Distributed denial of service attacks and precautions

Source: Internet
Author: User
Tags: ack, filter

1. From DoS to DDoS

Denial of service (DoS) is an old technique: attacks of this kind have existed for as long as the Internet has. Because no major website or institution had been hit by one, their destructive potential was not widely appreciated until early 2000, when Yahoo!, eBay and Amazon were taken down by such attacks.

In a typical Internet connection, when a user visits a website, the client sends a message to the web server requesting a connection, and the user can use the service only after the server has confirmed that the request is legitimate and acknowledged it. In a DoS attack, a malicious user sends the server a large number of connection requests, enough to load it fully, and forges the return address on every one of them. When the server tries to send its acknowledgement back, it cannot reach any of those addresses, so it waits; depending on the implementation it may hold such a half-open connection for a minute or more before closing it. Worse, as soon as the server closes those connections the attacker sends a new batch of forged requests, and the cycle repeats until the server is overloaded and stops serving anyone. Attacks of this kind do not break into the site and do not tamper with or destroy data; they use a program to generate a large number of network packets in a short time so that the victim's network and hosts are paralysed and legitimate users cannot be served in time.

However, the attack that brought down Yahoo! was not a simple DoS. Like a DoS attack it sent large numbers of packets with forged IP addresses at the target so that the server could not serve legitimate users (the invalid requests reaching Yahoo!'s routers amounted to as much as 1 Gb/s), but it differed from a plain DoS in that it mobilised a large number of "innocent" computers to attack the target at once: a distributed denial of service (DDoS) attack.

DDoS is a step up from DoS. DDoS tools are more automated: they can easily coordinate the start of the attack from many computers so that a stream of DoS traffic hits the target network, which then collapses under the overload. Specifically, a DDoS attack installs a large number of DoS agent programs on different high-bandwidth hosts; the agents wait for commands from a central control client, which notifies all of the agents at once and tells them to send as many requests as possible to a specific target. Without such tooling, the attacker would have to connect to each remote host by Telnet, log in as a user and manually enter the command on each one to make it send a flood of traffic to the target.

The biggest difference between DDoS and DoS is the amount of force involved. In classic DoS, one machine attacks the target; in DDoS, many machines use their combined bandwidth against it, which makes it much easier to take the target site down. DDoS attacks are also more automated: the attacker installs the agent program on many machines across the network, the attack tools make the agents hard to detect on those machines, and once the attacker issues a single attack command all of the machines attack together.

2. DoS attack methods

DoS can be carried out in many ways; the three most commonly used are the TCP SYN flood, the UDP flood and the ICMP flood.

A standard TCP connection begins with a three-way handshake. First the requesting side sends a SYN segment to the server; when the server receives the SYN it replies with a SYN-ACK to confirm; when the requester receives the SYN-ACK it sends an ACK back to the server, and the TCP connection is established. A TCP SYN flood carries out only the first two steps: the attacker sends SYNs with spoofed source addresses, so the server's SYN-ACK goes to a host that never sent the request (or does not exist), the final ACK never arrives, and the server is left waiting, for a fixed period, for an ACK from each forged requester. A single server can hold only a limited number of half-open connections. If an attacker sends such requests quickly and continuously, the server's queue of available TCP connections (the backlog) soon fills up, its available resources are drained, the available network bandwidth shrinks, and the server can no longer provide normal service to users.
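The backlog exhaustion described above, as an added simulation that is not part of the original article: a classic listener that stores one half-open entry per SYN is flooded with SYNs from spoofed sources that never ACK, and a second listener using a simplified SYN-cookie scheme (a keyed hash of the peer's address and a time slot stands in for stored state; this encoding is an assumption of the example, not the real Linux one) is flooded identically. The backlog size, timeout, addresses and the `example-secret` key are constructed values.

```python
import hashlib
import hmac
import os

# Constructed parameters for the simulation (not from the article).
BACKLOG = 5          # half-open connections the classic listener can hold
SYN_TIMEOUT = 60.0   # seconds a half-open entry waits for its ACK


class HalfOpenListener:
    """Classic TCP listener: every SYN occupies a backlog slot until the
    matching ACK arrives or the timeout reaps it."""

    def __init__(self, backlog=BACKLOG, timeout=SYN_TIMEOUT):
        self.backlog = backlog
        self.timeout = timeout
        self.half_open = {}      # (src_ip, src_port) -> expiry time
        self.established = set()
        self.dropped_syns = 0

    def _reap(self, now):
        for key, expiry in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[key]

    def on_syn(self, src_ip, src_port, now):
        self._reap(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None          # backlog full: no SYN-ACK, the client times out
        self.half_open[(src_ip, src_port)] = now + self.timeout
        return "SYN-ACK"

    def on_ack(self, src_ip, src_port, now):
        self._reap(now)
        key = (src_ip, src_port)
        if key not in self.half_open:
            return False
        del self.half_open[key]
        self.established.add(key)
        return True


class SynCookieListener:
    """Stateless listener: the SYN-ACK's sequence number is a keyed hash of the
    peer's address and a coarse time slot, so nothing is stored until a client
    proves it received the SYN-ACK. Simplified scheme assumed by this example."""

    SLOT_SECONDS = 64

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)
        self.established = set()

    def _cookie(self, src_ip, src_port, slot):
        msg = f"{src_ip}:{src_port}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src_ip, src_port, now):
        slot = int(now) // self.SLOT_SECONDS
        return self._cookie(src_ip, src_port, slot)   # server ISN; no state kept

    def on_ack(self, src_ip, src_port, ack_num, now):
        slot = int(now) // self.SLOT_SECONDS
        for s in (slot, slot - 1):                      # tolerate a slot rollover
            if (self._cookie(src_ip, src_port, s) + 1) & 0xFFFFFFFF == ack_num:
                self.established.add((src_ip, src_port))
                return True
        return False


def simulate(flood_syns=1000):
    """Flood both listeners with SYNs from spoofed sources that never ACK, then
    check whether one legitimate client can still connect. Returns
    (legit_ok_classic, legit_ok_cookie, syns_dropped_by_classic, classic_ok_after_timeout)."""
    classic = HalfOpenListener()
    cookie = SynCookieListener(secret=b"example-secret")
    t = 0.0
    for i in range(flood_syns):                 # constructed spoofed sources
        src = f"203.0.113.{i % 254 + 1}"
        classic.on_syn(src, 40000 + i, t)
        cookie.on_syn(src, 40000 + i, t)
        t += 0.001                              # 1000 SYN/s

    legit_ip, legit_port = "198.51.100.7", 51234
    got_synack = classic.on_syn(legit_ip, legit_port, t)
    ok_classic = got_synack is not None and classic.on_ack(legit_ip, legit_port, t + 0.05)

    isn = cookie.on_syn(legit_ip, legit_port, t)
    ok_cookie = cookie.on_ack(legit_ip, legit_port, (isn + 1) & 0xFFFFFFFF, t + 0.05)

    # The classic listener recovers only once the forged entries have timed out.
    later = t + SYN_TIMEOUT + 1
    ok_after_timeout = (classic.on_syn(legit_ip, legit_port, later) is not None
                        and classic.on_ack(legit_ip, legit_port, later + 0.05))
    return ok_classic, ok_cookie, classic.dropped_syns, ok_after_timeout


if __name__ == "__main__":
    print(simulate())   # (False, True, 996, True)
```

With a backlog of 5, the classic listener accepts the first five forged SYNs and then drops everything, the legitimate client included, until the 60-second timeout reaps the forged entries; the cookie listener keeps no per-SYN state, so the legitimate client connects during the flood. Real servers combine a much larger backlog, shorter SYN-ACK retransmission limits and SYN cookies, but the mechanism is the same.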

UDP (User Datagram Protocol) is widely used on the Internet, and many kinds of attack are based on it. Services such as WWW and mail were commonly hosted on UNIX servers, which by default enabled a number of UDP services that can be abused, such as Echo and Chargen. Echo simply returns every datagram it receives. Chargen (character generator) was originally intended as a test service; it answers every datagram it receives with a line of characters. If an attacker sends a single spoofed datagram that points the Echo service of one host at the Chargen service of another, the two services answer each other endlessly, and the available bandwidth between them is quickly exhausted.
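The Echo/Chargen loop above, as an added simulation that is not part of the original article. The two hosts, their addresses and the single spoofed datagram are constructed; the services follow RFC 862 and RFC 864 in outline (the real Chargen server sends a random-length line of up to 512 bytes, which is simplified here to a fixed 72-byte line). The `block_service_sources` switch models the mitigation of dropping datagrams that claim to originate from the Echo or Chargen port.

```python
from typing import NamedTuple
import string

ECHO_PORT, CHARGEN_PORT = 7, 19
CHARGEN_LINE = (string.ascii_letters + string.digits + string.punctuation)[:72].encode()


class Datagram(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def echo_service(payload: bytes) -> bytes:
    """RFC 862 echo: send back whatever arrived."""
    return payload


def chargen_service(payload: bytes) -> bytes:
    """RFC 864 character generator: answer any datagram with a line of text,
    regardless of what the datagram contained (fixed line, simplified)."""
    return CHARGEN_LINE


SERVICES = {ECHO_PORT: echo_service, CHARGEN_PORT: chargen_service}


def run_loop(first: Datagram, max_packets: int, block_service_sources: bool = False):
    """Deliver datagrams back and forth between the two hosts until the loop is
    broken or max_packets replies have been generated. Returns (replies, bytes)."""
    pending = first
    replies = 0
    total_bytes = 0
    while pending is not None and replies < max_packets:
        if block_service_sources and pending.sport in SERVICES:
            # Hardened host: a datagram claiming to come from port 7 or 19 is dropped,
            # so the loop never starts.
            break
        handler = SERVICES.get(pending.dport)
        if handler is None:
            break
        reply = handler(pending.payload)
        replies += 1
        total_bytes += len(reply)
        # The reply is addressed to whatever the datagram claimed as its source,
        # which is the other service, so it comes straight back.
        pending = Datagram(pending.dst, pending.dport, pending.src, pending.sport, reply)
    return replies, total_bytes


# Constructed spoofed datagram: appears to come from the Echo port of host A
# (192.0.2.10) and is sent to the Chargen port of host B (192.0.2.20).
# The attacker sends it exactly once.
SPOOFED = Datagram("192.0.2.10", ECHO_PORT, "192.0.2.20", CHARGEN_PORT, b"x")

if __name__ == "__main__":
    print(run_loop(SPOOFED, 100))                              # (100, 7200)
    print(run_loop(SPOOFED, 100, block_service_sources=True))  # (0, 0)
```

One forged datagram produces traffic for as long as both services stay up; the `max_packets` cap exists only so the simulation terminates. Disabling Echo and Chargen (the usual advice) or filtering datagrams whose source port is a well-known service port ends the loop before it begins.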

3. DDoS attack methods

The DDoS tools currently known to be in use on the network are Trinoo, Tribe Flood Network (TFN), TFN2K and Stacheldraht. Their attack approach is broadly similar.

1. Trinoo: a UDP flood attack tool. It sends 4-byte, all-zero UDP packets to random ports on the target host; while processing this garbage traffic, which exceeds its capacity, the target's network performance steadily degrades until it can no longer provide normal service or crashes. Trinoo does not spoof IP addresses, and this attack method is not used very often.

2. TFN: it uses ICMP to send commands to the agents (the compromised hosts), and the source of the commands can be forged. It can launch SYN flood, UDP flood, ICMP flood and Smurf attacks (a Smurf attack uses many hosts to emit a huge number of packets at the victim), among others. Its upgraded version, TFN2K, encrypts the command packets so that their content is harder to inspect, forges the source of the commands, and includes a backdoor for controlling the agents.

3. Stacheldraht: it forges the source of its commands and can also evade routers that perform ingress filtering as described in RFC 2267. It checks whether such a filter is in place; if it detects one, the agent spoofs only the last 8 bits of the IP address (the host part), so that the victim cannot tell which machine on that network segment the traffic came from. It also has an automatic update feature with which the agent software updates itself.
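The filter check described for Stacheldraht, as an added example that is not part of the original article or of the tool itself: an RFC 2267 ingress filter admits only sources inside the customer's prefix, the agent probes it with fully forged sources and with sources that forge only the last octet, and picks whichever strategy gets through. The prefixes, the agent address `10.20.30.5` and the probe sizes are constructed.

```python
import ipaddress
import random


class IngressFilter:
    """RFC 2267 ingress filter at the edge of a customer network: a packet may
    leave only if its source address falls inside the customer's prefix."""

    def __init__(self, allowed_prefix: str):
        self.allowed = ipaddress.ip_network(allowed_prefix)

    def allows(self, src_ip: str) -> bool:
        return ipaddress.ip_address(src_ip) in self.allowed


def spoof_full(rng: random.Random) -> str:
    """Completely forged source from an unrelated range (TEST-NET-3, constructed)."""
    return f"203.0.113.{rng.randint(1, 254)}"


def spoof_last_octet(real_src: str, rng: random.Random) -> str:
    """Keep the agent's own /24 and forge only the host byte (last 8 bits)."""
    net = ".".join(real_src.split(".")[:3])
    return f"{net}.{rng.randint(1, 254)}"


def probe_counts(allowed_prefix: str, real_src: str, n: int = 20, seed: int = 0):
    """Send n packets with each strategy through the filter and return how many
    of each pass as (full_passed, last_octet_passed)."""
    filt = IngressFilter(allowed_prefix)
    rng = random.Random(seed)
    full = sum(filt.allows(spoof_full(rng)) for _ in range(n))
    partial = sum(filt.allows(spoof_last_octet(real_src, rng)) for _ in range(n))
    return full, partial


def choose_spoofing(allowed_prefix: str, real_src: str, n: int = 20) -> str:
    """Mimic the agent's decision: full spoofing if it gets through, otherwise
    forge only the last octet, otherwise give up on spoofing."""
    full, partial = probe_counts(allowed_prefix, real_src, n)
    if full == n:
        return "full"
    if partial == n:
        return "last_octet"
    return "none"


if __name__ == "__main__":
    agent = "10.20.30.5"                              # constructed agent address
    print(choose_spoofing("0.0.0.0/0", agent))        # no filtering: full
    print(choose_spoofing("10.20.30.0/24", agent))    # RFC 2267 on the /24: last_octet
    print(choose_spoofing("10.20.30.5/32", agent))    # per-host filter: none
```

The third case is the caveat: an RFC 2267 filter works at prefix granularity, which is exactly the room the last-octet trick uses. A filter that pins each access port to its single host address (or equivalent per-host source validation) leaves no such room, at the cost of more configuration at the edge.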

It is worth noting that attack tools such as Trinoo and TFN are open software that can be found freely on the Internet, so any Internet user can pose a potential threat to network security. Faced with the dangerous shoals of DDoS, how do we deal with hacker attacks that may come at any time? Mr. Yang Ning said that it depends on the state the user is in: whether they are already surrounded by an attack, or are preparing their defences beforehand.
