![首頁 Logo Keith ]p !!](/themes/mytheme/logo.png){kind=logo}
最後更新: 2015-09-14
介紹
SYN cookie is a technique used to resist SYN flood attacks.
* compiled into the RHEL kernel, and enabled by default
目錄
tcp_syncookies Setting
SYN cookies are a method by which TCP connections can continue to be established when a socket's listen backlog fills up
(faces a temporary SYN flood, or when the application does not accept new connections fast enough or at all)
Checking "Enable"
sysctl -n net.ipv4.tcp_syncookies
OR
cat /proc/sys/net/ipv4/tcp_syncookies
Checking under attack
netstat -nt | grep SYN_RECV
原理:
不分配一個專門的數據區
1. C -- "SYN" --> S
2. C <-- "SYN+ACK" -- S (不分配一個專門的數據區)
3. C -- "ACK" --> S (根據那個cookie值檢查這個TCP ACK包的合法性)
syncookies 原理: Sequence numbers
A SYN cookie is created by crafting a special SYN+ACK where the TCP Sequence Number is S.
T: be a slowly incrementing timestamp
M: be the maximum segment size (MSS)
let S be the result of a cryptographic hash function computed over
the server IP address and port number,
the client IP address and port number, and the value T and M
The server then performs the following operations:
Checks the value t against the current time to see if the connection has expired.
Recomputes s to determine whether this is, indeed, a valid SYN cookie.
Decodes the value m from the 3-bit encoding in the SYN cookie, which it then can use to reconstruct the SYN queue entry.
"SYN" 隊列的長度
# Maximum number of remembered connection requests,
# which did not yet receive an acknowledgment from connecting client.
sysctl -n net.ipv4.tcp_max_syn_backlog
512
當被攻擊時
當 cookies 發揮功能時, 會見到 log
possible SYN flooding on port 443. Sending cookies.
Note, that syncookies is fallback facility.
It MUST NOT be used to help highly loaded servers to stand against legal connection rate.
they occur because of overload with legal connections,
you should tune another parameters until this warning disappear.
See:
tcp_max_syn_backlog
tcp_synack_retries
net.ipv4.tcp_syn_retries:
Changing this cannot have any effect on inbound connections (it only affects outbound connections)
Backlog
When an application chooses to listen, it must provide a backlog value,
which determines how many un-accepted connections can sit waiting for the application to accept them.
(The maximum length of the queue of pending connections)
It is desirable to increase this when under a TCP SYN flood attack.
A connection in the socket backlog will still perform a TCP handshake.
(sending SYN+ACK when a SYN comes in)
/etc/sysctl.conf
net.core.somaxconn = 10240 net.core.netdev_max_backlog = 10240 net.ipv4.tcp_max_syn_backlog = 10240 net.ipv4.tcp_max_tw_buckets = 800000
Apache
# Default: 511 ListenBacklog 10240
* listen() syscall which has a backlog argument.
This function also seems to put an upper limit on the backlog size. (在 Apache 上是 Listen Backlog)
Nginx
server {
listen 80 backlog=10240;
listen 443 ssl backlog=10240;
}
