Linux Network Programming: Flood Attack Details
Flood Attack Details
① Definition: a flood attack uses the network to send a large number of useless packets to a target host, so that the host is kept busy processing them and can no longer provide normal service.
The underlying principle is to exploit a weakness in a network protocol's handling, or simply to overwhelm the host with a large volume of requests (for example, pings) until its resources are exhausted.
Method: crafted packets keep the target machine busy processing or waiting; the packets are built with raw sockets.
Category:
ICMP: raw sockets are used to send a large number of echo requests or echo replies, data that the protocol stack must process by default, which affects
UDP: UDP packets are sent to a UDP port of the target host, which must process every one of them.
SYN: after a raw SYN packet is sent, the target must process it and then wait until the half-open connection times out.
Flood attacks
ICMP flood attacks
Principle: based on ping (ICMP echo request and reply).
Category:
Direct flood attack: the attacker and the target compete on bandwidth and processing power, and the attacker tries to win on sheer performance. Drawback: the target can block the attacker, or even counter-attack, based on the source IP address.
Spoofed-IP attack: the sender's IP address is replaced with a forged one, which removes the drawback of the direct flood.
Reflection attack: the attacker does not flood the target itself; it sends requests with the target's address forged as the source, so that other hosts believe the target is sending them ICMP requests. Result: the target host ends up having to handle the ICMP replies to all of those requests.
UDP flood attacks
UDP flood protection
Unlike TCP, UDP is connectionless, and UDP application protocols vary greatly, so defending against a UDP flood is difficult. Protection has to be chosen according to the specific situation:
Check the packet size. If the attack uses large packets, filter UDP fragments: set the fragment size threshold according to the attack packet size, usually not less than 1500 bytes. In extreme cases, consider dropping all UDP fragments.
If the attacked port is a service port: set a maximum UDP packet size based on the longest packet the service legitimately uses, and filter traffic that exceeds it.
If the attacked port is not a service port: either discard all UDP packets, which may also harm legitimate services, or establish UDP connection rules requiring that any UDP packet destined for the port be preceded by a TCP connection to the corresponding TCP port. The second method requires a professional firewall or other protection device that supports it.
SYN flood attacks
Introduction: also called a denial-of-service attack, this is one of the best-known DoS (denial-of-service) and DDoS (distributed denial-of-service) methods: a large number of forged TCP connection requests are sent so that the victim's resources are exhausted (the CPU is saturated or memory runs out).
Principle Analysis:
TCP three-way handshake:
In TCP/IP, TCP provides a reliable connection service and uses a three-way handshake to establish each connection.
First handshake: to open a connection, the client sends a SYN packet (syn = j) to the server and enters the SYN_SEND state, waiting for the server's confirmation.
Second handshake: on receiving the SYN, the server must acknowledge the client's SYN (ack = j + 1) and send its own SYN (syn = k), i.e. a SYN + ACK packet; the server enters the SYN_RECV state.
Third handshake: the client receives the SYN + ACK packet and sends an ACK (ack = k + 1) to the server; both client and server enter the ESTABLISHED state and the three-way handshake is complete. Only then do the two sides begin to transmit data.
Attack methods:
Host A sends SYN requests to host B, each with a forged source IP address. After B completes the second handshake it must wait for A's acknowledgement, and during that timeout period the half-open connection holds resources. If B's capacity for handling handshakes cannot keep up with the number of requests A sends, B runs out of resources. A builds the packets with raw sockets, and as long as it sends them fast enough, B is inevitably affected.
Protection measures:
① Shorten the SYN timeout, i.e. the waiting time between the second and third handshake.
② Keep a per-IP record (cookie) of requests: if repeated requests arrive from the same IP address within a short period, treat it as an attack and block that address.
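Protection measure ② in working form, as an added example that is not part of the original article: count half-open (SYN_RECV) connections per source IP from netstat-style output and flag sources over a threshold. The sample output, the threshold of 3 and the function names are constructed assumptions.

```python
"""Flag source IPs holding too many half-open TCP connections.

Added example (not from the original article). It reads text in the
format of `netstat -tan`, counts rows in state SYN_RECV per foreign
IP address, and reports addresses at or above a threshold, which is
the per-IP check described in protection measure ②.
"""
from collections import Counter

# Constructed sample in `netstat -tan` layout (not real captured data).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address      Foreign Address     State
tcp        0      0 10.0.0.5:80        203.0.113.7:40001   SYN_RECV
tcp        0      0 10.0.0.5:80        203.0.113.7:40002   SYN_RECV
tcp        0      0 10.0.0.5:80        203.0.113.7:40003   SYN_RECV
tcp        0      0 10.0.0.5:80        198.51.100.2:51000  ESTABLISHED
tcp        0      0 10.0.0.5:80        198.51.100.9:51234  SYN_RECV
tcp        0      0 10.0.0.5:443       203.0.113.7:40004   SYN_RECV
"""


def half_open_by_source(netstat_text):
    """Return a Counter of SYN_RECV rows keyed by foreign (source) IP."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a six-column tcp row
        # in the half-open state.
        if len(fields) != 6 or fields[0] != "tcp" or fields[5] != "SYN_RECV":
            continue
        src_ip = fields[4].rsplit(":", 1)[0]  # strip the source port
        counts[src_ip] += 1
    return counts


def suspicious_sources(netstat_text, threshold=3):
    """Source IPs holding at least `threshold` half-open connections."""
    counts = half_open_by_source(netstat_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in half_open_by_source(SAMPLE_NETSTAT).items():
        print(f"{ip}: {n} half-open")
    print("suspicious:", suspicious_sources(SAMPLE_NETSTAT))
```

Note that when source addresses are forged at random, as in the attack described above, each address appears only once and a per-IP count stays low, so this check should be combined with a limit on the total number of SYN_RECV entries.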