5.4 Defeating SYN Flood Attacks

The previous section explained how this DoS works. The fix is simply to upgrade your kernel if it is older than 2.0.36. Kernels as old as 2.0.30 already carry this fix, but they have a different bug that allows TCP spoofing, so you definitely want at least 2.0.36. (It is time to move to at least the later 2.2 kernels.) Once you have kernel 2.0.36 or later, you must build it with the constant CONFIG_SYN_COOKIES defined. This normally is done during kernel configuration with any of the following commands, invoked from /usr/src/linux:

    make xconfig        graphical, under the X Window System
    make menuconfig     text menus
    make config         the old question-and-answer method

CONFIG_SYN_COOKIES works by recognizing that the queue of "half-open" connections, in which the kernel remembers the opening details of each pending connection, is of finite size. It first dedicates half of this queue to systems with which it has recently completed connections successfully, on the assumption that these systems are probably legitimate. If the server runs out of queue space, rather than enqueuing the "opening details" of each new TCP session, it encodes what it needs (a coarse timestamp, the client's maximum segment size and a keyed hash of the two addresses and ports) into 32 bits and sends that as the initial sequence number of the SYN/ACK packet. A legitimate client acknowledges that number plus one in its subsequent ACK packet, as every TCP handshake does. The server subtracts one, checks that the result is a cookie it issued recently for this address and port pair, and then has what it needs to complete the connection. If the SYN was part of a SYN flood, the kernel has forgotten all about it the moment the SYN/ACK leaves (other than logging "Warning: possible SYN flooding. Sending cookies."), so spoofed SYNs consume no memory.

Two caveats. Because the cookie cannot carry the TCP options from the original SYN, a connection completed from a cookie loses window scaling and selective acknowledgement unless TCP timestamps are in use, and the MSS is rounded down to one of a few table values; cookies are therefore a fallback for when the queue fills, not a substitute for an adequately sized backlog. Also, compiling the option in is not the whole story on later kernels: the behaviour is switched at run time through the sysctl net.ipv4.tcp_syncookies (the file /proc/sys/net/ipv4/tcp_syncookies), where 0 disables cookies, 1 sends them only when the backlog overflows and, on current kernels, 2 sends them unconditionally. Most recent versions of Linux have this option compiled in and enabled by default.
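To make the mechanism concrete, here is an added example (not code from this book, and not the kernel's implementation) of a SYN-cookie encoder and verifier in Python. It follows the general shape of the Linux scheme (a keyed hash of the address/port 4-tuple plus the client's sequence number, a coarse time counter in the top byte, an MSS table index hidden in the low 24 bits), but the hash function, the MSS table, the validity window and the addresses, ports and sequence numbers used in the demo are all constructed for illustration.

```python
"""Toy SYN-cookie minting and verification (added example, not kernel code).

The 32-bit ISN the server puts in its SYN/ACK is built as
    H1(saddr, daddr, sport, dport) + client_isn + (count << 24)
    + ((H2(saddr, daddr, sport, dport, count) + mss_index) & 0xFFFFFF)
The server keeps no per-connection state. When the final ACK arrives it
subtracts one, strips H1 and the client's ISN, recovers the counter (for
freshness) and the MSS index, and drops anything it did not mint itself.
"""
import hashlib
import hmac
import struct
import time

# Constructed values; the real kernel's table, counter width and window differ.
MSS_TABLE = [536, 1300, 1440, 1460]   # MSS values representable by the index
COOKIE_WINDOW = 4                     # accept cookies up to 4 counter ticks old
MASK32 = 0xFFFFFFFF
MASK24 = 0x00FFFFFF


def _h(secret, *fields):
    """Keyed 32-bit hash over the 4-tuple (optionally plus the counter)."""
    msg = b"".join(struct.pack("!I", f & MASK32) for f in fields)
    return struct.unpack("!I", hmac.new(secret, msg, hashlib.sha256).digest()[:4])[0]


def _mss_index(mss):
    """Index of the largest table entry not above the client's advertised MSS."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def minute_counter(now=None):
    """8-bit coarse time counter carried in the cookie's top byte."""
    return int((time.time() if now is None else now) // 60) & 0xFF


def make_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, count):
    """Server side: mint the SYN/ACK ISN for an incoming SYN. Nothing is queued."""
    h1 = _h(secret, saddr, daddr, sport, dport)
    h2 = _h(secret, saddr, daddr, sport, dport, count)
    low = (h2 + _mss_index(mss)) & MASK24
    return (h1 + client_isn + (count << 24) + low) & MASK32


def check_cookie(secret, saddr, daddr, sport, dport, client_isn, ack, count_now):
    """Server side: validate the handshake's final ACK.

    Returns the MSS to use if ack-1 is a cookie recently minted for this
    4-tuple, otherwise None (the packet is dropped without touching any state).
    """
    cookie = (ack - 1) & MASK32                     # client acknowledged ISN + 1
    h1 = _h(secret, saddr, daddr, sport, dport)
    rest = (cookie - h1 - client_isn) & MASK32      # leaves (count << 24) + low
    count = rest >> 24
    if (count_now - count) & 0xFF > COOKIE_WINDOW:
        return None                                 # stale, or garbage counter
    h2 = _h(secret, saddr, daddr, sport, dport, count)
    mssind = ((rest & MASK24) - h2) & MASK24
    if mssind >= len(MSS_TABLE):
        return None                                 # forged or corrupted cookie
    return MSS_TABLE[mssind]


def demo():
    """A legitimate handshake beside two flood-style packets (constructed data)."""
    secret = b"per-boot random secret (constructed)"
    srv, cli = 0x0A000001, 0xC0A80005               # 10.0.0.1 and 192.168.0.5
    sport, dport, isn = 40000, 80, 0x12345678
    now = minute_counter(1_000_000)
    syn_ack_isn = make_cookie(secret, cli, srv, sport, dport, isn, 1460, now)
    real_ack = (syn_ack_isn + 1) & MASK32
    # Legitimate client: its ACK carries our ISN + 1, so the cookie decodes.
    good = check_cookie(secret, cli, srv, sport, dport, isn, real_ack, now)
    # Flooder with a spoofed source never saw the SYN/ACK and can only guess.
    guess = check_cookie(secret, cli, srv, sport, dport, isn, 0xDEADBEEF, now)
    # A captured ACK replayed after the window has passed is rejected too.
    late = check_cookie(secret, cli, srv, sport, dport, isn, real_ack,
                        (now + COOKIE_WINDOW + 1) & 0xFF)
    return good, guess, late


if __name__ == "__main__":
    print(demo())
```

Note what the server does not do: it never stores the SYN, so a flood of spoofed SYNs costs it a hash computation per packet and nothing else, while a legitimate client's ACK still carries enough for the kernel to rebuild the connection. The price is visible in the table: only a handful of MSS values survive the round trip, which is why the text's caveat about lost TCP options applies.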