Concept:
A distributed denial of service (DDoS) attack uses client/server technology to combine many computers into a single attack platform aimed at one or more targets, multiplying the power of an ordinary denial of service attack. Typically, an attacker uses a stolen account to install a DDoS master program on one computer; at a set time the master communicates with a large number of agents that have already been installed on many computers across the network, and each agent launches its attack when it receives the instruction. With client/server technology, the master program can activate hundreds of agents within seconds.
Principle:
The SYN flood is the most common DDoS attack on today's networks and also the most classic denial of service attack. It exploits a flaw in TCP protocol implementations: by sending a large number of attack packets with spoofed source addresses to the port on which a network service listens, it can fill the target server's half-open connection queue and so block access by other legitimate users. The attack was discovered as early as 1996, but it still shows strong vitality: many operating systems, and even firewalls and routers, cannot defend against it effectively, and because source addresses are easily forged it is very difficult to trace. Its packet characteristics are typical: the source sends a large number of SYN packets, and the final ACK of the three-way handshake never arrives.
For example, an attacker first sends a SYN request with a forged source address to the server ("can I establish a connection?"), and the server responds with a SYN+ACK ("yes, please confirm"). The host that really owns that IP address never sent a request, so it does not respond. Receiving no response, the server retries 3-5 times and waits out the SYN timeout (typically 30 seconds to 2 minutes) before discarding the connection.
If an attacker sends a large number of SYN requests with spoofed source addresses, the server spends considerable resources handling these half-open connections: storing and traversing the list consumes a lot of CPU time and memory, not to mention the SYN+ACK retries to every IP address in that list. The end result is that the server ignores normal connection requests, that is, denial of service. On the server you can see the large number of SYN packets with no ACK reply by checking for the SYN_RECV state with the netstat -an command.
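The SYN_RECV check described above, as an added example that is not part of the original post: it parses netstat -an output (the sample below is constructed, not captured from a real host) and groups half-open connections by remote source address so a defender can see how the backlog is being filled. The function names and the threshold value are assumptions chosen for the example.

```python
from collections import Counter

# Constructed sample of `netstat -an` output (Linux column layout).
# A real spoofed flood is spread over many addresses; this is kept small.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.10:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.10:40002      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.10:40003      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:51000      SYN_RECV
tcp        0      0 10.0.0.5:80             192.0.2.44:33022        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.9:55010         ESTABLISHED
"""


def half_open_by_source(netstat_output, local_port=None):
    """Return a Counter {remote_ip: count} of connections stuck in SYN_RECV.

    If local_port is given, only half-open connections to that local port
    (e.g. 80 for a web service) are counted.
    """
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Data lines: proto recv-q send-q local foreign state (6 fields)
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, foreign, state = fields[3], fields[4], fields[5]
        if state != "SYN_RECV":
            continue
        if local_port is not None and local.rsplit(":", 1)[-1] != str(local_port):
            continue
        remote_ip = foreign.rsplit(":", 1)[0]  # drop the ephemeral port
        counts[remote_ip] += 1
    return counts


def is_syn_flood_suspected(netstat_output, threshold=100):
    """Flag when the total number of SYN_RECV entries exceeds a threshold.

    The default threshold is a placeholder; tune it to the host's normal
    half-open load and the size of its SYN backlog.
    """
    return sum(half_open_by_source(netstat_output).values()) > threshold


if __name__ == "__main__":
    for ip, n in half_open_by_source(SAMPLE_NETSTAT).most_common():
        print(f"{ip:<16} {n} half-open")
    print("flood suspected:", is_syn_flood_suspected(SAMPLE_NETSTAT, threshold=3))
```

On a live host, feed the function the output of netstat -an rather than the constructed sample; a flood that spreads across many spoofed addresses shows up as a high total with only one or two entries per source.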
This article is from the "XWB" blog; please keep this source: http://xiewb.blog.51cto.com/11091636/1793347
DDoS distributed denial of service attacks