DDoS principle:
First, attackers exploit system service vulnerabilities or administrator configuration errors to gain access to small websites with poor security measures and to servers within the organization. The attacker then installs the attack software on the compromised servers. The objective is to isolate the network connections, to protect the attacker from being tracked by monitoring systems during the attack, and to coordinate the attack more effectively. From the attack console, the attacker then issues commands against a specific target to each attack server. After receiving the attack command, each attack server sends a large number of service request packets to the target host. These packets are disguised so that their source cannot be identified. In addition, the services requested by these packets often consume a large amount of system resources, such as CPU time or network bandwidth, which exhausts the target host's network and system resources until the service stops; it may even cause a system crash.
Because the protocols used by attackers are common protocols and services, it is difficult for the system administrator to distinguish malicious requests from normal connection requests, so attack packets cannot be filtered out effectively. The attacker's location is also well concealed: once the attack command has been sent to the servers, the attacker can shut down his computer, which makes him very difficult to track.
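The paragraph above makes the key defensive point: each request looks like an ordinary, well-formed use of a common protocol, so per-request inspection fails. What still separates a distributed flood from normal load is the aggregate view per target: request volume per time window and the number of distinct sources behind it. The following is an added example (not code from the original page) that applies that idea to a constructed access log; the log lines, thresholds, hostnames and addresses are all assumptions made up for the demonstration.

```python
from collections import defaultdict
from datetime import datetime


def build_sample_log():
    """Constructed sample access log, one request per line:
    "<ISO timestamp> <src_ip> <dst_host> <method> <path>".

    Not real traffic: ten seconds of normal browsing from two clients,
    then a two-second burst from twenty distinct sources that all request
    the same (presumably expensive) search page.
    """
    lines = []
    # Normal traffic: one request per second, alternating between two clients.
    for sec in range(10):
        src = "10.1.1.5" if sec % 2 == 0 else "10.1.1.9"
        lines.append(f"2024-01-01T10:00:{sec:02d} {src} www.example.org GET /index.html")
    # A few requests to a second host, to show that grouping is per destination.
    lines.append("2024-01-01T10:00:03 10.1.1.7 mail.example.org GET /inbox")
    lines.append("2024-01-01T10:00:08 10.1.1.7 mail.example.org GET /inbox")
    # Flood: twenty sources, each sending only one request per second for two seconds.
    for sec in (10, 11):
        for i in range(1, 21):
            lines.append(f"2024-01-01T10:00:{sec:02d} 198.51.100.{i} www.example.org GET /search?q=a")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_host, request)."""
    ts, src, dst, method, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), src, dst, f"{method} {path}"


def detect_floods(lines, window_seconds=2, request_threshold=20, min_distinct_sources=10):
    """Flag (destination, time window) pairs whose aggregate request count
    exceeds request_threshold AND that involve at least min_distinct_sources
    senders. Each alert also records the busiest single source, to show how
    little a per-source rate limit would have seen.
    """
    records = [parse_line(line) for line in lines]
    if not records:
        return []
    t0 = min(r[0] for r in records)
    # (dst_host, window index) -> {src_ip: request count}
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, _request in records:
        bucket = int((ts - t0).total_seconds()) // window_seconds
        buckets[(dst, bucket)][src] += 1

    alerts = []
    for (dst, bucket), per_src in sorted(buckets.items()):
        total = sum(per_src.values())
        if total >= request_threshold and len(per_src) >= min_distinct_sources:
            alerts.append({
                "dst": dst,
                "window_start_offset_s": bucket * window_seconds,
                "requests": total,
                "distinct_sources": len(per_src),
                "max_per_source": max(per_src.values()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
```

Running it reports a single window for www.example.org with 40 requests from 20 sources, where no individual source sent more than 2 requests; a per-source threshold alone would stay silent, which is exactly why the aggregate, per-destination view is the one worth alerting on.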
DDoS architecture:
Distributed Denial-of-Service (DDoS) attacks adopt a special architecture: many distributed hosts attack a single target at the same time, paralyzing it. The intrusion monitoring and filtering methods currently in use do not work against this type of intrusion. Therefore, in order to identify the weaknesses of such attacks and to monitor and capture such intrusions effectively, the tools they use must be analyzed in detail.
DDoS uses a three-layer client-server structure.
The bottom layer consists of the attack executors. It is made up of many network hosts running Unix, Linux, Mac, and other operating systems. Attackers log on to these hosts in various ways and install the attacker program on them. These attacker programs generally have the address of one or more attack servers in the layer above built in, and their attack behavior is directly controlled by those attack servers.
Attack server. The main task of the attack server is to relay the console's commands to the attack executors.
Like the attack executors, these servers are installed on hosts that have been compromised.
Attack console. The attack console can be any host on the network, even one that is in active use. It is used to issue attack commands to the attack servers in the middle layer.
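Two facts from this page matter to a defender: the executors and servers live on compromised hosts inside ordinary organizations, and the packets they emit carry disguised source addresses. An organization that checks the source address of every packet leaving its network (source address validation, usually called BCP 38) can therefore both stop its hosts from being useful executors and locate which hosts have been compromised. The following is an added example (not code from the original page) of that egress check over constructed flow records; the organization's prefixes, host names, addresses and packet counts are assumptions made up for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed address plan for a hypothetical organization (assumption, not from the page).
ORG_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def build_sample_flows():
    """Constructed outbound flow records, one per tuple:
    (sending host, source IP written in the packets, destination IP, packet count).

    host-c carries a little legitimate traffic plus three high-volume flows whose
    source addresses do not belong to the organization at all, which is what an
    executor sending disguised packets looks like from the border router.
    """
    return [
        ("host-a", "203.0.113.10", "198.51.100.7", 120),
        ("host-b", "10.20.30.40", "198.51.100.9", 80),
        ("host-c", "203.0.113.12", "192.0.2.1", 30),
        ("host-c", "192.0.2.55", "198.51.100.250", 5000),
        ("host-c", "198.51.100.200", "198.51.100.250", 4800),
        ("host-c", "192.0.2.77", "198.51.100.250", 5100),
    ]


def is_spoofed(src_ip, prefixes=ORG_PREFIXES):
    """True when an outbound packet claims a source address outside every prefix we own."""
    addr = ipaddress.ip_address(src_ip)
    return not any(addr in net for net in prefixes)


def egress_report(flows, prefixes=ORG_PREFIXES):
    """Summarize, per internal host, how many packets carried valid versus spoofed
    source addresses and how many distinct spoofed addresses were used."""
    report = defaultdict(lambda: {"legit_packets": 0, "spoofed_packets": 0, "spoofed_sources": set()})
    for host, src_ip, _dst_ip, packets in flows:
        entry = report[host]
        if is_spoofed(src_ip, prefixes):
            entry["spoofed_packets"] += packets
            entry["spoofed_sources"].add(src_ip)
        else:
            entry["legit_packets"] += packets
    # Freeze the sets into counts so the result is plain data.
    return {
        host: {
            "legit_packets": e["legit_packets"],
            "spoofed_packets": e["spoofed_packets"],
            "spoofed_sources": len(e["spoofed_sources"]),
        }
        for host, e in report.items()
    }


def suspected_executors(report, min_spoofed_packets=1000):
    """Hosts emitting a significant volume of spoofed-source packets are the ones
    to pull for forensic review; packets from them should be dropped at the border."""
    return sorted(h for h, e in report.items() if e["spoofed_packets"] >= min_spoofed_packets)


if __name__ == "__main__":
    rep = egress_report(build_sample_flows())
    for host, entry in sorted(rep.items()):
        print(host, entry)
    print("suspected executors:", suspected_executors(rep))
```

The filter is deliberately simple: a packet either carries one of the organization's own addresses or it does not, so it can run on the border router without any knowledge of the attack protocol, which is what makes it effective against traffic that is otherwise indistinguishable from legitimate requests.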