Attack principle and defense method of DDoS

Source: Internet
Author: User

Everyone has probably heard of DoS, DDoS and DrDoS attacks. DoS is short for denial of service; DDoS is short for distributed denial of service; DrDoS is short for distributed reflection denial of service.

Of the three, DDoS is the most powerful. DrDoS is a newer method, but it is really a variant of DDoS: the one difference is that it does not require the attacker to first take over a large number of "broilers" (compromised hosts used as attack bots). All three, as described here, abuse the TCP three-way handshake (Smurf, the ancestor of DrDoS, abuses ICMP echo requests in the same way), so the defensive approach is much the same for all of them.

DoS was the first to appear. Plainly put, it is a one-on-one fight: whoever has the faster machine with more capacity wins. But technology has moved on. A typical web site today is served by more than ten hosts, and the processing power, memory and network speed of each host have grown quickly; some links now exceed gigabit speeds. A one-on-one attack therefore has little effect, and it is the attacker's machine that is likely to die. For example, if your machine can send 10 attack packets per second while the target (top-notch performance and bandwidth) can receive and process 100 attack packets per second, your attack is useless and your own host is the one likely to crash: sending a 1-vs-1 flood drives the attacker's CPU above 90%, and if that machine is not well specified, it is the first to fall over.

But technology develops, and so does the attackers' technology; as the saying goes, when the defence rises a foot, the attack rises ten. After countless attempts, attackers found a new form of DoS attack: DDoS. Plainly put, it is a gang fight: many machines launch a DoS attack against the target at once. This does not mean many attackers take part; a single attacker operates it. Nor does the attacker own many machines; instead he takes over a large number of "broilers" across the network and controls them to launch the attack, which is why it is called distributed. Take the same example: your machine can send 10 attack packets per second and the target can handle 100, so your attack alone does not work, but with 10 or more machines attacking the target at once the outcome needs no explanation.

DrDoS, distributed reflection denial of service, is a variant of DDoS. Unlike DDoS, DrDoS does not require the attacker to take over a large number of "broilers" before the attack. Its principle is similar to the Smurf attack, except that DrDoS works across the WAN while Smurf works within a LAN.

Smurf relies on broadcast addresses and request/response behaviour. When one computer sends a particular kind of packet to another, such as an ICMP ping request, it gets a response. If the request is sent to the network's broadcast address, it actually reaches every computer on that network, and every one of them responds. Each response has to be received and processed, and each one consumes some system resources; if every computer on the network responds at the same time, the receiver is likely to be overwhelmed, much as in a DDoS attack. Nobody is foolish enough to attack themselves this way, but attackers greatly improved the method: the attacker sends the request to the broadcast address, every computer receives it, but they send their responses not to the attacker but to the victim. This works because the attacker impersonates the victim: the packet-crafting software the attacker uses can forge the source address, and the hosts that receive the forged packet reply to that source address, which is of course the victim's. The attacker also shortens the interval between requests so that a large number can be sent in a short time, and the victim is swamped by a flood of responses from the deceived computers, crashing just as it would under a DDoS attack. In this way the attacker turns every computer on the network against the victim without having to compromise the reflecting hosts in advance. That is the Smurf attack.

DrDoS works on the same principle. Using a packet-crafting tool, the attacker sends TCP SYN connection requests with a forged source address to the hosts that will serve as reflectors. Following the rules of the three-way handshake, each of those hosts answers the request with a SYN+ACK (if the port is open) or an RST (if it is closed), sent to the source IP address in the request. As in Smurf, that source address is the victim's, so the reflectors send their responses to the victim, which is kept busy handling them until it is paralysed.


SYN (synchronize sequence numbers) is used to establish a connection: in a connection request SYN=1, ACK=0; in the response to that request SYN=1, ACK=1. SYN and ACK together distinguish a connection request from a connection acceptance.

RST (reset the connection) is used to reset a connection that has gone wrong for some reason and to reject illegal data or requests. Receiving a segment with the RST bit set usually indicates an error, for example a request to a port that is not listening.

ACK (acknowledgment field significant): when set to 1 it indicates that the acknowledgment number is valid; when 0, the segment carries no acknowledgment and the acknowledgment number is ignored.

TCP three-way handshake:

Suppose we want to establish a connection and the server is listening normally.

Step one: we, the client, send a segment with the SYN bit set to the server to indicate that we want a connection. Assume the initial sequence number of this request is 10; then SYN=1, ACK=0, seq=10. We then wait for the server's response.

Step two: when the server receives such a request, it checks whether the specified port is listening. If it is not, the server answers with a segment with RST=1 and refuses the connection. If the port is listening, the server sends a confirmation: its own initial sequence number (an internal value chosen by the server, assume 100) and an acknowledgment number equal to the client's sequence number plus 1. In this example the server sends SYN=1, ACK=1, seq=100, ack=11, telling us that it is ready for the connection and waiting for our confirmation. When we receive the response we check these values and prepare to send the final confirmation.

Step three: we send the confirmation to the server. Its sequence number is the acknowledgment number the server sent (our own number plus 1), and its acknowledgment number is the server's sequence number plus 1: SYN=0, ACK=1, seq=11, ack=101.

With that, the connection is established.
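The exchange above, replayed as actual header bytes, as an added example that is not part of the original article: the script builds each segment with Python's struct module and decodes it again, so the flag bits and the sequence/acknowledgment arithmetic can be checked rather than taken on faith. The port numbers, the initial sequence numbers 10 and 100, and the closed-port branch that answers with RST are assumptions for illustration; checksums are not computed.

```python
import struct

# Flag bits in the TCP header (RFC 793); only SYN, ACK and RST matter for the handshake.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Serialize a minimal 20-byte TCP header with no options.
    The checksum is left at zero: it needs the IP pseudo-header, which this
    illustration does not model."""
    data_offset = 5                                  # header length in 32-bit words
    offset_and_flags = (data_offset << 12) | flags   # 4 bits offset, 3 reserved, 9 flag bits
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       offset_and_flags, window, 0, 0)


def parse_tcp_header(raw):
    """Decode the fixed part of a TCP header into the fields the text talks about."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, offset_and_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    flags = offset_and_flags & 0x1FF
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "SYN": bool(flags & SYN), "ACK": bool(flags & ACK), "RST": bool(flags & RST),
        "header_len": (offset_and_flags >> 12) * 4,
    }


def three_way_handshake(client_isn=10, server_isn=100, client_port=40000,
                        server_port=80, port_listening=True):
    """Replay the exchange from the text as real header bytes and return the
    decoded segments in order, as (direction, fields) tuples."""
    segments = []
    # Step 1: client -> server, SYN=1 ACK=0, seq = client's initial sequence number
    syn = build_tcp_header(client_port, server_port, client_isn, 0, SYN)
    segments.append(("client->server", parse_tcp_header(syn)))
    if not port_listening:
        # Closed port: the server refuses with RST (ACK set so the client can match it) and stops here
        rst = build_tcp_header(server_port, client_port, 0, client_isn + 1, RST | ACK)
        segments.append(("server->client", parse_tcp_header(rst)))
        return segments
    # Step 2: server -> client, SYN=1 ACK=1, seq = server ISN, ack = client ISN + 1
    syn_ack = build_tcp_header(server_port, client_port, server_isn, client_isn + 1, SYN | ACK)
    segments.append(("server->client", parse_tcp_header(syn_ack)))
    # Step 3: client -> server, SYN=0 ACK=1, seq = client ISN + 1, ack = server ISN + 1
    final_ack = build_tcp_header(client_port, server_port, client_isn + 1, server_isn + 1, ACK)
    segments.append(("client->server", parse_tcp_header(final_ack)))
    return segments


if __name__ == "__main__":
    for direction, fields in three_way_handshake():
        print(direction, fields)
```

Running the script prints the three decoded segments; passing port_listening=False shows the RST branch instead, which is exactly the reply a DrDoS reflector with a closed port sends to the forged source.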

How does a DDoS attack work? The most popular and most effective method is the SYN flood. A SYN flood never completes the third step of the handshake: it never sends the confirmation to the server. The server therefore cannot complete the handshake, but it does not give up immediately; it keeps retransmitting its SYN+ACK and waits for a certain time before discarding the unfinished connection. This wait is called the SYN timeout and is typically somewhere between 30 seconds and 2 minutes. One user's broken connection leaving one server thread waiting a minute is no big deal, but if someone uses special software to simulate a huge number of such connections, the consequences are easy to imagine: the server spends large amounts of system resources and bandwidth maintaining this mass of half-open connections and can no longer serve normal users, whose requests are now a tiny fraction of the traffic. The server stops working. This is the SYN flood attack.

So far, defending against DDoS attacks remains difficult. The attack exploits the design of the TCP/IP protocols themselves, so unless you stop using TCP/IP you cannot rule it out completely. That does not mean there is nothing to be done: we can do our best to reduce the impact of DDoS attacks. Some defensive measures:

1. Keep the server's system files at the latest version and apply system patches promptly.

2. Turn off unnecessary services.

3. Limit the number of SYN (half-open) connections that may be open at the same time.

4. Shorten the timeout for SYN half-open connections.

5. Configure the firewall correctly:

Block access to the host's non-public services.

Restrict access to specific IP addresses.

Enable the firewall's anti-DDoS features.

Strictly restrict outbound access from the server to the ports that are actually open.

Use a port mapper and a port scanner to carefully check both privileged and unprivileged ports.

6. Check the logs of network devices and host/server systems carefully. Gaps or tampering in the logs, or unexpected changes to their timestamps, may mean the machine has been attacked.

7. Restrict network file sharing outside the firewall. Otherwise an attacker has an opportunity to obtain system files, and exposing the host's information to an attacker is simply handing them a way in.

8. Router (taking a Cisco router as an example):

Enable Cisco Express Forwarding (CEF).

Use unicast reverse-path forwarding (uRPF).

Filter with access control lists (ACLs).

Rate-limit SYN packets.

Upgrade IOS versions that are too old.

Set up a log server for the routers.
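An added model (not the article's own content, and not Cisco configuration) of three of the router-side controls listed above: an ACL that admits only the published ports, strict unicast reverse-path forwarding, and a per-source SYN rate limit. The topology (upstream on eth0, a server LAN 198.51.100.0/24 behind eth1), the port list, the limit of 20 SYNs per source per second and all packets in run_scenario() are constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict, deque


class IngressPolicy:
    """Model of three router-side controls, applied per packet in order: an ACL that
    only admits the ports the server publishes, strict unicast reverse-path
    forwarding (the source prefix must route back out the interface the packet
    arrived on), and a per-source SYN rate limit over a sliding window."""

    def __init__(self, routes, open_ports, syn_limit=20, window=1.0):
        # routes: (prefix, interface) pairs, ordered longest-prefix-first like a FIB lookup
        self.routes = sorted(((ipaddress.ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.open_ports = set(open_ports)
        self.syn_limit = syn_limit
        self.window = window
        self.syn_times = defaultdict(deque)   # src_ip -> timestamps of recent SYNs

    def egress_interface(self, ip):
        """Longest-prefix match: which interface would we use to reach this address?"""
        addr = ipaddress.ip_address(ip)
        for net, iface in self.routes:
            if addr in net:
                return iface
        return None

    def check(self, pkt, now):
        """pkt: dict with src, dport, syn (bool) and in_iface. Returns (verdict, reason)."""
        if pkt["dport"] not in self.open_ports:
            return "drop", "acl"
        if self.egress_interface(pkt["src"]) != pkt["in_iface"]:
            return "drop", "urpf"             # forged or unroutable source address
        if pkt["syn"]:
            recent = self.syn_times[pkt["src"]]
            while recent and now - recent[0] >= self.window:
                recent.popleft()
            if len(recent) >= self.syn_limit:
                return "drop", "syn-rate"
            recent.append(now)
        return "accept", ""


def example_policy():
    # Constructed topology: upstream on eth0, the server LAN 198.51.100.0/24 behind eth1.
    return IngressPolicy(routes=[("0.0.0.0/0", "eth0"), ("198.51.100.0/24", "eth1")],
                         open_ports={80, 443}, syn_limit=20, window=1.0)


def run_scenario():
    """Feed constructed packets through the policy and count the outcomes."""
    pol = example_policy()
    packets = [
        # an ordinary client SYN to the web port
        ({"src": "203.0.113.10", "dport": 80, "syn": True, "in_iface": "eth0"}, 0.0),
        # DrDoS-style SYN whose source is forged as an address on our own server LAN,
        # yet it arrives from upstream: strict uRPF catches the mismatch
        ({"src": "198.51.100.5", "dport": 80, "syn": True, "in_iface": "eth0"}, 0.0),
        # a probe of a port the server does not publish
        ({"src": "203.0.113.10", "dport": 23, "syn": True, "in_iface": "eth0"}, 0.0),
    ]
    # one source bursting 25 SYNs within a quarter of a second
    packets += [({"src": "203.0.113.77", "dport": 443, "syn": True, "in_iface": "eth0"}, 1.0 + i * 0.01)
                for i in range(25)]
    outcomes = Counter()
    for pkt, t in packets:
        verdict, reason = pol.check(pkt, t)
        outcomes[verdict if verdict == "accept" else f"drop:{reason}"] += 1
    return outcomes


if __name__ == "__main__":
    print(dict(run_scenario()))
```

The forged-source packet is the one a DrDoS attacker sends toward a reflector: its source address belongs to a prefix that routes out eth1, yet it arrived on eth0, so strict uRPF (on Cisco IOS, "ip verify unicast source reachable-via rx") discards it before any host has to answer. Strict mode assumes symmetric routing; on links where return traffic legitimately takes another path, use loose mode ("reachable-via any") instead. The rate limit only bounds SYNs per source, so a flood spread across many forged sources still depends on the uRPF check and on filtering upstream.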

Once we understand how DDoS attacks work and keep improving our defences, we can block part of them. Know the enemy and you will win.
