DOS/DDOS Summary

Source: Internet
Author: User

(This article is based on online materials and the author's own understanding. It is for learning only and must not be used for illegal purposes. If your rights and interests are inadvertently infringed, please contact me promptly. Thank you.)

The structure of this article is as follows:
I. Common DOS/DDOS types
  1. Principle
  2. Symptoms and feature detection
  3. Prevention
II. Some new types of DOS/DDOS
III. Summary
Appendix: Firewall anti-DOS/DDOS principles and algorithms

I. Common DOS/DDOS types
SYN flood:
1. Principle:

To understand SYN flood attacks, we must first understand the three-way handshake TCP uses to establish a connection. Put simply, it proceeds as follows: the client sends a SYN packet to the server (first handshake); after receiving the SYN, the server sends a SYN+ACK packet to the client (second handshake); finally, the client sends an ACK packet to the server (third handshake).

The attack sends SYN packets to the target host from many random (forged) source addresses and never answers the SYN+ACK the target sends back. The target creates a large number of connection queue entries for these sources and, never receiving the ACK, keeps maintaining them, consuming a large amount of resources until it can no longer serve normal requests. This is one of the most popular attacks.

2. Symptoms and feature detection:

A. The website cannot be accessed.

B. Using Wireshark or another packet capture tool, a large number of SYN packets is seen.

3. Prevention:
A. Shorten the SYN timeout. The effect of a SYN flood depends on the number of half-open SYN connections the server must maintain, and that number equals the rate of SYN attack packets multiplied by the SYN timeout. Shortening the time between receiving a SYN packet and declaring the connection invalid and discarding it, for example to under 20 seconds, therefore reduces the server's load by a corresponding factor (too low a SYN timeout may affect normal client access). This is effective only when the attack is small in scale.
B. Set SYN cookies: a cookie is assigned to the IP address of each connection request. If requests are sent repeatedly from one IP address within a short period, it is judged to be an attack and subsequent packets from that IP address are discarded. (The attacker's IP address is generally forged, so this is effective only when the attack is small in scale.)
C. SYN flood programs attack in one of two ways, IP-based or domain-based. In the former, the attacker resolves the domain name and passes the IP address to the attack program; in the latter, the attack program performs the resolution itself. Both have one thing in common: once the attack starts, the domain name is not resolved again. That is our starting point. Suppose a server under SYN flood quickly changes its IP address. The attacker is then attacking an empty IP address with no host behind it, and as long as the defender points the DNS record at the new address, normal access through the domain name is restored within a certain period (depending on the DNS refresh time). To confuse the attacker, we can even leave a "sacrificial" server on the old address so that the attack appears to be having its "effect" (as long as the attacker's browser, because of DNS caching, does not re-resolve and keeps accessing the original IP address). The attacker can keep issuing DNS requests to break this "retreat" policy, but this raises the attacker's costs, and the many DNS requests help us trace the attacker's real tracks: unlike SYN attacks, DNS requests need data returned, so the IP address is hard to disguise.
D. On Windows 2000 you can also modify the Registry to reduce the harm of SYN floods. Open regedit, locate HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters and make the following changes. Add a SynAttackProtect value of type REG_DWORD with a range of 0-2; it determines the protective measures taken when the system is under SYN attack, including reducing the number of SYN+ACK retries. The default is 0 (no protection); the recommended value is 2. Add a TcpMaxHalfOpen value of type REG_DWORD with a range of 100-0xFFFF; it is the number of half-open connections the system allows at the same time. The default is 100 for Win2K Professional and Server and 500 for Advanced Server. This value is hard to choose, since it depends on the server's TCP load and the possible attack intensity, and it must be tested before being fixed. Add a TcpMaxHalfOpenRetried value of type REG_DWORD with a range of 80-0xFFFF; the default is 80 for Win2K Professional and Server and 400 for Advanced Server. It determines under what circumstances the system enables SYN attack protection.
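
The relation in prevention A (half-open connections ≈ SYN rate × SYN timeout) and the symptom in detection B can be replayed on a constructed trace. This is an added example, not code from the original article; the trace, addresses (10.x.x.x spoofed sources, 192.0.2.10 as a legitimate client), rates and the 20 s / 75 s timeouts are all assumptions chosen for illustration.

```python
"""Half-open connection accounting for a constructed SYN flood trace.

Added example, not code from the original article. It models the relation the
prevention section states: the half-open connections a server holds is roughly
the SYN rate multiplied by the SYN timeout, so shortening the timeout shrinks
the backlog an attack can fill. Times are integer milliseconds."""
from collections import namedtuple

Packet = namedtuple("Packet", "t src sport flags")  # flags: "S" = SYN, "A" = ACK


def build_trace(attack_pps=50, legit_cps=2, seconds=60):
    """Constructed trace: spoofed SYNs that never complete the handshake, plus a
    few legitimate clients whose ACK (third handshake) arrives 1 s later."""
    pkts = []
    for i in range(attack_pps * seconds):
        # forged, ever-changing source: every SYN comes from a different address
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        pkts.append(Packet(i * 1000 // attack_pps, src, 40000 + i, "S"))
    for k in range(legit_cps * seconds):
        t = k * 1000 // legit_cps
        pkts.append(Packet(t, "192.0.2.10", 50000 + k, "S"))
        pkts.append(Packet(t + 1000, "192.0.2.10", 50000 + k, "A"))
    pkts.sort(key=lambda p: p.t)  # stable sort keeps arrival order within a tick
    return pkts


def half_open_stats(pkts, syn_timeout_ms):
    """Replay the trace against a half-open (SYN_RECV) table that drops an entry
    once syn_timeout_ms has passed without the client's ACK.
    Returns (peak_half_open, completed_handshakes, syn_count)."""
    table = {}  # (src, sport) -> time the SYN was received
    peak = completed = syns = 0
    for p in pkts:
        for stale in [k for k, t0 in table.items() if p.t - t0 > syn_timeout_ms]:
            del table[stale]  # timed out: the server reclaims the queue slot
        key = (p.src, p.sport)
        if p.flags == "S":
            syns += 1
            table.setdefault(key, p.t)
        elif p.flags == "A" and key in table:
            del table[key]  # handshake completed, no longer half-open
            completed += 1
        peak = max(peak, len(table))
    return peak, completed, syns


def syn_flood_suspected(pkts, syn_timeout_ms, max_half_open=500):
    """Symptom check: the backlog near its limit while few SYNs ever complete."""
    peak, completed, syns = half_open_stats(pkts, syn_timeout_ms)
    return peak >= max_half_open and completed < 0.2 * syns


if __name__ == "__main__":
    trace = build_trace()
    for timeout_ms in (75_000, 20_000):
        print(timeout_ms // 1000, "s SYN timeout ->", half_open_stats(trace, timeout_ms))
```

With a 75 s timeout the whole minute of spoofed SYNs (3000) sits in the table at once; cutting the timeout to 20 s caps the backlog near 1000 without losing any of the 120 legitimate handshakes.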

Smurf:
1. Principle:

The Smurf attack is named after "Smurf", the program originally used to launch it. Combining IP spoofing with ICMP replies, it floods the target system with a large volume of network traffic so that the target can no longer serve normal systems.

The attacker sends a large number of ICMP packets to the broadcast address of a network (the bounce network), and the replies drown the victim host. The performance of the bounce network itself may also suffer.

2. Symptoms and feature detection:
A. Network monitoring and statistics. When a Smurf attack occurs, a large number of echo packets is generated; because of the echo reply storm, the proportion of echo messages among all packets rises sharply, and the source addresses of these packets mostly fall within a few address blocks. Under these conditions a Smurf attack may be under way.

B. Rising packet loss and retransmission rates. The heavy network load caused by the echo storm can produce a large amount of packet loss and retransmission, so a marked increase in both may indicate a Smurf attack.

C. Frequent unexpected connection resets. During a Smurf attack, network overload may cause other network connections to be interrupted or reset unexpectedly; repeated unexpected interruptions or resets may also indicate a Smurf attack.

3. Prevention:
A. Prevent hosts on your site from becoming attackers. The network should filter spoofed IP packets on the side connected to the subnet. For example, the router can send a confirmation packet to the source IP address of an ICMP packet to determine whether the packet is spoofed, ensuring that all traffic leaving the internal network carries a valid source address.
B. Avoid becoming an intermediary for Smurf attacks. To avoid acting as a bounce network, you have two options for blocking Smurf attacks. The first is to configure the router to reject ICMP echo request packets addressed to broadcast addresses and prevent these packets from reaching the network. If you cannot block all inbound echo requests, you must stop the router from mapping the network broadcast address into a LAN broadcast address; once that mapping is stopped, your systems no longer receive these echo requests. On a Cisco router, run the following command in configuration mode for the LAN interface: no ip directed-broadcast

C. Tracking Smurf attacks
Smurf attacks are difficult to track, but with ISP cooperation it is possible. As explained in the principle above, the source IP address of the ICMP echo request packet is the disguised address of the host being attacked, so the ICMP source address cannot be used to trace the initiator of the Smurf attack. Instead, the MAC address of the ICMP packet can be recorded in the ACL (Access control layer) and used to track the attack.


Land attack:

1. Principle:
A specially crafted SYN packet has both its source address and destination address set to the server's address. The receiving server sends a SYN-ACK to its own address, which in turn returns an ACK and creates an empty connection. Each such connection the attacked server receives is retained until it times out. Systems respond to a Land attack differently: many UNIX implementations crash, while NT becomes extremely slow (for about 5 minutes).

2. Symptoms and feature detection:
A. Check whether the source address and destination address of a received packet are the same.

3. Prevention:
A. Properly configure firewall devices or the filtering rules of a filtering router to stop such attacks (generally by discarding the packet) and to audit them (recording the time of the event and the MAC and IP addresses of the source and target hosts).


Ping of Death:
1. Principle:
An ICMP packet larger than 65507 bytes is sent to the victim host. The packet is fragmented in transit, and when it is reassembled at the destination the data segment exceeds 65507 bytes; this malicious packet may crash an unpatched system.
2. Prevention:
Apply patches, and block ICMP packets at network security devices.

Teardrop:
1. Principle:
A Teardrop attack uses malformed UDP fragments. It works by sending several fragmented IP packets to the target (each IP fragment carries the identity of the packet it belongs to and its position within that packet); some operating systems crash or restart when they receive forged fragments with overlapping offsets. The overlap arises when the UDP packet is reassembled: if the offset of the second IP fragment is smaller than the offset of the first and the data of the second does not extend past the end of the first, the fragments overlap. The host is thus subjected to a denial-of-service attack and eventually crashes. Windows blue-screens with a STOP 0x0000000A error.

2. Prevention:
A. Analyze received fragments and check whether their offsets are correct.
B. Apply the system patch, discard malformed fragments, and audit the attack. Use the latest operating system where possible, or enable fragment reassembly on the firewall: the firewall first receives all fragments of the same original packet and completes the reassembly instead of forwarding them directly, because the firewall can apply rules for what to do when overlapping fields appear.
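
The checks described for the Land attack (source equals destination), Ping of Death (oversized reassembly) and Teardrop (overlapping fragment offsets) can be expressed as one firewall-style filter. This is an added example, not code from the original article; the packet dicts, the addresses 192.0.2.1 and 198.51.100.7, and the byte-offset convention are assumptions, and the overlap test generalizes the page's "second fragment inside the first" case to any intersecting fragments.

```python
"""Malformed-packet checks for the Land, Ping of Death and Teardrop cases.

Added example, not code from the original article. Packets are constructed
dicts standing in for decoded IP headers (fragment offsets already in bytes),
checked the way a firewall or IDS would before forwarding."""
from collections import defaultdict

IP_MAX_LEN = 65535          # largest datagram the 16-bit total-length field allows
MAX_DATA = IP_MAX_LEN - 20  # data after a 20-byte IP header (ICMP payload max 65507)


def is_land(pkt):
    """Land attack: a SYN whose source and destination addresses are identical."""
    return pkt.get("flags") == "S" and pkt["src"] == pkt["dst"]


class FragmentReassembler:
    """Buffers fragments per (src, dst, ident) and rejects the datagram as soon as
    a fragment overlaps data already held (Teardrop: the second fragment falls
    inside the first) or would grow past what an IP datagram can carry (Ping of Death)."""

    def __init__(self):
        self.held = defaultdict(list)  # key -> [(start, end), ...] byte ranges

    def add(self, frag):
        key = (frag["src"], frag["dst"], frag["ident"])
        start, end = frag["offset"], frag["offset"] + frag["length"]
        if end > MAX_DATA:
            self.held.pop(key, None)
            return "drop: oversize reassembly (Ping of Death pattern)"
        for s, e in self.held[key]:
            if start < e and s < end:  # byte ranges intersect
                self.held.pop(key, None)
                return "drop: overlapping fragment offset (Teardrop pattern)"
        self.held[key].append((start, end))
        if frag["more"]:
            return "hold"
        self.held.pop(key, None)  # last fragment seen; a real stack would forward here
        return "accept: datagram complete"


def frag(ident, offset, length, more):
    """Constructed fragment of a datagram from 192.0.2.1 to 198.51.100.7."""
    return dict(src="192.0.2.1", dst="198.51.100.7", ident=ident,
                offset=offset, length=length, more=more)


def demo():
    """Constructed cases: a benign two-fragment datagram, a Teardrop-style inner
    overlap, a final fragment that overflows the datagram size, and a Land SYN."""
    r = FragmentReassembler()
    return [
        r.add(frag(1, 0, 1480, True)), r.add(frag(1, 1480, 200, False)),
        r.add(frag(2, 0, 1480, True)), r.add(frag(2, 24, 100, False)),
        r.add(frag(3, 0, 1480, True)), r.add(frag(3, 65120, 400, False)),
        is_land({"src": "198.51.100.7", "dst": "198.51.100.7", "flags": "S"}),
    ]
```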

Connection Flood:
1. Principle:
Connection Flood is a typical and effective method of attacking a high-bandwidth network service with a small amount of traffic, and it is becoming increasingly rampant. The attacker uses a real IP address to open a large number of connections to the server and does not release them for a long time after they are established. This ties up server resources, leaving too many residual connections (in WAIT states) on the server, degrading its efficiency or even exhausting its resources so that it cannot respond to connections from other clients.

One variant opens a large number of connection requests to the server every second. This resembles a SYN flood from a fixed source IP address, except that a real source IP address is used, so it can generally be countered by limiting the number of connections per second per source IP address at the firewall. Existing tools, however, now use slow connections: a connection to the server is established over a few seconds and, once established, is never released, with junk packets sent periodically to keep it alive for a long time. In this way a single IP address can hold hundreds of thousands of connections to the server, and since the number of connections a server can sustain is limited, the DoS effect is achieved.

2. Symptoms and feature detection:
A. Run netstat -an to check the network connection state and look for a large number of connections from the same IP address.

3. Prevention:
A. Actively clear residual connections.
B. Block IP addresses that connect maliciously.
C. Limit the number of connections per source IP address.
D. Protect specific URLs.
E. Look up the source behind the proxy that is initiating the HTTP GET flood.
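
The netstat -an check in the symptom section and the per-source limit in prevention C can be automated over the connection table. This is an added example, not code from the original article; the netstat rows, the flood source 203.0.113.9, the server address 198.51.100.7 and the limit of 50 connections per IP are constructed assumptions.

```python
"""Connection-flood triage over constructed `netstat -an` output.

Added example, not code from the original article. It groups the connection
table by remote address, as the symptom section suggests doing by eye, and
applies the per-source connection limit from the prevention list. The rows are
constructed to look like Linux netstat output; none come from a real host."""
import re
from collections import Counter, defaultdict

# Proto Recv-Q Send-Q Local Foreign State  (IPv4 or IPv6 TCP rows only)
LINE_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)")


def constructed_netstat(flood_src="203.0.113.9", established=120, waiting=40):
    """One listener, a flood source holding many connections (some left in
    CLOSE_WAIT, the residue the article describes), and three normal clients."""
    rows = ["Proto Recv-Q Send-Q Local Address           Foreign Address         State",
            "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN"]
    row = "tcp        0      0 198.51.100.7:80         {}:{}   {}".format
    rows += [row(flood_src, 51000 + i, "ESTABLISHED") for i in range(established)]
    rows += [row(flood_src, 52000 + i, "CLOSE_WAIT") for i in range(waiting)]
    for i, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        rows += [row(ip, 40000 + i, "ESTABLISHED"), row(ip, 41000 + i, "TIME_WAIT")]
    return "\n".join(rows)


def parse_netstat(text):
    """Yield (local, remote_ip, remote_port, state) for every TCP row with a peer."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        local, foreign, state = m.groups()
        rip, _, rport = foreign.rpartition(":")  # rpartition keeps IPv6 colons in rip
        if rport != "*":  # "*" marks a listening socket with no peer
            yield local, rip, rport, state


def connections_by_source(text):
    """Connections per remote IP, and per (remote IP, TCP state)."""
    per_ip, per_state = Counter(), defaultdict(Counter)
    for _, rip, _, state in parse_netstat(text):
        per_ip[rip] += 1
        per_state[rip][state] += 1
    return per_ip, per_state


def over_limit(text, max_per_ip=50):
    """Prevention C: remote IPs holding more than max_per_ip connections,
    with a breakdown by state so residual WAIT connections stand out."""
    per_ip, per_state = connections_by_source(text)
    return {ip: (n, dict(per_state[ip])) for ip, n in per_ip.items() if n > max_per_ip}


def residual_wait(text):
    """Count connections stuck in a WAIT state (CLOSE_WAIT, TIME_WAIT, ...)."""
    return sum(1 for *_, state in parse_netstat(text) if "WAIT" in state)
```

On a live host the same functions can be fed the real output of `netstat -an`; the IPs returned by over_limit are the candidates for prevention B.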

CC attack (Challenge Collapsar attack):
1. Principle:

CC is mainly used to attack web pages. Everyone has had this experience: when visiting a large forum with many visitors, pages open slowly. The more people access it and the more pages the forum has, the larger the database grows, the higher the access frequency, and the more system resources are consumed.
A static page needs few server resources; it can even be read from memory and sent to you. A forum is different. When I read a post, the system must query the database to determine whether I have permission to read it and, if so, read the post's content and display it. The database is accessed at least twice, and if the database is MB in size the system may have to search MB of data space. How much CPU time does that take? If I search for a keyword the cost is even more striking, because the previous queries could be confined to a very small range (the permission check only queries the user table, the post content only queries the post table, and each can stop as soon as it finds a match), whereas a search must examine all the data and consumes considerable time.
Currently CC attacks come in two modes: proxy mode and botnet mode. In proxy mode the attacker operates through proxy servers; in botnet mode the attacker obtains a large number of zombie nodes (by various means, such as black-market purchases) and launches the attack from them.
2. Symptoms and feature detection:
A. The website cannot be accessed.

B. A large number of requests for a time-consuming page (such as a query page) is found.

3. Prevention:
A. CC attacks generally target domain names (IP addresses). Once the domain name is unbound, the attack on the domain name becomes ineffective. But the website can then be accessed only by IP address, which greatly inconveniences normal users, so this is not practical.

B. Block IP addresses. The IP addresses in a CC attack are real and in most cases do not change. By analyzing website logs it is easy to tell which IP addresses are attacking, because a CC attack fetches web pages through a program, whose behaviour differs markedly from a normal browser. When a normal browser accesses a web page it fetches a series of related files in succession: the HTML file, CSS files, JS files and images. A CC attacker fetches only one URL and no other types of file, and most of its User-Agent strings differ from those of normal browsers, so it is easy to tell on the server which visitors are CC attacks. Once the attacking IP addresses are determined, prevention is simple: block those IP addresses in batches. If the range of attacking IP addresses is very wide, it is best to detect and block them automatically with a script.

C. Limit the number of connections per IP address.

D. Restrict access from proxies. A proxy generally adds the X_FORWARDED_FOR field to the HTTP header, which lets you determine whether a request came through a proxy.

E. A CC attack works because the attacker does not accept the server's response data: after sending the request, it actively disconnects. This can be used to check whether a connection is a CC request. Instead of executing the requested URL immediately, the server simply returns a page-redirection response containing a new URL. A normal client follows the redirect and connects to the new page, which is transparent to the user; a CC attacker, which does not receive response data, does not reconnect, and the server never has to perform the query.
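
The log-analysis features in prevention B (one dynamic URL fetched over and over, no CSS/JS/image fetches, a non-browser User-Agent) and the proxy indicator in prevention D can be scored from the access log. This is an added example, not code from the original article; the log lines, the IP addresses (192.0.2.10 browser, 203.0.113.5 and 198.51.100.77 attackers), the forum URLs and the thresholds are constructed assumptions, and the log format is assumed to be the common combined format with a trailing quoted X-Forwarded-For field.

```python
"""CC-attack triage over constructed web-server access-log lines.

Added example, not code from the original article. It applies the features the
prevention section lists: a CC client hammers one dynamic URL and never fetches
the page's CSS, JS or images, a browser fetches them in sequence, and requests
relayed through a proxy carry X-Forwarded-For. The format is the common
combined log format plus a trailing quoted X-Forwarded-For field; every line
here is constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$')
ASSET_RE = re.compile(r"\.(css|js|png|jpe?g|gif|ico)(\?|$)", re.I)


def constructed_log():
    """A browser reading one thread, a CC client, and the same CC pattern via a proxy."""
    line = ('{ip} - - [10/Oct/2023:13:55:{s:02d} +0800] "GET {url} HTTP/1.1" '
            '200 512 "-" "{ua}" "{xff}"').format
    browser = "Mozilla/5.0 (Windows NT 10.0; rv:118.0) Gecko/20100101 Firefox/118.0"
    pages = ["/forum/thread.php?id=42", "/static/site.css", "/static/app.js", "/img/logo.png"]
    lines = [line(ip="192.0.2.10", s=s, url=u, ua=browser, xff="-") for s, u in enumerate(pages)]
    lines += [line(ip="203.0.113.5", s=s, url="/forum/search.php?q=abc",
                   ua="Python-urllib/3.9", xff="-") for s in range(40)]
    lines += [line(ip="198.51.100.77", s=s, url="/forum/search.php?q=abc",
                   ua="-", xff="203.0.113.200") for s in range(30)]
    return "\n".join(lines)


def profile(log_text):
    """Per client IP: request count, distinct URLs, asset fetches, UAs, proxy use."""
    stats = defaultdict(lambda: {"requests": 0, "urls": set(), "assets": 0,
                                 "uas": set(), "proxied": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        st = stats[m["ip"]]
        st["requests"] += 1
        st["urls"].add(m["url"])
        st["assets"] += bool(ASSET_RE.search(m["url"]))
        st["uas"].add(m["ua"])
        st["proxied"] |= m["xff"] not in ("", "-")  # prevention D: came via a proxy
    return stats


def suspected_cc(log_text, min_requests=20, max_urls=2):
    """Prevention B: many requests to one or two URLs with no asset fetches at all."""
    return sorted(ip for ip, st in profile(log_text).items()
                  if st["requests"] >= min_requests
                  and len(st["urls"]) <= max_urls and st["assets"] == 0)
```

The IPs returned by suspected_cc are the batch to block; where profile() marks an IP as proxied, the X-Forwarded-For value identifies the client behind the proxy (prevention E of the Connection Flood section).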