The principle and prevention of distributed denial of service attack (DDoS)

Source: Internet
Author: User
Tags ack

DDoS attack concept

There are many types of Dos attacks, the most basic Dos attack is to use reasonable service requests to consume excessive service resources, so that legitimate users can not get the response of the service.

DDoS attack is a kind of attack method based on traditional Dos attack. A single Dos attack is usually one-to-many, when the target CPU speed is low, the memory is small or the network bandwidth is small, and so on the performance index is not high its effect is obvious. With the development of computer and network technology, the computer's processing power is growing rapidly, memory is greatly increased, and there are gigabit-level networks, which makes the Dos attack more difficult-the target has enhanced the "digestion ability" of the malicious attack package, for example, your attack software can send 3,000 attack packets per second. , but my host and network bandwidth can handle 10,000 attack packets per second, so the attack will not have any effect.

At this time, distributed denial of service (DDoS) attacks have emerged. If you understand a Dos attack, the principle is simple. If the computer and network processing power increased 10 times times, with a strike attack can no longer play a role, the attackers use 10 attack attacks at the same time? With 100 units? DDoS is the use of more puppet machines to launch attacks, in order to attack victims on a larger scale than before.

The high-speed, widely connected network has brought convenience to everyone, and has created extremely favourable conditions for DDoS attacks. In the low-speed network era, hackers occupy the attack with the puppet machine, will always give priority to the distance from the target network near the machine, because the number of hops through the router, the effect is good. And now the backbone of the telecommunications between the link between the G-level, larger cities can reach a 2.5G connection, which makes the attack can be launched from a farther place or other cities, the attacker's puppet machine location can be distributed in a larger range, the choice is more flexible.

What happens when you are attacked by a DDoS
    • There is a large waiting TCP connection on the attacked host
    • The network is flooded with a lot of useless packets, the source address is false
    • Manufacturing high-traffic useless data, causing network congestion, so that the host can not properly communicate with the outside world
    • Using the service provided by the victim host or the defect on the transmission protocol, and making the specific service request repeatedly and at high speed, so that the victim host cannot handle all normal requests in time
    • System crashes when critical

How attacks work

First, a more sophisticated DDoS attack system is divided into four of the most important parts of the 2nd and 3rd: They are used to control and actually launch attacks. Please note that the difference between the controller and the attack aircraft, for the victims of Part 4, the actual DDoS attack packet is issued from the 3rd part of the attack on the puppet machine, the 2nd part of the control machine only issued commands and not participate in the actual attack. For parts 2nd and 3rd computers, hackers have control or partial control and upload the appropriate DDoS programs to these platforms, which run as normal programs and wait for instructions from hackers, often using a variety of means to hide themselves from being discovered by others. In peacetime, these puppet machines are not unusual, but once the hackers connected to their control, and issued instructions, the attack on the puppet machine will become the perpetrators to attack.

Some friends may ask, "Why do hackers not directly control the attack on the puppet machine, but to turn from the control of the puppet machine?" ”。 This is one of the reasons why DDoS attacks are difficult to track down. As an attacker's point of view, certainly do not want to be caught (when I was a child to the other family's chicken coop when throwing stones, but also know in the first time to escape, hehe), and the more the attackers use the puppet machine, he actually provides the victim with more analysis basis. After capturing a machine, a high-level attacker would do two things first: 1. Think about how to keep the back door (I'll come back later)! 2. How to clean up the log. This is to erase the footprints, do not let oneself do things by others to find out. Less dedicated hackers will be no matter 3,721 log all deleted, but so that the network administrator found that the log will know someone did bad things, at most can not be found from the log who did it. On the contrary, the real players will pick out their own log items deleted, so that people can not see the abnormal situation. This makes it possible to use the puppet machine for a long time.

But cleaning up the logs on the 3rd attack puppet machine is a huge project, and even with the help of a good log cleanup tool, hackers have a headache with this task. This led to some of the attack aircraft is not very clean, through its clues to find the control of its upper-level computer, the superior computer if it is a hacker's own machine, then he will be pulled out. But if this is the control of the puppet machine, the hacker itself is still safe. Control of the number of puppet machine is relatively small, generally one can control dozens of attack aircraft, clean up a computer log for the hacker is much easier, so the possibility of finding a hacker from the control machine is also greatly reduced.

How does a hacker organize a DDoS attack?

