From the 07 of the Estonian DDoS information war, to this year Guangxi Nanning 30 internet cafes suffered from DDoS ransomware, and then to the Sina network suffered a DDoS attack can not provide external services for more than 500 minutes. DDoS intensified, attacks increased significantly, the attack traffic is also significantly increased, the situation is very serious, more than 1G of attack traffic occurs frequently, CNCERT/CC mastered the data show that the highest reached 12G, such traffic, even professional room can not resist. More serious: The use of DDoS attack means extortion has formed a complete industrial chain! Moreover, the attacker's implementation cost is very low, on the Internet can easily search for a large heap of attack scripts, tool tools, the technical requirements of the attackers are also increasingly low. Conversely, professional anti-DDoS devices are expensive, and the attack source is very difficult to trace, protection costs far greater than the cost of attack.
This article will analyze the principle of DDoS attack and provide some solutions.
I. DDoS attacks
What is DDoS? DDoS is an abbreviation for the English distributed denial of service, meaning "distributed denial of service", a DDoS in Chinese called a distributed denial of service attack, commonly known as flood attack. First, let's take a look at the relevant definitions.
Service: What features does the system provide that users will benefit from in their use?
Denial of service: Any interference with the service if its availability is reduced or the availability is lost is called a denial of service.
Denial of service attack: means that an attacker intentionally causes a computer or network to not function properly to provide the required services to legitimate users or to degrade the quality of service?
Distributed denial-of-service attacks: Multiple attackers at different locations attack one or more targets at the same time, or one or more attackers control multiple machines located in different locations and use them to simultaneously attack the victim, because the point of attack is spread out in different places, This type of attack is known as a distributed denial of service attack.
, DDoS attacks will cause network resource wasting, link bandwidth congestion, server resource exhaustion and business interruption. Most of these attacks are carried out by computers that are illegally controlled by hackers. After hackers illegally control some computers, they turn these computers into "bots" that are remotely controlled by underground networks, and then use these computers to implement DDoS attacks. Hackers also rent the computers for attack at a low price per unit, and the owners who really own the computers don't know that their computers have been used to attack others. Since millions of computers have now become "bots" by hackers, this attack will be very violent. What happens when you are attacked by a DDoS attack:?
The network is flooded with a lot of useless data packets;
Manufacturing high-flow useless data, causing network congestion, so that the host can not be normal and external communication;
Using the service provided by the victim host or the defect on the transmission protocol, the service request is issued repeatedly and at high speed, so that the injured host cannot handle all the normal requests in time.
Severe, it can cause system panic.
Because the network layer of denial of service attacks have exploited the network protocol, some of the network or equipment to seize the limited processing capacity, so that the prevention of denial of service attacks has become a very headache for administrators. Especially in most of the network environment backbone of the common use of firewalls, load balancing equipment, in the event of DDoS attacks often become the bottleneck of the entire network, resulting in a total network paralysis.
two. Packet Structure
To understand the principle of DDoS attack, we must first understand the structure of the packet, in order to know everything, trace. Let's start by reviewing the structure of the packet.
2.1 IP message Structure
2.2 TCP Message Structure
The identity (Code bits) field of a TCP header contains 6 flags:?
SYN: The flag bit is used to establish a connection to synchronize serial numbers between the two parties. If Syn=1 and ack=0, then the packet is a connection request, and if syn=1 and ack=1 means accept the connection?
FIN: Indicates that the sender has no data required to transmit, and wants to release the connection.
RST: Used to reset a connection. The RST flag is a packet called the Reset package. In general, if a fragment received by TCP is obviously not part of any of the connections on that host, a reset packet is sent to the far end.
URG: For emergency data signs. If it is 1, it indicates that the packet contains emergency data. The emergency data pointer is valid at this time.
ACK: To confirm the flag bit. If 1, indicates that the confirmation number in the package is valid. Otherwise, the confirmation number in the package is not valid.
PSH: If set, the receiver should send the data to the application layer as soon as possible, without waiting for the buffer to be full again.
2.3 UDP message Structure
2.4 ICMP message structure
three. DDoS attack mode
3.1 SYN Flood attack
Syn-flood attack is the most common DDoS attack on the current network, and it is also the most classic denial of service attack, it takes advantage of a flaw in TCP protocol implementation, it may cause the half-open connection queue in the target server to be full by sending a large number of attack packets of spoofed source address to the port on which the network service is located. To prevent access by other legitimate users. This attack was discovered as early as 1996, but it still shows strong vitality. Many operating systems, even firewalls and routers, are unable to effectively defend against this attack, and because it can easily forge source addresses, it is very difficult to trace them. Its packet characteristics are typically, the source sends a large number of SYN packets, and the last handshake ACK reply is missing from the three handshake.
