Anti-DDOS attacks

Preface:This article is the sister-in-law of "Zhang Damin's happiness and troubles in IPv6" and "Zhang Damin's adventure in Jiangnan town". If you want to know the ins and outs of Zhang Damin, you can refer to these two articles.
This article uses his life and research to spread some boring network security knowledge.
　　Collation
At two o'clock in the morning, Zhang Damin's mobile phone began to scream. Zhang Damin fell asleep and looked up and looked at his mobile phone number, knowing that he had to answer the call. Recently, Zhang Damin changed his job. The new company provides security consulting and management for some major websites. Several major technical personnel are responsible for some customers. This call is called by the website administrator of a major customer. "So late, is the kid still at work ?", Zhang Damin muttered in his heart.
"Hello, Xiao Li", Zhang Damin reluctantly answered the phone.
"Brother Damin, a website has an accident !", On the other side of the phone, Xiao Li's voice is a little distorted.
"Why did something happen ?", Zhang Damin asked?
"I don't know. The traffic is so high that it has crashed for two times! The customer's phone is about to blow up the line, "said Xiao Li.
"Who calls your customer service in the middle of the night ?", Zhang Damin thinks that Xiao Li may be blinded by him.
"You don't know, Brother Damin. We have a lot of overseas customers on our website. The time difference is about a dozen hours. It's time for them to spend the afternoon !". Said Mr. Li.
"Okay, well, let me see it." Zhang Damin was helpless and had to wash his face with cold water in a hurry and rush to the data center as soon as possible.
At the data center, Zhang was informed of the severity of the problem. By analyzing the network traffic logs, Zhang found that this was the most common tcp syn Flood attack, that is, attacking the website's WEB server's http tcp port 80, the traffic is huge. Basically, 0.5 million tcp syn packets are received every second. Every SYN message will waste some resources of the WEB server. Almost all resources of the WEB server are occupied by this flood attack, and normal webpage access cannot be achieved. In addition, because the WEB server is overloaded for a long time, its performance is unstable and has crashed twice.
Zhang Damin has never seen a similar situation. In most cases, the source address of IP packets is forged. Sometimes, the private IP address in RFCl918 is used to prevent you from discovering the source of the attack. Once the source of these attacks is discovered, the network administrators will notify each other and the hosts will soon be deprecated by the Administrator. As a result, hackers will lose a controllable online resource.
Zhang Damin hopes that this attack is similar, because such flood attacks make the counterattack method very simple. Private addresses can only be used in private space and should not appear on the public internet, he only needs to configure some access control lists on the Gateway Router of the website and filter out the private address packets whose IP Source Address is RFCl918 in the IP Message, because these packets are certainly not valid packets.
However, after further analyzing the network traffic logs, Zhang Damin found that the attack was a partial flood attack. The source address of most IP packets is the real address on the Internet. Zhang Damin tried several addresses, which can be pinged. I scanned it with NMAP and found that most of them are
[Url = http://www.microsoft.com/china/]
Microsoft
[/Url]
It seems that all of them are "zombie" by OWN ". Zhang Damin estimated that there are about 40 thousands or 50 Thousands different IP addresses in the attack source. The log also contains many spoofed IP Source Address packets. For a moment, Zhang Damin cannot determine which are real IP addresses and which are forged IP addresses. It is estimated that the actual address will be around several hundred to one thousand machines, "awesome", and Zhang Damin secretly thinks. "It is not afraid to expose the real identity of the controlled host (attack source). It is estimated that the number of controlled hosts is more than the estimated number of DDOS attacks, so this guy doesn't care about losing thousands of bots ". "Don't just look at the logs." Xiao Li waited for a while. "Is there a way?
"Have you called your upstream ISP ?", Zhang Damin asked.
"No one answered the question." Xiao Li's voice was already crying.
"Alas", Zhang Damin sighed. In this case, the best way is to contact the ISP of the same game, so that the ISP can find the entrance of the DDOS network to the ISP network in their network, and disconnect it from the ISP network. Although DDOS is estimated to come from all directions, in most cases it will be integrated, and the entry points to the upstream ISP network are still limited. However, if the ISP's network administrator cannot be found in an emergency, there is basically no way.
"If I can't find them, I will have no discount. "Unless you want to configure tens of thousands of access control lists on your Gateway Router to eliminate the sources of these DDOS attacks one by one ".
"I have no more tonight," said Zhang Damin. Looking at the desperate face of his customer, Zhang Damin was not a taste in his heart. In his mind, he thought, "a little tall, a little devil, there must be a good way to counter these DDOS attacks, and it is not necessary to rush to the ISP's network management. I must study how to effectively counter DDOS attacks.
　　DDOS network attack definition
Although Zhang Damin has never been able to stand up for the actions of these DDOS guys, Zhang Damin still finds it challenging to defend against the characteristics of attacks. If there are thousands of "bots", network traffic is enough, zhang Damin has never done it, and he is too lazy to do it now. But it's hard to defend.
