In an IPv4 network environment, the SYN flood is a very dangerous and common DoS attack. So far there are not many means that can effectively prevent SYN flood attacks, and the SYN cookie is one of the most famous. SYN cookies were originally invented by D. J. Bernstein and Eric Schenk, and there are a variety of implementations on many operating systems, including Linux. This article introduces the principle of the SYN flood attack and of SYN cookies and, more importantly, the way SYN cookies are implemented in the Linux kernel. Finally, it gives an idea for enhancing the SYN cookie functionality in Linux.
1. The SYN FLOOD attack
The SYN flood attack is a typical denial of service (DoS) attack. A denial of service attack is one in which the attacker makes the victim host or network unable to provide its normal service, thereby indirectly achieving the attacker's goal.
The SYN flood attack exploits the three-way handshake of the TCP protocol in IPv4. As everyone knows, if one end wants to initiate a TCP connection to the other end, it sends a TCP SYN packet to the peer; the peer, after receiving it, replies with a TCP SYN ACK packet; the initiator then sends back a TCP ACK packet, and the three-way handshake is complete. We call the initiator of the TCP connection the TCP client and the recipient of the TCP connection the TCP server. It is worth noting that when the TCP server receives the TCP SYN request packet, it must allocate a data area to serve the upcoming TCP connection before it sends the TCP SYN ACK to the TCP client. A connection for which the SYN packet has been received but the ACK packet has not yet arrived is generally called a half-open connection.
In the most common form of SYN flood attack, the attacker sends a large number of TCP SYN packets to the victim in a short period of time. Here the attacker is the TCP client and the victim is the TCP server. From the description above, the victim will allocate a dedicated data area for each TCP SYN packet, as long as these SYN packets have different source addresses (which is easy for the attacker to arrange). This places a heavy burden on the TCP server system and eventually prevents the system from working properly.
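As an added example (not from the original article), the following Python model shows the mechanism just described: a server keeps a bounded table of half-open connections, a flood of SYNs from different source addresses that never send the final ACK fills it, and an honest client's SYN is dropped until the stale entries time out. It assumes a fixed-size half-open table and a constant SYN timeout; all addresses and sizes are constructed.

```python
class TcpListener:
    """Toy model of a listening socket: a bounded table of half-open
    (SYN received, ACK not yet received) connections plus established ones."""

    def __init__(self, backlog, syn_timeout=60.0):
        self.backlog = backlog          # max half-open entries (constructed limit)
        self.syn_timeout = syn_timeout  # seconds an entry waits for its ACK
        self.half_open = {}             # (src_ip, src_port) -> time the SYN arrived
        self.established = set()
        self.dropped_syns = 0

    def _expire(self, now):
        stale = [k for k, t in self.half_open.items() if now - t >= self.syn_timeout]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, src, now):
        """Receive SYN: allocate state and answer SYN-ACK, or drop if the table is full."""
        self._expire(now)
        if src in self.half_open or len(self.half_open) < self.backlog:
            self.half_open.setdefault(src, now)
            return "SYN-ACK"
        self.dropped_syns += 1
        return "DROP"

    def on_ack(self, src, now):
        """Third handshake step: only a known half-open peer becomes established."""
        self._expire(now)
        if self.half_open.pop(src, None) is None:
            return False
        self.established.add(src)
        return True

    def half_open_ratio(self):
        """Detection hint: fraction of the backlog currently sitting half-open."""
        return len(self.half_open) / self.backlog


def simulate_flood(backlog=64, flood_syns=200):
    """Flood with constructed spoofed sources that never ACK, then try one honest client."""
    srv = TcpListener(backlog, syn_timeout=60.0)
    for i in range(flood_syns):
        srv.on_syn(("203.0.113.%d" % (i % 256), 1024 + i), now=1.0)
    ratio_during = srv.half_open_ratio()            # 1.0: table completely full
    honest = ("198.51.100.7", 40000)
    during = srv.on_syn(honest, now=2.0)            # "DROP": no room for a real client
    after = srv.on_syn(honest, now=62.0)            # stale entries expired -> "SYN-ACK"
    done = srv.on_ack(honest, now=62.5)             # honest client completes the handshake
    return {"dropped": srv.dropped_syns, "ratio_during": ratio_during,
            "during": during, "after": after, "established": done}
```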
Publisher: Snow. Source: World Computer.