I. Introduction to DDOS
A Denial of Service (DoS) attack "consumes the resources of the target host or network in order to interfere with or paralyze the services provided to legitimate users." This is the definition given in the "Security FAQ" of international authorities.
DDOS uses multiple computers to launch DoS attacks against one or more targets in a distributed manner. Its characteristic goal is to "paralyze the opponent" rather than the traditional aims of destruction or password theft. Because the attacking computers are spread across the Internet worldwide, the attacks are difficult to trace.
At present, DDOS attack methods have developed into a very serious public security issue, known as a "hacker weapon". Unfortunately, the technology for dealing with denial-of-service attacks has not developed at the same pace. Because of the defects and borderlessness of the TCP/IP Internet protocols, current national mechanisms and laws find it difficult to trace and punish DDOS attackers. DDOS attacks are also gradually being integrated with worms and botnets, developing into a network fraud tool with automated propagation, centralized control, and distributed attacks. According to experts at Founder Information Security Technology Co., Ltd., there are many methods and theories for DoS, from defense to traceback, for example SynCookie, HIP (History-based IP Filtering), and ACC control. Many theoretical methods have also been proposed for tracing, for example IP Traceback, ICMP Traceback, Hash-Based IP Traceback, and Marking. However, these technologies can only mitigate attacks and protect hosts; completely eliminating DDOS attacks remains a huge engineering and technical problem.
II. Attack principles
Currently, DDOS attacks are divided into two types: bandwidth depletion and resource depletion.
Bandwidth depletion attacks mainly block the egress of the target network, consuming so much bandwidth that normal Internet services can no longer be provided. Common examples are Smurf attacks, UDP Flood attacks, and MStream Flood attacks. QoS is a common countermeasure against such attacks: traffic is rate-limited on routers or firewalls to guarantee bandwidth for normal use. A pure bandwidth depletion attack is easy to recognize and discard.
Resource depletion attacks exploit defects in the server's processing to consume key resources of the target server, such as CPU and memory, so that it can no longer provide normal service. Common examples are Syn Flood attacks and NAPTHA attacks. Resource depletion attacks take advantage of defects in the system's normal network protocol processing, which makes it difficult for the system to distinguish normal streams from attack streams and therefore difficult to prevent them. This is currently the most important problem in the industry; the Founder SynGate product, for example, is designed specifically to defend against such attacks.
Based on the DDOS attack principle, defense against DDOS attacks is divided into three layers: prevention at the attack source (Source-end), prevention on routers (Router-based), and prevention at the target (Target-end). Source-end protection technologies include DDOS tool analysis and removal and attack-source-based prevention; backbone network protection technologies include pushback technology and IP tracking technology; target-end protection measures include DDOS attack detection, router protection, gateway protection, and host settings.
According to many practical analyses by Founder's security engineers, target-end protection technology is the most widely used. The attacked party at the target end is willing to pay an appropriate cost for protection, and it is less difficult to implement. Prevention on the backbone network and at the attack source is difficult to implement, and cooperation there is limited by both willingness and difficulty.
III. Summary of comprehensive defense methods
Currently, there are three main defense methods based on the target computer system: gateway, router, and host.
1. Gateway defense
Gateway defense uses specialized technologies and devices to prevent DDOS attacks at the gateway, such as the Founder firewall, which is attached to the network as a transparent bridge, or the Founder Black Shark and other hardware products. The gateway mainly uses technologies such as the SynCookie method, the HIP method based on IP access records, and the client computing bottleneck method.
The SynCookie method requires the client to answer with a digital receipt to prove its authenticity when establishing a TCP connection. Because it solves the problem of the limited half-open connection queue of the target computer system, SynCookie has become the most widely used anti-DDOS method, and the new SCTP and DCCP protocols adopt similar techniques. The limitation of the SynCookie method is that every handshake packet that tries to establish a connection must be answered with a response packet; that is, for every attack packet the method generates a response packet, so the attack stream is multiplied and bandwidth resources are greatly wasted. In addition, when the initiator of a distributed denial-of-service attack uses random source addresses, the destination addresses of the response stream generated by the SynCookie method are highly divergent, so the routing cache resources of the target computer system and its surrounding routing devices are exhausted and become a new point of attack. Real routing avalanche events of this kind have occurred in actual network confrontations.
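As an added example (not code from the original article or from Founder's products), here is a minimal stateless SYN cookie in Python: the server folds a keyed hash of the connection 4-tuple and a coarse time counter into the SYN-ACK sequence number, stores no half-open entry, and later verifies the client's ACK as the "digital receipt" described above. The secret, the MSS table and the addresses are constructed assumptions.

```python
import hashlib
import hmac
import struct

# Constructed assumptions for this example: a per-boot random secret, a small
# MSS table so the MSS survives in 3 bits, and two sample endpoints.
SECRET = b"constructed-demo-secret-change-me"
MSS_TABLE = (536, 1300, 1440, 1460)
CLIENT = bytes([203, 0, 113, 7])
SERVER = bytes([192, 0, 2, 10])


def _mac(saddr, sport, daddr, dport, count):
    """24-bit keyed hash over the 4-tuple and the coarse time counter."""
    msg = struct.pack("!4sH4sHI", saddr, sport, daddr, dport, count)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, mss, count):
    """ISN placed in the SYN-ACK: 5 bits time counter | 3 bits MSS index | 24 bits MAC.
    Nothing is kept for the half-open connection; the cookie itself is the receipt.
    Every SYN still costs one SYN-ACK, which is the bandwidth limitation noted above."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac(saddr, sport, daddr, dport, count)
    return ((count & 0x1F) << 27) | (mss_idx << 24) | mac


def check_syn_cookie(saddr, sport, daddr, dport, ack, count_now, max_age=2):
    """Validate the handshake's final ACK. Returns the negotiated MSS when the receipt
    is genuine and recent, else None. A spoofed source never reaches this point
    because it never receives the SYN-ACK that carries the cookie."""
    cookie = (ack - 1) & 0xFFFFFFFF
    age = (count_now - (cookie >> 27)) & 0x1F      # counter is only 5 bits wide
    if age > max_age:
        return None                                # too old: cookie expired
    count = count_now - age                        # recover the full counter value
    if _mac(saddr, sport, daddr, dport, count) != (cookie & 0xFFFFFF):
        return None                                # forged or tampered receipt
    return MSS_TABLE[(cookie >> 24) & 0x7]
```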
The HIP method uses behavior statistics to distinguish attack packets from normal packets and establishes a trust level for every accessing IP address. During a DDOS attack, IP addresses with a higher trust level receive higher priority, which solves the identification problem.
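An added illustration of the HIP idea (example code, not Founder's implementation): trust is accumulated from connections that completed normally, a flood is suspected when most SYNs in a window come from never-seen sources, and in that state only sources with enough history are admitted, highest trust first. The sample history and flood window are constructed.

```python
from collections import Counter

# Constructed sample data (assumption, not traffic from the original article):
# sources that completed handshakes in normal operation, with repeat counts,
# and one window of SYN sources during a flood (known clients + 40 spoofed ones).
NORMAL_HISTORY = ["203.0.113.7"] * 5 + ["203.0.113.9"] * 3 + ["198.51.100.4"]
FLOOD_WINDOW = ["203.0.113.7", "203.0.113.9", "198.51.100.4"] + [
    "192.0.2.%d" % i for i in range(1, 41)
]


class HistoryIPFilter:
    """HIP: trust is earned by completed connections; under a suspected flood only
    sources with enough history are served, ordered by trust level."""

    def __init__(self, trusted_min=2, new_source_ratio=0.5):
        self.history = Counter()           # ip -> completed connections observed
        self.trusted_min = trusted_min     # history needed to be served under attack
        self.new_source_ratio = new_source_ratio

    def learn(self, ip):
        """Record a legitimately completed handshake (normal operation only)."""
        self.history[ip] += 1

    def trust_level(self, ip):
        return self.history[ip]            # Counter returns 0 for unknown keys

    def attack_suspected(self, syn_sources):
        """Behaviour statistic: flood suspected when most SYNs in the window come
        from sources that have never completed a connection."""
        if not syn_sources:
            return False
        unseen = sum(1 for ip in syn_sources if ip not in self.history)
        return unseen / len(syn_sources) > self.new_source_ratio

    def filter_window(self, syn_sources):
        """Return (admitted, dropped) for one window of SYN sources."""
        if not self.attack_suspected(syn_sources):
            return list(syn_sources), []
        admitted = [ip for ip in syn_sources if self.trust_level(ip) >= self.trusted_min]
        dropped = [ip for ip in syn_sources if self.trust_level(ip) < self.trusted_min]
        admitted.sort(key=self.trust_level, reverse=True)
        return admitted, dropped


def demo():
    """Train on the normal history, then filter the flood window."""
    hip = HistoryIPFilter()
    for ip in NORMAL_HISTORY:
        hip.learn(ip)
    return hip.filter_window(FLOOD_WINDOW)
```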
The client computing bottleneck method moves the resource bottleneck of access from the server to the client, which greatly increases the cost of a distributed denial-of-service attack; the resource access pricing method is one example. The protocol of the client computing bottleneck method is complex and requires major changes to existing operating systems and the network structure, which greatly limits the operability of the method.
To sum up, gateway anti-DDOS technology can effectively relieve attack pressure and is suitable for protecting the attacked party.
2. Router defense
Defense methods based on backbone routing mainly include Pushback and SIFF. However, because backbone routers are generally managed by telecom operators, it is difficult to adjust them to user requirements. In addition, because of the heavy load on backbone routers, the authentication and authorization problems on them are hard to solve, so this approach can hardly become an effective independent solution. Therefore, methods based on backbone routing are generally used as auxiliary tracing solutions, combined with other methods for prevention.
Router-based ACLs and throttling are effective preventive measures, such as restricting access based on the characteristics of attack packets, discarding packets from the attacker's IP addresses, or limiting abnormal traffic. Intercept mode can also be enabled: the router answers the Syn packet in place of the server, and once the client's handshake completes it establishes a connection with the server on behalf of the client. Similar to SynProxy technology, when both connections have been established the router transparently merges the two connections.
IV. Development and trends of defense technology
DDOS attacks have developed rapidly. To increase attack power, many new attack techniques have been adopted: forging packet data to remove the distinguishing characteristics of attack packets; combined exploitation of protocol and system processing defects; mixing several kinds of attack packets in hybrid attacks; and pre-generating attack packets to increase the attack rate. Currently, an attack tool can launch 6 to attack packets per second from a single point, which is enough to block a large or medium-sized website with a bandwidth of MB.
Anti-DDOS technology is mainly designed around attack tracking and gateway defense. Tracking methods that use ICMP packets or marked packets, as proposed by Burch and Cheswick, are currently a hot topic. The goal of attack tracking research on the backbone network is to locate the attack source at the start of an attack, so as to block its spread and reduce the loss at the target. Gateway anti-DDOS technology will be the focus of future product development and will become the anti-DDOS protective shield for websites of all kinds. The current hot spot is the use of behavior statistics and other methods to distinguish attack packets, for example the CIP technology used by Founder Black Shark. As the technology develops, gateway anti-DDOS products will be widely used.