DOS and DDoS attacks and Prevention

DOS means that attackers send a large number of service requests to the network within a certain period of time, consuming system resources or network bandwidth, occupying and surpassing the processing capabilities of the attacked host, resulting in excessive network or system load, stop providing normal network services to legal users. DDoS introduces the Client/Server mechanism on the basis of DOS, which makes the attack more powerful and more concealed.

DDoS attack Principle

DDoS uses a multi-layer customer/Server mode. A complete DDoS attack system consists of four parts: the attack console, the attack server, the attack slave machine, and the attack target.

◆ Attack console. Attackers exploit this vulnerability to manipulate the entire attack process and issue attack commands to the attack server.

Webpage tutorial Network

◆ The attack server is also called the master, which is an illegal intrusion by attackers and is installed with a specificProgramSome hosts. It receives various commands from the attack console. At the same time, it also controls a large number of attack bots and forwards attack commands on the attack console to them. 

◆ An attack on a zombie is also called a proxy. It is also a host that attackers illegally intrude into and install specific programs. They run attack programs to launch attacks against the target. It is controlled by the master and receives attack commands from the master. It is the performer of the attack.

DDoS attack features

As a special DoS attack method, DDoS attacks have many characteristics compared with traditional denial-of-service attacks: first, distributed denial-of-service attacks are more effective. Using distributed denial of service, you can send attack data to the target from multiple slave hosts at the same time, and send a large number of data packets in a short time, make the target system unable to provide normal services. In addition, the multi-layer Client/Server mode reduces the congestion that may occur when attackers issue attack commands, and increases the closeness of attacks. Even if the target detects an attack, it may be too late to take effective measures to cope with the attack. Second, Distributed Denial of Service attacks are even more difficult to prevent. Because the Distributed Denial-of-Service attack data streams come from many sources and attack tools use the random IP technology, the similarity with valid access data streams is increased, making it more difficult to judge and prevent attacks.

Attack policy and Prevention

At present, with the wide spread of various DDoS attack tools such as TFN, TFN2k, Stacheldraht, and Trinoo, the risk of DDoS attacks is increasing sharply [2]. Therefore, how to effectively defend against DDoS attacks becomes an urgent problem. Next, this article provides specific preventive measures for these commonly used attack tools.

Webpage tutorial Network

3.1 TFN (Tribe Flood Network) attacks and Prevention

Webpage tutorial Network

TFN is written by German famous hacker Mixter. Similar to Trinoo, It is developed and tested in a large number of UNIX systems on the Internet. It consists of a client program and a daemon. It is controlled by the root shell bound to the TCP port to implement ICMP flood, SYN flood, UDP flood, and other distributed denial-of-service network attacks.

IC-MP echo and icmp echoreply packets are used when TFN clients, master and proxy hosts communicate with each other. The following methods can be used to defend against TFN Attacks:Webjx. com

◆ When starting TFN, attackers need to access the master program and send one or more target IP addresses to it. Then, the master program communicates with all agents to instruct them to launch attacks. The communication between the master program and the proxy program uses the ICMP echo/response information package. The actual instructions to be executed are included in the 16-bit ID domain in binary form. ICMP enables information packet protocol filtering. By configuring a vro or intrusion detection system, all icmp echo or ECHO/response packets are not allowed to enter the network to defeat the TFN proxy, however, this will affect all Internet programs that use these features, such as ping. The master program reads an IP address list, which contains the location of the agent. This list may be encrypted using an encryption program such as blowfish. If there is no encryption, you can easily identify the proxy information from this list.

 

◆ It is used to find that the TFN agent on the system is the program TD, and the master program on the system is the program TFN. The proxy does not check where the ICMP echo/response packet comes from. Therefore, it is possible to use the disguised ICMP packet to fl these processes [9].

Webpage tutorial Network

3.2 TFN2k attack and Prevention

TFN2k stands for TFN 2000 and is a later version of TFN compiled by Mixter. This new DDoS tool has taken a big step forward on the original basis. It is also composed of two parts: the client program and the daemon process on the proxy host. The client sends a list of specified target hosts to the daemon. The proxy daemon then performs a Denial of Service (DoS) attack on the target. Multiple proxy hosts controlled by a client program can collaborate in the attack process to ensure attack continuity. The network communication between the client and the proxy is encrypted, and many fake packets may be mixed. The entire TFN2k network may use different TCP, UDP, or ICMP packets for communication, and the client can forge its IP address. All these features make it very difficult or inefficient to develop strategies and technologies to defend against TFN2k attacks.

Webjx. com

TFN2k is very concealed, which makes it difficult to detect. Because there is no port number, it is difficult to detect. Even if you use a port scanner on a normal basis, you cannot detect that your system is being used as a TFN2k server [10]. Currently, there is no effective method to defend against TFN2k Denial of Service attacks. The most effective policy is to prevent network resources from being used as clients or proxies.

Webjx. com

Based on the basic features of TFN2k, the following preventive measures are available:

◆ Only use the application proxy firewall, which can effectively prevent all TFN2k communication. However, it is impractical to use only the application proxy server. Therefore, you can only use the least non-proxy service as much as possible.Webpage tutorial Network

◆ Prohibit unnecessary ICMP, TCP, and UDP communications. In particular, for ICMP data, only data of the ICMP Type 3 (Destination Unreachable, the destination cannot be reached) can pass through. If the ICMP protocol cannot be disabled, it is prohibited to provide or all icmp echoreply packets.Webpage tutorial Network

◆ Prohibit all UDP and TCP packets that are not in the permitted port list.

Webjx. com

◆ Configure the firewall to filter all possible forged data packets.

Webjx. com

◆ Install patches and security configurations on the system to prevent intrusion and install TFN2k.