DDoS distributed denial of service

DDOS (Distributed denial of service) concepts

DDoS is called distributed denial of service, and DDoS is the use of reasonable requests to forge resources overload, resulting in service unavailability. For example, a parking lot has 100 parking spaces, and when 100 parking spaces are full, there is a car that wants to come in. You have to wait for an existing car to come out first. If the existing car does not go out, then the entrance to the parking lot will be lined with long teams. The load on the parking lot is overloaded. Not working properly, this is a "denial of service". Our system is like the parking lot, the resources in the system are the parking spaces, the resources are limited, and the service must always be provided. If the resource is already occupied, the service is overloaded, causing the system to stop the new response.

A distributed denial of service attack that amplifies normal requests by several times and initiates attacks at the same time through several network nodes to achieve scale effects. These network nodes are often the hackers control the "broiler", the number reached a certain scale, the formation of a "botnet." Large botnets reach tens of thousands of, hundreds of thousands of. DDoS attacks launched by such a large botnet are almost unstoppable.

DDoS attacks

Common DDoS Attacks

Syn/ack Flood attack:

This attack method is the classic most effective DDoS attack method, can kill various system network services, mainly by sending to the victim host a large number of false source IP and source port of the SYN or ACK packet, causing the host's cache resources are exhausted or busy sending response packets resulting in a denial of service, Because the source is forged, it is difficult to track, and the disadvantage is that it is difficult to implement and requires high-bandwidth zombie host support. A small amount of this attack will cause the host server to be inaccessible, but can ping the pass, on the server with the Netstat-na command will observe the existence of a large number of syn_received state, a large number of such attacks will cause ping failure, TCP/IP stack failure, and will appear system solidification phenomenon , which does not respond to the keyboard and mouse. Most common firewalls cannot withstand this type of attack.

TCP Full Connection attack:

This attack is designed to bypass the regular firewall inspection, generally, the conventional firewall mostly has the ability to filter teardrop, land and other Dos attacks, but for the normal TCP connection is spared, but many network services programs (such as: IIS, Apache and other Web servers can accept the number of TCP connections is limited, once there is a large number of TCP connections, even if it is normal, will cause the site access is very slow or even inaccessible, TCP full-connection attack is through many zombie hosts constantly with the victim server to establish a large number of TCP connections, Until resources such as server memory are exhausted and dragged across, resulting in denial of service, this attack is characterized by bypassing the protection of the general firewall for attack purposes, with the disadvantage that many zombie hosts are needed, and because the IP of the zombie host is exposed, this type of DDoS attack can be easily traced.

To swipe script scripts to attack:

This attack is mainly for the existence of ASP, JSP, PHP, CGI and other scripts, and call MSSQLServer, MySQLServer, Oracle and other databases of the Web site system design, characterized by a normal TCP connection with the server, and constantly submit queries to the script program , lists and so on a large number of database resource calls, typical of small broad attack method. In general, the cost of submitting a GET or post instruction to the client and the consumption of bandwidth is almost negligible, and the server to process this request may be from tens of thousands of records to find out a record, this process of resources is very expensive, A common database server rarely supports simultaneous execution of hundreds of query commands, which is a breeze for the client, so the attacker simply submits a large number of query instructions to the host server through proxy proxies, consuming server resources in minutes and causing a denial of service. The common phenomenon is that the website is slow as snail, ASP program failure, PHP connection database failure, database main program occupies high CPU. This attack is characterized by the ability to completely bypass the normal firewall protection, easy to find some proxy agent can implement the attack, the disadvantage is that only static pages of the site effect will be greatly compromised, and some proxies will expose the DDoS attacker's IP address.

Defense strategies for DDoS attacks

Because of the concealment of DDoS attacks, we have not yet found an effective solution to DDoS attacks. Therefore, we should strengthen the security awareness, improve the security of the network system.

1, early detection of system vulnerabilities, timely installation of system patches. Establish and refine backup mechanisms for important information, such as system configuration information. Be cautious about password settings for some privileged accounts (such as Administrator accounts). Through such a series of measures can reduce the attacker's opportunity to a minimum.

2, in the network management, to constantly check the physical environment of the system, prohibit those unnecessary network services. Establish boundary security boundaries to ensure that the output packets are properly limited. Check the system configuration information frequently and look at the security log daily.

3, the use of network security equipment (such as firewall) to strengthen the security of the network, configure their security rules, filter out all possible forged packets.

4. A better defense is to work with your network service provider to help you achieve routing access control and limit the total bandwidth.

Wake up, dream scattered, love songs of the word Why rhyme. --Elimination

DDoS distributed denial of service