In general, the packets used in a DoS attack are ordinary packets carried over the Internet by TCP/IP. Individually they are harmless, but when they arrive in excessive volume they overload network equipment or the server and rapidly exhaust system resources, so that service is denied; this is the basic principle of a DoS attack. DoS attacks are difficult to defend against because illegitimate traffic is mixed in with legitimate traffic, and the defences in place often cannot reliably tell the two apart. In addition, many DoS attacks spoof the source IP address and so evade tools that recognise attacks by statistical patterns.
A DoS attack can be implemented in several specific ways:
1. SYN Flood
This attack exploits the server's connection buffer. The attacker crafts TCP headers and sends the server a large number of connection requests carrying only the SYN flag. When the server receives a connection request that is never completed, it allocates session state for it and queues the half-open connection in the buffer. If the SYN requests exceed the limit the server can hold, the buffer queue fills, the server can no longer accept new requests, and the connections of other, legitimate users are rejected.
2. IP Spoofing DoS attack
This attack relies on the RST bit. Suppose a legitimate user (1.1.1.1) has established a normal connection with the server. The attacker constructs TCP segments for the attack, disguises its own IP address as 1.1.1.1, and sends the server a TCP segment with the RST bit set. When the server receives such a segment, it treats the connection from 1.1.1.1 as having failed and removes the established connection from its buffer. If the legitimate user 1.1.1.1 then sends legitimate data, the server no longer has the connection, and the user must establish a new one. By forging a large number of IP addresses and sending RST segments to the target host, an attacker prevents the server from serving legitimate users.
3. Bandwidth DoS attack (UDP Flood, ICMP Flood)
This kind of attack relies on the attacker having enough connection bandwidth. The attacker continuously sends a large number of requests, such as UDP packets or ICMP ping packets, to the target server, either to consume the server's buffers or simply to consume the server's connection bandwidth. The result is network congestion, so that the server can no longer provide its services normally.
DDoS attacks
A single DoS attack is typically one-to-one. A "distributed denial-of-service attack" (Distributed Denial of Service, DDoS) is a type of attack built on the traditional DoS attack. As the processing capacity of computers and networks increased, a single attacking machine could no longer have an effect, so attackers began using 10 or even 100 attacking machines at the same time. This is DDoS. DDoS uses many puppet machines ("chickens") to attack simultaneously, so the attack on the victim is larger in scale and more destructive.
Today's high-speed, widely connected network brings convenience to everyone, but it also creates extremely favourable conditions for DDoS attacks. In the era of low-speed networks, a hacker choosing puppet machines for an attack would always prefer machines close to the target network, because fewer router hops gave a better effect. Now the links between telecom backbones are at the gigabit level, with connections of more than 2.5G between major cities, so attacks can be launched from farther away or from other cities. Attackers can be positioned more flexibly over a larger area, making attacks both more flexible and more covert.
When a host server is under a DDoS attack, the following behaviour usually occurs:
• There are a large number of waiting TCP connections on the attacked host
• The network is filled with a large number of useless packets, generally with fake source addresses
• The high volume of useless data causes network congestion, so the victim host cannot communicate normally with the outside
• Specific service requests are issued repeatedly at high speed, so the victim host cannot handle all normal requests in time
• The system's server CPU utilisation is extremely high, processing is slow, and the host may even go down
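The first two symptoms above, a large backlog of waiting TCP connections coming from many different (spoofed) source addresses, can be checked for on the victim host. The following Python is an added example, not code from the original article: it parses socket-state lines in the column layout of `ss -tan` output (the sample below is constructed, not captured from a real host) and flags listeners whose half-open (SYN-RECV) backlog is both large and spread across mostly distinct peers; the thresholds are illustrative assumptions to be tuned to the host's normal backlog.

```python
# Constructed sample in the column layout of `ss -tan` output (State Recv-Q Send-Q
# Local-Address:Port Peer-Address:Port); it is NOT captured from a real host.
SAMPLE_SOCKETS = """\
State    Recv-Q Send-Q Local_Address:Port  Peer_Address:Port
ESTAB    0      0      10.0.0.5:443        203.0.113.10:51234
ESTAB    0      0      10.0.0.5:443        203.0.113.11:40021
SYN-RECV 0      0      10.0.0.5:443        198.51.100.7:4001
SYN-RECV 0      0      10.0.0.5:443        198.51.100.8:4002
SYN-RECV 0      0      10.0.0.5:443        198.51.100.9:4003
SYN-RECV 0      0      10.0.0.5:443        198.51.100.10:4004
SYN-RECV 0      0      10.0.0.5:443        198.51.100.11:4005
SYN-RECV 0      0      10.0.0.5:443        198.51.100.12:4006
"""


def parse_sockets(text):
    """Return (state, local_endpoint, peer_ip) for each socket line, skipping the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        peer_ip = peer.rsplit(":", 1)[0]  # strip the peer port
        rows.append((state, local, peer_ip))
    return rows


def half_open_summary(rows):
    """Per local listener: number of half-open (SYN-RECV) sockets and the set of peer IPs."""
    summary = {}
    for state, local, peer_ip in rows:
        if state != "SYN-RECV":
            continue
        entry = summary.setdefault(local, {"half_open": 0, "peers": set()})
        entry["half_open"] += 1
        entry["peers"].add(peer_ip)
    return summary


def syn_flood_suspects(summary, min_half_open=5, min_distinct_ratio=0.8):
    """Flag listeners whose SYN-RECV backlog is large AND comes from mostly distinct
    peers, the pattern a SYN flood with spoofed sources leaves behind. The thresholds
    are assumed defaults for this example, not values from any tool."""
    suspects = []
    for local, entry in summary.items():
        n = entry["half_open"]
        ratio = len(entry["peers"]) / n if n else 0.0
        if n >= min_half_open and ratio >= min_distinct_ratio:
            suspects.append((local, n, ratio))
    return suspects
```

On a real host the text would come from running `ss -tan` and the listener's normal SYN-RECV count should set `min_half_open`.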