The principle of DDoS attacks and how hackers carry them out
DDoS is short for Distributed Denial of Service. DDoS attacks are commonly called flood attacks.
With the growth of Internet bandwidth and the steady release of new DDoS attack tools, DDoS attacks have become easier to launch and are on the rise. Driven by business competition, retaliation, online extortion, and similar motives, many network service providers (IDC hosting facilities, commercial sites, game servers, chat networks) have long been plagued by DDoS attacks, with customer complaints, friction with co-hosted customers, legal disputes, and business losses as the consequences. Defending against DDoS attacks has therefore become a top priority for network service providers.
How do I know whether a host is under DDoS attack?
There are two main types of DDoS attack. The first is the traffic (bandwidth) attack, aimed at the network link: a large volume of attack packets saturates the bandwidth, so legitimate packets are drowned out by the bogus ones and never reach the host. The second is the resource exhaustion attack, aimed at the server itself: the flood of attack packets exhausts the host's memory or keeps the kernel and applications at 100% CPU, so the host can no longer provide network services.
How can you tell whether a website is under a traffic attack? Ping the host. If pings time out or show heavy packet loss (assuming they are normally fine), the host may be under a traffic attack; if other servers connected to the same switch as your host also cannot be reached, you can be fairly sure that it is. This test assumes that ICMP between you and the server is not blocked by routers, firewalls, or other devices; if it is, telnet to one of the host's service ports instead and apply the same reasoning. In any case, if pings to your host and to the other hosts on the same switch are normally fine and suddenly fail or suffer heavy packet loss, and a network fault can be ruled out, you are under a traffic attack. Another typical symptom of a traffic attack is that remote connections to the website server fail.
Compared with traffic attacks, resource exhaustion attacks are easier to recognise. If the website host still answers pings but the website itself is very slow or unreachable, a resource exhaustion attack is likely. Running netstat -na on the server at that point and seeing a large number of sockets in SYN_RECEIVED (SYN_RECV on Linux), TIME_WAIT, FIN_WAIT_1, and similar states, with only a few in ESTABLISHED, confirms it. A second form of resource exhaustion looks like this: pings to your website host fail or lose many packets while pings to the server on the same switch are normal. This happens because once the host is under attack and CPU usage reaches 100%, the kernel or some applications can no longer answer ping. The bandwidth is in fact still available, otherwise the host on the same switch could not be pinged either.
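The triage procedure described above, as an added Python example that is not part of the original article: it parses netstat -na output into per-state counts and applies the article's decision rules to the ping and service observations. Both netstat samples, the state-name aliases, and the thresholds min_waiting and ratio are constructed for illustration; the thresholds are assumed starting points that must be tuned against the server's normal connection profile.

```python
from collections import Counter

# Constructed sample of `netstat -na` output from a Linux web server during a
# SYN flood: many half-open sockets, few completed connections. Not a real capture.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:40122      ESTABLISHED
tcp        0      0 203.0.113.10:22         198.51.100.9:55010      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.15:51001        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.16:51002        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.17:51003        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.18:51004        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.19:51005        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.20:51006        SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.21:51007        TIME_WAIT
tcp        0      0 203.0.113.10:80         192.0.2.22:51008        FIN_WAIT1
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Constructed Windows `netstat -na` fragment; Windows spells some states differently.
SAMPLE_NETSTAT_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            192.0.2.3:4444         SYN_RECEIVED
  TCP    10.0.0.5:80            192.0.2.4:4445         SYN_RECEIVED
  TCP    10.0.0.5:80            198.51.100.2:3389      ESTABLISHED
"""

# Map platform-specific spellings onto the state names used in the article.
STATE_ALIASES = {
    "SYN_RECV": "SYN_RECEIVED",
    "FIN_WAIT1": "FIN_WAIT_1",
    "FIN_WAIT2": "FIN_WAIT_2",
    "LISTENING": "LISTEN",
}

# Socket states that pile up under a resource exhaustion attack.
WAITING_STATES = ("SYN_RECEIVED", "TIME_WAIT", "FIN_WAIT_1", "FIN_WAIT_2", "CLOSE_WAIT", "LAST_ACK")


def count_states(netstat_output):
    """Count TCP socket states in `netstat -na` output (Linux or Windows layout).

    Only tcp/tcp6 rows carry a state column; UDP rows and headers are skipped.
    """
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        state = fields[-1].upper()
        counts[STATE_ALIASES.get(state, state)] += 1
    return counts


def looks_exhausted(counts, min_waiting=200, ratio=10.0):
    """True when waiting/half-open sockets dwarf completed connections.

    The defaults are assumed starting points, not measured values: tune them
    against the server's normal netstat profile before relying on them.
    """
    waiting = sum(counts[s] for s in WAITING_STATES)
    established = counts["ESTABLISHED"]
    return waiting >= min_waiting and waiting >= ratio * max(established, 1)


def triage(host_ping_ok, neighbor_ping_ok, service_ok, netstat_output="", **thresholds):
    """Apply the article's rules to outside observations plus netstat from the host.

    host_ping_ok     - pings to the website host succeed without heavy loss
    neighbor_ping_ok - pings to another server on the same switch succeed
    service_ok       - the website itself answers normally
    Assumes ICMP is not filtered on the path and a plain network fault is ruled out.
    """
    if not host_ping_ok and not neighbor_ping_ok:
        return "traffic"  # the whole switch is unreachable: bandwidth is saturated
    counts = count_states(netstat_output)
    if host_ping_ok and not service_ok and looks_exhausted(counts, **thresholds):
        return "resource-exhaustion"  # host is up but choking on half-open sockets
    if not host_ping_ok and neighbor_ping_ok:
        return "host-exhaustion-or-fault"  # link is fine; host CPU pegged, or host is down
    if not service_ok:
        return "degraded-unknown"  # slow, but netstat does not show the signature
    return "normal"


if __name__ == "__main__":
    counts = count_states(SAMPLE_NETSTAT)
    print(dict(counts))
    print(triage(True, True, False, SAMPLE_NETSTAT, min_waiting=5, ratio=3.0))
```

The state-name mapping matters in practice: a rule written for the Windows spelling SYN_RECEIVED silently counts zero on a Linux host that reports SYN_RECV, which is exactly the kind of blind spot an attacker benefits from.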
How does a DDoS attack reach its target?
A fully developed DDoS attack system has four parts: the attacker's own machine, the control hosts, the attack hosts, and the victim. Let us look first at the two most important parts, the second and third, which handle control and the actual attack respectively. Note the difference between a control host and an attack host: the packets the victim receives are sent by the attack hosts in part 3, while the control hosts in part 2 only issue commands and take no part in the attack itself. The hacker has compromised the machines in parts 2 and 3 and uploaded the corresponding DDoS programs to them; these programs run like ordinary programs and wait for the hacker's commands, generally using various means to hide themselves from discovery. In normal times these zombie machines show nothing unusual, but once the hacker connects to them and issues instructions, the attack hosts turn on the victim and start the attack.
Some may ask why the hacker goes through control hosts instead of driving the attack hosts directly. This is one of the things that make DDoS attacks hard to trace. From the attacker's point of view, they certainly do not want to be caught, and the more machines they touch directly, the more evidence they hand to the victim's analysts. After taking over a machine, a skilled attacker first does two things: 1. works out how to keep a backdoor, and 2. works out how to clear the logs. The point is to erase footprints so that nobody can tell what was done. An amateur deletes all the logs indiscriminately; the administrator then notices that every log is gone and knows that someone has been up to no good, even if the logs can no longer say who. A skilled attacker instead deletes only their own entries, so that nothing looks abnormal and the compromised machine can be used for a long time.
Clearing the logs on the attack hosts, however, is a huge job: even with a good log-cleaning tool it is a headache for the hacker, so some attack hosts are left less than clean. Following the clues they leave, investigators can find the upper-level machine that controls them. If that upper-level machine is the hacker's own, the hacker is exposed; if it is another compromised machine, the hacker is still safe. The number of control hosts is relatively small, since one control host can typically drive dozens of attack hosts, and clearing the logs of a single machine is much easier for the hacker. This greatly reduces the chance of tracing the hacker through the control host.
Organising a DDoS attack
The word "organising" is used deliberately, because a DDoS attack is not as simple as breaking into a single host. A hacker generally carries out a DDoS attack in the following steps:
1. Collect information about the target
The following information is of great interest to hackers:
Number and addresses of the hosts to be attacked
Configuration and performance of the target hosts
Bandwidth of the target
For a DDoS attacker who wants to take a site on the Internet such as http://www.skyh.cn offline, one key question is how many hosts serve the site. A large website may have many hosts serving the same www site behind load balancing. Take Yahoo as an example: the following addresses all serve http://www.yahoo.com:
66.218.71.87
66.218.71.88
66.218.71.89
66.218.71.80
66.218.71.81
66.218.71.83
66.218.71.84
66.218.71.86
Which address should be attacked? Crashing 66.218.71.87 alone leaves the other hosts still providing the www service, so to stop everyone from reaching http://www.bkjia.com, every machine behind these IP addresses would have to be brought down. In practice a single IP address often represents several machines: the site's maintainers use layer-4 or layer-7 switches for load balancing, and requests to one IP address are distributed to the hosts behind it by some algorithm. This makes the DDoS attacker's situation even more complicated; the task may be to disrupt the services of dozens of hosts.
Gathering intelligence in advance is therefore very important for a DDoS attacker, because it determines how many machines are needed to achieve the effect. Put simply, if taking down two hosts at a site needs two attack hosts, then under the same conditions taking down five hosts may need more than five. Some people say the more attack hosts the better: however many hosts the target has, use as many machines as possible, and exceeding the required number only helps.
In practice, however, many hackers launch DDoS attacks without gathering any intelligence. Such attacks are largely blind and their effect depends on luck. Hackers, like network administrators, cannot afford to be lazy: in this line of work attitude comes first and skill second.
2. Occupy zombie hosts
Hackers are most interested in the following kinds of hosts:
Hosts with a good network link
Hosts with good performance
Hosts with poor security management
This stage uses another kind of attack: intrusion. Combined with the DDoS attack proper, it amounts to breaking into and taking control of hosts, obtaining the highest administrative privilege or at least an account with enough privilege to carry out the DDoS tasks. For a DDoS attacker, a sufficient number of zombies is a prerequisite. The following describes how the attacker breaks in and takes them over.
First, the hacker scans, randomly or selectively, using scanners to find vulnerable machines on the Internet: buffer overflows, CGI, Unicode, FTP, and database vulnerabilities and the like are all scan results the hacker hopes to see. The next step is the intrusion attempt. The specific methods are not covered here; there are plenty of articles on the subject online.
In short, the hacker has now occupied a zombie. What next? Besides the routine work of leaving a backdoor and cleaning up footprints, they upload the programs used for the DDoS attack, usually via FTP. On an attack host this is a DDoS packet-sending program that the hacker uses to send malicious attack packets to the target.
3. The actual attack
After the careful preparation of the first two stages, the hacker takes aim at the target and prepares to launch. If the preparation has been done well, the attack itself is relatively simple. As shown in the figure, the hacker logs on to a control host from the console and sends a command to all the attack hosts: "Ready, target, fire!" The DDoS programs on the attack hosts respond to the console command and send a large volume of packets to the victim at high speed, causing it to crash or to stop responding to normal requests. The hacker generally sends traffic at a rate far beyond the target's processing capacity.
The attacker can also monitor the effect of the attack by various means and adjust as needed. Simply put, they open a window that continuously pings the target host, and if a reply still comes back, they increase the traffic or bring more machines into the attack. (Long Minhong)