Thursday, August 4, 2011

SYN Flood

SYN Flood is the most popular form of DoS (Denial of Service) and DDoS (Distributed Denial of Service) attack. It exploits a defect in the TCP protocol: the attacker sends a large number of forged TCP connection requests, and the victim's resources (CPU at full load, or memory) are exhausted servicing them.

Fundamentals

To understand the basic principle of the attack, start with how a TCP connection is established. Unlike UDP, TCP is connection-oriented: before a server and a client can transfer data, they must first set up a virtual circuit, the TCP connection. A standard TCP connection is established like this:
 
First, the requester (client) sends a TCP packet with the SYN (Synchronize) flag set; this synchronization message specifies the client's port and the initial sequence number for the connection. Second, the server receives the client's SYN and returns a SYN+ACK packet, indicating that the client's request is accepted, with the TCP sequence number incremented by one; ACK stands for Acknowledgment. Third, the client returns an ACK confirmation to the server, again with the sequence number incremented by one, and the TCP connection is complete. This connection procedure is called the three-way handshake in TCP.

The problem lies in the third step of the handshake. Suppose a user sends a SYN packet to the server and then suddenly crashes or drops offline: the server sends its SYN+ACK response but never receives the client's ACK, so the third step of the handshake cannot complete. In this case the server normally retries (sends the SYN+ACK to the client again) and waits for some time before dropping the unfinished connection. We call this waiting period the SYN Timeout; it is generally on the order of minutes (about 30 seconds to 2 minutes). Having one server thread wait a minute because of one abnormal user is no great problem, but if a malicious attacker simulates this situation in large numbers, the server has to maintain a very large list of half-open connections, which consumes a lot of resources. With tens of thousands of half-open connections, even a simple walk over the list to save and check entries consumes a lot of CPU time and memory, not to mention that the server is also constantly retrying SYN+ACK to every IP on that list.
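To make the bookkeeping above concrete, here is an added example (not code from the original post) that models the server's list of half-open connections in Python: each SYN creates an entry, the server retransmits SYN+ACK and expires the entry after the SYN Timeout, and a legitimate client is refused once the table is full. The backlog size, the 3-second retransmission interval and all addresses are constructed assumptions; nothing touches the network.

```python
# Discrete-time model of a server's half-open (SYN-received) connection table.
# Added example; it simulates the bookkeeping described in the post with
# constructed SYN records and never sends packets. Times are whole seconds.
from dataclasses import dataclass, field


@dataclass
class HalfOpen:
    created: int         # second the SYN arrived
    last_synack: int     # second of the most recent SYN+ACK (re)transmission


@dataclass
class ListenSocket:
    backlog: int                      # maximum half-open entries the server keeps (assumed)
    syn_timeout: int                  # seconds an unanswered SYN is retained ("SYN Timeout")
    synack_retry_interval: int = 3    # assumed SYN+ACK retransmission interval
    table: dict = field(default_factory=dict)   # (ip, port) -> HalfOpen
    retransmits: int = 0
    dropped_syns: int = 0
    completed: int = 0

    def on_syn(self, src, now):
        """Step 1 of the handshake: record the peer and (conceptually) send SYN+ACK."""
        if src in self.table:
            return True                     # duplicate SYN, entry already exists
        if len(self.table) >= self.backlog:
            self.dropped_syns += 1          # table full: this SYN gets no SYN+ACK at all
            return False
        self.table[src] = HalfOpen(created=now, last_synack=now)
        return True

    def on_ack(self, src):
        """Step 3: the peer's ACK completes the handshake and frees the entry."""
        if self.table.pop(src, None) is None:
            return False
        self.completed += 1
        return True

    def tick(self, now):
        """Once per second: expire stale entries, retransmit SYN+ACK for the rest."""
        for src, e in list(self.table.items()):
            if now - e.created >= self.syn_timeout:
                del self.table[src]         # gave up waiting for the third handshake step
            elif now - e.last_synack >= self.synack_retry_interval:
                e.last_synack = now
                self.retransmits += 1       # more work spent on a peer that never answers


def simulate(syn_rate, syn_timeout, backlog, duration, client_at):
    """Feed `syn_rate` SYNs per second from constructed sources that never send the
    final ACK, and let one legitimate client attempt a full handshake at `client_at`."""
    sock = ListenSocket(backlog=backlog, syn_timeout=syn_timeout)
    peak, n, client_ok = 0, 0, None
    for t in range(duration):
        for _ in range(syn_rate):
            n += 1
            # constructed, distinct (ip, port) pairs from the TEST-NET-3 range
            sock.on_syn(("203.0.113.%d" % (n % 254 + 1), 1024 + n // 254), t)
        if t == client_at:
            legit = ("192.0.2.10", 5555)    # constructed legitimate client
            client_ok = sock.on_syn(legit, t) and sock.on_ack(legit)
        sock.tick(t)
        peak = max(peak, len(sock.table))
    return {"peak_half_open": peak, "client_ok": client_ok,
            "retransmits": sock.retransmits, "dropped_syns": sock.dropped_syns}


if __name__ == "__main__":
    # 100 unanswered SYN/s kept for 30 s settles at 100 x 30 = 3000 half-open entries
    print(simulate(syn_rate=100, syn_timeout=30, backlog=10**6, duration=60, client_at=45))
    # the same flood against a 1024-entry table locks the legitimate client out
    print(simulate(syn_rate=100, syn_timeout=30, backlog=1024, duration=60, client_at=45))
    # shortening the timeout to 5 s cuts the steady-state backlog to 500
    print(simulate(syn_rate=100, syn_timeout=5, backlog=10**6, duration=60, client_at=45))
```

The three runs reproduce the post's arithmetic: the steady-state number of half-open entries is the SYN rate multiplied by the SYN Timeout, a bounded table is filled at that rate and refuses the legitimate client, and shortening the timeout shrinks the table proportionally.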
In fact, if the server's TCP/IP stack is not robust enough, the final result is often a stack overflow crash. Even if the server system is strong enough, it will be so busy with the attacker's forged TCP connection requests that it has no time for normal customers' requests (after all, the rate of normal client requests is very small by comparison). From the normal customer's point of view the server stops responding; this is what we call the server being hit by a SYN Flood attack.

Solution

From the defense perspective there are several simple solutions. The first is to reduce the SYN Timeout. Since the effect of a SYN Flood depends on the number of half-open SYN connections the server keeps, and this value = SYN attack frequency x SYN Timeout, shortening the time from receiving a SYN packet to declaring it invalid and discarding the connection, for example by setting the timeout to 20 seconds or less (a very low SYN Timeout setting may affect normal customers' access), reduces the server's load by a corresponding multiple. The second method is to set a SYN Cookie: each IP address that requests a connection is assigned a Cookie, and if an IP sends repeated SYN packets within a short period of time it is identified as attacking, and subsequent packets from that IP address are discarded. But these two methods can only cope with primitive SYN Flood attacks. Reducing the SYN Timeout only helps when the attack frequency is not high, and the SYN Cookie depends on the attacker using its real IP address; if the attacker sends SYN packets at a rate of millions per second while using SOCK_RAW to rewrite the IP packets with random source addresses, the above methods are useless. Ultimately there is no complete defense against SYN Flood, short of never going online at all.
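The per-IP rule the post calls a SYN Cookie, as an added example in Python that is not part of the original: it counts SYNs per source address over a short window, marks an address that repeats too often, and discards its later packets, then runs over two constructed traces to show that it stops a single-source burst but passes every packet of a burst whose source addresses are all different. Window, threshold and addresses are assumptions. Note that the technique usually called SYN cookies (RFC 4987) is a different mechanism: the server encodes the connection state in its SYN+ACK sequence number so that no half-open entry has to be stored until the final ACK arrives, which is precisely what lets it cope with the forged-source case the post ends on.

```python
# Per-source SYN repetition detector, the rule the post describes as "SYN Cookie":
# count recent SYNs per source IP and discard further packets from any IP that
# repeats within a short window. Added example over constructed records; no
# traffic is sent. The window and threshold values are assumptions.
from collections import defaultdict, deque


class SynRepeatDetector:
    def __init__(self, window=1.0, threshold=10):
        self.window = window               # seconds of SYN history kept per source IP
        self.threshold = threshold         # SYNs inside the window that mark an IP as attacking
        self.history = defaultdict(deque)  # ip -> timestamps of recent SYNs
        self.blocked = set()

    def accept(self, ip, now):
        """True if this SYN should reach the half-open table, False if it is dropped."""
        if ip in self.blocked:
            return False
        times = self.history[ip]
        times.append(now)
        while now - times[0] > self.window:
            times.popleft()                # forget SYNs that fell out of the window
        if len(times) >= self.threshold:
            self.blocked.add(ip)           # identified as an attacker: drop from now on
            del self.history[ip]
            return False
        return True


def run(syns, window=1.0, threshold=10):
    """Feed (timestamp, src_ip) records in time order; return (accepted, dropped, blocked)."""
    det = SynRepeatDetector(window, threshold)
    accepted = dropped = 0
    for ts, ip in sorted(syns):
        if det.accept(ip, ts):
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped, sorted(det.blocked)


# Constructed trace 1: 200 SYNs in two seconds from one real source, plus one
# legitimate client (192.0.2.10) in the middle of the burst.
single_source = [(i * 0.01, "203.0.113.7") for i in range(200)] + [(1.5, "192.0.2.10")]

# Constructed trace 2: the same burst, but every SYN carries a different forged
# source address, the case the post says per-IP counting cannot handle.
spoofed = [(i * 0.01, "198.51.100.%d" % (i + 1)) for i in range(200)] + [(1.5, "192.0.2.10")]


if __name__ == "__main__":
    print("single source:", run(single_source))   # (10, 191, ['203.0.113.7'])
    print("spoofed      :", run(spoofed))         # (201, 0, [])
```

In the first trace the detector lets nine SYNs through before the tenth trips the threshold, blocks the address, and the legitimate client is unaffected. In the second trace every address is seen exactly once, nothing is blocked, and all 200 forged SYNs reach the half-open table, which is the failure the post describes.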
