Distributed denial of service attack (DDoS) principles

Source: Internet
Author: User

There are many kinds of DoS attack. The most basic ones use apparently reasonable service requests to tie up so much of the server's resources that legitimate users no longer get a response.

DDoS is an intrusion method that grew out of the traditional DoS attack. A plain DoS attack is usually one-to-one, and it worked well in the days of slow CPUs, small memories and thin network links. As computers and networks have developed, hosts have gained far more processing power and memory, and gigabit networking has appeared, all of which makes a DoS attack harder to pull off: the target's ability to "digest" malicious packets has grown enormously. If your attack tool can send 3,000 attack packets per second but my host and network link can handle 10,000 packets per second, the attack achieves nothing.

This is where the distributed denial-of-service attack (DDoS) comes from. If you understand DoS, the principle is simple: when the target's processing and network capacity has grown tenfold and a single attacking machine no longer has any effect, why not use ten attacking machines at once? Or a hundred? DDoS uses many compromised "puppet" machines (zombies) to launch the attack together, hitting the victim on a far larger scale than was possible in earlier years.

Today's fast, well-connected networks bring us convenience, but they also create very favourable conditions for DDoS. In the era of slow links, an attacker collecting puppet machines would prefer ones close to the target network, because fewer router hops meant a stronger effect. Now the links between backbone nodes run at gigabit rates and larger cities have 2.5 Gbit/s connectivity, so the attacker's puppets can be spread over a much wider area and chosen far more freely, even from distant cities.

What a host under DDoS attack looks like

Large numbers of TCP connections on the attacked host are stuck waiting (half-open)

The network is full of useless packets whose source addresses are forged

A high volume of useless traffic causes network congestion, so that the victim host cannot communicate normally with the outside world

Weaknesses in the services the victim offers, or in the transport protocol itself, are exploited by repeatedly sending specific service requests at high speed, so that the victim cannot process legitimate requests in time

In severe cases the system panics (crashes)
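The first two symptoms above can be checked on a Linux host from its connection table. The following is an added example, not code from the original article: a Python script that runs that check over constructed netstat-style output (a web server at 203.0.113.5 with a few real sessions and a pile of half-open connections). The thresholds and the sample addresses are assumptions; a real deployment would tune the thresholds to its normal traffic.

```python
"""Check for SYN-flood symptoms in netstat-style output.

Added example, not code from the original article. The sample output is
constructed; the thresholds are assumptions a real deployment would tune.
"""
import ipaddress
from collections import Counter

SYN_RECV_THRESHOLD = 50   # assumed: this many half-open connections is suspicious
SOURCES_THRESHOLD = 20    # assumed: spread over this many sources counts as distributed


def build_sample():
    """Constructed `netstat -ant` output for a web server at 203.0.113.5:
    one listener, two real sessions, then 70 half-open connections from
    many different sources, every fifth one from a non-routable address."""
    lines = [
        "Proto Recv-Q Send-Q Local Address           Foreign Address         State",
        "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN",
        "tcp        0      0 203.0.113.5:80          66.1.2.3:51234          ESTABLISHED",
        "tcp        0      0 203.0.113.5:80          77.4.5.6:51240          ESTABLISHED",
    ]
    for i in range(70):
        if i % 5 == 0:
            # RFC 1918 address: cannot be a real Internet client, so the SYN was spoofed
            src = f"10.{i}.{(i * 7) % 256}.{(i * 13) % 256 or 1}"
        else:
            src = f"{66 + i % 40}.{(i * 37) % 256}.{(i * 59) % 256}.{i % 200 + 1}"
        lines.append(f"tcp        0      0 203.0.113.5:80          {src}:{40000 + i}  SYN_RECV")
    return lines


def parse_netstat(lines):
    """Yield (local, foreign_ip, state) for each TCP line; header lines are skipped."""
    for line in lines:
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        foreign_ip, _, _ = fields[4].rpartition(":")
        yield fields[3], foreign_ip, fields[5]


def analyze(lines):
    """Count half-open connections, how many sources they come from, and how
    many of those sources are not globally routable (a sign of forged SYNs)."""
    conns = list(parse_netstat(lines))
    states = Counter(state for _, _, state in conns)
    syn_sources = Counter(ip for _, ip, state in conns if state == "SYN_RECV")
    bogons = sorted(ip for ip in syn_sources if not ipaddress.ip_address(ip).is_global)
    syn_recv = states["SYN_RECV"]
    flood = syn_recv >= SYN_RECV_THRESHOLD
    distributed = flood and len(syn_sources) >= SOURCES_THRESHOLD
    return {
        "syn_recv": syn_recv,
        "established": states["ESTABLISHED"],
        "distinct_syn_sources": len(syn_sources),
        "busiest_source_count": max(syn_sources.values(), default=0),
        "bogon_syn_sources": len(bogons),
        "verdict": "distributed SYN flood" if distributed else "SYN flood" if flood else "normal",
    }


if __name__ == "__main__":
    for key, value in analyze(build_sample()).items():
        print(f"{key}: {value}")
```

The "busiest source" figure is what separates a classic one-to-one DoS (one address with many half-open entries) from the distributed case (many addresses with one entry each). Non-routable peer addresses are the one spoofing indicator visible from the victim alone; a forged but routable source address looks like a real client until its SYN+ACK retransmissions go unanswered.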

How the attack works

As shown in Figure 1, a complete DDoS attack system has four parts. Look first at the most important ones, parts 2 and 3: the control (handler) machines and the attack (agent) machines. Note the difference between them. From the point of view of part 4, the victim, the actual DDoS packets are sent by the attack puppet machines in part 3; the control machines in part 2 only issue commands and take no part in the attack itself. The hacker has control of all the computers in parts 2 and 3 and has uploaded the corresponding DDoS program to each. The program runs like any normal process, waits for instructions from the hacker, and usually also uses various techniques to hide itself from discovery. In normal times these puppet machines show nothing abnormal; only when the hacker connects to the control machines and issues the command do the attack puppets become the perpetrators of the attack.

Some readers may ask: "Why doesn't the hacker control the attack puppet machines directly, instead of going through the control puppet machines?" This is one of the reasons DDoS attacks are so hard to trace. From the intruder's point of view, the last thing he wants is to be caught (even as a child, having thrown a stone at a neighbour's hen, I knew to run away at once), and the more puppet machines he uses, the more evidence he hands the victim to analyse. After taking over a machine, a skilled intruder does two things first: 1. think about how to leave a back door (he wants to come back later); 2. clean up the logs, to erase his footprints so that nobody notices what he did. A less careful hacker will simply delete the whole log without a second thought, but then the administrator sees that the log is gone and knows someone has been up to no good, even if the log can no longer tell him who. A real expert, by contrast, deletes only the log entries that concern himself, so that nobody sees anything abnormal, and the puppet machine can be used for a long time.

But cleaning the logs on the attack puppet machines in part 3 is a huge job; even with good log-editing tools it gives the hacker a headache. As a result some attack machines are not cleaned properly, and from them an investigator can trace the machine one level up that controls them. If that upstream machine is the hacker's own, he is exposed; but if it is a control puppet machine, the hacker himself is still safe. The number of control puppet machines is relatively small, one of them usually controlling dozens of attack machines, so tidying up one computer's logs is much easier for the hacker, and the chance of finding him from the control machine is greatly reduced.

How does a hacker organise a DDoS attack?

The word "organise" is used here because a DDoS attack is not as simple as breaking into a single host. A hacker usually goes through the following steps when carrying out a DDoS attack:

1. Gathering information about the target

The following is the information the hacker cares about most:

The number of hosts behind the target and their addresses

The configuration and performance of the target hosts

The bandwidth of the target

For a DDoS attacker going after a site on the Internet, say http://www.mytarget.com, an important point is to determine how many hosts support the site: a large site may have many hosts behind load balancing, all serving the same WWW site. Yahoo, for example, usually served http://www.yahoo.com from the following addresses:

66.218.71.87

66.218.71.88

66.218.71.89

66.218.71.80

66.218.71.81

66.218.71.83

66.218.71.84

66.218.71.86

If you want to carry out a DDoS attack, which of these addresses should you hit? If you take down just 66.218.71.87, the other hosts can still provide WWW service to the outside, so to stop people visiting http://www.yahoo.com you would have to paralyse the machines behind all of these IP addresses. In practice one IP address often stands for several machines: the site's operator uses a layer-4 or layer-7 switch for load balancing, and a visit to one IP address is assigned to one of the hosts behind it by a specific algorithm. For the DDoS intruder the situation is therefore even more complicated, since his task is to render dozens of hosts unusable.

So gathering information beforehand is very important for a DDoS attacker: it decides how many puppet machines are needed to achieve the desired effect. Roughly speaking, under otherwise equal conditions, attacking a site with 2 hosts needs 2 puppet machines and attacking one with 5 hosts needs more than 5. Some will say the more puppet machines the better, and that whatever the number of target hosts one should use as many puppets as possible, since more puppets give a better result in any case.

In practice, however, many hackers skip information gathering and launch the DDoS attack directly. The attack is then largely blind and its effect is left to luck. In fact a hacker is just like a network administrator: neither can afford to be sloppy. Whether a job turns out well depends first on attitude and only second on skill.

2. Occupying puppet machines

Hackers are most interested in hosts with the following properties:

A host with a good network connection

A host with good performance

A host with a poor standard of security management

In this phase the other major type of attack is used: intrusion. This works the same way as in any other compromise. In short, it means breaking into and taking control of the host: obtaining the highest administrative privileges, or at least an account with enough permission to carry out the DDoS attack task. For a DDoS attacker, preparing a certain number of puppet machines is a necessary condition, and below is how he breaks into and occupies them.

First, the hacker's homework is usually scanning: at random, or with a scanner, he looks for vulnerable machines on the Internet. Buffer overflows in programs, CGI, Unicode, FTP and database vulnerabilities (the list is almost endless) are all scan results the hacker hopes to see. Then comes the actual intrusion; the detailed methods are not covered here, and there are many articles on the Internet for those interested.

Anyway, the hacker now holds a puppet machine. What does he do with it? Beyond the basic work described above, he uploads the DDoS attack program to a quiet directory, usually via FTP. On each attack machine there is then a DDoS program that the hacker will use to send malicious attack packets at the victim.

3. Carrying out the attack

After the careful preparation of the first two steps, the hacker begins to take aim at the target and launch. Since the preparation has been done, the attack itself is rather brief. As shown in the figure, the hacker logs on to the control puppet machine as the console and issues the command to all the attack machines: "Ready, aim, fire!" The DDoS attack programs lurking on the attack puppets respond to the console's command and together send a high-rate stream of packets at the victim, causing it to crash or to stop responding to normal requests. Hackers usually attack at rates far beyond what the victim can handle, and they do not hold back.

Experienced attackers also use various means to monitor the effect of the attack while it is under way, and adjust as needed. The simplest is to keep a window open that continuously pings the target host; as long as replies still come back, they add more traffic, or order more puppet machines to join the attack.

DDoS attack example: the SYN flood

The SYN flood is currently the most widespread DDoS attack; through all the recent ups and downs of DoS it has survived the sifting of time. Its effectiveness is presumably why so many hackers choose it. So let us look at the details of the SYN flood.

SYN flood principle: the three-way handshake

The SYN flood exploits an inherent weakness of the TCP/IP protocol. TCP's connection-oriented three-way handshake is the basis on which the SYN flood exists.

The three-way handshake of a TCP connection

Figure 2: the TCP three-way handshake

As shown in Figure 2, in the first step the client sends a TCP segment to the server with the SYN flag set. The client thereby tells the server that the sequence-number field is valid and should be examined; the client puts its ISN (initial sequence number) in the sequence-number field of the TCP header. When the server receives this segment, in the second step it replies with its own ISN (SYN flag set) and at the same time acknowledges receipt of the client's first segment (ACK flag set). In the third step the client acknowledges receipt of the server's ISN (ACK flag set). The TCP connection is now established and full-duplex data transfer can begin.

A SYN flood attacker never completes the three-way handshake.

Figure 3: a SYN flood deliberately leaves the three-way handshake unfinished

Suppose a user sends a SYN segment to the server and then crashes or goes offline. After sending its SYN+ACK, the server never receives the client's ACK (the third step of the handshake cannot be completed). In this case the server usually retries (sends the SYN+ACK to the client again) and waits for a while before discarding the unfinished connection. This period is called the SYN timeout, and it is typically of the order of a minute (about 30 seconds to 2 minutes). For a server it is not a big problem if one user's abnormal request keeps a thread waiting for a minute. But if a malicious intruder imitates this situation on a large scale, the server has to spend substantial resources maintaining a very large half-open connection list, tens of thousands of entries; even simply storing and traversing it consumes a lot of CPU time and memory, and on top of that the server keeps sending SYN+ACK retries to the addresses in the list. In practice, if the server's TCP/IP stack is not robust enough, the end result is often that the stack is overwhelmed and crashes. Even if the server's system is strong enough to survive, it is so busy handling the attacker's forged TCP connection requests that it has no time to answer legitimate clients (whose request rate is tiny by comparison). From a legitimate client's point of view the server has stopped responding. We call this situation a SYN flood attack on the server. (On modern systems the SYN+ACK retry count and the half-open backlog size are tunable, and most stacks can fall back to SYN cookies, which avoid storing half-open state at all.)

This article is from http://www.zkddos.com (DDoS attack)
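To make the handshake and the half-open table concrete, here is an added Python model, not code from the article, of both sides of the three-way handshake and of a server whose half-open table has a SYN timeout. It runs a legitimate client before, during and after a flood of spoofed SYNs, and then, going beyond the text, repeats the run against a variant that keeps no half-open state at all (the SYN cookie idea: the server's ISN is a keyed hash of the peer, recomputed when the ACK arrives). The backlog size, the timeout, the cookie secret and all addresses are assumptions.

```python
"""Model of the TCP three-way handshake and of a SYN flood against the
server's half-open table.

Added example, not code from the original article. Backlog size, timeout
and the cookie secret are assumptions; all addresses are constructed.
"""
import hashlib
import random
from dataclasses import dataclass, field

SYN_TIMEOUT = 60.0   # assumed server-side SYN timeout, seconds
BACKLOG = 128        # assumed capacity of the half-open (SYN_RECV) table


@dataclass
class Segment:
    src: str
    sport: int
    seq: int
    ack: int
    syn: bool = False
    is_ack: bool = False


@dataclass
class Server:
    """Classic server: remembers every half-open connection until the ACK or the timeout."""
    next_isn: int = 1000
    half_open: dict = field(default_factory=dict)   # (src, sport) -> (server ISN, expiry)
    established: set = field(default_factory=set)
    dropped_syn: int = 0

    def on_segment(self, seg, now):
        self._expire(now)
        key = (seg.src, seg.sport)
        if seg.syn and not seg.is_ack:                  # step 1 received
            if len(self.half_open) >= BACKLOG:          # table full: legitimate SYNs are lost too
                self.dropped_syn += 1
                return None
            self.next_isn += 1
            self.half_open[key] = (self.next_isn, now + SYN_TIMEOUT)
            return Segment("server", 80, self.next_isn, seg.seq + 1, syn=True, is_ack=True)  # step 2
        if seg.is_ack and key in self.half_open:        # step 3 received
            server_isn, _ = self.half_open[key]
            if seg.ack == server_isn + 1:
                del self.half_open[key]
                self.established.add(key)
        return None

    def _expire(self, now):
        """Drop half-open entries whose SYN timeout has passed."""
        for key in [k for k, (_, expiry) in self.half_open.items() if expiry <= now]:
            del self.half_open[key]


class SynCookieServer(Server):
    """Variant with no half-open state: the ISN is a keyed hash of the peer
    (the SYN cookie idea), recomputed and checked when the ACK arrives."""
    SECRET = b"assumed-secret"

    def _cookie(self, src, sport, counter):
        digest = hashlib.sha256(self.SECRET + f"{src}:{sport}:{counter}".encode()).digest()
        return (int.from_bytes(digest[:4], "big") & 0xFFFFFF00) | (counter & 0xFF)

    def on_segment(self, seg, now):
        counter = int(now // 64) & 0xFF                 # cookies expire after about a minute
        if seg.syn and not seg.is_ack:
            isn = self._cookie(seg.src, seg.sport, counter)
            return Segment("server", 80, isn, seg.seq + 1, syn=True, is_ack=True)
        if seg.is_ack:
            cookie = (seg.ack - 1) & 0xFFFFFFFF
            age = (counter - (cookie & 0xFF)) & 0xFF
            if age <= 1 and cookie == self._cookie(seg.src, seg.sport, cookie & 0xFF):
                self.established.add((seg.src, seg.sport))
        return None


def client_handshake(server, src, sport, now):
    """A legitimate client performing all three steps. Returns True if established."""
    isn = random.randrange(1 << 32)
    syn_ack = server.on_segment(Segment(src, sport, isn, 0, syn=True), now)
    if syn_ack is None or syn_ack.ack != isn + 1:
        return False
    server.on_segment(Segment(src, sport, isn + 1, syn_ack.seq + 1, is_ack=True), now)
    return (src, sport) in server.established


def syn_flood(server, count, now):
    """Spoofed SYNs from addresses that never answer, so step 3 never happens."""
    for i in range(count):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # constructed, non-routable
        server.on_segment(Segment(src, 40000 + i, i, 0, syn=True), now)


def run(server):
    """Legitimate client before the flood, during it, and again after the SYN timeout."""
    before = client_handshake(server, "192.0.2.10", 5000, now=0.0)
    syn_flood(server, 500, now=1.0)
    during = client_handshake(server, "192.0.2.11", 5001, now=2.0)
    after = client_handshake(server, "192.0.2.12", 5002, now=2.0 + SYN_TIMEOUT)
    return {"before": before, "during": during, "after": after,
            "dropped_syn": server.dropped_syn, "half_open_left": len(server.half_open)}


if __name__ == "__main__":
    print("classic   :", run(Server()))
    print("syn cookie:", run(SynCookieServer()))
```

With the classic server, 500 spoofed SYNs fill the 128-entry table, the legitimate client's SYN during the flood is dropped along with the excess forged ones, and service only returns once the SYN timeout has expired the stale entries. The cookie variant stores nothing per SYN, so the legitimate client connects even while the flood is running; the price is that the cookie has to fit in 32 bits, so real implementations also squeeze options such as the MSS into it and accept a small loss of TCP features for connections established that way.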
