DoS attack Learning

What is DoS attack?

DOS is denial
Service. DOS refers to the defect of the intentional attack network protocol or the cruelly depletion of the resources of the attacked object through brutal means, in order to make the target computer or network unable
Provides normal service or resource access to stop or even crash the target system service system. This attack does not include intrusion into the target server or target network device. These service resources include network bandwidth and File System
System space capacity, open processes or allowed connections. This type of attack will result in a shortage of resources. No matter how fast the computer processes, how large the memory capacity is, and how fast the network bandwidth is, this attack cannot be avoided.
. You need to know that everything has a limit, so you can always find a way to make the request value greater than the limit value, so it will intentionally lead to a shortage of service resources, on the surface, it seems that service resources cannot be full.
Sufficient requirements. Therefore, do not assume that a server with sufficient bandwidth and fast enough has a high-performance website that is not afraid of DoS attacks. DoS attacks will make all resources very small.


In fact, we make an image metaphor to understand dos. Street restaurants provide catering services to the public. If a group of hooligans want to DoS restaurants, there will be a lot of means, such as occupying the dining table, not checking out, blocking meals
The door of the pavilion does not give way, and the waiters or cooks in the restaurant cannot work, or even worse ...... The corresponding computer and network system are Internet
Users provide Internet resources. If a hacker wants to launch DoS attacks, there are as many methods as possible! Today's most common DoS attacks include bandwidth attacks and connectivity attacks on computer networks. Bandwidth attack
Hitting refers to impacting the network with a great deal of traffic, so that all available network resources are exhausted, and finally legal user requests fail. A connectivity attack means that a large number of connection requests are used to impact the computer, so that all
The used operating system resources are exhausted, and the computer cannot process the requests of legal users.

What is DDoS?

Traditionally, the main problem facing attackers is network bandwidth. Due to small network scale and slow network speed restrictions, attackers cannot send too many requests. Although it is similar
Ping
The Death attack type only requires a small number of packages to destroy a UNIX system that has not been patched, but most DoS attacks still require considerable bandwidth, hackers in the unit of individuals
It is difficult to use high-bandwidth resources. To overcome this shortcoming, DOS attackers have developed distributed attacks. Attackers simply use tools to gather a lot of network bandwidth to simultaneously launch a large number of attack requests to the same target. This is a DDoS attack.

DDoS (Distributed Denial
This type of Distributed Denial of Service (DoS) attacks are exploited by hackers to intrude into and control different high-bandwidth hosts (possibly hundreds, tens of thousands of hosts)
A large number of DOS service programs are installed on them. They wait for commands from the central attack Control Center. The central attack Control Center starts the DOS service processes of all controlled hosts in a timely manner and sends them to a specific target.
As many network access requests as possible, a DOS flood hits the target system, and DoS attacks on the same website. The Attacked Target website will soon lose its response and will not
Timely handling of normal access and even system crashes. It can be seen that the biggest difference between DDoS and DOS is the large volume of human resources. DOS is a machine attack target, and DDoS is a lot of machines controlled by the central attack center.
Attackers can exploit their high-bandwidth attack targets to easily attack target websites. In addition, DDoS attacks are more automated. Attackers can install their programs on multiple machines in the network.
The attack methods are hard to be noticed by the attack object. These machines initiate attacks at the same time until the attacker sends unified attack commands. DDoS attacks are a set of DoS attacks that are centrally controlled by hackers.
Now, this method is considered to be the most effective form of attack and is very difficult to resist.

Both dos and DDoS attacks are just a hacker method that destroys network services. Although the specific implementation methods are ever-changing, they all have one thing in common, the fundamental purpose is to make the victim host or network unable to receive and process external requests in a timely manner, or to respond to external requests in a timely manner. The specific expressions are as follows:

1. creates large amounts of useless data, resulting in network congestion to the attacked host, making the attacked host unable to communicate with the outside world.

2. Use the attacked host to provide services or transport protocols to handle duplicate connection defects, repeatedly and frequently send aggressive duplicate service requests, so that the attacked host cannot process other normal requests in a timely manner.

3. using the service programs provided by the attacked host or the implementation defects of the transmission protocol itself, the attacker repeatedly sends malformed attack data, causing system errors to allocate a large number of system resources, so that the host is suspended or even crashed.

Common DoS Attacks

Denial-of-Service (DoS) attacks are a type of malicious attack that seriously harms the network. Today, representative DoS attack methods include ping of death, Teardrop, and UDP
Flood, SYN flood, Land Attack, IP spoofing dos, etc. Let's see how they are implemented.

Ping of death: ICMP (Internet Control Message
Protocol (Internet Control Information Protocol) is used for error handling and transfer control information on the Internet. One of its functions is to contact the host by sending an "echo request"
(Echo
Request) check whether the host is "alive ". The most common Ping program is this function. In the RFC documents of TCP/IP, the maximum package size is strictly limited.
The TCP/IP protocol stack of the operating system specifies ICMP.
The package size is 64 KB. After reading the title header of the package, you must generate a buffer for the payload based on the information contained in the header. "Ping of death"
This is to intentionally generate a malformed Ping (packet Internet groper) package, claiming that its size exceeds the ICMP upper limit, that is, the loaded size exceeds
The maximum size of 64kb causes memory allocation errors in the network system that has not taken protective measures. As a result, the TCP/IP protocol stack crashes and the receiver switches to the machine.

