Zhanhailiang Date: 2014-10-26
TCP three-way handshake protocol
TCP is a reliable, connection-oriented protocol. To ensure reliability, establishing a TCP connection is divided into several steps, a process called the "three-way handshake". Next we analyze the process of establishing a connection using an example.
Step 1: the client sends a TCP packet to the server requesting a connection. To do this, the client sets the packet's SYN bit to 1 and its sequence number seq = 1000 (assume 1000).
Step 2: the server receives the packet and learns from SYN = 1 that this is a connection request. The server sends a TCP packet back to the client. Because it is a response to the client's request, the server sets ACK to 1, ack_seq = 1001 (1000 + 1), and its own sequence number seq = 2000 (assume 2000).
Step 3: the client receives the server's TCP packet and, from ACK = 1 and ack_seq = 1001, recognizes the server's acknowledgment. The client therefore sends its own acknowledgment to the server, setting ACK = 1, ack_seq = 2001, and seq = 1001. At this point the client has completed the connection.
In the last step, the server receives the acknowledgment and the connection is complete.
Through the above steps, a TCP connection is established. Of course, errors may occur during establishment, but the TCP protocol handles such errors itself.
DoS attack principle
The client performs step 1. After the server receives the packet, it performs step 2. In a normal TCP connection, the client should then perform step 3.
However, the attacker never performs step 3, because in step 1 the client forged its own IP address, filling a nonexistent IP address into the source address field of the IP packet. Since no host actually receives the packet the server sends, the server never receives the step 3 acknowledgment, so the server waits (time_wait) until the timeout expires.
When a large number of clients send such requests, the server accumulates a large number of TCP connections waiting in time_wait until all server resources are used up, so no resources can be allocated to accept requests from other clients.
Then, when a normal user sends a request to the server, the request fails because no resources are available. This produces a denial-of-service (DoS) attack.
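The following is an added example, not part of the original article: a toy in-memory model of a listener's half-open queue, showing the handshake numbers from the steps above and how unanswered step 2 replies hold slots until the timeout. The half-open entries modelled here correspond to the SYN-RECEIVED state of the TCP state machine. The backlog size, timeout, class and function names, and the documentation-range addresses are assumptions chosen for illustration.

```python
"""Toy model of a TCP listener's half-open queue (constructed example, no network I/O)."""

class Listener:
    def __init__(self, backlog=4, timeout=3, isn=2000):
        self.backlog = backlog    # max half-open entries (assumed value)
        self.timeout = timeout    # ticks to wait for the step 3 ACK (assumed value)
        self.isn = isn            # server sequence number, 2000 as in the article
        self.half_open = {}       # (src_ip, src_port) -> (expected_ack_seq, expires_at)
        self.established = set()
        self.now = 0

    def tick(self, n=1):
        """Advance time and drop half-open entries whose ACK never arrived."""
        self.now += n
        self.half_open = {k: v for k, v in self.half_open.items() if v[1] > self.now}

    def on_syn(self, src, seq):
        """Step 1 -> step 2: return the reply fields, or None if the queue is full."""
        if src not in self.half_open and len(self.half_open) >= self.backlog:
            return None           # no slot left: the request is refused
        self.half_open[src] = (self.isn + 1, self.now + self.timeout)
        return {"SYN": 1, "ACK": 1, "seq": self.isn, "ack_seq": seq + 1}

    def on_ack(self, src, seq, ack_seq):
        """Step 3: complete the handshake only if ack_seq is the server's seq + 1."""
        entry = self.half_open.get(src)
        if entry is None or entry[0] != ack_seq:
            return False
        del self.half_open[src]   # slot is released as soon as the ACK arrives
        self.established.add(src)
        return True


def demo():
    srv = Listener()
    # Normal handshake with the article's numbers: seq=1000 -> ack_seq=1001, seq=2000.
    synack = srv.on_syn(("192.0.2.10", 40000), seq=1000)
    completed = srv.on_ack(("192.0.2.10", 40000), seq=1001, ack_seq=synack["seq"] + 1)
    # Constructed SYNs whose source addresses never answer: step 3 never happens.
    for i in range(4):
        srv.on_syn((f"198.51.100.{i}", 50000), seq=1000)
    refused = srv.on_syn(("192.0.2.11", 40001), seq=1000) is None
    srv.tick(3)                   # half-open entries time out and free their slots
    accepted_after_timeout = srv.on_syn(("192.0.2.11", 40001), seq=1000) is not None
    return synack, completed, refused, accepted_after_timeout


if __name__ == "__main__":
    print(demo())
```

The model makes the two defensive levers visible: a larger backlog and a shorter wait for the step 3 acknowledgment both reduce the time during which a legitimate request is refused.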
Summary
The main cause of DoS attacks is that TCP connection establishment is a blocking process: after sending the packet in step 2, the server waits until it times out without receiving the client's acknowledgment. This ties up a large amount of server resources, which therefore cannot be provided for legitimate requests.
Analysis of Denial-of-Service (DoS) attack principles