Recently I have become particularly interested in SYN flood. I saw an article about the SYN Cookie Firewall; I searched Google and found no Chinese version, so I translated it.
Original at: http://www.bronzesoft.org/projects/scfw/
Please credit the source when reprinting.
http://www.mmbest.com
Big bun
This article introduces 4 concepts:
1: Introduction to SYN Cookie
2: What is a SYN flood attack
3: What is SYN Cookie
4: What is a SYN Cookie firewall
C = Client
S = Server
FW = Firewall
1: Introduction to SYN Cookie
SYN Cookie is a technique for defending against SYN flood attacks. It was invented by D. J. Bernstein and Eric Schenk. SYN Cookie is now already part of the Linux kernel (my inserted note: it is disabled by default), but it only protects the Linux system it runs on. What we propose here is to build a Linux firewall that extends SYN Cookie protection to the whole network behind it, whatever operating systems the hosts run. The firewall takes the half-open TCP connections on itself, so the protected systems never enter the half-open state (TCP_SYN_RECV). Only when the connection is fully established does the firewall pass the client's connection on to the server.
2: What is a SYN flood attack? (from the CERT advisory)
When a system (call it the client, C) tries to establish a TCP connection, C and the server exchange a series of packets. This handshake is used by every TCP-based service, such as Telnet, web, email and so on.
First, C sends a SYN packet to the server. The server then sends a SYN-ACK packet back to C, and finally C returns an ACK packet, which completes the TCP connection. At this point the connection between C and the server is established and the two can exchange data. Here is a picture of the above :)
    Client                    Server
    ------                    ------
    SYN -------------------->
        <-------------------- SYN-ACK
    ACK -------------------->

    Client and Server can now
    send service-specific data
The potential weakness is that after S has sent the SYN-ACK, it may never receive the ACK that should follow. This is the so-called half-open connection: S must reserve a certain amount of system memory while it waits for this unfinished connection. The amount is limited, but a malicious party can launch a SYN flood attack by creating a large number of half-open connections.
Half-open connections are easy to create with IP spoofing. The attacker sends SYN packets to the victim system that look legitimate, but the so-called client C will never respond to the SYN-ACK, which means the victim will never receive the ACK.
The half-open connections eventually consume all the system resources of the victim, and the victim can no longer accept any other request. Normally the wait for the returning ACK has a timeout, so the half-open connections will eventually time out and the victim system will recover by itself. Even so, the attacker can simply keep sending forged SYN packets faster than the victim recovers, and continue the attack.
In most cases the victim can hardly accept any new request, but this attack does not affect existing inbound or outbound connections. Even so, the victim system may still exhaust its resources and run into other problems.
The location of the attacking system is almost impossible to determine, because the source addresses in the SYN packets are forged. When a SYN packet arrives at the victim system there is no way to find its real origin, since filtering on the source IP is the only means of verifying a packet's origin in address-based packet forwarding.
3: What is SYN Cookie?
SYN Cookie is a TCP implementation that answers a TCP SYN request with a cookie. As described above, in a normal TCP implementation, when S receives a SYN packet it replies with a SYN-ACK and then enters the TCP_SYN_RECV (half-open) state to wait for the final ACK. S uses a data structure to describe all of these unresolved connections. The size of this data structure is limited, so an attacker can fill it up.
With TCP SYN Cookies, when S receives a SYN packet it still replies with a SYN-ACK, but the sequence number of that SYN-ACK is a cryptographic value: it is computed from the source address, source port, destination address, destination port and a secret seed. S then discards all state for the connection. If an ACK packet later comes back from C, S recomputes the value to determine whether it is the answer to the earlier SYN-ACK. If it is, S can go directly into the established state and open the connection. In this way S avoids having half-open connections at all.
The above is only the basic idea of SYN Cookie; a real implementation has many more details. Please see the archive of discussions on the kernel mailing list from the previous year for those details.
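The following is an added worked example, not code from the original article or from the scfw project, showing the mechanism just described in Bernstein's published layout: the server's initial sequence number carries a 5-bit time counter, a 3-bit encoded MSS and a 24-bit keyed hash of the 4-tuple and counter. The secret, addresses, ports and time values are constructed for the demo; the 24-bit hash is an HMAC truncation chosen here for illustration, and the cookie omits the client's own sequence number, which real stacks also mix in.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-secret"   # constructed; real stacks use random, periodically re-keyed secrets
MSS_TABLE = (536, 1300, 1440, 1460)   # 3-bit MSS encoding: largest entry not above the offered MSS
MAX_AGE = 2                           # accept the current and the two previous 64-second counters


def _secret_func(saddr, sport, daddr, dport, t):
    """24-bit keyed hash of (source addr, source port, dest addr, dest port, time counter)."""
    msg = struct.pack("!4sH4sHI", socket.inet_aton(saddr), sport,
                      socket.inet_aton(daddr), dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, mss, now):
    """Server ISN placed in the SYN-ACK. Nothing about the connection is stored afterwards."""
    t = now // 64
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((t & 0x1F) << 27) | (mss_idx << 24) | _secret_func(saddr, sport, daddr, dport, t)


def check_cookie(saddr, sport, daddr, dport, ack_num, now):
    """Validate the final ACK of the handshake from the packet alone.

    Returns the MSS to use for the connection, or None if the ACK is forged or too old.
    """
    cookie = (ack_num - 1) & 0xFFFFFFFF          # client acknowledges ISN + 1
    t_now = now // 64
    # Recover the full counter: the most recent value whose low 5 bits match the cookie.
    t = t_now - ((t_now - (cookie >> 27)) & 0x1F)
    if t_now - t > MAX_AGE:
        return None                                # stale cookie: the secret function has moved on
    if (cookie & 0xFFFFFF) != _secret_func(saddr, sport, daddr, dport, t):
        return None                                # wrong 4-tuple, wrong secret, or guessed value
    return MSS_TABLE[(cookie >> 24) & 0x7]


def demo():
    """Constructed handshake: one genuine ACK and three that a server must reject."""
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 80)
    now = 1_000_000
    isn = make_cookie(c[0], c[1], s[0], s[1], 1460, now)       # sent in the SYN-ACK, then forgotten
    ack = (isn + 1) & 0xFFFFFFFF                                # what an honest client sends back
    return {
        "legit": check_cookie(c[0], c[1], s[0], s[1], ack, now + 10),
        "wrong_port": check_cookie(c[0], 40001, s[0], s[1], ack, now + 10),
        "tampered": check_cookie(c[0], c[1], s[0], s[1], ack ^ 1, now + 10),
        "expired": check_cookie(c[0], c[1], s[0], s[1], ack, now + 64 * 5),
    }


if __name__ == "__main__":
    print(demo())   # legit -> 1460, the others -> None
```

The point of the example is that check_cookie never consults a table of pending connections: everything the server needs to decide is in the ACK itself plus the secret and the clock, which is exactly why a flood of SYNs that are never acknowledged costs it no memory.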
4: What is a SYN Cookie firewall?
The SYN Cookie firewall is an extension of SYN Cookie. SYN Cookie is built into the TCP stack and protects the Linux operating system itself. The SYN Cookie firewall is a major Linux feature that lets you use one firewall to protect your whole network from SYN flood attacks.
Below is how the SYN Cookie firewall works:
    Client              FireWall               Server
    ------              --------               ------
 1. SYN ------------>
 2.     <------------ SYN-ACK (cookie)
 3. ACK ------------>
 4.                   SYN ---------------->
 5.                       <---------------- SYN-ACK
 6.                   ACK ---------------->
 7. <-----------> relay the connection <----------->
1: C sends a SYN packet to S.
2: The firewall steps in for S here and replies to C with a SYN-ACK packet carrying a SYN cookie.
3: C sends an ACK packet; the firewall and C are now connected.
4: The firewall, acting as C, sends a SYN to S.
5: S returns a SYN-ACK to C, which the firewall receives.
6: The firewall, acting as C, sends an ACK to S; now the firewall and S are connected.
7: The firewall relays traffic between C and S.
If the system is under a SYN flood, the third step never happens, and since the firewall keeps no record of the SYN it received in step 1, the SYN flood attack is repelled.
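To make the seven steps concrete, here is an added simulation of the firewall's handling of the handshake; it is constructed for this page and is not the scfw project's code. Packets are plain tuples, the cookie is a keyed hash of the 4-tuple (the time window of the previous example is left out), and the secret, addresses, ports and sequence numbers are all made up. It does show one detail the steps above only imply: after step 6 the firewall must translate sequence numbers when relaying, because the ISN it promised C in step 2 (the cookie) is not the ISN that S chose in step 5.

```python
import hashlib
import hmac
from collections import namedtuple

# Constructed packet model: only the fields the handshake needs.
Pkt = namedtuple("Pkt", "src sport dst dport flags seq ack")
SECRET = b"constructed-fw-secret"   # constructed; a real firewall would re-key this periodically
MASK = 0xFFFFFFFF


def cookie_isn(src, sport, dst, dport):
    """Stateless SYN cookie: the ISN the firewall uses in its SYN-ACK for this 4-tuple."""
    msg = f"{src}:{sport}>{dst}:{dport}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class SynCookieFirewall:
    def __init__(self):
        self.pending = {}     # client 4-tuple -> client seq, while the FW<->S handshake (steps 4-6) runs
        self.relays = {}      # client 4-tuple -> ISN delta, once both sides are up (step 7)
        self.last_sent = None

    def state_entries(self):
        """Memory the firewall holds for connections. Half-open client SYNs never appear here."""
        return len(self.pending) + len(self.relays)

    def _emit(self, *fields):
        self.last_sent = Pkt(*fields)

    def from_client(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if key in self.relays:                                      # step 7: relay toward S
            return p._replace(ack=(p.ack + self.relays[key]) & MASK)
        if p.flags == "SYN":                                        # steps 1-2: answer, store nothing
            self._emit(p.dst, p.dport, p.src, p.sport, "SYN-ACK", cookie_isn(*key), (p.seq + 1) & MASK)
            return None
        if p.flags == "ACK" and key not in self.pending:            # step 3: validate the cookie
            if (p.ack - 1) & MASK != cookie_isn(*key):
                return None                                         # forged or stale ACK: dropped
            self.pending[key] = p.seq                               # step 4: SYN to S on C's behalf
            self._emit(p.src, p.sport, p.dst, p.dport, "SYN", (p.seq - 1) & MASK, 0)
        return None

    def from_server(self, p):
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.relays:                                      # step 7: relay toward C
            return p._replace(seq=(p.seq - self.relays[key]) & MASK)
        if p.flags == "SYN-ACK" and key in self.pending:            # steps 5-6: finish the S side
            self._emit(key[0], key[1], key[2], key[3], "ACK", self.pending.pop(key), (p.seq + 1) & MASK)
            self.relays[key] = (p.seq - cookie_isn(*key)) & MASK    # S's ISN minus the cookie ISN
        return None


def simulate(n_spoofed=10_000):
    """Constructed scenario: a spoofed SYN flood, a forged ACK, then one legitimate client."""
    fw = SynCookieFirewall()
    s = ("192.0.2.10", 80)
    # Flood from forged sources: they never answer the SYN-ACK, so step 3 never happens.
    for i in range(n_spoofed):
        fw.from_client(Pkt(f"203.0.113.{i % 254 + 1}", 1024 + i, s[0], s[1], "SYN", i, 0))
    state_after_flood = fw.state_entries()
    # A bare ACK with a guessed acknowledgement number fails the cookie check.
    fw.from_client(Pkt("203.0.113.77", 5555, s[0], s[1], "ACK", 1, 1))
    state_after_forged_ack = fw.state_entries()
    # Legitimate client, steps 1 to 7.
    c = ("10.0.0.5", 40000)
    fw.from_client(Pkt(c[0], c[1], s[0], s[1], "SYN", 1000, 0))                 # 1
    synack = fw.last_sent                                                         # 2
    fw.from_client(Pkt(c[0], c[1], s[0], s[1], "ACK", 1001, synack.seq + 1))     # 3 -> 4
    syn_to_s = fw.last_sent
    fw.from_server(Pkt(s[0], s[1], c[0], c[1], "SYN-ACK", 777_777, syn_to_s.seq + 1))  # 5 -> 6
    relayed = fw.from_client(Pkt(c[0], c[1], s[0], s[1], "ACK", 1001, synack.seq + 1))  # 7
    return {
        "state_after_flood": state_after_flood,
        "state_after_forged_ack": state_after_forged_ack,
        "established": len(fw.relays),
        "relayed_ack": relayed.ack,      # rewritten to acknowledge S's real ISN (777_778)
    }


if __name__ == "__main__":
    print(simulate())
```

Run as written, the firewall answers ten thousand spoofed SYNs and still holds zero connection entries; only the client that completes step 3 with a valid cookie causes the firewall to spend any memory and to open the server-side connection.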
5: Download
ip_scfw-0.9.2.tar.gz (http://www.bronzesoft.org/projects/scfw/ip_scfw-0.9.2.tar.gz) is the latest version. It contains a patch for the Linux 2.2.17 kernel and the management tools; download it and install it according to the readme file.
design (http://www.bronzesoft.org/projects/scfw/design) is the detailed design document for this code. It is also included in the tar.gz package, or you can read it online.
changelog (http://www.bronzesoft.org/projects/scfw/changelog) describes the progress of the project.
tcpdos.tgz (http://www.bronzsoft.org/projects/scfw/tcpdos.tgz) is a tool for generating SYN floods; you can use it to test your SYN Cookie firewall.
A few words of my own: when C sends its ACK to the FW, if for some reason that ACK is lost, the communication stops; in a normal TCP connection S would send another SYN-ACK. That is a small flaw.