The word "organization" is used here because DDoS is not as simple as invading a host. In general, hackers take a DDoS attack by following these steps:

1. Collection of information about the objectives
The following are information that hackers are very concerned about:

    • Number of target hosts attacked, address condition
    • Configuration, performance of the target host
    • Bandwidth of the target

For DDoS attackers, attacking a site on the internet, such as, has a focus on determining how many hosts are supporting the site, and a large site may have many hosts that use load balancing technology to provide WWW services on the same site. In the case of Yahoo, the following addresses are generally provided for services:


If a DDoS attack is to be carried out, which address should be attacked? this machine paralyzed, but other hosts can also provide the WWW service, so want to let others access to words, all these IP address of the machine is paralyzed. In real-world applications, an IP address often represents many machines: the site maintainer uses a four-layer or seven-layer switch to load balance, assigning access to an IP address to each of its subordinate hosts with a specific algorithm. The situation is more complex for DDoS attackers, and the task he faces may be to make the services of dozens of hosts unhealthy.

So it is important for DDoS attackers to gather information beforehand, which is related to how many dummy machines are used to achieve the effect. Simply consider that, under the same conditions, 2 hosts attacking the same site require 2 dummy machines, and attacking 5 hosts may require more than 5 dummy machines. Some people say that the more you do the puppet machine, the better, no matter how many hosts I use as much as possible to attack the puppet machine, anyway, the puppet machine more than the time effect better.

2. Seize the puppet machine
Hackers are most interested in hosts with the following conditions:

    • A host with a good link status
    • Host with good performance
    • Host with poor level of security management

This part actually uses another big class of attack means: exploit the form attack. This is a parallel attack with DDoS. To put it simply, it is capturing and controlling the host being attacked. Get the highest administrative privileges, or at least one account that has the authority to complete a DDoS attack task. For a DDoS attacker, it is a necessary condition to have a certain number of dummy machines, and here's how he attacks and seizes them.

First of all, the work of hackers is generally scanning, randomly or targeted use of scanners to discover the internet on those vulnerable machines, such as program Overflow vulnerability, CGI, Unicode, FTP, database vulnerabilities ... (Almost endless AH), are the scan results that hackers want to see. Then is the attempt to invade, the specific means is not here to say more, interested in the words on the internet there are many articles about these content.

In short, hackers now occupy a puppet machine! And then what does he do? In addition to the basic work of leaving the back door wiping footprints, he would upload a DDoS attack program to the past, usually using FTP. On the attack aircraft, there will be a DDoS program, which is used by hackers to send malicious attack packets to the victim target.

3. Actual attacks
After careful preparation of the first 2 stages, the hacker began to aim for the launch. Before the preparation is done well, the actual attack process is rather simple. As shown in the illustration, the hacker logs into the puppet machine as the console, issuing commands to all the attackers: "Prepare ~, Aim ~, Fire!". In this case, the DDoS attack program in the attacker responds to commands from the console, sending a large number of packets to the victim host at high speed, causing it to panic or not responding to a normal request. Hackers generally attack at a rate far beyond the processing power of the victim, and they do not "Lianxiangxiyu".

An old attacker can also use various means to monitor the effect of an attack and make some adjustments when needed. Simple is to open a window to constantly ping the target host, when you can receive a response to increase some traffic or command more puppet machine to join the attack.

DDoS attack instance –syn flood attack

Syn-flood is one of the most popular DDoS attacks, and the previous DOS approach has gone through the waves while developing to the distributed phase. Syn-flood attack effect is the best, it should be the majority of hackers choose it is the reason it. So let's take a look at the details of Syn-flood.

Syn Flood principle – three-time handshake
Syn flood exploits the inherent vulnerability of the TCP/IP protocol. The connection-oriented TCP three-time handshake is the basis for the existence of the SYN flood.

Three-time handshake for TCP connections

Figure two TCP three-time handshake

Second, in the first step, the client presents a connection request to the server. This is where the TCP SYN flag is placed. The client tells the server that the serial number area is legal and needs to be checked. The client inserts its own isn in the serial number area of the TCP header. After the server receives the TCP segment, in the second step with its own isn response (The SYN flag is set), the first TCP segment (ACK flag set) that receives the client is acknowledged. In the third step, the client confirms receipt of the service side's isn (ACK flag set). This is the time to establish a full TCP connection and start the data transfer process in full duplex mode.

Syn flood attackers will not complete three handshake

Figure three Syn flood maliciously do not complete the three-time handshake

Assuming a user sends a SYN message to the server and suddenly freezes or falls off, the server will not be able to receive an ACK message from the client after sending the Syn+ack response message (The third handshake cannot be completed), in which case the server typically retries (sending syn+ again ACK to the client) and wait for a period of time to discard the unfinished connection, the length of the time we call the Syn Timeout, in general this time is the order of minutes (about 30 seconds-2 minutes); A user exception causes a server thread to wait 1 minutes is not a big problem , but if there is a large number of malicious attackers simulating this situation, the server will consume a lot of resources to maintain a very large semi-connected list-tens of thousands of semi-connections, even simple save and traverse will consume very much CPU time and memory, not to mention the IP in this list is constantly syn +ack the retry. In fact, if the server's TCP/IP stack is not strong enough, the end result is a stack overflow crash--even if the server-side system is strong enough, the server side will be busy processing the client's bogus TCP connection request to the customer's normal request (after all, the client's normal request rate is very small), At this point, from a normal customer's point of view, the server loses its response, which we call: The server side received a SYN flood attack (SYN flood attack).

