Introduction to DoS attack principles and common methods
Source: Internet
Author: User
Many articles have introduced Denial of Service (DoS) attacks, but most people still do not know what DoS is or how it is implemented. This article mainly introduces the DoS mechanism and its common implementation methods. I learned a bit about the TCP/IP protocol and the RFC documents some time ago, and some of the content here is translated with reference to the article by shaft. To understand how DoS attacks are implemented you must have some understanding of TCP, so this article is divided into two parts: the first introduces the protocol details related to DoS attacks, and the second introduces common DoS methods.
What is a DoS attack?
DoS is short for Denial of Service; it has nothing to do with Microsoft's DOS operating system. Think of a Pizza Hut that will not let anyone in when it is full: if you want a pie, you have to wait at the door. A DoS attack lets an attacker stop the target machine from providing services or from accessing resources. These resources include disk space, memory, processes, and even network bandwidth, so normal users are blocked. For example:
* Flooding the server to block valid network communication
* Destroying the connection between two machines and blocking access to the service
* Preventing particular users from accessing the service
* Damaging server services or causing the server to crash
However, only the more sinister attackers use a DoS attack simply to take down a server. Generally, a DoS attack is used as part of an intrusion. For example, a large volume of attack traffic is used to overwhelm the intrusion detection system, producing too many logs or slow responses, so that the intruder's real activity is lost in the flood.
Something about TCP
TCP (Transmission Control Protocol) provides reliable, end-to-end byte stream communication over the unreliable Internet. It is formally defined in RFC 793; RFC 1122 records corrections to it, and RFC 1323 extends TCP's functionality.
In the TCP/IP protocol suite, the IP layer does not guarantee that a datagram is delivered correctly to its destination. TCP therefore accepts the user's data stream from the local machine, divides it into segments of no more than 64 KB, sends each segment as a separate IP packet, and reassembles them into a complete byte stream on the destination machine; ensuring reliability is TCP's job.
The sender's and receiver's TCP implementations exchange data in the form of segments. A segment consists of a fixed 20-byte header, an optional part, and then the data. When TCP transmits a segment from the sender, it also starts a timer. When the segment arrives at the destination, the receiver sends back a segment carrying an acknowledgment number, which is the sequence number of the next data it expects to receive. If the timer expires before that acknowledgment arrives, the sender retransmits the segment.
Now that we have a general understanding of TCP, it is important to become familiar with the TCP header, because the header carries the information that matters most for the data stream; the data itself is simply appended after it. The service responses of client and server depend on the header fields, and the exchange of information between the two ends is driven by the header contents. Therefore, to implement DoS you must be familiar with the header.
The following is the layout of the TCP segment header.
Source port and destination port: the local port and the target port.
Sequence number and acknowledgment number: the sequence number and confirmation number. The acknowledgment number is the byte number expected next. Both are 32-bit, since in a TCP stream every data byte is numbered.
Data offset: the length of the TCP header in 32-bit words, needed because the optional fields in the header are of variable length.
Reserved bits, followed by the flag bits. The receiving and sending ends determine the type of information flow from these flags:
URG (urgent pointer field significant): the urgent pointer flag. Setting it to 1 is used to avoid interruption of the TCP data flow.
ACK (acknowledgment field significant): when set to 1, the acknowledgment number is valid. When 0, the segment carries no acknowledgment and the acknowledgment number is ignored.
PSH (push function): the push flag. When set to 1, the segment's data can be delivered directly to the application as soon as the receiver gets it, instead of waiting until the buffer is full.
RST (reset the connection): used to reset a connection that has gone wrong for some reason, and to reject illegal data and requests. Receiving an RST usually means some error has occurred.
SYN (synchronize sequence numbers): used to establish a connection. A connection request carries SYN = 1, ACK = 0; the reply accepting the connection carries SYN = 1, ACK = 1. So SYN and ACK together distinguish a connection request from a connection acceptance.
FIN (no more data from sender): used to release the connection, indicating that the sender has no more data to send.
Now that we know the six important flags, let's continue.
16-bit window: the number of bytes that may be sent after the acknowledged data. It can be 0, meaning that everything up to the acknowledgment number minus 1 (that is, all data sent so far) has been received.
Next comes the 16-bit checksum field, which ensures reliability.
The 16-bit urgent pointer and the fields that follow are not explained here, or this would get far too long. Oh, you're lazy.
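As an added example (not code from the original article), the following Python decodes the fixed 20-byte header described above and names the role of a segment from its flag combination; the `build_header` helper, the constructed sample segments and the function names are assumptions made here for illustration.

```python
import struct

# Flag bits in the low byte of the "data offset / reserved / flags" word (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fields listed above from a raw TCP segment (network byte order)."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    sport, dport, seq, ack, off_flags, window, checksum, urgent = struct.unpack(
        "!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4      # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset points outside the segment")
    flags = off_flags & 0x3F
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "window": window, "checksum": checksum, "urgent_ptr": urgent,
        "options": segment[20:header_len], "payload": segment[header_len:],
    }


def classify(hdr: dict) -> str:
    """Name the role of a segment from its flags, as in the handshake description."""
    f = set(hdr["flags"])
    if f == {"SYN"}:
        return "connection request (SYN only)"
    if f == {"SYN", "ACK"}:
        return "connection accepted (SYN+ACK)"
    if "RST" in f:
        return "reset"
    if "FIN" in f:
        return "release"
    return "data or acknowledgment"


def build_header(sport, dport, seq, ack, flags, window=65535, options=b"") -> bytes:
    """Constructed sample builder: options must be padded to a multiple of 4 bytes,
    and the checksum is left 0 because no IP pseudo-header is available here."""
    words = (20 + len(options)) // 4
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       (words << 12) | flags, window, 0, 0) + options
```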
The TCP handshake is the important part. It is divided into three steps.
Before any connection exists, the receiver (our target, the server) is in the listen state, waiting for other machines to send connection requests.
Step 1: the client sends a segment with the SYN bit set, indicating that it wants a connection to the server. For example, if the sequence number of the sent packet is 10, the request is SYN = 10, ACK = 0. The client then waits for the server's response.
Step 2: after the server receives such a request, it checks whether the specified port is listening. If not, the server replies with RST = 1 and rejects the connection. If the connection is accepted, the server sends its confirmation. The SYN value is the server's own internal number, say 100, and the ACK value is the client's request sequence number plus 1. The data sent in this example is SYN = 100, ACK = 11. This tells the client that the server side is ready and is waiting for the client's confirmation.
After receiving it, the client analyses the information and prepares to send a confirmation to the server.
Step 3: the client sends a segment to the server confirming the connection. The SYN value of this confirmation is the ACK value sent by the server, and its ACK value is the server's SYN value plus 1, that is, SYN = 11, ACK = 101.
The connection is now established and data can be sent. This is the basic request and connection process; note the relationships between the flag values, such as SYN and ACK.
Backlog queue
The server does not establish a connection with the client immediately after receiving the SYN request. Instead, it allocates memory for the connection request, creates a session, and places it in a waiting queue. If the waiting queue is full, the server allocates nothing for new connections and simply discards new requests. At that point the server is denying service.
If the server receives an RST, it treats the segment as an error and clears the connection in the backlog queue based on the client IP address. This matters for IP spoofing and can also be exploited for DoS attacks.
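As an added model (not code from the original article), the following Python simulates the server side of the handshake and backlog behaviour described above: a listening port with a fixed-size backlog that allocates a half-open entry on SYN, completes it on the final ACK, and clears an entry on RST keyed only by client address and port. The class, the sequence numbers and the sample addresses are constructed here; real stacks also require an in-window sequence number before honouring an RST (RFC 5961) and may use SYN cookies, both of which this simplified model omits.

```python
from collections import OrderedDict


class ListeningServer:
    """Model of a server port in the listen state with a backlog queue (constructed)."""

    def __init__(self, backlog_size: int, isn: int = 100):
        self.backlog_size = backlog_size
        self.half_open = OrderedDict()   # (client_ip, client_port) -> server seq
        self.established = {}            # completed connections, same key
        self.isn = isn                   # server's next initial sequence number
        self.dropped_syns = 0            # SYNs discarded because the backlog was full

    def on_segment(self, src_ip, src_port, seq, ack, flags):
        """Process one inbound segment; returns (event, reply-or-None)."""
        key = (src_ip, src_port)
        if "RST" in flags:
            # As the text describes, the entry is cleared by client address/port
            # alone, which is why a forged source address is enough to clear it.
            cleared = key in self.half_open or key in self.established
            self.half_open.pop(key, None)
            self.established.pop(key, None)
            return ("reset" if cleared else "ignored", None)
        if flags == {"SYN"}:
            if key in self.half_open or key in self.established:
                return ("ignored", None)         # duplicate request
            if len(self.half_open) >= self.backlog_size:
                self.dropped_syns += 1           # queue full: request discarded
                return ("dropped", None)
            self.half_open[key] = self.isn       # allocate state for a half-open entry
            self.isn += 1
            # Step 2 of the handshake: SYN = server's number, ACK = client seq + 1
            return ("syn-ack", {"seq": self.half_open[key], "ack": seq + 1})
        if flags == {"ACK"} and key in self.half_open:
            if ack != self.half_open[key] + 1:   # step 3 must acknowledge our SYN
                return ("bad-ack", None)
            self.established[key] = self.half_open.pop(key)
            return ("established", None)
        return ("ignored", None)

    def backlog_full(self) -> bool:
        """True once every backlog slot holds a half-open (SYN-only) entry."""
        return len(self.half_open) >= self.backlog_size
```

Feeding the model only SYN segments from addresses that never answer shows the backlog filling, after which a legitimate SYN is dropped; a single RST carrying a known client's address and port removes that client's connection.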
With this understanding of TCP and the connection process, there are two ways to launch a denial-of-service attack against a server:
1. Force the server's buffer to fill so that it accepts no new requests.
2. Use IP spoofing to force the server to reset valid users' connections, disrupting those users.
This is the basic idea behind implementing DoS attacks. The specific methods are as follows:
1. SYN flood
This uses the server's connection buffer (backlog queue): a special program sets the TCP header fields and repeatedly sends connection requests carrying only the SYN flag to the server. When the server receives a connection request that has not been completed, it creates a session for it and places it in the buffer queue.
If the SYN requests exceed the server's capacity and the buffer queue fills, the server no longer accepts new requests, and other legitimate users' connections are rejected. The attacker keeps sending SYN requests so that the buffer holds nothing but SYN-only entries.
There are many tools that implement SYN floods.
2. IP spoofing DoS attacks
This attack uses the RST bit. Suppose a valid user (1.1.1.1) has established a normal connection with the server. The attacker constructs TCP segments with the source IP address forged as 1.1.1.1 and sends a segment with the RST bit set to the server. On receiving it, the server concludes that the connection from 1.1.1.1 has an error and clears the established connection from its buffer. If the valid user 1.1.1.1 then sends legitimate data, the server no longer has that connection, and the user must establish a new one.
During such an attack, many IP addresses are forged and RST segments are sent to the target, so the server stops serving legitimate users.
3. Bandwidth DoS attacks
If your connection bandwidth is large enough and the server's is not, you can send requests that consume both the server's buffer and its bandwidth. This type of attack is sheer brute force; combined with SYN flooding it is very powerful. It is a basic form of DoS attack. Haha, ping the White House?? You're crazy!
4. Self-consumption DoS attacks
This is an old attack method; old systems had such bugs, for example Win95 (Winsock v1), Cisco IOS v10.x, and other outdated systems.
In this DoS attack the request's client IP address and port are set to the same values as the host's own IP address and port, and the request is sent to the host, making the host send TCP requests and connections to itself. A host with this vulnerability quickly consumes all of its resources, directly causing the server to crash. This kind of disguise also poses a big threat to some identity authentication systems.
The most important means of implementing the DoS attacks above is to construct the required TCP segments and make full use of the TCP protocol; these methods are all TCP-based. There are other DoS attacks as well.
5. Filling the server's hard disk
Generally, if a server allows write operations without restriction, it can become a channel for DoS by hard disk filling. For example:
Sending spam. Companies often run the email server and the web server on the same machine. An attacker can send a large volume of spam, which accumulates in the mail queue or the bad-mail queue until the mailbox breaks or the hard disk is full.
Filling logs. An intruder can construct and send a large number of error-producing requests. The server records these errors, which can produce huge log files and even fill the hard disk. At the same time, the administrator faces a mass of logs and may be unable to find the intruder's real path into the system.
Adding junk files to anonymous FTP. This can also fill up disk space.
6. Exploiting security policies
Servers generally have account-lockout security policies; for example, after three consecutive failed logins the account is locked. Attackers can use this too: they deliberately fail to log in as a target account so that it becomes locked, and the legitimate user can no longer log in to the system with it.