Diagnosing and Treating TCP Flood Attacks (SYN Flood)
Introduction
TCP flood attacks, specifically SYN flood attacks, are a type of Denial of Service (DoS) and Distributed Denial of Service (DDoS) attack that abuses the TCP three-way handshake. This article provides a practical guide to diagnosing and treating these attacks.
Understanding SYN Flood Attacks
A SYN flood attack involves sending a large number of forged TCP connection requests to a server, typically from a spoofed IP address or address range. The attacker sends only the SYN packet, the first packet of the handshake, and the server's reply (the SYN + ACK packet) is never answered. The server, still expecting the final ACK, keeps each connection in a "semi-connected" (half-open) state, retrying the default response five times a second, until its resources are depleted (CPU at full load or insufficient memory).
Diagnosis
When a business experiences a drop in traffic, the first step is to check the machine itself and DNS. If the externally facing web machine is slow to respond and a high CPU load is detected, this may indicate a TCP flood attack. Check the system syslog for kernel messages related to SYN flooding.
Evidence of SYN Flood Attacks
Run the following command to count connections by TCP state:
# netstat -n | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'
Look for the following signs in the output:
- A large number of connections in the SYN_RECV state
- A high number of TIME_WAIT connections
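The following is an added example, not part of the original article: a small POSIX shell script that applies the same awk counting to netstat-style output, flags a SYN_RECV build-up above an operator-chosen threshold, and ranks the remote /8 networks behind the half-open sockets so that any later block rule is based on evidence. The sample lines and the threshold value are constructed for the example; on a real host, pipe in `netstat -n | grep '^tcp'` instead.

```shell
#!/bin/sh
# Added example (not from the original article): diagnose a SYN_RECV build-up
# from netstat -n output. Columns: Proto Recv-Q Send-Q Local Foreign State,
# so $5 is the foreign address and $NF the state.

# count_states: print "STATE COUNT" per TCP state, largest count first.
# Same awk as the article, with a sort added.
count_states() {
    awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}' | sort -k2,2nr
}

# syn_recv_count: number of half-open (SYN_RECV) sockets in the input.
syn_recv_count() {
    awk '/^tcp/ && $NF == "SYN_RECV" {n++} END {print n+0}'
}

# syn_flood_suspected THRESHOLD: succeed (exit 0) when SYN_RECV sockets
# exceed THRESHOLD. The threshold is an assumed operator-chosen value;
# the article does not give one.
syn_flood_suspected() {
    n=$(syn_recv_count)
    [ "$n" -gt "$1" ]
}

# top_source_nets: rank remote /8 networks among SYN_RECV sockets, so the
# address range chosen for a temporary block rule comes from the evidence.
top_source_nets() {
    awk '/^tcp/ && $NF == "SYN_RECV" {split($5, a, "."); ++N[a[1] ".0.0.0/8"]}
         END {for (k in N) print N[k], k}' | sort -nr
}

# Constructed sample output: three half-open sockets (two from one /8),
# one established SSH session and one connection in TIME_WAIT.
SAMPLE='tcp        0      0 10.0.0.5:80        173.1.2.3:40001    SYN_RECV
tcp        0      0 10.0.0.5:80        173.1.2.4:40002    SYN_RECV
tcp        0      0 10.0.0.5:80        173.9.8.7:40003    SYN_RECV
tcp        0      0 10.0.0.5:22        192.0.2.10:55000   ESTABLISHED
tcp        0      0 10.0.0.5:80        192.0.2.11:55001   TIME_WAIT'

# Stand-alone run: show the state summary and the ranked source networks.
printf '%s\n' "$SAMPLE" | count_states
printf '%s\n' "$SAMPLE" | top_source_nets
```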
Emergency Treatment
To temporarily block the attack, use iptables to drop traffic from the IP address or address range most likely to be the source:
# iptables -A INPUT -s 173.0.0.0/8 -p tcp --dport 80 -j DROP
Note that -A appends the rule to the end of the INPUT chain; if an earlier rule already accepts the traffic, insert it at the top with -I INPUT 1 instead.
Long-term Solution
After the emergency treatment, adjust the kernel parameters to reduce the impact of future attacks:
- net.ipv4.tcp_synack_retries: Set this parameter to 0 so the server does not retry the SYN + ACK packet. This accelerates the recovery of "semi-connected" connections.
- net.ipv4.tcp_max_syn_backlog: Set this parameter to 200,000 to limit the number of connections held in the SYN_RECV state.
Reference Material
/usr/include/linux/fs.h, for information on file handles
http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/tcpvariables.html, for a detailed explanation of the TCP kernel parameters
Conclusion
TCP flood attacks are a serious threat to server resources. By understanding how to diagnose and treat SYN flood attacks, you can respond to them quickly and prevent them from causing significant damage.