
What is the principle and defense method of TCP SYN Flood attack?

2月21日 17:09

TCP SYN Flood Attack and Defense Explained

SYN Flood is a common DDoS attack that abuses the TCP three-way handshake: a server allocates state for every SYN it receives, before the client has shown it can complete the handshake, so an attacker can exhaust that state with cheap, unanswered SYNs and make the service unavailable.

SYN Flood Attack Principle

Attack Process

  1. Send a Large Number of SYN Packets: The attacker sends a large number of TCP SYN segments to the server, far more than real clients would.
  2. Forge the Source IP: The SYNs carry forged or random source addresses, usually unroutable or unused ones, so nothing will answer on their behalf.
  3. Server Response: For every SYN the server allocates a half-open entry, replies with SYN+ACK, and enters the SYN_RCVD state.
  4. Wait for ACK: The server waits for the third handshake segment (ACK) and retransmits SYN+ACK several times, but because the source address is forged the ACK never arrives. (If a spoofed address belongs to a live host, that host answers the unexpected SYN+ACK with RST, which is why attackers prefer dead addresses.)
  5. Resource Exhaustion: Half-open entries pile up in SYN_RCVD until the server's queue is full and SYNs from real clients are dropped.

Attack Harm

  • Connection Queue Full: The server's half-connection queue (SYN queue) fills up, and further SYNs are silently dropped
  • Unable to Establish New Connections: SYNs from legitimate clients are dropped along with the attack traffic, so new connections cannot be established
  • Memory Exhaustion: Each half-connection occupies memory; a large number of half-connections (on systems without a fixed queue limit) can exhaust it
  • High CPU Usage: Processing the incoming SYNs and retransmitting SYN+ACK for every half-open entry consumes CPU and outbound bandwidth

Defense Measures

1. SYN Cookies

  • Principle: Do not store half-connection state at all; instead encode the connection's identity in the initial sequence number of the SYN+ACK (the "cookie"), which a genuine client echoes back as ack = cookie + 1 in its ACK
  • Advantage: Occupies no queue resources; a flood of SYNs costs the server only one keyed-hash computation per packet, so the queue can never be filled
  • Implementation: The server computes the cookie as a keyed hash over source IP, source port, destination IP and destination port, combined with a coarse timestamp and an encoded MSS, using a secret only the server knows
  • Verification: When the ACK arrives, the server recomputes the hash from the four-tuple in the ACK and checks it against ack - 1; only if it matches (and the timestamp is recent) is a connection allocated
  • Caveat: Only 32 bits are available, so TCP options carried in the SYN (window scaling, SACK) are lost unless TCP timestamps are enabled to carry them, and connection setup is slightly slower. On Linux, net.ipv4.tcp_syncookies=1 uses cookies only once the SYN queue overflows (=2 uses them for every SYN); a rising TcpExtSyncookiesSent counter in nstat output is a sign the queue is overflowing
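The cookie construction and check described above, as an added example that is not code from the original page or from the Linux kernel. The 32-bit cookie layout (a keyed hash of the four-tuple, plus the client's ISN, plus a coarse clock in the top 8 bits and an MSS index in the low 24 bits) follows the structure of net/ipv4/syncookies.c, but the keyed hash here is HMAC-SHA256 truncated to 32 bits in place of the kernel's SipHash, the secret and the clock tick are assumptions of the example, and the addresses and ISN are constructed sample data.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct

# Layout modelled on the Linux implementation (net/ipv4/syncookies.c):
# cookie = H0(4-tuple) + client_isn + (count << 24) + ((H1(4-tuple, count) + mss_idx) & 0xFFFFFF)
COOKIEBITS = 24
COOKIEMASK = (1 << COOKIEBITS) - 1
U32 = 0xFFFFFFFF
MAX_SYNCOOKIE_AGE = 2                 # clock ticks; older cookies are rejected
MSS_TABLE = (536, 1300, 1440, 1460)   # Linux msstab: the only MSS values a cookie can carry


class SynCookieServer:
    """Stateless listener: nothing is stored between the SYN and the final ACK."""

    def __init__(self, secret=None):
        # Assumption: a random per-process secret stands in for the kernel's per-boot key.
        self.secret = secret or secrets.token_bytes(32)
        self.count = 0  # coarse clock; Linux advances it once every 64 seconds

    def tick(self):
        """Advance the coarse clock (the demo calls this to age cookies)."""
        self.count = (self.count + 1) & U32

    def _hash(self, saddr, daddr, sport, dport, count, c):
        # Assumption: HMAC-SHA256 truncated to 32 bits replaces the kernel's SipHash cookie_hash().
        msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, count, c)
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def syn_received(self, saddr, daddr, sport, dport, client_isn, client_mss):
        """Return the ISN for our SYN+ACK. No queue entry is allocated."""
        # Largest table MSS not exceeding what the client advertised (index 0 if below 536).
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
        count = self.count
        return (self._hash(saddr, daddr, sport, dport, 0, 0)
                + client_isn
                + (count << COOKIEBITS)
                + ((self._hash(saddr, daddr, sport, dport, count, 1) + mss_idx) & COOKIEMASK)) & U32

    def ack_received(self, saddr, daddr, sport, dport, seq, ack):
        """Validate the handshake's final ACK.

        Returns the MSS recovered from the cookie when the ACK is genuine, or None.
        Only at this point would a real connection structure be allocated.
        """
        client_isn = (seq - 1) & U32        # the ACK carries seq = client_isn + 1 ...
        cookie = (ack - 1) & U32            # ... and ack = our ISN + 1
        cookie = (cookie - self._hash(saddr, daddr, sport, dport, 0, 0) - client_isn) & U32
        # The top 8 bits hold the low byte of the clock at issue time.
        diff = (self.count - (cookie >> COOKIEBITS)) & (U32 >> COOKIEBITS)
        if diff >= MAX_SYNCOOKIE_AGE:
            return None                      # expired, or an ACK we never solicited
        issued = (self.count - diff) & U32
        mss_idx = (cookie - self._hash(saddr, daddr, sport, dport, issued, 1)) & COOKIEMASK
        if mss_idx >= len(MSS_TABLE):
            return None                      # keyed-hash mismatch: forged or corrupted
        return MSS_TABLE[mss_idx]


def demo():
    """A genuine handshake, a forged ACK, and an ACK that arrives too late (constructed data)."""
    srv = SynCookieServer(secret=b"demo-secret, not for production")
    client = ipaddress.IPv4Address("203.0.113.7").packed     # documentation prefixes
    server = ipaddress.IPv4Address("198.51.100.2").packed
    sport, dport, client_isn = 40000, 443, 0x1A2B3C4D

    isn = srv.syn_received(client, server, sport, dport, client_isn, 1460)
    # A real client echoes isn + 1; the server recovers MSS 1460 without having kept state.
    genuine = srv.ack_received(client, server, sport, dport, client_isn + 1, (isn + 1) & U32)
    # A spoofed-source attacker never saw the SYN+ACK, so any ack it guesses is wrong; one bit of
    # the clock field is flipped here so the rejection is shown deterministically.
    forged = srv.ack_received(client, server, sport, dport, client_isn + 1, ((isn + 1) ^ (1 << 28)) & U32)
    # The same genuine ACK after the clock has moved MAX_SYNCOOKIE_AGE ticks is rejected.
    for _ in range(MAX_SYNCOOKIE_AGE):
        srv.tick()
    stale = srv.ack_received(client, server, sport, dport, client_isn + 1, (isn + 1) & U32)
    return genuine, forged, stale


if __name__ == "__main__":
    print(demo())  # (1460, None, None)
```

The point of the exercise is that `SynCookieServer` holds no per-connection table: the only state is the secret and the clock, so a flood of SYNs leaves nothing behind to exhaust. The MSS table also shows the cost: only four MSS values survive the round trip, and any other option from the SYN is lost.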

2. Increase Half-Connection Queue Size

  • Parameter: net.ipv4.tcp_max_syn_backlog
  • Purpose: Increase the capacity of the half-connection queue so more SYNs can be outstanding before legitimate ones are dropped
  • Caveat: On Linux the effective SYN queue size is also bounded by the application's listen() backlog and net.core.somaxconn, so raising tcp_max_syn_backlog alone may change nothing
  • Limitation: Cannot fundamentally solve the problem; a faster attacker fills a larger queue, it only delays resource exhaustion

3. Shorten Timeout

  • Parameter: net.ipv4.tcp_synack_retries, the number of times the server retransmits SYN+ACK before discarding a half-open entry (default 5, about 63 seconds with exponential backoff; 2 gives about 7 seconds). net.ipv4.tcp_syn_retries, often listed alongside it, governs retransmission of this host's own outgoing SYNs and does nothing for incoming half-open connections
  • Purpose: Reduce the lifetime of half-connections so their slots are released quickly
  • Trade-off: Clients on high-latency or lossy paths whose ACK is delayed beyond the shortened window will fail to connect
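A small model of the attack process (steps 1 to 5 above) and of defenses 2 and 3, as an added example that is not code from the original page. It simulates a listener without SYN cookies whose half-open entries expire after the SYN+ACK retransmissions give up, drives it with spoofed SYNs that never get an ACK plus one legitimate client per second, and counts how many legitimate handshakes are lost. The timing model (1 s initial RTO doubling on each retransmission, so an entry lives 2^(retries+1) - 1 seconds), the per-second ticks and the attack rates are assumptions of the example; the addresses are constructed.

```python
from dataclasses import dataclass

# Assumed timing model: SYN+ACK is first retransmitted after 1 s and the interval doubles
# each time, so a half-open entry lives rto * (2^(synack_retries+1) - 1) seconds
# (about 63 s for the Linux default of 5 retries, about 7 s for 2).
INITIAL_RTO = 1.0


def half_open_lifetime(synack_retries, rto=INITIAL_RTO):
    return rto * (2 ** (synack_retries + 1) - 1)


@dataclass
class HalfOpen:
    created: float


class SynQueueServer:
    """Listener without SYN cookies: every SYN costs one slot until ACK or timeout."""

    def __init__(self, max_syn_backlog=128, synack_retries=5):
        self.max_syn_backlog = max_syn_backlog
        self.lifetime = half_open_lifetime(synack_retries)
        self.queue = {}              # (src_ip, src_port) -> HalfOpen: the SYN queue
        self.established = 0         # legitimate handshakes completed
        self.legit_dropped = 0       # legitimate SYNs dropped because the queue was full

    def _expire(self, now):
        # Entries whose last SYN+ACK retransmission timed out are discarded.
        stale = [k for k, h in self.queue.items() if now - h.created >= self.lifetime]
        for k in stale:
            del self.queue[k]

    def on_syn(self, now, src, legitimate):
        self._expire(now)
        if len(self.queue) >= self.max_syn_backlog:
            if legitimate:
                self.legit_dropped += 1
            return False             # queue full: the SYN is silently dropped
        self.queue[src] = HalfOpen(now)
        return True                  # SYN+ACK sent; the slot is held until ACK or timeout

    def on_ack(self, now, src):
        if src not in self.queue:
            return False             # no half-open entry (dropped or expired)
        del self.queue[src]          # third handshake segment: entry moves to the accept queue
        self.established += 1
        return True


def simulate(max_syn_backlog, synack_retries, attack_rate, seconds=60):
    """attack_rate spoofed SYNs per second that never ACK, plus one legitimate connect per second.

    Returns (legitimate connections established, legitimate SYNs dropped, half-open entries left).
    """
    srv = SynQueueServer(max_syn_backlog, synack_retries)
    spoofed = 0
    for t in range(seconds):
        for _ in range(attack_rate):
            spoofed += 1
            # Constructed, unique spoofed sources; the 10/8 addresses are illustrative only.
            src = ("10.%d.%d.%d" % ((spoofed >> 16) & 255, (spoofed >> 8) & 255, spoofed & 255), 1024)
            srv.on_syn(t, src, False)
        legit = ("203.0.113.7", 40000 + t)
        if srv.on_syn(t, legit, True):
            srv.on_ack(t, legit)     # a real client answers the SYN+ACK within the same second
    return srv.established, srv.legit_dropped, len(srv.queue)


if __name__ == "__main__":
    print("default backlog, 5 retries:", simulate(128, 5, 10))          # (12, 48, 128)
    print("bigger backlog, same attacker:", simulate(8192, 5, 10))      # (60, 0, 600)
    print("bigger backlog, faster attacker:", simulate(8192, 5, 1000))  # (8, 52, 8192)
    print("default backlog, 2 retries:", simulate(128, 2, 10))          # (60, 0, 70)
```

Ten spoofed SYNs per second against the default-sized queue lock out real clients after about 12 seconds. Raising the backlog to 8192 absorbs that attacker completely, but an attacker sending 1000 SYNs per second fills the larger queue in about 8 seconds, which is the "only delays exhaustion" limitation of defense 2. Cutting synack_retries to 2 keeps the steady-state occupancy at attack_rate times 7 seconds, so the slow attacker never fills the queue; a faster one still would, which is why SYN cookies remain the primary defense.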

4. Limit SYN Sending Frequency

  • Principle: Limit the rate of SYN packets accepted from a single source IP address
  • Implementation: Use iptables (the hashlimit match keyed on source IP), nftables, or a firewall with equivalent per-source limits
  • Effect: Reduces attack traffic from a limited set of real addresses, but may wrongly throttle users behind a shared NAT address, and does nothing against a flood whose source addresses are randomly forged, since each forged address is seen only once

5. Reset Suspicious SYNs and Require a Retry

  • Principle: Answer a suspicious first SYN with RST (or simply drop it) instead of allocating state, and require the client to initiate the connection again; a genuine client retries, while a flood of forged sources never does
  • Effect: Filters out attack traffic with forged IPs at the cost of one extra round trip for the first connection from each source
  • Caveat: Dropping the first SYN relies on the client's TCP stack retransmitting it (typically after about one second), whereas sending RST makes the client's connect() fail immediately and depends on the application retrying, so the drop variant is the one more commonly deployed

Configuration Example

Linux System Configuration

bash
# Enable SYN cookies (1 = only once the SYN queue overflows; 2 = for every SYN)
sysctl -w net.ipv4.tcp_syncookies=1
# Increase the half-connection queue size; the effective size is also capped by
# the application's listen() backlog and net.core.somaxconn, so raise that too
sysctl -w net.ipv4.tcp_max_syn_backlog=8192
sysctl -w net.core.somaxconn=8192
# Shorten the half-open lifetime: 2 SYN+ACK retransmissions (~7 s) instead of 5 (~63 s).
# net.ipv4.tcp_syn_retries only affects this host's outgoing SYNs, so it is not set here.
sysctl -w net.ipv4.tcp_synack_retries=2
# Limit the SYN rate per source IP. A plain "-m limit --limit 1/s" rule is a global
# limit that would throttle all clients together; hashlimit keys the limit on srcip.
iptables -A INPUT -p tcp --syn -m hashlimit --hashlimit-mode srcip \
    --hashlimit-above 20/s --hashlimit-burst 50 --hashlimit-name synflood -j DROP
# sysctl -w is not persistent; put the same keys in /etc/sysctl.d/*.conf to survive reboot
  • What is the implementation principle of SYN Cookies?
  • How to detect SYN Flood attacks?
  • Besides SYN Flood, what other TCP-related attack methods are there?
Tags: TCP