Section 5.4 Defeating SYN Flood Attacks

5.4 Defeating SYN Flood Attacks


The previous section explained how this DoS works. The fix is simply to upgrade your kernel if it is older than 2.0.36. Note that kernels as old as 2.0.30 already contain this fix but have a different bug that allows TCP spoofing, so you definitely want at least 2.0.36. Once you have kernel 2.0.36 or later, you need to build it with the constant CONFIG_SYN_COOKIES defined. This is normally done during kernel configuration via any of the following commands, invoked from /usr/src/linux. (It is time to move to at least the later 2.2 kernels.)

    make xconfig       under X Windows
    make menuconfig    menu-driven
    make config        old method

CONFIG_SYN_COOKIES works by recognizing that the queue of "half-open" connections, in which the kernel remembers each connection's opening details, is of finite size. It first dedicates half of this queue to systems with which it has recently completed connections successfully, on the assumption that these systems are probably legitimate.

If the server runs out of queue space, rather than trying to enqueue the "opening details" of each TCP session, it encodes that data in 32 bits and sends it in the SYN/ACK packet as the initial sequence number. If the client is legitimate, it increments this number by one and returns it in the subsequent ACK packet. The server then subtracts one from that number and has the information it needs to complete the connection. If the SYN packet was part of a SYN flood attack, the kernel has forgotten all about it once it sends the SYN/ACK (other than logging "Warning: possible SYN flooding. Sending cookies."). Most recent versions of Linux have this option on by default.
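The exchange just described, modelled in Python as an added example (it is not code from the book or from the Linux kernel, whose real cookie layout, MSS table and secrets differ). The server keeps no per-SYN state: a keyed hash of the connection's addresses, ports, client sequence number and a coarse time counter becomes the initial sequence number, and the final ACK is accepted only if ack-1 still verifies. The secret, addresses and MSS table are constructed.

```python
import hashlib
import hmac

# Constructed server secret; the real kernel derives its own random secrets.
SECRET = b"constructed-example-secret"
MSS_TABLE = (536, 1024, 1460)  # MSS values the cookie can encode (3-bit index)

def _mac24(src, sport, dst, dport, client_isn, t):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time slot."""
    msg = f"{src}:{sport}:{dst}:{dport}:{client_isn}:{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Server ISN for the SYN/ACK: 5-bit minute counter | 3-bit MSS index | 24-bit MAC.
    Nothing is enqueued; the cookie itself carries what the server must remember."""
    t = (now // 60) & 0x1F
    idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss)  # round MSS down
    return (t << 27) | (idx << 24) | _mac24(src, sport, dst, dport, client_isn, t)

def check_cookie(src, sport, dst, dport, seq, ack, now, max_age_min=1):
    """Validate the client's final ACK (seq = client ISN+1, ack = server ISN+1).
    Returns the negotiated MSS, or None if the cookie is forged or too old."""
    cookie = (ack - 1) & 0xFFFFFFFF          # server subtracts one, as the text says
    client_isn = (seq - 1) & 0xFFFFFFFF
    t = cookie >> 27
    age = (((now // 60) & 0x1F) - t) % 32    # minutes since the cookie was minted
    if age > max_age_min:
        return None                          # stale: a replayed or guessed cookie
    if (cookie & 0xFFFFFF) != _mac24(src, sport, dst, dport, client_isn, t):
        return None                          # MAC mismatch: not our cookie
    return MSS_TABLE[(cookie >> 24) & 0x7]

def handshake(src, sport, client_isn, mss, now, answers=True, reply_delay=1, ack=None):
    """One client/server exchange against a constructed server 192.0.2.10:80.
    A flood source that never answers costs the server no queue entry at all."""
    dst, dport = "192.0.2.10", 80
    server_isn = make_cookie(src, sport, dst, dport, client_isn, mss, now)  # SYN -> SYN/ACK
    if not answers:
        return None                          # spoofed SYN: nothing was stored, nothing to drop
    if ack is None:
        ack = (server_isn + 1) & 0xFFFFFFFF  # legitimate client bumps the number by one
    return check_cookie(src, sport, dst, dport, client_isn + 1, ack, now + reply_delay)
```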

Real World Linux Security (Prentice Hall PTR Open Source Technology Series), 2002, 260 pages.