We will run into DDoS attacks when we operate servers, so understanding the principle of a DDoS attack is very important. We need to know not only the concept behind DDoS attacks but, more importantly, the intent behind them, that is, how a DDoS attack is actually launched.
A brief look at the principles of DDoS attacks:
Some time ago I studied the TCP/IP protocol and the RFC documents carefully, so I have a little experience with them. Some of the content of this article is taken from translated articles by Shaft. To understand how a DoS attack is carried out, you need a certain understanding of TCP. This article is therefore divided into two parts: the first part analyses the protocol details relevant to carrying out DDoS attacks, and the second part analyses common DDoS attack methods.
What is a DDoS attack?
DDoS attack is the abbreviation of Distributed Denial of Service; it has nothing to do with the Microsoft DOS operating system. A joke describes it well: denial of service is like a Pizza Hut that is full and no longer lets anyone in; you want to eat pizza, but you have to wait at the door. In a DoS attack, the attacker finds ways to stop the target machine from providing service or from using its resources, which include disk space, memory, processes and even network bandwidth, so that requests from normal users are blocked. Examples:
Attempting to flood the server, blocking legitimate network traffic
Damaging the connection between two machines, so that the service cannot be reached
Preventing specific users from accessing the service
Damaging the service, possibly by causing the server to crash
Few attackers, however, use a DoS attack on its own merely to damage the server. In general, a DoS attack is used as one step of an intrusion, for example to get around an intrusion detection system: the intruder starts with a large volume of attacks so that the intrusion detection system is flooded with log entries and may become unresponsive, which lets the intruder slip past the detection system under cover of that flood.
DDoS attack principles: a discussion of the TCP protocol:
We know that TCP (Transmission Control Protocol) provides reliable, end-to-end byte-stream communication over an unreliable internetwork. It is formally defined in RFC 793; some error handling is specified in RFC 1122, and RFC 1323 defines TCP extensions.
In the TCP/IP protocol suite, IP does not guarantee that a datagram is delivered correctly to its destination. TCP accepts the user's data stream from the local machine, divides it into fragments of no more than 64K bytes, sends each fragment as a separate IP datagram, and finally reassembles them at the destination machine into a complete byte stream. It is the TCP protocol that must ensure reliability.
The sender and receiver in a TCP transmission exchange data in the form of segments. A segment consists of a fixed 20-byte header, optional fields, and then the data. When the sender transmits a segment it also starts a timer. When the segment arrives at the destination, the receiving host sends back a segment containing an acknowledgment number, which equals the sequence number of the next segment it expects to receive. If the timer expires before the acknowledgment arrives, the sender retransmits the segment.
With this general understanding of TCP, the important thing is to understand the TCP header. In a data stream transmission the header is what matters most; the data being sent is simply attached to it. The exchange between client and server is driven by the information in the header, and the communication between the two ends is carried out according to the header contents. So, to carry out a DoS attack, it is necessary to understand the contents of the header.
TCP segment header fields relevant to the principles of DDoS attacks:
Source port and destination port: the local port and the target port.
Sequence number and acknowledgment number: the sequence number and the acknowledgment number; the acknowledgment number is the number of the next byte the receiver expects to receive. Both are 32 bits, and in a TCP stream every byte of data is numbered.
Data offset: indicates how many 32-bit words the TCP header contains, which determines the length of the header, because the optional fields in the header are of variable length.
Reserved: 6 reserved bits, currently unused and set to 0. They are followed by six 1-bit flags, which the two communicating computers use to mark control information.
Whether a segment is accepted and what is sent in reply is decided according to these flags. They are analysed below:
URG: (Urgent pointer field significant) the urgent pointer. When it is 1 it indicates that the urgent pointer is in use; it is used to prevent the TCP data stream from being aborted.
ACK: (Acknowledgment field significant) when 1, the acknowledgment number is valid; when 0, the segment contains no acknowledgment information and the acknowledgment number is ignored.
PSH: (Push function) the push flag. When 1, the receiving side can deliver the data in the segment directly to the application as soon as it is received, without waiting for the buffer to fill.
RST: (Reset the connection) used to reset a connection that has become faulty for some reason, and also to reject illegal segments and connection requests. If an RST bit is received, a fault has generally occurred.
SYN: (Synchronize sequence numbers) used to establish a connection. In a connection request SYN=1, ACK=0; in the reply accepting the connection SYN=1, ACK=1. That is, SYN and ACK together distinguish a connection request from a connection acceptance.
FIN: (No more data from sender) used to release the connection, indicating that the sender has no more data to send.
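As an added example (not code from the original article), the following Python decodes the fixed 20-byte TCP header fields listed above and applies the SYN/ACK/RST/FIN rules to name each segment; the sample segments are a constructed three-way handshake plus a reset, and the summary shows the request-versus-acceptance counts a defender compares when looking for half-open connections.

```python
import struct
from collections import Counter

# Bit positions of the six 1-bit flags; they share the 16-bit word at byte
# offset 12 with the 4-bit data offset (RFC 793 header layout).
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
FLAG_NAMES = (("URG", URG), ("ACK", ACK), ("PSH", PSH),
              ("RST", RST), ("SYN", SYN), ("FIN", FIN))

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte header fields discussed in the text."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    src, dst, seq, ack, off_flags, win, _csum, _urgp = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12          # header length in 32-bit words
    flags = off_flags & 0x3F               # low six bits: URG..FIN
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "header_len": data_offset * 4, "window": win,
            "flags": [n for n, bit in FLAG_NAMES if flags & bit],
            "payload": segment[data_offset * 4:]}

def classify(hdr: dict) -> str:
    """Name the segment using the SYN/ACK/RST/FIN rules given above."""
    f = set(hdr["flags"])
    if "RST" in f:
        return "reset"
    if "SYN" in f:
        return "connection accepted" if "ACK" in f else "connection request"
    if "FIN" in f:
        return "connection release"
    return "data/ack"

def build_tcp_header(src, dst, seq, ack, flags, window=65535) -> bytes:
    """Constructed sample header for offline use (checksum left as 0)."""
    return struct.pack("!HHIIHHHH", src, dst, seq, ack,
                       (5 << 12) | flags, window, 0, 0)

def summarize(segments) -> Counter:
    """Count segment types; many requests with few ACKs is the half-open pattern."""
    return Counter(classify(parse_tcp_header(s)) for s in segments)

# Constructed three-way handshake followed by a reset (not captured traffic).
SAMPLE = [
    build_tcp_header(40000, 80, 1000, 0, SYN),            # client: SYN
    build_tcp_header(80, 40000, 5000, 1001, SYN | ACK),   # server: SYN+ACK
    build_tcp_header(40000, 80, 1001, 5001, ACK),         # client: ACK
    build_tcp_header(80, 40000, 5001, 1001, RST | ACK),   # server: RST
]
```

Running `summarize(SAMPLE)` on the constructed segments gives one of each type; on real traffic a request count far above the acceptance count is what a defender watches for.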
This paper comes from http://www.mgddos.com (DDoS attack software)