recently took a little time to "the King of Destruction-ddos attack and the depth of the prevention of the analysis" to read it, frankly, this book is relatively simple, can be said to be an introductory book, of course, for me this kind of DDoS smattering people, is also a good book, at least I learned something. DDoS is a shorthand for distributed denial-of-service (Distributed denial of service, DDOS), and the name shows that its attack is distributed, that is, multiple (possibly tens, even more) computers simultaneously attacking the target to make the target unavailable Service. Fundamentally, there are many ways to target a service, such as hacking into a target server, removing critical services or programs, or other physical methods, which are really effective, but are far from DDoS in terms of concealment and the difficulty of restoring services to the target. DDoS is essentially a way to consume the resources of the target server, a server to provide normal external services, it must have enough hardware equipment, such as CPU, memory, fast enough hard disk, and system software, such as stable operating system, stable application server and database, but also need stable application services, For example, Java EE and PHP-based programs also require sufficient bandwidth for the user to access. These are the basis of providing services, but also the key to DDoS attacks, from this point of view, DDoS attacks are generally divided into bandwidth attacks, system resource attacks and application resources supply. A brief description is as follows:1) Bandwidth attack: This is easy to understand, is to send a large number of packets to the target server, so that other normal users can not connect to the server, the best understanding, and the most easy to implement, a lot of stress testing tools can achieve this effect. But this stress test tool can easily be blocked by the IP blacklist method. Common attack methods are ICMP/IGMP flood attack and UDP flood attack, this kind of attack way is old, easy to filter, and be subject to attack the performance of the computer, often can't achieve the desired effect. The better way is to reflect the attack technology, so-called reflection attack, is to attack the computer disguised as a target host, to some servers (such as DNS, NTP, ACK, SNMP) to send requests, these servers return more than the requested content, and the data returned to the target host, which is convenient for the attack to hide, It also avoids the performance limitations of the attack host, because in some cases it can be scaled up to 700 times times. 2) Attack system resources: Mainly refers to attack TCP link and attack CPU, memory and other resources, TCP connection is designed to be a reliable three-time handshake mode, yes. In the last two times, whenever there is a problem, it will cause the wait and retransmission, the incomplete connection is called the half-open connection, the semi-open connection will quickly exhaust the server's connection resources, this is a common SYN flood attack; In addition, after the client sends the data, the PSH flag is set, and after the server receives this information, The buffer is emptied, the data is submitted to the service process, and if a large number of PSH bits of data are sent, the server resource is consumed. There are also RST attacks and socketstress attacks, which are relatively difficult, the latter being a slow attack, which is a feature of the transport window in a TCP connection. In addition, the use of SSL features, so that the server side consumes a large amount of resources for encryption and decryption, and then run out of resources so that they can not service. 3) Attack application resources: Common attacks DNS and attack HTTP service, attack DNS is actually a non-purpose, for the entire network of attacks, the equivalent of destroying the city's bus stop and road signs, naturally impassable. Attack HTTP service is to take advantage of some design flaws of the HTTP service, such as HTTP flood attack, in fact, similar to attack TCP connection, after the attacker connects to the server, immediately cut off the connection and reconnect, so that the server's connection before time-out needs to be saved, will run out of server resources , such as Slowloris attack, is to take advantage of the HTTP header end flag bit "\r\n\r\n", the attacker sends the other head field, that is, do not send "\r\n\r\n" flag, will cause the server to run out of connection, IIS, nginx to modify, However, Apache does not seem to have modified it; As with the slow post attack, the content-length specifies the transmission length of the body, specifying a large content-length value, and then slowly sending the body information, thus occupying an HTTP connection, The server resources are then exhausted. Others are data processing attacks, such as regular expressions and hash conflict denial of service attacks, which also reduce the processing speed of the server, occupy a critical resource, so as to achieve the purpose of denial of service. DDoS Governance:1 The most feasible way, in fact, is to eliminate the IP address forgery, in fact, this is not difficult to deal with, as long as the router to determine whether this packet is sent from the domain, if not, then refused, but because of the cost and lack of incentive mechanism, has not been achieved. There are similar scenarios where DDoS attacks should be reduced by a large percentage if they can be uniquely spoofed with IP addresses. 2) The mitigation of the attack traffic is mainly to the network traffic to clean, before cleaning needs dilution, the method of dilution mainly has CDN, AnyCast, the former is through the intelligent DNS, the user's access to different machines, but this method on the specified IP attack is invalid, Anycast can solve the problem of IP attack. 3) Data cleaning methods are many, but not very effective, the common approach has IP reputation check, attack feature matching, speed limit and check, TCP proxy and authentication, protocol integrity verification, client Authenticity verification method
DDoS Learning Notes ("The King of Destruction-ddos attack and prevention in depth analysis")
