Server may be subject to attack summary

Source: Internet
Author: User
Tags: network function, SQL injection, attack

Possible attacks on the server

1. SMS consumption

On the platform's registration page, a user who has not yet entered a verification code can click to obtain one for free. If an attacker enters a large number of mobile phone numbers from changing (dynamic) IP addresses and clicks to obtain a verification code each time, the platform's SMS quota is consumed in bulk.

2. Role lookup when the user name is entered

When the login page is opened and a user name is entered, the system automatically queries the database to confirm the user's role information. If an attacker submits a large number of user names, the database resources are exhausted and normal access becomes impossible.

3. DDoS

In recent years, with the spread of broadband, many websites have become profitable, and many illegal websites profit as well. This leads to attacks between competitors, and some people use network attacks to extort money. At the same time, vulnerabilities in the Windows platform are widely publicized, and rogue software, viruses and Trojans flood the network, so that technically skilled people can easily take illegal control of a large number of personal computers and launch DDoS attacks for profit. Attacks have become the most direct form of competition on the Internet, and the returns are high; driven by these interests, attacks have evolved into a complete industrial chain. A Trojan injected into the pages of a high-traffic website infects visitors through Windows vulnerabilities; once infected, the computer is controlled in the background by the attacker and becomes a so-called "broiler" (zombie). Every day people collect broilers and sell them for anywhere from a few cents to a few yuan each, because the buyers then remotely control these machines to attack servers.

Generally a hardware firewall ("hard defense") in front of the server blocks such traffic directly, leaving the attacker no room to act. Although there are many ways to attack, most of the techniques and tools used by entry-level attackers today still have a lot in common.

Discovering a DDoS attack:

If the attacker is attacking the Web server's port 80, look at the client IPs and ports connected to port 80 with the following command:

netstat -an -t | grep ":80 " | sort -k 5 | awk '{print $5,$6}'

Output:

161.2.8.9:123 FIN_WAIT2
161.2.8.9:124 FIN_WAIT2
61.233.85.253:23656 FIN_WAIT2

The first column is the client IP and port, the second column is the connection state.

If there are many connections (more than 50) from the same IP, and all of them are on contiguous ports, it is most likely an attack.

We can use iptables to block access from this IP.

Blocking an IP with iptables:

iptables -I RH-Lokkit-0-50-INPUT 1 -p tcp -m tcp -s 213.8.166.227 --dport 80 --syn -j REJECT
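The rule of thumb above (more than 50 connections from one IP, all on contiguous ports) can be applied to the netstat output automatically. The following Python script is an example added here, not code from the original article: it parses the two columns printed by the netstat pipeline, counts connections per source IP, measures how contiguous the client ports are, and prints the iptables rule an operator would review before applying it. The sample output is constructed; the thresholds (50 connections, 90% contiguous) are assumptions following the text.

```python
"""Flag source IPs holding many port-80 connections on contiguous client
ports, following the article's rule of thumb.  Example code added here; it
is not part of the original article.  The sample output is constructed."""

import ipaddress
from collections import defaultdict

# Constructed sample of the two columns printed by
#   netstat -an -t | grep ":80 " | sort -k 5 | awk '{print $5,$6}'
SAMPLE_OUTPUT = "\n".join(
    [f"161.2.8.9:{port} FIN_WAIT2" for port in range(40000, 40060)]
    + ["61.233.85.253:23656 FIN_WAIT2", "61.233.85.253:23899 ESTABLISHED"]
)


def parse_connections(text):
    """Return {ip: [ports]} from lines of the form 'ip:port STATE'."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or ":" not in parts[0]:
            continue  # skips headers such as 'Foreign Address State'
        ip, _, port = parts[0].rpartition(":")  # rpartition also copes with IPv6
        try:
            ipaddress.ip_address(ip)
            by_ip[ip].append(int(port))
        except ValueError:
            continue
    return by_ip


def contiguous_ratio(ports):
    """Fraction of adjacent (sorted, distinct) ports that differ by exactly 1."""
    s = sorted(set(ports))
    if len(s) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(s, s[1:]) if b - a == 1)
    return steps / (len(s) - 1)


def suspicious_sources(text, min_conns=50, min_contiguous=0.9):
    """IPs with more than min_conns connections, mostly on contiguous ports.
    Returns {ip: connection_count}.  Thresholds are assumptions."""
    flagged = {}
    for ip, ports in parse_connections(text).items():
        if len(ports) > min_conns and contiguous_ratio(ports) >= min_contiguous:
            flagged[ip] = len(ports)
    return flagged


if __name__ == "__main__":
    for ip, count in suspicious_sources(SAMPLE_OUTPUT).items():
        print(f"{ip}: {count} connections on contiguous ports")
        # The rule is printed for review, not executed; the chain name is the
        # one used in the article.
        print(f"iptables -I RH-Lokkit-0-50-INPUT 1 -p tcp -m tcp -s {ip} "
              f"--dport 80 --syn -j REJECT")
```

Run it against real output by piping the netstat command into the script and reading stdin instead of SAMPLE_OUTPUT. Legitimate clients behind one NAT gateway also share a source IP, but their client ports are usually scattered, which is why the contiguity check is kept alongside the plain count.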


4. SYN flood

Before understanding the SYN attack we need to understand the TCP handshake. In the TCP/IP protocol suite, TCP provides a reliable, connection-oriented service and uses a three-way handshake to establish a connection.

First handshake: when establishing a connection, the client sends a SYN packet (SYN=J) to the server and enters the SYN_SEND state, waiting for the server to confirm;

Second handshake: the server receives the SYN packet and must acknowledge the client's SYN (ACK=J+1) while also sending its own SYN packet (SYN=K), i.e. a SYN+ACK packet; the server then enters the SYN_RECV state;

Third handshake: the client receives the server's SYN+ACK packet and sends an acknowledgment packet ACK (ACK=K+1) to the server. Once this packet is sent, the client and server enter the ESTABLISHED state and the three-way handshake is complete.

After the three-way handshake, the client and server begin transmitting data. Several important concepts appear in the above process:

Half-open connection queue: in the three-way handshake, the server maintains a half-open (not yet connected) queue with one entry for each client SYN packet (SYN=J). An entry indicates that the server has received a SYN packet, has sent its acknowledgment to the client, and is waiting for the client's acknowledgment. The connections identified by these entries are in the SYN_RECV state on the server. When the server receives the client's acknowledgment, the entry is removed and the connection enters the ESTABLISHED state.

Backlog parameter: the maximum number of entries in the half-open connection queue.

SYN-ACK retransmission count: the number of times the server sends the SYN-ACK packet. If it does not receive the client's acknowledgment, the server retransmits a first time; if after waiting a further period it still receives no acknowledgment, it retransmits a second time, and so on. Once the number of retransmissions exceeds the system's maximum, the connection information is removed from the half-open queue. Note that the waiting time before each retransmission is not necessarily the same.

Half-open connection lifetime: the maximum time an entry in the half-open queue survives, that is, the maximum time from the server receiving a SYN packet until its acknowledgment is considered invalid; it is the sum of the maximum waiting times of all retransmissions. The half-open connection lifetime is also called the timeout or SYN_RECV lifetime.

Now we can understand the principle of the SYN attack. A SYN attack is a DoS attack that exploits a flaw in the TCP protocol: by sending a large number of half-open connection requests it consumes CPU and memory resources. Besides hosts, SYN attacks can also harm routers, firewalls and other network systems; in fact a SYN attack does not care what the target system is, as long as it offers a TCP service. As shown above, the server receives a connection request (SYN=J), adds it to the half-open queue, sends the reply packet (SYN=K, ACK=J+1) to the client and enters the SYN_RECV state. If the server receives no acknowledgment from the client, it retransmits the reply packet until the timeout expires, and only then is the entry removed from the half-open queue. Combined with IP spoofing, a SYN attack is very effective: the client forges a large number of non-existent IP addresses in a short period and continuously sends SYN packets to the server; the server replies with acknowledgment packets and waits for the client's acknowledgment, but because the source addresses do not exist, it must keep retransmitting until the timeout. These bogus SYN packets occupy the half-open queue for a long time, normal SYN requests are discarded, the target system slows down, and in severe cases the network is congested and the system is paralyzed.

Protecting against SYN attacks

The SYN attack exploits the TCP/IP three-way handshake: it sends a large number of connection-establishment packets without actually completing the connections, which eventually fills the attacked server's connection queue and makes it inaccessible to normal users.

The Linux kernel provides several SYN-related settings; list them with the command:

sysctl -a | grep syn

You will see:

net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5

tcp_max_syn_backlog is the length of the SYN queue; tcp_syncookies is a switch that enables the SYN cookie feature, which defends against some SYN attacks; tcp_synack_retries and tcp_syn_retries define the number of SYN retries.

Increasing the SYN queue length accommodates more connections waiting to be established, enabling the SYN cookie feature blocks some SYN attacks, and reducing the number of retries, which relieves pressure on server resources, also has a certain effect.

Here is how to adjust the settings above:

Increase the SYN queue length to 2048:

sysctl -w net.ipv4.tcp_max_syn_backlog=2048

Enable the SYN cookie feature:

sysctl -w net.ipv4.tcp_syncookies=1

Reduce the number of retries:

sysctl -w net.ipv4.tcp_synack_retries=3
sysctl -w net.ipv4.tcp_syn_retries=3

To keep the above configuration across system restarts, add the above commands to the /etc/rc.d/rc.local file.
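To check a host against the values recommended above before editing rc.local, the following Python script is an example added here, not code from the original article: it parses the output of `sysctl -a | grep syn` (the sample below is constructed from the values quoted in the text), reports each setting that is weaker than the recommendation (smaller backlog, SYN cookies off, more retries), and prints the corresponding `sysctl -w` commands. The recommended values are the article's; nothing else is assumed.

```python
"""Audit the SYN-related sysctl values against the article's recommendations
and emit the 'sysctl -w' commands needed.  Example code added here, not from
the original article; the sample output is constructed from the text."""

# Constructed sample of the relevant lines from 'sysctl -a | grep syn'
SAMPLE_SYSCTL = """\
net.ipv4.tcp_max_syn_backlog = 1024
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syn_retries = 5
"""

# Target values from the article: larger backlog, cookies on, fewer retries.
RECOMMENDED = {
    "net.ipv4.tcp_max_syn_backlog": 2048,
    "net.ipv4.tcp_syncookies": 1,
    "net.ipv4.tcp_synack_retries": 3,
    "net.ipv4.tcp_syn_retries": 3,
}


def parse_sysctl(text):
    """Turn 'key = value' lines into {key: int}; non-integer values are skipped."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            settings[key.strip()] = int(value.strip())
        except ValueError:
            continue
    return settings


def audit_syn_settings(text):
    """Return (key, current, recommended) for each setting weaker than the
    article's recommendation.  A backlog larger than 2048 or fewer retries
    than 3 is not flagged; a missing key is reported with current=None."""
    current = parse_sysctl(text)
    findings = []
    for key, want in RECOMMENDED.items():
        have = current.get(key)
        if have is None:
            findings.append((key, None, want))
        elif key == "net.ipv4.tcp_max_syn_backlog" and have < want:
            findings.append((key, have, want))
        elif key == "net.ipv4.tcp_syncookies" and have != want:
            findings.append((key, have, want))
        elif key.endswith("_retries") and have > want:
            findings.append((key, have, want))
    return findings


def remediation_commands(text):
    """'sysctl -w' lines, one per finding, suitable for /etc/rc.d/rc.local."""
    return [f"sysctl -w {key}={want}" for key, _, want in audit_syn_settings(text)]


if __name__ == "__main__":
    for key, have, want in audit_syn_settings(SAMPLE_SYSCTL):
        print(f"{key}: current={have} recommended={want}")
    print("\n".join(remediation_commands(SAMPLE_SYSCTL)))
```

On current kernels net.ipv4.tcp_syncookies already defaults to 1, so on a modern host the audit typically reports only the backlog and retry values; the output is meant to be reviewed, since a small retry count also affects legitimate clients on lossy links.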

5. Land attack

A Land attack targets a host by sending a large number of packets whose source address and destination address are the same, so that the target host consumes a great deal of system resources processing these packets and its network function is completely paralyzed. The method is to set both the source address and the destination address of a specially crafted SYN packet to the address of the attacked server, so that on receiving the packet the server sends a SYN-ACK reply to itself; that SYN-ACK in turn causes an ACK packet to be sent to itself, and an empty connection is created. Each such null connection is held by the server, and when the queue becomes long enough, normal connection requests are discarded and the server denies service.

6. Smurf attack

A Smurf attack is an amplified ICMP attack: the attacker, spoofing the victim's address, sends a request to a broadcast address on a network, every device on that network responds, and all of the responses are sent to the victim. This achieves a large attack at a small cost. For example, an attacker posing as the victim's IP uses ping to send an ICMP packet to the broadcast address of a Class C network, and the 254 hosts on that network each send an ICMP reply packet to the victim's IP, so the attacker's traffic is amplified 254 times.

7. UDP attack

A UDP attack launches an attack by sending UDP packets. In a UDP flood attack, the attacker sends a large number of spoofed or malformed UDP packets to the target IP so that the target cannot provide normal service, and may even exhaust its resources and crash. Because UDP is a connectionless protocol, an attacker can attack a service as long as the target has a UDP service port open.

8. ARP LAN attack

An ARP attack achieves ARP spoofing with forged IP and MAC addresses. It can generate a large amount of ARP traffic in the network and block it, and as long as the attacker keeps sending ARP reply packets it can change the IP-MAC entries in the target host's ARP cache, causing network interruption or a man-in-the-middle attack.

ARP attacks mainly occur on a LAN. If a computer on the LAN is infected with an ARP Trojan, the infected system attempts to intercept the communications of other computers on the network through ARP spoofing, causing communication failures for those computers.

When a server is compromised or infected with a virus, it often sends out ARP packets, so that other machines on the same network segment behave very abnormally. A hardware firewall generally cannot see this, and one has to go to the switch to check the ARP table; fortunately there are now ARP firewalls that can locate the source of the attack directly.

9. CC attack

The principle of a CC attack is that the attacker controls some hosts that keep sending large numbers of packets to the target server, so that the server exhausts its resources until it crashes. CC is mainly used to attack web pages. Everyone has had the experience: when a page is accessed an especially large number of times, it opens slowly. CC simulates multiple users (as many users as there are threads) constantly accessing pages that require a lot of data processing (that is, a lot of CPU time), so that server resources are wasted, the CPU stays at 100% for a long time, there are always connections waiting to be handled, and eventually the network is congested and normal access is aborted.

The CC attack is also known as an HTTP flood.

An HTTP flood attacker does not need to control a large number of zombie machines; instead, a port scanner is used to find anonymous HTTP or SOCKS proxies on the Internet, and the attacker sends HTTP requests to the target through these anonymous proxies. Anonymous proxies are a plentiful resource, and it is not hard to collect enough of them in a few days, so the attack is easy to launch and can be sustained for a long time.

On the other hand, HTTP flood attacks are launched at the HTTP layer and try to imitate the web requests of normal users. They are closely tied to the website's business, so it is difficult for security vendors to provide a general solution that does not affect the user experience; rules that work well in one place can produce many false positives when the scene changes.

HTTP flood defense relies primarily on caching: the cleaning device's cache returns results directly so that the backend service is protected as far as possible. Large Internet enterprises have large numbers of CDN nodes caching content.

When an advanced attacker penetrates the cache, the cleaning device intercepts HTTP requests for special processing. The simplest method is to count the HTTP request frequency of each source IP and blacklist IPs that exceed a certain frequency. This method is too crude, easily produces false positives, and cannot block attacks that come through proxy servers, so it was gradually abandoned in favour of a JavaScript redirect man-machine (human versus bot) recognition scheme.

An HTTP flood is generated by a program that simulates HTTP requests; it generally neither parses the data the server returns nor executes code such as JavaScript. Therefore, when the cleaning device intercepts an HTTP request it returns a special piece of JavaScript code: a normal user's browser handles the redirect without any effect on use, while the attacker's requests hit a dead end.
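The per-source-IP frequency count described above is easy to implement as a sliding window over access log lines. The following Python script is an example added here, not code from the original article: it reads constructed log lines of the form "ip timestamp request", keeps a per-IP deque of request times inside a window, and blacklists an IP once it exceeds the limit. The limit (100 requests) and window (60 seconds) are assumptions, and the script deliberately uses only the connecting IP, which is exactly why this method cannot separate many attackers sharing one proxy from one busy legitimate source.

```python
"""Per-source-IP HTTP request frequency over a sliding window, the simple
cleaning-device method the article describes.  Example code added here, not
from the original article; the log lines are constructed."""

from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines: "<client ip> <ISO timestamp> <request line>".
# 10.0.0.7 sends 120 requests within one minute; 10.0.0.9 sends two.
SAMPLE_LOG = [
    f"10.0.0.7 2024-01-01T12:00:{sec:02d} GET /search?q=x" for sec in range(60)
] * 2 + [
    "10.0.0.9 2024-01-01T12:00:05 GET /index.html",
    "10.0.0.9 2024-01-01T12:00:40 GET /about.html",
]


def parse_line(line):
    """Return (ip, unix_time) from one constructed log line."""
    ip, ts, *_ = line.split(" ", 2)
    return ip, datetime.fromisoformat(ts).timestamp()


class RateBlacklist:
    """Flags an IP once it makes more than 'limit' requests in 'window' seconds."""

    def __init__(self, limit=100, window=60.0):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)  # ip -> request times still in the window
        self.blacklist = set()

    def observe(self, ip, ts):
        """Record one request; returns True if the IP is (now) blacklisted."""
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()  # drop requests that fell out of the window
        if len(q) > self.limit:
            self.blacklist.add(ip)
        return ip in self.blacklist


def blacklist_from_log(lines, limit=100, window=60.0):
    """Replay log lines in time order and return the set of flagged IPs."""
    rb = RateBlacklist(limit, window)
    for line in sorted(lines, key=lambda l: parse_line(l)[1]):
        rb.observe(*parse_line(line))
    return rb.blacklist


if __name__ == "__main__":
    print("blacklisted:", sorted(blacklist_from_log(SAMPLE_LOG)))
```

In practice the limit has to be tuned per site, since a single office NAT or a search engine crawler can legitimately exceed a low threshold; that tuning problem is the false-positive issue the article raises, and the reason the JavaScript redirect check replaced plain counting.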

10. SQL injection

In a SQL injection attack, the attacker inserts SQL commands into a web form's input field or into the query string of a page request, tricking the server into executing malicious SQL commands. In some forms, user-entered content is used directly to construct (or influence) a dynamic SQL command, or is passed as an input parameter to a stored procedure; such forms are particularly susceptible to SQL injection attacks.

Example: login SQL statement

SELECT COUNT(*) FROM Login WHERE username='{0}' AND password='{1}'

When a normal account and password are entered (admin / 123456):

SELECT COUNT(*) FROM Login WHERE username='admin' AND password='123456'   -- normal login

If the user name admin'-- is entered with an arbitrary password:

SELECT COUNT(*) FROM Login WHERE username='admin'--' AND password='123'   -- everything after -- is ignored as a comment, so the login succeeds
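The following Python script, an example added here and not code from the original article, runs the login query above in both forms against an in-memory SQLite table (the table and its single admin row are constructed): once built by string formatting exactly as in the article, and once with bound parameters. The same admin'-- input passes the first check and is rejected by the second, because with parameters the quote and the comment marker are compared as literal characters of the user name rather than interpreted as SQL.

```python
"""The article's login query built by string formatting (injectable) beside
the same query with bound parameters.  Example code added here, not from the
original article; the SQLite table and its one row are constructed."""

import sqlite3


def make_db():
    """In-memory Login table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Login (username TEXT, password TEXT)")
    conn.execute("INSERT INTO Login VALUES ('admin', '123456')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The article's pattern: user input is pasted into the SQL text, so a
    '--' in the user name turns the password check into a comment."""
    sql = ("SELECT COUNT(*) FROM Login WHERE username='{0}' AND password='{1}'"
           .format(username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the input travels as data, so the
    quote and '--' are matched literally against the username column."""
    sql = "SELECT COUNT(*) FROM Login WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username, password):
    """Return (vulnerable_result, parameterized_result) for one input pair."""
    conn = make_db()
    try:
        return (login_vulnerable(conn, username, password),
                login_parameterized(conn, username, password))
    finally:
        conn.close()


if __name__ == "__main__":
    print("admin / 123456 :", compare("admin", "123456"))    # (True, True)
    print("admin'-- / 123 :", compare("admin'--", "123"))     # (True, False)
```

The parameterized form is the fix for the whole class of inputs, not just this one string; storing plaintext passwords, as the constructed table does to mirror the article's query, is a separate weakness that a real login table should not have.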

11. Upload file restrictions

A Trojan can be uploaded disguised as a picture. An attacker could rename the Trojan to a **.jsp file and upload it.

Some websites have a background management function that can restore or back up the database; this is used by attackers to carry out a picture-Trojan intrusion.

The picture-Trojan intrusion process is as follows: first, change the extension of the local Trojan (for example F:\labxw\xiaomm.asp) to .gif, then open the upload page and upload this Trojan (for example F:\labxw\xiaomm.gif); next, obtain the background administrator's account and password by injection, sneak into the site's admin area, and use the "back up database" feature to back up the .gif Trojan as an .asp Trojan (for example xiaomm.asp), that is, in "database path to back up (relative)" enter the path obtained when the image was uploaded, and in "target database path" enter xiaomm.asp; the system reports that the database was restored successfully. Now open IE and enter the path of the ASP file just "restored", and the Trojan runs.
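The scenario above relies on the upload handler accepting a file solely because its name ends in .gif. The following Python function is an example added here, not code from the original article: it validates an upload by requiring exactly one extension from an image allow-list, rejecting any script extension anywhere in the name (so xiaomm.asp and xiaomm.asp.gif both fail), and checking that the file content starts with the magic bytes of the claimed image type, which is the check that catches the renamed script in the article. The allow-list and the sample uploads are constructed.

```python
"""Upload validation for the picture-Trojan scenario: allow-listed image
extension, no script extension anywhere in the name, and content magic bytes
matching the claimed type.  Example code added here, not from the original
article; the allow-list and sample uploads are constructed."""

import os

# Constructed allow-list: extension -> accepted leading magic bytes.
ALLOWED = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}
# Extensions the web server would execute; never accepted in any position.
SCRIPT_EXTENSIONS = {".asp", ".aspx", ".jsp", ".php"}

# Constructed sample uploads: a minimal GIF header, and a stand-in for a
# renamed server-side script (benign text, used only for the content check).
GIF_SAMPLE = b"GIF89a\x01\x00\x01\x00" + b"\x00" * 16
ASP_SAMPLE = b'<% Response.Write("hello") %>'


def check_upload(filename, data):
    """Return (accepted, reason) for a client-supplied file name and content."""
    base = os.path.basename(filename).lower()  # drop any directory part
    parts = base.split(".")
    if len(parts) < 2:
        return False, "no extension"
    exts = ["." + p for p in parts[1:]]
    if any(e in SCRIPT_EXTENSIONS for e in exts):
        return False, "script extension not allowed"
    if len(exts) != 1:
        return False, "multiple extensions not allowed"
    ext = exts[0]
    if ext not in ALLOWED:
        return False, f"extension {ext} not in image allow-list"
    if not data.startswith(ALLOWED[ext]):
        return False, f"content does not look like {ext}"
    return True, "ok"


if __name__ == "__main__":
    for name, data in [("photo.gif", GIF_SAMPLE), ("xiaomm.gif", ASP_SAMPLE),
                       ("xiaomm.asp", ASP_SAMPLE), ("shell.asp.gif", GIF_SAMPLE)]:
        print(f"{name:16} -> {check_upload(name, data)}")
```

Two further measures close the rest of the article's path: the server should store the file under a name it generates itself (keeping only the validated extension) in a directory the web server does not execute scripts from, and the "back up database" feature must not accept an arbitrary target path, since that step is what turns the harmless-looking .gif into a runnable .asp.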
