
[linux] See how my linux protects against SYN attacks

Posted on 12/12/2015 12:04:58 AM

When I arrived at the company this morning, logging in to the company's official website felt quite slow, so I logged in to the server to check the site's connection status:

[root@web ~]# netstat -anp |awk '{print $6}'|sort|uniq -c |sort -rn

     172 ESTABLISHED

     59 CONNECTED

    589 SYN_RECV

     15 STREAM

SYN_RECV really is that high; next, trace which IPs those SYNs are coming from:

[root@tweb ~]# netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more

570 x.x.x.x   

(The IP is not written out; it belongs to China Unicom in Zaozhuang, Shandong.) This single IP sent that many SYN requests, and our web server's concurrency is not very high, so normal user requests could not be served and pages would not open. Because the hardware firewall is managed by the group's IT department and I have no access to it, I could only take measures on the server itself to partially mitigate the SYN attack.

First, how a SYN attack works:

In TCP/IP, TCP provides a reliable connection service by establishing each connection with a three-way handshake.

First handshake: to open a connection, the client sends a SYN packet (syn=j) to the server and enters the SYN_SENT state, waiting for the server to confirm.

Second handshake: when the server receives the SYN, it must acknowledge the client's SYN (ack=j+1) and at the same time send its own SYN (syn=k), i.e. a SYN+ACK packet; the server now enters the SYN_RECV state and keeps a half-open connection entry in its SYN queue.

Third handshake: the client receives the server's SYN+ACK and sends the acknowledgement ACK (ack=k+1) to the server. After these three steps the client and server start transmitting data.


If a client sends the SYN, receives the server's SYN+ACK, and then never sends the final ACK, the server keeps the half-open connection in SYN_RECV and retransmits the SYN+ACK until its retry count is exhausted. A SYN flood sends large numbers of such SYNs, usually from spoofed source addresses, so the final ACK never arrives and the SYN queue fills up with half-open entries, leaving no room for real clients. So we work directly on how the server handles SYN connections:

Check the default SYN configuration in Linux:

[root@web ~]# sysctl -a | grep _syn

net.ipv4.tcp_max_syn_backlog = 1024

net.ipv4.tcp_syncookies = 1

net.ipv4.tcp_synack_retries = 5

net.ipv4.tcp_syn_retries = 5

tcp_max_syn_backlog is the length of the SYN queue (half-open connections in SYN_RECV); a longer queue holds more connections that are waiting to complete the handshake. tcp_syncookies enables SYN cookies: once the queue is full, the kernel answers each SYN with a SYN+ACK whose sequence number encodes the connection parameters instead of storing an entry, and only allocates state when the matching ACK comes back, so legitimate clients still get through during a flood (at the cost of some TCP options on cookie-validated connections). tcp_synack_retries is the number of times the server retransmits an unanswered SYN+ACK; lowering it makes half-open entries expire sooner (each retry doubles the wait, so 5 retries hold an entry for about 63 s and 3 retries for about 15 s). tcp_syn_retries, by contrast, only governs the SYNs this host sends when it is the client, so lowering it does nothing against an inbound flood.

Below are the parameters I modified; adjust them to your own server's situation:

[root@web ~]# more /etc/rc.d/rc.local

#!/bin/sh

# This script will be executed *after* all the other init scripts.

# You can put your own initialization stuff in here if you don't

# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

ulimit -HSn 65535

/usr/local/apache2/bin/apachectl start

#####

sysctl -w net.ipv4.tcp_max_syn_backlog=2048

sysctl -w net.ipv4.tcp_syncookies=1

sysctl -w net.ipv4.tcp_synack_retries=3

sysctl -w net.ipv4.tcp_syn_retries=3

For the configuration to take effect immediately without restarting the server, run the same commands by hand (the usual place to persist them is /etc/sysctl.conf, loaded with sysctl -p, but rc.local works too as long as it runs at boot):

#sysctl -w net.ipv4.tcp_max_syn_backlog=2048

#sysctl -w net.ipv4.tcp_syncookies=1

#sysctl -w net.ipv4.tcp_synack_retries=3

#sysctl -w net.ipv4.tcp_syn_retries=3

Some people also use iptables rules to slow down SYN floods. Two things to keep in mind: a rate-limit rule that ends in -j ACCEPT only does something if it is followed by a rule that drops the SYNs exceeding the limit (the same --syn match with -j DROP); on its own, with the INPUT policy of ACCEPT that a fresh system has, the surplus SYNs are still accepted by the default policy. And -m limit counts all sources together, so during an attack legitimate clients compete with the attacker for the same 1 SYN per second; a per-source limit (-m hashlimit --hashlimit-mode srcip) avoids that.

SYN flood

#iptables -A INPUT -p tcp --syn -m limit --limit 1/s -j ACCEPT

--limit 1/s lets an average of 1 SYN per second through this rule (with the default burst of 5); it does not limit concurrency, and anything above that rate has to be handled by a following DROP rule.

Anti-port scanning (rate-limits RST packets; note that this and the next rule are in the FORWARD chain, which only sees traffic the machine routes for other hosts, so they do nothing for packets addressed to the web server itself, which go through INPUT)

# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

Ping of death (in fact this rule rate-limits ICMP echo requests, i.e. a ping flood; the oversized-packet "ping of death" bug is a different thing)

# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# iptables-save > /etc/sysconfig/iptables

To view the rules: # iptables -L (output trimmed; the rules belong to the INPUT and FORWARD chains as added above)

ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5

ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5

ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5

Check the syn connection again:

[root@web ~]# netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more

     20 10.92.10.220

      1 125.43.36.199

Obviously the number of SYN connections has come down.
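As an added example (not part of the original post), here is the SYN_RECV-per-source check from above as a reusable shell function, run over constructed netstat -ant lines rather than a real capture. It goes beyond the one-liner in the post in one respect: the port is stripped with an end-anchored pattern instead of cutting at the first ":", so IPv4-mapped IPv6 peers (::ffff:a.b.c.d, which a dual-stack listener shows) are counted under the same address as their plain IPv4 form. The sample addresses and the threshold of 3 in the stand-alone run are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: count half-open (SYN_RECV)
# connections per remote address and flag the sources that stand out.
# The input below is constructed in `netstat -ant` layout
# (Proto Recv-Q Send-Q Local-Address Foreign-Address State); on a live
# host you would pipe `netstat -ant` in instead.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80         198.51.100.7:40001        SYN_RECV
tcp        0      0 10.0.0.5:80         198.51.100.7:40002        SYN_RECV
tcp        0      0 10.0.0.5:80         198.51.100.7:40003        SYN_RECV
tcp        0      0 10.0.0.5:80         203.0.113.9:51000         SYN_RECV
tcp6       0      0 ::ffff:10.0.0.5:80  ::ffff:203.0.113.9:51001  SYN_RECV
tcp        0      0 10.0.0.5:80         192.0.2.44:33000          ESTABLISHED
tcp        0      0 10.0.0.5:22         192.0.2.44:33001          ESTABLISHED'

# syn_recv_by_source: read netstat lines on stdin, print "<count> <ip>" for
# every remote address that has SYN_RECV entries, highest count first.
# The port is stripped with an end-anchored pattern rather than splitting
# on ":" so IPv4-mapped IPv6 peers (::ffff:a.b.c.d:port) keep their host
# part, and the ::ffff: prefix is dropped so both notations count as the
# same client.
syn_recv_by_source() {
    awk '$6 == "SYN_RECV" {
             sub(/:[0-9]+$/, "", $5)
             sub(/^::ffff:/, "", $5)
             n[$5]++
         }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# flag_syn_sources THRESHOLD: print only the addresses whose SYN_RECV count
# reaches THRESHOLD. 100 is an arbitrary default; pick it from the
# server's normal SYN_RECV counts, not from this example.
flag_syn_sources() {
    syn_threshold=${1:-100}
    syn_recv_by_source | awk -v t="$syn_threshold" '$1 >= t { print $2 }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_by_source
echo "--- sources with at least 3 half-open connections:"
printf '%s\n' "$SAMPLE_NETSTAT" | flag_syn_sources 3
```

On a live host, replace the printf with netstat -ant | syn_recv_by_source (the -p flag from the post is not needed for this). ss -Htn state syn-recv is the modern equivalent, but it prints a different column layout, so the awk field numbers would have to change.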


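And, as a second added example (again not the poster's own configuration), the firewall and sysctl side put together the way a practitioner would want it: the limit rule followed by the DROP that makes it effective, a per-source limit in front of it so that one flooding address does not starve everyone else, and the sysctls from rc.local without tcp_syn_retries. The rates, the hashlimit table name syn_per_src and the run dry-run wrapper are assumptions of this example; the iptables conntrack and hashlimit modules are assumed to be present.

```sh
#!/bin/sh
# Added example, not the original poster's rc.local: the SYN-flood rules
# with the DROP that makes the rate limit effective, a per-source limit
# so one flooding address does not throttle everyone, and the sysctls
# from the post minus tcp_syn_retries. Assumptions: iptables with the
# conntrack and hashlimit modules, INPUT policy ACCEPT, and rates chosen
# for illustration (tune them to the server's real traffic). `run` is a
# hypothetical wrapper: with DRY_RUN set it prints the command instead of
# executing it, so the rule set can be reviewed before touching a live box.

run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

syn_sysctls() {
    # Longer queue of half-open connections before cookies are needed.
    run sysctl -w net.ipv4.tcp_max_syn_backlog=2048
    # SYN cookies: when the queue is full, answer SYNs statelessly instead
    # of dropping them, so real clients still complete the handshake.
    run sysctl -w net.ipv4.tcp_syncookies=1
    # Fewer SYN+ACK retransmits: a half-open entry from a spoofed source
    # expires after roughly 15 s (3 retries) instead of roughly 63 s (5).
    run sysctl -w net.ipv4.tcp_synack_retries=3
    # tcp_syn_retries is left alone on purpose: it only affects SYNs this
    # host sends as a client, so it does nothing against inbound floods.
}

syn_flood_rules() {
    # 1. Packets of already established connections skip the SYN rules,
    #    so only new connections are counted against the limits below.
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. Per-source ceiling: more than 20 SYN/s (burst 40) from one
    #    address is dropped; other clients are not affected.
    run iptables -A INPUT -p tcp --syn -m hashlimit \
        --hashlimit-name syn_per_src --hashlimit-mode srcip \
        --hashlimit-above 20/second --hashlimit-burst 40 -j DROP
    # 3. The post's global limit, followed by the DROP it was missing:
    #    without rule 4, SYNs beyond the limit fall through to the
    #    default ACCEPT policy and the limit rule changes nothing.
    run iptables -A INPUT -p tcp --syn -m limit --limit 200/second \
        --limit-burst 400 -j ACCEPT
    run iptables -A INPUT -p tcp --syn -j DROP
}

# Stand-alone: dry run by default; pass --apply (as root) to install.
if [ "${1-}" = "--apply" ]; then
    syn_sysctls
    syn_flood_rules
else
    DRY_RUN=1
    syn_sysctls
    syn_flood_rules
fi
```

Run it as is to see the commands it would execute; run it with --apply as root to install them, then save with iptables-save as above. The ESTABLISHED,RELATED rule has to come first so that only new connections are counted against the limits, and the per-source rule has to come before the global one so that a single attacker is cut off before the global ceiling starts affecting everybody.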

Posted on 12/13/2015 10:53:04 AM
What a powerful look
Posted on 12/14/2015 3:55:43 PM