A brief discussion of how SYN flood attacks work
Originally posted by "bingocn":
echo 1 > /proc/sys/net/ipv4/tcp_syncookies Everyone says this works, but I haven't tested it. What principle does it rely on? In theory a SYN flood cannot be stopped at all, because the IP/MAC of the incoming packets are forged and there is no way to tell whether they really come from a user..........
I share your view: syncookies are only a form of resistance and cannot stop the attack. But as for how syn cookies work, there is plenty of material online; here is a passage you can refer to:
Originally posted by "http://ipsysctl-tutorial.frozentux.net/chunkyhtml/x321.html":
3.3.26. tcp_syncookies
The tcp_syncookies variable is used to send out so called syncookies to hosts when the kernel's syn backlog queue for a specific socket is overflowed. This means that if our host is flooded with several SYN packets from different hosts, the syn backlog queue may overflow, and hence this function starts sending out cookies to see if the SYN packets are really legit.
This variable is used to prevent an extremely common attack that is called a "syn flood attack". The tcp_syncookies variable takes a boolean value which can either be set to 0 or 1, where 0 means off. The default setting is to turn this function off.
There have been a lot of discussions about the problems and flaws with syncookies in the past. Personally, I choose to look on SYN cookies as something fairly useful, and since it is not causing any strangeness under normal operation, it should not be very dangerous. However, it may be dangerous, and you may want to see below.
The tcp_syncookies option means that under high load the system will make new connections without advanced features like ECN or SACK being used. If syncookies are being triggered during normal load rather than an attack you should tune the tcp queue length and the servers handling the load.
You must not use this facility to help a highly loaded server to stand down from legal connections. If you start to see syn flood warnings in your logs, and they turn out to be legit connections, you may tune the tcp_max_syn_backlog, tcp_synack_retries and tcp_abort_on_overflow variables.
Note: the "syn backlog queue" in the text is a queue in the kernel that holds half-open connections. Once it fills up, the kernel starts requiring syn cookies to screen connections. And in fact syncookies themselves have quite a few holes that can be exploited; you can refer to some of SUSE's security documents.
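As an added illustration of the mechanism the quoted text describes (this is example code written for this note, not code from the thread or the tutorial): with syncookies on, the server keeps no half-open entry at all; the initial sequence number in its SYN|ACK is a keyed hash of the 4-tuple plus a coarse time counter and the client's MSS, and the state is rebuilt only when a valid cookie comes back in the final ACK. The scheme is modelled loosely on the Linux kernel's, with HMAC standing in for its keyed hash; the secrets, addresses and counter values are constructed for the example. The 32-bit budget is also why options such as SACK and ECN cannot be carried over, as the tutorial notes.

```python
import hashlib
import hmac
import struct

# Constructed per-boot secrets (a real kernel draws them randomly at boot).
SECRET = [b"constructed-secret-A", b"constructed-secret-B"]
COOKIEBITS = 24                      # low 24 bits: keyed hash + MSS index
COOKIEMASK = (1 << COOKIEBITS) - 1
MAX_AGE = 2                          # cookie accepted for 2 time units (~minutes)
MSSTAB = [536, 1300, 1440, 1460]     # the only MSS values a cookie can encode

def cookie_hash(saddr, daddr, sport, dport, count, which):
    """Keyed 32-bit hash over the 4-tuple and a time counter (HMAC stands in for SipHash)."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, count)
    return int.from_bytes(hmac.new(SECRET[which], msg, hashlib.sha256).digest()[:4], "big")

def mss_index(mss):
    """Index of the largest table entry not exceeding the client's MSS (floor at 0)."""
    return max([0] + [i for i, m in enumerate(MSSTAB) if m <= mss])

def make_cookie(saddr, daddr, sport, dport, client_seq, mss, count):
    """Server ISN for the SYN|ACK: encodes the state instead of storing a half-open entry."""
    low = (cookie_hash(saddr, daddr, sport, dport, count, 1) + mss_index(mss)) & COOKIEMASK
    isn = cookie_hash(saddr, daddr, sport, dport, 0, 0) + client_seq + (count << COOKIEBITS) + low
    return isn & 0xFFFFFFFF

def check_cookie(cookie, saddr, daddr, sport, dport, client_seq, count):
    """Recover the MSS from a returned cookie, or None if it is forged or too old."""
    cookie = (cookie - cookie_hash(saddr, daddr, sport, dport, 0, 0) - client_seq) & 0xFFFFFFFF
    age = (count - (cookie >> COOKIEBITS)) & (0xFFFFFFFF >> COOKIEBITS)  # only 8 bits of count survive
    if age >= MAX_AGE:
        return None
    idx = (cookie - cookie_hash(saddr, daddr, sport, dport, count - age, 1)) & COOKIEMASK
    return MSSTAB[idx] if idx < len(MSSTAB) else None

def handshake(client_seq, mss, count_at_syn, count_at_ack, tamper=0):
    """Simulate SYN -> SYN|ACK(cookie ISN) -> ACK with nothing kept server-side in between.

    `tamper` perturbs the acknowledgement number, as an ACK that never echoed the real
    SYN|ACK would; the server must then reject it because the cookie no longer verifies."""
    saddr, daddr, sport, dport = b"\x0a\x00\x00\x05", b"\xc0\xa8\x01\x0a", 40000, 80  # constructed
    isn = make_cookie(saddr, daddr, sport, dport, client_seq, mss, count_at_syn)
    # Third packet from the client: seq = client_seq + 1, ack = isn + 1.
    ack_seq, ack_num = client_seq + 1, (isn + 1 + tamper) & 0xFFFFFFFF
    return check_cookie((ack_num - 1) & 0xFFFFFFFF, saddr, daddr, sport, dport,
                        ack_seq - 1, count_at_ack)
```

A spoofed SYN therefore costs the server only one SYN|ACK and no queue slot, while an ACK that is stale or did not echo a genuine cookie yields None and is dropped.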