Tuesday, September 29, 2009

Syn cookie

Syn cookie?

To stay true to the basics, let's start with the fundamental logic of TCP.

For a TCP session to be established, the basic 3-way handshake shown below takes place.

 

<Basic>

Client          Server
Syn      --->
         <---   Syn + Ack
Ack      --->


<In the case of a SYN flooding attack>

Attacker                         Server
Syn        --->
           <---   Syn + Ack
Syn        --->
           <---   Syn + Ack
Syn        --->
           <---   Syn + Ack
Syn        --->
           <---   Syn + Ack
Syn        --->
           <---   Syn + Ack


Without SYN cookies, the server creates a session for every single SYN packet it receives and waits for the attacker's reply.

When the attack arrives in volume, all of the server's session resources are wasted and it eventually ends up in a failure state.

What about an L4 switch? Architecturally, the L4 device sits in the middle and stands in for the server, so exactly like the server it uses up all of its session table resources and fails as well.


 
This is where the L4 SYN cookie mechanism comes in (the SYN cookie mechanism can be configured anywhere, whether on the server or on the L4 device). The L4 device replies to the client with a SYN+ACK (cookie) on the server's behalf first, and then waits for a certain time.

What the cookie value actually is will be explained in detail further below.

In any case, the L4 device answers first. A legitimate client replies to that answer, but a SYN flooding attacker never does, so no session is created toward the L4 server side, and the SYN cookie L4 device does not create a session table entry either. Because the cookie carries all of the sequence information the client must use in its reply packet, the L4 device answers with the cookie and then forgets about the request.

Because this series of operations is mostly performed in the kernel or in hardware ASICs, even very large volumes of attack traffic can be defended against efficiently.

To aid understanding, let's lay out the packet flows for a legitimate client and for an attacker.


<Legitimate client, L4 SYN cookie enabled>

Client                                  L4                                              Server
Syn                        --->
                             <---   Syn + Ack (seq = cookie)
Ack (cookie + 1)     --->
                                          Syn                        --->
                                                                       <---            Syn + Ack


For the first SYN, the L4 device replies with SYN + ACK (seq = cookie) and does not create a session table entry. The legitimate client then replies; the L4 device verifies the cookie value in that legitimate reply packet, and once it judges the client to be legitimate it creates the session to the real server.


<SYN flooding attacker, L4 SYN cookie enabled>

Attacker                      L4                                        Server
Syn        --->
           <---   Syn + Ack (seq = cookie)
Syn        --->
           <---   Syn + Ack (seq = cookie)
Syn        --->
           <---   Syn + Ack (seq = cookie)
Syn        --->
           <---   Syn + Ack (seq = cookie)
Syn        --->
           <---   Syn + Ack (seq = cookie)


Because the attacker either cannot receive the L4 device's SYN + ACK (seq = cookie) packets (spoofed source IP) or simply does not reply, the L4 device just keeps sending SYN + ACK (seq = cookie) responses. Since the L4 device does not create unnecessary session table entries, the session resources that the SYN flooding attack would otherwise have consumed remain available for allocation to legitimate clients.

 


<Details on the cookie>

A TCP packet header contains the following information.

1. Port numbers, sequence numbers, header length.

2. Flags.

3. Checksum.

4. Options: up to 40 bytes of option data (MSS, Timestamp; MSS = maximum segment size).

 

SYN cookies use the space in item 4, the option area of up to 40 bytes, minus 3 bits, to carry an encoded form of the sequence value, and send it to the client. The client receives this encoded information and builds the packet it must send back.

Does this sound complicated? Put simply: when a client first attempts to set up a session with a packet carrying the SYN flag, the L4 device packs the information the client will need for its reply into the cookie in advance, throws it at the client, and then forgets about it. A legitimate client will analyse that information properly, build a reply packet and send it; when the L4 device analyses the cookie value in that packet and judges it to be a legitimate session-setup reply, only then does the normal session process proceed.

Still hard? Then there is nothing more to be done.
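As an added example that is not part of the original post, here is a stateless SYN-cookie responder in Python showing the exchange described above: the L4 side answers every SYN, keeps no state, and opens a session only when the returned ACK carries a valid cookie. This example packs the cookie into the 32-bit initial sequence number of the SYN+ACK in the classic Linux-style layout (5-bit time counter, 3-bit MSS-table index, 24-bit keyed MAC) rather than into the option area; the key, the MSS table, the use of HMAC-SHA256, and the `SynCookieProxy`/`simulate` names are assumptions of the example, not anything from the post or from any L4 product.

```python
import hashlib
import hmac
import struct
from collections import namedtuple

# Constructed MSS table: 3 bits of the cookie select an entry (up to 8 would fit).
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_PERIOD = 64          # seconds per tick of the 5-bit time counter t
MASK32 = 0xFFFFFFFF

Pkt = namedtuple("Pkt", "saddr daddr sport dport seq ack flags mss")


def _mac24(key, saddr, daddr, sport, dport, t, client_isn):
    """24-bit keyed MAC over the 4-tuple, the time tick and the client's ISN.
    HMAC-SHA256 is an assumption of this example; kernels use their own hash."""
    msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, t, client_isn & MASK32)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(key, saddr, daddr, sport, dport, client_isn, mss, now):
    """Encode everything the ACK must later prove into the 32-bit ISN:
    [5 bits t][3 bits MSS index][24 bits MAC]."""
    t = (now // COUNTER_PERIOD) & 0x1F
    idx = 0
    for i, m in enumerate(MSS_TABLE):      # largest table MSS not above the offered one
        if m <= mss:
            idx = i
    mac = _mac24(key, saddr, daddr, sport, dport, t, client_isn)
    return (t << 27) | (idx << 24) | mac


def check_cookie(key, saddr, daddr, sport, dport, client_isn, ack_seq, now):
    """Return the negotiated MSS if the ACK carries a fresh, valid cookie, else None."""
    cookie = (ack_seq - 1) & MASK32       # the ACK acknowledges our ISN + 1
    t, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    cur = (now // COUNTER_PERIOD) & 0x1F
    if (cur - t) & 0x1F > 1:              # older than about two ticks: stale, reject
        return None
    if idx >= len(MSS_TABLE):
        return None
    if mac != _mac24(key, saddr, daddr, sport, dport, t, client_isn):
        return None                       # forged, or replayed for a different 4-tuple
    return MSS_TABLE[idx]


class SynCookieProxy:
    """The L4 role: answer every SYN statelessly, open a session only on a verified ACK."""

    def __init__(self, key):
        self.key = key
        self.sessions = {}                # only verified clients land here

    def on_syn(self, p, now):
        cookie = make_cookie(self.key, p.saddr, p.daddr, p.sport, p.dport,
                             p.seq, p.mss or 536, now)
        # SYN+ACK with seq = cookie; deliberately no table entry is written here
        return Pkt(p.daddr, p.saddr, p.dport, p.sport, cookie, (p.seq + 1) & MASK32, "SA", None)

    def on_ack(self, p, now):
        client_isn = (p.seq - 1) & MASK32  # the client's seq in the ACK is its ISN + 1
        mss = check_cookie(self.key, p.saddr, p.daddr, p.sport, p.dport, client_isn, p.ack, now)
        if mss is None:
            return False                  # drop silently; still no state consumed
        self.sessions[(p.saddr, p.sport)] = mss   # now the session to the real server is created
        return True


def simulate():
    """10,000 spoofed SYNs that are never answered, then one legitimate handshake.
    Returns (legit accepted, forged accepted, stale replay accepted, sessions held)."""
    key = b"constructed-example-key"                  # constructed; rotate it in practice
    srv = b"\x0a\x00\x00\x05"                         # 10.0.0.5, constructed
    proxy, now = SynCookieProxy(key), 1000
    for i in range(10_000):
        spoofed = struct.pack("!I", 0xC0A80000 + i)   # constructed spoofed sources
        proxy.on_syn(Pkt(spoofed, srv, 40000 + i % 1000, 80, i, 0, "S", 1460), now)
    cli = b"\xc0\xa8\x01\x77"                         # 192.168.1.119, constructed
    syn = Pkt(cli, srv, 51515, 80, 12345, 0, "S", 1460)
    synack = proxy.on_syn(syn, now)
    ack = Pkt(cli, srv, 51515, 80, syn.seq + 1, (synack.seq + 1) & MASK32, "A", None)
    legit = proxy.on_ack(ack, now + 5)
    forged = proxy.on_ack(Pkt(cli, srv, 51516, 80, 1, 0xDEADBEEF, "A", None), now + 5)
    stale = proxy.on_ack(ack, now + 5 * COUNTER_PERIOD)   # same ACK replayed much later
    return legit, forged, stale, len(proxy.sessions)


if __name__ == "__main__":
    print(simulate())
```

After the flood, `proxy.sessions` holds exactly one entry, the verified client; the 10,000 spoofed SYNs left nothing behind, which is the whole point of the scheme. The time counter is what bounds a replay window, and the MAC binds the cookie to the 4-tuple and the client's ISN so an ACK cannot be reused for another connection.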

IP Setup Script

If changing IP addresses by hand is a chore, there is the ipchange utility, but let's write our own. It applies faster than other applications and can be tailored to taste.
@ECHO OFF
REM The interface is named "wire"; change it to match the adapter name in Network Connections
:START
CLS
ECHO -------------------    IP SETTING VER 1.0   -------------------------
ECHO 1 - DHCP (IP, DNS)
ECHO 2 - Triple-IP FIX (192.168.1.119/24, 10.9.8.119/24, 10.10.10.119/24)
ECHO 3 - Gateway 192.168.1.1 (Default gateway)
ECHO 4 - Gateway 10.9.8.1 (TEST gateway)
ECHO 5 - Gateway 10.10.10.1 (Maintenance gateway)
ECHO 6 - DNS SET 164.124.101.2
ECHO 7 - VIEW IPCONFIG
ECHO 8 - EXIT
ECHO ---------------------------------------------------------------------

SET MENU=
SET /P MENU=SELECT 1 - 8 : 

REM Quote both sides so an empty entry cannot break the IF syntax
IF "%MENU%"=="1" GOTO DHCP
IF "%MENU%"=="2" GOTO IPFIX
IF "%MENU%"=="3" GOTO DEFAULT
IF "%MENU%"=="4" GOTO BIGIP
IF "%MENU%"=="5" GOTO MAINT
IF "%MENU%"=="6" GOTO DNS
IF "%MENU%"=="7" GOTO VIEW
IF "%MENU%"=="8" GOTO END
REM Any other entry: redraw the menu instead of falling through into :DHCP
GOTO START

:DHCP
netsh interface ip set address "wire" source=dhcp
netsh interface ip set dns name="wire" source=dhcp
GOTO END

:IPFIX
REM Primary address with its gateway, then two additional addresses on the same adapter
netsh interface ip set address name="wire" static 192.168.1.119 255.255.255.0 192.168.1.1 1
netsh interface ip add address "wire" 10.10.10.119 255.255.255.0
netsh interface ip add address "wire" 10.9.8.119 255.255.255.0
ECHO 192.168.1.119/24 10.10.10.119/24 10.9.8.119/24 G/W 192.168.1.1
ECHO press any key to exit
PAUSE
GOTO END

:DEFAULT
netsh interface ip set address "wire" gateway=192.168.1.1 gwmetric=1
GOTO END

:BIGIP
netsh interface ip set address "wire" gateway=10.9.8.1 gwmetric=1
GOTO END

:MAINT
netsh interface ip set address "wire" gateway=10.10.10.1 gwmetric=1
GOTO END

:DNS
netsh interface ip set dns name="wire" source=static 164.124.101.2 PRIMARY
GOTO END

:VIEW
ipconfig /all
ECHO press any key to exit
PAUSE

:END

TCP-related

SOL7559: Overview of the TCP profile

Reset on Timeout

Specifies, when checked (enabled), that the system sends a reset and deletes the TCP connection when the connection exceeds the idle timeout value. The default is checked (enabled).

When the idle timeout value is exceeded, a reset is sent to the peer and the TCP connection is deleted.


Time Wait Recycle

Specifies, when checked (enabled), that connections in a TIME-WAIT state are reused when the system receives a SYN packet, indicating a request for a new connection. When this setting is not enabled, connections in a TIME-WAIT state remain unused for a specified length of time (typically twice the maximum segment lifetime), to ensure that the original transmission is complete. Using this setting enabled, the system can recycle a wait-state connection immediately upon receipt of a new connection request instead of having to wait until the connection times out of the wait state. The default is checked (enabled).

Helps recycle the TIME-WAIT state quickly.
To terminate a TCP connection, FIN packets are exchanged. For a proper close, a total of four packet exchanges are needed; a proper close is the state in which both connected hosts know that the connection has ended. If a FIN is sent but the other host closes without sending an ACK, the side that sent the FIN waits for the ACK for a certain period so it can close correctly. On Linux it waits roughly 90 seconds.
While in TIME_WAIT the port stays occupied, so network services with frequent connections can run into connection-refused problems.
The Linux kernel has the tcp_tw_recycle and tcp_tw_reuse options for this.


Delayed Acks

Specifies, when checked (enabled), that the system can send fewer than one ACK (acknowledgment) segment per data segment received. The default is checked (enabled).
As specified in RFC 1122, TCP uses delayed acknowledgements to reduce the number of packets sent on the medium.
An ACK is sent when 0.2 seconds have elapsed or when all n packets have been received.
Related options that control ACK behaviour: TCPNoDelay, TcpAckFrequency.

Proxy Maximum Segment

Specifies, when checked (enabled), that the system advertises the same maximum segment size (MSS) to the server as that of the client. The default is unchecked (disabled).
Advertises the maximum segment size to the client.

Proxy Options

Specifies, when checked (enabled), that the system advertises an option (such as time stamps) to the server only when the option is negotiated with the client. The default is unchecked (disabled).

Proxy Buffer Low

Specifies the proxy buffer level, in bytes, at which the receive window is opened. The default is 4096.

Proxy Buffer High

Specifies the proxy buffer level, in bytes, at which the receive window is closed. The default is 16384.

Idle Timeout

Specifies the length of time that a connection is idle (has no traffic) before the connection is eligible for deletion. The default is 300 seconds. Deletes the connection when it has carried no traffic for the specified period.

- Specify: Specifies a number of seconds that the TCP connection can remain idle before the system deletes it.

- Indefinite: Specifies that the system does not delete TCP connections regardless of how long they remain idle.

Time Wait

Specifies the length of time that a TCP connection remains in the TIME-WAIT state before entering the CLOSED state. The default is 2000 milliseconds.

- Specify: Specifies the number of milliseconds that a TCP connection can remain in the TIME-WAIT state before the system closes it.

- Immediate: Specifies that the system closes the connection immediately after the connection enters the TIME-WAIT state.

- Indefinite: Specifies that the system does not close TCP connections regardless of how long they remain in the TIME-WAIT state.

Fin Wait

Specifies the length of time that a TCP connection is in the FIN-WAIT or CLOSING state before closing. The default is 5 seconds.

- Specify: Specifies the number of seconds that a TCP connection is in a FIN-WAIT or CLOSING state before closing.

- Immediate: Specifies that the TCP connection closes immediately after entering the FIN-WAIT or CLOSING state.

- Indefinite: Specifies that TCP connections in the FIN-WAIT or CLOSING state do not quit.

 

Close Wait

Specifies the length of time that a TCP connection remains in the LAST-ACK state before quitting. The default is 5 seconds.

- Specify: Specifies the number of seconds that a TCP connection is in the LAST-ACK state before closing.

- Immediate: Specifies that the TCP connection closes immediately after entering the LAST-ACK state.

- Indefinite: Specifies that TCP connections in the LAST-ACK state do not close until they meet the maximum retransmissions timeout.
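To tie the TIME-WAIT note above and the Idle Timeout, Time Wait, Fin Wait and Close Wait timers together, here is an added Python model (example code, not F5's implementation) of a proxy connection table that applies those timers with their Specify/Immediate/Indefinite semantics and implements Time Wait Recycle. The `churn` scenario shows the effect the note describes: a client that reuses a small pool of source ports faster than the 2-second TIME-WAIT expires has its new connections refused unless the TIME-WAIT slot can be recycled. All names, 4-tuples and timings are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class TcpProfile:
    """Timer values follow the profile's three choices: seconds (Specify),
    0 (Immediate) or None (Indefinite). Defaults are the ones quoted above."""
    idle_timeout: Optional[float] = 300.0
    reset_on_timeout: bool = True
    time_wait: Optional[float] = 2.0        # profile default is 2000 ms
    time_wait_recycle: bool = True
    fin_wait: Optional[float] = 5.0         # FIN-WAIT and CLOSING
    close_wait: Optional[float] = 5.0       # LAST-ACK


@dataclass
class Conn:
    state: str                 # ESTABLISHED, FIN-WAIT, CLOSING, LAST-ACK, TIME-WAIT
    last_traffic: float
    state_since: float


def _expired(limit, age):
    """None (Indefinite) never expires; 0 (Immediate) expires at once."""
    return limit is not None and age >= limit


class ConnectionTable:
    """Connection table keyed by 4-tuple (src ip, src port, dst ip, dst port)."""

    def __init__(self, profile):
        self.profile = profile
        self.entries = {}

    def open(self, ft, now):
        """Handle a SYN. Returns False when the 4-tuple is still parked in TIME-WAIT
        and Time Wait Recycle is off: from the client's side that is a refused connect."""
        c = self.entries.get(ft)
        if c is not None:
            if c.state != "TIME-WAIT" or not self.profile.time_wait_recycle:
                return False
            # Recycle: the TIME-WAIT slot is reused at once for the new connection
        self.entries[ft] = Conn("ESTABLISHED", now, now)
        return True

    def touch(self, ft, now):
        """Any traffic on the connection restarts the idle timer."""
        self.entries[ft].last_traffic = now

    def close(self, ft, now, active=True):
        """The active closer ends in TIME-WAIT, the passive closer in LAST-ACK;
        the FIN/ACK exchange itself is collapsed into one step in this model."""
        self.entries[ft] = Conn("TIME-WAIT" if active else "LAST-ACK", now, now)

    def reap(self, now):
        """Apply the profile timers; returns the actions taken as (4-tuple, action)."""
        p, actions = self.profile, []
        for ft, c in list(self.entries.items()):
            age = now - c.state_since
            if c.state == "ESTABLISHED":
                if _expired(p.idle_timeout, now - c.last_traffic):
                    actions.append((ft, "reset+delete" if p.reset_on_timeout else "delete"))
            elif c.state in ("FIN-WAIT", "CLOSING"):
                if _expired(p.fin_wait, age):
                    actions.append((ft, "delete"))
            elif c.state == "LAST-ACK":
                if _expired(p.close_wait, age):
                    actions.append((ft, "delete"))
            elif c.state == "TIME-WAIT":
                if _expired(p.time_wait, age):
                    actions.append((ft, "delete"))
        for ft, _ in actions:
            del self.entries[ft]
        return actions


def churn(recycle):
    """200 short connections from one client that cycles through only 50 source ports
    within the 2-second TIME-WAIT window. Returns (refused count, table size)."""
    table = ConnectionTable(TcpProfile(time_wait_recycle=recycle))
    refused = 0
    for i in range(200):
        now = i * 0.01
        table.reap(now)
        ft = ("192.168.1.119", 40000 + i % 50, "10.0.0.5", 80)   # constructed
        if not table.open(ft, now):
            refused += 1
            continue
        table.close(ft, now)          # request and response done; the client closes first
    return refused, len(table.entries)


if __name__ == "__main__":
    print("recycle on :", churn(True))
    print("recycle off:", churn(False))
```

With recycling on, no connection is refused and the table never exceeds the 50 ports in use; with it off, every reuse of a port inside the 2-second window is refused (150 of the 200 attempts here), which is the port-occupancy problem the note describes. The reaper also shows why Indefinite timers are risky on a proxy: an entry whose timer is None is never removed, so only the peer can ever free that slot.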

Send Buffer

Specifies the SEND window size. The default is 32768 bytes.

Receive Window

Specifies the RECEIVE window size. The default is 32768 bytes.

Keep Alive Interval

Specifies, when enabled, how frequently the system sends data over an idle TCP connection, to determine whether the connection is still valid. The default is 1800 seconds.

- Specify: Specifies the interval at which the system sends data over an idle connection, to determine whether the connection is still valid.

- Indefinite: Specifies that the system does not send keep-alive communications.

Maximum Syn Retransmissions

Specifies the maximum number of times that the system resends a SYN when it does not receive a corresponding SYN-ACK. The default is 3.

Maximum Segment Retransmissions

Specifies the maximum number of times that the system resends data segments. The default is 8.

IP ToS

Specifies the L3 Type of Service (ToS) level that the system inserts in TCP packets destined for clients. The default is 0.

- Specify: Specifies the IP ToS setting that the system inserts in the IP packet header. You can specify a number between 0 and 255.

- Pass Through: Specifies that the IP ToS setting remains unchanged.

- Mimic: Specifies that the system sets the ToS level of outgoing packets to the same ToS level of the most-recently received incoming packet. For example, if the most-recently received packet had a ToS level of 3, the system sets the ToS level of the next outgoing packet to 3.

Link QoS

Specifies the L2 Quality of Service (QoS) level that the system inserts in TCP packets destined for clients. The default is 0.

Selective ACKs

Specifies, when checked (enabled), that the system processes data using selective ACKs (SACKs) whenever possible, to improve system performance. Enabling this setting improves packet flow in a lossy network because the system can acknowledge successfully received packets out of order. This is a negotiated option and is automatically disabled if not supported by a peer. The default is checked (enabled). Note that F5 recommends that you use the default setting.
Because the receiver uses the TCP header option field to tell the sender which packet sequences arrived correctly, the sender retransmits only the lost packets reported via SACK.

Extended Congestion Notification

Specifies, when checked (enabled), that the system uses the TCP flags CWR (congestion window reduction) and ECE (ECN-Echo) to notify its peer of congestion and congestion counter-measures. The default is unchecked (disabled). Note that F5 recommends that you use the default setting. When enabled, this setting can interfere with overall congestion calculations. The setting also allows for potential security issues, whereby an intermediate device can stimulate poor performance by spoofing CWR packets.

Detects congestion before it actually occurs so that the window size can be reduced in advance.

 

Extensions for High Performance (RFC 1323)

Specifies, when checked (enabled), that the system uses the timestamp and window scaling extensions for TCP (as specified in RFC 1323) to enhance high-speed network performance. The default is checked (enabled). These options are used to help calculate the round trip time, as well as the available resources on a peer. They are fundamentally linked with congestion control. Also, these options are normally negotiated, and you should not need to disable them unless a network device or peer does not implement them correctly.

Limited Transmit Recovery

Specifies, when checked (enabled), that the system uses limited transmit recovery revisions for fast retransmits (as specified in RFC 3042) to reduce the recovery time for connections on a lossy network. The default is checked (enabled). Enabling this setting allows TCP to temporarily stretch the congestion window when first receiving a duplicate ACK packet. This in turn allows for faster retransmissions and a quicker recovery from the small congestion window. With this setting enabled, the aggressive transmit behavior is limited to the recovery period.

Slow Start

Specifies, when checked (enabled), that the system uses Slow-Start Congestion Avoidance as described in RFC3390 in order to ramp up traffic without causing excessive congestion on the link. Slow start as specified in RFC3390 is more aggressive than traditional slow start, but has been found to provide better real-world response on Ethernet links, while not overwhelming networks and causing congestion. When disabled, the system sends traffic as if the link is initially uncongested, and attempts to opportunistically transmit as much as possible until congestion is experienced. The default is checked (enabled). If you disable this setting, the system initializes the congestion window to the maximum window scale and attempts to transmit as much data as possible until congestion occurs. Consequently, in networks with unlimited bandwidth (such as directly-connected local peers), more data can initially be transmitted.

Deferred Accept

Specifies, when checked (enabled), that the system defers allocation of the connection chain context until the system has received the payload from the client. Enabling this setting is useful in dealing with 3-way handshake denial-of-service attacks. The default is unchecked (disabled).

Bandwidth Delay

Specifies, when checked (enabled), that the system attempts to calculate the optimal bandwidth to use to the client, based on throughput and round-trip time, without exceeding the available bandwidth. The default is checked (enabled).

Nagle's Algorithm

Specifies, when checked (enabled), that the system applies Nagle's algorithm to reduce the number of short segments on the network. The default is checked (enabled). When the system receives packets that are less than the maximum segment size (MSS), the packets are coalesced until the peer has sent the ACK packet for the previous segment. This helps to reduce congestion by creating fewer packets on the network. Note that enabling this setting for interactive protocols such as telnet might cause degradation on high-latency networks.

Acknowledge on Push

Specifies, when checked (enabled), significantly improved performance to Microsoft Windows and MacOS peers who are writing out on a very small send buffer. The default is unchecked (disabled).

MD5 Signature

Specifies, when checked (enabled), to use RFC2385 TCP-MD5 signatures to protect TCP traffic against intermediate tampering. The default is unchecked (disabled).

MD5 Signature Passphrase

Type the plain-text passphrase from 1 to 80 characters in length, that is used in a shared-secret scheme to implement the spoof-prevention parts of RFC2385. The default is blank.
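The MD5 Signature option is the one defined by RFC 2385: the sender appends a 16-byte MD5 digest, as TCP option kind 19, computed over the IP pseudo-header, the fixed TCP header with the checksum zeroed (options excluded), the payload and the shared secret, so a device that alters the segment in transit or a peer without the secret produces a mismatch. The following Python is an added example, not F5 code, that builds and verifies such a segment; the addresses, ports, secret and the `demo` helper are constructed. RFC 2385 has since been obsoleted by TCP-AO (RFC 5925), which the profile text quoted here predates.

```python
import hashlib
import hmac
import ipaddress
import struct

TCPOPT_MD5 = 19          # option kind assigned by RFC 2385
TCPOLEN_MD5 = 18         # kind + length + 16-byte digest


def tcp_md5_digest(key, saddr, daddr, fixed_hdr, payload, seg_len):
    """RFC 2385 digest: pseudo-header, fixed 20-byte TCP header with the checksum
    zeroed (options are not covered), the data, and finally the shared key."""
    pseudo = (ipaddress.IPv4Address(saddr).packed + ipaddress.IPv4Address(daddr).packed
              + struct.pack("!BBH", 0, 6, seg_len))      # zero, protocol TCP, segment length
    h = hashlib.md5()
    h.update(pseudo)
    h.update(fixed_hdr[:16] + b"\x00\x00" + fixed_hdr[18:20])
    h.update(payload)
    h.update(key)
    return h.digest()


def build_segment(key, saddr, daddr, sport, dport, seq, ack, flags, window, payload):
    """Build a TCP segment (no IP header) carrying the MD5 signature option."""
    opt_len = TCPOLEN_MD5 + 2                 # two EOL bytes pad the options to a 4-byte boundary
    data_off = (20 + opt_len) // 4            # 10 words
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_off << 4, flags, window, 0, 0)
    digest = tcp_md5_digest(key, saddr, daddr, fixed, payload, 20 + opt_len + len(payload))
    options = bytes([TCPOPT_MD5, TCPOLEN_MD5]) + digest + b"\x00\x00"
    return fixed + options + payload          # checksum left 0; the IP layer would fill it in


def verify_segment(key, saddr, daddr, segment):
    """True only if the segment carries an MD5 option that matches the recomputed digest."""
    if len(segment) < 20:
        return False
    data_off = (segment[12] >> 4) * 4
    fixed, options, payload = segment[:20], segment[20:data_off], segment[data_off:]
    found, i = None, 0
    while i < len(options):                   # walk the option list
        kind = options[i]
        if kind == 0:                         # EOL
            break
        if kind == 1:                         # NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            return False                      # malformed option list
        length = options[i + 1]
        if kind == TCPOPT_MD5 and length == TCPOLEN_MD5:
            found = options[i + 2:i + length]
        i += length
    if found is None or len(found) != 16:
        return False                          # unsigned segments are rejected outright
    expected = tcp_md5_digest(key, saddr, daddr, fixed, payload, len(segment))
    return hmac.compare_digest(found, expected)   # constant-time comparison


def demo():
    """Sign a BGP-like segment, then show payload tampering, a wrong key and an
    unsigned segment all failing. Returns (genuine, tampered, wrong_key, unsigned)."""
    key = b"constructed-shared-secret"
    a, b = "10.0.0.1", "10.0.0.2"
    seg = build_segment(key, a, b, 179, 50000, 1000, 2000, 0x18, 65535, b"OPEN")
    genuine = verify_segment(key, a, b, seg)
    tampered = verify_segment(key, a, b, seg[:-4] + b"OPEX")      # one payload byte changed
    wrong_key = verify_segment(b"other-secret", a, b, seg)
    plain = struct.pack("!HHIIBBHHH", 179, 50000, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0) + b"OPEN"
    unsigned = verify_segment(key, a, b, plain)
    return genuine, tampered, wrong_key, unsigned


if __name__ == "__main__":
    print(demo())
```

Two details matter for a defender: the digest covers the source and destination addresses through the pseudo-header, so a segment replayed from another address fails verification even with the correct payload, and the option itself is excluded from the hashed bytes, which is what lets the receiver verify without knowing the sender's option layout. The comparison uses `hmac.compare_digest` so verification time does not leak how many digest bytes matched.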

Congestion Control

Specifies the algorithm to use to share network resources among competing users to reduce congestion. The default is New Reno.

- None: Specifies that the system does not use a network-congestion-control mechanism, even when congestion occurs.

- High Speed: Specifies that the system uses a more aggressive, loss-based algorithm.

- New Reno: Specifies that the system uses a modification to the Reno algorithm that responds to partial acknowledgements when SACKs are unavailable.

- Reno: Specifies that the system uses an implementation of the TCP Fast Recovery algorithm, which is based on the implementation in the BSD Reno release.

- Scalable: Specifies that the system uses a TCP algorithm modification that adds a scalable, delay-based and loss-based component into the Reno algorithm.

Congestion Metrics Cache

Specifies, when checked (enabled), that the system uses a cache for storing congestion metrics. Subsequently, because these metrics are already known and cached, the initial slow-start ramp for previously-encountered peers improves. The default is checked (enabled).

Appropriate Byte Counting (RFC 3465)

When checked (enabled), increases the congestion window by basing the increase amount on the number of previously unacknowledged bytes that each ACK covers. The default is checked (enabled). Note that F5 recommends that you use the default setting. When this setting is disabled, in situations with lost ACK packets, the congestion window remains small for a longer period of time.

D-SACK (RFC 2883)

Specifies, when checked (enabled), the use of the selective ACK (SACK) option to acknowledge duplicate segments. If a peer does not send duplicate segments, the system disables SACK processing altogether. Note that when enabled, this setting requires more processing, to always populate the SACK with all duplicate segments. The default is unchecked (disabled).

Packet Lost Ignore Rate

Specifies the threshold of packets lost per million at which the system performs congestion control. Valid values range from 0 to 1,000,000. The default is 0, meaning the system performs congestion control if any packet loss occurs. If you set the ignore rate to 10 and packet loss for a TCP connection is greater than 10 per million, congestion control occurs.

Packet Lost Ignore Burst

Specifies the probability of performing congestion control when multiple packets are lost, even if the Packet Lost Ignore Rate was not exceeded. Valid values range from 0 to 4,294,967,295. The default is 0, meaning that the system performs congestion control if any packets are lost. Higher values decrease the chance of performing congestion control.