For example, an attacker would first forge an address to initiate a SYN request to a server (can I establish a connection?). ), the server responds with a Ack+syn (can + please confirm). And the real IP will think that I did not send a request and do not respond. The server does not receive a response, retries 3-5 times and waits for a SYN time (typically 30 seconds-2 minutes) to discard the connection.
If an attacker sends a large number of SYN requests that spoof a source address, the server will consume a lot of resources to handle the semi-connection, and the save traversal consumes a lot of CPU time and memory, not to mention the Syn+ack retry of the IP in this list. The end result is that the server is ignoring the normal connection request-denial of service. When you view the SYN_RECV status with the Netstat–an command on the server, you can see:
If we grab the bag to see:
You can see a large number of SYN packets without an ACK response.
3.1.2 SYN Flood protection
Currently on the market some firewalls have SYN proxy function, this method is usually set per second through the specified object (destination address and port, only the destination address or only the source address) of the number of SYN fragment threshold, when from the same source address or sent to the same destination address of the number of SYN fragments reached one of these thresholds, The firewall begins to intercept the connection request and the agent replies to the Syn/ack fragment and stores the incomplete connection request in the connection queue until the connection is complete or the request times out. When the queue of proxy connections in the firewall is filled, the firewall rejects new SYN fragments from all addresses in the same security zone (zone), preventing the network host from being subjected to an incomplete three-time handshake. However, this method when the attack traffic is large, the connection has a large delay, the network load is high, in many cases become the bottleneck of the whole network;
Random drop: The way to randomly drop packets can reduce the load on the server, but the success rate of the normal connection will be reduced a lot;
Feature matching: The usual means of the IPs, the characteristics of the statistical attack message at the time of the attack, and the definition of feature library, such as filtering SYN packets without TCP Options, etc.
Early attack tools (such as synkiller,xdos,hgod, etc.) typically send a 64-byte TCP SYN message, while the host operating system sends a SYN message that is larger than 64 bytes when initiating a TCP connection request. Therefore, the policy can be set on the key node to filter 64 bytes of TCP SYN packets, some propaganda with the protection of SYN flood attack products are doing so. With the improvement of the tool, the TCP SYN message is completely simulated by the common general operating system, and the fields of IP header and TCP header are completely random, so it is impossible to filter the attack packets on the device according to certain rules. In this case, it is necessary to judge the packet of TTL value in IP packet and block it according to experience, but this kind of manual method has high cost and low efficiency. Figure is an attack tool property setting.
SYN Cookie: Is the IP address of each request connection is assigned a cookie, if a short period of time continuously received by an IP duplicate SYN message, it is assumed to be attacked, later from this IP address packets will be discarded. However, the SYN cookie relies on the other person to use the real IP address, and if the attacker uses Sock_raw to randomly overwrite the source address in the IP message, this method will not work.
3.1.3 Protection algorithm for commercial products
SYN Cookie/syn proxy class protection algorithm: This algorithm for all SYN packets are active response to detect the origin of the SYN packet source IP address is true, if the IP address is true, then the IP will respond to the protection device probe packet, thereby establishing a TCP connection Most of the domestic and foreign anti-denial service products adopt such algorithms.
Safereset algorithm: This algorithm for all SYN packets are active response, the probe packet deliberately constructs the wrong field, the real IP address will send the RST packet to the protection device, and then initiate the 2nd connection, thereby establishing a TCP connection; some foreign products adopt such protection algorithm.
SYN retransmission algorithm: The algorithm takes advantage of the retransmission characteristics of TCP/IP protocol, the first SYN packet from some source IPs is dropped and logged directly when it arrives, it is validated when the 2nd SYN packet arrives and then released.
Comprehensive protection algorithm: Combining the advantages of the above algorithms, and introducing the IP reputation mechanism. When the first SYN packet from a source IP arrives, if the IP has a higher reputation value, the Syncookie algorithm is used, and for a source IP with a lower reputation value, based on the protocol stack behavior pattern, if the SYN packet is validated, the connection enters the Syncookie checksum. Increase its reputation value once the connection to the IP is verified. Some devices also use a table structure to hold the protocol stack behavior pattern eigenvalues, greatly reducing the amount of storage.
3.2 ACK Flood attack
Ack flood attack is after the TCP connection is established, all data transmission TCP messages are with an ACK flag, when the host receives a packet with an ACK flag bit, it is necessary to check if the packet represents the existence of the connection four-tuple, If present, checks whether the state represented by the packet is legitimate, and then passes the packet to the application tier. If the packet is found to be illegal in the check, for example, the destination port that the packet points to is not open on this computer, then the host operating system protocol stack responds to the RST packet telling the other that the port does not exist.
