Several ways for firewalls to prevent DDoS (distributed denial of service) attacks


DoS (Denial of Service) and DDoS (Distributed Denial of Service) attacks are among the main security threats to large websites and web servers. In February 2000, Yahoo, Amazon, CNN and others were attacked, and those events are recorded among the major security incidents in history. SYN Flood has become the most popular DoS and DDoS attack method because it is so effective.

SYN Flood exploits a weakness of the TCP protocol: it sends a large number of forged TCP connection requests, exhausting the victim's resources so that it cannot respond to or process legitimate service requests in time. A normal TCP connection requires a three-way handshake. First, the client sends a packet with the SYN flag set. The server then returns a SYN/ACK packet indicating that it accepts the client's request. Finally, the client returns an ACK packet, which completes the TCP connection. After the server has sent its SYN/ACK, if the client never acknowledges it, the server waits until a timeout expires, and during that time the half-open connection is held in a buffer queue of limited size. If a large number of SYN packets are sent to the server and never acknowledged, the server's TCP resources are quickly exhausted, normal connections can no longer be accepted, and the server may even crash.

Firewalls are commonly used to protect internal networks from unauthorized access from external networks. Because they sit between the client and the server, firewalls can also be used to defend against DoS attacks and so effectively protect internal servers. Against SYN Flood, firewalls usually offer three protection methods: SYN gateway, passive SYN gateway, and SYN relay.

SYN gateway: when the firewall receives a SYN packet from the client, it forwards it directly to the server. After receiving the SYN/ACK packet from the server, the firewall forwards it to the client and at the same time sends an ACK packet to the server on the client's behalf, completing the TCP three-way handshake and moving the server's entry from the half-open state to the connected state. When the client's real ACK packet arrives, the data is forwarded to the server; otherwise the packet is discarded. Since a server can hold far more established connections than half-open ones, this method effectively mitigates the attack on the server.

Passive SYN gateway: the SYN request timeout on the firewall is set much smaller than the server's timeout. The firewall forwards the SYN packet from the client to the server, the SYN/ACK packet from the server to the client, and the ACK packet from the client to the server. If the client has not sent an ACK packet by the time the firewall's timer expires, the firewall sends a RST packet to the server so that the server removes the half-open connection from its queue. Because the firewall's timeout is much smaller than the server's, this effectively prevents a SYN Flood attack.

SYN relay: after receiving a SYN packet from the client, the firewall does not forward it to the server; instead it records the connection state and itself sends a SYN/ACK packet back to the client. If the client then returns an ACK packet, indicating normal access, the firewall sends a SYN packet to the server and completes the three-way handshake with it. In this way the firewall acts as a proxy for the connection between the client and the server, and invalid connections can be completely filtered before they reach the server.
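As an added illustration (not part of the original article), the following Python model compares a server exposed directly to a flood of forged SYNs with the same server placed behind a SYN relay as described above. The class names, the backlog size and the traffic are constructed for this example.

```python
from collections import deque

BACKLOG = 8  # constructed: a tiny half-open queue so exhaustion is easy to see

class Server:
    """Minimal TCP listener: a bounded half-open queue and an unbounded established set."""
    def __init__(self):
        self.half_open = deque()
        self.established = set()
        self.dropped = 0

    def handle(self, src, flag):
        if flag == "SYN":
            if len(self.half_open) >= BACKLOG:   # queue full: the SYN is lost
                self.dropped += 1
            else:
                self.half_open.append(src)        # server has sent SYN/ACK, waits for ACK
        elif flag == "ACK" and src in self.half_open:
            self.half_open.remove(src)
            self.established.add(src)

class SynRelay:
    """SYN relay firewall: answers the client's SYN itself; only a client that ACKs reaches the server."""
    def __init__(self, server):
        self.server = server
        self.pending = set()   # clients that got our SYN/ACK but have not yet ACKed

    def handle(self, src, flag):
        if flag == "SYN":
            self.pending.add(src)        # record state and reply SYN/ACK; nothing goes to the server
        elif flag == "ACK" and src in self.pending:
            self.pending.discard(src)    # client proved it is real: complete the handshake as its proxy
            self.server.handle(src, "SYN")
            self.server.handle(src, "ACK")

def run_flood(target, forged=50):
    """Constructed traffic: forged SYNs that never ACK, followed by one real client that does."""
    for i in range(forged):
        target.handle(f"spoof-{i}", "SYN")
    target.handle("real-client", "SYN")
    target.handle("real-client", "ACK")

def compare(forged=50):
    """Return how the bare server and the relayed server fare under the same flood."""
    bare = Server()
    run_flood(bare, forged)
    protected = Server()
    run_flood(SynRelay(protected), forged)
    return {"bare_established": len(bare.established), "bare_dropped": bare.dropped,
            "relay_established": len(protected.established),
            "relay_half_open": len(protected.half_open), "relay_dropped": protected.dropped}
```

Without the relay the forged SYNs fill the backlog and the real client's SYN is dropped; with the relay the forged SYNs stay in the firewall's state table and the real client is the only one that ever reaches the server.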

Copyright © Windows knowledge All Rights Reserved