I. How DDoS attacks work
DDoS is short for Distributed Denial of Service. A DDoS attack works in roughly one of three ways:
1. Sending a large volume of packets that saturates the server's bandwidth, so the link itself is paralyzed;
2. Sending specially crafted packets that make the server's TCP/IP protocol stack exhaust its CPU and memory, so the server is paralyzed;
3. Establishing connections according to the protocol specification and then sending specially crafted packets that make the network service software running on the server (for example a web server, FTP server or game server) exhaust its CPU and memory, so the server is paralyzed.
II. Types of DDoS attacks
Because attack tools (Trojans) can update their attack packets and attack methods at any time, new variants appear very quickly. Here we introduce the principles and categories of several common attacks.
1. SYN variant attacks
SYN packets with spoofed source IP addresses are sent, but instead of the usual 64 bytes each packet is thousands of bytes long. This kind of attack causes some firewalls to mishandle the packets and deadlock, consumes the server's CPU and memory, and can also saturate the bandwidth.
2. TCP flag-confusion attacks
TCP packets with spoofed source IP addresses are sent with the TCP flags set in confused combinations: SYN, ACK, SYN+ACK, SYN+RST and so on. This causes some firewalls to mishandle the packets and lock up, consumes the server's CPU and memory, and can also saturate the bandwidth.
3. Attacks on the UDP protocol
Many chat rooms and video/audio applications transmit their data over UDP. Attackers analyze the application's network protocol and then send attack packets that are identical to normal packets. This kind of attack is very hard to defend against: a firewall usually blocks it by matching a signature of the attack packets, but that also blocks normal packets.
4. Multi-connection attacks on web servers
Many zombie hosts (bots) are directed to visit the website at the same time, so the web server cannot keep up and is paralyzed. These attacks look the same as normal visits; the only difference is that the number of simultaneous requests is dozens of times higher or more. Some firewalls can defend against this by limiting the number of connections each IP address may open, but then a normal user who opens a few extra pages of the site will be blocked.
5. A web server attack variant
Many bots are directed to visit the website, each establishing a single connection and keeping it open, then constantly sending special GET requests that make the site's database or certain pages consume a lot of CPU. Limiting the number of connections per IP fails here, because each bot establishes only one connection, or at most a few. This kind of attack is very hard to defend against; firewall solutions are introduced later.
6. Another web server attack variant
Many bots are directed to connect to the website's port, but instead of sending GET requests they send garbage characters. Many firewalls detect attacks by checking whether the first three bytes of the packet are "GET" and then analyzing the HTTP protocol, so an attack that never sends a request bypasses the firewall and reaches the server. A server usually sits on shared bandwidth of no more than 10M, so the attack packets from many bots saturate the server's share of the bandwidth and paralyze it. This kind of attack is also very hard to defend against, because simply blocking packets from clients that contain no GET would mistakenly drop many normal packets and prevent normal users from visiting. Firewall solutions are introduced later.
7. Attacks on game servers
There are very many game servers; the one introduced here is the most influential, the Legend game. Legend uses port 7000 for login and registration, port 7100 for character selection, and ports 7200, 7300, 7400 and so on for gameplay. Because the game's own protocol is very complex, the attack variants are also numerous (there are dozens of them) and new ones keep being discovered. The most widespread is the dummy attack: bots imitate the game client and actively register, log in, create characters and enter the game, imitating normal players at the data-protocol level, so it is difficult to tell from the game packets which are attacks and which are normal players.
III. Basic DDoS protection methods:
1. Disable unnecessary services
1. Alerter [notifies selected users and computers of administrative alerts]
2. ClipBook [enables ClipBook Viewer to store information and share it with remote computers]
3. Distributed File System [merges dispersed file shares into one logical name and shares it; once disabled, remote computers can no longer access it]
4. Distributed Link Tracking Server [used for distributed link tracking within a LAN]
6. Indexing Service [provides index content and properties of documents on local or remote computers; leaks information]
7. Messenger [sends alert messages]
8. NetMeeting Remote Desktop Sharing [NetMeeting's remote desktop sharing; exposes client information for collection]
9. Network DDE [provides Dynamic Data Exchange for programs running on the same or different computers]
10. Network DDE DSDM [manages Dynamic Data Exchange (DDE) network shares]
11. Remote Desktop Help Session Manager [manages and controls Remote Assistance]
12. Remote Registry [enables remote users to modify the local registry]
13. Routing and Remote Access [provides routing services in LAN and WAN environments; hackers can use the routing service to snoop on registration information]
14. Server [supports file, print and named-pipe sharing over the network for this computer]
15. TCP/IP NetBIOS Helper [provides support for NetBIOS over TCP/IP and NetBIOS name resolution for clients on the network; lets users share files, print and log on to the network]
16. Telnet [allows remote users to log on to this computer and run programs]
17. Terminal Services [allows users to connect interactively to a remote computer]
18. Windows Image Acquisition (WIA) [imaging service for scanners and digital cameras]
2. Raise the number of connections from the default 128 or 512 to 2048 or more, lengthening the queue of connections processed each time, so that more connection requests can be absorbed and digested;
3. Set the connection timeout shorter, to make sure normal packets still get through while illegal attack packets are shut out;
4. Update the system promptly and install patches;
5. Use load-balancing techniques, i.e. spread the transactions across several different servers;
6. Traffic diversion (scrubbing) techniques: the most ideal protection against large-volume attacks, but it usually requires professional hardware firewalls, which are expensive.
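The three web-server variants in section II (many connections per bot, one long-lived connection issuing expensive requests, and connections that send junk instead of a request) and the tuning advice in items 2 and 3 above all come down to a connection-admission policy in front of the server. As an added example that is not part of the original article, here is a small Python simulation of such a policy: a cap on concurrent connections per source IP, a deadline by which a new connection must have sent a valid HTTP request line, and a per-connection request-rate budget. All limits, addresses and events are assumed values constructed for the demo, and each data event is taken to hold one complete request line (a real proxy would have to buffer TCP segments first).

```python
import re
from collections import Counter, defaultdict, deque

# Policy knobs: assumed values for this demonstration, not figures from the article
MAX_CONN_PER_IP = 8           # concurrent connections allowed per source address
FIRST_REQUEST_DEADLINE = 5.0  # seconds a new connection may stay silent or non-HTTP
REQ_WINDOW = 10.0             # sliding window (seconds) for the per-connection budget
MAX_REQ_PER_WINDOW = 20       # requests one connection may issue inside the window

# A syntactically valid HTTP/1.x request line; junk bytes will not match
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


class EdgePolicy:
    """Admission policy a reverse proxy or filter could apply in front of a web server."""

    def __init__(self):
        self.conns = {}                  # conn_id -> per-connection state
        self.per_ip = defaultdict(int)   # live connection count per source address
        self.verdicts = {}               # conn_id -> "accepted" or the drop reason

    def _drop(self, conn_id, reason):
        state = self.conns.pop(conn_id)
        self.per_ip[state["ip"]] -= 1
        self.verdicts[conn_id] = reason

    def expire(self, now):
        """Drop connections that never sent a valid request within the deadline
        (the junk-bytes and idle-connection variants); this is the short timeout."""
        for conn_id, state in list(self.conns.items()):
            if not state["seen_request"] and now - state["opened"] > FIRST_REQUEST_DEADLINE:
                self._drop(conn_id, "first-request-timeout")

    def handle(self, t, ip, conn_id, kind, data=b""):
        """Process one event in time order: kind is 'open', 'data' or 'close'."""
        self.expire(t)
        if kind == "open":
            if self.per_ip[ip] >= MAX_CONN_PER_IP:     # many-connections variant
                self.verdicts[conn_id] = "per-ip-limit"
                return
            self.per_ip[ip] += 1
            self.conns[conn_id] = {"ip": ip, "opened": t, "seen_request": False, "reqs": deque()}
            self.verdicts[conn_id] = "accepted"
        elif kind == "data" and conn_id in self.conns:
            state = self.conns[conn_id]
            if not REQUEST_LINE.match(data):           # junk instead of a request
                self._drop(conn_id, "non-http")
                return
            state["seen_request"] = True
            state["reqs"].append(t)
            while state["reqs"] and t - state["reqs"][0] > REQ_WINDOW:
                state["reqs"].popleft()
            if len(state["reqs"]) > MAX_REQ_PER_WINDOW:  # one connection, endless expensive GETs
                self._drop(conn_id, "request-rate")
        elif kind == "close" and conn_id in self.conns:
            state = self.conns.pop(conn_id)
            self.per_ip[state["ip"]] -= 1


def run(events, end_time):
    """Replay constructed events through the policy and return the final verdicts."""
    policy = EdgePolicy()
    for event in sorted(events, key=lambda e: e[0]):
        policy.handle(*event)
    policy.expire(end_time)
    return policy.verdicts


GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

# Constructed event stream: one normal visitor, one bot holding a single
# connection that hammers GETs, and one bot opening many connections that
# send junk or nothing at all.
EVENTS = [
    (0.0, "203.0.113.5", "user-1", "open"),
    (0.1, "203.0.113.5", "user-1", "data", GET),
    (2.0, "203.0.113.5", "user-1", "data", GET),
    (3.0, "203.0.113.5", "user-1", "close"),
    (0.5, "198.51.100.12", "slow-1", "open"),
    (1.0, "198.51.100.9", "bot-junk", "open"),
    (1.5, "198.51.100.9", "bot-junk", "data", b"\x16\x03\x01zzzz"),
]
EVENTS += [(1.0 + 0.2 * k, "198.51.100.12", "slow-1", "data", GET) for k in range(25)]
EVENTS += [(1.01 + 0.01 * i, "198.51.100.9", f"bot-idle-{i}", "open") for i in range(8)]

if __name__ == "__main__":
    print(Counter(run(EVENTS, end_time=30.0).values()))
```

The per-IP cap is exactly the control the article says hurts users behind a shared address, which is why the deadline and the per-connection budget carry most of the weight here: a normal visitor opening a few pages stays well inside all three limits, while the junk-sending and idle bots are dropped without the filter ever having to parse HTTP beyond the first line.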
IV. How to tell whether a website is under DDoS attack
1. The attacked host has a large number of TCP connections in a waiting state, which can be seen with the netstat -an command;
2. Pinging the server shows severe packet loss, or the ping does not get through at all;
3. CPU usage is very high, sometimes even reaching 100%, and in severe cases the machine blue-screens and crashes (this is the most common symptom of a CC attack);
4. Connecting over port 3389 responds very slowly or reports that the computer is too busy to accept new connections;
5. The network is flooded with useless packets whose source addresses are spoofed.
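Symptom 1 above is easiest to act on when the netstat output is summarised rather than read by hand. As an added example that is not part of the original article, this Python script parses Windows-style netstat -an output, counts TCP connections by state, and reports either a pile of half-open (SYN_RECEIVED) connections or a single remote address holding an unusual number of connections to the service port. The netstat text is constructed to resemble a server under attack, and the thresholds (50 half-open, 20 per source) are assumed for the demo; run it with --live to read the real netstat on the machine instead.

```python
import re
from collections import Counter

# One row of Windows-style "netstat -an" output (IPv4 only for this demo)
NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*([A-Z_]+)?\s*$"
)


def parse_netstat(text: str):
    """Turn raw netstat -an text into a list of row dicts, skipping header lines."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state = m.groups()
            rows.append({"proto": proto, "laddr": laddr, "lport": lport,
                         "raddr": raddr, "rport": rport, "state": state or ""})
    return rows


def analyze(rows, service_port="80", half_open_limit=50, per_ip_limit=20):
    """Summarise TCP state counts and flag the two patterns a flood produces:
    many half-open connections, or one remote address holding many connections
    to the service port. Thresholds are assumed values for the demo."""
    tcp = [r for r in rows if r["proto"] == "TCP"]
    states = Counter(r["state"] for r in tcp)
    per_ip = Counter(
        r["raddr"] for r in tcp
        if r["lport"] == service_port and r["state"] in ("SYN_RECEIVED", "ESTABLISHED")
    )
    findings = []
    if states["SYN_RECEIVED"] > half_open_limit:
        findings.append(f"{states['SYN_RECEIVED']} half-open connections (SYN flood pattern)")
    for ip, n in per_ip.most_common():
        if n > per_ip_limit:
            findings.append(f"{ip} holds {n} connections to port {service_port}")
    return {"states": dict(states), "top_sources": per_ip.most_common(5), "findings": findings}


def constructed_netstat_sample() -> str:
    """Constructed text in the shape of netstat -an on a server under attack."""
    header = "\nActive Connections\n\n  Proto  Local Address          Foreign Address        State\n"
    lines = [
        "  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING",
        "  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING",
        "  TCP    192.0.2.10:80          192.0.2.55:51234       ESTABLISHED",
        "  TCP    192.0.2.10:80          192.0.2.56:51240       TIME_WAIT",
        "  UDP    0.0.0.0:123            *:*",
    ]
    # 60 half-open connections from 60 different (spoofed-looking) sources
    lines += [f"  TCP    192.0.2.10:80          203.0.113.{i}:{40000 + i}       SYN_RECEIVED"
              for i in range(1, 61)]
    # 25 established connections all held by one remote address
    lines += [f"  TCP    192.0.2.10:80          198.51.100.9:{50000 + i}      ESTABLISHED"
              for i in range(25)]
    return header + "\n".join(lines) + "\n"


if __name__ == "__main__":
    import subprocess
    import sys
    if "--live" in sys.argv:
        text = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    else:
        text = constructed_netstat_sample()
    report = analyze(parse_netstat(text))
    print("states:", report["states"])
    print("top sources:", report["top_sources"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

A SYN flood with spoofed sources shows up as the first finding (many half-open entries, each from a different address), whereas the web-server variants show up as the second (a few addresses holding many established connections); the two need different responses, so it is worth keeping them apart in the report.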
V. Emergency handling when under DDoS attack
1. If sufficient IP resources are available, switch to a new IP address and point the site's domain name at the new IP;
2. Disable port 80 and serve HTTP on port 81 or another port, pointing the site's domain name at ip:81.
VI. DDoS protection recommendations
1. Choose high-performance network equipment;
2. Ensure sufficient network bandwidth;
3. Deploy a professional anti-DDoS firewall,
for example: Ice Shield firewall, Shield firewall, Black Hole firewall, Proud Shield firewall.
This article is from http://www.mgddos.com (DDoS attack software).