When TCP initiates a connection, the first thing it does is send a special packet to the destination with a flag set to indicate the start of a connection. This flag is known as the SYN flag. The destination host responds with a packet that acknowledges the SYN and carries its own SYN, called (appropriately) a SYN-ACK. The destination then waits for the source to return an acknowledgment (ACK), showing that both sides have agreed on the parameters of the connection, including each side's initial sequence number. Once these three packets have been exchanged (a process called the "three-way handshake"), the source and destination hosts can transmit data back and forth.
Because many hosts can contact a single host at the same time, the destination host must keep track of every SYN it has answered but not yet seen completed. These half-open connections are stored in the SYN queue (the "SYN backlog", sized by net.ipv4.tcp_max_syn_backlog) until the three-way handshake is complete. Once it is, the connection leaves the SYN queue and moves to the accept queue, which holds established connections waiting for the application to accept them.
A SYN flood occurs when an attacker sends a large number of SYN packets, usually from spoofed source addresses, with no intention of answering the SYN-ACK. Each one occupies a slot in the destination's SYN queue until it times out, so the queue fills up and legitimate connection attempts are dropped: the service becomes unreachable even though the host itself keeps running. Obviously, this is not a good thing.
Linux can defend against SYN floods with SYN cookies, a mechanism in the kernel that lets the server answer a SYN without remembering it. Once the SYN queue is full, instead of dropping a new SYN the kernel replies with a SYN-ACK whose initial sequence number is a cookie: a keyed hash of the source and destination addresses and ports, a slowly incrementing counter (one tick per minute) and a per-boot secret, with the client's MSS encoded in the low bits. Nothing is stored. If the final ACK ever arrives, its acknowledgment number (minus one) must equal a cookie the kernel could have produced for that 4-tuple within the last couple of counter ticks; if it does, the connection is rebuilt from the cookie and goes straight to the established state. A spoofed SYN that is never followed by an ACK therefore costs the server no memory at all. The price is that TCP options the cookie cannot carry (SACK and window scaling, unless the client sent timestamps) are lost on connections set up this way, which is why cookies are used only while the queue is full. A second layer of protection is the queue limit itself: without cookies, a SYN that would overflow the queue is simply dropped. A client may then be temporarily unable to connect, but the server keeps serving the connections it already has instead of falling over and kicking everyone off.
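The following is an added illustration of the cookie scheme just described, written for this page rather than taken from the book or the kernel. It follows the field layout Linux uses (an 8-bit counter in the top byte, a hashed 24-bit field carrying the MSS index) but the key, the MSS table, the counter values and the use of HMAC-SHA256 in place of the kernel's SipHash are assumptions made for the example. The server object keeps no state per SYN, so a flood of ten thousand spoofed SYNs leaves it with nothing to remember; only an ACK that carries a valid, recent cookie creates a connection.

```python
"""SYN cookies in miniature (added example, not kernel code): the SYN-ACK's
sequence number encodes everything needed to finish the handshake later."""
import hashlib
import hmac
import os
import socket
import struct

# Assumptions for the example: the kernel uses SipHash with per-boot secrets
# and its own MSS table. Everything below is constructed.
SECRET = os.urandom(16)
MSS_TABLE = [536, 1300, 1440, 1460]   # index is stored in the cookie's low bits
COOKIE_MASK = 0xFFFFFF                # low 24 bits: hash + MSS index
MAX_COUNTER_AGE = 1                   # accept this and the previous counter tick


def _mac(key, tag, saddr, daddr, sport, dport, count):
    """32-bit MAC over a domain tag, the 4-tuple and an 8-bit counter."""
    msg = struct.pack("!B4s4sHHB", tag, socket.inet_aton(saddr),
                      socket.inet_aton(daddr), sport, dport, count)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def _mss_index(mss):
    """Largest table entry not exceeding the MSS the client announced."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, count, key=SECRET):
    """Server ISN for the SYN-ACK. The server stores nothing."""
    count &= 0xFF
    h1 = _mac(key, 1, saddr, daddr, sport, dport, 0)
    h2 = _mac(key, 2, saddr, daddr, sport, dport, count)
    return (h1 + client_isn + (count << 24)
            + ((h2 + _mss_index(mss)) & COOKIE_MASK)) & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now_count, key=SECRET):
    """Return the MSS encoded in a genuine, recent cookie, else None."""
    h1 = _mac(key, 1, saddr, daddr, sport, dport, 0)
    diff = (cookie - h1 - client_isn) & 0xFFFFFFFF
    count = diff >> 24
    if (now_count - count) & 0xFF > MAX_COUNTER_AGE:
        return None                   # too old, or a forged counter byte
    h2 = _mac(key, 2, saddr, daddr, sport, dport, count)
    idx = (diff - h2) & COOKIE_MASK
    if idx >= len(MSS_TABLE):
        return None                   # MAC mismatch: wrong key or tampered
    return MSS_TABLE[idx]


class SynCookieServer:
    """Listener whose SYN queue is full, so every SYN is answered with a cookie."""

    def __init__(self, addr, port, key=SECRET):
        self.addr, self.port, self.key = addr, port, key
        self.established = {}         # (client addr, port) -> negotiated MSS

    def on_syn(self, saddr, sport, client_isn, mss, now_count):
        # SYN-ACK goes out with seq = cookie; no queue entry is created.
        return make_cookie(saddr, self.addr, sport, self.port,
                           client_isn, mss, now_count, self.key)

    def on_ack(self, saddr, sport, seq, ack, now_count):
        # Final ACK carries seq = client_isn + 1 and ack = cookie + 1.
        mss = check_cookie(saddr, self.addr, sport, self.port,
                           (seq - 1) & 0xFFFFFFFF, (ack - 1) & 0xFFFFFFFF,
                           now_count, self.key)
        if mss is None:
            return False
        self.established[(saddr, sport)] = mss
        return True


def demo():
    """Constructed flood of spoofed SYNs, then one honest client, one forged ACK
    and one ACK that arrives too late."""
    key = bytes(range(16))            # fixed key so the run is reproducible
    srv = SynCookieServer("192.0.2.10", 443, key)
    for i in range(10_000):           # SYNs that are never followed by an ACK
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, i * 7919, 1460, now_count=5)
    state_after_flood = len(srv.established)
    isn = srv.on_syn("203.0.113.7", 40000, 1000, 1460, now_count=5)
    ok = srv.on_ack("203.0.113.7", 40000, 1001, (isn + 1) & 0xFFFFFFFF, now_count=6)
    forged = srv.on_ack("203.0.113.8", 40001, 1, 12345, now_count=6)
    late_isn = srv.on_syn("203.0.113.9", 40002, 1000, 1460, now_count=5)
    stale = srv.on_ack("203.0.113.9", 40002, 1001, (late_isn + 1) & 0xFFFFFFFF, now_count=8)
    return state_after_flood, ok, forged, stale, srv.established.get(("203.0.113.7", 40000))


if __name__ == "__main__":
    print(demo())
```

In real use the counter would be int(time.time() // 60), matching the kernel's one-minute tick; the two-tick acceptance window is what bounds how long a cookie stays replayable. Note that because the cookie only has 3 bits for the MSS index, the server may end up with a smaller MSS than the client offered, one of the costs of cookie mode mentioned above.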
First, use the sysctl tool to display the current value of the tcp_syncookies setting. Type
[root@serverA ~]# sysctl net.ipv4.tcp_syncookies
net.ipv4.tcp_syncookies = 0
The output shows that the setting is currently disabled (value 0). To turn on tcp_syncookies support, enter this command:
[root@serverA ~]# sysctl -w net.ipv4.tcp_syncookies=1
net.ipv4.tcp_syncookies = 1
Because /proc entries do not survive a reboot, you should also add the setting to your /etc/sysctl.conf configuration file, which is read at boot (sysctl -p applies the file immediately, without rebooting). To append the line with the echo command, type
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
Check with grep before doing so: each run of that command appends another copy of the line. Most current distributions ship with SYN cookies already enabled and keep local overrides in drop-in files under /etc/sysctl.d/ rather than in /etc/sysctl.conf itself.
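The check, apply and persist steps above, gathered into one added example (not the book's code): a small Python module that writes a sysctl.conf-style file without leaving duplicate lines behind, reads it back the way sysctl -p would, and applies a setting by writing the corresponding node under /proc/sys, which is what sysctl -w does. The file paths and values in demo() are constructed; apply_sysctl needs root against the real /proc/sys, so the demo points it at a throwaway directory.

```python
"""Persist and apply sysctl settings idempotently (added example; not from the
page's source). sysctl keys map onto /proc/sys: net.ipv4.tcp_syncookies is
/proc/sys/net/ipv4/tcp_syncookies."""
import os
import re
import tempfile

PROC_SYS = "/proc/sys"


def persist_sysctl(conf_path, key, value):
    """Write `key = value` into a sysctl.conf-style file, replacing any existing
    line for the key instead of appending a duplicate. Returns the new lines."""
    lines = []
    if os.path.exists(conf_path):
        with open(conf_path) as f:
            lines = f.read().splitlines()
    pattern = re.compile(r"^\s*" + re.escape(key) + r"\s*=")
    new_line = f"{key} = {value}"
    out, replaced = [], False
    for line in lines:
        if pattern.match(line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue                      # drop further copies of the key
        out.append(line)
    if not replaced:
        out.append(new_line)
    # Write to a temp file and rename so a crash cannot leave a truncated config.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(conf_path)))
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(out) + "\n")
    os.chmod(tmp, os.stat(conf_path).st_mode & 0o7777 if lines or os.path.exists(conf_path) else 0o644)
    os.replace(tmp, conf_path)
    return out


def read_sysctl_conf(conf_path):
    """Parse a sysctl.conf-style file into a dict. Comments and blank lines are
    skipped; the last occurrence of a key wins, as it does for sysctl -p."""
    settings = {}
    with open(conf_path) as f:
        for line in f:
            line = re.split(r"[#;]", line, 1)[0].strip()
            if not line or "=" not in line:
                continue
            k, v = line.split("=", 1)
            settings[k.strip()] = v.strip()
    return settings


def apply_sysctl(key, value, proc_sys=PROC_SYS):
    """Apply a setting now by writing its /proc/sys node (needs root on the
    real tree). Returns False if the node does not exist or is not writable."""
    path = os.path.join(proc_sys, *key.split("."))
    try:
        with open(path, "w") as f:
            f.write(str(value))
        return True
    except OSError:
        return False


def current_sysctl(key, proc_sys=PROC_SYS):
    """Read the live value of a setting from /proc/sys."""
    with open(os.path.join(proc_sys, *key.split("."))) as f:
        return f.read().strip()


def demo():
    """Run the procedure against a constructed config and a fake /proc/sys tree."""
    d = tempfile.mkdtemp()
    conf = os.path.join(d, "sysctl.conf")
    with open(conf, "w") as f:             # constructed starting configuration
        f.write("# constructed sample\nnet.ipv4.ip_forward = 0\nnet.ipv4.tcp_syncookies = 0\n")
    persist_sysctl(conf, "net.ipv4.tcp_syncookies", 1)
    persist_sysctl(conf, "net.ipv4.tcp_syncookies", 1)   # rerun must not duplicate
    persist_sysctl(conf, "net.ipv4.tcp_max_syn_backlog", 4096)
    with open(conf) as f:
        occurrences = f.read().count("tcp_syncookies")
    settings = read_sysctl_conf(conf)
    os.makedirs(os.path.join(d, "net", "ipv4"))          # fake /proc/sys, no root needed
    applied = apply_sysctl("net.ipv4.tcp_syncookies", 1, proc_sys=d)
    live = current_sysctl("net.ipv4.tcp_syncookies", proc_sys=d)
    missing = apply_sysctl("net.ipv6.conf.all.nope", 1, proc_sys=d)
    return settings, occurrences, applied, live, missing


if __name__ == "__main__":
    print(demo())
```

On a real host, call apply_sysctl with the default proc_sys as root and persist_sysctl against /etc/sysctl.conf or a file under /etc/sysctl.d/; the return value of apply_sysctl is the check that the change actually took effect rather than silently failing.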
Source: Steve Shah & Wale Soyinka