DDoS attack principles and defense methods

I believe you have heard of DoS attacks, DDoS attacks, and DRDoS attacks! DoS is short for Denial of Service and DDoS is short for Distributed Denial of Service and Distributed Denial of Service. DRDoS is short for Distributed Reflection Denial of Service, this is the meaning of Distributed Denial-of-Service.

However, the most severe attack method in these three cases is DDoS. Although the DRDoS attack is a new attack method, it is only a deformation of DDoS attacks, the only difference is that there is no need to occupy a large number of "bots ". All these three methods use the TCP three-way handshake vulnerability for attacks, so their defense methods are similar.

DoS attacks were the first to appear. In other words, their attack methods are simply one-on-one. They provide better performance and faster speed than their machines. However, today's technology is developing rapidly. Generally, website hosts have more than a dozen hosts, and the processing capability, memory size, and network speed of each host are all developing rapidly, some network bandwidth even exceeds 1 Gigabit. In this way, our one-to-one, one-on-one, one-on-one attack will have no effect, and our machines will die if they do not work well. For example, if your machine can send 10 attack packets per second, and the machine you attack (the performance and network bandwidth are top-notch) it can accept and process 100 attack packets per second. In this case, your attack will be useless and very likely to crash. You know, if you send such an 1Vs1 attack, your machine's CPU usage is more than 90%. If your machine's configuration is not high enough, you will die.

Figure-01

However, technology is developing and hacking technology is also developing. The so-called high level, high magic battle. After countless attacks, hackers finally found a new DoS attack method, which is a DDoS attack. The principle is to put it bluntly. Many machines are used to launch DoS attacks against the target machine, but not many hackers are involved. This attack is only operated by one hacker. The hacker does not own many machines. He uses his machines to occupy many "bots" on the network and controls these "bots" to launch DDoS attacks. How else is distributed. In the example above, your machine can send 10 attack packets per second, and the attacked machine can accept 100 packets per second, so that your attack will certainly not work, if you use 10 or more machines to attack the target machine, hey! I won't talk about the results.

Figure-02

DRDoS distributed denial of service (DoS) attacks are a form of DDoS attacks. The difference between DrDoS and DDoS is that DRDoS does not need to occupy a large number of "bots" before the attack ". Its attack principles are similar to those of Smurf attacks, but DRDoS can be carried out on the wide area network, while Smurf attacks are carried out on the LAN. Its function is based on the broadcast address and Response Request. When a computer sends some special packets to another computer, such as ping requests, it will receive a response. If a request packet is sent to the broadcast address of the network, in fact, it will reach all the computers on the network, and then it will get a response from all the computers. These responses are processed by the computer to be received. Each Processing Task occupies one system resource. If the system receives a response from all the computers on the network at the same time, the recipient's system may not be enough, just as it was under DDoS attacks. However, no one is stupid enough to attack themselves, but the improvement of this method by hackers is very powerful. A hacker sends a request packet to a broadcast address. After receiving the request, all computers do not send the response to the hacker, but to the attacked host. This is because the hacker impersonates the host to be attacked. The software used by hackers to send request packets can forge the source address. The host receiving the forged data packet will send a response based on the source address, which is of course the address of the attacked host. At the same time, hackers will reduce the time interval between sending request packets, so that a large number of request packets can be sent in a short time, so that the attacked host can receive a flood response from the spoofed computer, it is like a system crash caused by a DDoS attack. Hackers use all computers in the network to attack victims, instead of occupying these spoofed hosts in advance. This is a Smurf attack. DRDoS attacks are based on this principle. Hackers also use a special packet sending tool to first send SYN connection request packets that have forged the source address to spoofed computers. According to the three-way handshake rule of TCP, these computers send SYN + ACK or RST packets to the source IP address to respond to this request. Like Smurf attacks, the source IP address of the Request Packet sent by the hacker is the address of the attacked host, so that the spoofed host will send the response to the attacked host, as a result, the attacked host is busy processing these responses.

