Status analysis of Denial of service attack (DDOS)


Denial-of-service techniques have fundamentally matured, and the attack tools created at the end of the last century have gradually faded from view. However, with the growing reach of broadband access, automation, and the power of today's home computers, there is reason to revisit denial of service. This is especially true now that some trite attack methods that went dormant in the late 1990s, such as Land, which sends UDP packets with identical source and destination IP addresses and ports, are reappearing. The only advance in this direction is the introduction of parallel execution, which is a significant improvement over the single-threaded approach that ran on a 486 processor.

Another important point is that IP stacks do not appear to have been patched consistently. A computer is no longer brought down by a single packet, but processing that packet still costs CPU time, and at high packet rates this matters. Because the packet rates achievable when these bugs were patched were limited, mounting an effective attack was not a simple task. Perhaps the technology simply moved on too fast. Whatever the reason, these outdated attack methods are now resurfacing and are very effective.

Uses of denial of service

A denial-of-service attack can be launched just for "fun", as retaliation against a system administrator, or to support another attack, such as impersonating a remote service. Or, if someone is abused on a certain channel, the IRC server is often chosen as the target. In these cases the attacks stay within the Internet community itself and have little impact on organisations.

Over time the Internet has become a means of communication, and hacktivism (cyber activism) is becoming more and more prevalent. Politics, campaigns, religious issues, ecology, or any other motive can become the reason to launch an attack against a company, a political organisation, or even a country's IT infrastructure.

Many denial-of-service attacks are also related to online games. Some players, dissatisfied at being killed or losing a favourite weapon in the game, launch a denial-of-service attack, and many are now the victims of such attacks.

Today, however, the intent behind most denial-of-service attacks is simple extortion. More and more companies rely on their IT infrastructure: mail, key data, and even the telephone network are handled by it. Without these primary communication channels, most companies would struggle to survive the competition. And for some the Internet is itself the means of production: search engines and gaming web sites, for example, are completely dependent on network connectivity.

Thus, as companies come to rely directly or indirectly on the Internet, the traditional blackmail letter has gradually turned into a digital one. First an attack is launched for a short time, at a moment that does not matter much. The victim then has to pay a "protection fee".

Network protocol attacks

These attacks target the transmission channel, using the IP stack as the entry point; the key resources of the IP stack, memory and CPU, are what they exhaust.

SYN flood

SYN floods are the classic example of a denial-of-service attack, since the attack relies entirely on the TCP connection method. At the start of the three-way handshake, the server fills in the TCB (Transmission Control Block) table, which keeps session information in memory. When the server receives an initial SYN packet from the client, it sends a SYN-ACK packet back to the client and creates an entry in the TCB. The connection remains in the TIME_WAIT state while the server waits for the final ACK packet from the client. If that ACK packet is not received, another SYN-ACK is sent to the client. Finally, if the client does not acknowledge any of the SYN-ACK packets after repeated retries, the session is closed and its entry is removed from the TCB. The time from the transmission of the first SYN-ACK to the closure of the session is generally around 30 seconds.

During this time, hundreds of thousands of SYN packets can be sent to an open port, and the server's SYN-ACK packets will never be acknowledged. The TCB soon overflows, and the stack can no longer accept new connections and may drop existing ones. Since the attacker does not need to receive the SYN-ACK packets from the server, the source address of the initial SYN packet can be spoofed. This makes tracing the actual origin of the attack much harder. In addition, because the SYN-ACK packets are not sent back to the attacker, the attacker's bandwidth is conserved.

Generating this attack is very simple; a single command line is enough.

#hping3 --rand-source -s -l 0 -p

There are also a few variants, which typically add anomalies to the SYN packet in order to increase CPU usage. These can be legal anomalies, such as an unusual sequence number or a source port of 0.

SYN-ACK floods

The effect of a SYN-ACK flood is to exhaust CPU resources. In theory, this packet is the second step of the TCP three-way handshake and should have a corresponding entry in the TCB. Looking up the TCB costs CPU time, and the larger the TCB, the more CPU it costs. Therefore, under heavier load, this resource use affects system performance.

This is the weapon of the SYN-ACK attack. Sending a huge number of SYN-ACK packets to the system obviously increases its CPU utilisation. Thus the hashing algorithm used to index the TCB, and the choice of hash table size, can affect the power of the attack (see "Concepts and logical weaknesses"). And since these SYN-ACK packets do not belong to any existing connection, the target machine has to send an RST packet back to the source machine, which further increases bandwidth use on the link. As with SYN floods, the attacker can of course spoof the source IP address to avoid receiving the RSTs, which improves the attacker's available bandwidth.

Only a brief command is needed to carry out such an attack.

An important factor is the ability of third-party servers to generate SYN-ACK packets through a reflection mechanism. When a SYN packet is sent to an open port on a server, the server sends a SYN-ACK packet back to the source machine. Any server can therefore be used as a relay for this type of attack: a SYN packet is sent to the server with a spoofed source set to the target, and the SYN-ACK it generates goes to the target. This technique makes tracing harder. Also, in some cases, anti-spoofing mechanisms can be bypassed: especially when the target and the attacker sit on the same backbone and the uRPF filtering (see "anti-spoofing") is deployed far from both the target machine and the attacker, the anti-spoofing mechanism can be evaded.

Combined with a SYN flood, the intensity of such an attack can be increased further. The SYN flood creates entries in the TCB, so the TCB grows larger and larger. As the time needed to look up the TCB grows, the effect of the SYN-ACK flood is greatly increased.
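The two TCP indicators described above, half-open entries left by unacknowledged SYNs and SYN-ACKs that no outbound SYN ever asked for, can be checked by replaying traffic through a minimal TCB-like table. The following is an added example, not code from the original article; the victim address, the packet records and the 30-second timeout are constructed for illustration (the timeout is the figure the text gives).

```python
VICTIM = "10.0.0.5"          # assumed address of the server being monitored
HALF_OPEN_TIMEOUT = 30.0     # the ~30 s the text gives before a TCB entry is dropped

# Constructed packet records, not captured traffic:
# (time_s, src, sport, dst, dport, tcp_flags)
PACKETS = (
    [(0.0, "192.0.2.1", 40000, VICTIM, 80, {"SYN"}),             # one legitimate
     (0.1, VICTIM, 80, "192.0.2.1", 40000, {"SYN", "ACK"}),      # three-way
     (0.2, "192.0.2.1", 40000, VICTIM, 80, {"ACK"})]             # handshake
    + [(1.0 + i / 1000, "198.51.100.%d" % (i % 250 + 1), 1024 + i, VICTIM, 80, {"SYN"})
       for i in range(500)]                                      # spoofed SYN burst
    + [(2.0 + i / 1000, "203.0.113.%d" % (i % 200 + 1), 80, VICTIM, 5000 + i, {"SYN", "ACK"})
       for i in range(300)]                                      # reflected SYN-ACKs
)

def analyse(packets, victim=VICTIM, now=None):
    """Replay packets through a minimal TCB-like table and return two indicators:
    half_open          SYNs to the victim never completed by the client's ACK (SYN flood)
    unsolicited_synack SYN-ACKs to the victim with no outbound SYN behind them (reflection)
    """
    now = packets[-1][0] if now is None else now
    tcb = {}              # (client, cport, server_port) -> time the SYN arrived
    outbound_syn = set()  # (victim_port, peer, peer_port) for connections the victim opened
    unsolicited = 0
    for t, src, sport, dst, dport, flags in packets:
        if dst == victim and flags == {"SYN"}:
            tcb[(src, sport, dport)] = t                  # SYN-ACK sent, entry created
        elif dst == victim and flags == {"ACK"}:
            tcb.pop((src, sport, dport), None)            # handshake completed
        elif src == victim and flags == {"SYN"}:
            outbound_syn.add((sport, dst, dport))
        elif dst == victim and flags == {"SYN", "ACK"}:
            if (dport, src, sport) not in outbound_syn:
                unsolicited += 1                          # victim never asked: reflected
    # entries still younger than the timeout are the ones occupying the TCB right now
    half_open = [k for k, t0 in tcb.items() if now - t0 < HALF_OPEN_TIMEOUT]
    return {
        "half_open": len(half_open),
        "half_open_sources": len({k[0] for k in half_open}),
        "unsolicited_synack": unsolicited,
    }

if __name__ == "__main__":
    print(analyse(PACKETS))  # {'half_open': 500, 'half_open_sources': 250, 'unsolicited_synack': 300}
```

A high half_open count spread over many distinct sources is the signature of a spoofed SYN flood, while a non-zero unsolicited_synack count means some third-party server is being used as a reflector against this host.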

UDP floods

UDP is naturally a medium for denial of service. As specified, a server that receives a UDP packet on a closed port sends an ICMP Port Unreachable packet back to the source machine. The ICMP packet's data is populated with at least the first 64 bytes of the original UDP packet. Because the specification sets no limit, a huge number of packets can be sent to a closed port. The work needed to generate the ICMP errors for this flood of packets costs a lot of CPU, and in the end the CPU resources are exhausted.

Again, this attack can be generated from the command line. Also, with a spoofed source the ICMP packets do not consume the attacker's bandwidth.
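Because the specification itself sets no limit on ICMP error generation, the usual defence is for the host to rate-limit the errors it builds (Linux exposes this as net.ipv4.icmp_ratelimit and net.ipv4.icmp_ratemask). The token-bucket model below is an added example, not code from the original article or from any kernel; the arrival timestamps and the rate and burst values are constructed for illustration.

```python
def icmp_unreachable_replies(arrivals, rate_per_sec=None, burst=None):
    """Number of ICMP Port Unreachable messages a host emits for UDP packets
    arriving (timestamps in seconds, ascending) at a closed port.
    With rate_per_sec/burst set, replies pass through a token bucket; otherwise
    every packet is answered, as the specification alone would require."""
    if rate_per_sec is None:
        return len(arrivals)
    tokens = float(burst)
    last = arrivals[0] if arrivals else 0.0
    sent = 0
    for t in arrivals:
        tokens = min(float(burst), tokens + (t - last) * rate_per_sec)  # refill
        last = t
        if tokens >= 1.0:          # a token is available: answer this packet
            tokens -= 1.0
            sent += 1
        # otherwise the UDP packet is dropped silently: no ICMP built, no CPU spent
    return sent

# Constructed input, not a capture: a 1-second flood of 10,000 UDP packets to a closed port
FLOOD = [i / 10000.0 for i in range(10000)]
# and five packets from a legitimate client, one per second
NORMAL = [0.0, 1.0, 2.0, 3.0, 4.0]

if __name__ == "__main__":
    print(icmp_unreachable_replies(FLOOD))               # 10000 without a limit
    print(icmp_unreachable_replies(FLOOD, 100, 50))      # bounded by burst + rate * duration
    print(icmp_unreachable_replies(NORMAL, 100, 50))     # 5: legitimate traffic unaffected
```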

Anomalies

Anomalies are special cases that cause the IP stack to behave incorrectly, with various results such as crashes, freezes, and so on. Anomalies can be divided into two main categories: illegal data and behavioural anomalies.

Illegal data is a value or content that the specification does not consider or explicitly forbids. Packets longer than the specified length, a stack of TCP flags, a SYN packet with a non-zero acknowledgement number, or even an invalid option type all count as anomaly attacks based on illegal data.

Behavioural anomalies are based on conditions that stacks do not normally handle (even if they are completely legal from the specification's point of view). The famous "Ping of Death" is a massive (but still legal) ICMP Echo Request packet. A packet with the same source address, destination address and port is still legal, but harmful to the IP protocol stack. The old Land attack has been revived as "imland" and is damaging IP stacks again. A single packet can knock down a system, so only a small number of anomaly attacks are needed. Most stacks have now been patched in order, and most anomalies are now tested for and handled. However, processing such a packet still costs a lot of CPU. When these anomaly attacks were published and patched, 5 years ago, attack capacity was constrained by CPU and bandwidth, and the processing cost of handling an anomaly was not considered important. Today the distance between workstations and servers is shrinking, and anyone can use broadband. This makes it possible to launch a massive load of anomalies that exhausts the CPU resources of the target machine.

Again, it can be done from a single command line.

#hping3 --rand-source -safru -l 0 -m 0 -p --flood

Again, the source can be spoofed to make the attack more effective.
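The two anomaly classes above can be turned into explicit checks that a filter or IDS rule applies before a packet reaches the stack: illegal data (over-long datagram, undefined or contradictory flag bits, SYN with a non-zero acknowledgement number, port 0) and behavioural anomalies (Land, where source and destination address and port coincide). This is an added example, not code from the original article; the packet dictionaries are constructed samples, and the field names are assumptions of this example.

```python
MAX_IP_LEN = 65535
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def classify_anomalies(pkt):
    """Return the list of reasons `pkt` is anomalous; an empty list means it passed.
    pkt is a dict: proto, src, dst, sport, dport, total_len (reassembled IP length),
    and for TCP: flags (set of names) and ack_num."""
    reasons = []
    # illegal data: values the specification forbids or never defines
    if pkt["total_len"] > MAX_IP_LEN:
        reasons.append("datagram longer than 65535 bytes")     # Ping of Death once reassembled
    if pkt["proto"] == "tcp":
        flags = pkt["flags"]
        if not flags <= TCP_FLAGS:
            reasons.append("undefined TCP flag bits set")
        if "SYN" in flags and flags & {"FIN", "RST"}:
            reasons.append("contradictory TCP flag combination")
        if flags == {"SYN"} and pkt.get("ack_num", 0) != 0:
            reasons.append("initial SYN with non-zero acknowledgement number")
        if pkt["sport"] == 0 or pkt["dport"] == 0:
            reasons.append("port 0")
    # behaviour anomalies: legal per the RFCs, but stacks were not written for them
    if pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]:
        reasons.append("land: source and destination address/port identical")
    return reasons

# Constructed sample packets, not captured traffic
NORMAL_SYN = dict(proto="tcp", src="192.0.2.10", dst="10.0.0.5", sport=40000, dport=80,
                  total_len=60, flags={"SYN"}, ack_num=0)
FLAG_STACK = dict(NORMAL_SYN, flags={"SYN", "ACK", "FIN", "RST", "URG"})  # stacked flags
LAND = dict(NORMAL_SYN, src="10.0.0.5", sport=80)
PING_OF_DEATH = dict(proto="icmp", src="192.0.2.10", dst="10.0.0.5", sport=0, dport=0,
                     total_len=65540)

if __name__ == "__main__":
    for name, p in [("normal", NORMAL_SYN), ("flag stack", FLAG_STACK),
                    ("land", LAND), ("ping of death", PING_OF_DEATH)]:
        print(name, classify_anomalies(p))
```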

This article comes from http://www.mgddos.com (DDoS attack software)
