TCP SYN denial-of-service attacks: definition and defense strategy



In a TCP/IP network, a normal TCP connection is established as follows: the target host receives a SYN (synchronize/start) packet from the source host and returns a SYN ACK (synchronize acknowledge) packet. Before the connection is fully established, the target host must then "hear" an ACK (acknowledge) for that SYN ACK. This exchange is called the "TCP three-way handshake." See Figure 1:




Figure 1

While it waits for the ACK to its SYN ACK, the target host keeps the pending connection in a connection queue of limited size. Under normal conditions this queue empties quickly, because the ACK for the SYN ACK usually arrives within a few milliseconds.

A TCP SYN attack exploits this design: the attacking host generates TCP SYN packets with random source addresses and sends them to the victim host. The victim returns a SYN ACK to each random source address and adds an entry to its connection queue. Because the SYN ACK is addressed to a host that is wrong or does not exist, the last step of the three-way handshake never completes, and the entry stays in the connection queue until a timer expires, typically after about a minute. By generating spoofed TCP SYN packets from random IP addresses at a high rate, the attacker can fill the connection queue and deny TCP services (such as e-mail, file transfer, and Web service) to legitimate users. See Figure 2:






Figure 2

And there is no simple way to trace the attack back to its originator, because the source addresses of the attack packets are forged.

Outward signs of this problem include being unable to receive e-mail, being unable to establish WWW or FTP connections, or a host showing a large number of TCP connections in the SYN_RCVD state.
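The last symptom can be checked from the output of `netstat -ant`. The following Python script is an added example, not part of the original article: it parses a constructed (not captured) netstat sample, counts half-open connections per local port, and reports ports whose count reaches a threshold. The threshold of 100 is an assumed value to be tuned to the host's normal backlog; the 80% distinct-source ratio is likewise an assumption used to separate the random-source pattern described above from a single slow or misbehaving peer. Linux labels the state SYN_RECV, while BSD-derived stacks and Solaris use SYN_RCVD, so both are accepted.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `netstat -ant` output for this example (not captured
# from a real host): a Web server on 10.0.0.5 with several half-open
# connections from scattered, unrelated sources, plus two normal sessions.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.17:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.77:40002     SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.3:40003         SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.44:40004        SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.200:40005     SYN_RECV
tcp        0      0 10.0.0.5:25             203.0.113.17:51999      ESTABLISHED
"""

# Linux reports the half-open state as SYN_RECV; BSD-derived stacks and
# Solaris report it as SYN_RCVD, the name used in the text above.
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RCVD"}

# proto, recv-q, send-q, local addr:port, foreign addr:port, state
LINE_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)\s*$"
)


def parse_netstat(text):
    """Return a list of (local_port, remote_ip, state) for every TCP row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(2)), m.group(3), m.group(5)))
    return rows


def half_open_summary(text):
    """Per local port: (number of half-open connections, number of distinct
    remote addresses behind them)."""
    counts = Counter()
    sources = defaultdict(set)
    for port, remote_ip, state in parse_netstat(text):
        if state in HALF_OPEN_STATES:
            counts[port] += 1
            sources[port].add(remote_ip)
    return {port: (n, len(sources[port])) for port, n in counts.items()}


def syn_flood_alerts(text, threshold=100):
    """Ports whose half-open count reaches `threshold` (assumed default).
    A high count spread over almost as many distinct sources fits the
    random-source pattern of a SYN flood; a high count from one or two
    sources is more likely a slow client or a single misbehaving peer."""
    alerts = []
    for port, (n, distinct) in half_open_summary(text).items():
        if n >= threshold:
            alerts.append({"port": port, "half_open": n,
                           "distinct_sources": distinct,
                           "random_source_pattern": distinct >= 0.8 * n})
    return alerts


if __name__ == "__main__":
    # On a live system, feed in the real output of `netstat -ant` instead.
    for alert in syn_flood_alerts(SAMPLE_NETSTAT, threshold=4):
        print(alert)
```

The summary is more useful than a raw count: a queue full of entries from a handful of addresses points to a slow or broken client, whereas one full of entries from as many addresses as there are entries is the signature of the spoofed-source flood described above.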

Defending against the attack on network equipment

1. Firewall equipment

A TCP SYN attack is characterized by an influx of SYN packets from a large number of random IP addresses. For a network whose hosts do not need to accept connections from the Internet, the firewall can be configured to block incoming SYN packets; every device behind the firewall is then protected and needs no further measures. Many firewalls can do this, the Cisco PIX firewall being one example, and access lists on routers can be used the same way. Plenty of material on this is available elsewhere, so it is not covered here.

2. Hosts that provide public services

For a public Web server or mail server on the Internet, there is no way to tell which incoming source IP addresses are friendly and which are malicious, so there is no universal defense against attacks from random IP addresses.

For such hosts, a number of options are available:

Increase the size of the connection queue (the SYN ACK queue).

Reduce the timeout for completing the three-way handshake.

If possible, apply vendor software patches that detect and handle the problem.

Users should check whether their vendor has developed a patch specifically for TCP SYN ACK attacks.

Note: filtering by IP address on the server is ineffective, because the attacker can change source addresses at will, and an address that gets blocked may be the same as the IP address of a legitimate host.
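The "software patch" most operating systems eventually shipped for this problem is SYN cookies, a technique the article does not name: instead of queueing an entry when a SYN arrives, the server encodes a keyed hash of the connection 4-tuple, the client's ISN, a coarse time tick and the client's MSS into the initial sequence number of its SYN ACK. Only a client that actually received that SYN ACK can return the matching acknowledgement number, so a spoofed source never produces a valid final ACK and the server stores nothing until the handshake completes. The Python below is an added illustration of that approach, not the page's code and not any kernel's actual layout; the secret, the 64-second tick, the 5-bit tick counter, the 4-entry MSS table and the 24-bit MAC are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Assumptions for this illustration: a per-boot secret, a 64-second clock
# tick, and a 4-entry MSS table encoded in 3 bits of the ISN. The real
# layout used by Linux and other kernels differs in detail.
SECRET = os.urandom(16)
MSS_TABLE = (536, 1220, 1440, 1460)
TICK_SECONDS = 64


def _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count, mss_idx):
    """24-bit keyed hash over the 4-tuple, the client's ISN, the time tick
    and the MSS index. Without SECRET an attacker cannot forge it."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{count}|{mss_idx}"
    digest = hmac.new(SECRET, msg.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Server side on SYN: return the ISN to put in the SYN ACK. Nothing is
    added to the connection queue."""
    count = (int(now) // TICK_SECONDS) & 0x1F          # 5-bit tick counter
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):                    # largest entry <= client MSS
        if m <= mss:
            mss_idx = i
    mac = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count, mss_idx)
    return ((count << 27) | (mss_idx << 24) | mac) & 0xFFFFFFFF


def check_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack, now):
    """Server side on the final ACK: recover and verify the cookie from the
    acknowledgement number. Returns the negotiated MSS, or None if the ACK
    is forged, stale, or was never preceded by our SYN ACK."""
    cookie = (ack - 1) & 0xFFFFFFFF
    count = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    current = (int(now) // TICK_SECONDS) & 0x1F
    if (current - count) & 0x1F > 1:                     # older than ~2 ticks
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac(src_ip, src_port, dst_ip, dst_port, client_isn, count, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


def handshake(client_ip="198.51.100.9", client_port=40001,
              server_ip="10.0.0.5", server_port=80,
              client_isn=123456789, mss=1460, t0=1000.0,
              ack_delay=0.02, client_sees_synack=True):
    """Simulate the three messages of the handshake (constructed values).
    A spoofed source never sees the SYN ACK, so it can only guess the
    acknowledgement number."""
    syn = {"seq": client_isn, "mss": mss}
    server_isn = make_cookie(client_ip, client_port, server_ip, server_port,
                             syn["seq"], syn["mss"], t0)
    synack = {"seq": server_isn, "ack": syn["seq"] + 1}
    if client_sees_synack:
        ack = {"seq": synack["ack"], "ack": (synack["seq"] + 1) & 0xFFFFFFFF}
    else:
        ack = {"seq": synack["ack"], "ack": 0x12345678}  # blind guess
    # The server recovers the client's ISN from the ACK's sequence number.
    return check_cookie(client_ip, client_port, server_ip, server_port,
                        ack["seq"] - 1, ack["ack"], t0 + ack_delay)
```

The price of statelessness is that only the MSS survives the round trip: window scaling, SACK and other options carried in the original SYN are lost unless the kernel can stash them elsewhere (Linux uses the TCP timestamp option for this), which is why kernels usually switch cookies on only once the real backlog overflows rather than for every connection.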

So how do you keep your own network from unknowingly becoming a "den" from which such attacks are launched?

Since the main mechanism of this denial-of-service attack is traffic generated from random IP addresses, we can propose filtering the traffic that goes out to the Internet. The basic idea is to discard packets with illegitimate source IP addresses before they reach the Internet. This will not protect the local network from denial-of-service attacks, but it keeps attacks sourced from your network from reaching the outside world, and it makes your network much less useful as a base for such attacks.

1. Preventing transmission of illegitimate IP addresses

With packet filtering on the router that connects to the Internet, users can ensure that only packets with legitimate source addresses are allowed to leave the local network for the Internet.

For example, if the user's local network is 172.16.0.0 and the user's router connects to the ISP over the serial 0/1 interface, the user can apply an access list like this:

access-list 111 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 deny ip any any log
interface serial 0/1
ip access-group 111 out

Note: the last line of the access list denies any remaining traffic, that is, anything with an illegitimate source address, and logs it. The log keyword is not essential (an IOS access list already ends with an implicit deny), but the log entries can help locate the source of an attack.

2. Preventing reception of illegitimate IP addresses

On the ISP side, for networks that provide service to customers, we strongly recommend verifying the packets that arrive from each customer. This can be done with inbound packet filtering on the border router. For example, if a customer connects to your router over the known serial 1/0 interface, you can create the following access list:

Suppose the customer's networks are 192.168.0.0 through 192.168.15.0 and 172.18.0.0:

access-list 111 permit ip 192.168.0.0 0.0.15.255 any
access-list 111 permit ip 172.18.0.0 0.0.255.255 any
access-list 111 deny ip any any log
interface serial 1/0
ip access-group 111 in

Note: as in the previous list, the last line denies traffic from any other source address and logs it. The log keyword is not essential, but the log entries may help locate the source of an attack.
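Both access lists above rely on Cisco wildcard masks, which are the inverse of subnet masks (a 0 bit must match, a 1 bit is "don't care"), and on first-match evaluation with an implicit deny at the end. The Python below is an added example, not the page's code and not IOS: it parses the two lists exactly as written, evaluates constructed outbound and inbound packets against them, and shows which spoofed sources would be dropped and logged. The sample addresses are made up for the example; `filter_packets` and the other function names are this example's own.

```python
import ipaddress

# The two access lists from the text, used as input to the evaluator.
EGRESS_ACL_TEXT = """
access-list 111 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 deny ip any any log
"""

INGRESS_ACL_TEXT = """
access-list 111 permit ip 192.168.0.0 0.0.15.255 any
access-list 111 permit ip 172.18.0.0 0.0.255.255 any
access-list 111 deny ip any any log
"""


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is
    'don't care' (the inverse of a subnet mask, so 0.0.15.255 covers a /20)."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(network) & care)


def _take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse extended 'access-list N permit|deny ip SRC DST [log]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        src, rest = _take_address(tokens[4:])
        dst, rest = _take_address(rest)
        entries.append({"action": tokens[2], "src": src, "dst": dst,
                        "log": "log" in rest})
    return entries


def evaluate(acl, src_ip, dst_ip):
    """First matching entry wins. An IOS access list ends with an implicit
    deny, which is why the explicit 'deny ip any any log' only adds logging."""
    for entry in acl:
        if (wildcard_match(src_ip, *entry["src"])
                and wildcard_match(dst_ip, *entry["dst"])):
            return entry["action"], entry["log"]
    return "deny", False


def filter_packets(acl, packets):
    """Apply the ACL to (src, dst) pairs. Returns the permitted pairs and the
    dropped pairs that would produce a log entry."""
    permitted, logged = [], []
    for src, dst in packets:
        action, log = evaluate(acl, src, dst)
        if action == "permit":
            permitted.append((src, dst))
        elif log:
            logged.append((src, dst))
    return permitted, logged


EGRESS_ACL = parse_acl(EGRESS_ACL_TEXT)
INGRESS_ACL = parse_acl(INGRESS_ACL_TEXT)

# Constructed outbound traffic from the 172.16.0.0 site: one legitimate
# packet and two SYNs whose random source addresses do not belong to the site.
OUTBOUND = [("172.16.4.20", "203.0.113.10"),
            ("10.77.1.1", "203.0.113.10"),
            ("198.51.100.200", "203.0.113.10")]

if __name__ == "__main__":
    allowed, dropped_and_logged = filter_packets(EGRESS_ACL, OUTBOUND)
    print("permitted:", allowed)
    print("dropped and logged:", dropped_and_logged)
```

Note what the ingress list does and does not do: 192.168.16.1 is denied because the wildcard 0.0.15.255 only reaches 192.168.15.255, while a packet spoofed from another address inside the customer's own ranges still passes, which is exactly why the article says these filters reduce rather than eliminate the problem.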

Of course, these measures are no panacea, but they do help reduce attacks.