Web server suffered a SYN attack is down 22 hours

My website is the first time encountered this kind of thing continued until 17:00 the next day from 19:00 pm on May 8, 20 a few hours during the server can not access. Service providers, according to the space engine room notice a SYN attack, TMD really depressed the extreme! Not much else to say, the recurrence of such a problem must go to a refund of space.

In addition, from the photographs I have seen yesterday, the site statistics more visits, visits Alfa Romeo 8C ( Alfa Romeo 8C Spider, ) is pretty good.

SYN attack points SYN Flood and SYN cookie two kinds:

SYN Flood is the most popular DoS (denial of service attacks) and DDoS (distributed denial of service attacks), one of the ways, this is a TCP protocol defects, sending a large number of forged TCP connection requests, allowing the attacker resources depleted (the CPU at full load or insufficient memory) attack.

To understand the basic principles of such an attack, or from the TCP connection establishment process to begin:

As we all know, TCP and UDP, it is based on the connection, In other words: In order to transmit TCP data between server and client must first establish a virtual circuit, which is a TCP connection, the establishment of a TCP connection to the standard procedure is this:

First, the request (client) sends a SYN flag of TCP packets, SYN or synchronize the Synchronize synchronization packets specified by the client using the port and TCP initial sequence numbers;

The second step, after receipt of the client's SYN packet, the server will return a SYN + ACK packet, indicating that the client's request was accepted, while the TCP sequence number plus one, an ACK is recognized (Acknowledgement).

The third step, the client returns a confirmation message ACK to the server side, the same TCP sequence number plus one, this is a TCP connection is completed.

The course of more than one connection in the TCP protocol is called three-way handshake (Three-way the Handshake).

The second method is to set the SYN cookie, a cookie is requesting a connection to each IP address assignment, the rapid succession by repeated SYN packets of an IP, it is identified by an attack from this IP address after The package will be Yigai discarded.

But the above two methods can only deal with the original SYN Flood attacks, shortening the SYN the Timeout time in each other's only entry into force of attack frequency is not high, the SYN Cookie is more dependent on each other to use the real IP address, if the attacker to the number of million / sec sending a SYN packet, while taking advantage of the the SOCK_RAW random rewrite the source address in the IP packet, the above method will be entirely useless.

. . . . No way, Who I stand sits such a thing? Can not visit friends, do not worry, will get better!

Collection, sharing this article!