1. The SYN flood attack

A SYN flood (half-open attack) is a denial-of-service (DoS/DDoS) attack. It consumes all of the server's available resources so that the server can no longer serve legitimate traffic. By repeatedly sending initial connection request (SYN) packets, an attacker can overwhelm all available ports on the target server, so that the target simply stops responding to legitimate traffic.

For example, an attacker forges a large number of spoofed source IP addresses and repeatedly sends SYN packets to our server. The server replies SYN+ACK to those spoofed addresses, which never answer, leaving a large number of connections in the SYN_RCVD state. The half-open connection queue overflows, and the server can no longer respond to legitimate requests.

2. How to cope with SYN flood attacks

2.1 Increasing the number of half-open SYN connections allowed: tcp_max_syn_backlog

This only delays the point at which the half-open connection queue fills up; it does not stop the attack.

2.2 Reducing the number of SYN+ACK retries: tcp_synack_retries

The number of retries is controlled by /proc/sys/net/ipv4/tcp_synack_retries; the default is 5. Under attack, set this to a smaller value to reduce the number of SYN+ACK retransmissions and release half-open connections sooner.

2.3 The tcp_syncookies mechanism

SYN cookies defend against SYN flood attacks by modifying the three-way handshake on the TCP server side. Here is how it works:

  1. When the TCP server receives a SYN packet and returns a SYN+ACK packet, it does not allocate a dedicated data area (a half-open connection entry); instead it computes a cookie value from the SYN packet.
  2. This cookie is used as the initial sequence number of the SYN+ACK packet that is returned.
  3. When the client returns an ACK packet, the server recomputes the cookie from the packet header information and compares it with the acknowledgement number the client returned (which should equal the initial sequence number + 1). If they match, the connection is legitimate: only then are resources allocated and the connection established.
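The three steps above as a runnable simulation, added here as an illustrative example and not taken from this page or from the Linux kernel: the cookie scheme (HMAC over the 4-tuple, the client ISN and a coarse time counter, with the counter's low 8 bits embedded) is a simplified one of my own design, not the kernel's formula, and all addresses, ports and sequence numbers are constructed.

```python
import hashlib
import hmac
import os
import time

# Server-side secret, generated at startup (constructed for this example).
SERVER_SECRET = os.urandom(32)
COUNTER_PERIOD = 60  # seconds; bounds how long a cookie stays acceptable

def time_counter(now=None):
    """Coarse clock tick mixed into the cookie so old cookies expire."""
    return int((time.time() if now is None else now) // COUNTER_PERIOD)

def syn_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, counter, secret=SERVER_SECRET):
    """Step 1: derive the server ISN from the SYN's header fields instead of
    storing a half-open entry. Simplified scheme (not the kernel's): 24 bits of
    HMAC plus 8 low bits carrying the counter so it can be recovered from the ACK."""
    msg = f"{src_ip}|{dst_ip}|{src_port}|{dst_port}|{client_isn}|{counter}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return (int.from_bytes(mac[:3], "big") << 8) | (counter & 0xFF)

def handle_syn(src_ip, dst_ip, src_port, dst_port, client_isn, now=None, secret=SERVER_SECRET):
    """Step 2: answer the SYN with a SYN+ACK whose seq is the cookie. No per-connection
    state is kept, so a flood of spoofed SYNs cannot fill a half-open queue."""
    return syn_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, time_counter(now), secret)

def handle_ack(src_ip, dst_ip, src_port, dst_port, seq, ack_seq, now=None, secret=SERVER_SECRET, max_age=1):
    """Step 3: recompute the cookie from the ACK's header fields and compare it
    with ack_seq - 1. The client's seq in the ACK is its ISN + 1."""
    client_isn = (seq - 1) & 0xFFFFFFFF
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    current = time_counter(now)
    for age in range(max_age + 1):          # accept the current and recent ticks
        counter = current - age
        if (counter & 0xFF) != (cookie & 0xFF):
            continue
        expected = syn_cookie(src_ip, dst_ip, src_port, dst_port, client_isn, counter, secret)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return True                       # valid: allocate the connection now
    return False                              # forged or stale ACK: drop it

if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:40000 -> server 203.0.113.5:443
    t = 1_700_000_000
    isn = handle_syn("198.51.100.7", "203.0.113.5", 40000, 443, 123456, now=t)
    assert handle_ack("198.51.100.7", "203.0.113.5", 40000, 443, 123457, isn + 1, now=t)
    # A spoofed source that never saw the SYN+ACK cannot produce a matching ACK
    assert not handle_ack("192.0.2.9", "203.0.113.5", 40000, 443, 123457, isn + 1, now=t)
    print("SYN cookie handshake OK")
```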