SYN foold, IP spoofing dos, UDP floods, ping torrent, teardrop, land, Smurf, Fraggle attack principle

A denial of service attack is an attacker trying to get the target machine to stop providing service or resource access. These resources include disk space, memory, processes, and even network bandwidth, preventing access for normal users. In fact, the consumption of network bandwidth is only a small part of the denial of service attacks, as long as the target can cause trouble, so that some services are suspended or even host panic, are a denial of service attacks. The denial of service attack problem has not been properly resolved because it is due to the security flaws of the network protocol itself, thus the denial of service attack has become the ultimate tactic of attackers.

A denial of service attack by an attacker actually gives the server two effects: one is to force the server to fill the buffer, not to receive new requests, and the other is to use IP spoofing to force the server to reset the connection of legitimate users and to affect the connection of legitimate users.

Let's take a look at some of the common principles of denial of service attacks:

1. SYN Foold

SYN Flood is one of the most popular DOS (Denial-of-service attacks) and DDoS (distributed denial of service distributed Denial-of-service attacks) in a way that exploits TCP protocol flaws, sending a large number of spoofed TCP connection requests, The mode of attack that causes the exploited resource to run out of resources (CPU full load or low memory).

The process of SYN flood attack is called three handshake (Three-way handshake) in the TCP protocol, while the SYN flood denial of service attack is achieved by shaking hands three times.

(1) The attacker sends a TCP message containing a SYN flag to the attacked server, and SYN (SYNCHRONIZE) is the synchronous message. The synchronization message indicates the port used by the client and the initial ordinal number of the TCP connection. The first handshake was established with the attacked server.

(2) The victim server will return a syn+ack message after receiving the attacker's SYN message, indicating that the attacker's request is accepted, and that the TCP serial number is added, and the ACK (acknowledgement) is confirmed, thus creating a second handshake with the server being attacked.

(3) The attacker also returns a confirmation message ACK to the victim server, and the same TCP serial number is added to this TCP connection to complete, three handshake complete.

The specific principle is: TCP connection of three handshake, assuming that a user sent a SYN message to the server suddenly panic or drop line, then the server in the issue of syn+ack response message is unable to receive the client's ACK message (the third handshake can not be completed), in this case the server side will generally try again ( Send Syn+ack to the client again) and wait for a while before discarding the unfinished connection. The length of this time is known as the Syn Timeout, which is generally the order of magnitude of minutes (approximately 30 seconds ~2 minutes); A user exception that causes a server to wait 1 minutes for a thread is not a big problem, but if a malicious attacker has a large number of simulations of this situation ( spoofed IP address), the server side will consume a lot of resources to maintain a very large list of semi connections. Even a simple save and traverse will consume a lot of CPU time and memory, not to mention the constant syn+ack of the IP in this list. In fact, if the server's TCP/IP stack is not strong enough, the end result is often a stack overflow crash--even if the server-side system is strong enough, the server side will be too busy processing the attacker's spoofed TCP connection request to ignore the client's normal request (after all, the client's normal request ratio is very small) From a regular customer's point of view, the server loses its response, which is called a syn-flood attack (SYN flood attack) on the server side.

2. IP Spoofing Dos attack

This attack uses the RST bit to achieve. Suppose a legitimate user (61.61.61.61) has established a normal connection with the server, the attacker constructs the TCP data for the attack, disguises its own IP of 61.61.61.61, and sends a TCP data segment with the RST bit to the server. When the server receives such data, it thinks that the connection sent from 61.61.61.61 has an error, and it empties the established connection in the buffer. At this point, if the legitimate user 61.61.61.61 again to send legitimate data, the server has no such connection, the user must start to establish a new connection. Attack, the attacker will forge a large number of IP address, to send the RST data to the target, so that the server does not serve legitimate users, thereby achieving the victim server denial of service attacks.

3. UDP flood attack

Attackers use simple TCP/IP services, such as Chargen and Echo, to transmit useless data that is full of bandwidth. By forging a UDP connection to a host's Chargen service, the reply address points to a host with the Echo service, which generates a lot of unwanted data flow between the two hosts, which leads to a bandwidth-driven service attack.

4. Ping torrent attack

Because at an early stage, routers have restrictions on the maximum size of the package. The implementation of TCP/IP stacks by many operating systems is defined as 64KB on the ICMP packet, and after the header of the packet is read, a buffer is generated for the payload based on the information contained in the header head. When the malformed, claiming that their size exceeds the ICMP limit of the package is loaded more than 64K maximum size, there will be memory allocation errors, resulting in a TCP/IP stack crash, causing the receiver to panic.

5. Tear drops (teardrop) attack

A teardrop attack is an attack that exploits the information contained in the header of a package in the TCP/IP stack that implements the packet in a trust fragment. An IP fragment contains information that indicates which section of the original package The fragment contains, and some TCP/IP (including ServicePack 4 NT) crashes when a forged fragment with overlapping offsets is received.

6. Land attack

Land attack principle is: with a specially crafted SYN package, its original address and destination address are set to a certain server address. This will result in the receiving server sending a syn-ack message to its own address, which sends back an ACK message and creates an empty connection. The attacked server will retain each such connection until it times out, and the response to the land attack is different, and many UNIX implementations will crash and NT become extremely slow (about 5 minutes).

7. Smurf attack

A simple Smurf attack principle is to drown the victim host by using an ICMP answer request (ping) packet that sets the reply address to the broadcast address of the victim network. Ultimately, all hosts in the network respond to this ICMP reply request, causing the network to block. It is 1 or 2 orders of magnitude higher than the flow of ping of death floods. A more complex Smurf will change the source address to a third party victim and eventually cause a third party to crash.

8.Fraggle attack

Principle: The Fraggle attack is actually a simple modification of the Smurf attack, using a UDP reply message rather than ICMP.

Turn from: http://blog.csdn.net/zhangnn5/article/details/6525442