Principle, monitoring and defense of DoS attacks
Part 1: The basic principle of SYN FLOOD

SYN flood is one of the most popular DoS (Denial of Service) and DDoS (Distributed Denial of Service) attack methods. It exploits a defect in the TCP protocol: by sending a large number of forged TCP connection requests, the attacker exhausts the resources of the attacked host (CPU at full load or insufficient memory). To understand the basic principle of this attack, start from the process of establishing a TCP connection. As everyone knows, TCP differs from UDP in that it is connection-oriented: before data can be transmitted between the server and the client, a virtual circuit, the TCP connection, must first be created. The standard procedure for establishing a TCP connection is as follows. First, the requesting end (the client) sends a TCP segment carrying the SYN (Synchronize) flag; this synchronization message indicates the client's port and the initial sequence number of the TCP connection. Second, after receiving the client's SYN segment, the server returns a SYN+ACK segment, indicating that the client's request is accepted; the TCP sequence number is incremented and the ACK flag is set. Third, the client also returns an acknowledgement segment (ACK) to the server, again with the TCP sequence number incremented, and the TCP connection is established. The above procedure is called the three-way handshake in the TCP protocol. The problem lies in the third step of this handshake.
Suppose a user suddenly crashes or goes offline after sending a SYN packet to the server. The server then never receives the client's ACK after sending its SYN+ACK response (the third handshake cannot be completed). In this case the server generally retries (sends the SYN+ACK again) and waits for a while before discarding the incomplete connection; this waiting period is called the SYN timeout, and it is generally on the order of minutes (roughly 30 seconds to 2 minutes). One user's abnormal connection causing one server thread to wait for a minute is not a big problem, but if a malicious attacker simulates this situation in large numbers, the server consumes a great deal of resources just to maintain a very large half-open connection list: with tens of thousands of half-open connections, even simply storing and traversing the list consumes a lot of CPU time and memory, not to mention repeatedly retrying the SYN+ACK to every IP address in that list. In fact, if the server's TCP/IP stack is not robust enough, the end result is often a stack overflow and crash; even if the system is strong enough, the server is so busy handling the attacker's forged TCP connection requests that it has no time for the normal requests of legitimate clients (after all, the normal client requests are a very small proportion of the total). From the perspective of a normal client, the server has stopped responding. This situation is what we call the server being subjected to a SYN FLOOD attack.
From the defense perspective there are several simple solutions. The first is to shorten the SYN timeout. Since the effect of a SYN FLOOD attack depends on the number of half-open connections the server maintains, and this number = SYN attack frequency × SYN timeout, shortening the time between receiving a SYN packet and deciding to discard the connection, for example setting it to 20 seconds (too low a SYN timeout may affect normal client access), can reduce the server's load several-fold. The second method is to set SYN cookies: assign a cookie to each connection request, and if consecutive SYN packets keep arriving from the same IP address within a short time, judge that an attack is in progress and discard all subsequent packets from that IP address. However, these two methods can only deal with relatively primitive SYN FLOOD attacks: shortening the SYN timeout only takes effect when the other party's attack frequency is not high, and SYN cookies depend on the other party using a real IP address. If the attacker sends SYN packets at a rate of tens of thousands per second while using SOCK_RAW to randomly rewrite the source address in the IP header, both of the above methods are useless.

Part 2: Monitoring and defending against SYN FLOOD attacks

There is no really good monitoring and defense method for SYN FLOOD, but if the system administrator is familiar with the attack method and the system architecture, a series of settings can still reduce the load on the attacked system to a certain degree and reduce the negative impact (this is the main purpose of my writing this article). Generally, if a system's (or host's) load suddenly rises or it even stops responding, and the netstat command shows a large number of half-open connections in the SYN_RCVD state (more than 500, or 10% or more of the total connections), it can be determined that the system (or host) is under SYN FLOOD attack.
Once a SYN FLOOD attack is detected, the first thing to do is to record the evidence: recording the status of all TCP connections with netstat -n -p tcp > result.txt is essential, and if a sniffer or tcpdump is available, recording all details of the TCP SYN packets also helps later analysis and defense. The fields that need to be recorded are: the source address and TTL value in the IP header, the sequence number in the TCP header, and so on. This information is probably forged by the attacker, but it is still helpful for analyzing the attacker's mental state and attack program.
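The detection rule of thumb above, applied to the netstat output that is recorded first. This is an added example, not code from the original article; the netstat text is constructed, and the state names and thresholds are the ones the article gives (Windows prints SYN_RECEIVED where BSD/Linux print SYN_RCVD or SYN_RECV).

```python
# Added example: parse "netstat -n -p tcp" output and apply the article's
# SYN flood heuristic (more than 500 half-open connections, or half-open
# connections making up 10% or more of all TCP connections).
import re
from collections import Counter

# Half-open state as printed by Windows, Linux and BSD netstat respectively.
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV", "SYN_RCVD"}

# Constructed sample of netstat output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:80            203.0.113.7:51234      ESTABLISHED
  TCP    10.0.0.5:80            198.51.100.2:40001     SYN_RECEIVED
  TCP    10.0.0.5:80            198.51.100.9:40002     SYN_RECEIVED
  TCP    10.0.0.5:80            198.51.100.14:40003    SYN_RECEIVED
  TCP    10.0.0.5:443           203.0.113.8:51300      ESTABLISHED
  TCP    10.0.0.5:80            203.0.113.9:51301      TIME_WAIT
"""

# One connection line: protocol, local address, foreign address, state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_netstat(text):
    """Return a Counter of TCP connection states found in netstat output."""
    states = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            states[m.group(3)] += 1
    return states

def syn_flood_suspected(text, abs_threshold=500, ratio_threshold=0.10):
    """Apply the article's heuristic; returns (suspected, half_open, total)."""
    states = parse_netstat(text)
    total = sum(states.values())
    half_open = sum(n for s, n in states.items() if s in HALF_OPEN_STATES)
    if total == 0:
        return False, 0, 0
    suspected = half_open > abs_threshold or half_open / total >= ratio_threshold
    return suspected, half_open, total

if __name__ == "__main__":
    # On a live host: netstat -n -p tcp > result.txt, then read that file here.
    print(syn_flood_suspected(SAMPLE_NETSTAT))
```

In the constructed sample 3 of 6 connections are half-open, so the ratio rule fires even though the absolute count is far below 500.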
The TTL value is especially useful: if a large number of attack packets appear to come from different IP addresses but carry the same TTL value, we can often infer the router distance between the attacker and us, and at the very least we can filter packets with that specific TTL value to reduce the load on the attacked system (in this case all users except those whose packets happen to carry the same TTL as the attack packets recover normal access). It was mentioned earlier that SYN attacks can be mitigated by shortening the SYN timeout and setting SYN cookies. For a Win2000 system, the harm of SYN FLOOD can be reduced by modifying the registry, as follows. First open regedit and find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. Add a SynAttackProtect value of type REG_DWORD with a range of 0-2; this value determines the protection measures taken when the system is under SYN attack, including the number of SYN ACK retries. The default is 0 (no protection); the recommended setting is 2. Add a TcpMaxHalfOpen value of type REG_DWORD with a range of 100-0xffff; this is the number of half-open connections allowed to be open at the same time. By default it is 100 on Win2k Pro and Server and 500 on Advanced Server. This value is difficult to determine; it depends on the server's TCP load and the possible attack intensity, and the specific value has to be found by trial. Add a TcpMaxHalfOpenRetried value of type REG_DWORD with a range of 80-0xffffff; by default it is 80 on Win2k Pro and Server and 400 on Advanced Server. This value determines when the system starts its SYN attack protection.
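The TTL analysis described above, as an added example that is not part of the original article: recorded SYN packets (constructed sample records, not a real capture) are grouped by TTL, a TTL shared by many distinct source addresses is flagged as a filter candidate, and the hop distance is estimated from the common initial TTLs 64, 128 and 255. The thresholds are assumptions.

```python
# Added example: find the TTL value that dominates a set of recorded SYN
# packets across many different source addresses. A single sender spoofing
# random source addresses produces exactly that pattern; filtering on the TTL
# also drops legitimate clients at the same hop distance, as the article notes.
from collections import defaultdict

# Constructed records of captured SYN packets: (source IP, TTL, TCP seq).
SYN_RECORDS = [
    ("203.0.113.7", 116, 1234567),   # legitimate client, 12 hops from 128
    ("198.51.100.2", 53, 1000),
    ("198.51.100.9", 53, 1001),
    ("198.51.100.14", 53, 1002),
    ("192.0.2.77", 53, 1003),
    ("192.0.2.78", 53, 1004),
    ("203.0.113.8", 57, 7654321),
]
INITIAL_TTLS = (64, 128, 255)   # common OS defaults

def ttl_profile(records):
    """Map each observed TTL to the set of distinct source IPs carrying it."""
    sources = defaultdict(set)
    for src, ttl, _seq in records:
        sources[ttl].add(src)
    return sources

def estimate_hops(ttl):
    """Hops from the smallest common initial TTL at or above the observed value."""
    start = min(t for t in INITIAL_TTLS if t >= ttl)
    return start - ttl

def suspicious_ttls(records, min_sources=3, min_share=0.5):
    """TTLs seen from at least min_sources addresses and in min_share of packets.

    Returns a sorted list of (ttl, distinct_sources, estimated_hops).
    """
    prof = ttl_profile(records)
    total = len(records)
    hits = []
    for ttl, srcs in prof.items():
        count = sum(1 for r in records if r[1] == ttl)
        if len(srcs) >= min_sources and count / total >= min_share:
            hits.append((ttl, len(srcs), estimate_hops(ttl)))
    return sorted(hits)

if __name__ == "__main__":
    print(suspicious_ttls(SYN_RECORDS))
```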
Let's analyze the Win2000 SYN attack protection mechanism. Under normal circumstances, Win2K handles the TCP three-way handshake with a regular set of parameters, including the SYN timeout, the number of SYN-ACK retries, the delay for SYN packets travelling from the router to the system's Winsock, and so on. These regular settings are chosen for system performance (security and performance often contradict each other) so that users can be served conveniently and quickly. Once the server is attacked and the number of SYN half-open connections exceeds the TcpMaxHalfOpenRetried setting, the system considers itself under SYN FLOOD attack. At this point the options selected by the SynAttackProtect value take effect: the SYN timeout is reduced, the number of SYN-ACK retries is reduced, and the system automatically delays packets in the buffer to avoid excessive impact on the TCP/IP stack, trying to minimize the harm of the attack. If the attack intensity keeps increasing and exceeds the TcpMaxHalfOpen value, the system can no longer provide normal service; what matters more then is making sure the system does not crash, so the system discards any SYN packets beyond the TcpMaxHalfOpen value (presumably using a random packet-loss policy) to guarantee its stability.
Therefore, for a system that needs SYN attack protection, we can test or predict the number of half-open connections during peak access periods, use that as a reference to set the TcpMaxHalfOpenRetried value (retaining a certain margin), and then use 1.25 times TcpMaxHalfOpenRetried as the TcpMaxHalfOpen value. This makes the most of Win2K's built-in SYN attack protection mechanism. Defending against SYN FLOOD by setting the registry is a "hard fight" strategy, and no matter how strong the system is, it cannot hold out in a hard fight forever. Besides fighting it out, "retreat" is also a rather effective approach. Retreat is based on a shortcoming of SYN FLOOD attack code, so let's re-analyze the process of a SYN FLOOD attack. SYN FLOOD programs have two attack modes, based on an IP address and based on a domain name: in the former, the attacker resolves the domain name himself and passes the IP address to the attack program; in the latter, the attack program performs the domain name resolution automatically. But they have one thing in common: once the attack starts, domain name resolution is not performed again. Our entry point is here. Suppose a server quickly changes its IP address after being hit by a SYN FLOOD attack; the attacker is then continuously attacking an empty IP address with no host behind it, while the defender changes the DNS record to point to the new IP address and restores access for users who come through the domain name within a very short time (depending on the DNS refresh time). To confuse the attacker, we can even place a "sacrificial" server at the old address to keep the attacker satisfied with the "effect" of the attack (because of DNS caching, as long as the attacker's browser has not refreshed the record, he still sees the original IP address). For the same reason, among the many load balancing architectures, DNS-based load balancing itself has a certain immunity to SYN FLOOD: DNS-based load balancing assigns users to server hosts with different IP addresses, while the attacker's attack always hits only one of those servers.
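The tuning rule above (measure the peak half-open count, set TcpMaxHalfOpenRetried with a margin, take 1.25 times that as TcpMaxHalfOpen, enable SynAttackProtect=2), as an added example that is not part of the original article. The 20% margin is an assumption, the value ranges are the ones the article lists, and the output is a standard .reg file for review before import.

```python
# Added example: derive the three Win2000 registry values from a measured
# peak of half-open connections and render them as a .reg file.
REG_PATH = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Ranges as the article gives them. It prints the upper bound of
# TcpMaxHalfOpenRetried as 0xffffff; the same 0xFFFF DWORD bound it gives
# for TcpMaxHalfOpen is assumed here.
RANGES = {
    "SynAttackProtect": (0, 2),
    "TcpMaxHalfOpen": (100, 0xFFFF),
    "TcpMaxHalfOpenRetried": (80, 0xFFFF),
}

def plan_syn_protection(peak_half_open, margin_percent=20):
    """Registry values for a measured peak half-open count (integer arithmetic).

    TcpMaxHalfOpenRetried = peak plus the margin (assumed 20%),
    TcpMaxHalfOpen = 1.25 x TcpMaxHalfOpenRetried, SynAttackProtect = 2.
    """
    retried = peak_half_open + peak_half_open * margin_percent // 100
    half_open = retried * 125 // 100
    values = {
        "SynAttackProtect": 2,
        "TcpMaxHalfOpenRetried": retried,
        "TcpMaxHalfOpen": half_open,
    }
    for name, v in values.items():
        lo, hi = RANGES[name]
        if not lo <= v <= hi:
            raise ValueError(f"{name}={v} outside range {lo}-{hi:#x}")
    # Protection must engage (Retried) before packets are discarded (HalfOpen).
    assert values["TcpMaxHalfOpenRetried"] < values["TcpMaxHalfOpen"]
    return values

def to_reg_file(values):
    """Render the values as a .reg file with REG_DWORD entries."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{REG_PATH}]"]
    for name, v in values.items():
        lines.append(f'"{name}"=dword:{v:08x}')
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # A peak of 400 half-open connections is a constructed measurement.
    print(to_reg_file(plan_syn_protection(400)))
```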
Although the attacker can break this "retreat" strategy by continuing to perform DNS requests, this increases the attacker's cost, and the repeated DNS requests can help us trace the attacker's true trail (unlike SYN attack packets, a DNS request needs data to be returned, so it is difficult to disguise the IP address).
For firewalls, the method of defending against SYN FLOOD depends on the basic working principle of the firewall. Generally a firewall works at or below the TCP layer; a firewall working at the TCP layer is called a gateway-type firewall. The relationship between a gateway-type firewall, the server and the client is shown below:

                 external TCP connection               internal TCP connection
    [Client] ==========================> [Firewall] ==========================> [Server]

As shown above, there is no real TCP connection between the client and the server; all data exchange between the client and the server is proxied by the firewall, and the external DNS resolution also points to the firewall, so if the website is attacked, what is really being attacked is the firewall. The advantage of this kind of firewall is that it is stable and resists attack well, but because all TCP packets must be forwarded through the firewall, its efficiency is relatively low. Because the client does not establish a connection directly with the server, and the firewall does not open a new TCP connection to the backend server on the client's behalf until the client's connection is complete, the attacker cannot bypass the firewall to attack the backend server directly. As long as the firewall itself is strong enough, this architecture can withstand a SYN FLOOD attack of considerable intensity. However, since the firewall's actual number of TCP connections is twice the number of user connections (a TCP connection is needed on each side of the firewall), and all TCP requests and data transfers from clients are proxied, when the system has a large volume of traffic the load on the firewall itself is quite high, so this architecture is not suitable for large websites.
(I feel that, against such a firewall architecture, using a TCP_STATE attack would probably be quite effective :) A firewall working at or below the IP layer is different; its relationship with the server and the client is as follows:

                    packet modification and forwarding
    [Client] ============== [Firewall] ==============> [Server]
                            TCP connection

The TCP connection goes directly from the client to the server, while the firewall plays the role of a router: it intercepts all passing packets, filters them, and forwards those that pass the filter to the server, and the external DNS resolution points directly to the server. The advantage of this firewall is high efficiency; it can handle traffic of 100Mbps-1Gbps. But if this firewall is configured improperly, it not only lets the attacker reach the internal server but may even amplify the intensity of the attack, causing the whole system to crash.