About DoS attacks and DDoS attacks

Source: Internet
Author: User
The Code Red virus and its upgraded successor, the Nimda virus, have been rampant on the Internet. These small worms have infected millions of servers and PCs worldwide, forced websites to shut down in batches, interrupted networks or congested LANs in many enterprises, and paralyzed otherwise efficient e-commerce and networked office systems. Their destructive power has cost global networks more than 10 billion US dollars. It is no exaggeration to say that the impact of Code Red and Nimda on the online world is no smaller than the economic impact on the United States of the 9/11 terrorist attacks that shocked the world. So what makes these two viruses so powerful? While recognizing how terrifyingly fast viruses spread over the Internet, we should also consider the central idea behind them in this war without gunsmoke: DoS.
What is a DoS attack?
What is DoS? Anyone who came to PCs early may immediately think of Microsoft's disk operating system, DOS. No, Bill Gates is not the hacker here! This DoS stands for Denial of Service. A DoS attack deliberately exploits defects in network protocols, or uses brute-force means, to exhaust the resources of the target so that the target computer or network can no longer provide normal service or access to resources, and its services stop or even crash. Such an attack does not involve intruding into the target server or network device. The resources in question include network bandwidth, file system space, open processes and permitted connections. The attack creates a shortage of these resources, and no matter how fast the processor, how large the memory or how wide the bandwidth, it cannot be avoided: everything has a limit, so an attacker can always find a way to make demand exceed it, deliberately creating a shortage so that, on the surface, the service appears unable to satisfy requests. Therefore, do not assume that a high-performance website with ample bandwidth and fast servers has nothing to fear from DoS attacks; a DoS attack makes every resource look small.
To understand DoS, consider a vivid metaphor. A street restaurant provides catering to the public. If a gang of hooligans wants to "DoS" the restaurant, they have many means: occupy the tables, block the door and refuse to give way, harass the waiters or cooks so that they cannot work, or worse. Correspondingly, computer and network systems provide Internet resources to users, and if a hacker wants to launch a DoS attack, there are just as many methods. The most common DoS attacks today are bandwidth attacks and connectivity attacks. A bandwidth attack floods the network with a large volume of traffic so that all available network resources are exhausted and legitimate users' requests finally fail. A connectivity attack floods a computer with a large number of connection requests so that all available operating system resources are exhausted and the computer cannot process legitimate users' requests.
What is DDoS?
Traditionally, the main constraint facing attackers was network bandwidth. Because networks were small and links were slow, an attacker could not send very many requests. Although an attack such as the ping of death needs only a small number of packets to crash an unpatched UNIX system, most DoS attacks still require considerable bandwidth, and an individual hacker finds it hard to obtain high-bandwidth resources. To overcome this shortcoming, DoS attackers developed distributed attacks: using tools, the attacker gathers a large amount of network bandwidth and launches a large number of attacks against the same target at the same time. This is a DDoS attack.
In a DDoS (Distributed Denial of Service) attack, hackers intrude into and take control of many high-bandwidth hosts (possibly hundreds or even tens of thousands), install DoS service programs on them, and have them wait for commands from a central attack control center. At the chosen moment, the control center starts the DoS processes on all the controlled hosts, which send as many network access requests as possible to a specific target; a flood of DoS traffic hits the target system as every host attacks the same site. The targeted website soon stops responding, cannot handle normal access in time, and may even crash. The biggest difference between DDoS and DoS is therefore the sheer number of machines involved: in DoS a single machine attacks the target, whereas in DDoS many machines under the control of a central attack center use their combined high bandwidth to overwhelm the target site with ease. DDoS attacks are also more automated: the attacker installs the program on many machines in the network in a way the target rarely notices, and the machines lie in wait and attack simultaneously when the attacker sends a unified command. A DDoS attack is thus a set of DoS attacks under a hacker's central control. It is now considered the most effective form of attack and is very difficult to resist.
Both DoS and DDoS attacks are simply hacker methods for destroying network services. Although the specific implementations vary endlessly, they all have one thing in common: the fundamental purpose is to make the victim host or network unable to receive, process or respond to external requests in a timely manner. The specific forms are as follows:
1. Generating large amounts of useless data, so that the network around the attacked host becomes congested and the host cannot communicate with the outside world.
2. Exploiting defects in how the attacked host's services or transport protocols handle repeated connections, by repeatedly and frequently sending aggressive duplicate service requests, so that the attacked host cannot process other, normal requests in time.
3. Exploiting implementation defects in the service programs of the attacked host or in the transport protocol itself, by repeatedly sending malformed attack data that causes the system to allocate large amounts of resources in error, so that the host hangs or even crashes.
Common DoS Attacks
Denial-of-Service (DoS) attacks are a type of malicious attack that seriously harms the network. Today's DoS attack methods include the ping of death, Teardrop, UDP flood, SYN flood, Land attack and IP-spoofing DoS. Let's see how each is carried out.
1. Ping of death: ICMP (Internet Control Message Protocol) is used on the Internet for error handling and for carrying control information. One of its functions is to check whether a host is "alive" by sending it an echo request; the common Ping program does exactly this. The TCP/IP RFCs strictly limit the maximum packet size, and the TCP/IP stacks of operating systems limit an ICMP packet to 64 KB. After reading the packet header, the stack must allocate a buffer for the payload based on the information contained in the header. A "ping of death" is a deliberately malformed Ping (Packet Internet Groper) packet that claims a size exceeding the ICMP upper limit, that is, a payload larger than the 64 KB maximum. On a system without protective measures this causes a memory allocation error, the TCP/IP stack crashes, and the receiving machine goes down.
2. Teardrop: The teardrop attack exploits the trust that the TCP/IP stack places in the information contained in the header of an IP fragment. An IP fragment carries information indicating which part of the original packet it contains, and some TCP/IP stacks (for example, Windows NT before Service Pack 4) crash when they receive forged fragments with overlapping offsets.
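As an added illustration of the two packet-handling defects just described (it is not code from the original article), here is a receiver-side fragment validator written for this page in Python. It models the checks a TCP/IP stack should make before allocating a reassembly buffer: rejecting a fragment set whose reassembled size would exceed the IPv4 maximum (the ping-of-death condition) and rejecting fragments whose offsets overlap (the teardrop condition). The `Fragment` class and the three sample fragment sets are constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# IPv4 limits (RFC 791): the total-length field is 16 bits, so a reassembled
# datagram, header included, can never exceed 65535 bytes.
IPV4_MAX_TOTAL_LEN = 65535
IPV4_MIN_HEADER_LEN = 20
MAX_PAYLOAD = IPV4_MAX_TOTAL_LEN - IPV4_MIN_HEADER_LEN  # 65515 bytes


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment as a receiver sees it (constructed values, not a capture)."""
    offset_units: int      # fragment-offset field, in 8-byte units
    payload_len: int       # bytes of payload carried in this fragment
    more_fragments: bool   # MF flag

    @property
    def start(self) -> int:
        return self.offset_units * 8

    @property
    def end(self) -> int:
        return self.start + self.payload_len


def check_fragments(frags: List[Fragment]) -> str:
    """Validate a fragment set before committing a reassembly buffer.

    Returns "ok" or a reason to drop the whole set:
      "oversized"  - a fragment would land past byte 65515 of the payload,
                     the ping-of-death condition
      "overlap"    - a fragment overlaps an earlier one, the teardrop condition
      "bad-length" - empty fragment, or a non-final one not a multiple of 8 bytes
      "incomplete" - gaps remain or the last fragment still has MF set
    """
    if not frags:
        return "incomplete"
    ordered = sorted(frags, key=lambda f: f.start)
    covered_end = 0
    for f in ordered:
        if f.payload_len <= 0 or (f.more_fragments and f.payload_len % 8):
            return "bad-length"
        if f.end > MAX_PAYLOAD:
            return "oversized"      # reject before allocating anything
        if f.start < covered_end:
            return "overlap"
        if f.start > covered_end:
            return "incomplete"
        covered_end = f.end
    if ordered[-1].more_fragments:
        return "incomplete"
    return "ok"


# Constructed sample sets (offsets in 8-byte units, MTU-sized 1480-byte fragments).
NORMAL = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 40, False)]
# Last fragment starts at byte 65528 and claims 8 more bytes: payload would end at 65536.
OVERSIZED = [Fragment(0, 1480, True), Fragment(8191, 8, False)]
# Second fragment starts at byte 800, inside the first fragment's 0..1480 range.
OVERLAPPING = [Fragment(0, 1480, True), Fragment(100, 1480, False)]

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("oversized", OVERSIZED), ("overlapping", OVERLAPPING)]:
        print(f"{name}: {check_fragments(frags)}")
```

The size check runs before any buffer is reserved, which is the point of the ping-of-death defence: the decision is made from the header fields alone, so a lying header cannot trigger an allocation error.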
3. UDP flood: UDP (User Datagram Protocol) is widely used on the Internet, and many devices providing services such as WWW and mail are Unix servers whose UDP services hackers can abuse. For example, the echo service returns every packet it receives, and the chargen service, originally intended for testing, replies to every packet it receives with some random characters. A UDP flood exploits these two simple TCP/IP services: the attacker forges a UDP connection to the chargen service of one host, with the reply address pointing to a host on which the echo service is enabled. The two services then bounce useless, bandwidth-filling data back and forth, generating enough junk traffic between the two hosts for this denial-of-service attack to consume the network's available bandwidth quickly.

4. SYN flood: When a user establishes a standard TCP (Transmission Control Protocol) connection, a three-way handshake takes place. First, the requester sends a SYN (synchronize sequence number) message to the server; on receiving the SYN, the server returns a SYN-ACK to confirm; when the requester receives the SYN-ACK, it sends an ACK back to the server, and the TCP connection is established. A "SYN flood" is a DoS attack on the TCP stack during the initialization of this handshake between two hosts: only the first two steps are performed. After the server has sent its SYN-ACK confirmation, the requester uses source address spoofing or other means to ensure that the server never receives the ACK, so the server waits for a certain period for the ACK to arrive. A server has only a limited number of TCP connections available, because it has only a limited memory buffer for creating connections. If that buffer is filled with the initial information of bogus connections, the server stops responding to connections until the attempts in the buffer time out. If a malicious attacker sends such connection requests rapidly and continuously, the server's available TCP connection queue is soon blocked, the system's available resources drop sharply, and the available network bandwidth shrinks rapidly. In the end, apart from a few lucky users whose requests happen to be answered between the mass of fake requests, the server cannot provide normal, legitimate service to its users.
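The handshake state described above can be watched from the server side. The following Python is an added example, not code from the original article: it replays constructed handshake events (`EVENTS`), keeps the half-open connections that have not yet timed out, and reports whether the backlog is exhausted and what fraction of SYNs actually completed. The `backlog` size, `timeout_s` and the thresholds in `is_suspected_syn_flood` are assumed values chosen for the example.

```python
from typing import Dict, List, Tuple

# One handshake event as a server-side monitor would log it:
# (time_s, client_ip, client_port, step), where step is "SYN" (client's first
# packet) or "ACK" (client's third packet, which completes the handshake).
Event = Tuple[float, str, int, str]

# Constructed sample: two clients complete their handshakes, one stale SYN from
# long ago never completed, and eight SYNs from different sources arrive within
# a tenth of a second and are never followed by an ACK.
EVENTS: List[Event] = [
    (0.0, "10.0.0.5", 40001, "SYN"), (0.1, "10.0.0.5", 40001, "ACK"),
    (0.2, "10.0.0.6", 40002, "SYN"), (0.3, "10.0.0.6", 40002, "ACK"),
    (10.0, "10.0.0.7", 40003, "SYN"),
] + [(90.0 + i * 0.01, f"198.51.100.{i + 1}", 50000 + i, "SYN") for i in range(8)]


def syn_flood_indicators(events: List[Event], backlog: int, timeout_s: float, now: float) -> dict:
    """Replay handshake events and summarize the half-open queue as of time `now`.

    Half-open entries older than `timeout_s` are treated as already expired,
    mirroring the server's own timeout for unanswered SYN-ACKs.
    """
    pending: Dict[Tuple[str, int], float] = {}   # (ip, port) -> time of the SYN
    syns = completed = 0
    for t, ip, port, step in events:
        key = (ip, port)
        if step == "SYN":
            syns += 1
            pending[key] = t
        elif step == "ACK" and key in pending:
            completed += 1
            del pending[key]
    live = {k: t0 for k, t0 in pending.items() if now - t0 < timeout_s}
    half_open = len(live)
    return {
        "syns": syns,
        "completed": completed,
        "half_open": half_open,
        "distinct_sources": len({ip for ip, _ in live}),
        "completion_ratio": completed / syns if syns else 1.0,
        "backlog_exhausted": half_open >= backlog,
    }


def is_suspected_syn_flood(ind: dict, min_half_open: int = 4, max_completion_ratio: float = 0.5) -> bool:
    """Flag a flood when the queue is full, or is filling with SYNs that never complete."""
    return ind["backlog_exhausted"] or (
        ind["half_open"] >= min_half_open and ind["completion_ratio"] < max_completion_ratio
    )


if __name__ == "__main__":
    ind = syn_flood_indicators(EVENTS, backlog=8, timeout_s=30.0, now=100.0)
    print(ind, "suspected flood:", is_suspected_syn_flood(ind))
```

Counting per source address is of little use here, because each spoofed SYN carries a different address; the signal is the size of the half-open queue relative to the backlog and the low completion ratio, both visible to the server without trusting the source addresses.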
5. Land attack: In a land attack, the hacker uses a specially crafted SYN packet whose source address and destination address are both set to the address of the server under attack. This causes the receiving server to send a SYN-ACK to its own address, which in turn returns an ACK and creates an empty connection; each such connection is kept until it times out. Under a land attack many UNIX systems crash, and Windows NT becomes extremely slow (for about five minutes).
6. IP-spoofing DoS attack: This attack uses the RST bit of the TCP protocol stack. Through IP spoofing it forces the server to reset the connection of a legitimate user, disrupting that user's session. Suppose a legitimate user has established a normal connection with the server. The attacker constructs TCP data pretending to come from that user's IP address and sends the server a TCP segment with the RST bit set. When the server receives it, it concludes that the connection from that address is faulty and clears the established connection from its buffer. When the legitimate user then sends legitimate data, the server no longer has the connection, the user is refused, and a new connection must be started from scratch.

Common DDoS attacks
Smurf, Fraggle, Trinoo, Tribe Flood Network (TFN), TFN2k and Stacheldraht are common DDoS attack programs. Let's look at how they work; their attack ideas are similar.

1. Smurf attack: Smurf is a simple but effective DDoS attack. Technically, Smurf still relies on the Ping program, launching the attack by broadcasting packets with a forged source IP address. Information can be broadcast to the machines on a network by certain means (through the broadcast address or through other machines). When a machine sends an ICMP echo request (for example, a Ping) to a broadcast address, some systems reply with an ICMP echo response, so a single packet receives many responses. A Smurf attack uses this principle together with a forged source address: the attacker sends into the network ICMP echo request packets whose source address is that of the host to be attacked and whose destination is the broadcast address, so that many systems respond and send large amounts of data to the attacked host at the same time (because the source address was spoofed by the attacker). Smurf pings one or more networks using the forged source address, and as a result the address that all the computers respond to is not the attacking computer that actually sent the packet: the spoofed source address is the real target, and it is drowned by the volume of responses. The network that responds to the forged packets becomes an unwitting accomplice to the attack. A simple Smurf attack ends in network congestion and the collapse of a third party, and its flood traffic is one or two orders of magnitude higher than that of the ping of death. This technique of sending one packet into a network and receiving a large number of responses is also called Smurf "amplification".
2. Fraggle attack: The Fraggle attack is a simple modification of the Smurf attack that uses UDP echo messages instead of ICMP.
3. Trinoo attack: Trinoo is a complex DDoS attack program based on UDP flooding. It uses a "master" program to automatically control any number of "agents" that actually launch the attack. Before the attack, of course, the attacker has already compromised the computer carrying the master program and all the computers carrying the agents, and installed the software on them. The attacker connects to the computer on which the master is installed and starts the master program, which is then responsible for starting all the agents. The agents then flood the network with UDP packets, sending 4-byte UDP packets filled with zeros to random ports on the target host. When these packets exceed the host's processing capacity, the attacked host's network performance degrades steadily until it cannot provide normal service or even crashes. Trinoo does not forge IP addresses, so this method is not used much.
4. Tribe Flood Network (TFN) and TFN2k attacks: Like Trinoo, Tribe Flood Network uses a master program to communicate with attack agents on multiple networks, but it uses ICMP to send commands to the agents, and the source can be forged. TFN can launch countless DoS attacks of various kinds in parallel and can also create packets with disguised source IP addresses. The attacks TFN can launch include SYN flood, UDP flood, ICMP echo request flood and Smurf (using multiple servers to send massive numbers of packets for the DoS). TFN2k encrypts its packets, making the command content harder to inspect; its command source can be forged, and a backdoor is used to control the agents.
5. Stacheldraht attack: Stacheldraht is also based on the same client/server model as TFN and Trinoo; the master program communicates with potentially thousands of agents. When an attack is launched, the attacker connects to the master program. Stacheldraht adds new features: communication between the attacker and the master is encrypted, the command source is forged, and it can evade the RFC 2267 filtering that some routers apply. If such a filter is detected, it forges only the last eight bits of the IP address, so that the victim cannot tell which machine on the network segment the traffic comes from. At the same time, it uses RCP (remote copy) to update the agents automatically. Like TFN, Stacheldraht can launch countless DoS attacks of various kinds in parallel and can create packets with disguised source IP addresses; the attacks it launches include UDP flood, TCP SYN flood and ICMP echo flood.
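The RFC 2267 ingress filter mentioned above (the document now known as BCP 38) and the directed-broadcast blocking that stops a network from acting as a Smurf amplifier can both be expressed as a simple per-packet decision at a border router. The following Python is an added example written for this page, not code from the tools or from the article; the customer prefix, the served network and the sample packets use documentation address ranges and are constructed. The fourth sample packet shows the limitation the Stacheldraht passage describes: a source forged only within the last eight bits of the customer's /24 still lies inside the filtered prefix and passes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Packet:
    """Only the two header fields the filter looks at (constructed, not a capture)."""
    src: str
    dst: str


def ingress_verdict(pkt: Packet, customer_prefix: ipaddress.IPv4Network,
                    served_nets: List[ipaddress.IPv4Network]) -> str:
    """Border-router decision for a packet arriving on a customer-facing interface.

    Two independent rules:
      * RFC 2267 ingress filter: the source address must belong to the prefix
        assigned to that interface; anything else is spoofed and dropped.
      * Smurf amplifier countermeasure: packets addressed to the directed
        broadcast address of any network we route for are dropped, so a
        single echo request can never be turned into many replies.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if src not in customer_prefix:
        return "drop:spoofed-source"
    if any(dst == net.broadcast_address for net in served_nets):
        return "drop:directed-broadcast"
    return "pass"


# Constructed topology using RFC 5737 documentation ranges.
CUSTOMER = ipaddress.ip_network("203.0.113.0/24")   # prefix behind the interface
SERVED = [ipaddress.ip_network("192.0.2.0/24")]    # a network we route for

SAMPLE = [
    Packet("203.0.113.10", "198.51.100.7"),   # ordinary traffic from the customer
    Packet("10.9.9.9", "198.51.100.7"),       # source outside the assigned prefix
    Packet("203.0.113.200", "192.0.2.255"),   # aimed at a directed-broadcast address
    Packet("203.0.113.77", "198.51.100.7"),   # source forged within the customer's own /24
]


def filter_packets(packets: List[Packet], customer_prefix=CUSTOMER, served_nets=SERVED) -> List[str]:
    """Apply ingress_verdict to every packet and return the verdicts in order."""
    return [ingress_verdict(p, customer_prefix, served_nets) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, filter_packets(SAMPLE)):
        print(f"{p.src:>15} -> {p.dst:<15} {verdict}")
```

The filter stops a host from claiming an address outside its own prefix, which defeats the fully forged sources of Smurf and the older tools, but it cannot tell two hosts inside the same /24 apart. That is exactly why the text describes Stacheldraht spoofing only the low eight bits, and why finding the real source within the segment falls back on the logs of the segment's own switches and hosts.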

How to Prevent DoS/DDoS attacks
DoS attacks have existed since the birth of the Internet and have kept developing and upgrading along with it. It is worth noting that DoS tools are not hard to find: the online communities where hackers gather share hacking software by tradition and exchange attack experience, so these tools are easily obtained from the Internet. As mentioned above, the DoS attack software described here can be found freely online, so any Internet user may constitute a potential threat to network security. DoS attacks pose a major threat to the security of the rapidly growing interconnected network. To a certain extent, however, DoS attacks will never disappear, and at present there is no fundamental technical solution.
Faced with fierce DoS attacks, how should we deal with hacker attacks that may come at any time? Let's first summarize the technical problems behind the DoS threat. DoS attacks arise from the following causes:
1. Software vulnerabilities are security-related defects in operating systems or applications. They are mostly caused by programming mistakes, careless source code review, unintended side effects or improper combinations of components. Because the software we use depends almost entirely on its developers, vulnerabilities in software can only be remedied by installing patches, hot fixes and service packs. When a vulnerability is found in an application, the developers promptly release an updated version to fix it, so DoS attacks that arise from defects inherent in a protocol's implementation can be remedied with a simple patch.
2. Misconfiguration also creates security risks for a system. These misconfigurations usually occur in hardware devices, systems or applications and are caused by irresponsible staff or incorrect assumptions. Correctly configuring the routers, firewalls, switches and other network devices reduces the chance of such errors; if necessary, ask a professional technician to fix them.
3. Overload caused by repeated requests. A denial of service is triggered when repeated requests for a resource far exceed its capacity to deliver (for example, excessive requests to an already fully loaded web server overload it).
To protect a system from DoS attacks, for the first two causes the network administrator should actively and carefully maintain the system to ensure there are no security risks or unpatched vulnerabilities; for the third cause, the malicious attack method itself, a firewall or other security device must be installed to filter out DoS traffic. At the same time, it is strongly recommended that the network administrator check the logs of security devices regularly so that threats to the system are detected in time.
