This article mainly describes the DDoS attack instance SYN flood attack, we all know Syn-flood is currently the most widely used DDoS attack means, the earlier DOS means in the distributed phase of the development has also experienced the process of the bridge.
Syn-flood attack effect is the best, should be all the hackers have chosen the reason for it. So let's take a look at the details of Syn-flood.
Syn-flood is currently the most popular method of DDoS attack, the previous DOS means in the distributed phase of the development of the time also experienced the process of sand scouring the waves. Syn-flood attack effect is the best, should be all the hackers have chosen the reason for it. So let's take a look at the details of Syn-flood.
Syn Flood principle-handshake three times
Syn Flood leverages the inherent vulnerabilities of the TCP/IP protocol. The connection-oriented TCP Three handshake is the foundation of the existence of SYN flood.
Three handshake of TCP connection
As shown in figure two, in the first step, the client presents a connection request to the server. At this point the TCP SYN flag is placed. The client tells the server that the serial number area is legitimate and needs checking. The client inserts its own isn in the serial number area of the TCP header. After the server receives the TCP fragment, it responds with its own isn (SYN flag bit) in the second step, confirming the receipt of the first TCP segment (ACK flag set) for the client. In the third step, the client confirms that the ISN (ACK flag position) is received at the service end. So far to establish a full TCP connection, start Full-duplex mode of the data transfer process.
Syn flood attackers do not complete three handshake
If a user sends a SYN message to the server and suddenly freezes or drops the line, then the server is unable to receive the client's ACK message after sending the Syn+ack answer message (the third handshake cannot be completed), in which case the server side will generally try again (send Syn+ack to the client again) And wait a while to discard this unfinished connection, the length of which we call Syn Timeout, which is generally the order of magnitude of minutes (about 30 seconds-2 minutes);
A user exception that causes one thread in the server to wait 1 minutes is not a big problem, but if a malicious attacker simulates this massively, the server will consume a lot of resources to maintain a very large semi-join list----Tens of thousands of connections, Even a simple save and traverse will consume a lot of CPU time and memory, not to mention the constant syn+ack of the IP in this list.
In fact, if the server's TCP/IP stack is not strong enough, the end result is often a stack overflow crash---even if the server-side system is strong enough, the server side will be too busy handling the attacker's spoofed TCP connection request to ignore the client's normal request (after all, the client's normal request ratio is At this point, from a normal customer's point of view, the server has lost its response, which we call: The server side was subjected to a SYN flood attack (SYN flood attack).
Here is the actual process of a SYN flood attack I simulated in my lab
This LAN environment, only one attack aircraft (Piii667/128/mandrake), is attacked by a Solaris 8.0 (Spark) host, network device is Cisco's hundred Gigabit Switch. This is a Snoop record on Solaris prior to the attack, and Snoop, like Tcpdump, is a good tool for network capture and analysis. You can see that before the attack, the target host received basically some ordinary network packets. ...
...
? -> (broadcast) ether type=886f (Unknown), size = 1510 bytes
? -> (broadcast) ether type=886f (Unknown), size = 1510 bytes
? -> (multicast) ether type=0000 (llc/802.3), size = bytes
? -> (broadcast) ether type=886f (Unknown), size = 1510 bytes
192.168.0.66-> 192.168.0.255 NBT Datagram Service type=17 source=gu[0]
192.168.0.210-> 192.168.0.255 NBT Datagram Service type=17 source=rootdc[20]
192.168.0.247-> 192.168.0.255 NBT Datagram Service type=17 source=tsc[0]
? -> (broadcast) ether type=886f (Unknown), size = 1510 bytes
192.168.0.200-> (broadcast) ARP C who 192.168.0.102, 192.168.0.102?
? -> (broadcast) ether type=886f (Unknown), size = 1510 bytes
? -> (broadcast) ether type=886f (Unknown), size = 1510 bytes
192.168.0.66-> 192.168.0.255 NBT Datagram Service type=17 source=gu[0]
192.168.0.66-> 192.168.0.255 NBT Datagram Service type=17 source=gu[0]
192.168.0.210-> 192.168.0.255 NBT Datagram Service type=17 source=rootdc[20]
? -> (multicast) ether type=0000 (llc/802.3), size = bytes
? -> (broadcast) ether type=886f (Unknown), size = 1510 bytes
? -> (broadcast) ether type=886f (Unknown), size = 1510 bytes
...
...
Then, the attack aircraft began to contract, DDoS began ..., suddenly the Snoop window on the Sun mainframe began to flip the screen quickly, showing a large number of SYN requests. The screen is like a window on a 300-kilometer train. This is the result of the Snoop output of the SYN flood attack: ...
...
127.0.0.178-> lab183.lab.net AUTH C port=1352
127.0.0.178-> lab183.lab.net TCP d=114 s=1352 Syn seq=674711609 len=0
127.0.0.178-> lab183.lab.net TCP d=115 s=1352 Syn seq=674711609 len=0
127.0.0.178-> lab183.lab.net Uucp-path C port=1352
127.0.0.178-> lab183.lab.net TCP d=118 s=1352 Syn seq=674711609 len=0
127.0.0.178-> lab183.lab.net NNTP C port=1352
127.0.0.178-> lab183.lab.net TCP d=121 s=1352 Syn seq=674711609 len=0
127.0.0.178-> lab183.lab.net TCP d=122 s=1352 Syn seq=674711609 len=0
127.0.0.178-> lab183.lab.net TCP d=124 s=1352 Syn seq=674711609 len=0
127.0.0.178-> lab183.lab.net TCP d=125 s=1352 Syn seq=674711609 len=0
127.0.0.178-> lab183.lab.net TCP d=126 s=1352 Syn seq=674711609 len=0
127.0.0.178-> lab183.lab.net TCP d=128 s=1352 Syn seq=674711609 len=0
127.0.0.178-> lab183.lab.net TCP d=130 s=1352 Syn seq=674711609 len=0
127.0.0.178-> lab183.lab.net TCP d=131 s=1352 Syn seq=674711609 len=0
127.0.0.178-> lab183.lab.net TCP d=133 s=1352 Syn seq=674711609 len=0
127.0.0.178-> lab183.lab.net TCP d=135 s=1352 Syn seq=674711609 len=0
...
...
This time the content is completely different, can not receive just those normal network packets, only DDoS packets. Note that all of the SYN flood attack packets are spoofed from the source address, which is very difficult to trace. How many SYN connections have been accumulated on the attacked host? Let's take a look at the netstat:
# Netstat-an | grep SYN
...
...
192.168.0.183.9 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
192.168.0.183.13 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
192.168.0.183.19 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
192.168.0.183.21 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
192.168.0.183.22 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
192.168.0.183.23 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
192.168.0.183.25 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
192.168.0.183.37 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
192.168.0.183.53 127.0.0.79.1801 0 0 24656 0 SYN_RCVD
...
...
Where SYN_RCVD represents the currently unfinished TCP SYN queue, Statistics:
# Netstat-an | grep SYN | Wc-l
5273
# Netstat-an | grep SYN | Wc-l
5154
# Netstat-an | grep SYN | Wc-l
5267
.....
Half-connections with more than 5,000 syn are stored in memory. At this time, the attack was unable to respond to the new service request, the system runs very slowly, and can not ping.
The above is a description of the details of the SYN-flood attack on the DDoS attack instance, hopefully giving you some help in this regard.
Article from DDoS tutorial http://www.blddos.com/gonggao/2012/1016/9.html