How does a SYN attack use the TCP protocol to launch attacks?
A SYN attack is a common method used by attackers and is one form of DDoS. It exploits a weakness in the TCP protocol by sending a large number of half-open connection requests, which consume CPU and memory resources. In addition to hosts, SYN attacks can also harm network devices such as routers and firewalls. In fact, it does not matter what system the target runs: as long as it exposes a TCP service, the attack can be carried out against it.
To understand the basic principle of this attack, we need to start with the process of establishing a TCP connection.
TCP is connection-oriented: before TCP data can be transmitted between the server and the client, a virtual link, that is, a TCP connection, must be established. The standard process of establishing a TCP connection is as follows:
In the first step, the requesting end (client) sends a TCP message containing the SYN flag. SYN means synchronization. The synchronization message will indicate the port used by the client and the initial sequence number of the TCP connection;
In the second step, after receiving the SYN message from the client, the server returns a SYN+ACK message, indicating that the client's request is accepted. At the same time, the TCP sequence number is incremented by one and returned as the acknowledgment (ACK).
In the third step, the client returns an ACK confirmation message to the server. The TCP sequence number is again incremented by one, and the TCP connection is established.
The above connection process is called a three-way handshake in the TCP protocol.
The problem lies in the three-way handshake itself. Suppose a client suddenly crashes or disconnects after sending a SYN message to the server. The server then never receives the client's ACK after sending its SYN+ACK response, so the third step of the handshake cannot be completed. In this case, the server will generally retry (send SYN+ACK to the client again) and wait for a period of time before discarding the unfinished connection. The length of this period is called the SYN Timeout. Generally speaking, this time is on the order of minutes (about 30 seconds-2 minutes).
It is not a big problem if one client fault causes a server thread to wait for 1 minute, but if a malicious attacker simulates this situation in large numbers, the server spends a great deal of resources maintaining a very large list of half-open connections. With tens of thousands of half-open connections, even simply storing and traversing the list consumes a lot of CPU time and memory, not to mention the need to keep retrying SYN+ACK for the IPs in the list.
In fact, if the server's TCP/IP stack is not robust enough, the final result is often a stack overflow crash. Even if the server-side system is robust enough, the server will be so busy processing the TCP connection requests forged by the attacker that it has no time to handle normal client requests.
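The half-open connection list described above can be observed on a Linux server, where entries waiting for the final ACK appear in `/proc/net/tcp` with state code `03` (SYN_RECV). The following is an added example, not code from the original article: it counts those entries per listening port over a constructed sample table. It assumes a little-endian host (such as x86-64) for the address decoding, and the function names and alert threshold are illustrative choices.

```python
import socket
import struct
from collections import Counter

SYN_RECV = "03"  # kernel state code for a half-open (SYN received) connection

# Constructed sample in /proc/net/tcp layout (documentation-range addresses).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A0200C0:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A0200C0:0050 016433C6:C350 03 00000000:00000000 01:00000063 00000001     0        0 0
   2: 0A0200C0:0050 026433C6:C351 03 00000000:00000000 01:00000127 00000002     0        0 0
   3: 0A0200C0:0050 037100CB:C352 03 00000000:00000000 01:00000245 00000003     0        0 0
   4: 0A0200C0:0050 047100CB:9C40 01 00000000:00000000 00:00000000 00000000    33        0 1002
   5: 0A0200C0:01BB 057100CB:9C41 01 00000000:00000000 00:00000000 00000000    33        0 1003
"""

def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into ('a.b.c.d', port); assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def half_open_by_port(table_text):
    """Count SYN_RECV entries per local port and collect their remote IPs."""
    counts, peers = Counter(), {}
    for line in table_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != SYN_RECV:
            continue
        _, lport = decode_addr(cols[1])
        rip, _ = decode_addr(cols[2])
        counts[lport] += 1
        peers.setdefault(lport, set()).add(rip)
    return counts, peers

def flag_ports(table_text, threshold):
    """Return local ports whose half-open count is at or above threshold."""
    counts, _ = half_open_by_port(table_text)
    return sorted(p for p, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    counts, peers = half_open_by_port(SAMPLE)
    for port in flag_ports(SAMPLE, threshold=3):
        print(f"port {port}: {counts[port]} half-open from {sorted(peers[port])}")
```

On a live host, pass the contents of `/proc/net/tcp` instead of `SAMPLE` and pick a threshold from the port's normal baseline; a count that stays high across successive samples indicates entries lingering for the full SYN Timeout.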