One feature (disadvantage) of IPv4 network design is that anyone can send messages to anyone on the Internet, even if you don't want others to send messages to your host, however, as long as your IP address is a public IP address, you cannot stop it. In addition, when designing TCP, one of the design ideas is that all hosts on the Internet should be good people. Everyone is honest on the Internet. If there is a network congestion, TCP will automatically reduce the network sending traffic, and the network conditions will be better. TCP will try again to increase the network traffic at, so as not to burden the network as much as possible. When TCP on hosts all over the world operates in this way, we have today's Internet. Everyone can make a splash on any website. Just like on a highway, all drivers are polite to the first three to ensure that the highway is not congested.
However, no matter how many hackers are there, they are like the young people who are racing on the highway, hitting the Internet on the highway. The host is mine. I want it to do everything. I don't need to give the three secrets, or follow the TCP protocol, or do not follow the status specified by the TCP state machine.
Denial-of-Service (DOS) attacks are developed in this way. People who have learned the basic principles of the network in school know the TCP three-way handshake protocol, that is, the TCP client wants to send a SYN packet, the server returns a SYNACK packet, and the customer returns an ACK packet, the TCP connection is established in two aspects.
In this process, the server must track the complex status of TCP for each TCP connection segment, so as to better ensure the normal operation of the TCP connection. Denial-of-service attacks do not work according to the TCP status transition diagram. They only act as the server releasing tcp syn packets. The server assumes that they are a TCP connection to be established, because it thinks the opposite must be a law-abiding Internet citizen who will establish a status for the TCP connection and allocate memory. Customers at the network end do not follow the rules. It only publishes a large number of High-Speed tcp syn packets to the server. However, the server is still kind confident that every tcp syn packet is followed by a law-abiding Internet citizen who continues to allocate memory to them, resulting in a lot of waste. What's worse is that the act of this law-abiding host makes other law-abiding hosts unable to access this server, because almost all resources are occupied by this law-abiding host, other law-abiding hosts cannot enjoy the services provided by this server. This is why such a service is called a Denial-of-Service attack. When people realize this problem, the simplest solution is to block these irresponsible hosts. The only way to shield these hosts is to determine the unique identifier of a host in the IPv4 world based on the IP address of these hosts.
Hackers also have a solution. Well, aren't you trying to block me from my IP address? Then I will forge my IP source address, so that you can't guess where I came from, and my source address is random, every newspaper is changing, in this way, you don't know where I came from. As a result, the website administrator cannot block the website administrator. How can this problem be solved? The website administrator finds the system administrator and network administrator. They can see that this solution is good. Hackers can forge IP source addresses, but these machines can all be managed by the network administrator and system administrator, no matter how the IP address changes, there is only one attack source. You can block the attack source. But the hacker said, Well, you want to shield my attack source, right? Then I will get hundreds or thousands of attack sources, each attack source is still on a different network. Use a random IP address for each attack source. In this way, both the website administrator, system administrator, and network administrator are scratching their heads.
And they scratched their heads until today. Today, the Division-based Denial of Service (DDOS) attack is the biggest headache in the network engineering field, because the attack source division is located in different corners of the world, you cannot contact your network administrator or system administrator one by one. This is the afternoon, and it may be the early morning. In addition, the current business website has a large amount of cash traffic, and the hourly cost of turning offline can reach millions of dollars. The response time should be within several seconds. It takes at least a few hours to contact the network administrator and the system administrator to locate the problematic host and cut off the attack source.
It is precisely because there is no feasible solution that some malicious hackers are beginning to use this attack method more and more freely and gradually develop to use this attack method to extort large commercial websites from money, this will bring your website offline, causing greater losses. If you give money, it will be even worse. All hackers know that you are bullied and blackmailed. If you can get the money, you will become the target of everyone.
　　Anti-DDOS Method
Zhang Damin, who has many friends in both black and white circles in the network security field, is not familiar with these situations.
Zhang Damin felt that the construction was easy to damage, and this rule was also applicable to the research and development of network protocols. The biggest characteristic of TCP is its scalability. At any time, no more than a few millions of people around the world use TCP, or even tens of millions (considering so many websites ). So many TCP connections exist on the Internet at the same time, and each connection can ensure certain transmission performance, which is not easy to achieve.
When I went to college, I saw the TCP status chart and thought it was very complicated. Now I know that it is necessary to know the complex status. It is to ensure that TCP is represented as a modest gentleman on the Internet, avoid network congestion, so that everyone who wants to use the internet can use it anytime, anywhere. When I tried to debug TCP that year, the entire Internet had to go offline several times before TCP debugging was successful. The efforts of all of them could be imagined. With such a big effort, it is really amazing that an unreasonable TCPSYN flood attack makes a poor decision.
　　Use ISP to counter DDOS attacks
One of them is to block the attack source. However, the power of the road is too high.