How a firewall defends against DDoS SYN Floods: principles and details



DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks are major security threats to large websites and web servers. The February 2000 attacks on Yahoo, Amazon, CNN and others have gone down in history as major security incidents.

Because of its effectiveness, the SYN Flood has become the most popular form of DoS and DDoS attack.

A TCP SYN Flood exploits a weakness in the protocol: the attacker sends a large number of forged TCP connection requests, exhausting the resources of the attacked host so that it can no longer respond to or process legitimate service requests. A normal TCP connection requires a three-way handshake: the client first sends a packet with the SYN flag set, the server replies with a SYN/ACK packet indicating that the client's request is accepted, and finally the client returns an ACK packet to confirm, which completes the TCP connection. After the server has sent its response packet, if the client never sends the confirmation, the server waits until a timeout expires; during that time the half-open connection is kept in a backlog queue whose space is limited. If a large number of SYN packets are sent to the server and never answered, the server's TCP resources are quickly exhausted, normal connections can no longer get in, and the server may even crash.

A firewall is normally used to protect an internal network from unauthorised access from external networks. It sits between the client and the server, so using the firewall to defend against DoS attacks can effectively protect internal servers. Against SYN Floods, a firewall usually protects in one of three ways: SYN Gateway, Passive SYN Gateway, and SYN Relay.

SYN Gateway: when the firewall receives the client's SYN packet, it forwards it directly to the server. When the server's SYN/ACK packet comes back, the firewall on the one hand forwards the SYN/ACK to the client, and on the other hand returns an ACK packet to the server in the client's name, completing the TCP three-way handshake so that the server-side connection moves from the half-open state to the established state. When the client's real ACK packet arrives, data is passed through to the server; otherwise the packets are discarded. Because the number of established connections a server can bear is much higher than the number of half-open connections, this method can effectively reduce the impact of the attack on the server.

Passive SYN Gateway: a timeout parameter for SYN requests is set on the firewall, much shorter than the server's own timeout. The firewall is responsible for forwarding the client's SYN packet to the server, the server's SYN/ACK packet to the client, and the client's ACK packet to the server. If the client has not sent its ACK packet by the time the firewall's timer expires, the firewall sends an RST packet to the server, so that the server deletes the half-open connection from its queue. Because the firewall's timeout is much shorter than the server's, this effectively prevents SYN Flood attacks.

SYN Relay: after receiving the client's SYN packet, the firewall does not forward it to the server; instead it records the state information and actively replies to the client with a SYN/ACK packet itself. If the client's ACK packet is then received, the visit is treated as legitimate, and the firewall sends a SYN packet to the server and completes the three-way handshake with it. The firewall thus acts as a proxy for the connection between the client and the server, and can completely filter out connection attempts that never complete, so they never reach the server.
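To make the four situations described above concrete (no firewall, SYN Gateway, Passive SYN Gateway, SYN Relay), the following simulation replays a constructed traffic trace through a model of the server's half-open queue. It is an added example written for this page, not code from the article or from any firewall product; the queue size, the timeouts, the `spoof-N` clients and the legitimate client `alice` are all constructed values chosen so the effect is visible within a dozen events.

```python
from dataclasses import dataclass, field

# Constructed parameters: deliberately small so the effect shows within a few events.
BACKLOG = 4            # server half-open (SYN_RECV) queue capacity
SERVER_TIMEOUT = 60    # seconds the server keeps a half-open entry
FIREWALL_TIMEOUT = 3   # passive SYN gateway timer, much shorter than the server's


@dataclass
class Server:
    """Model of the server's TCP state: a bounded half-open queue plus an established set."""
    backlog: int = BACKLOG
    timeout: int = SERVER_TIMEOUT
    half_open: dict = field(default_factory=dict)   # client -> time its SYN arrived
    established: set = field(default_factory=set)
    dropped: int = 0                                # SYNs refused because the queue was full

    def expire(self, now):
        # The server's own (slow) reaping of half-open entries.
        for c, t in list(self.half_open.items()):
            if now - t >= self.timeout:
                del self.half_open[c]

    def syn(self, client, now):
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return False
        self.half_open[client] = now   # SYN/ACK sent; waiting for the client's ACK
        return True

    def ack(self, client):
        if client not in self.half_open:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True

    def rst(self, client):
        self.half_open.pop(client, None)


def run(mode, events, backlog=BACKLOG):
    """Replay (time, 'syn'|'ack', client) events through a firewall in the given mode.

    mode is one of 'none', 'gateway', 'passive', 'relay'.
    """
    server = Server(backlog=backlog)
    fw_pending = {}     # firewall's own table of clients whose ACK is still awaited
    accepted = set()    # clients whose handshake completed end to end
    peak = 0
    for now, kind, client in sorted(events):
        if mode == "passive":
            # Passive gateway: once the firewall timer expires, send RST to the
            # server on the client's behalf so the half-open entry is freed.
            for c, t in list(fw_pending.items()):
                if now - t >= FIREWALL_TIMEOUT:
                    server.rst(c)
                    del fw_pending[c]
        if kind == "syn":
            if mode == "relay":
                fw_pending[client] = now           # firewall answers SYN/ACK itself; server untouched
            elif mode == "gateway":
                if server.syn(client, now):        # forward SYN, then ACK the server at once
                    server.ack(client)             # server side is established, not half-open
                    fw_pending[client] = now
            else:
                if server.syn(client, now):        # plain forwarding ('none' and 'passive')
                    fw_pending[client] = now
        else:
            if client not in fw_pending:
                continue                           # stray ACK, nothing pending for it
            del fw_pending[client]
            if mode == "relay":
                if server.syn(client, now):        # only now does the server see a handshake
                    server.ack(client)
            elif mode != "gateway":                # gateway: server side already established
                server.ack(client)
            if client in server.established:
                accepted.add(client)
        peak = max(peak, len(server.half_open))
    return {
        "accepted": accepted,
        "peak_half_open": peak,
        "dropped": server.dropped,
        "server_established": len(server.established),
        "fw_pending": len(fw_pending),
    }


def scenario():
    """Constructed traffic: twelve spoofed SYNs, one per second, never ACKed,
    followed by a legitimate client that ACKs one second after its SYN."""
    events = [(t, "syn", f"spoof-{t}") for t in range(12)]
    events += [(12, "syn", "alice"), (13, "ack", "alice")]
    return events


if __name__ == "__main__":
    for mode in ("none", "gateway", "passive", "relay"):
        print(mode, run(mode, scenario()))
```

With no firewall the four-entry backlog fills after the first four spoofed SYNs and `alice` is refused. The passive gateway keeps the server's half-open count at three because it resets each entry after three seconds, well before the server's own sixty-second timer. The SYN gateway keeps the half-open count at zero but leaves twelve bogus established connections on the server, which is exactly the trade-off the text describes. The relay keeps the server at a single, genuine connection, but the twelve unanswered handshakes now sit in the firewall's own `fw_pending` table, so a real relay must bound that table just as carefully as the server bounds its backlog.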