Distributed denial of service attacks
A distributed denial of service (DDoS) attack uses client/server technology to combine many computers into one attack platform and launch a denial of service attack against one or more targets, multiplying the power of the attack. Typically the attacker uses a stolen account to install a DDoS master program on one computer; at a set time the master program communicates with a large number of agents that have already been installed on many computers across the network, and each agent launches the attack as soon as it receives the instruction. Because the client/server model is used, the master program can activate hundreds of agents within seconds.
Attack phenomena
A large number of TCP connections are waiting on the attacked host;
The network is flooded with a large volume of useless packets;
Useless high-volume traffic with forged source addresses causes network congestion, so the victim host cannot communicate normally with the outside world;
A flaw in the transport protocol of a service provided by the victim host is exploited to issue a specific service request repeatedly, so that the host cannot handle all normal requests;
In severe cases the system crashes.
More information: http://baike.baidu.com/link?url=uFA3D9ZUj7uWPJ-MtKm3C2xYQ-yt30zHbTlRTKP-vVCK1EYstjf_6G7ZZyCn63Fg
[Figure: a brief illustration of the DDoS principle (image not available)]
Analysis and solutions:
Scenario one:
1. A script to mitigate SYN attacks
SYN flood: currently the most common DoS (denial of service) attack. It uses a flaw in the TCP protocol to send a large number of forged TCP connection requests, so that the attacked host runs out of resources (CPU at full load or memory exhausted).
I. How to detect whether you are under a DDoS attack
The first method: here is a very useful command
# netstat -an | grep SYN_RECV | wc -l
If the number displayed is large, you have very likely been hit.
# Collect foreign addresses with more than 5 half-open (SYN_RECV) connections and block them
netstat -an | grep SYN_RECV | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -rn | awk '{if ($1>5) print $2}' > /tmp/dropip
for i in $(cat /tmp/dropip)
do
    /sbin/iptables -A INPUT -s $i -j DROP
    echo "$i kill at $(date)" >> /var/log/ddos
done
Scenario two:
Run a script that blocks addresses that open too many connections to the host (DOS-Deflate, based on iptables). Its installer:
#!/bin/sh
if [ -d '/usr/local/ddos' ]; then
    echo; echo; echo "Please un-install the previous version first"
    exit 0
else
    mkdir /usr/local/ddos
fi
clear
echo; echo 'Installing DOS-Deflate 0.6'; echo
echo; echo -n 'Downloading source files ...'
wget -q -O /usr/local/ddos/ddos.conf http://www.inetbase.com/scripts/ddos/ddos.conf
echo -n '.'
wget -q -O /usr/local/ddos/LICENSE http://www.inetbase.com/scripts/ddos/LICENSE
echo -n '.'
wget -q -O /usr/local/ddos/ignore.ip.list http://www.inetbase.com/scripts/ddos/ignore.ip.list
echo -n '.'
wget -q -O /usr/local/ddos/ddos.sh http://www.inetbase.com/scripts/ddos/ddos.sh
chmod 0755 /usr/local/ddos/ddos.sh
cp -s /usr/local/ddos/ddos.sh /usr/local/sbin/ddos
echo '...done'
echo; echo -n 'Creating cron to run script every minute .....(default setting)'
/usr/local/ddos/ddos.sh --cron > /dev/null 2>&1
echo '.....done'
echo; echo 'Installation has completed.'
echo 'Config file is at /usr/local/ddos/ddos.conf'
echo 'Please send in your comments and/or suggestions to [email protected]'
echo
cat /usr/local/ddos/LICENSE | less
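The following is an added example, not code from the original post and not part of DOS-Deflate. It reimplements the detection half of both scenarios above in a form that can be reviewed before anything is blocked: it counts SYN_RECV connections per foreign address from netstat-style output, lists the addresses above a threshold, removes any address present in an ignore list (the role DOS-Deflate's ignore.ip.list plays), and prints the iptables rules the post's loop would run instead of executing them. The netstat lines, the ignore list and the threshold are constructed for the example; it assumes the Linux `netstat -an` column layout (foreign address in column 5, state in column 6). Unlike the post's `awk -F:` one-liner, it strips only the trailing port, so IPv6 addresses are not mangled.

```shell
#!/bin/sh
# Added example: review-first version of the SYN_RECV detection in the post.
# Not the post's own script and not DOS-Deflate code.

# Constructed sample of `netstat -an` output (not a real capture).
# 198.51.100.7 has 6 half-open connections, 203.0.113.9 has 1,
# 2001:db8::bad (IPv6) has 7.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.5:80             198.51.100.7:51234      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51235      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51237      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51238      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51239      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40002       ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::bad:5001      SYN_RECV
tcp6       0      0 2001:db8::10:443        2001:db8::bad:5002      SYN_RECV
tcp6       0      0 2001:db8::10:443        2001:db8::bad:5003      SYN_RECV
tcp6       0      0 2001:db8::10:443        2001:db8::bad:5004      SYN_RECV
tcp6       0      0 2001:db8::10:443        2001:db8::bad:5005      SYN_RECV
tcp6       0      0 2001:db8::10:443        2001:db8::bad:5006      SYN_RECV
tcp6       0      0 2001:db8::10:443        2001:db8::bad:5007      SYN_RECV'

# Constructed ignore list, one address per line, in the spirit of
# DOS-Deflate's ignore.ip.list (addresses that must never be blocked,
# e.g. localhost or an upstream load balancer).
IGNORE_LIST='127.0.0.1
198.51.100.7'

# syn_recv_total: number of half-open connections on stdin
# (the post's first check, `netstat -an | grep SYN_RECV | wc -l`).
syn_recv_total() {
    grep -c 'SYN_RECV$'
}

# syn_offenders THRESHOLD: print "count address" for each foreign address
# with more than THRESHOLD half-open connections, highest count first.
# Only the trailing ":port" is removed, so IPv6 addresses survive intact.
syn_offenders() {
    threshold="$1"
    awk '$6 == "SYN_RECV" { print $5 }' \
      | sed 's/:[0-9]*$//' \
      | sort | uniq -c | sort -rn \
      | awk -v t="$threshold" '$1 > t { print $1, $2 }'
}

# syn_offender_addrs THRESHOLD: the addresses only, one per line
# (what the post writes to /tmp/dropip).
syn_offender_addrs() {
    syn_offenders "$1" | awk '{ print $2 }'
}

# drop_ignored: remove any address listed in IGNORE_LIST from stdin.
drop_ignored() {
    awk -v ignore="$IGNORE_LIST" '
        BEGIN { n = split(ignore, a, "\n"); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        !($1 in skip)'
}

# propose_drop_rules: print, rather than execute, the rule the post's loop
# would apply for each address on stdin, so the list can be reviewed first.
propose_drop_rules() {
    while read -r ip; do
        if [ -n "$ip" ]; then
            printf '/sbin/iptables -A INPUT -s %s -j DROP\n' "$ip"
        fi
    done
}

if [ "${1:-}" = "--demo" ]; then
    printf 'half-open connections: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_total)"
    printf '%s\n' "$SAMPLE_NETSTAT" | syn_offenders 5
    printf '%s\n' "$SAMPLE_NETSTAT" | syn_offender_addrs 5 | drop_ignored | propose_drop_rules
fi
```

Run it with `--demo` to see the constructed sample processed; in practice replace the sample with `netstat -an` output. On the sample, the threshold of 5 flags 2001:db8::bad (7) and 198.51.100.7 (6), and the ignore list then removes 198.51.100.7, so only one DROP rule is proposed. The same threshold on the post's `awk -F:` pipeline would have split the IPv6 address at its first colon and counted every IPv6 client under "2001".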
Test (the URL is a placeholder for the server under test):
ab -n 1000 -c 10 http://<target-host>/
ab
Options
-A auth-username:password
Supplies basic authentication credentials to the server. The user name and password are separated by a colon and sent Base64-encoded. The string is sent whether or not the server asks for it (that is, whether or not it has returned a 401 response).
-c concurrency
Number of requests to perform at one time. The default is one at a time.
-C cookie-name=value
Adds a Cookie: line to the request. The argument is typically a name=value pair. This option may be repeated.
-d
Do not display the "percentage served within XX [ms] table" (kept for compatibility with earlier versions).
-e csv-file
Writes a comma-separated (CSV) file containing, for each percentage (from 1% to 100%), the time in milliseconds it took to serve that percentage of requests. This is usually more useful than the 'gnuplot' file because the data is already binned.
-g gnuplot-file
Writes all measured values to a 'gnuplot' or TSV (tab-separated) file. It can easily be imported into gnuplot, IDL, Mathematica, Igor or even Excel. The first line holds the column headings.
-h
Displays usage information.
-H custom-header
Appends extra headers to the request. The argument is typically a valid header line containing a colon-separated field and value pair (for example, "Accept-Encoding: zip/zop;8bit").
-i
Performs HEAD requests instead of GET.
-k
Enables the HTTP KeepAlive feature, i.e. performs multiple requests within one HTTP session. By default KeepAlive is not enabled.
-n requests
Number of requests to perform for the benchmarking session. The default is a single request, whose result is usually not representative.
-p POST-file
File containing the data to POST.
-P proxy-auth-username:password
Supplies basic authentication credentials to a proxy en route. The user name and password are separated by a colon and sent Base64-encoded. The string is sent whether or not the proxy asks for it (that is, whether or not it has returned a 401 response).
-q
For large runs, ab outputs a progress count on stderr roughly every 10% or 100 requests processed. The -q flag suppresses these messages.
-s
When compiled in (ab -h will show you), use SSL-protected HTTPS rather than the HTTP protocol. This feature is experimental and very rudimentary; it is better not to use it.
-S
Do not display the median and standard deviation values, and do not display the warning or error messages when the mean and median are one to two times the standard deviation apart. By default the min/mean/max values are displayed. (Kept for compatibility with earlier versions.)
-t timelimit
Maximum number of seconds to spend benchmarking. Internally it implies -n 50000. Use it to benchmark the server within a fixed total amount of time. By default there is no time limit.
-T content-type
The Content-Type header to use for POST data.
-v verbosity
Sets the verbosity level: 4 and above prints headers, 3 and above prints response codes (404, 200, etc.), and 2 and above prints warnings and informational messages.
-V
Displays the version number and exits.
-w
Prints the results as HTML tables. By default the table is two columns wide with a white background.
-x <table>-attributes
String to use as attributes for <table>. The attributes are inserted as <table here >.
-X proxy[:port]
Use a proxy server for the requests.
-y <tr>-attributes
String to use as attributes for <tr>.
-z <td>-attributes
String to use as attributes for <td>.
Defects
The program has various statically declared fixed-length buffers. In addition, the parsing of command-line arguments, of the server's response headers and of other external inputs is very simplistic, which may have undesirable consequences.
It does not implement HTTP/1.x completely; it accepts only certain 'expected' response formats. The frequent use of strstr(3) can cause performance problems, meaning you may end up measuring the performance of ab rather than of the server.
To be continued; other testing tools will be added later.
This article is from the mifan6 blog; please keep this source: http://mifan6.blog.51cto.com/9954601/1713305