IP SCFW, SYN Cookies Firewall
SYN cookies are a technique to prevent SYN flooding attacks. They originated with D. J. Bernstein and Eric Schenk and are now a standard part of the Linux kernel. However, the Linux implementation aims to protect only the box itself. IP SCFW adds a firewall feature to Linux that provides SYN cookies protection for the entire internal network. You can use this firewall to block half-open TCP connections, so the protected server never enters the half-open state (TCP_SYN_RECV). Once the connection is fully established, the firewall relays the connection between the client and the server.

What is a SYN flooding attack? (Quoted from CERT's alert)
When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a set sequence of messages. This connection technique applies to all TCP connections: telnet, Web, email, etc.

The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending SYN-ACK message to the client. The client then finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and the service-specific data can be exchanged between the client and the server. Here is a view of this message flow:

              Client                  Server
              ------                  ------
               SYN-------------------->

                 <--------------------SYN-ACK

               ACK-------------------->

               Client and server can now
               send service-specific data

The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to the client but has not yet received the ACK message. This is what we mean by a half-open connection. The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially open connections.

Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. This means that the final ACK message will never be sent to the victim server system.

The half-open connections data structure on the victim server system will eventually fill; then the system will be unable to accept any new incoming connections until the table is emptied out. Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can expire the pending connections.

In most cases, the victim of such an attack will have difficulty in accepting any new incoming network connection. In these cases, the attack does not affect existing incoming connections or the ability to originate outgoing network connections.

However, in some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative.

The location of the attacking system is obscured because the source addresses in the SYN packets are often implausible. When the packet arrives at the victim server system, there is no way to determine its true source. Since the network forwards packets based on destination address, the only way to validate the source of a packet is to use input source filtering.

What are SYN cookies?
SYN cookies are an implementation of TCP that responds to a TCP SYN request with a cookie. Following the description above, in a normal TCP implementation, when the server receives a SYN packet it responds with a SYN-ACK to acknowledge it and enters the TCP_SYN_RECV state (half-open connection) to wait for the final ACK. The server uses a data structure describing all pending connections, and that data structure is of finite size. Therefore, the attacker can fill the structure up.

In the SYN cookies implementation of TCP, when the server receives a SYN packet, it responds with a SYN-ACK packet whose sequence number is calculated from the source address, source port, source sequence number, destination address, destination port and a secret seed. The server then releases all state for that SYN. If an ACK arrives from the client, the server can recalculate the value to determine whether the ACK is a response to the earlier SYN-ACK. If it is, the server can enter the TCP_ESTABLISHED state directly and open the connection. In this way the server avoids having to keep track of half-open connections.

This is only the basic idea of SYN cookies; the implementation involves many more details.
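The calculation described above, as an added example in Python (it is not code from this page, from the SCFW project or from the Linux kernel): the SYN-ACK's initial sequence number is derived from the 4-tuple, the client's sequence number and a secret seed, and it is recomputed from the returning ACK. It goes slightly beyond the text in the way real stacks do, folding in a coarse time counter so old cookies stop verifying and a two-bit index for the MSS the server would otherwise have had to remember. The 32-bit layout, the MSS table, the seed and the sample addresses are all constructed choices of mine.

```python
import hashlib
import hmac
import socket
import struct
import time

# Constructed secret seed: a real stack generates this at boot and never exposes it.
SECRET = b"example-seed-do-not-use"

# Cookie layout (own design, only loosely modelled on Linux): one 32-bit value made of
#   5 bits  time counter  (so old cookies stop verifying)
#   2 bits  MSS index     (the one SYN option the server needs to remember)
#  25 bits  keyed hash over the 4-tuple, the client's ISN and the counter
COUNTER_PERIOD = 60                     # seconds per counter tick
COUNTER_BITS, MSS_BITS = 5, 2
HASH_BITS = 32 - COUNTER_BITS - MSS_BITS
COUNTER_MASK = (1 << COUNTER_BITS) - 1
MSS_MASK = (1 << MSS_BITS) - 1
HASH_MASK = (1 << HASH_BITS) - 1
MSS_TABLE = (536, 1024, 1440, 1460)     # representable MSS values; index 0 is the fallback
M32 = 0xFFFFFFFF


def _counter(now):
    return int(now // COUNTER_PERIOD) & COUNTER_MASK


def _keyed_hash(saddr, sport, daddr, dport, client_isn, counter):
    """Truncated HMAC over everything the text lists, plus the time counter."""
    msg = struct.pack("!4sH4sHIB", socket.inet_aton(saddr), sport,
                      socket.inet_aton(daddr), dport, client_isn & M32, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_cookie(saddr, sport, daddr, dport, client_isn, mss, now=None):
    """Initial sequence number to put in the SYN-ACK; nothing about the SYN is stored."""
    now = time.time() if now is None else now
    counter = _counter(now)
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):   # largest table entry not above the offered MSS
        if m <= mss:
            mss_idx = i
    payload = ((counter << (HASH_BITS + MSS_BITS)) | (mss_idx << HASH_BITS)
               | _keyed_hash(saddr, sport, daddr, dport, client_isn, counter))
    # Adding the client's ISN lets the verifier recover the payload from the ACK alone.
    return (client_isn + payload) & M32


def check_cookie(saddr, sport, daddr, dport, client_isn, ack, now=None, max_age=2):
    """Return the MSS encoded in the cookie if the ACK completes a handshake we
    answered, otherwise None. client_isn is the ACK packet's seq field minus one."""
    now = time.time() if now is None else now
    payload = (ack - 1 - client_isn) & M32
    counter = payload >> (HASH_BITS + MSS_BITS)
    mss_idx = (payload >> HASH_BITS) & MSS_MASK
    given = payload & HASH_MASK
    age = (_counter(now) - counter) & COUNTER_MASK   # modular, so wraparound is fine
    if age > max_age:
        return None                                   # stale, or counter from the future
    expected = _keyed_hash(saddr, sport, daddr, dport, client_isn, counter)
    if not hmac.compare_digest(given.to_bytes(4, "big"), expected.to_bytes(4, "big")):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    # Constructed sample handshake: client 203.0.113.5:40000 -> server 192.0.2.10:80
    c = make_cookie("203.0.113.5", 40000, "192.0.2.10", 80, 123456, 1440)
    print("SYN-ACK seq (cookie):", c)
    print("ACK verifies, MSS =", check_cookie("203.0.113.5", 40000, "192.0.2.10", 80,
                                              123456, (c + 1) & M32))
```

Because the verifier only needs the fields that arrive in the ACK packet plus the seed and the clock, the server really does hold zero state between the SYN and the ACK; the cost is that any SYN option not folded into the cookie (here everything except a rounded MSS) is lost, which is why real stacks treat cookies as a fallback under load rather than the default path.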

What is the SYN cookies firewall?
The SYN cookies firewall is an extension of SYN cookies. SYN cookies are built into the TCP stack of Linux and protect the Linux box itself. The SYN cookies firewall adds a firewall feature to Linux, so you can use the box as a firewall that protects your whole network from SYN flooding attacks.

            client           firewall           server
            ------          ----------          ------
   1.        SYN----------- - - - - - - - - - ->
   2.           <------------SYN-ACK(cookie)
   3.        ACK----------- - - - - - - - - - ->
   4.           - - - - - - -SYN--------------->
   5.           <- - - - - - - - - ------------SYN-ACK
   6.           - - - - - - -ACK--------------->

   7.           -----------> relay the  ------->
                <----------- connection <-------

   1. A SYN is sent from C (client) to S (server).
   2. The firewall acts as S and responds with a SYN-ACK carrying a SYN cookie.
   3. C sends the ACK. The connection between C and the firewall is now established.
   4. The firewall acts as C and sends a SYN to S.
   5. S responds to the SYN with a SYN-ACK addressed to C.
   6. The firewall acts as C and sends the ACK. The connection to S is now established.
   7. The firewall relays data between C and S.

If the server is under attack, step 3 never occurs. Nevertheless, neither the firewall nor the server holds any state for the SYN received in step 1. The SYN flood has therefore been defeated.
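As an added example (not code from this page or from the SCFW project), here is a Python simulation of the seven steps above, plus the one mechanic the relay step implies: the client has already accepted the cookie as the server's initial sequence number, while the real server picks its own in step 5, so when relaying the firewall has to shift acknowledgement numbers going to the server and sequence numbers coming from it by the difference. That shift is my assumption about how step 7 is carried out; the page itself only says the firewall relays the connection. The cookie here is a bare keyed hash without the time counter or MSS encoding; the Packet class, the addresses and all sequence numbers are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

SECRET = b"example-seed-do-not-use"   # constructed; a real firewall generates this at boot
M32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Packet:
    src: str        # "addr:port", a constructed stand-in for (address, port)
    dst: str
    flags: str      # "SYN", "SYN-ACK", "ACK" or "DATA"
    seq: int
    ack: int = 0


def cookie(src, dst, client_isn):
    """Keyed hash standing in for the full cookie layout (no time counter or MSS here)."""
    msg = f"{src}|{dst}|{client_isn}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


class SynCookieFirewall:
    def __init__(self):
        self.pending = {}      # (client, server) -> client ISN, once the cookie ACK is verified
        self.established = {}  # (client, server) -> (server ISN - cookie) mod 2^32

    def from_client(self, p):
        """Packets from the client side; returns the packets the firewall emits."""
        key = (p.src, p.dst)
        if p.flags == "SYN":
            # Step 2: answer on the server's behalf and keep NO state for this SYN.
            c = cookie(p.src, p.dst, p.seq)
            return [Packet(p.dst, p.src, "SYN-ACK", seq=c, ack=(p.seq + 1) & M32)]
        if key in self.established:
            # Step 7: the client acknowledges against the cookie; the server expects its own ISN.
            delta = self.established[key]
            return [replace(p, ack=(p.ack + delta) & M32)]
        if key in self.pending:
            return []          # server side still opening; a real relay would queue this
        if p.flags == "ACK":
            # Step 3: only an ACK that matches a cookie we issued creates any state at all.
            client_isn = (p.seq - 1) & M32
            expected = (cookie(p.src, p.dst, client_isn) + 1) & M32
            if not hmac.compare_digest((p.ack & M32).to_bytes(4, "big"),
                                       expected.to_bytes(4, "big")):
                return []      # not a reply to our SYN-ACK: drop silently
            # Step 4: open the server side as the client, reusing the client's own ISN
            # so that sequence numbers in the client->server direction need no rewriting.
            self.pending[key] = client_isn
            return [Packet(p.src, p.dst, "SYN", seq=client_isn)]
        return []

    def from_server(self, p):
        """Packets from the server side; returns the packets the firewall emits."""
        key = (p.dst, p.src)
        if p.flags == "SYN-ACK" and key in self.pending:
            # Step 5 arrives; remember how far the server's ISN is from the cookie.
            client_isn = self.pending.pop(key)
            c = cookie(key[0], key[1], client_isn)
            self.established[key] = (p.seq - c) & M32
            # Step 6: complete the server-side handshake as the client.
            return [Packet(key[0], key[1], "ACK",
                           seq=(client_isn + 1) & M32, ack=(p.seq + 1) & M32)]
        if key in self.established:
            # Step 7: rewrite the server's sequence numbers into the cookie numbering.
            delta = self.established[key]
            return [replace(p, seq=(p.seq - delta) & M32)]
        return []


def demo():
    """Walk one constructed connection through all seven steps and return the trace."""
    fw = SynCookieFirewall()
    C, S = "10.0.0.7:40000", "192.0.2.10:80"
    synack, = fw.from_client(Packet(C, S, "SYN", seq=1000))
    syn_s, = fw.from_client(Packet(C, S, "ACK", seq=1001, ack=(synack.seq + 1) & M32))
    ack_s, = fw.from_server(Packet(S, C, "SYN-ACK", seq=5000, ack=1001))
    data_s, = fw.from_client(Packet(C, S, "DATA", seq=1001, ack=(synack.seq + 1) & M32))
    data_c, = fw.from_server(Packet(S, C, "DATA", seq=5001, ack=1006))
    return [synack, syn_s, ack_s, data_s, data_c]


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```

A bare SYN, spoofed or not, leaves both dictionaries empty, which is the whole point: the only thing a flood of SYNs costs the firewall is the hash computation per SYN-ACK. State is created only on a correct cookie ACK, and the server sees a SYN only for connections that have already proven a reachable client.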

This article covers four concepts:
1: An introduction to SYN cookies
2: What is a SYN flood attack
3: What is a SYN cookie

4: What is a SYN cookie firewall
C = client
S = server
FW = firewall
1: An introduction to SYN cookies
SYN cookies are a technique for preventing SYN flood attacks. They were invented by D. J. Bernstein and Eric Schenk. SYN cookies are now part of the Linux kernel (a note from me: the default state is off), but as implemented in Linux they only protect the Linux system itself. What we are describing here is building a Linux firewall that provides SYN cookie protection for the whole network and every network operating system on it. You can use this firewall to block half-open TCP connections, so the protected system never enters the half-open state (TCP_SYN_RECV). Once the connection is fully established, the connection from the client to the server is relayed through the firewall.
2: What is a SYN flood attack? (From CERT's alert)
When a system (which we call the client) attempts to establish a TCP connection to a system that provides a service (the server), C and the server exchange a series of messages. This connection technique is used in all kinds of TCP connections, such as telnet, Web, email and so on.
First, C sends a SYN message to the server; the server then sends a SYN-ACK packet to acknowledge C; C then returns an ACK packet, completing the TCP connection. With that, the connection from C to the server is established, and C and the server can exchange data with each other. Here is the diagram for the above :)
              Client                  Server
              ------                  ------
               SYN-------------------->

                 <--------------------SYN-ACK

               ACK-------------------->

               Client and server can now
               send service-specific data
There is a potential weakness at the point where S returns the acknowledging SYN-ACK packet: it may never receive the ACK reply from C. This is the so-called half-open connection. S has to spend a certain amount of system resources waiting for this pending connection; that amount is bounded, but an attacker can launch a SYN flood attack by creating a large number of half-open connections.
Half-open connections are easy to create with IP spoofing. The attacker sends SYN packets to the victim system that look legitimate, but in fact the supposed C will never answer the SYN-ACK message, which means the victim will never receive the ACK.
At that point the half-open connections eventually consume all of the victim's system resources, and the victim can no longer accept any further requests. Normally there is a timeout on waiting for the returning ACK, so the half-open connections eventually expire and the victim system recovers on its own. Even so, before the victim system recovers, the attacker can easily keep sending forged SYN requests to sustain the attack.
In most cases the victim can hardly accept any new requests, but the attack does not affect existing inbound or outbound connections. Even so, the victim system may still exhaust its resources, leading to all sorts of other problems. The location of the attacking system is almost impossible to determine, because the source addresses in the SYN packets are mostly forged. When a SYN packet arrives at the victim system there is no way to find its real address, because in address-based packet forwarding, source IP filtering is the only way to validate a packet's source.
3: What is a SYN cookie?
A SYN cookie is a TCP implementation that responds to a TCP SYN request with a cookie. Following the description above, in a normal TCP implementation, when S receives a SYN packet it replies with a SYN-ACK packet and then enters the TCP_SYN_RECV (half-open connection) state to wait for the final ACK packet. S uses a data area to describe all pending connections, but that area is of limited size, so an attacker can fill it up. In the TCP SYN cookie implementation, when S receives a SYN packet it returns a SYN-ACK packet whose ACK sequence number is cryptographically derived: it is computed from the source address, source port, source sequence number, destination address, destination port and a secret seed. S then releases all state. If an ACK packet comes back from C, S recomputes the value to decide whether it is the reply to the earlier SYN-ACK. If it is, S can go straight into the TCP established state and open the connection. In this way S avoids having to watch over half-open connections.
This is only the basic idea of SYN cookies; putting it into practice still involves many tricks. See the archive of discussions on the kernel mailing list from the past few years for the details.
4: What is a SYN cookie firewall?
A SYN cookie firewall is an extension of SYN cookies. SYN cookies are built into the TCP stack and protect the Linux operating system itself. The SYN cookie firewall is a distinctive Linux feature: you can use a firewall to protect your network from SYN flood attacks.
The principle of the SYN cookie firewall is shown below.
            client           firewall           server
            ------          ----------          ------
   1.        SYN----------- - - - - - - - - - ->
   2.           <------------SYN-ACK(cookie)
   3.        ACK----------- - - - - - - - - - ->
   4.           - - - - - - -SYN--------------->
   5.           <- - - - - - - - - ------------SYN-ACK
   6.           - - - - - - -ACK--------------->

   7.           -----------> relay the  ------->
                <----------- connection <-------
1: A SYN packet is sent from C to S.
2: Here the firewall plays the role of S and replies to C with a SYN-ACK packet carrying a SYN cookie.
3: C sends the ACK packet; the connection between the firewall and C is now established.
4: The firewall now plays the role of C and sends a SYN to S.
5: S returns a SYN-ACK to C.
6: The firewall plays C and sends an ACK to S; now the connection between the firewall and S is also established.
7: The firewall relays data between C and S.
If the system comes under a SYN flood, step 3 never happens, and neither the firewall nor S keeps anything corresponding to the SYN packet from step 1, so we have repelled the SYN flood attack.
5: Downloads
ip_scfw-0.92.tar.gz (http://www.bronzesoft.org/projects/scfw/ip_scfw-0.9.2.tar.gz) is the latest version. It contains a patch for the Linux 2.2.17 kernel and the management tools; download it and install it following the readme file.
Design (http://www.bronzesoft.org/projects/scfw/Design) is a document explaining the code in detail; it is also included in the tar-gz package, and you can read it online.
ChangeLog (http://www.bronzesoft.org/projects/scfw/ChangeLog) describes the progress of the project.
tcpdos.tgz (http://www.bronzesoft.org/projects/scfw/tcpdos.tgz) is a tool that launches SYN flood attacks; you can use it to test your SYN cookie firewall.