYN gateways and SYN proxies.

■ Gateway timeout setting: the firewall sets a SYN forwarding timeout parameter (a stateful inspection firewall can set it in its state table) that is much smaller than the server's timeout. After the client sends a SYN packet and the server replies with the acknowledgement (SYN+ACK), if the firewall has not received the client's acknowledgement (ACK) when its timer expires, it sends an RST packet to the server so that the server deletes this half-open connection from its queue. Note that the gateway timeout should be neither too small nor too large: too small a value disturbs normal communication, while too large a value weakens the protection against SYN attacks. The parameter must be set according to the network application environment.

■ SYN gateway: when the SYN gateway receives a client's SYN packet it forwards it directly to the server; after it receives the server's SYN/ACK packet it forwards that to the client and, in the client's name, sends an ACK acknowledgement packet to the server. At this point the server moves from the half-open state to the connected state. When the client's acknowledgement arrives, it is forwarded if it carries data, otherwise it is discarded. In fact, besides the half-open queue the server also maintains a connection queue; under a SYN attack the number of entries in the connection queue grows, but the number of connections a typical server can withstand is far larger than the number of half-open connections it can hold, so this method can effectively alleviate the attack on the server.

■ SYN proxy: when the client's SYN packet reaches the filtering gateway, the SYN proxy does not forward it but replies to the client with a SYN/ACK packet in the server's name. If it then receives the client's ACK packet, the access is normal, and the firewall performs the three-way handshake with the server on the client's behalf. The SYN proxy in effect stands in for the server against the SYN attack, which requires the filtering gateway itself to have strong resistance to SYN attacks.

2. Hardening the TCP/IP protocol stack

The other major technique for preventing SYN attacks is to adjust the TCP/IP protocol stack, i.e. modify the TCP implementation. The main methods are the SynAttackProtect mechanism, SYN cookies, increasing the maximum number of half-open connections, and shortening the timeout. Adjusting the TCP/IP stack may limit certain functions, so the administrator should make these changes only after fully understanding and testing them.

■ The SynAttackProtect mechanism

To defend against SYN attacks, Windows 2000 embeds the SynAttackProtect mechanism in its TCP/IP stack, and Windows 2003 uses the same mechanism. SynAttackProtect works by adding extra connection indications and reducing the timeout so that the system can handle more SYN connections. By default Windows 2000 does not enable SynAttackProtect; you need to add the SynAttackProtect value under the following registry key: HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

When the SynAttackProtect value is 0 or not set (unless otherwise stated, the registry values mentioned in this article are hexadecimal), the system is not protected by SynAttackProtect.

When SynAttackProtect is 1, the system defends against SYN attacks by reducing the number of retransmissions and delaying creation of the route cache entry (Route Cache Entry) until the connection is established.

When SynAttackProtect is 2 (the value Microsoft recommends), the system not only uses the backlog queue but also uses additional half-open connection indications to handle more SYN connections. With this value, the TCP/IP options TcpInitialRTT, window size and scalable windows are disabled.

Note that the SynAttackProtect mechanism is normally not active; only when a SYN attack is detected does the system adjust its TCP/IP stack. How does the system detect that a SYN attack is taking place? It decides according to the parameters TcpMaxHalfOpen, TcpMaxHalfOpenRetried and TcpMaxPortsExhausted.

TcpMaxHalfOpen is the maximum number of half-open connections that can be handled at the same time; if it is exceeded, the system considers itself under SYN attack. The default is 100 on Windows 2000 Server and 500 on Windows 2000 Advanced Server.

TcpMaxHalfOpenRetried defines the number of half-open connections kept in the backlog queue that have had at least one retransmission. If this value is exceeded, the system automatically activates the SynAttackProtect mechanism. The default is 80 on Windows 2000 Server and 400 on Windows 2000 Advanced Server.

TcpMaxPortsExhausted refers to the number of SYN request packets the system has rejected; the default is 5.

To adjust the default values of the above parameters, modify them in the registry (at the same location as SynAttackProtect).

■ SYN cookies

We know that the TCP implementation sets aside a fairly large memory area, the backlog queue, to store half-open connection entries, and that when SYN requests keep increasing this space fills up and the system starts discarding SYN connections. SYN cookies were designed so that the server can still handle newly arriving SYN requests even when the half-open queue is full.

SYN cookies are used on Linux, FreeBSD and other operating systems. When the half-open queue is full, SYN cookies do not discard the SYN request; instead they represent the half-open state with cryptographic techniques.

In the TCP implementation, when the server receives a SYN from the client it replies with a SYN+ACK, and the client then sends an acknowledgement back. Normally the server computes its initial sequence number according to some rule of its own, but with SYN cookies the server's initial sequence number is produced by hashing and encrypting the client IP address, client port, server IP address, server port and some other secret values; the result is called the cookie. When the server is under SYN attack it does not reject new SYN requests but replies to the client with the cookie as the sequence number of its SYN+ACK. If the client's ACK arrives, the server subtracts 1 from the ACK sequence number to obtain the cookie value to compare, performs the same hash over the same elements, and checks whether the result equals this cookie. If it does, the three-way handshake completes directly (note: this connection is never placed in the backlog queue). On Red Hat Linux, SYN cookies are enabled by running the following command in the startup environment:

# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
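As an added example that is not from the original article or from any kernel's source, the following simplified Python model shows the cookie scheme described above: the server's initial sequence number is a keyed hash over the client IP, client port, server IP, server port and a secret, together with a coarse time counter, and the final ACK is verified by subtracting 1 and recomputing the hash. The secret, the 64-second counter period and the bit layout are assumptions; real implementations such as Linux also encode the client's MSS in the cookie and use a different layout.

```python
import hashlib
import hmac
import time

# Assumed server secret (constructed for this example). A real stack keeps
# it inside the kernel and rotates it; it must never be predictable.
SECRET = b"constructed-demo-secret"
COUNTER_PERIOD = 64  # seconds per counter tick; a cookie is valid for ~2 ticks


def _counter(now):
    return int(now // COUNTER_PERIOD) & 0xFF


def _mac(client_ip, client_port, server_ip, server_port, counter):
    """Keyed hash over the 4-tuple and the counter; 24 bits are kept."""
    msg = f"{client_ip}|{client_port}|{server_ip}|{server_port}|{counter}"
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).digest()[:3]


def make_syn_cookie(client_ip, client_port, server_ip, server_port, now=None):
    """Initial sequence number for the SYN+ACK: 8-bit counter in the high
    byte, 24-bit MAC below it. Nothing is stored in the half-open queue."""
    now = time.time() if now is None else now
    counter = _counter(now)
    mac = int.from_bytes(_mac(client_ip, client_port, server_ip, server_port, counter), "big")
    return ((counter << 24) | mac) & 0xFFFFFFFF


def check_syn_cookie(ack_number, client_ip, client_port, server_ip, server_port, now=None):
    """Validate the final ACK. The client echoes our ISN + 1, so subtract 1
    to recover the cookie, read its counter and recompute the MAC. The current
    and the previous counter are accepted so a slow but genuine client can
    still finish the handshake; anything older is rejected."""
    now = time.time() if now is None else now
    cookie = (ack_number - 1) & 0xFFFFFFFF
    counter = cookie >> 24
    current = _counter(now)
    if counter not in (current, (current - 1) & 0xFF):
        return False
    expected = _mac(client_ip, client_port, server_ip, server_port, counter)
    presented = (cookie & 0xFFFFFF).to_bytes(3, "big")
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    isn = make_syn_cookie("222.220.13.25", 47393, "10.11.11.11", 23)
    print("SYN+ACK seq:", hex(isn))
    print("valid ACK accepted:", check_syn_cookie(isn + 1, "222.220.13.25", 47393, "10.11.11.11", 23))
    print("ACK from other port:", check_syn_cookie(isn + 1, "222.220.13.25", 47394, "10.11.11.11", 23))
```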

■ Increasing the maximum number of half-open connections

A large number of SYN requests fills the half-open queue so that normal TCP connections cannot complete the three-way handshake; enlarging the half-open queue relieves this pressure. Of course, the backlog queue takes up a lot of memory and cannot be expanded without limit.

Windows 2000: in addition to the TcpMaxHalfOpen and TcpMaxHalfOpenRetried parameters described above, Windows 2000 can raise the maximum number of half-open connections the system holds by configuring a dynamic backlog. The dynamic backlog is implemented by AFD.SYS, a kernel-mode driver that supports Windows Sockets applications such as FTP, Telnet and so on. Its settings are stored in the registry under HKLM\System\CurrentControlSet\Services\AFD\Parameters. Setting EnableDynamicBacklog to 1 allows the dynamic backlog to change the maximum number of half-open connections.

MinimumDynamicBacklog is the minimum number of free connections the half-open queue keeps for a single TCP port. When the free connections on a port drop below this threshold, the system automatically allocates more (by DynamicBacklogGrowthDelta). Microsoft recommends 20.

MaximumDynamicBacklog is the total of the currently active half-open and free connections. When this sum exceeds the threshold, the system rejects SYN packets. Microsoft recommends that MaximumDynamicBacklog not exceed 2000.

DynamicBacklogGrowthDelta is the number of free connections added each time. These connections are not counted toward MaximumDynamicBacklog; when the free connections assigned to a TCP port in the half-open queue fall below MinimumDynamicBacklog, the system automatically allocates the free connection space defined by DynamicBacklogGrowthDelta so the port can handle more half-open connections. Microsoft recommends a value of 10.

Linux: Linux uses the variable tcp_max_syn_backlog to define the maximum number of half-open connections the backlog queue holds. In Red Hat 7.3 the default is 256, which is far too small; a SYN attack of fairly high intensity can fill the entire half-open queue. We can change this variable with the following command:

# sysctl -w net.ipv4.tcp_max_syn_backlog=2048

Sun Solaris: Solaris uses the variable tcp_conn_req_max_q0 to define the maximum number of half-open connections. In Solaris 8 the default is 1024; it can be changed with the ndd command:

# ndd -set /dev/tcp tcp_conn_req_max_q0 2048

HP-UX: HP-UX uses the variable tcp_syn_rcvd_max to define the maximum number of half-open connections. In HP-UX 11.00 the default is 500; it can be changed with the ndd command:

# ndd -set /dev/tcp tcp_syn_rcvd_max 2048

■ Shortening the timeout

As mentioned above, a SYN attack can be mitigated by enlarging the backlog queue; shortening the timeout also lets the system handle more SYN requests. The timeout, i.e. the half-open connection lifetime, is the total time the system waits across all retransmissions. The larger it is, the longer each half-open connection occupies the backlog queue and the fewer SYN requests the system can handle. The timeout can be shortened by reducing the retransmission timeout (usually the wait before the first retransmission) and the number of retransmissions.

Windows 2000 waits 3 seconds before the first retransmission. To change this default, modify the TcpInitialRTT value of the network interface in the registry. The number of retransmissions is defined by TcpMaxConnectResponseRetransmissions under the registry key HKLM\System\CurrentControlSet\Services\Tcpip\Parameters.

We can also set the number of retransmissions to 0, so that the server automatically removes the entry from the backlog queue if no ACK acknowledgement arrives within 3 seconds.

Linux: Red Hat uses the variable tcp_synack_retries to define the number of retransmissions. Its default is 5, and the total timeout is about 3 minutes.

Sun Solaris: the Solaris default is 3 retransmissions, with a total timeout of 3 minutes; these defaults can be changed with the ndd command.
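To make the trade-off between backlog size and timeout concrete, here is an added Python model (not from the original article) that computes the half-open lifetime from the first retransmission timeout and the retransmission count, then simulates the backlog queue under a sustained load of unanswered SYNs, reporting how full the queue gets and how many later SYNs find no room. It assumes a 3-second first timeout that doubles after each retransmission, which reproduces the "about 3 minutes" quoted above for 5 retransmissions; the loads and settings compared are constructed for illustration.

```python
from collections import deque


def half_open_lifetime(first_timeout, retransmissions):
    """Total time an unanswered entry stays in the backlog queue when the
    wait doubles after each retransmission: first_timeout * (2^(n+1) - 1)."""
    return sum(first_timeout * 2 ** i for i in range(retransmissions + 1))


def simulate_half_open_queue(backlog, lifetime, syn_rate, seconds):
    """One-second steps: `syn_rate` SYNs arrive whose ACK never comes, and
    each entry expires `lifetime` seconds later. Returns (peak_occupancy,
    syns_dropped): how full the queue became and how many SYNs (normal ones
    included) arrived while it was full and were discarded."""
    queue = deque()  # expiry times of live half-open entries, oldest first
    peak = dropped = 0
    for t in range(seconds):
        while queue and queue[0] <= t:
            queue.popleft()  # timed-out entries leave the queue
        for _ in range(syn_rate):
            if len(queue) >= backlog:
                dropped += 1  # queue full: the SYN is discarded
            else:
                queue.append(t + lifetime)
        peak = max(peak, len(queue))
    return peak, dropped


def compare_settings(syn_rate=2, seconds=300):
    """Red Hat 7.3 style defaults (backlog 256, 5 retransmissions) versus a
    tuned queue (backlog 2048, 2 retransmissions), same load and duration."""
    default_life = half_open_lifetime(3, 5)  # 189 s, the "about 3 minutes"
    tuned_life = half_open_lifetime(3, 2)    # 21 s
    return {
        "default": simulate_half_open_queue(256, default_life, syn_rate, seconds),
        "tuned": simulate_half_open_queue(2048, tuned_life, syn_rate, seconds),
    }


if __name__ == "__main__":
    for name, (peak, dropped) in compare_settings().items():
        print(f"{name}: peak occupancy {peak}, SYNs dropped {dropped}")
```

With only two unanswered SYNs per second the default queue fills within about two minutes and starts dropping, while the tuned queue never rises above 42 entries.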

Please cite the original address when reprinting: https://www.9cbs.com/read-43551.html