Teardrop
The information contained in the title header of the package in the fragment is used to attack itself. The IP segment contains information indicating the segment of the original package. Some TCP/IP protocol stacks (such as NT
Before Service Pack 4), the system crashes when it receives forged segments with overlapping offsets.

UDP flood (UDP flood)
: UDP (user data packet Protocol) is widely used on the Internet. Many service devices that provide services such as WWW and mail usually use Unix servers.
Malicious exploitation of the UDP Service by hackers. For example, the echo service displays each received packet, while the chargen service originally used as a test function randomly reports some characters when receiving each packet. UDP flood counterfeit attack is to use these two simple TCP/IP service vulnerabilities for malicious attacks by forging chargen with a host
A udp connection between services. The reply address points to a host with the echo service enabled.
The echo service transmits useless and full-bandwidth junk data back and forth, and generates enough useless data streams between the two hosts, this denial-of-service attack quickly consumes the available bandwidth of the network.

SYN Flood (SYN flood): We know that when a user performs a standard TCP (Transmission Control)
Protocol) a three-way handshake is performed during the connection. First, request the service provider to send a SYN (synchronize Sequence
Number) message, the Service side receives the SYN, will send a SYN-ACK to the request side to confirm, when the request side receives the SYN-ACK, again to the Service side to send an ACK message,
The TCP connection is successfully established. "Syn
Flooding is a DoS attack on the TCP protocol stack during the initialization of the handshake between the two hosts. in the implementation process, only the first two steps are performed: when the service provider receives
After the SYN-ACK confirms the message, the requester uses Source Address Spoofing and other means to make the service side unable to receive the ACK response, so the Service side will wait for a certain period of time to receive the request ACK message. While
For a server, the available TCP connections are limited because they only have limited memory buffers used to create connections. If the buffer zone is filled with initial information of a false connection, the server will be connected
The connection stops responding until the connection attempt in the buffer zone times out. If a malicious attacker rapidly sends such connection requests consecutively, the available TCP connection queue of the server will soon be blocked and the system will have available resources.
A sharp decrease in network bandwidth and a rapid reduction in available bandwidth. In the long run, the server will not be able to provide normal and legal services to users except for the requests of a few lucky users that can be responded to between a large number of fake requests.

Land Attack: In a land attack, hackers use a specially crafted SYN
Package -- both its original address and target address are set as a server address for attack. This will cause the receiving server to send a SYN-ACK message to its own address, and the address is returned again
ACK message and create an empty connection. Every such connection will be retained until timeout. In the Land Attack, many UNIX will crash, NT
Very slow (lasting about five minutes ).

IP spoofing DoS Attacks: these attacks are implemented using the RST bit of the TCP protocol stack. IP spoofing forces the server to reset the connection of Valid users and affect the connection of Valid users. Assume that a valid user (100.100.100.100) has established a normal connection with the server. Attackers construct the TCP data of the attack and disguise their IP address
100.100.100.100, and sends a TCP Data Segment with RST bits to the server. After receiving such data, the server considers that the data is sent from 100.100.100.100
If there is an error in the connection, the established connections in the buffer will be cleared. At this time, the legitimate user 100.100.100.100 and then send valid data, the server has no such connection, the user is denied service and can only start a new connection.

Common DDoS attacks

Smurf, Fraggle attack, Trinoo, Tribe Flood
Network (TFN), TFN2k, and Stacheldraht are common DDoS attack programs. Let's look at their principles and their attack ideas are similar.

Smurf attack: Smurf is a simple but effective DDoS attack.
In terms of attack technology, smurf still uses the Ping program to launch attacks by directly broadcasting fake source IP addresses. Information can be broadcast on the Internet through certain means (through broadcast addresses or other machines
To the machine in the network. When a machine uses a broadcast address to send an ICMP Echo Request Packet (for example, Ping), some systems will respond to an ICMP
Echo response package, so that a packet will receive many response packages. Smurf attacks are carried out using this principle, and it also requires a fake source address. That is to say, the source address sent by Smurf in the network is the host address to be attacked, and the destination address is the ICMP address of the broadcast address.
The echo request packet allows many systems to respond and send a large amount of information to the attacked host at the same time (because the address is spoofed by attackers ). Smurf uses a forged source address to continuously ping one or more computer networks, which leads to the host address responded by all computers not the attack computer that actually sent the information package. This spoofed source address is actually the target of the attack. It will be overwhelmed by a large amount of response information. The computer network responding to the counterfeit information package becomes an uninformed accomplice to the attack. A simple Smurf
The attack will eventually cause network congestion and third-party crash. This attack is more effective than ping of death.
The flood traffic is one or two orders of magnitude higher. This method of sending a packet using the network and receiving a large number of responses is also called smurf "amplification ".

Fraggle attack: the Fraggle attack makes a simple modification to the Smurf attack, using UDP to respond to messages rather than ICMP.

