Source: E-generation time
In network overload attacks, a shared resource or service cannot serve the requests of other users because it is busy processing a large number of requests. For example, if a user generates a large number of processes, other users cannot run their own processes; if a user consumes a large amount of disk space, other users cannot create new files. The effective way to protect a system from overload attacks is to partition the computer's resources and limit each user to their own share. In addition, the system can automatically check for overload or restart itself.
1. Process overload
Process attacks are the simplest type of denial-of-service attack. In a process attack, one user prevents other users from using the computer at the same time. Process attacks usually occur on shared computers; if nobody is competing with you for the computer, there is no reason to mount such an attack. This attack has little effect on current UNIX systems, because they limit the number of processes that any UID (except 0) may run. This limit is called MAXUPROC. It is set in the kernel when the system is built, and some systems allow the value to be set at startup.
For example, Solaris allows you to set this value in the /etc/system file:
set maxuprc=100
The number of processes a user can consume in such an attack is then capped, and other users are not affected. A superuser can use the ps command to view a process's child processes and the kill command to kill useless processes. Sometimes the processes cannot be killed one by one, because the remaining processes generate new processes. A good solution is to first stop the processes with the kill command (the STOP signal) and only then kill them. A group of processes can also be killed at the same time: in many cases a user's runaway processes all belong to the same process group. To locate the process group, use the appropriate ps option, then kill the whole group with one command.
On current UNIX systems, a user with superuser privileges can still use a process attack to stop the system, because there is no limit on the number of processes the superuser may create. But a superuser can also simply shut down the system or run other commands, so this is not a very important issue, unless the superuser runs a runaway program that uses up every process slot so that no one can get a process, not even to log in. In other cases the system may be overloaded even though no single user has reached their own maximum: because so many users are using the computer, the system as a whole reaches its maximum number of processes. Another possibility is a misconfigured system, in which the number of processes allowed to one user equals or exceeds the maximum number of processes allowed system-wide. When there are too many processes in the system there is no better remedy than restarting it. You cannot run the ps command to determine how many processes need to be killed, because ps itself needs to create a process. If the administrator is not logged on as the superuser, the su and login commands cannot be used either, because both also need to create a new process. In this case you can use exec, which replaces the current shell instead of creating a new process:
% exec /bin/su
Password:
#
Be careful not to enter the wrong password: the shell has been replaced by su, so when su exits you are logged out of the system.
If the system is saturated by too many processes, restart it. The simplest method is to press the RESET button on the chassis, but this can damage file blocks on the disk because the system has not had time to flush its buffers to disk; not many systems are designed to survive being stopped suddenly. A better way is to kill some processes and then enter single-user mode.
On modern UNIX systems the superuser can send a SIGTERM signal to all processes except system processes and the superuser's own processes:
# kill -TERM -1
If your UNIX does not support this, run:
# kill -TERM 1
This sends a SIGTERM signal to the init process; UNIX then automatically kills all processes and enters single-user mode. You can then run the sync command and restart the system.
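As an added example (not part of the original article), the following POSIX shell script finds the process groups that account for a user's runaway processes from ps output and stops a group before killing it, so that survivors cannot re-fork; the ps sample, the user names and the process name forker are constructed.

```shell
#!/bin/sh
# Added example: locate runaway process groups and stop-then-kill them.
# Not code from the original article; sample data below is constructed.

# Constructed sample of `ps -eo user,pid,pgid,comm` output (not a real host).
SAMPLE_PS='USER       PID  PGID COMMAND
root         1     1 init
root       812   812 sshd
alice     2001  2001 bash
alice     2040  2040 forker
alice     2041  2040 forker
alice     2042  2040 forker
alice     2043  2040 forker
alice     2044  2040 forker
bob       3001  3001 bash'

# list_heavy_pgids USER THRESHOLD [PS_OUTPUT]
# Prints "PGID COUNT" for every process group of USER that holds more than
# THRESHOLD processes. Reads PS_OUTPUT when given, otherwise runs ps itself.
list_heavy_pgids() {
    user=$1; threshold=$2
    if [ $# -ge 3 ]; then
        printf '%s\n' "$3"
    else
        ps -eo user,pid,pgid,comm
    fi | awk -v u="$user" -v t="$threshold" '
        NR > 1 && $1 == u { n[$3]++ }
        END { for (g in n) if (n[g] > t) print g, n[g] }'
}

# stop_then_kill_pgid PGID
# Freeze the whole group first (SIGSTOP) so no member can fork a replacement
# while the others are being killed, then kill the group. Prints the commands
# instead of running them unless DO_IT=1 is set in the environment.
stop_then_kill_pgid() {
    pgid=$1
    if [ "${DO_IT:-0}" = 1 ]; then
        kill -STOP -- -"$pgid" && kill -KILL -- -"$pgid"
    else
        echo "would run: kill -STOP -- -$pgid; kill -KILL -- -$pgid"
    fi
}
```

Run it as a superuser with DO_IT=1 only after confirming the group with ps, since a negative PID targets every process in the group.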
2. System overload attacks
Another popular process-based attack is a user generating many processes that consume a lot of CPU time. This reduces the CPU time available to other users. For example, if a user runs ten find commands searching directories for files, the system can slow to a crawl.
A better approach is to educate users to share the system reasonably and to encourage them to use the nice command to reduce the priority of processes they run in the background. The at and batch commands can be used to schedule long tasks to run when the system is not busy. Measures can be taken against users who do this intentionally or repeatedly.
If the system is overloaded, log in as root and raise the priority of your own shell. Then use the ps command to observe the running processes and the kill command to remove the offenders.
3. Disk attacks
This attack fills the disk: a user fills the disk with a large number of files so that other users cannot create files or do other useful work.
Disk Full attack
The du command can be used to find how disk space is used in each partition of the system; it recursively walks the directory tree and lists the number of blocks used by each directory. The find command can list the names of large files: its -size option lists files larger than a given size.
The quot command summarizes file system usage by user. With its -f option it prints both the number of files and the number of blocks used by each user.
UNIX file systems use inodes to store file information. One way to make a disk unusable is to consume all of its free inodes so that no new files can be created; a user may generate thousands of empty files. This is a very confusing problem, because df reports plenty of available space, yet creating a file returns an error. Every new file, directory and special (device) file must be described by an inode, so if the inodes are exhausted the system cannot create new files even though disk space is still available.
You can use the -i option of the df command to check the number of free inodes. In general, dividing a disk into small partitions protects the system from disk-full attacks: put the home directories of different users into different partitions, so that if one partition fills up, users on the other partitions are not affected.
Another effective method is the disk quota system found in many modern UNIX systems. With quotas, the administrator sets, for each user, how many inodes and how many disk blocks that user may consume.
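As an added example (not from the original article), the following POSIX shell functions detect the inode-exhaustion case described above, where df shows free blocks but new files cannot be created, and attribute file counts and empty-file counts to owners in the way quot does; the df -i sample, device names and mount points are constructed.

```shell
#!/bin/sh
# Added example: spot inode exhaustion and find who is creating the files.
# Not code from the original article; the df sample below is constructed.

# Constructed `df -i` output (not from a real host). /home has free blocks
# left but only 5 inodes, which is exactly the confusing case in the text.
SAMPLE_DFI='Filesystem      Inodes   IUsed   IFree IUse% Mounted on
/dev/sda1       655360   32110  623250    5% /
/dev/sdb1      1310720 1310715       5  100% /home'

# inode_pressure THRESHOLD_PCT [DF_OUTPUT]
# Prints "MOUNT IUSE%" for every filesystem whose inode usage is at or above
# THRESHOLD_PCT. Reads DF_OUTPUT when given, otherwise runs df -i.
inode_pressure() {
    pct=$1
    if [ $# -ge 2 ]; then
        printf '%s\n' "$2"
    else
        df -i
    fi | awk -v t="$pct" '
        NR > 1 { sub(/%/, "", $5); if ($5 + 0 >= t) print $6, $5 }'
}

# files_per_owner DIR
# Prints "OWNER FILES EMPTY" per owning user under DIR, sorted by file count,
# using ls -l output (field 3 is the owner, field 5 the size). Thousands of
# empty files from one owner is the signature of an inode-exhaustion attack.
files_per_owner() {
    find "$1" -type f -exec ls -ld {} + 2>/dev/null |
    awk '{ n[$3]++; if ($5 == 0) e[$3]++ }
         END { for (u in n) print u, n[u], e[u] + 0 }' |
    sort -k2,2nr
}
```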
Prevent DoS Attacks
Many modern UNIX systems allow administrators to set limits such as the maximum memory, CPU time, and maximum files that can be created. These limits are useful so that a new program you are developing does not accidentally slow the system or make it unavailable to other users who share the host. The Korn shell ulimit command and the C shell limit command list the resource limits that will apply to processes started from the shell.