{"id":1300,"date":"2021-03-02T03:05:00","date_gmt":"2021-03-02T02:05:00","guid":{"rendered":"https:\/\/mikadmin.fr\/blog\/?p=1300"},"modified":"2021-09-19T01:33:00","modified_gmt":"2021-09-18T23:33:00","slug":"syn-flood-attack-ddos","status":"publish","type":"post","link":"https:\/\/mikadmin.fr\/blog\/syn-flood-attack-ddos\/","title":{"rendered":"What is a SYN Flood attack?"},"content":{"rendered":"<div style=\"height:24px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">A <strong><span style=\"color:#cf2e2e\" class=\"tadv-color\">SYN flood<\/span><\/strong> (also called a half-open attack) is a type of <a href=\"https:\/\/www.cloudflare.com\/fr-fr\/learning\/ddos\/what-is-a-ddos-attack\" target=\"_blank\" rel=\"noreferrer noopener\">denial-of-service (DoS, or DDoS when distributed)<\/a> attack that aims to make a server unavailable to legitimate traffic by exhausting the state the server keeps for half-open TCP connections. 
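<\/p>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">To make concrete what &laquo;half-open&raquo; means, and why the tcp_syncookies setting recommended at the end of this post defeats the attack, here is an added example that is not part of the original post: a small Python model of a listening socket with a bounded SYN backlog, a flood of spoofed SYNs that never finish the handshake, and a legitimate client trying to connect afterwards. The backlog size of 4, the addresses and the HMAC-based cookie are choices made for the example; the cookie is a simplified stand-in for the Linux SYN cookie (same idea, server state encoded in the SYN-ACK sequence number, but not the same bit layout).<\/p>
```python
import hashlib
import hmac
import secrets
import time

# Added example for this post, not the post's or the kernel's code: a model of
# the TCP three-way handshake on the server side, the SYN backlog that a SYN
# flood exhausts, and the SYN cookie mechanism that removes the need for it.
# The cookie below is a simplified stand-in for the Linux construction.

MAX_SYN_BACKLOG = 4                      # tiny backlog so exhaustion is visible
COOKIE_SECRET = secrets.token_bytes(32)  # per-boot secret, as in a real stack


def make_cookie(src, sport, dst, dport, client_isn, counter):
    """Server ISN derived from the 4-tuple, the client ISN and a slowly
    changing counter, so the final ACK can be validated without any state."""
    msg = f"{src}:{sport}>{dst}:{dport}:{client_isn}:{counter}".encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class Listener:
    def __init__(self, addr, port, syncookies=False):
        self.addr, self.port = addr, port
        self.syncookies = syncookies
        self.half_open = {}          # (src, sport) -> server ISN: the SYN backlog
        self.established = set()
        self.dropped_syns = 0
        self.counter = int(time.time()) // 60   # minute counter for cookies

    def on_syn(self, src, sport, client_isn):
        """Step 1 -> step 2: answer a SYN with a SYN-ACK, or drop it."""
        if len(self.half_open) < MAX_SYN_BACKLOG:
            server_isn = secrets.randbits(32)
            self.half_open[(src, sport)] = server_isn   # half-open state kept
            return ("SYN-ACK", server_isn)
        if self.syncookies:
            # Backlog full: put everything needed to check the final ACK into
            # the sequence number itself and keep no state at all.
            cookie = make_cookie(src, sport, self.addr, self.port, client_isn, self.counter)
            return ("SYN-ACK", cookie)
        self.dropped_syns += 1            # backlog full and no cookies: SYN is lost
        return None

    def on_ack(self, src, sport, client_isn, ack_number):
        """Step 3: a valid ACK carries server ISN + 1 (mod 2^32)."""
        key = (src, sport)
        if key in self.half_open:
            if ack_number == (self.half_open[key] + 1) & 0xFFFFFFFF:
                del self.half_open[key]
                self.established.add(key)
                return True
            return False
        if self.syncookies:
            # Stateless check: recompute the cookie for the current and the
            # previous counter value, so a client is not rejected at a boundary.
            for c in (self.counter, self.counter - 1):
                expected = (make_cookie(src, sport, self.addr, self.port, client_isn, c) + 1) & 0xFFFFFFFF
                if ack_number == expected:
                    self.established.add(key)
                    return True
        return False


def run_flood(syncookies, spoofed_syns=50):
    """Spoofed SYNs whose SYN-ACKs go nowhere, then one legitimate client."""
    srv = Listener("192.168.1.23", 80, syncookies=syncookies)
    for i in range(spoofed_syns):
        srv.on_syn(f"10.0.{i // 256}.{i % 256}", 40000 + i, client_isn=i)
    isn = 12345
    reply = srv.on_syn("192.168.1.50", 51000, isn)
    if reply is None:
        return {"half_open": len(srv.half_open), "dropped": srv.dropped_syns, "client_ok": False}
    ok = srv.on_ack("192.168.1.50", 51000, isn, (reply[1] + 1) & 0xFFFFFFFF)
    return {"half_open": len(srv.half_open), "dropped": srv.dropped_syns, "client_ok": ok}


if __name__ == "__main__":
    print("without syncookies:", run_flood(False))
    print("with syncookies:   ", run_flood(True))
```
<p class=\"has-text-align-center has-medium-font-size\">Without cookies the four spoofed SYNs that arrive first fill the backlog and every later SYN, including the legitimate one, is dropped; with cookies the backlog stays full but the server keeps answering, and the legitimate client completes the handshake because its ACK carries a value only the server can compute.<\/p>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">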
<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-image is-style-default\"><figure class=\"aligncenter is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.imperva.com\/learn\/wp-content\/uploads\/sites\/13\/2019\/01\/syn-flood.jpg\" alt=\"Progression of a SYN flood.\" width=\"473\" height=\"339\"\/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator has-text-color has-background has-vivid-cyan-blue-background-color has-vivid-cyan-blue-color is-style-wide\"\/>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\" style=\"font-size:35px\"><strong>Three-way handshake<\/strong><\/h2>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">A <strong><span style=\"color:#cf2e2e\" class=\"tadv-color\">SYN Flood<\/span><\/strong> attack abuses the <strong>three-way handshake<\/strong> of the <strong><a href=\"https:\/\/mikadmin.fr\/blog\/activer-lip-forwarding-sous-linux\/\" target=\"_blank\" rel=\"noreferrer noopener\">TCP<\/a><\/strong> protocol: a legitimate client completes it, a flooder never does. 
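<\/p>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">That asymmetry is exactly what the two detection methods used later in this post rely on: the Wireshark filter keeps segments with SYN set and ACK clear, and the netstat pipeline counts sockets stuck in SYN_RECV. As an added example that is not part of the original post, the Python below implements both over text input: the filter as a predicate on tcpdump-style lines, grouped per destination with a completion ratio, and the per-state count over netstat output. The capture lines, the netstat listing, the addresses and the thresholds (10 SYNs, half of them unanswered) are constructed for the example, not taken from the screenshots.<\/p>
```python
import re
from collections import Counter, defaultdict

# Added example for this post, not the post's own code. Input below is
# constructed: a tcpdump -n style capture and a netstat -npt style listing.

# Three segments of one legitimate handshake (SYN, SYN-ACK, ACK) ...
LEGIT = [
    "12:00:00.000100 IP 192.168.1.50.51000 > 192.168.1.23.80: Flags [S], seq 100, win 64240, length 0",
    "12:00:00.000200 IP 192.168.1.23.80 > 192.168.1.50.51000: Flags [S.], seq 900, ack 101, win 65160, length 0",
    "12:00:00.000300 IP 192.168.1.50.51000 > 192.168.1.23.80: Flags [.], ack 901, win 502, length 0",
]
# ... followed by 30 SYNs from 30 spoofed sources that never send the final ACK.
FLOOD = [
    f"12:00:00.{1000 + i:06d} IP 10.0.{i // 256}.{i % 256}.{40000 + i} > 192.168.1.23.80: Flags [S], seq 1, win 512, length 0"
    for i in range(30)
]
CAPTURE = LEGIT + FLOOD

LINE_RE = re.compile(
    r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)


def parse_line(line):
    """Split a tcpdump line into timestamp, 4-tuple and flag string, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, sport, dst, dport, flags = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "flags": flags}


def is_bare_syn(flags):
    """tcpdump prints the ACK flag as '.', so this is the Wireshark filter
    tcp.flags.syn == 1 and tcp.flags.ack == 0 (SYN alone, not SYN-ACK)."""
    return "S" in flags and "." not in flags


def analyze(lines, syn_threshold=10, max_completion_ratio=0.5):
    """Per (dst, dport): number of bare SYNs, distinct sources, how many of
    those SYNs were followed by an ACK from the same client, and a verdict."""
    syns = defaultdict(list)   # (dst, dport) -> [(src, sport), ...]
    acks = set()               # (src, sport, dst, dport) that sent a non-SYN ACK
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        if is_bare_syn(pkt["flags"]):
            syns[(pkt["dst"], pkt["dport"])].append((pkt["src"], pkt["sport"]))
        elif "." in pkt["flags"] and "S" not in pkt["flags"]:
            acks.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
    report = {}
    for (dst, dport), clients in syns.items():
        completed = sum(1 for src, sport in clients if (src, sport, dst, dport) in acks)
        n = len(clients)
        report[(dst, dport)] = {
            "syns": n,
            "sources": len({src for src, _ in clients}),
            "completed": completed,
            # many SYNs and few completed handshakes is the flood signature
            "flood": n >= syn_threshold and completed / n <= max_completion_ratio,
        }
    return report


NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.23:22         192.168.1.50:51022      ESTABLISHED 812/sshd
tcp        0      0 192.168.1.23:80         10.0.0.1:40000          SYN_RECV    -
tcp        0      0 192.168.1.23:80         10.0.0.2:40001          SYN_RECV    -
tcp        0      0 192.168.1.23:80         10.0.0.3:40002          SYN_RECV    -
tcp        0      0 192.168.1.23:80         10.0.0.4:40003          SYN_RECV    -
tcp        0      0 192.168.1.23:80         10.0.0.5:40004          SYN_RECV    -
tcp        0      0 192.168.1.23:80         192.168.1.50:51000      ESTABLISHED 1201/nginx
"""


def count_states(netstat_output):
    """Equivalent of: netstat -npt | awk '{print $6}' | sort | uniq -c | sort -nr,
    restricted to tcp lines so the header words are not counted as states."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp"):
            counts[fields[5]] += 1
    return counts


if __name__ == "__main__":
    for target, r in analyze(CAPTURE).items():
        print(target, r)
    print(count_states(NETSTAT).most_common())
```
<p class=\"has-text-align-center has-medium-font-size\">On the constructed capture the report for 192.168.1.23:80 shows 31 SYNs from 31 sources with a single completed handshake, so the verdict is a flood; the netstat listing yields five sockets in SYN_RECV. Keep in mind that once SYN cookies kick in (backlog full), the kernel no longer creates SYN_RECV entries for the cookie-answered SYNs, so the netstat count understates the flood while the capture-based method still sees every SYN.<\/p>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">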
<\/p>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">A normal connection between a <strong>client<\/strong> and a <strong>server<\/strong> takes 3 steps:<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">\u2705 The client sends a <strong>SYN<\/strong> segment.<\/p>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">\u2705 The server replies with a <strong>SYN-ACK<\/strong> segment acknowledging it, and keeps a half-open entry for this connection in its SYN backlog while it waits for the final ACK.<\/p>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">\u2705 The client sends an <strong>ACK<\/strong> segment and the <strong>TCP<\/strong> connection is established.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/docs.aws.amazon.com\/whitepapers\/latest\/aws-best-practices-ddos-resiliency\/images\/image5.png\" alt=\"\"\/><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator is-style-default\"\/>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\" style=\"font-size:35px\">How the attack works<\/h2>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">The attacker sends a stream of connection requests (<strong>SYN<\/strong>) and never sends the final <strong>ACK<\/strong>. Each unanswered SYN-ACK leaves a half-open connection in the SYN backlog of the targeted server until it times out; once that backlog is full the server can no longer accept new connections on the attacked port, so it responds slowly to legitimate traffic or not at all. What runs out is the backlog of half-open connections, not free ports.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/upload.wikimedia.org\/wikipedia\/commons\/thumb\/c\/c6\/Tcp_syn_flood.png\/400px-Tcp_syn_flood.png\" alt=\"SYN flood \u2014 
Wikip\u00e9dia\"\/><\/figure><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\"><strong><span style=\"color:#cf2e2e\" class=\"tadv-color\">SYN Flood<\/span><\/strong> attacks are frequently carried out by bots sending from <strong>spoofed source IP addresses<\/strong>, which makes the attack harder to trace and to mitigate: blocking by source address achieves nothing, and the SYN-ACKs are sent to hosts that never asked for them. <strong>Botnets<\/strong> can launch <strong><span style=\"color:#cf2e2e\" class=\"tadv-color\">SYN Flood<\/span><\/strong>s as <a href=\"https:\/\/www.f5.com\/fr_fr\/services\/resources\/glossary\/distributed-denial-of-service-ddos-attack\" target=\"_blank\" rel=\"noreferrer noopener\">distributed denial-of-service (DDoS) attacks<\/a>.<\/p>\n\n\n\n<hr class=\"wp-block-separator is-style-default\"\/>\n\n\n\n<div style=\"height:11px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Here is an example of a combined <strong><span style=\"color:#cf2e2e\" class=\"tadv-color\">SYN Flood<\/span><\/strong> &amp; <strong><span style=\"color:#0693e3\" class=\"tadv-color\">DNS Flood<\/span><\/strong> attack:<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter\"><img decoding=\"async\" src=\"https:\/\/www.imperva.com\/learn\/wp-content\/uploads\/sites\/13\/2019\/01\/syn-flood-ddos-attack.png\" alt=\"Imperva mitigates a 38 day-long SYN flood and DNS flood\u00a0multi-vector DDoS attack.\"\/><figcaption><em>Imperva mitigates a 38 day-long SYN flood and DNS flood&nbsp;<\/em><a href=\"https:\/\/www.imperva.com\/blog\/funded-persistent-multi-vector-ddos-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">multi-vector DDoS attack.<\/a><\/figcaption><\/figure><\/div>\n\n\n\n<hr class=\"wp-block-separator is-style-default\"\/>\n\n\n\n<h2 class=\"has-text-align-center 
wp-block-heading\" style=\"font-size:35px\">Prot\u00e9ger votre serveur contre le SYN Flood<\/h2>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Dans cet exemple, nous avons <strong>deux machines<\/strong> en local :<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center\" style=\"font-size:18px\">\u2b50 Une machine attaquante : <strong>192.168.1.27<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-center\" style=\"font-size:18px\">\u2b50Une machine victime : <strong>192.168.1.23<\/strong><\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Avant de vouloir prot\u00e9ger notre machine, nous allons voir un filtre <strong><span style=\"color:#00d084\" class=\"tadv-color\">wireshark<\/span><\/strong> nous permettant de d\u00e9tecter une attaque <strong><span style=\"color:#cf2e2e\" class=\"tadv-color\">SYN Flood<\/span><\/strong>.<\/p>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-c\" data-line=\"\">tcp.flags.syn == 1 and tcp.flags.ack == 0<\/code><\/pre>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"726\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/03\/image-3-1024x726.png\" alt=\"\" class=\"wp-image-1374\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/03\/image-3-1024x726.png 1024w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/03\/image-3-300x213.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/03\/image-3-150x106.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/03\/image-3-768x545.png 768w, 
https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/03\/image-3.png 1200w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"839\" height=\"454\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/03\/image-4.png\" alt=\"\" class=\"wp-image-1381\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/03\/image-4.png 839w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/03\/image-4-300x162.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/03\/image-4-150x81.png 150w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/03\/image-4-768x416.png 768w\" sizes=\"auto, (max-width: 839px) 100vw, 839px\" \/><\/figure>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">As we can see, a very large number of <strong>SYN segments<\/strong> are heading to our victim <strong>192.168.1.23<\/strong> from <strong>spoofed IP addresses<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">We can also detect a <strong><span style=\"color:#cf2e2e\" class=\"tadv-color\">SYN Flood<\/span><\/strong> on the server itself with the following command, which counts TCP sockets per state. On a healthy server the <strong><span style=\"color:#fcb900\" class=\"tadv-color\">SYN_RECV<\/span><\/strong> (half-open) count stays near zero; during a flood it rises sharply:<\/p>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-bash\" data-line=\"\">netstat -npt | awk &#039;{print $6}&#039; | sort | uniq -c | sort -nr | 
head<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Time to add settings that <strong>limit<\/strong> this type of attack.<\/p>\n\n\n\n<div style=\"height:5px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">First, we edit the file <strong>\/etc\/sysctl.conf<\/strong> and set the following variables (run <strong>sysctl -p<\/strong> afterwards to load them without rebooting):<\/p>\n\n\n\n<div style=\"height:5px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-bash\" data-line=\"\"># Answer with SYN cookies once the SYN backlog is full: no state is kept for\n# the half-open connection, so a flood cannot exhaust the backlog\nnet.ipv4.tcp_syncookies = 1\n# Size of the queue of half-open connections per listening socket\nnet.ipv4.tcp_max_syn_backlog = 2048\n# Retransmit an unanswered SYN-ACK at most 3 times (default 5), so half-open\n# entries expire sooner\nnet.ipv4.tcp_synack_retries = 3\n# Reverse-path filtering: drop packets whose source address is not routable\n# back through the interface they arrived on\nnet.ipv4.conf.all.rp_filter = 1<\/code><\/pre>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">The first three settings act on the SYN backlog directly: with SYN cookies the kernel stops keeping state once the backlog fills, a larger backlog absorbs more half-open entries, and fewer SYN-ACK retransmissions make each entry expire sooner. rp_filter only drops spoofed sources whose address would be routed out of a different interface (for example a LAN address arriving on the WAN side); on a host with a single uplink, spoofed public addresses still get through, so it is not a defence on its own. For more on these settings I recommend this <a href=\"https:\/\/linoxide.com\/firewall\/snapshot-syn-flood-attack\/#:~:text=If%20you%20suspect%20a%20SYN,are%20in%20%E2%80%9CSYN_RECEIVED%E2%80%9D%20state.\" target=\"_blank\" rel=\"noreferrer noopener\">article<\/a>.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">We can also add <strong>iptables<\/strong> rules that <strong>rate-limit<\/strong> incoming SYNs, for example:<\/p>\n\n\n\n<div style=\"height:5px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<pre class=\"wp-block-prismatic-blocks\"><code class=\"language-markdown\" data-line=\"\"># Create a new chain named syn_flood\niptables -N syn_flood\n\n# Send every TCP segment with SYN set (and ACK, RST, FIN clear) to that chain\niptables -A INPUT -p tcp --syn -j syn_flood\n\n# While the rate limit is not exceeded, return to INPUT and keep evaluating the other rules\niptables -A syn_flood -m 
limit --limit 1\/s --limit-burst 3 -j RETURN\n\n# Above the limit, drop the SYN\niptables -A syn_flood -j DROP<\/code><\/pre>\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Once this is in place, the <strong>syn_flood<\/strong> chain starts to <strong>DROP<\/strong> packets.<\/p>\n\n\n\n<p class=\"has-text-align-center has-medium-font-size\">Keep in mind that the limit module keeps a single token bucket for the rule, not one per source address: during a flood, legitimate SYNs compete with the attacker&rsquo;s for the same 1 per second (burst 3), so the rule protects the backlog at the price of refusing most new clients for the duration of the attack. Because the sources are spoofed, per-source limiting would not help either. SYN cookies remain the main defence; the rate limit mostly spares the kernel from answering every spoofed SYN with a SYN-ACK.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"737\" height=\"159\" src=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/03\/image-5.png\" alt=\"\" class=\"wp-image-1391\" srcset=\"https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/03\/image-5.png 737w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/03\/image-5-300x65.png 300w, https:\/\/mikadmin.fr\/blog\/wp-content\/uploads\/2021\/03\/image-5-150x32.png 150w\" sizes=\"auto, (max-width: 737px) 100vw, 737px\" \/><\/figure><\/div>\n\n\n\n<div style=\"height:15px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p><strong>Sources: <\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>cloudflare<\/li><li>f5.com<\/li><li>linoxide.com<\/li><\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n","protected":false},"excerpt":{"rendered":"<p>A SYN flood is a type of denial-of-service (DoS\/DDoS) attack that aims to make a server unavailable. 
<a href=\"https:\/\/mikadmin.fr\/blog\/syn-flood-attack-ddos\/\" class=\"more-link\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":1323,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[4,2],"tags":[56,5,9,31,55],"class_list":["post-1300","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-infosec","category-network","tag-ddos","tag-infosec","tag-linux","tag-network","tag-tcp"],"aioseo_notices":[],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/1300","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/comments?post=1300"}],"version-history":[{"count":0,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/posts\/1300\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media\/1323"}],"wp:attachment":[{"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/media?parent=1300"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/categories?post=1300"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mikadmin.fr\/blog\/wp-json\/wp\/v2\/tags?post=1300"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}