Author: Dai Pengfei
From the Estonia DDoS information war of 2007, to this year's DDoS extortion against some 30 Internet cafes in Nanning, Guangxi, to Sina being unable to serve external requests for a stretch of minutes while under DDoS attack, DDoS attacks are growing in number, in frequency and in traffic volume, and the situation is grim. Attacks of more than 1 Gbit/s now appear routinely, and data collected by CNCERT/CC show peak attack traffic of 12 Gbit/s, more than even a professional data center can absorb. Worse, extortion by DDoS has become a complete industrial chain. The attacker's cost is very low: attack scripts and tools can be found all over the Internet and require ever less skill to use. Dedicated anti-DDoS appliances, on the other hand, are expensive, and tracing an attack back to its source is difficult. Defense costs far more than attack.
This article analyzes how DDoS attacks work and offers some countermeasures.
I. DDoS attacks
What is DDoS? DDoS is short for Distributed Denial of Service, that is, a distributed denial-of-service attack, also known as a flood attack. First, some definitions:
Service: the functions a system provides that its users benefit from.
Denial of Service (DoS): any interference with a service that reduces or removes its availability.
Denial-of-Service attack: an attacker deliberately causes a computer or network to stop working properly, so that it can no longer provide the required service to legitimate users, or provides it with degraded quality.
Distributed Denial-of-Service (DDoS) attack: several attackers in different locations launch an attack on one or more targets at the same time, or one or more attackers control many machines in different locations and use them to attack the victim simultaneously. Because the attacking points are spread across different places, this is called a distributed denial-of-service attack.
A DDoS attack wastes network resources, congests link bandwidth, exhausts server resources and interrupts service. Most such attacks are carried out with computers that hackers have illegally taken control of. After compromising a machine, the hacker turns it into a remotely controlled "bot" (a "broiler chicken" in Chinese underground jargon) and later uses it to launch DDoS attacks; these machines are also rented out for attacks at a low per-unit price. The owners have no idea their computers are being used to attack others. Since millions of computers have by now been turned into bots, the resulting attacks are extremely violent. A DDoS attack typically:
fills the network with a large number of useless packets;
generates high-volume useless traffic that congests the network and cuts the victim host off from the outside world;
repeatedly sends specific service requests at high speed, exploiting defects in the service or transport protocol of the victim host, so that it can no longer handle normal requests in time;
in severe cases, crashes the system.
Some network-layer denial-of-service attacks exploit vulnerabilities in network protocols; others simply seize the limited processing capacity of a network or device. This makes preventing denial of service a headache for administrators. In particular, firewalls, server load balancers and other devices that sit on the backbone of most networks often become the bottleneck of the whole network under a DDoS attack, so the entire network is paralyzed.
II. Data packet structure
To understand how DDoS attacks work, we first need to understand the structure of the packets involved, because that is also what lets us trace an attack. Let us briefly review the packet formats.
2.1 IP packet structure
2.2 TCP packet structure
The code bits field of the TCP header contains six flag bits:
SYN: used to establish a connection and synchronize sequence numbers between the two sides. SYN = 1 and ACK = 0 marks a connection request; SYN = 1 and ACK = 1 marks the connection being accepted.
FIN: the sender has no more data to transmit and wants to release the connection.
RST: resets a connection; a segment carrying RST is called a reset packet. In general, when TCP receives a segment that clearly does not belong to any connection on the host, it sends a reset packet back to the remote end.
URG: urgent data. When set to 1, the segment contains urgent data and the urgent pointer field is valid.
ACK: acknowledgment flag. When set to 1, the acknowledgment number in the segment is valid; otherwise the acknowledgment number is meaningless.
PSH: when set, the receiver should hand the data to the application layer as soon as possible rather than waiting for its buffer to fill.
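The header diagrams for sections 2.1 and 2.2 are not reproduced on this page, so here is an added example (not part of the original article) that decodes the fixed 20-byte IPv4 and TCP headers with the Python `struct` module, extracts the six code bits listed above and classifies the SYN/ACK combination according to the handshake rules just given. The packet it parses is constructed in the block itself (checksums are left at zero; it is a sample for parsing, not something meant to be sent), and all function names are this example's own.

```python
import struct
from ipaddress import IPv4Address

# TCP code bits: the low six bits of byte 13 of the TCP header, as listed in 2.2.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_ipv4(pkt):
    """Decode the 20-byte fixed IPv4 header; return its fields plus the layer-4 payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, _frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    return {
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "id": ident, "ttl": ttl, "protocol": proto,
        "payload": pkt[ihl:total_len],
    }


def parse_tcp(seg):
    """Decode the 20-byte fixed TCP header; 'flags' is the set of code bits that are on."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack_num, off_res, flag_byte,
     window, _csum, urg_ptr) = struct.unpack("!HHIIBBHHH", seg[:20])
    data_off = (off_res >> 4) * 4
    if data_off < 20 or len(seg) < data_off:
        raise ValueError("malformed TCP data offset")
    flags = {name for name, bit in TCP_FLAGS.items() if flag_byte & bit}
    return {
        "sport": sport, "dport": dport, "seq": seq,
        "ack": ack_num if "ACK" in flags else None,      # valid only when ACK is set
        "urg_ptr": urg_ptr if "URG" in flags else None,  # valid only when URG is set
        "window": window, "flags": flags, "data": seg[data_off:],
    }


def handshake_role(flags):
    """Map the SYN/ACK/RST combination onto its place in the three-way handshake."""
    if "RST" in flags:
        return "reset"
    if "SYN" in flags and "ACK" not in flags:
        return "connection request (1st handshake)"
    if "SYN" in flags and "ACK" in flags:
        return "connection accepted (2nd handshake)"
    if "ACK" in flags:
        return "acknowledgment (3rd handshake or data)"
    return "other"


def build_packet(src, dst, sport, dport, seq=0, flags=("SYN",)):
    """Assemble a minimal IPv4+TCP packet (constructed sample; checksums are 0)."""
    flag_byte = 0
    for f in flags:
        flag_byte |= TCP_FLAGS[f]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flag_byte, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def decode(pkt):
    """Parse an IPv4 packet; if it carries TCP (protocol 6), decode that too."""
    ip = parse_ipv4(pkt)
    if ip["protocol"] != 6:
        return ip
    tcp = parse_tcp(ip["payload"])
    tcp["role"] = handshake_role(tcp["flags"])
    return {**ip, "tcp": tcp}


if __name__ == "__main__":
    # A bare SYN with a made-up source address: the shape of every packet in a SYN flood.
    info = decode(build_packet("10.99.0.7", "192.0.2.10", 40000, 80, seq=1))
    print(info["src"], "->", info["dst"], sorted(info["tcp"]["flags"]), info["tcp"]["role"])
```

Feeding `decode()` the bytes of a captured packet (for example from a pcap reader) gives the same per-packet view the screenshots in section 3.1.1 rely on: a source that keeps producing "connection request" segments and never a "3rd handshake" acknowledgment.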
2.3 UDP packet structure
2.4 ICMP packet structure
III. DDoS attack methods
3.1 SYN Flood attack
SYN flooding is the most common DDoS attack on today's networks and the classic denial-of-service attack. It exploits a weakness in TCP's connection setup: by sending a large number of SYN packets with forged source addresses to the port a network service listens on, the attacker fills the target server's half-open connection queue, so that legitimate users can no longer connect. The attack was described as early as 1996 and is still very much alive. Many operating systems, and even firewalls and routers, cannot defend against it effectively, and because source addresses are trivially forged it is very hard to trace. Its signature on the wire is a flood of SYN packets for which the final ACK of the handshake never arrives.
3.1.1 Principles
An attacker sends a SYN to the server from a spoofed address ("can I open a connection?"). The server replies with SYN+ACK ("yes, confirm"). The host that really owns the spoofed address never sent a SYN, so it does not complete the handshake (if that host is up, its TCP stack will normally answer the unexpected SYN+ACK with an RST, which is why attackers prefer unreachable or unresponsive source addresses). Receiving no ACK, the server retransmits the SYN+ACK 3 to 5 times and keeps the half-open entry for a SYN timeout (typically 30 seconds to 2 minutes) before discarding it.
If the attacker sends a large number of SYN requests with forged sources, the server spends considerable resources on these half-open connections: keeping and traversing the list costs CPU time and memory, and every entry in it has to be re-sent a SYN+ACK again and again. In the end the server can no longer accept normal connection requests: denial of service. Running `netstat -an` on the server shows the half-open connections in the SYN_RECV state:
A packet capture shows the same thing:
a large number of SYN packets that are never followed by an ACK.
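To make the mechanism of 3.1.1 concrete, here is an added example (not code from the original article) that simulates a server's half-open queue: each SYN occupies a slot until the client's final ACK arrives or the SYN+ACK retransmissions run out, and a legitimate client is refused while spoofed SYNs hold every slot. It also computes the aggregate signal that the `netstat -an` and packet-capture screenshots above illustrate, namely many bare SYNs with few completing ACKs. The backlog size, retransmission count, retransmission timeout and all traffic are constructed values chosen for the example.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    t: float          # arrival time, seconds
    src: str
    sport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", ...}


class HalfOpenQueue:
    """Simulated SYN backlog. Each SYN holds one slot (SYN_RECV) until the final ACK
    arrives or the server gives up retransmitting SYN+ACK (hold_time)."""

    def __init__(self, backlog=64, retries=3, rto=3.0):
        self.backlog, self.retries, self.rto = backlog, retries, rto
        self.entries = {}   # (src, sport) -> time at which the slot is released
        self.dropped = 0    # SYNs refused because the queue was full
        self.peak = 0       # largest number of simultaneous half-open entries

    def hold_time(self):
        # initial SYN+ACK plus `retries` retransmissions with a doubling RTO
        return sum(self.rto * 2 ** i for i in range(self.retries + 1))

    def _expire(self, now):
        for key in [k for k, deadline in self.entries.items() if deadline <= now]:
            del self.entries[key]

    def on_syn(self, pkt):
        self._expire(pkt.t)
        if len(self.entries) >= self.backlog:
            self.dropped += 1
            return False                      # SYN ignored, legitimate or not
        self.entries[(pkt.src, pkt.sport)] = pkt.t + self.hold_time()
        self.peak = max(self.peak, len(self.entries))
        return True                           # server would send SYN+ACK here

    def on_ack(self, pkt):
        self._expire(pkt.t)
        return self.entries.pop((pkt.src, pkt.sport), None) is not None


def spoofed_flood(rate, seconds):
    """Constructed attack traffic: `rate` SYNs/s from forged sources that never answer."""
    pkts, n = [], 0
    for s in range(seconds):
        for i in range(rate):
            pkts.append(Pkt(s + i / rate, f"203.0.113.{n % 254 + 1}", 1024 + n, frozenset({"SYN"})))
            n += 1
    return pkts


def run_simulation(backlog=64, rate=20, seconds=5):
    """Flood the queue, then let one legitimate client try during and after the flood."""
    q = HalfOpenQueue(backlog)
    for p in spoofed_flood(rate, seconds):
        q.on_syn(p)
    legit = Pkt(float(seconds), "198.51.100.5", 50000, frozenset({"SYN"}))
    during = q.on_syn(legit)                                   # queue still full
    later_t = seconds + q.hold_time() + 1                      # spoofed entries expired
    later = q.on_syn(Pkt(later_t, legit.src, legit.sport, legit.flags))
    completed = q.on_ack(Pkt(later_t + 0.05, legit.src, legit.sport, frozenset({"ACK"})))
    return {"during_flood": during, "after_timeout": later, "completed": completed,
            "dropped": q.dropped, "half_open_peak": q.peak, "hold_time": q.hold_time()}


def syn_flood_indicator(pkts, min_syn=50, max_completion=0.5):
    """Aggregate view of a capture: bare SYNs versus handshake-completing ACKs.
    Per-source counting is useless against forged sources, so count the whole window."""
    syn = sum(1 for p in pkts if "SYN" in p.flags and "ACK" not in p.flags)
    acks = sum(1 for p in pkts if "ACK" in p.flags and "SYN" not in p.flags)
    sources = {p.src for p in pkts if "SYN" in p.flags and "ACK" not in p.flags}
    completion = acks / syn if syn else 1.0
    return {"syn": syn, "acks": acks, "distinct_sources": len(sources),
            "completion": completion,
            "flagged": syn >= min_syn and completion <= max_completion}


if __name__ == "__main__":
    print(run_simulation())
    print(syn_flood_indicator(spoofed_flood(20, 5)))
```

With the defaults (64-slot backlog, 20 spoofed SYNs per second for 5 seconds, 3 retransmissions starting at a 3-second RTO) the queue is full after about three seconds, the legitimate client is refused, and it only gets in once the 45-second hold time has let the spoofed entries expire; the indicator over the same traffic reports 100 SYNs from 100 distinct sources and no completing ACKs. A real stack's numbers differ, but the shape of the problem is the same: the attacker pays one packet per slot, the server pays memory plus repeated SYN+ACK transmissions for the full hold time.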
3.1.2 SYN Flood protection
Some firewalls on the market offer a SYN proxy function. It is usually configured with a per-second threshold for a specified object (the destination address and port, only the destination address, or only the source