SYN Flooding之研究

Abstract

在SYN Flooding網路攻擊中，攻擊者把大量的SYN封包傳送到欲攻擊的伺服器，並且在這些SYN封包中的來源位址皆填入假造的IP位址。因此，被攻擊的伺服器其連線佇列中充滿了SYN+ACK封包，原因是無法收到相對應的ACK封包。此時受到攻擊的伺服器就不能繼續提供服務，因為它的連線佇列已滿並且不能接受合法的SYN連線要求。 本篇論文研究了現有的一些防禦方法並且比較其優缺點。我們透過修改SYN Cache的機制改進SYN Cookie的方法。配合我們的構想提出一個新的解決方案，並在FreeBSD平台上實作一個雛型系統，然後實測其效能表現。實驗的結果說明了我們所提出的方法能夠有效地防禦SYN Flooding攻擊。

Under the SYN Flooding attack, the attacker sends a large volume of SYN packets to a victim. However, the source IP addresses in the packets are spoofed addresses. Therefore, the victim's backlog queue is full of SYN+ACK packets because it never receives ACK packet from the spoofed address. The victim then cannot provide service because its backlog queue fills up and cannot receive incoming legitimate SYN requests. This thesis summarizes the existing approaches for preventing SYN Flooding and compares their pros and cons. We refine the SYN Cookie mechanism by modifying the SYN Cache approach. Furthermore, we propose a new solution and implement a prototype system on FreeBSD platform. The experimental results show that the proposed approach can effectively prevent the victim from SYN Flooding attack.