syn_cookies

最後更新: 2015-09-14

介紹

SYN cookie is a technique used to resist SYN flood attacks.

* compiled into the RHEL kernel, and enabled by default

目錄

 


tcp_syncookies Setting

 

SYN cookies are a method by which TCP connections can continue to be established when a socket's listen backlog fills up

(faces a temporary SYN flood, or when the application does not accept new connections fast enough or at all)

Checking "Enable"

sysctl -n net.ipv4.tcp_syncookies

OR

cat /proc/sys/net/ipv4/tcp_syncookies

Checking under attack

netstat -nt | grep SYN_RECV

原理:

不分配一個專門的數據區

1. C -- "SYN" --> S
2. C <-- "SYN+ACK" -- S (不分配一個專門的數據區)
3. C -- "ACK" --> S (根據那個cookie值檢查這個TCP ACK包的合法性)

 

syncookies 原理: Sequence numbers

A SYN cookie is created by crafting a special SYN+ACK where the TCP Sequence Number is S.

T: be a slowly incrementing timestamp

M: be the maximum segment size (MSS)

let S be the result of a cryptographic hash function computed over

the server IP address and port number,

the client IP address and port number, and the value T and M

The server then performs the following operations:

Checks the value t against the current time to see if the connection has expired.

Recomputes s to determine whether this is, indeed, a valid SYN cookie.

Decodes the value m from the 3-bit encoding in the SYN cookie, which it then can use to reconstruct the SYN queue entry.

"SYN" 隊列的長度

# Maximum number of remembered connection requests,

# which did not yet receive an acknowledgment from connecting client.

sysctl -n net.ipv4.tcp_max_syn_backlog

512

當被攻擊時

當 cookies 發揮功能時, 會見到 log

possible SYN flooding on port 443. Sending cookies.

Note, that syncookies is fallback facility.

It MUST NOT be used to help highly loaded servers to stand against legal connection rate.

they occur because of overload with legal connections,

you should tune another parameters until this warning disappear.

See:

tcp_max_syn_backlog

tcp_synack_retries

net.ipv4.tcp_syn_retries:

Changing this cannot have any effect on inbound connections (it only affects outbound connections)

 


Backlog

 

When an application chooses to listen, it must provide a backlog value,

which determines how many un-accepted connections can sit waiting for the application to accept them.

(The maximum length of the queue of pending connections)

 

It is desirable to increase this when under a TCP SYN flood attack.

A connection in the socket backlog will still perform a TCP handshake.

(sending SYN+ACK when a SYN comes in)

 

/etc/sysctl.conf

net.core.somaxconn = 10240
net.core.netdev_max_backlog = 10240
net.ipv4.tcp_max_syn_backlog = 10240
net.ipv4.tcp_max_tw_buckets = 800000

Apache

# Default: 511
ListenBacklog 10240

 * listen() syscall which has a backlog argument.

   This function also seems to put an upper limit on the backlog size. (在 Apache 上是 Listen Backlog)

Nginx

server {
    listen 80 backlog=10240;
    listen 443 ssl backlog=10240;
}

 

Creative Commons license icon Creative Commons license icon