Analysis and Countermeasures of DoS Attacks

Source: Internet
Author: User

Some sites in China suffered large-scale DoS (denial-of-service) attacks in the recent period, including DDoS (distributed denial-of-service) attacks of the kind launched earlier against large international websites such as Yahoo. The affected websites include well-known news websites, commercial websites, securities websites, and even some network security websites. The symptoms are that the site cannot be accessed or responds extremely slowly, and other hosts on the surrounding network segments are affected as well. So far, many sites have not recovered and still cannot be accessed normally.

As the first network security site in China, our main site www.isbase.com also came under a severe denial-of-service attack. The company's technical staff responded immediately: based on the attack methods in use and the attack methods that might follow, a feasible and complete solution was proposed to minimize the harm of the attack. Although the website was under attack, it kept operating normally and the impact on the server was reduced to a minimum. At the same time, we actively contacted other attacked peer sites, which confirmed that the attacks used the same techniques and were probably the deliberate work of one person or group. In addition, judging from our recent emergency responses to other sites, the scale and intensity of this attack are alarming. After adopting our solutions, all the websites that received emergency response have returned to normal.

Based on the attacks on our own site, we made the following preliminary analysis of this large-scale denial-of-service attack:

According to the symptoms, the attacks are of the following types: distributed denial-of-service (DDoS) attacks, SYN-flood attacks, and ICMP bombs. This estimate is based on a review of our site's records after the attack and is the preliminary conclusion drawn from analyzing those records.

To prevent DoS attacks, we must first harden our own systems.

We took the following measures in advance against the DoS attack methods currently in use:

1. To prevent SYN-flood attacks (for the principles of SYN-flood attacks, refer to the technical articles on this site), we hardened the default installed system by recompiling the kernel and setting the corresponding kernel parameters so that the system resets the connection for SYN requests that time out. At the same time, by shortening the timeout constant and enlarging the waiting queue, the system can quickly dispose of invalid SYN requests. If these invalid half-open connections are not forcibly cleared and reset, the system load grows greatly and the system eventually stops responding.

2. To prevent ICMP bomb attacks, the rate of ICMP packets is limited in the system kernel, and the limit value is adjusted in the system parameters so that the system does not stop responding.

3. Add a firewall to the system and use it to filter all inbound and outbound packets.

4. Carefully tune the server parameters. Given the high access volume of the site, we increase the number of web servers and mail servers in advance, that is, we pre-load the servers to a certain degree so that the load of the whole system does not change sharply when the traffic volume changes. A sharp change makes a server crash very likely. This is the same principle as the prestressing technique widely used in construction.

After the server has been hardened, effective methods and rules must be used to detect DoS attacks, so that the corresponding countermeasures can be taken once an attack is detected.

There are many detection methods: checking the router records, the system records, and the current state of the site. When designing a firewall, we generally filter certain special classes of IP packets (no logging is required). These special addresses cannot appear on the Internet because they are not routable. An attacker launching a denial-of-service attack usually hides their real address and identity and does not need the reply packets, so these unroutable addresses are commonly used as forged sources; their appearance often marks the beginning of a denial-of-service attack. The addresses in this category are 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. In our firewall rules, the three private address segments reject all packets outright (deny all). The system then checks the counters of these rules to determine whether an attack is in progress. For example, if we find the following in our counters:

0 0 deny ip from any to 127.0.0.0/8
4552 553302 deny ip from 10.0.0.0/8 to any
0 0 deny ip from any to 10.0.0.0/8
0 0 deny ip from 172.16.0.0/12 to any
0 0 deny ip from any to 172.16.0.0/12
97601 11024404 deny ip from 192.168.0.0/16 to any
0 deny ip from any to 192.168.0.0/16

In this case, we can infer that someone is launching a denial-of-service attack. When we use "netstat -an | grep SYN_RCVD" to check the network connections at that moment, we find a large number of connections in the SYN_RCVD state:

tcp4 0 0 202.109.114.50.80 203.93.217.52.2317 SYN_RCVD
tcp4 0 0 202.109.114.50.80 61.136.54.73.1854 SYN_RCVD

This indicates that the server is under a SYN-flood attack. Recording the source IP addresses of such packets is meaningless, because they are forged by altering the packet header in the attack program.

In a distributed denial-of-service (DDoS) attack, the sheer volume of traffic congests the router of the network segment, which reduces the bandwidth available to almost all servers in the segment and causes access failures. The main router of the segment is also placed under a very heavy load. On Linux, you can recompile the kernel with TCP syncookies enabled in the networking options, boot the new kernel, and add the command echo 1 > /proc/sys/net/ipv4/tcp_syncookies to /etc/rc.d/rc.local (or run it on the command line) to protect against SYN-flood attacks.

For an ICMP packet bomb attack, logging rules on the firewall can detect the attack. Once a certain volume of ICMP packets floods in and the kernel issues a warning because the ICMP traffic exceeds its limit, such an attack is present. At this point the system logs contain records similar to the following:

Deny ICMP route 202.109.114.50 in
Deny ICMP 202.96.113.53 202.109.114.50 in
Deny ICMP route 202.109.114.50 in
Deny ICMP route 202.109.114.50 in
Deny ICMP route 202.109.114.50 in
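The three checks above (counters on deny rules for unroutable source ranges, SYN_RCVD entries in netstat, and denied-ICMP log lines) can be scripted. The following is an added example, not code from the original article or the isbase.com site; the sample inputs are constructed and the thresholds in assess() are assumptions to be tuned to a site's normal baseline.

```python
import re
from collections import Counter

# Constructed samples (numbers made up) modelled on the excerpts on this page.
FW_COUNTERS = """\
0 0 deny ip from any to 127.0.0.0/8
4552 553302 deny ip from 10.0.0.0/8 to any
0 0 deny ip from 172.16.0.0/12 to any
97601 11024404 deny ip from 192.168.0.0/16 to any
"""
NETSTAT = """\
tcp4 0 0 202.109.114.50.80 203.93.217.52.2317 SYN_RCVD
tcp4 0 0 202.109.114.50.80 61.136.54.73.1854 SYN_RCVD
tcp4 0 0 202.109.114.50.80 61.136.54.74.1855 ESTABLISHED
tcp4 0 0 202.109.114.50.25 61.136.54.75.4000 SYN_RCVD
"""
ICMP_LOG = """\
Deny ICMP 202.96.113.53 202.109.114.50 in
Deny ICMP 202.96.113.53 202.109.114.50 in
Deny ICMP 202.96.113.53 202.109.114.50 in
"""
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+deny ip from (\S+) to (\S+)")

def spoofed_source_hits(counters):
    """Packet counts of deny rules hit on a non-routable *source* range (forged traffic)."""
    hits = {}
    for line in counters.splitlines():
        m = RULE_RE.match(line)
        if m and m.group(3) != "any" and int(m.group(1)) > 0:
            hits[m.group(3)] = int(m.group(1))
    return hits

def half_open_per_socket(netstat):
    """Count SYN_RCVD entries per local address.port (netstat -an layout)."""
    c = Counter()
    for f in (line.split() for line in netstat.splitlines()):
        if len(f) >= 6 and f[5] == "SYN_RCVD":
            c[f[3]] += 1
    return dict(c)

def icmp_deny_count(log):
    """Number of firewall log lines that record a denied ICMP packet."""
    return sum(1 for ln in log.splitlines() if ln.startswith("Deny ICMP"))

def assess(counters, netstat, log, syn_limit=1, icmp_limit=2):
    """Thresholds are assumptions; tune them to the site's normal baseline."""
    syn_peak = max(half_open_per_socket(netstat).values(), default=0)
    checks = (("spoofed-source", bool(spoofed_source_hits(counters))),
              ("syn-flood", syn_peak > syn_limit),
              ("icmp-flood", icmp_deny_count(log) > icmp_limit))
    return [name for name, hit in checks if hit]
```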

After detecting the attack, we should take measures to minimize its impact.

Currently, there is no effective way to defend against distributed attacks. What we can do is ask the ISP to rate-limit traffic at the upstream router to reduce the impact of the attack.

For SYN-flood attacks, on the one hand the SYN-flood patch should be applied on the server side; on the other hand, some configuration adjustments are needed on the router of the network segment. These adjustments include limiting the rate and number of SYN half-open connections, performing TCP intercept at the front end of the router (currently limited to Cisco IOS 12.0), and setting quite strict timeout constants on the router. With TCP intercept, the router lets only connections that have completed the TCP three-way handshake into the network segment, which effectively protects the servers in the segment from such attacks. At the same time, deny the three private network segments 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 in the router's access list. On Linux, firewall rules can drop datagrams from these ranges:

# -A appends the rules in the order listed, so loopback traffic on lo is
# accepted before the 127.0.0.0/8 deny that follows it
ipchains -A input -i lo -s 127.0.0.0/8 -j ACCEPT
ipchains -A input -s 127.0.0.0/8 -j DENY
ipchains -A input -s 192.168.0.0/16 -j DENY
ipchains -A input -s 172.16.0.0/12 -j DENY
ipchains -A input -s 10.0.0.0/8 -j DENY

Method 1 for ICMP attacks: reject all ICMP packets on the server (on Linux, run echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all and add the command to /etc/rc.d/rc.local; note that this setting only ignores ICMP echo requests, so other ICMP types still have to be filtered by firewall rules).

To completely eliminate denial-of-service attacks, the source must be traced to find the attacking machines and the attacker. Tracking attackers is not easy: once they stop the attack, it is difficult to find them. The only feasible method is to trace the attack source hop by hop, based on router information and the characteristics of the attack packets, while the attack is in progress. This requires coordination among departments at all levels.
