Strategies for preventing DDoS attacks

xiaoxiao, 2021-03-06

Preventing SYN flood attacks by turning on TCP intercept on the router

TCP intercept is a feature found on most router platforms; its main role is to defend against SYN flood attacks. A SYN attack abuses TCP's three-way handshake: the attacker sends connection requests from forged source IP addresses, so the SYN/ACK the server sends back never reaches a real endpoint and the final ACK never arrives. The attacked host holds resources for every half-open connection while it waits to complete or close it; with thousands of such connections its resources are exhausted, which is exactly the attacker's goal. A router's TCP intercept function can be used to protect the hosts behind it (a Cisco router is used as the example here). Turning on TCP intercept takes three steps:

1. Set the working mode of TCP intercept

TCP intercept has two working modes, intercept and watch. In intercept mode the router actively proxies every TCP connection request covered by the access list (it completes the handshake with the client itself before opening the connection to the server), which noticeably increases its own load. It is therefore usually run in watch mode: the router passively watches connection attempts, tracks how long each one stays incomplete and how many are outstanding, and resets those that exceed the configured limits.

Format: ip tcp intercept mode {intercept | watch}

The default is intercept.

2. Define an access list that selects the hosts to be protected

Format: access-list [100-199] {deny | permit} tcp source source-wildcard destination destination-wildcard

Example: to protect the host 219.148.150.126

access-list 101 permit tcp any host 219.148.150.126

3. Enable TCP intercept

ip tcp intercept list access-list-number

Example: two servers, 219.148.150.126 and 219.148.150.125, need to be protected; the configuration is:

ip tcp intercept list 101
ip tcp intercept mode watch
........
access-list 101 permit tcp any host 219.148.150.125
access-list 101 permit tcp any host 219.148.150.126

With this configuration the hosts are protected to some extent. Two things to check: a numbered extended ACL is entered with access-list 101 ... (ip access-list is the keyword for named ACLs, and will not create list 101), and the limits that watch mode enforces, the watch timeout (ip tcp intercept watch-timeout, default 30 seconds) and the incomplete-connection thresholds (ip tcp intercept max-incomplete high/low, defaults 1100/900), should be tuned to the connection rate the servers really see.
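The following is an added example, not part of the original article and not Cisco code: a small simulation of what the router does in watch mode for the access list above. It passively tracks each half-open (embryonic) connection toward the protected server, resets the ones whose final ACK never arrives within the watch timeout, and mimics IOS aggressive mode, in which, once the number of incomplete connections passes the high-water mark, every new SYN evicts the oldest half-open entry and the watch timeout is halved until the count falls below the low-water mark. The timeout and threshold values are assumed to be the IOS defaults (30 s, 1100/900); the traffic is constructed and no packets are sent.

```python
from collections import Counter, OrderedDict

# Assumed IOS defaults for "ip tcp intercept"; verify on your own platform.
WATCH_TIMEOUT = 30.0        # seconds an embryonic connection may stay incomplete
MAX_INCOMPLETE_HIGH = 1100  # above this, aggressive mode is entered
MAX_INCOMPLETE_LOW = 900    # below this, aggressive mode is left


class WatchModeIntercept:
    """Passive TCP intercept: watch half-open connections to protected hosts
    and reset (toward the server) the ones that never finish the handshake."""

    def __init__(self, protected_hosts, timeout=WATCH_TIMEOUT,
                 high=MAX_INCOMPLETE_HIGH, low=MAX_INCOMPLETE_LOW):
        self.protected = set(protected_hosts)   # what the access-list permits
        self.timeout = timeout
        self.high, self.low = high, low
        self.embryonic = OrderedDict()           # (src, sport, dst, dport) -> SYN time
        self.resets = []                         # (key, reason): RSTs the router would send
        self.aggressive = False

    def observe(self, now, src, sport, dst, dport, flags):
        """Feed one packet seen on the wire (flags: 'SYN', 'SYN-ACK', 'ACK', 'RST')."""
        self._expire(now)
        key = (src, sport, dst, dport)
        if flags == "SYN" and dst in self.protected:
            if self.aggressive and self.embryonic:
                # aggressive mode: each new SYN evicts the oldest half-open entry
                self._reset(next(iter(self.embryonic)), "aggressive")
            self.embryonic[key] = now
        elif flags == "ACK" and key in self.embryonic:
            del self.embryonic[key]              # handshake completed; stop watching
        elif flags == "RST":
            self.embryonic.pop(key, None)
        self._update_mode()

    def _expire(self, now):
        limit = self.timeout / 2 if self.aggressive else self.timeout  # halved when aggressive
        for key, t0 in list(self.embryonic.items()):
            if now - t0 > limit:
                self._reset(key, "watch-timeout")
        self._update_mode()

    def _reset(self, key, reason):
        del self.embryonic[key]
        self.resets.append((key, reason))        # a real router sends RST to key[2]:key[3]

    def _update_mode(self):
        n = len(self.embryonic)
        if n > self.high:
            self.aggressive = True
        elif n < self.low:
            self.aggressive = False

    def reset_reasons(self):
        return Counter(reason for _, reason in self.resets)


def simulate(flood_size=1500):
    """Constructed traffic: one legitimate client that completes its handshake,
    then a spoofed SYN flood at 100 SYN/s that never answers, then a legitimate
    SYN 31 seconds after the flood stops."""
    server = "219.148.150.126"
    router = WatchModeIntercept([server])
    legit = ("203.0.113.7", 40000, server, 80)
    router.observe(0.0, *legit, "SYN")
    router.observe(0.1, *legit, "ACK")           # completed: entry is dropped
    for i in range(flood_size):
        src = f"198.51.100.{i % 250 + 1}"        # spoofed source, unique port
        router.observe(1.0 + i / 100, src, 1024 + i, server, 80, "SYN")
    router.observe(1.0 + flood_size / 100 + 31, "203.0.113.7", 40001, server, 80, "SYN")
    return router


if __name__ == "__main__":
    r = simulate()
    print("resets by reason:", dict(r.reset_reasons()))
    print("still embryonic:", len(r.embryonic), "aggressive:", r.aggressive)
```

The legitimate client is never reset because its handshake completed before any timer ran; the 1101st flood SYN tips the router into aggressive mode, after which each further SYN evicts the oldest entry, and the remaining entries are cleared by the watch timeout once the flood stops.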

Editor: Lin Jienshan

--------------------------------------------------------------

Settings on the host

Almost all host platforms have settings that mitigate DoS attacks. In summary, they are of the following kinds:

* Close unnecessary services.
* Limit the number of SYN half-open connections allowed at the same time.
* Shorten the timeout of SYN half-open connections.
* Raise the per-socket connection queue (listen backlog) from the default 128 or 512 to 2048 or more, so that each process can absorb and work through more pending connections.
* Set connection timeouts so that normal connections still complete while attack packets are discarded.
* Update the system and install patches promptly.

Firewall

* Block access to services the host does not expose.
* Limit the maximum number of simultaneous SYN (half-open) connections.
* Restrict access from specific IP addresses.
* Enable the firewall's anti-DDoS features.
* Strictly restrict outbound access from servers that are exposed to the outside.

The fifth item mainly prevents your own servers from being used as tools (attack agents) against others.

Router

Taking a Cisco router as the example:

* Cisco Express Forwarding (CEF)
* Unicast Reverse-Path Forwarding (uRPF)
* Access Control List (ACL) filtering
* Rate-limiting of SYN packets
* Upgrading an IOS version that is too old
* A log server for the router

Special care is needed with CEF and uRPF: used improperly they can seriously reduce the router's forwarding performance, and an IOS upgrade should be approached just as cautiously. The router is the core device of the network, so here is a small piece of experience for when you change its settings: don't save first. A Cisco router has two configurations, startup-config and running-config. Changes modify the running-config; let that run for a while (a few days is fine), and when you are satisfied save it to the startup-config (copy running-config startup-config). If you are not satisfied and want the original configuration back, use copy startup-config running-config. Note that this merges the saved configuration into the running one rather than replacing it: commands you added that are not in the startup-config stay in effect until you remove them or reload the router.

Whether firewall or router, these are devices on the external interface of the network. When applying anti-DDoS settings on them, weigh carefully the normal business traffic that may be sacrificed.

--------------------------------------------------------------

How to prevent attacks in advance

In fact, many attack methods are not new; they have been around for a long time (DoS is one) and are basically well understood, yet only when malicious people use them to break network security do people realise how serious the problem is. The right response is to pay full attention to building a sound security system in advance. In practice, the following aspects help keep hackers out.

1. Have enough machines to withstand the attack. This is the ideal response: if the user has enough capacity and resources, the attacker's efforts are gradually absorbed as it keeps accessing the user and seizing resources, and before the user's machines fail the attacker may no longer be able to sustain the attack.

2. Use network equipment to protect network resources. Network equipment here means routers, firewalls and load balancers, which can protect the network effectively. When Yahoo! was attacked, the first thing to fail was a router, but the other machines stayed up. A failed router returns to service after a restart, quickly and without loss, whereas if the servers had failed, data would have been lost and restarting them is a long process. Without that router, Yahoo! would have been hit much harder.

3. Use ingress filtering and express forwarding to filter unnecessary services and ports, that is, to filter packets with forged source IPs at the router. For example, Cisco's CEF (Cisco Express Forwarding) builds the forwarding table against which a packet's source IP can be compared to the routing table; the check itself is performed by uRPF, described next, which requires CEF.

4. Use Unicast Reverse Path Forwarding to check where visitors come from. It verifies that the visitor's source IP address is plausible (reachable back through the interface the packet arrived on) and blocks the packet if it is forged. Hackers often confuse their victims with false IP addresses, making it hard to find where an attack comes from, so uRPF reduces the appearance of false source addresses and helps improve network security.

5. Filter all RFC 1918 IP addresses. RFC 1918 addresses are the private ranges used inside internal networks, namely 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. They are not assigned to any particular network segment on the Internet but are reserved for internal use, so they should be filtered at the border.

6. Limit SYN/ICMP traffic. Configure on the router the maximum bandwidth that SYN and ICMP packets may consume; traffic exceeding that limit is not normal network access but a sign of an attack.

--------------------------------------------------------------

SYN attack prevention technology

SYN attack prevention has been studied for a long time. Broadly there are two categories: protection by a filtering gateway (firewall, router) and defense by hardening the TCP/IP protocol stack. Be clear, though, that SYN attacks cannot be blocked completely; short of redesigning the TCP protocol, the best that can be done is to reduce the damage they cause.

1. Filtering gateway protection

A filtering gateway here mainly means a firewall, though a router can also act as one. A firewall deployed between networks blocks illegal external attacks and leaks of confidential data, and because it sits between client and server it can play a good part in protecting against SYN attacks. Gateway-based protection comes in three types: timeout settings, the SYN gateway and the SYN proxy.

■ Gateway timeout setting: the firewall sets a SYN forwarding timeout (a stateful firewall keeps it in its state table) that is much shorter than the server's own timeout. After the client sends a SYN and the server replies with SYN/ACK, if the firewall has not seen the client's ACK when this timer expires, it sends an RST to the server so that the server deletes the half-open connection from its queue. The timeout must not be set too small, or normal communication is affected; too large, and the protection against SYN attacks is weakened. It has to be set according to the network environment.

■ SYN gateway: when the SYN gateway receives the client's SYN it forwards it directly to the server; when it receives the server's SYN/ACK it forwards that to the client and at the same time sends an ACK to the server in the client's name. The server thereby moves from the half-open state to the established state. When the client's own ACK arrives, it is forwarded if it carries data and otherwise discarded. The server maintains an established-connection queue as well as the half-open queue; under a SYN attack the established queue grows instead, but a server can normally hold far more established connections than half-open ones, so this method effectively relieves the attack on the server.

■ SYN proxy: when the client's SYN reaches the filtering gateway, the SYN proxy does not forward it but replies with a SYN/ACK to the client in the server's name. If it then receives the client's ACK, the access is legitimate, and only then does the firewall open the connection to the server on the client's behalf, completing a three-way handshake with it. The SYN proxy thus takes the SYN attack in the server's place, so the filtering gateway itself must be able to withstand a strong SYN attack.

2. Hardening the TCP/IP protocol stack

The other major technique against SYN attacks is adjusting the TCP/IP protocol stack, that is, modifying the TCP implementation. The main methods are the SynAttackProtect mechanism, SYN cookies, increasing the maximum number of half-open connections, and shortening the timeout. Adjusting the stack may limit certain functions, so the administrator should do this only after fully understanding and testing the change.

■ The SynAttackProtect mechanism

To defend against SYN attacks, the SynAttackProtect mechanism is built into the TCP/IP stack of Windows 2000, and Windows 2003 uses it as well. SynAttackProtect limits the resources spent on unacknowledged connections and shortens their timeouts, so that the system can handle more SYN requests. By default Windows 2000 does not enable it; the SynAttackProtect value must be added to the registry under:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

When SynAttackProtect is 0 or not set (unless stated otherwise, registry values in this article are hexadecimal), the system is not protected by the mechanism.

When SynAttackProtect is 1, the system defends against SYN attacks by reducing the number of SYN/ACK retransmissions and delaying creation of the route cache entry until the connection is established.

When SynAttackProtect is 2 (Microsoft's recommended value), the system additionally delays notifying Winsock of the connection until the three-way handshake completes, which lets it hold more half-open connections. With this value the per-socket TCP options scalable windows (RFC 1323) and the per-adapter parameters TcpInitialRtt and window size are disabled.

Note that normally the mechanism is dormant; the stack is only adjusted once a SYN attack is detected. How does the system detect one? It decides based on three values: TcpMaxHalfOpen, TcpMaxHalfOpenRetried and TcpMaxPortsExhausted.

TcpMaxHalfOpen is the maximum number of half-open connections handled at the same time; above it the system considers itself under SYN attack. The default is 100 on Windows 2000 Server and 500 on Advanced Server. TcpMaxHalfOpenRetried is the number of half-open connections in the backlog queue for which at least one SYN/ACK retransmission has been sent; above it the SynAttackProtect mechanism is triggered automatically. The default is 80 on Windows 2000 Server and 400 on Advanced Server.

TcpMaxPortsExhausted is the number of connection requests the system has refused before protection is triggered; the default is 5.

To change these defaults, edit them in the registry at the same location as SynAttackProtect.

■ SYN cookies

The TCP implementation sets aside a fairly large memory area, the backlog queue, to store half-open entries; when SYN requests keep coming and exhaust that space, the system discards new SYN requests. SYN cookies were designed so that the server can still process new SYN requests once the half-open queue is full.

SYN cookies are used on Linux, FreeBSD and other operating systems. When the half-open queue is full, instead of discarding the SYN the server encodes the half-open state cryptographically in the sequence number it sends back.

In a normal TCP implementation, on receiving the client's SYN the server replies with SYN/ACK and the client then sends an ACK. Normally the server's initial sequence number is chosen by some rule of its own, but with SYN cookies it is computed as a hash of the client IP address, client port, server IP address, server port and further elements such as a secret value; this keyed value is the cookie. Under SYN attack the server does not reject new SYNs; it replies with the cookie as the sequence number of the SYN/ACK and keeps no state for the connection. If the client's ACK arrives, the server subtracts 1 from its acknowledgment number to recover the cookie, recomputes the hash over the same elements and compares the two; if they match the three-way handshake is completed directly (note: whether this connection would have fit in the backlog queue is not considered at all).

On Red Hat Linux, SYN cookies are enabled by running the following command in the boot environment:

# echo 1 > /proc/sys/net/ipv4/tcp_syncookies

■ Increasing the maximum number of half-open connections

A large number of SYN requests fills the half-open queue, so normal TCP connections cannot complete the three-way handshake; enlarging the queue relieves this pressure. Of course the backlog queue consumes a lot of memory and cannot be expanded without limit.

Windows 2000: in addition to the TcpMaxHalfOpen and TcpMaxHalfOpenRetried parameters described above, Windows 2000 can raise the number of half-open connections it accommodates through the dynamic backlog. This is implemented in AFD.SYS, the kernel-mode driver that supports Windows Sockets applications such as FTP and Telnet servers. Its values live under HKLM\SYSTEM\CurrentControlSet\Services\AFD\Parameters. EnableDynamicBacklog = 1 allows the dynamic backlog to change the maximum number of half-open connections. MinimumDynamicBacklog is the minimum number of free connections a single listening endpoint keeps in its half-open queue; when the free count drops below this threshold the system automatically allocates more (by DynamicBacklogGrowthDelta). Microsoft recommends 20.

MaximumDynamicBacklog is the ceiling on half-open plus free connections for one endpoint; once it is exceeded the system refuses further SYN packets. Microsoft recommends that MaximumDynamicBacklog not exceed 2000.

DynamicBacklogGrowthDelta is the number of free connections allocated at a time; these are not counted against MaximumDynamicBacklog. When the free connections of a listening endpoint fall below MinimumDynamicBacklog, the system allocates DynamicBacklogGrowthDelta more so that the endpoint can handle more half-open connections. Microsoft recommends 10.

Linux: Linux uses the variable tcp_max_syn_backlog for the maximum number of half-open connections the backlog queue holds. Red Hat 7.3 defaults it to 256, which is far too small: a strong SYN attack fills the half-open queue completely. Change it with:

# sysctl -w net.ipv4.tcp_max_syn_backlog=2048

Sun Solaris: Solaris uses the variable tcp_conn_req_max_q0 for the maximum number of half-open connections; on Solaris 8 the default is 1024, and it can be changed with the ndd command:

# ndd -set /dev/tcp tcp_conn_req_max_q0 2048

HP-UX: HP-UX uses the variable tcp_syn_rcvd_max for the maximum number of half-open connections; on HP-UX 11.00 the default is 500, and it can be changed with the ndd command:

# ndd -set /dev/tcp tcp_syn_rcvd_max 2048

■ Shortening the timeout

Besides enlarging the backlog queue, as described above, shortening the timeout also lets the system process more SYN requests. The timeout, that is the lifetime of a half-open connection, is the total time the system spends waiting for the client's ACK across all SYN/ACK retransmissions; the larger it is, the longer each half-open connection occupies a slot in the backlog queue and the fewer SYN requests the system can process per unit time. The timeout is shortened by reducing the retransmission timer (typically the first retransmission timeout) and the number of retransmissions.

Windows 2000 waits 3 seconds before the first retransmission; to change this default, modify the TcpInitialRtt value under the network adapter's interface key in the registry. The number of retransmissions is defined by TcpMaxConnectResponseRetransmissions under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. It can even be set to 0, so that the server removes the entry from the backlog queue if no ACK has arrived within 3 seconds.

Linux: Red Hat uses the variable tcp_synack_retries for the number of retransmissions; the default is 5, giving a total timeout of about 3 minutes.

Sun Solaris: Solaris defaults to 3 retransmissions and a total timeout of 3 minutes; both defaults can be changed with the ndd command.

--------------------------------------------------------------

iptables settings, quoted from CU

Limit SYN packets:

# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

Some people write the same thing for the INPUT chain:

# iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT

--limit 1/s allows one SYN per second (after an initial burst of 5, the default --limit-burst); adjust the values to your own needs. Two cautions: these ACCEPT rules only have an effect if a later rule, or the chain's policy, drops the SYN packets that exceed the limit, otherwise the excess is accepted anyway; and a single global limit this low also drops legitimate connection attempts during an attack, so it is a blunt instrument.

Prevent various port scans:

# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

Ping flood:

# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

(The source labels the last rule "Ping of Death". Ping of Death is an oversized-packet bug, not a rate problem; rate-limiting echo requests mitigates a ping flood, not Ping of Death.)
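The following is an added example, not part of the original post and not iptables code: a model of the limit match (a token bucket that starts full with --limit-burst tokens and refills at --limit tokens per second) applied as the rule pair "-p tcp --syn -m limit --limit 1/s -j ACCEPT" followed by "-p tcp --syn -j DROP". It makes the trade-off above concrete: with the rule in place a quiet day already drops most of a normal burst of connections, and during a flood the bucket is drained by attack SYNs at the top of every second, so legitimate SYNs are dropped while a trickle of attack SYNs still gets through. Timings are exact fractions; the traffic is constructed.

```python
from fractions import Fraction


class LimitMatch:
    """Model of 'iptables -m limit --limit RATE --limit-burst BURST': a token
    bucket holding at most BURST tokens, refilled at RATE tokens per second.
    A packet matches when a whole token is available and consumes it."""

    def __init__(self, rate_per_sec, burst):
        self.rate = Fraction(rate_per_sec)
        self.burst = Fraction(burst)
        self.tokens = self.burst          # the bucket starts full
        self.last = Fraction(0)

    def matches(self, now):
        now = Fraction(now)
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def run_chain(syn_packets, rate_per_sec=1, burst=5):
    """syn_packets: iterable of (time_in_seconds, label) for SYN packets.
    Emulates the rule pair
        iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
        iptables -A INPUT -p tcp --syn -j DROP
    and returns {label: (accepted, dropped)}."""
    limit = LimitMatch(rate_per_sec, burst)
    verdicts = {}
    for t, label in sorted(syn_packets):      # packets are processed in time order
        accepted, dropped = verdicts.get(label, (0, 0))
        if limit.matches(t):
            accepted += 1
        else:
            dropped += 1
        verdicts[label] = (accepted, dropped)
    return verdicts


def quiet_day():
    """Constructed: 20 legitimate clients connect within one second, no attack."""
    return run_chain([(Fraction(i, 20), "legit") for i in range(20)])


def under_flood():
    """Constructed: 100 spoofed SYN/s for 10 s; a real client tries once per second."""
    flood = [(Fraction(i, 100), "flood") for i in range(1000)]
    legit = [(Fraction(2 * k + 1, 2), "legit") for k in range(10)]
    return run_chain(flood + legit)


if __name__ == "__main__":
    print("quiet day:  ", quiet_day())
    print("under flood:", under_flood())
```

On the quiet day only the 5 burst tokens are spent and the other 15 legitimate SYNs are dropped; under the flood the 5 burst tokens plus one token per second (14 attack SYNs in total) are all taken by the flood, and every one of the 10 legitimate attempts is dropped. A per-source limit (the hashlimit match) is kinder to legitimate clients, but a flood from spoofed sources evades it, which is why SYN cookies or a SYN proxy are the more robust answer.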

----------------------------------

Recently a class of design defect called the "buffer overflow" has been doing serious harm to system security and has become a bigger headache than Y2K. Once such a defect is discovered by people with an interest in it, it is used as a means of illegal intrusion and the information in the computer is destroyed. According to statistics, attacks through buffer overflows account for more than 80% of all attacks on systems, and the distributed denial of service (DDoS) attacks suffered by the major websites also relied on buffer overflows: the attack agents were planted on hosts that had been compromised through such defects.

Simply put, a buffer overflow is a way of attacking a system: input written into a program's buffer exceeds the buffer's size, overwriting the program's stack so that execution is diverted to other instructions, which achieves the attacker's purpose. In the DDoS case the intruder supplied an over-long string, in an input field or the like, and the excess bytes were taken by the computer for code, giving the intruder a way into the machine without the system noticing. Buffer overflows are reported to be the most common computer security problem of the past decade, and an intruder can use them to gain complete control of the computer.

■ The hacker's customary trick: the buffer overflow

On UNIX systems, buffer overflows are currently the usual way of obtaining root privileges; in fact it is the hacker's preferred method once they already hold a basic account on the system. It is also widely used in remote attacks, and there are already many instances of a stack overflow in a daemon process yielding a remote root shell.

Windows systems have buffer overflow problems too. Moreover, with the spread of the Internet, more and more Internet service programs run on the Windows family, and a poorly written Windows program becomes a fatal wound on your system because it overflows just the same. Since Windows users and administrators generally lack security awareness, a stack overflow on a Windows system, if maliciously exploited, lets the whole machine be taken over by the hacker and turns the whole local area network into the hacker's. Earlier this month a defect called the "malformed HTR request" was found in Microsoft's popular IIS Server 4.0. According to Microsoft, the defect can cause arbitrary code to run on the server under particular conditions. But Firas Bushnaq, CEO of the security company that found the vulnerability, said this is only the tip of the iceberg: hackers can use it to take complete control of the IIS server, and many e-commerce sites are built on exactly this system.

■ How the hacker causes chaos

Let us look at the principle of the buffer overflow. The C language performs no array bounds checking, and many applications written in C simply assume that a buffer is big enough, that its capacity is certainly greater than the length of the string to be copied into it. That is not always so. When a program errs, or a malicious user deliberately sends an over-long string, unexpected things happen: the excess characters overwrite the other variables adjacent to the array, giving them unpredictable values. If the array happens to sit next to the subroutine's saved return address, the excess part of the string overwrites that address, the subroutine returns to an unpredictable location, and the program's execution goes wrong; if the application then touches an address outside its own address space, the process dies with an access violation. Errors of this kind are very common in programming.

A program that exploits a buffer overflow to damage or illegally enter a system usually consists of several parts:

1. Prepare a string of machine code that starts a shell; below we call it shellcode.

2. Allocate a buffer and place the machine code at its low end.

3. Estimate the address at which the buffer will sit on the stack and write that address into the high end of the buffer, where it overwrites the saved return address. This starting address is the parameter that is adjusted across repeated runs of the program.

4. Pass the buffer as an input parameter to the program that has the overflow bug and run it.

From the above analysis and examples the huge threat to system security is plain. On UNIX systems, a well-written program of this class that exploits such an error in a SUID program easily obtains superuser rights. When a service program serves a port, a buffer overflow program can easily bring that service down, paralysing it for a period or crashing the whole system immediately, which turns it into a denial of service attack. These mistakes are not only programmers' errors; more of them appear in the system's own implementation. Today buffer overflow errors are continually being discovered in UNIX, Windows, routers, gateways and other network devices, and they constitute the largest and most numerous class of security threats to systems.

--------------------------------------------------------------

Part of my firewall, published here. It is mainly aimed at ICMP/ping, but it is not of much use :(

# default policy: drop everything that no later rule accepts
/sbin/iptables -P INPUT DROP
# ICMP from the inside interface is fine; incoming echo requests (type 8) are dropped
/sbin/iptables -A INPUT -i eth1 -p icmp -j ACCEPT
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -j DROP
# loopback sources are only legitimate on lo; on eth0 they are spoofed
# (the original listing had 127.0.0.2 here; the whole loopback block is meant)
/sbin/iptables -A INPUT -s 127.0.0.0/8 -i lo -j ACCEPT
/sbin/iptables -A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
# anti-spoofing on the outside interface: our own LAN and private ranges never come from eth0
# (the original listing garbled this range; the RFC 1918 blocks are 10/8, 172.16/12, 192.168/16)
/sbin/iptables -A INPUT -s $LAN_NET/24 -i eth0 -j DROP
/sbin/iptables -A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
/sbin/iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
# rate-limit everything arriving on eth0 to 1 packet/s with a burst of 5
/sbin/iptables -A INPUT -i eth0 -m limit --limit 1/sec --limit-burst 5 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp -m state --state NEW -j REJECT
# services offered
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth1 --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth1 --dport 53 -j ACCEPT
# replies to connections we opened
/sbin/iptables -A INPUT -p tcp -i eth0 -m state --state ESTABLISHED,RELATED -m tcp --dport 1024: -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth0 -m state --state ESTABLISHED,RELATED -m udp --dport 1024: -j ACCEPT
# log and drop pings (note: the earlier --icmp-type 8 DROP already matched them, so these never fire)
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j LOG --log-level 2
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
# log NetBIOS/RPC probes
/sbin/iptables -A INPUT -p tcp -m multiport --destination-port 135,137,138,139 -j LOG
/sbin/iptables -A INPUT -p udp -m multiport --destination-port 135,137,138,139 -j LOG
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 2000 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 2001 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth1 -m state --state ESTABLISHED,RELATED -m tcp --dport 1024: -j ACCEPT

This is just some of my personal exploration; it may be insufficient or wrong. If you have a way to prevent DDoS, please tell me :) Because of the specific nature of this article, please inform me before reposting; thank you for your cooperation :)

--------------------------------------------------------------

Finally, two responses that restore service quickly when a website is under DoS attack:

* If you have plenty of IP addresses, switch to a new IP address and point the website's domain name at it;
* Deactivate port 80, run the HTTP service on 81 or another port, and point the website's domain name at IP:81.

Please cite the original address when reposting: https://www.9cbs.com/read-58853.html