"Trinoo" attack: Trinoo is a complex DDoS attack program based on UDP
Flood attack software. It uses the "master" program to automatically control any number of "proxies" that actually launch attacks. Of course, before the attack, the attacker has been controlled to install software.
Computers with master programs and all computers with proxies. The attacker connects to the computer where the master program is installed, starts the master program, and then
The master program is responsible for starting all the proxies. Next, the proxy program uses UDP
An information packet impacts the network and sends a zero-byte 4-byte UDP packet to the random port of the target host. When these packets exceed the processing capability, the network performance of the attacked host is constantly decreasing.
It cannot provide normal services or even crash. It does not fake IP addresses, so this attack method is not used much.

"Tribal Flood Network" and "TFN2k" attack: Tribe Flood
Like Trinoo, the network uses a master program to communicate with attack agents on multiple networks, and uses ICMP to run commands on the proxy server. The source can be fake.
TFN can launch countless DoS attacks in parallel in a variety of types. It can also create information packages with disguised source IP addresses. Attacks that can be initiated by TFN include SYN
Flood, UDP
Flood, ICMP echo request flood, smurf (using multiple servers to send massive data packets, DoS attacks) and other attacks. TFN2k
Data Packet Encryption makes it harder to query command content. The command source can be fake, and a backdoor is used to control the proxy server.

"Stacheldraht" attack: Stacheldraht is also based on the same Client/Server mode as TFN and Trinoo, in which the master program and potential thousands
Agent programs. When an attack is initiated, the attacker connects to the master program. Stacheldraht adds a new feature: the communication between attackers and the master program is
Encrypted, the command source is fake, and some routers can use rfc2267 to filter out. If a filter is detected, it only performs the last eight digits of the false IP address, this makes it hard for users to know what it is.
Which machine of the CIDR block is under attack. At the same time, RCP (Remote copy) technology is used to automatically update the agent. Stacheldraht
Similar to TFN, You can launch countless DoS attacks in parallel in a variety of types. You can also create information packages with disguised source IP addresses. Attacks initiated by Stacheldraht include
UDP, tcp syn, and ICMP echo.

How to Prevent DoS/DDoS attacks

Since the birth of the Internet, DoS attacks have been constantly developing and upgrading along with the development of the Internet. It is worth mentioning that it is not difficult to find dos tools. The network communities in which hackers reside share the tradition of hacking software and share their experiences in attacks, you can easily obtain these tools from the Internet. As mentioned above, these DoS attack software can be freely found on the Internet. Therefore, any netman may pose a potential threat to network security. DoS attacks pose a major threat to the rapidly developing security of interconnected networks. However, to some extent
That is, DoS attacks will never disappear and there is no fundamental technical solution at present.

In the face of the fierce DoS attack, how should we deal with hacker attacks at any time? Let's first summarize the technical issues that cause DoS attack threats. DoS attacks are caused by the following reasons:

1. software vulnerabilities are security-related system defects contained in operating systems or applications. These defects are mostly caused by incorrect programming and careless source code reviews, unintentional secondary effect or some inappropriate binding
. Because the software used is almost completely dependent on the developer, the vulnerability caused by the software can only be patched to install hot fixes and services.
Packs. When an application is found to have a vulnerability, the developers immediately release an updated version to fix the vulnerability. DoS attacks caused by defects inherent in the development protocol can be compensated by simple patches.

2. misconfiguration will also become a security risk for the system. These misconfigurations usually occur on hardware devices, systems, or applications, most of which are caused by inexperienced, unaccountable employees, or incorrect theories. If you correctly configure the routers, firewalls, switches, and other network connection devices in the network, the possibility of these errors will be reduced. If this vulnerability is discovered, consult a professional technician.
To fix these problems.

3. Overload Denial of Service attacks caused by repeated requests. A denial of service (DoS) attack is triggered when repeated requests to resources greatly exceed the payment capability of resources (for example, excessive requests to fully loaded web servers overload them ).

To prevent the system from DoS attacks, from the past two points, the network administrator should actively and cautiously maintain the system to ensure no security risks and vulnerabilities; for the third-point malicious attack method, you need to install firewall and other security devices to filter out DoS attacks. At the same time, it is strongly recommended that the network administrator check the logs of security devices on a regular basis to detect security threats to the system in a timely manner.

3Com is a comprehensive provider of Enterprise Network Solutions, designed to provide enterprise users with "Rich, simple, flexible, * high performance and price ratio" network solutions. Internet support engineer
Is one of the main solutions, including SuperStack 3 firewall, Web Cache and server load
Balancer. Not only is it 3Com SuperStack 3 of the security gateway device
The firewall can detect and prevent Dos and distributed denial of service (DDoS) attacks by default under pre-configuration, and effectively protect your network, protect you from unauthorized access and
Other external threats and attacks from the Internet, and 3Com SuperStack 3 server load
While providing layer-4-7 load balancing with multi-server hardware line speeds, balancer can also protect all servers from DoS attacks. Similarly, 3Com
SuperStack 3 Web Cache provides efficient local cache for enterprises, while protecting itself from DoS Attacks