Here is the actual process of a SYN flood attack I simulated in the lab

This LAN environment, with only one attack aircraft (Piii667/128/mandrake), was attacked by a Solaris 8.0 (spark) host and the network device was a Cisco Gigabit switch. This is a Snoop record on Solaris before the attack is done, and Snoop is a good tool for network capture and analysis as well as network monitoring tools such as tcpdump. Before you can see the attack, the target host is basically receiving some common network packets.

123456789101112131415161718192021 ……           ? -> (broadcast)  ETHER Type=886F (Unknown), size = 1510 bytes           ? -> (broadcast)  ETHER Type=886F (Unknown), size = 1510 bytes           ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size = 52 bytes           ? -> (broadcast)  ETHER Type=886F (Unknown), size = 1510 bytes192.168.0.66 -> NBT Datagram Service Type=17 Source=GU[0] -> NBT Datagram Service Type=17 Source=ROOTDC[20] -> NBT Datagram Service Type=17 Source=TSC[0]           ? -> (broadcast)  ETHER Type=886F (Unknown), size = 1510 bytes192.168.0.200 -> (broadcast)  ARP C Who is, ?           ? -> (broadcast)  ETHER Type=886F (Unknown), size = 1510 bytes           ? -> (broadcast)  ETHER Type=886F (Unknown), size = 1510 bytes192.168.0.66 -> NBT Datagram Service Type=17 Source=GU[0] -> NBT Datagram Service Type=17 Source=GU[0] -> NBT Datagram Service Type=17 Source=ROOTDC[20]           ? -> (multicast)  ETHER Type=0000 (LLC/802.3), size = 52 bytes           ? -> (broadcast)  ETHER Type=886F (Unknown), size = 1510 bytes           ? -> (broadcast)  ETHER Type=886F (Unknown), size = 1510 bytes……

Then the attack started, and the DDoS started ... suddenly, the Snoop window on the Sun host began to flip through the screen quickly, showing a huge number of SYN requests. The screen is like a window on a 300-kilometer-per-hour train. This is the result of the Snoop output when the SYN flood attack:

1234567891011121314151617181920 …… -> AUTH C port=1352 -> TCP D=114 S=1352 Syn Seq=674711609 Len=0 Win=65535 -> TCP D=115 S=1352 Syn Seq=674711609 Len=0 Win=65535 -> UUCP-PATH C port=1352 -> TCP D=118 S=1352 Syn Seq=674711609 Len=0 Win=65535 -> NNTP C port=1352 -> TCP D=121 S=1352 Syn Seq=674711609 Len=0 Win=65535 -> TCP D=122 S=1352 Syn Seq=674711609 Len=0 Win=65535 -> TCP D=124 S=1352 Syn Seq=674711609 Len=0 Win=65535 -> TCP D=125 S=1352 Syn Seq=674711609 Len=0 Win=65535 -> TCP D=126 S=1352 Syn Seq=674711609 Len=0 Win=65535 -> TCP D=128 S=1352 Syn Seq=674711609 Len=0 Win=65535 -> TCP D=130 S=1352 Syn Seq=674711609 Len=0 Win=65535 -> TCP D=131 S=1352 Syn Seq=674711609 Len=0 Win=65535 -> TCP D=133 S=1352 Syn Seq=674711609 Len=0 Win=65535 -> TCP D=135 S=1352 Syn Seq=674711609 Len=0 Win=65535……

This time the content is completely different, and no longer receive those normal network packets, only DDoS packets. Note that all of the SYN flood attack packets here are spoofed, causing great difficulty in the tracing process. How many syn-half connections have been accumulated on the attacked host? Let's take a look at Netstat:

1 # netstat -an | grep SYN
12345678910111213 ……          0      0 24656      0 SYN_RCVD192.          0      0 24656      0 SYN_RCVD192.          0      0 24656      0 SYN_RCVD192.          0      0 24656      0 SYN_RCVD192.          0      0 24656      0 SYN_RCVD192.          0      0 24656      0 SYN_RCVD192.          0      0 24656      0 SYN_RCVD192.          0      0 24656      0 SYN_RCVD192.          0      0 24656      0 SYN_RCVD……


The SYN_RCVD represents the currently incomplete TCP SYN queue, which counts:

1234567 # netstat -an | grep SYN | wc -l5273# netstat -an | grep SYN | wc -l5154# netstat -an | grep SYN | wc -l5267…..