Here, the server will do two actions: tabular, response ack/rst. This attack pattern obviously does not have SYN flood to the server to bring the big impact, therefore the attacker must use the large traffic ACK packet impact to the server impact. According to our understanding of the TCP protocol, the ACK packets for random source IPs should be discarded by the server very quickly because there is no status information for these ACK packages in the server's TCP stack. But actually through the test, it is found that some TCP services are more sensitive to ACK flood, such as JSP server, the JSP server is difficult to handle the normal connection request under the attack of a small number of ACK packets. For Apache or IIS, 10kpps ack flood does not pose a threat, but a higher number of ACK flood will cause the server network card interrupt frequency too high, overload and stop responding. To be sure, the ACK flood not only can harm the routers and other network equipment, but also the application on the server has a small impact. Grab Bag:
If there is no open port, the server is discarded directly, which consumes the CPU resources of the server. If the port is open, the server responds to RST.
3.2.2 ACK Flood protection
The symmetry judgment is used to analyze the existence of an attack. The so-called symmetric judgment, is that the packet exception is greater than the contract, because the attackers usually use a large number of ACK packets, and in order to improve the attack speed, generally with the content of the basic consistent packet sent. This can be used as a basis for determining whether an ACK flood occurs, but there are few known cases in which the use of only ACK flood attacks is mixed with other attack methods, so it is easy to generate a miscarriage of judgment.
Some firewalls should be built with a hash table to hold the TCP connection "state", and the process of stateful inspection is relatively simplified relative to the TCP stack implementation of the host. For example, do not check the sequence number, do not make packet chaos processing, only a certain period of time whether there is an ACK packet in the "Connection" (that is, four tuples) passed, thus "roughly" determine whether the "connection" is "active".
3.3 UDP Flood attack
UDP Flood is an increasingly hanzi traffic-type Dos attack, the principle is very simple. A common scenario is the use of a large number of UDP packets to impact DNS servers or RADIUS authentication servers, streaming video servers. 100k pps UDP Flood often paralyze the backbone devices on the line such as firewalls, causing the entire network segment to collapse. Because the UDP protocol is a non-connected service, in a UDP flood attack, an attacker could send a large number of small UDP packets that forged a source IP address. However, because the UDP protocol is non-connectivity, so long as a UDP port to provide related services, then the relevant services can be attacked.
Under normal application, the UDP packet bidirectional traffic will be basically equal, and the size and content are random and vary greatly. In the case of UDP flood, UDP packets for the same destination IP appear in large quantities on one side, and the content and size are relatively fixed. Attack Tools:
53-Port UDP flood attack capture:
UDP Flood large packet attack (bandwidth, shard):
3.3.2 UDP Flood protection
The UDP protocol differs from the TCP protocol, which is a non-connected protocol, and the UDP application protocol is very different, so the protection against UDP flood is very difficult. The protection should be treated according to the specific situation:?
To determine the packet size, if it is a large packet attack, use the Prevent UDP fragmentation method: Set the packet fragment reassembly size according to the attack packet size, usually not less than 1500. In extreme cases, you can consider discarding all UDP fragments.
The attack port is the business port: Set the UDP maximum packet size based on the service UDP maximum packet length to filter for abnormal traffic.?
The attack port is a non-business port: One is to discard all UDP packets, it may hurt the normal business; one is to establish a UDP connection rule that requires all UDP packets going to that port, you must first establish a TCP connection with the TCP port. However, this approach requires a professional firewall or other protection device support.
3.4 ICMP Flood attack
ICMP Flood attacks the principle and the ACK Flood principle similar, belongs to the traffic type attack way, also uses the big traffic to bring the large load to the server, affects the server the normal service. Because many firewalls currently filter ICMP packets directly, ICMP flood appear less frequently. Comparing the two images below, it should be possible to see if there is an ICMP flood attack.
Normal ICMP packets:
When the packet attacks:
3.4.2 ICMP Flood protection
Its defenses are also simple to filter ICMP packets directly. There is no detailed explanation here.
3.5 Connection Flood attack
Connection Flood is a typical and highly effective way of attacking large bandwidth network services using small traffic, which is now becoming more and more rampant. The principle of this attack is to use a real IP address to the server to initiate a large number of connections, and the establishment of a connection for a long time not to release, occupy the server's resources, resulting in a residual connection on the server server (wait state) too much, inefficient, and even resources exhausted, unable to respond to other customers to initiate the connection.
One of the attacks is to make a large number of connection requests to the server every second, similar to a SYN flood attack on a fixed source IP, but with a real source IP address. Typically this can limit the number of connections per second for each source IP address on the firewall for protection purposes. But now there are tools in a slow connection, that is, a few seconds to establish a connection with the server, the connection is established after the success does not release and periodically send garbage packets to the server so that the connection can be maintained for a long time. Such an IP address can establish hundreds of connections to the server, and the number of connections the server can tolerate is limited, which achieves the effect of denial of service.
In addition, when the worm outbreak, because the worm code is relatively simple, the propagation process will have a large number of packets with the same source IP address, for the TCP worm is a wide range of scanning behavior. This is to be aware of when judging connection flood.
