Recently it occurred to me that the Last_ACK state could be abused: if the side that actively closes the connection deliberately withholds the final ACK, would the server run out of resources?
By now, Half_Opened and Half_Closed attacks against TCP have been studied thoroughly, and it is getting harder and harder to exhaust a server's CPU and memory with them.
A server that never receives the Last_ACK does not release the state of that TCP connection, which consumes the server's memory; at the same time it must spend CPU retransmitting its "FIN".
The server, or the firewall protecting it, monitors the number of Half_Opened and Half_Closed connections in real time. Once the count exceeds a preset upper limit, the protection mechanism is activated. When the limit is exceeded frequently, a malicious attack is the likely explanation.
In a coffee shop, a few customers sitting for a while without ordering is nothing. But if the place is full and hardly anyone is paying, see whether the coffee shop calls the police! Server protection works much like the coffee shop.
The server does not simply put up with this. Once the protection mechanism is activated, the following measures are taken:
Accelerate memory aging
Shorten the time a "Half_Closed" connection is allowed to remain in the system. This measure is passive defense and very gentle. It is achieved by the following means:
o Reduce the number of retransmissions
o Shorten the retransmission interval
o When the retransmission limit is reached, send a Reset and release the memory
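To show why these three knobs matter, here is an added model (not code from the original post) of a server holding a "Half_Closed" connection whose peer never answers the FIN. It computes how long the state survives under a retransmission policy and, by Little's law, how many entries stay resident at a given rate of abandoned closes. The doubling-with-a-cap backoff schedule, the policy values, the arrival rate and the bytes-per-entry figure are all assumptions chosen to illustrate the effect, not any operating system's defaults.

```python
"""Model of how long a server keeps a Half_Closed (LAST_ACK) connection in
memory when the peer never sends the final ACK, and how much state that
pins at a given arrival rate.

Added illustration, not code from the original post. The backoff schedule
(interval doubled after every retransmission, capped at a maximum) and all
parameter values below are assumptions chosen to show the effect; they are
not any particular operating system's defaults.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FinRetransmitPolicy:
    """How the server retransmits its FIN while it waits in LAST_ACK."""
    max_retransmits: int      # retransmissions before the server gives up
    initial_interval: float   # seconds before the first retransmission
    max_interval: float       # cap on the doubled interval
    reset_on_limit: bool      # send RST and free the state when the limit is hit


# Assumed policies: a lenient one and one with the article's three measures
# applied (fewer retransmissions, shorter interval, Reset at the limit).
LENIENT = FinRetransmitPolicy(max_retransmits=8, initial_interval=1.0,
                              max_interval=120.0, reset_on_limit=False)
AGGRESSIVE_AGING = FinRetransmitPolicy(max_retransmits=3, initial_interval=0.5,
                                       max_interval=4.0, reset_on_limit=True)


def fin_retransmit_schedule(policy: FinRetransmitPolicy) -> list:
    """Seconds after the original FIN at which each retransmission is sent."""
    times, elapsed, interval = [], 0.0, policy.initial_interval
    for _ in range(policy.max_retransmits):
        elapsed += interval
        times.append(elapsed)
        interval = min(interval * 2, policy.max_interval)
    return times


def hold_time(policy: FinRetransmitPolicy) -> float:
    """Seconds the connection state survives if the peer never answers.

    After the last retransmission the server waits one more (doubled, capped)
    interval before it abandons the connection, with or without a Reset.
    """
    elapsed, interval = 0.0, policy.initial_interval
    for _ in range(policy.max_retransmits):
        elapsed += interval
        interval = min(interval * 2, policy.max_interval)
    return elapsed + interval


def steady_state_entries(arrivals_per_second: float, hold_seconds: float) -> float:
    """Little's law: resident entries = arrival rate x time each entry is held."""
    return arrivals_per_second * hold_seconds


def compare(arrivals_per_second: float, bytes_per_entry: int) -> dict:
    """Resident entries and bytes under both policies at the same attack rate."""
    out = {}
    for name, policy in (("lenient", LENIENT), ("aggressive_aging", AGGRESSIVE_AGING)):
        hold = hold_time(policy)
        entries = steady_state_entries(arrivals_per_second, hold)
        out[name] = {"hold_seconds": hold, "entries": entries,
                     "bytes": int(entries * bytes_per_entry),
                     "ends_with_reset": policy.reset_on_limit}
    return out


if __name__ == "__main__":
    # Assumed load: 2000 abandoned closes per second, 2 KiB of state per entry.
    for name, r in compare(2000, 2048).items():
        print(f"{name:17s} hold={r['hold_seconds']:6.1f}s entries={r['entries']:10.0f} "
              f"memory={r['bytes'] / 2**20:8.1f} MiB reset={r['ends_with_reset']}")
```

Under the lenient policy each abandoned close pins its state for 367 s, so 2000 of them per second keep about 734,000 entries resident; with the aggressive-aging policy the hold time drops to 7.5 s and the resident count to 15,000. The Reset at the limit is what frees the memory promptly instead of letting the entry linger.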
Rate-Limit
Proactive defense requires stronger speed-limit measures! Once a malicious attack is detected from certain IPs, a "Rate-Limit" is applied to those IPs, and the attack traffic using those IPs is throttled immediately.
Block IP
To be more aggressive, use an IP blacklist directly and block all communication with the IP. The blocking time can be customized: 1 hour, 1 day, 1 week.
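The monitoring described earlier (count Half_Opened and Half_Closed connections, arm protection above an upper limit) and the two escalations just listed (rate-limit offending IPs, block the worst of them for a set time) fit together in one snapshot check. Below is an added example, not code from the original post, that parses the layout of `ss -tan` output (state first, peer address last) and applies that escalation. The thresholds, the one-hour block duration and the SS_SNAPSHOT lines are constructed values; the addresses are documentation ranges.

```python
"""Snapshot monitor for Half_Opened / Half_Closed TCP connections.

Added example for this article, not code from the original post. It parses
the output layout of `ss -tan` and applies the article's escalation: once
the global count of half-closed connections passes an upper limit, peers
holding many of them are rate-limited and the worst offenders are blocked
for a fixed time. All thresholds, the block duration and the SS_SNAPSHOT
lines are constructed values.
"""
from collections import Counter
from dataclasses import dataclass, field

HALF_OPEN_STATES = {"SYN-RECV"}
HALF_CLOSED_STATES = {"FIN-WAIT-1", "FIN-WAIT-2", "CLOSE-WAIT", "LAST-ACK"}

# Constructed sample in `ss -tan` layout; peer addresses are documentation ranges.
SS_SNAPSHOT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LAST-ACK   0      1      10.0.0.5:443         198.51.100.7:51234
LAST-ACK   0      1      10.0.0.5:443         198.51.100.7:51235
LAST-ACK   0      1      10.0.0.5:443         198.51.100.7:51236
LAST-ACK   0      1      10.0.0.5:443         198.51.100.7:51237
LAST-ACK   0      1      10.0.0.5:443         198.51.100.7:51238
LAST-ACK   0      1      10.0.0.5:443         198.51.100.7:51239
LAST-ACK   0      1      10.0.0.5:443         203.0.113.9:40001
LAST-ACK   0      1      10.0.0.5:443         203.0.113.9:40002
FIN-WAIT-2 0      0      10.0.0.5:443         203.0.113.9:40003
ESTAB      0      0      10.0.0.5:443         192.0.2.33:55010
TIME-WAIT  0      0      10.0.0.5:443         192.0.2.33:55011
SYN-RECV   0      0      10.0.0.5:443         198.51.100.8:60000
"""


@dataclass(frozen=True)
class Policy:
    half_closed_limit: int = 8   # global upper limit that arms protection (assumed)
    rate_limit_per_ip: int = 3   # half-closed entries per peer -> rate-limit (assumed)
    block_per_ip: int = 5        # half-closed entries per peer -> block (assumed)
    block_seconds: int = 3600    # 1 hour, one of the article's suggested durations


@dataclass
class Decision:
    protection_active: bool
    half_open: int
    half_closed: int
    rate_limited: set = field(default_factory=set)
    blocked: dict = field(default_factory=dict)   # ip -> block duration in seconds


def parse_ss(text: str) -> list:
    """Return (state, peer_ip) for every connection line in `ss -tan` output."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":   # skip blank lines and the header
            continue
        peer_ip = parts[-1].rsplit(":", 1)[0].strip("[]")   # drop port; unwrap IPv6 brackets
        conns.append((parts[0], peer_ip))
    return conns


def decide(conns, policy: Policy = Policy()) -> Decision:
    """Arm protection on the global count, then escalate per offending peer."""
    half_open = sum(1 for state, _ in conns if state in HALF_OPEN_STATES)
    per_ip = Counter(ip for state, ip in conns if state in HALF_CLOSED_STATES)
    half_closed = sum(per_ip.values())
    d = Decision(half_closed >= policy.half_closed_limit, half_open, half_closed)
    if not d.protection_active:
        return d
    for ip, n in per_ip.items():
        if n >= policy.block_per_ip:
            d.blocked[ip] = policy.block_seconds
        elif n >= policy.rate_limit_per_ip:
            d.rate_limited.add(ip)
    return d


if __name__ == "__main__":
    d = decide(parse_ss(SS_SNAPSHOT))
    print(f"half-open={d.half_open} half-closed={d.half_closed} protection={d.protection_active}")
    print("rate-limited:", sorted(d.rate_limited), "blocked:", d.blocked)
```

On a live Linux host the text fed to `parse_ss` would come from running `ss -tan` and capturing its stdout; the decision object is then the input to whatever enforces the rate limit or the blacklist. Sampling it repeatedly and counting how often the limit is exceeded gives the "often exceeded" signal the article mentions.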
However, if rate limiting or IP blocking is implemented only on the server or on the device protecting it, the ingress bandwidth is still lost, because the malicious traffic still arrives at the ingress link. Once the ingress link is filled to 100% of its bandwidth, the traffic of other legitimate users can no longer reach the server either, which is itself a Denial of Service attack. To protect the ingress link bandwidth, traffic cleaning (scrubbing) is usually used.
Traffic cleaning
Obviously this requires purchasing a traffic cleaning service from the carrier, which masks or discards the malicious attack traffic so that it never gets the chance to enter the ingress link.
The biggest difficulty in using "Last_ACK" to attack a server is that the attacker cannot forge the source IP. Once the address is forged, the "SYN + ACK" goes to the forged address and is never answered, so the TCP connection is never established at all and never reaches the "Last_ACK" state. This attack is therefore limited.
With a "SYN Flood" attack, by contrast, the attacker can freely change his own IP and port number. The attacker does not need to receive any packet from the server, so the server cannot use the countermeasures above. Countermeasures the server can still consider:
o Firewall proxy mode: only after completing the three-way handshake can a client communicate with the server
o Cookies: only a client carrying the server's valid TCP cookie can communicate with the server
Obviously these measures are passive defenses, which are not effective in the face of a large volume of attack traffic.
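The cookie countermeasure works by putting a keyed check value into the server's initial sequence number, so the server stores nothing for a SYN and creates a connection only when the final ACK returns that value plus one. The following added example (not code from the original post, and not any operating system's implementation) simulates both sides of that exchange. The bit layout (6-bit time counter, 2-bit MSS index, 24-bit HMAC tag), the secret, the MSS table, the one-minute counter tick and the sample addresses are constructed assumptions.

```python
"""Stateless SYN cookie: the server's initial sequence number carries a
keyed check value, so it keeps no per-connection state until the final ACK
of the handshake returns that value + 1.

Added example for this article, not code from the original post. The bit
layout (6-bit time counter, 2-bit MSS index, 24-bit HMAC tag), the secret,
the MSS table and the sample addresses are constructed assumptions.
"""
import hashlib
import hmac
import ipaddress
import struct
import time

COOKIE_SECRET = b"constructed-demo-secret"   # assumption: a real server rotates this
MSS_TABLE = (536, 1220, 1440, 1460)          # 2-bit index -> MSS the client offered
COUNTER_SECONDS = 60                         # one counter tick per minute (assumed)


def cookie_counter(now=None) -> int:
    """Coarse time counter that bounds how long a cookie stays valid."""
    return int((time.time() if now is None else now) // COUNTER_SECONDS)


def _tag(saddr, daddr, sport, dport, counter) -> int:
    """24-bit keyed tag over the 4-tuple and the full counter value."""
    msg = struct.pack("!4s4sHHQ", ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed, sport, dport, counter)
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, daddr, sport, dport, peer_mss, counter) -> int:
    """32-bit cookie: counter (6 bits) | MSS index (2 bits) | tag (24 bits)."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry not above the offered MSS
        if mss <= peer_mss:
            mss_idx = i
    return ((counter & 0x3F) << 26) | (mss_idx << 24) | _tag(saddr, daddr, sport, dport, counter)


def check_cookie(cookie, saddr, daddr, sport, dport, counter, max_age=2):
    """Return the encoded MSS if the cookie is genuine and fresh, else None."""
    age = (counter - (cookie >> 26)) & 0x3F        # ticks since the cookie was minted
    if age > max_age:
        return None                                 # stale: outside the accepted window
    expected = _tag(saddr, daddr, sport, dport, counter - age)
    got = cookie & 0xFFFFFF
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got.to_bytes(3, "big")):
        return None                                 # tag mismatch: forged or wrong 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x3]


def server_on_syn(saddr, daddr, sport, dport, peer_mss, counter) -> int:
    """Answer a SYN with an ISN equal to the cookie; no state is stored."""
    return make_cookie(saddr, daddr, sport, dport, peer_mss, counter)


def server_on_ack(ack_number, saddr, daddr, sport, dport, counter):
    """The final ACK must carry ISN + 1; only then is a connection created."""
    mss = check_cookie((ack_number - 1) & 0xFFFFFFFF, saddr, daddr, sport, dport, counter)
    return None if mss is None else {"peer": (saddr, sport), "mss": mss}


if __name__ == "__main__":
    c = cookie_counter()
    isn = server_on_syn("198.51.100.7", "10.0.0.5", 51234, 443, 1452, c)   # SYN arrives
    print("ISN sent in SYN+ACK:", hex(isn))
    print("genuine ACK:", server_on_ack(isn + 1, "198.51.100.7", "10.0.0.5", 51234, 443, c))
    print("spoofed ACK:", server_on_ack(isn + 1, "203.0.113.9", "10.0.0.5", 51234, 443, c))
```

Because the tag is keyed and bound to the 4-tuple, a sender that never saw the SYN+ACK cannot produce a valid final ACK, and the server spends no memory on SYNs that are never completed. The cost is the one the article names: the cookie is computed and checked per packet, so it does nothing to reduce the volume of traffic that still has to be received and processed.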
The above is a news share from PASSHOT. I hope it has inspired you. If you think today's content was worthwhile, you are welcome to share it with other friends. More of the latest Linux dumps, CCNA 200-301 dumps and CCNP Written dumps are waiting for you.