A total of more than 5,000 SYN semi-connections are stored in memory. At this time the attack aircraft has not been able to respond to the new service request, the system is running very slow, and can not ping through.

This is only about 70 seconds after the attack was initiated.

The protection against DDoS

So far, the defense of DDoS attacks has been difficult. First, this attack is characterized by its exploitation of the TCP/IP protocol vulnerability, which can be completely protected against DDoS attacks unless you do not use TCP/IP. A senior security expert gave an image of the metaphor: DDoS as if there are 1,000 of people at the same time to call your home, when your friends can still play in it?

But even if it is difficult to prevent, it is not that we should be resigned to it, in fact, to prevent DDoS is not absolutely impossible things. The users of the Internet are various, fighting against DDoS, different roles have different tasks. Let's take a few of the following roles:

    • Enterprise network administrator
    • ISP, ICP Administrator
    • Backbone network operators

Enterprise network administrator

Network administrator as an enterprise Intranet manager, is often a security guard, guardian God. In the network he maintains, there are servers that need to provide WWW services out of the box, and thus inevitably become the target of DDoS attacks, what should he do? It can be considered from two angles of host and network equipment.

Settings on the host
Almost all of the host platforms have a DOS-resistant setting, summarizing, there are several basic:

    • To turn off unnecessary services
    • Limit the number of Simultaneous SYN half connections open
    • Shorten time out of SYN half-connection
    • Update system patches in a timely manner

Settings on the network device
Network devices on the enterprise network can be considered from firewalls and routers. These two devices are interface devices to the outside world, while anti-DDoS settings, pay attention to how much efficiency at the expense of the cost, whether it is worthwhile for you.

1. Firewalls

    • Disable access to non-open services for hosts
    • Limit the number of Simultaneous SYN maximum connections open
    • Restricting access to specific IP addresses
    • Enable anti-DDoS properties for firewalls
    • Access to external servers is strictly restricted

The fifth key is to prevent your server from being used as a tool to harm.

2. Routers
Take Cisco routers as an example

    • Cisco Express Forwarding (CEF)
    • Using unicast Reverse-path
    • Access Control List (ACL) filtering
    • Set the SYN packet traffic rate
    • ISO with an upgrade version that is too low
    • Establish a log server for the router

When using CEF and unicast settings, it is important to note that improper use can cause router productivity to degrade significantly, and iOS should be upgraded with caution. Router is the core of the network equipment, and everyone to share a little bit of experience in setting up changes, is not to save the first. Cisco routers have two configuration of the startup config and running config, modified when the change is running config, you can let this configuration run for a period of time (35 days at random), feel feasible to save the configuration to startup Config, and if you are not satisfied with the original configuration, copy start Run is OK.

ISP/ICP Administrator

ISP/ICP for many small and medium-sized enterprises to provide a variety of mainframe hosting business, so in anti-DDoS, in addition to the same means as enterprise network administrators, but also to pay special attention to their own management within the scope of the customer managed host not to become a puppet machine. Objectively speaking, the security of these hosts is generally very poor, and some even the basic patches are not hit on the shirtless, become the hacker's favorite "broiler", because no matter how the machine hackers can not be found in the danger, its security management is too poor; not to mention that managed hosts are high-performance, High-bandwidth-is simply for DDoS customization. As an ISP administrator, the managed host is not directly managed by the authority, can only notify customers to deal with. In the actual situation, there are a lot of customers with their hosting service provider is not very good, resulting in the ISP administrators know that they are responsible for a managed host became a puppet machine, but there is no way of the situation. And the hosting business is the buyer's market, ISP also dare not offend customers, how to do? We the Administrator and the customer good relations, no way, who let people are God? Hehe, customers more cooperation with some, the ISP's host more secure some, the possibility of being sued by others is also smaller.

Backbone network operators

They provide the physical basis for the existence of the Internet. If the backbone network operators can cooperate well, DDoS attacks can be well prevented. After the attack on a well-known website such as Yahoo in 2000, the U.S. Cyber Security Research Institute proposed a solution to the DDoS attack by the backbone operators. In fact, the method is very simple, that is, each operator in their own export router to authenticate the source IP address, if in their own routing table does not have to the packet source IP routing, the package is discarded. This approach can prevent hackers from using bogus source IPs for DDoS attacks. But again, this will reduce the efficiency of the router, which is the backbone operators are very concerned about the problem, so this practice is really difficult to adopt.

The research on the principle and coping method of DDoS has been in progress, and finding an effective and feasible solution is not overnight. But at the moment we can at least do their own network and host maintenance, first let their host not for others to use the object to attack others; second, in the event of attack, to try to preserve the evidence, in order to trace afterwards, a good network and log system is necessary. No matter where the DDoS defense goes, it will be a social project that requires it peers to work together.

The principle and prevention of distributed denial of service attack (DDoS)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.