Using Netstat–an on the compromised server:
There are a large number of connection states, from a few sources. If you count, you can see that the number of connections in the comparison usually occurs. and starts to fluctuate after a certain value, indicating that the performance limit may have been approached at this point. Therefore, the judgment of this attack: the flow is not very small, or even a little, a lot of establish state; The total number of new establish states fluctuates.
3.5.2 Connection Flood protection
Active removal of residual connections.?
Block the IP of a malicious connection.
Limit the number of connections per source IP.
You can protect a specific URL.
The source of the HTTP Get flood is behind the anti-search proxy.
3.6 HTTP Get attack
This attack is mainly for the existence of ASP, JSP, PHP, CGI and other scripts, and call MSSQLServer, MySQLServer, Oracle and other databases of the Web site system design, characterized by a normal TCP connection with the server, and constantly submit queries to the script program , lists and so on a large number of database resource calls, typical of small broad attack method. In general, the cost of submitting a GET or post instruction to the client and the consumption of bandwidth is almost negligible, and the server to process this request may be from tens of thousands of records to find out a record, this process of resources is very expensive, A common database server rarely supports simultaneous execution of hundreds of query commands, which is a breeze for the client, so the attacker simply submits a large number of query instructions to the host server through proxy proxies, consuming server resources in minutes and causing a denial of service. The common phenomenon is that the website is slow as snail, ASP program failure, PHP connection database failure, database main program occupies high CPU. This attack is characterized by the ability to completely bypass the normal firewall protection, easy to find some proxy agent can implement the attack, the disadvantage is that only static pages of the site effect will be greatly compromised, and some proxies will expose the attacker's IP address. Attack Tools:
Grab packets on the attacked server, a large number of different IPs are requesting resources. In practice, it is also possible to use proxy addresses to connect.
3.6.2 HTTP Get protection
To determine whether or not HTTP GET, to count the number of GET requests per second to reach each server, if far more than normal, it is necessary to decode the HTTP protocol, find HTTP GET and its parameters (such as URLs, etc.).
It then determines whether a GET request is from a proxy server or a malicious request. and responds to a response with a key that requests the initiator to make corresponding feedback. If the initiator does not respond, the request is based on the tool, so that the HTTP GET request cannot reach the server, which can achieve the protection effect.
3.7 UDP DNS Query flood attack
UDP DNS Query Flood attack is essentially a UDP flood, but due to the irreplaceable key role of DNS server, once the server is paralyzed, the impact is generally very large.
The UDP DNS Query flood attack uses a method that sends a large number of domain name resolution requests to the server being attacked, usually the domain name that is requested to be resolved is randomly generated or is a domain name that does not exist in the network world, the DNS being attacked When the server receives the domain name resolution request, it first looks for the corresponding cache on the server, if it is not found and the domain name cannot be resolved directly by the server, the DNS server will recursively query the domain name information to its upper level DNS server. The process of domain name resolution brings a great load to the server, and the DNS server resolves the domain name timeout by exceeding a certain number of domain name resolution requests per second.
According to Microsoft statistics, a DNS server can withstand a maximum of 9,000 requests per second for dynamic domain name queries. And we know that on a P3 pc can easily construct tens of thousands of domain name resolution requests per second, enough to make a hardware configuration of a very high DNS server paralysis, this shows the vulnerability of DNS server. It is also important to note that the spread of worms can lead to a large number of domain name resolution requests.
3.7.2 UDP DNS Query flood protection
The UDP DNS Query Flood attack is protected on the basis of UDP Flood?
Reduce server load (using DNS Cache) by proactively responding to domain name IP self-learning results
Bandwidth throttling for source IP addresses that suddenly initiate a large number of low-frequency domain name resolution requests? Reduce the priority of source IP addresses that rarely initiate domain name resolution requests When an attack occurs?
Limit the number of domain name resolution requests per second for each source IP address
After reading this article, you've learned about the 7 main ways of DDoS attack, and you've learned the appropriate solution. Although however persuasive, outsmart, new attack methods are also emerging. However, as long as you master the corresponding principle, to crack the DDoS attack is not difficult, but the premise is that you master the principle of the basis, but also need to have the corresponding software, hardware to fight. At the end of this article, a few small questions are given to help you remember what you said earlier.
1. Summary of the above methods.
2. If your primary business is UDP audio applications, in order to maintain the benefits and minimize the impact of the attack on their business, how should you usually pay attention?
3. Is the botnet an invincible spear? How can I mitigate the impact of an attack from a botnet? If a ack-flood attack traffic is sent over a botnet, what characteristics will it usually carry?
Transferred from Http://netsecurity.51cto.com/art/200903/114969.htm, Dai Pengfei
The principle of DDoS attack and its protection methodology