
How SYN Attacks Use the TCP Protocol

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

In this article the editor explains how SYN attacks use the TCP protocol. Most people are probably not very familiar with the topic, so it is shared here for your reference. I hope you learn a lot from reading it.

A SYN attack is one of the methods attackers use. SYN flooding attacks are based on the design of the three-way handshake used when establishing a TCP connection. The third packet of the handshake verifies that the connection initiator can receive packets at the source IP address used in the first request, that is, that the return path is reachable.

To understand the fundamentals of this attack, start with the process of establishing a TCP connection:

As we all know, TCP is connection-based: to transfer TCP data between the server and the client, a virtual link, that is, a TCP connection, must first be established. The standard process for establishing a TCP connection is as follows:

In the first step, the requesting side (client) sends a TCP message containing the SYN flag. SYN stands for synchronize. The synchronization message indicates the port used by the client and the initial sequence number of the TCP connection.

In the second step, after receiving the SYN message from the client, the server returns a SYN+ACK message indicating that the client's request is accepted. At the same time, the TCP sequence number is increased by one. ACK stands for acknowledgement.

In the third step, the client also returns an acknowledgement message (ACK) to the server, the TCP sequence number is again increased by one, and the TCP connection is complete.

The above connection process is called a three-way handshake in the TCP protocol.

The problem lies in the three-way handshake of the TCP connection. If a user suddenly crashes or goes offline after sending a SYN message to the server, the server never receives the client's ACK after sending its SYN+ACK reply (the third step of the handshake cannot be completed). In this case, the server usually retries (sends the SYN+ACK to the client again) and, after waiting for a period of time, discards the incomplete connection. This period is called the SYN Timeout and is generally on the order of minutes (about 30 seconds to 2 minutes).

A single user failure that leaves one thread on the server waiting for 1 minute is not a big problem. But if a malicious attacker simulates this situation in large numbers, the server consumes a great deal of resources maintaining a very large list of half-open connections. With tens of thousands of half-open connections, even simply storing and traversing the list costs a lot of CPU time and memory, and on top of that the server has to keep retrying SYN+ACK to every IP in the list.

In fact, if the server's TCP/IP stack is not robust enough, the end result is often a stack overflow crash. Even if the server-side system is powerful enough, it will be too busy processing the attacker's forged TCP connection requests to attend to normal client requests.
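The half-open list and SYN Timeout described above can be modelled without any network traffic, which is useful for sizing the backlog and retry settings on a server. This is an added example, not code from the original article; the function names, the backlog of 128, the 1-second initial retransmission wait and the retry counts are assumptions modelled on common Linux defaults, and all rates are constructed values.

```python
"""Model of a server's half-open connection table (no network I/O)."""
from collections import deque

def syn_timeout(initial_rto=1.0, synack_retries=5):
    """Seconds an unanswered entry is held: the initial wait plus each
    doubled wait after a SYN+ACK retransmission (assumed backoff)."""
    return sum(initial_rto * 2 ** i for i in range(synack_retries + 1))

def simulate(backlog, timeout, unanswered_per_s, legit_per_s, seconds):
    """Tick once per second; return (peak half-open, accepted, refused).

    Unanswered SYNs never send the third-step ACK, so each one holds a
    slot until `timeout`. Legitimate clients finish the handshake within
    the tick, so they only need one slot to be free when they arrive.
    """
    expiries = deque()                 # expiry times, oldest entry first
    peak = accepted = refused = 0
    for now in range(seconds):
        while expiries and expiries[0] <= now:
            expiries.popleft()         # server discards timed-out entries
        for _ in range(unanswered_per_s):
            if len(expiries) < backlog:
                expiries.append(now + timeout)
        peak = max(peak, len(expiries))
        for _ in range(legit_per_s):   # worst case: they arrive last
            if len(expiries) < backlog:
                accepted += 1
            else:
                refused += 1
    return peak, accepted, refused

if __name__ == "__main__":
    long_hold = syn_timeout()          # 5 retries
    short_hold = syn_timeout(1.0, 2)   # 2 retries
    for label, hold in (("5 retries", long_hold), ("2 retries", short_hold)):
        peak, ok, lost = simulate(128, hold, 10, 2, 120)
        print(f"{label}: hold={hold:.0f}s peak={peak} "
              f"accepted={ok} refused={lost}")
```

With the longer hold time the table saturates and nearly all legitimate handshakes are refused; with the shorter one the same load peaks well below the backlog, which is why the SYN Timeout and backlog size are the settings to review.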
