How to prevent several distributed attacks

Source: Internet
Author: User

Source: www.hackbase.com
Denial-of-Service (DoS) attacks exploit a class of system weaknesses found all over the world. Attackers study them obsessively, and countless network users end up as their victims. Tribe Flood Network, tfn2k, smurf, targa... and many other tools are constantly being developed. These programs spread across networks like a plague, weakening every community they touch, so we need a simple, easy-to-use security solution to cope with such attacks.

As defensive methods have improved, denial-of-service (DoS) attacks have kept evolving. Tribe Flood Network (tfn) and tfn2k introduced a new concept: distribution. These programs let machines scattered across the Internet attack a single host, so that the host appears to be attacked by many hosts in many different locations. The scattered machines are controlled by a few master machines and can carry out several types of attack, such as UDP floods and SYN floods.

Defects in operating systems and network devices are constantly being discovered and exploited by attackers. Knowing this, we should take the following two steps to protect our network:

Fix known problems and system vulnerabilities as far as possible.

Identify, track, or deny access from the troublesome machines or networks.

Let us look at the second point first. The main problem we face is identifying the hosts that are attacking us, especially those using denial-of-service attacks, because these machines hide their own addresses and the attacker may exploit other addresses as well: the packets that hit our host carry counterfeit source addresses. The principle of tfn2k is as simple as described above; the tool merely provides an interface to it. If you are under a distributed denial-of-service attack, it is genuinely difficult to handle.

There are some simple ways to prevent denial-of-service attacks. The most common, of course, is to keep up with security information so that you learn the best methods as they appear; administrators should subscribe to security bulletins and follow the development of every security issue as it happens. :) The second step is packet filtering, applied mainly to the open ports. These filters are chiefly meant to stop attacks that use forged addresses, so that an external machine cannot impersonate the address of an internal machine in order to attack the internal network.

There is a long-running debate about whether to filter packets on the inside or on the outside. RFC 2267 recommends applying the filter on the inside of the global Internet connection, but this causes considerable trouble: an access control list on a mid-level router is not much of a burden, but a fully loaded backbone router may be seriously affected. On the other hand, if the ISP filters on the outside, the overload is shifted onto some less busy devices. ISPs do not care whether customers apply this technique on their VBRs. Of course, this filtering is not foolproof; its value depends on the filtering mechanism the administrators adopt.

1. ICMP protection measures

ICMP was originally developed to "help" networks and is often used as a diagnostic tool by WAN administrators. Today, however, a variety of ICMP abuses stray far from the original RFC 792 standard, so certain policies should be put in place to make it safer.

Inbound ICMP Timestamp and Information Request packets will receive a response. Forged packets with invalid or bad parameters can also elicit ICMP Parameter Problem packets, which gives yet another way of discovering hosts. This prevents the site from being properly protected.

A common method of covertly passing commands from a master to its clients is to use ICMP Echo Reply packets as the carrier: an echo reply is itself never answered, and it is generally not blocked by the firewall.

First, we must handle the whole problem of "limiting ICMP" for both outbound and inbound traffic. ICMP Echo is a convenient way to check remote machines, but outbound ICMP Echo should be restricted to individual hosts or to a single server/ICMP proxy (the preferred option).

If we restrict outbound ICMP Echo to a single external-facing IP address (via the proxy), then ICMP Echo Replies can only enter our network towards that pre-defined host.

Redirects are normally exchanged between routers, not between hosts. The firewall rules should be adjusted so that this type of ICMP is permitted only between the routers on the Internet connection that actually need the information.

It is recommended that all outbound traffic go through the proxy, so that ICMP coming back to the proxy address passes through the firewall. This at least confines ICMP Time Exceeded packets to a single internal address, although it may block some of them.

When a packet arrives with an incorrect parameter, the receiving host or router discards it and sends an ICMP Parameter Problem packet back to the sender, indicating the bad parameter.

In general, only public IP servers (such as Web, mail and FTP servers), firewalls and routers connected to the Internet have a genuine reason to use ICMP to communicate with the outside world. With the rules tuned appropriately, all hidden communication channels that ride on inbound and outbound ICMP will be cut off.
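To make the rules of this section concrete, here is an added example (not part of the original article) that encodes them as a small policy function and audits a handful of constructed ICMP packets against it. The addresses, the proxy host, the router pair and the packet list are all assumptions made for the example; the ICMP type numbers are the ones assigned in RFC 792. Destination Unreachable is not discussed above and is left open here because Path MTU Discovery depends on it.

```python
# ICMP type numbers as assigned in RFC 792
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST = 0, 3, 5, 8
TIME_EXCEEDED, PARAM_PROBLEM, TIMESTAMP, INFO_REQUEST = 11, 12, 13, 15

# Assumed topology (constructed for this example)
ICMP_PROXY = "192.0.2.20"                     # the one host allowed to send echo outward
EDGE_ROUTERS = {"192.0.2.1", "198.51.100.1"}  # both ends of the Internet link


def icmp_verdict(direction, icmp_type, src, dst):
    """Return 'allow' or 'deny' for one ICMP packet.

    direction is 'in' (from the Internet into our network) or 'out'.
    The branches follow the rules of section 1 above."""
    if icmp_type in (TIMESTAMP, INFO_REQUEST):
        # inbound Timestamp / Information Requests only serve host discovery
        return "deny" if direction == "in" else "allow"
    if icmp_type == ECHO_REQUEST:
        # outbound echo only from the proxy; no inbound echo at all
        return "allow" if direction == "out" and src == ICMP_PROXY else "deny"
    if icmp_type == ECHO_REPLY:
        # replies may only come back to the proxy (this also kills echo-reply carriers)
        return "allow" if direction == "in" and dst == ICMP_PROXY else "deny"
    if icmp_type == REDIRECT:
        # redirects belong between the routers on the link, never to hosts
        return "allow" if src in EDGE_ROUTERS and dst in EDGE_ROUTERS else "deny"
    if icmp_type in (TIME_EXCEEDED, PARAM_PROBLEM):
        # error reports for our outbound traffic return to the proxy address only
        return "allow" if direction == "in" and dst == ICMP_PROXY else "deny"
    if icmp_type == DEST_UNREACH:
        # not covered by the article; kept open because Path MTU Discovery needs it
        return "allow"
    return "deny"  # anything else is denied by default


SAMPLE_PACKETS = [  # constructed: (direction, type, src, dst)
    ("out", ECHO_REQUEST, "192.0.2.20", "203.0.113.5"),    # proxy pings outward: allow
    ("out", ECHO_REQUEST, "192.0.2.77", "203.0.113.5"),    # workstation pings outward: deny
    ("in", ECHO_REPLY, "203.0.113.5", "192.0.2.20"),       # reply to the proxy: allow
    ("in", ECHO_REPLY, "203.0.113.5", "192.0.2.77"),       # unsolicited reply to a host: deny
    ("in", TIMESTAMP, "203.0.113.5", "192.0.2.10"),        # timestamp probe: deny
    ("in", REDIRECT, "198.51.100.1", "192.0.2.1"),         # router to router: allow
    ("in", REDIRECT, "198.51.100.1", "192.0.2.77"),        # router to host: deny
    ("in", TIME_EXCEEDED, "198.51.100.9", "192.0.2.77"),   # time exceeded to a host: deny
]


def audit(packets=SAMPLE_PACKETS):
    """Run packets through the policy; return a list of (packet, verdict)."""
    return [(p, icmp_verdict(*p)) for p in packets]


def summary(packets=SAMPLE_PACKETS):
    """Return (allowed, denied) counts for the packet list."""
    verdicts = [v for _, v in audit(packets)]
    return verdicts.count("allow"), verdicts.count("deny")


if __name__ == "__main__":
    for packet, verdict in audit():
        print(f"{verdict:5}  {packet}")
```

Running the audit on the constructed packets allows three and denies five; the two redirect cases show why the rule keys on both endpoints rather than on the source alone.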

2. SYN Flood Prevention

SYN Flood is one of the most popular DoS (Denial of Service) and DDoS (Distributed Denial of Service) methods: it sends a large number of forged TCP connection requests so that the victim's resources are exhausted (the CPU is saturated or memory runs out). There is no good way to monitor and defend against SYN Flood attacks, but if the system administrator is familiar with the attack method and the system architecture, the load on the attacked system can still be reduced to some extent and the damage limited.

Generally, if a system (or host) suddenly shows a higher load or even stops responding, and the Netstat command shows a large number of SYN_RCVD half-connections (more than 500, or more than 10% of the total connections), it can be concluded that the system (or host) is under SYN Flood attack. After a SYN Flood attack, the first thing to do is collect evidence: use netstat -n -p tcp > result.txt to record the state of all current TCP connections. If a sniffer, TcpDump or a similar tool is available, recording all the details of the TCP SYN packets will also help with later tracing and defense. The fields to record are the source address, the ID in the IP header, the sequence number in the TCP header, and the TTL value; although all of these may be forged by the attacker, they help to analyze the attacker's mindset and the program being used. The TTL value is particularly useful: if a large number of attack packets appear to come from different IP addresses but carry the same TTL value, we can often deduce the distance between the attacker and our router, and at the very least the load on the attacked system can be reduced by filtering packets with that specific TTL value (in which case users whose packets carry a different TTL than the attack packets can resume normal access). From the defender's point of view, there are several simple solutions:
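The two checks described above, the netstat half-connection count and the TTL analysis of captured SYN packets, are implemented below as an added example; this is not code from the original article. The netstat and tcpdump text it parses is constructed for the example (Windows-style netstat columns, and tcpdump's -v layout in which each packet's IP header line is followed by an indented TCP line), and the addresses and thresholds are assumptions, with the 500 / 10% rule taken from the text above.

```python
import re
from collections import defaultdict

# Constructed sample of "netstat -n -p tcp" output (Windows layout; Linux and BSD
# rows carry Recv-Q/Send-Q columns as well, but the state is still the last field).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:80          198.51.100.7:51234     ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.8:51240     ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.9:51301     TIME_WAIT
  TCP    192.0.2.10:80          203.0.113.41:40001     SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.42:40002     SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.43:40003     SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.44:40004     SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.45:40005     SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.46:40006     SYN_RECEIVED
"""

# Constructed sample of "tcpdump -n -v 'tcp[tcpflags] & tcp-syn != 0'" output.
TCPDUMP_SAMPLE = """\
12:00:00.000101 IP (tos 0x0, ttl 53, id 1, offset 0, flags [none], proto TCP (6), length 40)
    203.0.113.41.40001 > 192.0.2.10.80: Flags [S], cksum 0x1a2b (correct), seq 1000, win 512, length 0
12:00:00.000202 IP (tos 0x0, ttl 53, id 2, offset 0, flags [none], proto TCP (6), length 40)
    203.0.113.42.40002 > 192.0.2.10.80: Flags [S], cksum 0x1a2c (correct), seq 1001, win 512, length 0
12:00:00.000303 IP (tos 0x0, ttl 53, id 3, offset 0, flags [none], proto TCP (6), length 40)
    203.0.113.43.40003 > 192.0.2.10.80: Flags [S], cksum 0x1a2d (correct), seq 1002, win 512, length 0
12:00:00.000404 IP (tos 0x0, ttl 118, id 40321, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.7.51234 > 192.0.2.10.80: Flags [S], cksum 0x9f00 (correct), seq 88411, win 29200, length 0
"""

HALF_OPEN_STATES = {"SYN_RCVD", "SYN_RECV", "SYN_RECEIVED"}  # BSD / Linux / Windows spellings


def half_open_stats(netstat_output, abs_limit=500, ratio_limit=0.10):
    """Count SYN half-connections in netstat output and apply the article's rule:
    more than 500 of them, or more than 10% of all connections, means a SYN flood."""
    half_open = total = 0
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].upper().startswith("TCP"):
            continue
        state = fields[-1]
        if state in ("LISTEN", "LISTENING"):
            continue  # listening sockets are not connections
        total += 1
        if state in HALF_OPEN_STATES:
            half_open += 1
    ratio = half_open / total if total else 0.0
    return {"half_open": half_open, "total": total, "ratio": round(ratio, 3),
            "flood": half_open > abs_limit or ratio > ratio_limit}


HDR_RE = re.compile(r"IP \(tos \S+, ttl (\d+), id (\d+),")
SYN_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > ([\d.]+)\.(\d+): Flags \[S\],.*?seq (\d+)")


def syn_records(tcpdump_output):
    """Pair each IP header line with its TCP line and keep the fields the article
    says to record: source address, IP ID, TCP sequence number and TTL."""
    records, header = [], None
    for line in tcpdump_output.splitlines():
        if "IP (" in line:
            header = HDR_RE.search(line)
        elif header and line[:1].isspace():
            syn = SYN_RE.search(line)
            if syn:
                records.append({"src": syn.group(1), "ttl": int(header.group(1)),
                                "ip_id": int(header.group(2)), "seq": int(syn.group(5))})
            header = None
    return records


def ttl_profile(tcpdump_output):
    """Map each TTL to the number of distinct source addresses seen with it.
    Many 'different' sources sharing one TTL is the article's hint of a single
    spoofing sender at a fixed hop distance, and that TTL is its filter key."""
    sources = defaultdict(set)
    for rec in syn_records(tcpdump_output):
        sources[rec["ttl"]].add(rec["src"])
    return {ttl: len(s) for ttl, s in sources.items()}


def suspect_ttl(tcpdump_output, min_sources=3):
    """Return the TTL shared by at least min_sources distinct sources, else None."""
    profile = ttl_profile(tcpdump_output)
    best = max(profile, key=profile.get, default=None)
    return best if best is not None and profile[best] >= min_sources else None


if __name__ == "__main__":
    print(half_open_stats(NETSTAT_SAMPLE))
    print(ttl_profile(TCPDUMP_SAMPLE), "suspect TTL:", suspect_ttl(TCPDUMP_SAMPLE))
```

On the constructed sample, six of nine connections are half-open (well above the 10% mark even though far below 500), and three "different" sources all arrive with TTL 53 while the one legitimate client has TTL 118, which is exactly the pattern the text suggests filtering on. A TTL filter is a blunt instrument, so the min_sources threshold should be set from real traffic before acting on it.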

2.1 Shorten the SYN timeout: the effect of a SYN Flood attack depends on the number of SYN half-connections the server has to maintain, and that number = SYN attack frequency x SYN timeout. Shortening the time from receiving a SYN packet to deciding the connection is invalid and discarding it, for example to less than 20 seconds (too low a SYN timeout may affect normal client access), therefore reduces the load on the server several times over.

2.2 Set a SYN cookie: a cookie is assigned to the IP address of every connection request. If the same IP address sends requests repeatedly within a short period, it is judged to be attacking and its subsequent packets are discarded. However, these two methods only cope with relatively primitive SYN Flood attacks: shortening the SYN timeout only works when the attacker's sending rate is not high, and the SYN cookie depends on the attacker using real IP addresses. If an attacker sends SYN packets at tens of thousands per second and uses SOCK_RAW to randomly rewrite the source address of each IP packet, both methods are useless.
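The per-address "cookie" of section 2.2 is really a per-source rate limiter, and the example below (added here; not code from the original article) implements it and then shows the failure mode the text names: the limiter stops a flood from one real address, but a flood in which every SYN carries a different forged source passes straight through. The limits, window and the two constructed packet streams are assumptions for the example. Note that the SYN cookie mechanism in modern kernels (RFC 4987; net.ipv4.tcp_syncookies on Linux) is a different technique: it encodes the half-open state into the server's initial sequence number so that no backlog entry is held at all, which is precisely why it survives randomised sources.

```python
import ipaddress
import random
from collections import defaultdict, deque


class PerSourceSynLimiter:
    """The per-address 'cookie' of section 2.2: remember recent SYN arrival times
    per source IP and blacklist any source that sends more than `limit` SYNs
    within `window` seconds. (Constructed illustration; limits are assumptions.)"""

    def __init__(self, limit=5, window=1.0):
        self.limit = limit
        self.window = window
        self.recent = defaultdict(deque)   # src -> arrival times inside the window
        self.blocked = set()

    def admit(self, now, src):
        """Return True if the SYN from `src` at time `now` may enter the backlog."""
        if src in self.blocked:
            return False
        q = self.recent[src]
        q.append(now)
        while q and now - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) > self.limit:
            self.blocked.add(src)               # too many SYNs: drop this source from now on
            del self.recent[src]
            return False
        return True


def run(limiter, packets):
    """Feed (time, src) pairs through the limiter; return (accepted, dropped)."""
    accepted = sum(1 for t, src in packets if limiter.admit(t, src))
    return accepted, len(packets) - accepted


def single_source_flood(n=1000):
    """Constructed: n SYNs within one second, all bearing one real source address."""
    return [(i / n, "203.0.113.9") for i in range(n)]


def spoofed_flood(n=1000, seed=7):
    """Constructed: n SYNs within one second, each bearing a different forged
    source address, the situation the text describes for a SOCK_RAW sender."""
    rng = random.Random(seed)
    addrs = rng.sample(range(2 ** 32), n)   # n distinct 32-bit addresses
    return [(i / n, str(ipaddress.IPv4Address(a))) for i, a in enumerate(addrs)]


if __name__ == "__main__":
    print("one real source :", run(PerSourceSynLimiter(), single_source_flood()))
    print("spoofed sources :", run(PerSourceSynLimiter(), spoofed_flood()))
```

With the default limit of five SYNs per second, the single-source flood gets five packets through and loses the other 995, while the spoofed flood gets all 1000 through: the limiter never sees a repeat address, so it never triggers. Per-source limiting is still worth keeping against unsophisticated tools; it just cannot be the only defence.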

2.3 Negative feedback policy: consider the SYN attack protection mechanism of a popular operating system such as Windows 2000. Normally the OS uses general settings for the important TCP connection parameters: the SYN timeout, the number of SYN-ACK retries, the delay in passing SYN packets from the router through the system to Winsock, and so on. These settings are tuned for the system and give users convenient, fast service. Once the server is attacked and the number of SYN half-connections exceeds the system's maximum number of active TCP half-connections, the system concludes that it is under SYN Flood attack and responds according to that judgement: it shortens the SYN timeout, reduces the number of SYN-ACK retries, automatically delays packets in the buffer, and so on, to minimize the damage. If the attack continues and exceeds the maximum half-connection value the system allows, the system can no longer provide normal service; to keep it from crashing, any SYN packet beyond the maximum half-connection value can be randomly discarded to preserve stability.

Therefore, you can measure or predict in advance the maximum number of active half-connections on the host during peak hours, use it as the reference for the maximum number of active TCP half-connections, and then set the maximum TCP half-connection value to a multiple of it (not more than 2x). In this way the SYN attack is blocked to some degree by negative feedback.
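The arithmetic of section 2.1 (half-connections = SYN rate x SYN timeout) and the negative-feedback policy of section 2.3 are put together in the toy model below, which is an added example and not code from the original article or from any operating system. The timeout values, the feedback threshold and the hard maximum are assumptions chosen for the model, not any OS's real defaults; the 2x sizing rule comes from the text above.

```python
def expected_half_open(syn_rate, syn_timeout):
    """Steady-state size of the half-connection table, the article's formula:
    SYN rate (packets per second) x SYN timeout (seconds)."""
    return syn_rate * syn_timeout


def half_open_ceiling(peak_half_open, factor=2):
    """Section 2.3's sizing rule: set the maximum at a multiple (at most 2x) of
    the peak number of half-connections measured during normal busy hours."""
    return peak_half_open * min(factor, 2)


class SynBacklog:
    """Toy model of the SYN half-connection table with the negative-feedback
    policy of section 2.3. Parameter values are assumptions for the model."""

    def __init__(self, normal_timeout=75.0, reduced_timeout=20.0,
                 feedback_threshold=1000, hard_max=2000):
        self.normal_timeout = normal_timeout
        self.reduced_timeout = reduced_timeout
        self.feedback_threshold = feedback_threshold
        self.hard_max = hard_max
        self.timeout = normal_timeout
        self.expiries = []        # expiry time of each half-open connection
        self.dropped = 0

    def tick(self, now, syn_arrivals):
        """Advance to time `now`, receive `syn_arrivals` SYNs; return table size."""
        self.expiries = [t for t in self.expiries if t > now]   # timed-out entries leave
        under_attack = len(self.expiries) > self.feedback_threshold
        # negative feedback: while the table is above the threshold, new entries
        # get the shortened timeout (a real OS also cuts the SYN-ACK retries)
        self.timeout = self.reduced_timeout if under_attack else self.normal_timeout
        for _ in range(syn_arrivals):
            if len(self.expiries) >= self.hard_max:
                self.dropped += 1          # beyond the hard maximum, excess SYNs are discarded
            else:
                self.expiries.append(now + self.timeout)
        return len(self.expiries)


def simulate(syn_rate, seconds, **params):
    """Drive the model at a constant SYN rate, one tick per second.
    Returns (peak table size, SYNs dropped, timeout in force at the end)."""
    table = SynBacklog(**params)
    peak = 0
    for second in range(seconds):
        peak = max(peak, table.tick(float(second), syn_rate))
    return peak, table.dropped, table.timeout


if __name__ == "__main__":
    print("100 SYN/s at 75 s timeout ->", expected_half_open(100, 75), "half-open")
    print("100 SYN/s at 20 s timeout ->", expected_half_open(100, 20), "half-open")
    print("ceiling for a measured peak of 800:", half_open_ceiling(800))
    print("quiet host  (10 SYN/s, 60 s):", simulate(10, 60))
    print("flooded host (100 SYN/s, 60 s):", simulate(100, 60))
```

At 100 SYN/s the 75-second timeout would let the table grow towards 7500 entries; the feedback cuts the timeout to 20 seconds once the threshold is crossed, and the hard maximum of 2000 caps the table, after which every surplus SYN is dropped rather than allowed to exhaust memory. At 10 SYN/s the table never passes the threshold, so the normal timeout stays in force and nothing is dropped.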

2.4 Concession policy: the concession policy exploits a flaw in SYN Flood attack code. Let us look at the attack process again. A SYN Flood program works in one of two modes, IP-based or domain-name-based. In the former, the attacker resolves the domain name and passes the IP address to the attack program; in the latter, the program resolves the name itself. Either way, once the attack starts no further domain name resolution is performed. That is our starting point: if a server quickly changes its IP address after being hit by a SYN Flood, the attacker keeps attacking an empty IP address with no host behind it, and as long as the defender updates the DNS record to the new IP address, users regain normal access through the domain name within a short time (depending on the DNS refresh time). To confuse attackers, we can even leave a "sacrificial" server in place to satisfy them with the "effect" of the attack (as long as the attacker's browser, because of DNS caching, still goes to the original IP address).

2.5 Distributed DNS load balancing: in many load-balancing architectures, load balancing based on DNS resolution has some built-in immunity to SYN Flood. It distributes users' requests across server hosts with different IP addresses, so an attacker only ever hits one server, which raises the attacker's cost; second, the excessive DNS requests can help us trace the attacker's real footprints (unlike SYN attacks, DNS requests need the reply to come back, so the IP address is hard to disguise).

2.6 Firewall QoS: how a firewall defends against SYN Flood depends on the basic principle of the firewall. A firewall generally works either at the TCP layer or below the IP layer; one working at the TCP layer is called a gateway-based firewall. In a gateway-based firewall deployment there is no real TCP connection between the client and the server: all data exchange between them passes through the firewall proxy, and external DNS resolution also points at the firewall. So if the site is attacked, it is the firewall that actually absorbs the attack.
