DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks are among the main security threats to large websites and web servers. In February 2000, Yahoo, Amazon and CNN were attacked, among others, in incidents that went down in the history of major security events. Because of the characteristics of the attack itself, SYN flood has become the most popular means of DoS and DDoS attack today.
A SYN flood exploits a defect in the TCP protocol: the attacker sends a large number of forged TCP connection requests so that the attacked host's resources are exhausted and it can no longer respond to or handle legitimate service requests in time. A normal TCP connection requires a three-way handshake. First, the client sends a packet with the SYN flag set; the server then returns a SYN/ACK reply packet, indicating that the client's request has been accepted; finally, the client returns an ACK confirmation packet, which completes the TCP connection. After the server has sent its reply packet, if the client does not confirm, the server waits until a timeout expires, and the half-open connection state is kept in a cache queue of limited size. If a large number of SYN packets are sent to the server and never answered, the server's TCP resources are exhausted, so that normal connections can no longer get in, and the server's system may even crash.
Firewalls are often used to protect an internal network from unauthorized access from external networks. Because a firewall sits between clients and servers, it can also be used to defend internal servers against DoS attacks. Against SYN flood, firewalls usually offer three protection methods: SYN gateway, passive SYN gateway and SYN relay.
With the SYN gateway method, the firewall receives the client's SYN packet and forwards it directly to the server. When the firewall receives the server's SYN/ACK packet, it forwards the SYN/ACK to the client and, at the same time, returns an ACK packet to the server to complete the TCP three-way handshake, so that the server moves the connection from the half-open state to the established state. When the client's real ACK packet arrives, the data is forwarded to the server; otherwise the packet is discarded. Since the server can withstand connections in the established state far better than half-open ones, this method effectively alleviates the attack on the server.
The passive SYN gateway sets the firewall's SYN request timeout parameter far below the server's timeout period. The firewall forwards the client's SYN packet to the server, the server's SYN/ACK packet to the client, and the client's ACK packet to the server. If the client has not sent its ACK packet when the firewall's timer expires, the firewall sends an RST packet to the server, causing the server to remove the half-open connection from its queue. Because the firewall's timeout is much shorter than the server's, this effectively prevents the SYN flood attack.
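To make the timer relationship of the passive SYN gateway concrete, here is a small added model (not code from the article) that sweeps a constructed trace of SYN arrivals and counts how many half-open entries the server's queue holds with and without the gateway in front of it; the 75 s server timer, the 3 s firewall timer and the client behaviour are assumed values.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Syn:
    t: int                    # SYN arrival time at the firewall, in ms
    acked_at: Optional[int]   # client's ACK arrival time; None = spoofed source, never acked

def half_open_end(s: Syn, server_timeout: int, fw_timeout: Optional[int]) -> int:
    """Instant the server drops this half-open entry: on the ACK, on its own timer, or on the firewall's RST."""
    end = s.t + server_timeout
    if s.acked_at is not None:
        end = min(end, s.acked_at)
    if fw_timeout is not None:
        fw_end = s.t + fw_timeout
        # gateway timer fires before any ACK arrives: the firewall sends RST to the server
        if s.acked_at is None or s.acked_at > fw_end:
            end = min(end, fw_end)
    return end

def peak_half_open(syns: List[Syn], server_timeout: int, fw_timeout: Optional[int] = None) -> int:
    """Peak number of half-open entries in the server's queue; fw_timeout=None models no firewall."""
    events = []
    for s in syns:
        events.append((s.t, +1))
        events.append((half_open_end(s, server_timeout, fw_timeout), -1))
    events.sort()  # at equal times -1 sorts before +1: a freed slot is reused immediately
    peak = active = 0
    for _, delta in events:
        active += delta
        peak = max(peak, active)
    return peak

def slow_clients_rejected(syns: List[Syn], fw_timeout: int) -> int:
    """Legitimate clients whose ACK arrives after the firewall already reset the server entry."""
    return sum(1 for s in syns if s.acked_at is not None and s.acked_at > s.t + fw_timeout)

# Constructed trace: 300 spoofed SYNs, one every 200 ms for 60 s, plus five fast
# legitimate clients (ACK after 100 ms) and one slow client (ACK after 4 s).
ATTACK = [Syn(t=200 * k, acked_at=None) for k in range(300)]
LEGIT = [Syn(t=1000 * i, acked_at=1000 * i + 100) for i in range(1, 6)] + [Syn(t=10_000, acked_at=14_000)]
TRACE = ATTACK + LEGIT
SERVER_TIMEOUT = 75_000   # assumed server half-open timer, ms
FW_TIMEOUT = 3_000        # assumed passive SYN gateway timer, ms (far below the server's)

if __name__ == "__main__":
    print("peak half-open, no firewall:        ", peak_half_open(TRACE, SERVER_TIMEOUT))
    print("peak half-open, passive SYN gateway:", peak_half_open(TRACE, SERVER_TIMEOUT, FW_TIMEOUT))
    print("slow legitimate clients rejected:   ", slow_clients_rejected(TRACE, FW_TIMEOUT))
```

The third figure is the trade-off to watch when tuning the gateway timer: a client whose ACK takes longer than the firewall timeout has its connection reset even though it is legitimate.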
With the SYN relay method, when the firewall receives the client's SYN packet it does not forward it, but records the state information and actively sends a SYN/ACK packet to the client itself. If it then receives the client's ACK packet, the access is legitimate: the firewall sends a SYN packet to the server and completes the three-way handshake with it. In this way the firewall acts as a proxy that establishes the connection between client and server, and the attack traffic can be filtered out completely so that it never reaches the server.