A SQL injection of tc case 2: the infinite war

Time:09-28

Previously:

After the man in black and Lao Zhou joined forces, the Linux empire finally cleared the web virus from its systems and patched the holes. But this angered the black hand behind the scenes, and a new storm is brewing.

See: a SQL injection of tc major




Little Q is a civil servant in the Linux empire's network department, responsible for TCP connections.

The work used to be easy, with little overtime, but since Mr Ma opened the nginx company in the Linux empire, Little Q's workload has grown and overtime has become routine, and he has grumbled about it more than once behind people's backs.

Early in the morning, nginx starts on time, binds port 80 and begins listening, and the day's business opens.

Before long, the first client of the day arrives.


Little Q does what he does every day: on receiving a packet with the SYN flag set, he creates a connection request block, places it in the connection request queue for port 80, replies with a packet carrying the SYN and ACK flags, starts a timer, and waits for the third handshake to complete.


Not long after, the client's reply arrives and the three-way handshake is complete. Little Q moves the connection request block to port 80's ready queue and rings the bell.



Hearing the bell, the nginx thread wakes up from epoll_wait, calls accept to take the new client off the queue, and begins serving it.

This is Little Q's daily routine; he has done this job for so long that it is second nature.


Soon it was the middle of the night. Little Q was ready to take a nap; surely no one does business this late.


He had just lain down when a connection request arrived. Little Q rubbed his bleary eyes and got ready to handle it, but right behind it came a second, a third, a fourth......

Strangely, every client sent only a SYN and nothing more. Little Q watched the requests pile up in the connection request queue until there was no room left for a new request block. Realizing something had gone badly wrong, he sounded the alarm for the imperial security service · · · · · ·




All-out attack

Ten minutes earlier......


"Wake up, a message has arrived." Little D, still asleep, was woken.

"Finally someone remembers me. I have been in the Windows empire for almost a month without a single instruction, just told to keep quiet; it has been hard to bear," Little D said with a yawn, then got up and called the recv function to fetch the message:


After reading the message, Little D used a raw socket to construct a TCP packet, set the SYN flag, forged the source IP address, and sent it out.

After several hops of routing, the packet finally reached the Linux empire, but no one was there to receive it. Looking closer, countless TCP packets were already jammed at the gate, and countless more just like it were still streaming in...



The SYN Flood

At that moment, the empire's senior officials were holding an emergency meeting.

Firewall: "Countless connections are pouring in from the Internet. For the safety of the empire I have had to shut down the network for now and keep the packets out."

Mascherano: "We need measures to get back to normal quickly. Every second, the nginx company loses a lot of customers. This is a huge loss!"

Empire security minister: "Little Q, describe the current situation, and everyone can offer advice."

Little Q: "OK. As most of you know, in the TCP three-way handshake, after I receive a SYN packet I need to set aside a block of data to store the client's information. The enemy is targeting exactly this: they send me a huge number of SYN packets, I have to allocate a huge number of data blocks, and the empire's memory runs out."



Mascherano: "Sorry to interrupt, but why don't you drop the invalid data blocks and release them in time to make room?"

Little Q: "Of course I do. I have a timeout mechanism: if the third handshake has not arrived by the timeout, I release the block. The problem is that the enemy's volume is enormous, and any space I free is taken again immediately."



Mascherano: "Then it is simple: shorten the timeout and release the invalid data blocks sooner. Wouldn't that work?"

Little Q: "If it is too short, normal users with larger network delays will be killed off along with the attackers, won't they?"

Mascherano: "Well, you weigh it and pick a reasonable value. We have no other way right now, and production must resume quickly!"



Security minister: "Little Q, give that a try first."

Little Q: "OK, I'll go."


· · · · · · · · · · · · half an hour later


Little Q: "Sir, I have done as instructed, but the connections keep growing. I am afraid it cannot hold for long; we had better plan ahead."



Security minister: "WAF company, what can you do?"

WAF company representative: "Sir, our business is web application security. A SYN flood is not something we are good at."


A long silence followed...


After a long while, Firewall broke the silence: "Little Q, why must you set up a data block as soon as you receive the first SYN packet of the handshake? What if the data block were set up only after the third handshake?"

Little Q: "If I did not have to allocate a data block at the start, that would solve the big problem! But without the data block, where would I store the client's information?"


Firewall: "What information do you save?"

Little Q: "The client's IP, port, sequence number, and so on."

Firewall: "That information is in the third handshake packet as well, so there is no need to save it in advance!"



Little Q: "That is not quite right, though. On the third handshake I have to check that the ACK the other side sends is the sequence number I sent in the second handshake plus one. If I do not allocate a data block in advance to save the sequence number I sent him, I cannot do that check! No, it has to be saved in advance!"


Firewall: "Is there any way to do the check without storing anything in advance?"

Little Q: "How could that be done?"

Firewall: "There is! For the sequence number sent to the client in the second handshake, instead of a random value, compute a hash from the client's information and some other inputs. When the third handshake arrives, take the ACK from the client's reply, recompute the hash, and if the hash value + 1 equals the ACK, accept it; otherwise it is a forged packet and can simply be discarded!"


While Little Q was still thinking it over, the security minister stood up and applauded: "Excellent! What a wonderful idea! Little Q, go and do it this way!"
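The scheme the firewall just proposed, worked through in code. This is an added example and not code from the story or from the Linux kernel: the secret, the one-byte time slot, the 24-bit HMAC and the string encoding of the connection tuple are my own simplifications of the real SYN cookie layout, and the addresses and sequence numbers are constructed.

```python
import hashlib
import hmac
import time

# Assumed demo secret; a real kernel rotates its cookie secrets periodically.
SECRET = b"demo-syn-cookie-secret"
SLOT_SECONDS = 60   # cookies carry a coarse time slot...
MAX_SLOT_AGE = 1    # ...and are accepted only from the current or previous slot

def _slot(now):
    return int(now // SLOT_SECONDS) & 0xFF

def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot):
    """Low 24 bits of an HMAC over the 4-tuple, the client ISN and the slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now=None):
    """Server ISN for the SYN-ACK: slot in the top byte, MAC in the low 24 bits.
    Nothing is stored for the half-open connection."""
    slot = _slot(time.time() if now is None else now)
    return (slot << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, slot)

def check_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now=None):
    """Third handshake: the ACK packet alone lets us recompute the cookie.
    ack must be cookie + 1; the client ISN is seq - 1."""
    cookie = (ack - 1) & 0xFFFFFFFF
    slot = cookie >> 24
    if (_slot(time.time() if now is None else now) - slot) & 0xFF > MAX_SLOT_AGE:
        return False                      # cookie too old: discard
    client_isn = (seq - 1) & 0xFFFFFFFF
    return (cookie & 0xFFFFFF) == _mac24(src_ip, src_port, dst_ip, dst_port,
                                         client_isn, slot)

def simulate(flood_syns, now=1_700_000_000.0):
    """Constructed scenario: spoofed SYNs that never complete, then one honest
    client. Returns (half-open blocks stored, honest ACK accepted, bad ACK accepted)."""
    half_open = {}                        # stays empty: a SYN allocates nothing
    for i in range(flood_syns):
        syn_cookie(f"10.0.{(i >> 8) & 0xFF}.{i & 0xFF}", 40000 + i % 1000,
                   "192.0.2.10", 80, 12345 + i, now)
    c_isn = 0x1234ABCD
    cookie = syn_cookie("203.0.113.5", 51515, "192.0.2.10", 80, c_isn, now)
    good = check_ack("203.0.113.5", 51515, "192.0.2.10", 80, c_isn + 1, cookie + 1, now + 1)
    bad = check_ack("203.0.113.5", 51515, "192.0.2.10", 80, c_isn + 1,
                    (cookie ^ 1) + 1, now + 1)   # one bit off: forged, discarded
    return len(half_open), good, bad
```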


Rescue

Little Q went back to work and changed his strategy according to the firewall's idea, then asked the firewall to reopen the network. How well it would work, though, he could not be sure, and his heart was in his throat.


The moment the network came back, countless TCP SYN packets poured in. This time Little Q allocated no blocks; he just quickly computed a hash value to use as the sequence number and replied to the client. He was sweating from the work, but when he saw that memory use was no longer climbing out of control, he breathed a sigh of relief.


Back in the meeting room, the news was met with a big round of applause!
Security minister: "This experience is worth remembering. Let's give this scheme a name and tell the other empires of the universe, so that everyone can fight the dark forces together."


The WAF representative spoke first: "I think the key point of this method is that the server stores its check information on the client side, a bit like cookies in web technology. Why not call them SYN cookies!"

Firewall: "Good, that name sums it up nicely."


An hour later, the mad tide of TCP SYN packets gradually receded, and the Linux empire returned to its former peace. The nginx company's business was back to normal. Little Q looked up; the sky was growing light. The long night was finally over.



To be continued......



Easter egg
"Sir, the Linux empire has the firewall and the WAF crowd standing guard, and our attack has had little effect."

"Do you think they really won on their own ability? This time was just a lesson for them. Our game has only just begun."


What happens next? Stay tuned for the sequel...


