The most direct manifestation of the SYN attack method is to fill up the TCP semi-connection queue, so that when the TCP semi-connection queue is full, subsequent SYN packets received will be discarded , resulting in the failure of the client to establish a connection with the server.
There are four ways to avoid SYN attacks:
- Increase netdev_max_backlog;
- Increase the TCP semi-connection queue;
- Open tcp_syncookies;
- Reduce the number of SYN+ACK retransmissions
Method 1: Increase netdev_max_backlog
When the network card receives data packets faster than the kernel can process them, there will be a queue to hold these data packets. The maximum value of the control queue is as follows. The default value is 1000. We need to increase the value of this parameter appropriately, for example, set it to 10000
Method 2: Increase the TCP semi-connection queue
To increase the TCP semi-connection queue, the following three parameters must be increased at the same time:
- Increase net.ipv4.tcp_max_syn_backlog
- Increase the backlog in the listen() function
- increase net.core.somaxconn
Specifically, why are three parameters determining the size of the TCP semi-connection queue? You can read this article: You can read this article: What happens when the TCP semi-connection queue and full connection queue are full? How should we deal with it?
Method 3: Open net.ipv4.tcp_syncookies
Turning on the syncookies function can successfully establish a connection without using the SYN semi-connection queue, which is equivalent to bypassing the SYN semi-connection to establish a connection.
Specific process:
- When the "SYN queue" is full, the subsequent server will not discard the SYN packet received, but calculate a
cookie
value according to the algorithm;- Put the cookie value in the "serial number" of the second handshake message, and then the server returns the second handshake to the client;
- When the server receives the response message from the client, the server will check the legitimacy of the ACK packet. If legal, put the connection object into the "Accept Queue".
- Finally, the application
accpet()
retrieves the connection from the "Accept Queue" by calling the interface.It can be seen that when tcp_syncookies is enabled, even if the SYN queue is full due to a SYN attack, the normal connection can be successfully established.
The net.ipv4.tcp_syncookies parameter mainly has the following three values:
- A value of 0 means that the function is turned off;
- A value of 1 means that it is enabled only when the SYN semi-join queue cannot fit;
- A value of 2 means that the function is enabled unconditionally;
Then when dealing with SYN attacks, you only need to set it to 1.
Method 4: Reduce the number of SYN+ACK retransmissions
When the server is attacked by SYN, there will be a large number of TCP connections in the SYN_REVC state. The TCP in this state will retransmit SYN+ACK. When the number of retransmissions exceeds the upper limit, the connection will be disconnected.
Then for the SYN attack scenario, we can reduce the number of SYN-ACK retransmissions to speed up the disconnection of the TCP connection in the SYN_REVC state.
The maximum number of retransmissions of the SYN-ACK message is tcp_synack_retries
determined by the kernel parameter (the default value is 5 times), for example, reduce tcp_synack_retries to 2 times:
Why does waving need four times?
Let's look back at the process of FIN
waving the , and you can understand why it takes four times.
- When the connection is closed, when the client sends to the server
FIN
, it only means that the client no longer sends data but can still receive data. FIN
When the server receives the message from the client , it will return aACK
response message first, and the server may still have data to process and send. When the server no longer sends data, it will sendFIN
a message to the client to express its agreement. Now close connect.- From the above process, it can be seen that the server usually needs to wait for the completion of sending and processing the data
ACK
, so the data and data of the serverFIN
are generally sent separately, so four waves are required . - 4.1 TCP three-way handshake and four-way wave interview questions | Kobayashi coding
#The second wave is lost, what happens?
When the server receives the first wave from the client, it will first return an ACK confirmation message, and the connection of the server enters the state at this time CLOSE_WAIT
.
We also mentioned earlier that the ACK message will not be retransmitted, so if the server's second wave is lost, the client will trigger the timeout retransmission mechanism and retransmit the FIN message until it receives the server's first wave. Wave twice, or reach the maximum number of retransmissions .
For example, assuming that the parameter value of tcp_orphan_retries is 2, when the second wave is always lost, the process that occurs is as follows:
For the connection closed by the close function , since data can no longer be sent and received,FIN_WAIT2
the state cannot last for too long, and tcp_fin_timeout
the duration of the connection in this state is controlled, and the default value is 60 seconds.
Note, however, that if the active closing party uses the shutdown function to close the connection, specifying that only the sending direction is closed, but the receiving direction is not closed, it means that the active closing party can still receive data.
If the active closing party has not received the third wave, the connection of the active closing party will always be in FIN_WAIT2
the state ( tcp_fin_timeout
the connection closed by shutdown cannot be controlled ). As shown below: