DDoS attack principles and how to protect websites and games from malicious attacks
I. DDoS
DDoS is short for distributed denial of service: many DoS attack sources together attacking one server constitute a DDoS attack. In China, DDoS dates back to 1996; attacks became frequent in 2002 and had taken shape by 2003. At that time network bandwidth was generally small, attack volume did not exceed 100M, and there were almost no domestic protection methods or products. Because the attack source IPs were spoofed, the source of an attack could not be found. A site with a very good hardware configuration could be completely paralyzed by an attack of just a few megabytes per second; the destructive force was astonishing. Developing protection products requires taking over low-level control of the network stack and analyzing and processing the TCP/IP protocol, which is a high technical threshold, so at that time many domestic security vendors had no professional anti-DDoS products.
Over the years, with hackers' continuous technical accumulation, DDoS attacks have evolved into today's diverse attack landscape. The content of the attacks has changed greatly from before, and new variant attacks appear almost monthly. After years of protection experience, Safe Pass has thoroughly analyzed the attack principles. This article analyzes real attacks through cases and tries to help readers find effective solutions for their own networks.
II. Principles of DDoS attacks
We first study the most common SYN attack. A SYN attack belongs to the DoS (denial of service) family; it exploits a flaw of the TCP protocol and consumes CPU and memory resources by sending a large number of half-open connection requests. When TCP establishes a connection, both sides must confirm information with each other, to prevent the connection from being forged and to control accurately that the entire data transfer is complete and valid. So TCP creates a connection with a three-way handshake.
First handshake: to establish a connection, the client sends a SYN packet to the server, enters the SYN_SENT state, and waits for the server to confirm.
Second handshake: the server receives the SYN packet, acknowledges the client's SYN and also sends its own SYN, i.e. a SYN+ACK packet; the server now enters the SYN_RECV state.
Third handshake: the client receives the server's SYN+ACK packet and sends an ACK packet to the server; the client and server enter the ESTABLISHED state, completing the three-way handshake.
A SYN attack uses the three-way handshake principle of TCP: it sends a large number of SYN packets with spoofed source IPs, that is, it forges the first handshake packet. For each SYN packet received, the server allocates kernel memory for the connection information and puts it in the half-open connection queue. If too many SYN packets are received in a short time, the half-open queue overflows and the operating system discards the connection information, so the connection fails: when the attacking SYN packets exceed the maximum size of the half-open queue, SYN packets from normal customers requesting a connection are discarded by the server.
Each operating system has a different half-open queue size, so the ability to defend against SYN attacks is not the same. Can the half-open queue simply be made large enough that it never overflows? The answer is no. Each operating system has a way to adjust the maximum number of half-open connections in its TCP module: for example, Windows 2000 uses the registry values TcpMaxHalfOpen and TcpMaxHalfOpenRetried under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters, and Linux uses the variable tcp_max_syn_backlog to define the maximum size of the half-open queue. But every half-open connection that is created consumes the system's kernel memory. Kernel memory is provided specifically to the system kernel and cannot be swapped out to virtual memory, so it is a very scarce resource. Take Windows 2000 as an example: with 4G of physical memory the kernel memory is less than 300M, and that kernel memory is shared by all kernel modules of the system, so very little of it is available for the half-open queue.
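The following is an added example, not code from the original article: a small model of the half-open queue described above. Spoofed SYNs never complete the handshake, so each one occupies a queue slot until the server gives up on it; once the queue is full, a legitimate client's SYN is dropped as well. The queue capacity stands in for tcp_max_syn_backlog or TcpMaxHalfOpen; the 3-second hold time, the 256 bytes of kernel memory per entry, the 5,000 SYN/s rate and the client addresses are assumed values chosen for illustration.

```python
# Added example (not from the original article): model of the TCP half-open
# (SYN) queue. Assumed values: hold time, bytes per entry, rates, addresses.
from collections import deque


class HalfOpenQueue:
    def __init__(self, capacity, hold_us, bytes_per_entry=256):
        self.capacity = capacity                # maximum half-open entries (the backlog)
        self.hold_us = hold_us                  # microseconds an entry waits for the ACK (assumed)
        self.bytes_per_entry = bytes_per_entry  # kernel memory per entry (assumed)
        self.entries = deque()                  # expiry timestamps, oldest first
        self.dropped = 0
        self.peak_bytes = 0

    def expire(self, now_us):
        # Entries are appended in time order with a fixed hold time, so the
        # oldest entry is always at the front of the deque.
        while self.entries and self.entries[0] <= now_us:
            self.entries.popleft()

    def syn(self, now_us):
        """Admit a SYN; return True if it got a slot, False if it was dropped."""
        self.expire(now_us)
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return False
        self.entries.append(now_us + self.hold_us)
        self.peak_bytes = max(self.peak_bytes, len(self.entries) * self.bytes_per_entry)
        return True

    def complete(self):
        """The third handshake arrived: the newest entry leaves the queue."""
        self.entries.pop()


def simulate(capacity, syn_rate, duration_s, hold_s=3):
    """Flood the queue with syn_rate spoofed SYNs per second that never
    complete, while one legitimate client sends a SYN once per second.
    Returns (legit_accepted, legit_attempts, peak_kernel_bytes)."""
    q = HalfOpenQueue(capacity, hold_s * 1_000_000)
    step_us = 1_000_000 // syn_rate
    legit_ok = legit_total = 0
    next_legit_us = 0
    for now_us in range(0, duration_s * 1_000_000, step_us):
        if now_us >= next_legit_us:
            legit_total += 1
            if q.syn(now_us):
                q.complete()          # real client answers SYN+ACK, slot freed at once
                legit_ok += 1
            next_legit_us += 1_000_000
        q.syn(now_us)                 # spoofed source: the SYN+ACK goes nowhere
    return legit_ok, legit_total, q.peak_bytes


if __name__ == "__main__":
    for cap in (1024, 15000):
        ok, total, peak = simulate(cap, 5000, 10)
        print(f"backlog {cap:>5}: legit SYNs accepted {ok}/{total}, "
              f"peak half-open memory {peak / 1024:.0f} KiB")
```

With a backlog of 1024 the queue fills in a fraction of a second and the legitimate client only gets through in the brief moments when old entries expire; raising the backlog to rate times hold time (15,000 here) lets every legitimate SYN through, but only by pinning proportionally more kernel memory, which is the scarce resource the text describes.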
According to the Safe Pass laboratory test:
Test environment: Windows 2003 operating system, default installation
Hardware configuration: P4 3.0 (925), 1G DDR2 memory, 160GB SATA HDD
Attack strength: port 80 on the Web server receives 5,000 SYN packets per second
Test result: one minute later the site was paralyzed and web pages could not be opened.
A standard SYN packet is 64 bytes, so 5,000 attack packets per second equals 5000*64*8 (converted to bits)/1024 = 2500k, i.e. 2.5M of bandwidth. From the above experiment we see that an attack with very small bandwidth can cause great harm: it can paralyze a well-provisioned Web server with good bandwidth, and because the source IP of the attack packets is spoofed, it is difficult to trace the source of the attack. The end result is that this kind of SYN attack is flooding the internet and poses a huge threat to normal network operations.
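As an added example that is not part of the original article, the check below shows how the situation in the lab test looks from the defender's side: a SYN flood stands out in connection logs as a burst of SYNs towards one port that are almost never followed by an established connection, from a very large number of distinct (spoofed) sources. The log line format, the field names, the addresses and the thresholds are all assumptions made for this example, and the sample log is constructed inline.

```python
# Added example (not from the original article): SYN-flood detection over
# constructed connection-state log lines. Log format and thresholds are assumed.
import re
from collections import defaultdict

# Assumed log format: "<unix_ts> <src_ip> -> <dst_ip>:<dport> SYN|ESTABLISHED"
LINE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<event>SYN|ESTABLISHED)$"
)


def parse(lines):
    """Yield (timestamp, src, dport, event); lines that do not fit are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield int(m["ts"]), m["src"], int(m["dport"]), m["event"]


def syn_flood_report(lines, window_s=60, min_syn_per_s=100, max_completion_ratio=0.1):
    """Bucket events by (window, destination port). A bucket is reported when
    the SYN rate is high and almost no SYN turns into an established connection.
    Returns [(window_start, dport, syn_count, completion_ratio, distinct_sources)]."""
    buckets = defaultdict(lambda: {"syn": 0, "est": 0, "srcs": set()})
    for ts, src, dport, event in parse(lines):
        b = buckets[(ts // window_s * window_s, dport)]
        if event == "SYN":
            b["syn"] += 1
            b["srcs"].add(src)
        else:
            b["est"] += 1
    alerts = []
    for (win, dport), b in sorted(buckets.items()):
        if b["syn"] == 0:
            continue
        ratio = b["est"] / b["syn"]
        if b["syn"] / window_s >= min_syn_per_s and ratio <= max_completion_ratio:
            alerts.append((win, dport, b["syn"], round(ratio, 3), len(b["srcs"])))
    return alerts


def sample_log():
    """Constructed log: a quiet minute, then a minute in which port 80 receives
    SYNs from 12,000 distinct spoofed addresses while 30 real clients connect."""
    lines = []
    for i in range(20):  # minute 0: 20 normal connections from one address
        lines.append(f"{i * 3} 198.51.100.7 -> 203.0.113.10:80 SYN")
        lines.append(f"{i * 3} 198.51.100.7 -> 203.0.113.10:80 ESTABLISHED")
    for i in range(12000):  # minute 1: 200 spoofed SYNs per second, never completed
        spoofed = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        lines.append(f"{60 + i // 200} {spoofed} -> 203.0.113.10:80 SYN")
    for i in range(30):  # minute 1: real clients still trying to connect
        lines.append(f"{60 + i * 2} 198.51.100.{20 + i} -> 203.0.113.10:80 SYN")
        lines.append(f"{60 + i * 2} 198.51.100.{20 + i} -> 203.0.113.10:80 ESTABLISHED")
    return lines


if __name__ == "__main__":
    for win, dport, syns, ratio, srcs in syn_flood_report(sample_log()):
        print(f"window {win}s port {dport}: {syns} SYNs, completion {ratio}, "
              f"{srcs} distinct sources")
```

The completion ratio is the important signal: a legitimate traffic spike (a popular page, a flash crowd) also raises the SYN count, but most of those SYNs complete the handshake, whereas spoofed SYNs never do.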
III. The development of DDoS attacks and their trends
In recent years, because of the popularity of broadband, many Web sites began to make a profit, including many illegal websites, which led to sites attacking each other. At the same time, a number of Windows platform vulnerabilities were announced, and rogue software, viruses and Trojans flooded the network; someone with a little network knowledge can easily invade and control a large number of personal computers and launch DDoS attacks to profit from it. What is more frightening is that, driven by high profits, DDoS attacks have evolved into a very complete industrial chain, and selling DDoS attacks has become an almost semi-public business practice on the internet. The attacker first plants a Trojan on the web pages of a high-traffic website; it uses Windows platform vulnerabilities to infect people browsing the site, and once the browser is hit by the Trojan, the computer is controlled by a back-end operator and becomes a so-called "broiler" (a zombie computer). Every day someone collects "broilers" and sells them at a price of a few cents to a few yuan each, and the buyer remotely controls these zombies to attack servers. According to incomplete estimates by the authorities, this underground chain brings in illegal income of up to billions of yuan. Some people also use DDoS attacks to extort money; earlier, in a vicious DDoS extortion case handled by the Beijing Haidian police, the attacker turned out to be a regular company in Shanghai that operated a firewall business.
IV. Types of DDoS attacks
By principle, DDoS attacks are broadly divided into the following three types:
1. Sending large packets to jam the server's bandwidth, so that the server's line is paralyzed;
2. Sending special packets that make the server's TCP/IP protocol module consume CPU and memory resources until it eventually crashes;
3. Establishing a standard connection and then sending special packets that make the network service software running on the server (such as a Web server, FTP server, game server, and so on) consume CPU and memory until it eventually crashes.
The types of DDoS attacks can be categorized as follows. Since the broiler Trojan can update its attack packets and attack methods at any time, new attacks appear very quickly; here we introduce the principles and methods of several common attacks.
1. SYN variant attack
Sends SYN packets with spoofed source IPs, but the packet is not 64 bytes but thousands of bytes. This attack causes some firewalls to make processing errors and lock up, consumes the server's CPU and memory, and at the same time jams the bandwidth.
2. TCP chaotic packet attack
Sends TCP packets with spoofed source IPs whose TCP Flags field in the TCP header is chaotic: it may be SYN, ACK, SYN+ACK, SYN+RST and so on. This can cause some firewalls to make processing errors and lock up, consumes the server's CPU and memory, and also jams the bandwidth.
3. Attacks against the UDP protocol
Many chat rooms and video and audio applications transmit through UDP packets. The attacker analyzes the network software's protocol and then attacks by sending packets identical to normal data. This is very difficult to protect against: a general firewall blocks by intercepting the characteristics of the attack packets, which would cause normal packets to be intercepted too.
4. Multi-connection attacks against Web servers
A large number of broilers are controlled to connect to the site at the same time, so that the site cannot handle the load and is paralyzed. This attack looks the same as normal access to the site, but the instantaneous traffic increases by dozens or even hundreds of times. Some firewalls can protect by limiting the number of connections each IP may make, but this causes normal users who open the site a few more times to be blocked as well.
5. Variant attacks against Web servers
A large number of broilers are controlled to connect to the site at the same time; once a connection is established, the broiler keeps sending special GET requests that cause the site's database or some pages to consume a large amount of CPU. Limiting the number of connections per IP cannot prevent this, because each broiler may establish only one or a small number of connections. This attack is very difficult to protect against; we introduce the firewall solution later.
6. Variant attacks against Web servers
A large number of broilers are controlled to connect to the site's port at the same time, but instead of sending a GET request they send garbage characters. Most firewalls analyze the first three bytes of the packet, and only if they are the word GET do they go on to parse the HTTP protocol, so an attack that sends no GET request can bypass the firewall and reach the server. An ordinary server is on shared bandwidth that does not exceed 10M, so a large number of broiler attack packets jam the server's shared bandwidth and paralyze it. This is also very difficult to protect against, because simply intercepting every client packet that does not carry the GET characters would block a lot of normal users' normal packets and leave them unable to access the site. We introduce the firewall solution later.
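Items 4 to 6 above both describe the same two weaknesses of a naive filter: a hard per-IP connection limit blocks real users, and a "first three bytes are GET" test is both bypassed by garbage and, if inverted, blocks legitimate non-GET traffic. The example below is added here and is not code from the original article or from the Safe Pass product; it validates the whole HTTP request line (so POST and HEAD pass while random bytes fail) and counts requests per source over a sliding time window rather than capping concurrent connections. The traffic, addresses, method list and thresholds are all constructed assumptions.

```python
# Added example (not from the original article): request-line validation plus a
# sliding-window per-source request counter, run over constructed traffic.
import re
from collections import defaultdict, deque

# Assumed policy: a valid HTTP/1.x request line with one of these methods.
REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]{3,10}) (?P<target>/[^ \r\n]*|\*) HTTP/1\.[01]\r\n")
ALLOWED_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}


def classify_request(first_bytes):
    """Return 'http' for a well-formed request line with a known method and
    'garbage' for anything else; the whole line is checked, not just 3 bytes."""
    m = REQUEST_LINE.match(first_bytes)
    if m and m["method"] in ALLOWED_METHODS:
        return "http"
    return "garbage"


class RateWindow:
    """Sliding-window request counter per source address."""

    def __init__(self, limit, window_s):
        self.limit = limit        # requests allowed per source within the window
        self.window_s = window_s  # window length in seconds
        self.hits = defaultdict(deque)

    def allow(self, src, now):
        q = self.hits[src]
        while q and q[0] <= now - self.window_s:   # forget hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def filter_traffic(events, limit=30, window_s=10):
    """events: iterable of (time_s, src_ip, first_bytes_of_request).
    Returns one verdict per event: 'pass', 'drop:garbage' or 'drop:rate'."""
    rw = RateWindow(limit, window_s)
    verdicts = []
    for now, src, data in events:
        if classify_request(data) != "http":
            verdicts.append("drop:garbage")
        elif not rw.allow(src, now):
            verdicts.append("drop:rate")
        else:
            verdicts.append("pass")
    return verdicts


def sample_events():
    """Constructed traffic: a real user reloading a page (several connections
    at once, then a POST), a zombie that sends random bytes, and a zombie
    that sends well-formed GETs far faster than any person would."""
    events = [(0.1 * i, "198.51.100.7", b"GET /index.html HTTP/1.1\r\n") for i in range(6)]
    events.append((0.7, "198.51.100.7", b"POST /login HTTP/1.1\r\n"))
    events.append((1.0, "192.0.2.50", b"\x8f\xa2garbage\x00"))
    events += [(2.0 + 0.01 * i, "192.0.2.51", b"GET / HTTP/1.0\r\n") for i in range(40)]
    return events


if __name__ == "__main__":
    for (t, src, data), verdict in zip(sample_events(), filter_traffic(sample_events())):
        print(f"{t:5.2f}s {src:<14} {verdict}")
```

The limit of 30 requests per 10 seconds is deliberately far above what a person reloading a page generates, so the real user's seven connections pass, the garbage-sending zombie is dropped on the first byte check, and the fast GET sender is cut off once it exceeds the window budget; the request-line check also rejects a bare three-byte "GET" with nothing after it, which the naive prefix test would have accepted.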
7. Attacks against game servers
There are a lot of game servers; here we take the first and most influential one, the Legend game (Legend of Mir). The Legend game is divided into the login/registration port 7000, the character selection port 7100, and the game running ports 7200, 7300, 7400 and so on. Because the game's own protocol design is very complex, there are more than dozens of kinds of attack patterns, and new types of attacks are constantly being discovered. Here we introduce the most common one, the dummy attack: broilers simulate the game client to automatically register, log in and create characters, then enter the game and imitate normal players' activity at the data protocol level, so it is difficult to tell from the game packets which are attackers and which are normal players.