Figure-03

Explanation:

SYN :( Synchronize sequence numbers) is used to establish a connection. In a connection request, SYN = 1, ACK = 0, and SYN = 1, ACK = 1 when the connection is responding. That is, SYN and ACK are used to differentiate Connection Request and Connection Accepted.

RST :( Reset the connection) is used to Reset the wrong connection caused by some reason, and to reject illegal data and requests. If an RST bit is received, some errors usually occur.

ACK :( Acknowledgment field significant) indicates that the Acknowledgment Number is valid when it is set to 1. If it is set to 0, the data segment does not contain the confirmation information, and the confirmation Number is ignored.

TCP three-way handshake:

Figure-04

Suppose we want to establish a connection, and the server is in the normal answer status.

Step 1: the client sends a request with SYN bit, indicating that the connection is required to the server. If the request packet serial number is 10, ACK = 0, and then wait for the response from the server.

Step 2: After the server receives such a request packet, check whether the specified port is being received. If not, the server sends the RST = 1 response and rejects the connection. If a request packet is received, the server sends a confirmation response. SYN is an internal code of the server. For example, if it is 100, the ACK bit is the request serial number of the client plus 1, in this example, the sent data is SYN = 100, ACK = 11, and the data is returned to us. It indicates that the server connection is ready and we are waiting for confirmation. After receiving the response, we will analyze the information and prepare to send a confirmation connection signal to the server.

Step 3: Send the confirmation message to the server. The SYN bit of the confirmation message is the ACK bit sent by the server, and the ACK bit is the SYN bit sent by the server plus 1. That is, SYN = 11, ACK = 101.

In this way, our connection is established.

How exactly does DDoS attack? Currently, the most popular and best attack method is SYN-Flood attack, which is also called SYN Flood attack. SYN-Flood does not complete the third step of TCP three-way handshake, that is, it does not send the Connection Confirmation information to the server. In this way, the server cannot complete the third handshake, but the server will not give up immediately. The server will keep retrying and wait for a certain amount of time before giving up the Unfinished Connection. This time is called SYN timeout, this time is about 30 seconds-2 minutes. If a user encounters a connection problem and a thread on the server waits for one minute, it is not a big deal. However, if someone uses special software to simulate this situation, the consequences can be imagined. If a server processes a large amount of semi-connection information and consumes a lot of system resources and network bandwidth, in this way, the server will not be free to process normal requests of common users (because the normal Request Rate of the customer is very small ). In this way, the server cannot work. This attack is called SYN-Flood attack.

So far, it is still difficult to defend against DDoS attacks. First, this attack is characterized by the exploitation of TCP/IP protocol vulnerabilities. Unless you do not need TCP/IP, you can fully defend against DDoS attacks. However, this does not mean we have no way to block DDoS attacks. We can try our best to reduce DDoS attacks. The following are some defense methods:

1. Make sure that the system file of the server is the latest version, and promptly update the system patch.

2. Disable unnecessary services.

3. Limit the number of SYN semi-connections opened at the same time.

4. Shorten the time out time of SYN semi-join.

5. Set firewall correctly

Prohibit Access to non-open services on the host

Restrict access from a specific IP Address

Enable the anti-DDoS attribute of the firewall

Strictly restrict external access to external servers

To run the port ing program, you must carefully check the privileged port and the non-privileged port.

6. Carefully check the logs of network devices and host/server systems. As long as a vulnerability or time change occurs in the log, the machine can be attacked.

7. Restrict sharing of network files outside the firewall. This will give hackers the opportunity to intercept system files. The host information is exposed to hackers, which undoubtedly gives the other party the opportunity to intrude.

8. Vro

Take Cisco router as an Example

Cisco Express Forwarding (CEF)

Use unicast reverse-path

Access Control List (ACL) Filtering

Set SYN packet traffic rate

Upgrade ISO version is too low

Create a log server for the vro

We can understand the principles of DDoS attacks and improve our defense measures so that we can block some DDoS attacks.

Html "target = _ self>