DDoS attack analysis methods and analysis

Source: Internet
Author: User

Introduction to DDoS

DDoS stands for Distributed Denial of Service. It is the most common network attack and the hardest to defend against. Like a traditional DoS attack, it uses seemingly legitimate service requests to occupy too many service resources, so that legitimate users receive no service response. DDoS is an enhanced version of traditional DoS: the attack no longer comes from a single PC but from a large cluster of PCs (typically compromised machines, "bots", that the attacker controls). The effect and scale of such an attack are beyond comparison with a traditional DoS. The structure of a DDoS attack is as follows:

For example, the attacker usually sends attack commands through a "stepping stone", the control machine (labelled 2 in the figure); the slave machines launch a flood against the victim once they receive the command. When normal service requests are drowned out, normal service cannot be delivered.

DDoS types

There are many DDoS attack methods; they can be divided into three categories:

Attacks that mainly consume system resources

Representatives are SYN flood and simulated attacks that consume large amounts of system resources, such as repeatedly issuing the database queries that a normal user access request would trigger. Attacks that consume system resources can be very effective without a large volume of traffic. Take SYN flood against a Windows 2000 system: with 4 GB of physical memory, the kernel memory is less than 300 MB, and all kernel modules must share it, so the kernel memory available for the half-open connection queue is very small. If port 80 of a Windows 2003 web server receives 5000 SYN packets per second, the website becomes unreachable within about a minute. A standard SYN packet is 64 bytes, so 5000 per second amounts to 5000*64*8 (converted to bits)/1024 = 2500 Kbps, about 2.5 Mbps: a small amount of bandwidth is enough to paralyze the server port. Because the source IP addresses of the attack packets are forged, it is hard to trace the attack source, which is why such attacks are common.

Attacks that consume network resources

Representatives include UDP flood, ICMP flood, smurf, etc. These attacks drown normal data requests under a large number of forged packets to achieve denial of service. Most of the packets are large, and the forgery is obvious. Note that a UDP flood consumes not only network resources but also the system resources of the attacked host. This follows from the design of UDP: when the attacked host receives a datagram for a UDP port it has not opened, it sends back an ICMP port unreachable message. Under a large number of such requests, the resources spent sending ICMP messages keep growing, and in the worst case the system has no resources left to allocate to normal requests.

Attacks that exploit bugs in the system or network devices

Representatives include ping of death, land and teardrop. Most of these attacks are carefully crafted: by exploiting a system vulnerability they crash or reboot the server or network device, which then cannot provide normal service. Such attacks are rarely seen in practice.

DDoS attack analysis

The symptoms of a DDoS attack are obvious: network bandwidth is heavily consumed, network utilization approaches 100%, server CPU and memory consumption is very high, and normal services respond slowly or not at all. When customers encounter this, their first reaction is "I am under attack". But which attack exactly? What measures should be taken? We recommend using packet capture analysis to understand and analyze the situation.

Packet capture analysis intuitively and accurately reflects the current state of the network and reveals the attack behavior and method. Only with a clear understanding of the attack can we adopt targeted defenses, which are active and effective.

Here we analyze several common DDoS attacks.

SYN flood


The underlying principle is not elaborated here. SYN flood attacks are relatively easy to launch and hard to defend against. Before analyzing this attack, we first set up TCP parameters using the powerful custom chart function of KKE. I defined two TCP request monitoring charts: click "New panel" in the upper-right corner of "My charts".

We select "TCP synchronous transmission" (SYN sent) and "TCP synchronous confirmation" (SYN-ACK sent).

For SYN flood, we can also use the alarms provided by kelai as an early warning. We set the alarm as follows:

The alarm is triggered when the number of TCP SYN requests per second exceeds 1000 and this lasts for 5 seconds; it is cleared when the number of TCP SYN requests per second stays below 500 for 5 seconds.
Then we import the previously captured DDoS attack packets for analysis.
First, in the endpoint view, we find that the packets received and sent by the attacked endpoint are out of proportion: it receives a large number of packets but sends few. In addition, the traffic volume is large and there are many TCP sessions.

The chart shows the TCP SYN and TCP SYN-ACK packet rates directly.

We can see nearly 20000 SYN requests per second to the attacked host, while the TCP SYN-ACK count is almost 0.
The TCP SYN alarm has also fired.

The traditional views also clearly reveal the SYN flood on the network. Looking at the TCP sessions,

we see a large number of Internet hosts using different source ports to send SYN requests to port 135 of 192.168.10.104, and the number of TCP sessions reaches tens of thousands within a few seconds.
The enhanced matrix view also shows the connection situation of the attacked host intuitively: more than 10000 remote hosts, and the attacked host only receives packets and sends none.

In the packet view, the "decoding field" option shows intuitively that packets with the TCP SYN flag set to 1 make up the majority of packets on the network.
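The alarm rule and the SYN versus SYN-ACK comparison described above, as an added Python example that is not part of the original article or the analyzer's own code: it replays a constructed per-second SYN / SYN-ACK series through the 1000-SYN/s trigger and 500-SYN/s clear thresholds with the 5-second hold, and reports the handshake completion ratio that collapses during the flood. The constant names and the sample series are assumptions.

```python
# Constructed per-second (SYN, SYN-ACK) counts at the monitored host, as a
# capture tool would chart them. Seconds 0-2 are normal traffic; seconds 3-8
# mimic the capture above (~20000 SYN/s, SYN-ACK near 0); then the flood ends.
SAMPLE_PER_SECOND = [
    (120, 118), (130, 127), (110, 109),
    (20000, 3), (19500, 2), (21000, 1), (20200, 0), (19800, 0), (20500, 0),
    (400, 380), (300, 290), (250, 240), (200, 195), (150, 148), (120, 119),
]

TRIGGER_RATE = 1000   # SYN/s above which the trigger condition holds
CLEAR_RATE = 500      # SYN/s below which the clear condition holds
HOLD_SECONDS = 5      # either condition must persist this long (hysteresis)

def syn_alarm_timeline(per_second):
    """Replay (SYN, SYN-ACK) counts through the alarm rule.
    Returns (events, alarm_on); events are (second, "ALARM"|"CLEAR", syn, synack)."""
    alarm_on = False
    above = below = 0          # consecutive seconds in trigger / clear condition
    events = []
    for t, (syn, synack) in enumerate(per_second):
        if syn > TRIGGER_RATE:
            above, below = above + 1, 0
        elif syn < CLEAR_RATE:
            above, below = 0, below + 1
        else:                  # between the thresholds: neither condition counts
            above = below = 0
        if not alarm_on and above >= HOLD_SECONDS:
            alarm_on = True
            events.append((t, "ALARM", syn, synack))
        elif alarm_on and below >= HOLD_SECONDS:
            alarm_on = False
            events.append((t, "CLEAR", syn, synack))
    return events, alarm_on

def handshake_completion(per_second):
    """Fraction of SYNs answered with a SYN-ACK over the window: near 1.0 when
    healthy, near 0 during a SYN flood (half-open queue exhausted)."""
    syn_total = sum(s for s, _ in per_second)
    synack_total = sum(a for _, a in per_second)
    return synack_total / syn_total if syn_total else 1.0

def syn_flood_bandwidth_kbps(syn_per_second, syn_bytes=64):
    """Bandwidth a SYN flood needs, using the article's 64-byte SYN packet."""
    return syn_per_second * syn_bytes * 8 / 1024

if __name__ == "__main__":
    for t, kind, syn, synack in syn_alarm_timeline(SAMPLE_PER_SECOND)[0]:
        print(f"t={t:2d}s {kind}: {syn} SYN/s, {synack} SYN-ACK/s")
    print(f"5000 SYN/s needs {syn_flood_bandwidth_kbps(5000):.0f} Kbps")
```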



Through the rich charts and the different views, we can quickly determine which DDoS attack is being used and take measures to reduce losses.

The following measures can be taken to prevent SYN flood attacks:

Border routers filter out the private IP address ranges defined in RFC 1918, which cannot be routed on the public network.

Shorten the SYN timeout on the router or firewall and use SYN proxy technology.

Harden the server's TCP/IP stack: increase the maximum number of half-open connections, shorten the SYN timeout, and use SYN cookies.

Use a hardware device or module that prevents DDOS attacks.


UDP flood

UDP flood is a hybrid attack that quickly consumes network bandwidth or system resources.
Before analyzing the UDP flood attack, we use the chart function to set up monitoring of UDP sessions.

After that, we import and analyze the UDP flood packets.
First, we can see the UDP sessions in the chart view.

The number of UDP sessions per second exceeds 300, peaking at 480, although the server provides no UDP service. The statistics view also shows that 24328 UDP sessions were created in 40 seconds.

Looking at the UDP sessions, we find a large number of random Internet IP addresses accessing different UDP ports of 192.168.10.104.

In the packet view, we can see a large number of UDP packets arriving within very short intervals.

To defend against UDP flood attacks, you can do the following:

Increase network bandwidth and server performance.

Set UDP session limits for routers and firewalls.

Use source address filtering (as ISPs do) to discard UDP packets whose source address has no return route.

ICMP flood

In an ICMP flood, the attacking hosts send a large number of ICMP echo requests to saturate the network and drown normal service requests. This attack mainly targets network bandwidth.

This type of DDoS has obvious characteristics, and capturing the attack packets makes the phenomenon plain. First, the overview view shows a very large number of IP sessions, far exceeding the number of TCP and UDP sessions.


In the protocol view, the ICMP echo request traffic is very large while the echo reply traffic is tiny; the proportion is clearly unbalanced.

In the matrix view, the attacked IP address communicates with tens of thousands of IP addresses (the matrix shows at most 10000 peers of the target host by default). The attacked host only receives and does not send.

In the packet view, we can see a large number of ICMP packets with obvious signs of forgery:


With these simple steps we can quickly identify an ICMP DDoS attack on the network.

ICMP DDoS defense is relatively simple: disable the ICMP protocol on the border router, firewall and server.

Smurf attack

A smurf attack is a carefully designed DoS attack. By exploiting the configuration of some network devices or vulnerabilities in the system itself, one initiator can generate several times its own traffic; it works as a traffic amplifier. The attack principle is as follows:

The attacker sends a packet carrying a specific request (such as an ICMP echo request) to the broadcast address of a subnet, with the source address forged as the address of the host to be attacked. Every host on the subnet responds to the broadcast request and sends its reply to the attacked host, which is thus flooded. The traffic is multiplied by the number of hosts in the subnet.

The most obvious sign of a smurf attack is that ICMP accounts for a large share of network traffic and most of the source addresses belong to one subnet. Smurf attacks are easy to prevent: disable forwarding of ICMP to the broadcast address on the subnet router.
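The ICMP flood and smurf signatures described above (echo requests from many sources that the victim barely answers, versus unsolicited echo replies clustered in one subnet), as an added Python example that is not part of the original article. The packet records are constructed (source, destination, ICMP type) tuples, and the ratio and share thresholds are assumptions.

```python
import ipaddress
from collections import Counter

ECHO_REPLY, ECHO_REQUEST = 0, 8      # ICMP type numbers
VICTIM = "192.168.10.104"            # attacked host from the captures above

def summarize_icmp(packets, victim):
    """Tally ICMP echo traffic around `victim` from (src, dst, icmp_type) records."""
    inbound = [p for p in packets if p[1] == victim]
    outbound = [p for p in packets if p[0] == victim]
    # group inbound sources by /24 to spot an amplifier subnet
    subnets = Counter(str(ipaddress.ip_interface(f"{p[0]}/24").network)
                      for p in inbound)
    top_count = subnets.most_common(1)[0][1] if subnets else 0
    return {
        "echo_request_in": sum(p[2] == ECHO_REQUEST for p in inbound),
        "echo_reply_in": sum(p[2] == ECHO_REPLY for p in inbound),
        "echo_request_out": sum(p[2] == ECHO_REQUEST for p in outbound),
        "echo_reply_out": sum(p[2] == ECHO_REPLY for p in outbound),
        "distinct_sources": len({p[0] for p in inbound}),
        "top_subnet_share": top_count / len(inbound) if inbound else 0.0,
    }

def classify_icmp(packets, victim=VICTIM):
    s = summarize_icmp(packets, victim)
    # Smurf: replies arrive for requests the victim never sent, and the reply
    # sources cluster in one subnet (the amplifier's broadcast domain).
    if s["echo_reply_in"] > 10 * (s["echo_request_out"] + 1) and s["top_subnet_share"] > 0.9:
        return "smurf"
    # ICMP flood: echo requests from many sources while the victim barely replies.
    if s["echo_request_in"] > 10 * (s["echo_reply_out"] + 1) and s["distinct_sources"] > 100:
        return "icmp_flood"
    return "normal"

# Constructed sample captures (not real traffic).
def icmp_flood_capture():
    # 2000 distinct forged sources each send one echo request; no replies go out
    return [(f"10.{i // 256}.{i % 256}.{(i * 7) % 256}", VICTIM, ECHO_REQUEST)
            for i in range(2000)]

def smurf_capture():
    # every host of one /24 answers a broadcast ping whose source was forged as VICTIM
    amplifier = ipaddress.ip_network("203.0.113.0/24")
    return [(str(h), VICTIM, ECHO_REPLY) for h in amplifier.hosts()] * 20

def normal_capture():
    # the victim pings one host three times and gets three replies
    return [(VICTIM, "198.51.100.7", ECHO_REQUEST), ("198.51.100.7", VICTIM, ECHO_REPLY)] * 3
```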
