Surfing DDoS (denial of service) attack trends and defenses _ Web surfing

Interruption of services (denial of service)

Before discussing DDoS we need to know about DOS, DOS refers to hackers trying to prevent normal users to use the services on the network, such as cutting the building's telephone lines caused users can not talk. and to the network, because of bandwidth, network equipment and server host processing capacity has its limitations, so when the hacker generated excessive network packet so that the device can not be processed, so that normal users can not normally use the service. For example, hackers try to use a large number of packets to attack the general bandwidth of a relatively small number of dial-up or ADSL users, the victim will find that he is not connected to the site or the response is very slow.

DoS attacks are not an intrusion into the host nor can steal information on the machine, but the same will cause damage to the target, if the target is an E-commerce site will cause customers can not go to the site shopping.

Ii. Distributed blocking services (distributed denial of service)

DDoS is a special case of DoS, hackers use multiple machines to attack at the same time to prevent normal users to use the service. After hackers have invaded a large number of hosts beforehand, to install DDoS attack on the victim host to attack the target; some DDoS tools use a multi-level architecture, and can even control up to thousands of computers at a time to attack, using such a way to effectively generate huge network traffic to paralyse the attack target. As early as 2000, DDoS attacks against well-known websites such as Yahoo, EBay, Buy.com and CNN prevented legitimate network traffic for several hours.

The classification of DDoS attack program can be classified according to several ways, and the degree of automation can be divided into manual, semi-automatic and automatic attack. Early DDoS attacks are mostly manual attacks, hackers manually search for invasive computer intrusion and implantation of the attack program, and then instructions to attack the target; The semi-automatic attack program mostly has the agent program of the handler control attack, the hacker spreads the automatic intrusion tool to embed the agent program, Then use handler to control all agents DDoS attacks on the target; automatic attack further automates the entire attack program, the target, time and manner of the attack written in advance in the attack program, the hacker spread the attack program will automatically scan the intruder host implanted agent And to launch an attack on a specified target at a predetermined time, such as the recent W32/blaster net worm.

The classification of attack vulnerability can be divided into two types of protocol attack and violent attack. A protocol attack is the use of a network protocol design weaknesses or the implementation of the bug consumes a lot of resources, for example, a TCP SYN attack, an attack on a certified server, and so on; a brute force attack is a resource for hackers to use a large number of normal online consumption targets, as hackers prepare multiple hosts to launch DDoS attacks. As long as the attacker emits more network traffic than the target can handle, it can consume the processing power of the target and make the normal users unable to use the service.

The attack frequency can be divided into two kinds of continuous attack and frequency attack. The constant attack is when the attack command is released, attacking the host to the full continuous attack, so it will instantly generate a large number of traffic blocking the target service, it is also very easy to detect; the frequency of change attacks are more cautious, attacks may increase from slow speed or high or low frequency changes, use such a way to delay the attack detection time.

Iii. Survival from DDoS attacks

So how do you manage to survive and continue to provide normal services when you are under a DDoS attack? As you can see from previous presentations, it's hard to resist attacks if the hacker attacks are much larger than your network bandwidth, device, or host can handle, but there are still ways to mitigate the impact of the attack.

The first is to investigate the source of the attack, as the hacker attacks through the intrusion machine so you may not be able to find out where the hacker launched the attack, we have to step back from the attack target, first investigate the attack is from the jurisdiction of the network of which border routers, the previous step is the outside of the router, contact these routers managers ( Maybe an ISP or a telecoms company, and ask them to help block or identify the source of the attack, and what can be done before they deal with it?

If the target of the attack is only a single IP, then trying to change the IP and changing its DNS mapping may be able to avoid the attack, which is the fastest and most effective way; but the purpose of the attack is to make the normal user unable to use the service, although the way to change the IP is to avoid attack In another way, the hacker has achieved his goal. In addition, if the attack is relatively simple, can be generated by the flow to find its rules, then the use of the router's ACLs (Access control Lists) or firewall rules may be blocked, if you can find traffic are from the same source or core routers, It can be considered for the time being to block the flow over there, of course, it is possible that normal and abnormal traffic will be blocked, but at least other sources can get normal service, which is sometimes the last resort. If you do, you may consider increasing the machine or bandwidth as a buffer for attack, but this is only a palliative and not a cure. The most important thing is to immediately start the investigation and coordinate with the relevant units to resolve.

Iv. prevention of DDoS attacks

DDoS must be resolved through the collaboration of various groups and users on the network to develop stricter network standards. Each network device or host needs to update its system vulnerabilities, turn off unwanted services, install the necessary anti-virus and firewall software, keep an eye on system security, and avoid hacking and automated DDoS programs from being implanted into an attack program to prevent hackers from becoming an accomplice.

Some DDoS will disguise the source of the attack, fake the source IP of the packet, make it difficult to trace, this part can be set by the router's filtering function to prevent, as long as the network domain packet source is outside its domain IP, it should be directly discarded this packet should not be sent out, if the network management devices are supporting this function, Network administrators are able to properly set the filter off the fake packets, but also can substantially reduce the investigation and tracking time.

It is important to keep in touch with each other so that early warning and DDoS attacks can be effective, and some ISPs will place sensors on some network nodes to detect sudden huge traffic to warn and isolate the affected areas of the DDoS in advance, reducing customer victimization.