What is a SYN Flood attack? How to protect?
2022-06-29 21:20:00 【Gegwu MMQ!!】
A SYN flood (half-open connection attack) is a form of denial-of-service (DDoS) attack that aims to exhaust the available resources of a server so that it can no longer serve legitimate traffic. By repeatedly sending initial connection request (SYN) packets, an attacker can overwhelm all available ports on the target server, so that the target responds slowly, or not at all, to legitimate traffic.
How does a SYN flood attack work?
A SYN flood attack exploits the handshake process of a TCP connection. Under normal circumstances, a TCP connection is established with a three-way handshake:
1. First, the client sends a SYN packet to the server to initiate a connection.
2. Next, the server responds to that initial packet with a SYN/ACK packet to acknowledge the communication.
3. Finally, the client returns an ACK packet to acknowledge receipt of the packet from the server. After this sequence of packets has been sent and received, the TCP connection is open and able to send and receive data.
TCP Three way handshake diagram
To launch a denial of service, an attacker exploits the fact that after receiving the initial SYN packet, the server replies with one or more SYN/ACK packets and then waits for the final step of the handshake. It works as follows:
1. The attacker sends a large number of SYN packets to the target server, often with spoofed IP addresses.
2. The server then responds to each connection request and leaves a port open, ready to receive the reply.
3. While the server waits for the final ACK packet, which never arrives, the attacker keeps sending more SYN packets. Each new SYN packet causes the server to open a new port and hold the connection open for a certain period of time; once all available ports have been used, the server can no longer function properly.
SYN Flood DDoS attack
In networking, a connection is considered half-open when the connection on the server side is open but the machine on the other end has not completed it. In this kind of DDoS attack, the target server keeps such connections open and waits for each of them to time out before the port becomes available again. This is why such attacks are also called "half-open connection attacks".
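The exchange described above leaves a visible trace on the server side: many flows reach the SYN/ACK step and never get their final ACK. The following Python is an added monitoring example, not code from the original article; it parses a constructed, simplified packet log (not real tcpdump output) and counts how many handshakes to the monitored server stalled in the half-open state. The log format, the thresholds and the addresses (documentation ranges) are all assumptions made for the illustration.

```python
import re

# Constructed sample log in a simplified "<time> <src> > <dst> <flags>" form.
# Flags: S = SYN, SA = SYN/ACK, A = ACK.  192.0.2.10:443 is the monitored server.
# Two clients (203.0.113.x) complete the handshake; six sources (198.51.100.x)
# never answer the SYN/ACK, which is the pattern a SYN flood produces.
SAMPLE_LOG = """\
0.000 203.0.113.5:40001 > 192.0.2.10:443 S
0.001 192.0.2.10:443 > 203.0.113.5:40001 SA
0.040 203.0.113.5:40001 > 192.0.2.10:443 A
0.100 198.51.100.1:1025 > 192.0.2.10:443 S
0.101 192.0.2.10:443 > 198.51.100.1:1025 SA
0.102 198.51.100.2:1025 > 192.0.2.10:443 S
0.103 192.0.2.10:443 > 198.51.100.2:1025 SA
0.104 198.51.100.3:1025 > 192.0.2.10:443 S
0.105 192.0.2.10:443 > 198.51.100.3:1025 SA
0.106 198.51.100.4:1025 > 192.0.2.10:443 S
0.107 192.0.2.10:443 > 198.51.100.4:1025 SA
0.108 198.51.100.5:1025 > 192.0.2.10:443 S
0.109 192.0.2.10:443 > 198.51.100.5:1025 SA
0.110 198.51.100.6:1025 > 192.0.2.10:443 S
0.111 192.0.2.10:443 > 198.51.100.6:1025 SA
0.200 203.0.113.9:40002 > 192.0.2.10:443 S
0.201 192.0.2.10:443 > 203.0.113.9:40002 SA
0.240 203.0.113.9:40002 > 192.0.2.10:443 A
"""

LINE_RE = re.compile(r"^(?P<t>[\d.]+) (?P<src>\S+) > (?P<dst>\S+) (?P<flags>SA|S|A)$")


def parse(log):
    """Yield (time, src, dst, flags) tuples; lines that do not match are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m["t"]), m["src"], m["dst"], m["flags"]


def handshake_states(log, server):
    """Return {client: state} for every client that sent a SYN to `server`.
    States follow the three-way handshake: 'syn' (no SYN/ACK seen yet),
    'half_open' (SYN/ACK sent, final ACK missing) and 'established'."""
    states = {}
    for _, src, dst, flags in parse(log):
        if flags == "S" and dst == server:
            states.setdefault(src, "syn")
        elif flags == "SA" and src == server and states.get(dst) == "syn":
            states[dst] = "half_open"
        elif flags == "A" and dst == server and states.get(src) == "half_open":
            states[src] = "established"
    return states


def syn_flood_indicator(log, server, max_half_open=5, max_ratio=0.5):
    """Summarise handshake outcomes and raise an alert when half-open flows
    both exceed an absolute count and dominate the handshakes seen.
    Thresholds are constructed for the demo; tune them per service."""
    states = handshake_states(log, server)
    half_open = sum(1 for s in states.values() if s == "half_open")
    established = sum(1 for s in states.values() if s == "established")
    total = len(states)
    ratio = half_open / total if total else 0.0
    return {
        "half_open": half_open,
        "established": established,
        "ratio": ratio,
        "alert": half_open >= max_half_open and ratio > max_ratio,
    }


if __name__ == "__main__":
    print(syn_flood_indicator(SAMPLE_LOG, "192.0.2.10:443"))
```

The ratio matters as much as the absolute count: a busy server always has a few half-open flows in flight, but a large share of handshakes that stall after the SYN/ACK, spread over many distinct sources, is the signature of spoofed SYNs rather than slow clients.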
A malicious user can launch a SYN flood attack in three different ways:
1. Direct attack: A SYN flood in which the IP address is not spoofed is called a direct attack. In this attack, the attacker does not hide his IP address at all. Because the attacker uses a single source device with a real IP address to launch the attack, the attacker is easy to identify and clean up. To keep the target machine's connections half-open, the attacker prevents their own machine from responding to the server's SYN-ACK packets. This is usually done in one of two ways: deploying firewall rules that stop all outgoing packets other than SYN packets, or filtering all incoming SYN-ACK packets so that they never reach the malicious user's machine. In practice this method is rarely used (if at all), because such an attack is fairly easy to mitigate: simply block the IP address of each malicious system. Even if an attacker uses a botnet such as the Mirai botnet, they usually do not bother to hide the IPs of the infected devices.
2. Spoofed attack: A malicious user can also spoof the IP address of each SYN packet they send, in order to hinder mitigation and make it harder to expose their identity. Although the packets may be disguised, they can still be traced back to their source. This kind of investigation is difficult but not impossible, especially if the Internet service provider (ISP) is willing to help.
3. Distributed attack (DDoS): If a botnet is used to launch the attack, the chance of tracing the attack back to its source is very low. For additional obfuscation, the attacker may also have each distributed device spoof the IP addresses of the packets it sends.
By using a SYN flood attack, a malicious user can attempt to create a denial of service on a target device or service with far less traffic than other DDoS attacks require. A SYN attack is not a volumetric attack: its goal is not to saturate the network infrastructure around the target, but only to create more half-open connections than the target operating system's backlog can hold. If the attacker can determine the size of the backlog and how long each connection is kept open before it times out, they can work out the exact parameters needed to disable the system, which minimizes the total traffic required to create the denial of service.
How can SYN flood attacks be mitigated?
SYN flood vulnerabilities have been known for a long time, and many mitigation methods have been developed. Some of these include:
Expanding the backlog queue
Each operating system installed on a target device allows a certain number of half-open connections. One way to respond to a large number of SYN packets is to increase the maximum number of half-open connections the operating system allows. To expand the maximum backlog successfully, the system must reserve additional memory resources to handle the new requests. If the system does not have enough memory to cope with the increased backlog queue size, system performance will suffer, but that is still better than a denial of service.
Recycling the oldest half-open TCP connection
Another mitigation strategy is to overwrite the oldest half-open connection once the backlog is full. This strategy requires that a legitimate connection can be fully established in less time than it takes for malicious SYN packets to fill the backlog. This particular defense fails when the attack volume increases or when the backlog is smaller than what is actually needed.
SYN cookies
This strategy requires the server to create a cookie. To avoid dropping connections once the backlog fills up, the server responds to each connection request with a SYN-ACK packet and then drops the SYN request from the backlog, removing the request from memory and leaving the port open and ready to accept a new connection. If the connection is a legitimate request and the final ACK packet is sent from the client machine back to the server, the server then reconstructs (with some limitations) the SYN backlog queue entry. Although this mitigation inevitably loses some TCP connection information, that is better than allowing a denial of service against legitimate users.
How does our CDN mitigate SYN flood attacks?
Using our CDN to protect against SYN attacks mitigates them by isolating the target server from the SYN flood. When the initial SYN request arrives, the handshake is completed on the CDN, and no connection to the target server is established until the TCP handshake is complete. With this strategy the target server no longer has to spend resources on connections from spoofed SYN packets.