What is a DDoS attack? How to defend against DDoS attacks?


Pure potatoes, 2016-05-23

Security reports show that DDoS attacks in 2015 set a new record. So what exactly is DDoS? Knowing the basics also helps when you need to discuss it with product managers and back-end colleagues.

A distributed denial-of-service (DDoS, distributed denial of service) attack uses client/server technology to combine many computers into a single attack platform and launch a denial-of-service attack against one or more targets, thereby multiplying the power of the attack.

How to understand DDoS attacks

What would a gang of bullies do if they wanted to stop a rival shop across the street from operating normally? (Just an analogy; never imitate it.)

The bullies pose as ordinary customers and crowd into the rival's shop, refusing to leave, so that genuine shoppers cannot get in; or they pester the sales staff endlessly so that the staff cannot serve real customers; or they feed the shop's operators false information so that the whole staff scrambles about only to discover it was all for nothing. In the end the real big customers are driven away and the losses are heavy.

Some of these things are hard for one bully to pull off alone and require calling in accomplices. DoS and DDoS attacks in the network security world follow the same ideas.

Attack mode

DDoS attacks consume large amounts of network resources by sending a flood of seemingly legitimate requests, with the aim of paralyzing the network.

These attacks can be divided into the following types:

    • Overloading the network to interfere with or even interrupt normal network communication;

    • Overloading the server by submitting a large number of requests to it;

    • Blocking a user's access to the server;

    • Blocking a service's communication with a particular system or individual.

IP Spoofing

An IP spoofing attack is a DDoS technique in which the attacker sends forged packets to the server.

Specifically, the source IP address in the packet is set to a value that does not exist or is not valid. Once the server accepts the packet it sends back a packet accepting the request, but that reply can never reach the computer that actually sent the packet.

This forces the server to keep its listening port and the half-open connection allocated, wasting resources throughout the system.

Land attack

This attack is similar to a SYN flood, but in a Land attack the source address and the destination address of the attack packet are both the IP of the target.

This attack can cause the machine to lock up, exhaust its resources and eventually crash.
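The two attack forms above (a forged or invalid source address, and a Land packet whose source equals its destination) can both be caught by a simple header sanity check at the network edge. The following is an added example, not code from the original article: a small Python classifier that applies that check to parsed packet headers. The bogon ranges, the sample packets and the 203.0.113.5 "protected host" address are constructed for the example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed list of source ranges that should never appear on packets
# arriving from the Internet (private, loopback, link-local, multicast,
# "this network" and reserved space). A real deployment would maintain it.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    """Minimal parsed header of one inbound packet (hypothetical structure)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # e.g. "S" for a SYN


def classify(pkt: Packet, protected_host: str) -> str:
    """Return 'accept' or 'drop:<reason>' for one inbound packet header."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # Land attack: source and destination are both the victim's own address.
    if src == dst:
        return "drop:land"
    # Our own public address can never be the source of an *inbound* packet.
    if src == ipaddress.ip_address(protected_host):
        return "drop:spoofed-own-address"
    # Addresses that cannot be routed from the Internet are forged sources.
    if any(src in net for net in BOGON_SOURCES):
        return "drop:bogon-source"
    return "accept"


def filter_packets(packets, protected_host: str) -> Counter:
    """Classify a batch of headers and count the verdicts."""
    return Counter(classify(p, protected_host) for p in packets)


# Constructed sample traffic toward the protected host 203.0.113.5.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", 40001, "203.0.113.5", 80, "S"),   # legitimate SYN
    Packet("203.0.113.5", 80, "203.0.113.5", 80, "S"),       # Land packet
    Packet("10.1.2.3", 4444, "203.0.113.5", 80, "S"),        # forged private source
    Packet("240.9.9.9", 4444, "203.0.113.5", 80, "S"),       # forged reserved source
    Packet("192.0.2.44", 51000, "203.0.113.5", 443, "S"),    # legitimate SYN
]


def run_sample() -> Counter:
    return filter_packets(SAMPLE_PACKETS, "203.0.113.5")


if __name__ == "__main__":
    for verdict, n in run_sample().items():
        print(f"{verdict:26s} {n}")
```

The check is cheap because it only looks at addresses; it does nothing against a flood from forged but routable addresses, which is why the article later emphasizes bandwidth and hardware capacity as well.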

ICMP floods

An ICMP flood consumes system resources by sending broadcast traffic to a router that is not properly configured.

Application-level floods

Unlike the attack methods above, application-level floods target the application software layer, which sits at the top of the OSI model.

They also aim to disrupt normal network services by making uncontrolled resource requests to a network service program such as IIS in order to consume system resources.

Attack principle

A denial-of-service attack is a means by which an attacker prevents a target machine from providing services or access to resources. These resources include disk space, memory, processes and even network bandwidth, and the goal is to prevent access by normal users.

In fact, attacks that consume network bandwidth are only a small part of denial-of-service attacks. Anything that causes trouble for the target, whether by suspending some services or even crashing the host, counts as a denial-of-service attack.

Denial-of-service attacks have never been properly solved because they exploit security flaws in the network protocols themselves, which is why they have become the ultimate tactic of attackers.

An attacker launching a denial-of-service attack is really trying to produce two effects on the server:

    • One is to fill the server's buffer so that it can no longer accept new requests;

    • The other is to use IP spoofing to force the server to reset legitimate users' connections, disrupting those users.

Although both are denial-of-service attacks, DDoS and DoS are different.

The DDoS strategy focuses on sending a large number of seemingly legitimate network packets to the victim host through many "zombie hosts" (hosts the attacker has compromised or is exploiting indirectly), causing a denial of service through network congestion or exhaustion of server resources.

Once a distributed denial-of-service attack is launched, the attack packets flood the victim host and drown out legitimate users' packets, so that legitimate users can no longer access the server's network resources properly; this is why the attack is also called a "flood attack".

Common DDoS attack methods include SYN Flood, ACK Flood, UDP Flood, ICMP Flood, TCP Flood, Connections Flood, Script Flood, Proxy Flood and so on.

DoS, by contrast, focuses on exploiting host-specific vulnerabilities to make the network stack fail, the system crash or the host hang so that it can no longer provide normal network services, resulting in denial of service.

Common DoS attack methods include Teardrop, Land, Jolt, IGMP Nuker, Boink, Smurf, Bonk, OOB and so on.

Of the two, DDoS does the greater harm because it is difficult to prevent, whereas DoS attacks can be prevented very well by patching the host server or installing firewall software.

DDoS attacks take two main forms:

    • Traffic attacks, which mainly target network bandwidth: a large number of attack packets saturate the bandwidth so that legitimate packets are drowned out by the bogus ones and cannot reach the host;

    • Resource exhaustion attacks, which mainly target the server host: a large number of attack packets exhaust the host's memory or keep the CPU fully occupied by the kernel and applications, so the host can no longer provide network services.

How can I tell if a website has suffered a traffic attack?

Whether a site is under a traffic attack can be tested with ping. If ping times out or loses packets (when it is normally fine), the site may be under a traffic attack; if servers on the same switch as your host are also unreachable, you can be fairly sure it is a traffic attack.

The premise of this test is that ICMP to the server host is not blocked by routers, firewalls or similar devices; otherwise you can telnet to the host's network service port to test, with the same effect.

One thing is certain: if pinging your host server and the hosts on the same switch is normally fine but suddenly fails or loses packets heavily, and network faults can be ruled out, then it is definitely a traffic attack. Another typical sign of a traffic attack is that connecting to the web server with a remote terminal fails.

How can I tell if a website has suffered a resource exhaustion attack?

Compared with a traffic attack, a resource exhaustion attack is easier to judge. If pinging the site host and accessing the site are normally fine, but suddenly the site becomes very slow or inaccessible while ping still succeeds, it is likely a resource exhaustion attack.

If at this point running netstat -na on the server shows large numbers of connections in states such as SYN_RECEIVED, TIME_WAIT and FIN_WAIT_1 and very few in ESTABLISHED, you can conclude that the server is under a resource exhaustion attack.

There is another kind of resource exhaustion attack in which pinging your own site host fails or loses packets heavily while pinging servers on the same switch is normal. This happens because the attack drives the system kernel or some application on the site host to 100% CPU utilization, so it cannot respond to ping; the bandwidth is actually still there, otherwise the hosts on the same switch would be unreachable too.
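The diagnosis described above (ping the host and its switch neighbours, then look at the TCP connection states in netstat -na) can be scripted so that the same rules are applied consistently during an incident. The following is an added example, not code from the original article. It parses the summary line of ping and the output of netstat -na, then applies the article's three rules; the ping and netstat samples are constructed, the Linux state name SYN_RECV is counted together with the Windows name SYN_RECEIVED, and the numeric thresholds (50% loss, at least 10 abnormal connections, 5 times the ESTABLISHED count) are assumptions chosen for the example. The same netstat check also covers the SYN_RECEIVED observation the article makes later for the SYN/ACK flood.

```python
import re
from collections import Counter

# Verdicts returned by diagnose().
TRAFFIC = "traffic attack (bandwidth saturated)"
CPU = "resource exhaustion (host CPU saturated, bandwidth intact)"
CONN = "resource exhaustion (connection table flooded)"
NONE = "no attack indicated"

# Assumed thresholds for the example.
LOSS_THRESHOLD = 50.0   # percent packet loss that counts as "ping fails"
ABNORMAL_MIN = 10       # minimum abnormal connections before alerting
ABNORMAL_RATIO = 5      # abnormal must exceed ESTABLISHED by this factor

# Constructed `ping -c 20` summary lines (Linux format).
PING_LOSSY = "20 packets transmitted, 3 received, 85% packet loss, time 19021ms"
PING_OK = "20 packets transmitted, 20 received, 0% packet loss, time 19005ms"

# Constructed `netstat -na` output: one listener, 12 half-open connections,
# 2 in TIME_WAIT and a single real ESTABLISHED session.
NETSTAT_SAMPLE = "\n".join(
    ["Proto Recv-Q Send-Q Local Address Foreign Address State",
     "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN"]
    + [f"tcp 0 0 203.0.113.5:80 198.51.100.{i}:40{i:03d} SYN_RECV" for i in range(1, 13)]
    + ["tcp 0 0 203.0.113.5:80 198.51.100.40:51022 TIME_WAIT"] * 2
    + ["tcp 0 0 203.0.113.5:80 192.0.2.9:50111 ESTABLISHED"]
)


def ping_loss(summary: str) -> float:
    """Extract the packet-loss percentage from a ping summary line."""
    m = re.search(r"(\d+(?:\.\d+)?)% packet loss", summary)
    if not m:
        raise ValueError("no packet loss figure in: " + summary)
    return float(m.group(1))


def netstat_states(output: str) -> Counter:
    """Count TCP connection states in `netstat -na` output."""
    states = Counter()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp"):
            states[parts[5]] += 1
    return states


def diagnose(site_loss: float, neighbor_loss: float, states: Counter) -> str:
    """Apply the article's rules to ping results and connection states."""
    site_down = site_loss >= LOSS_THRESHOLD
    neighbor_down = neighbor_loss >= LOSS_THRESHOLD
    # Rule 1: the host and the machines on the same switch all drop ping.
    if site_down and neighbor_down:
        return TRAFFIC
    # Rule 2: only the host drops ping, so bandwidth is fine but the host is pegged.
    if site_down:
        return CPU
    # Rule 3: ping is fine; look for many half-open/closing states and few ESTABLISHED.
    abnormal = sum(states[s] for s in
                   ("SYN_RECV", "SYN_RECEIVED", "TIME_WAIT", "FIN_WAIT1", "FIN_WAIT_1"))
    established = states["ESTABLISHED"]
    if abnormal >= ABNORMAL_MIN and abnormal >= ABNORMAL_RATIO * established:
        return CONN
    return NONE


def run_samples() -> dict:
    """Run the three constructed scenarios and return their verdicts."""
    states = netstat_states(NETSTAT_SAMPLE)
    return {
        "both_unreachable": diagnose(ping_loss(PING_LOSSY), ping_loss(PING_LOSSY), states),
        "only_host_unreachable": diagnose(ping_loss(PING_LOSSY), ping_loss(PING_OK), states),
        "ping_ok_syn_backlog": diagnose(ping_loss(PING_OK), ping_loss(PING_OK), states),
    }


if __name__ == "__main__":
    for scenario, verdict in run_samples().items():
        print(f"{scenario:24s} -> {verdict}")
```

In practice you would feed the functions the real output of ping and netstat -na captured on the server; the thresholds should be tuned to the site's normal connection profile before an incident, not during one.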

There are currently three popular DDoS attack methods

1. SYN/ACK flood attack:

This is the most effective DDoS method and can take down the network services of all kinds of systems. It works by sending the victim host a large number of SYN or ACK packets with forged source IPs and source ports, exhausting the host's cache resources or keeping it busy sending response packets, resulting in denial of service.

Because the source is forged, it is hard to trace. The drawback is that it is difficult to carry out and requires zombie hosts with high bandwidth.

A small amount of this attack makes the host server inaccessible while ping still succeeds, and netstat -na on the server shows a large number of connections in the SYN_RECEIVED state. A large amount causes ping to fail, the TCP/IP stack to fail, and the system to freeze (it stops responding to the keyboard and mouse). Most ordinary firewalls cannot withstand this type of attack.

2. TCP full-connection attack:

This attack is designed to bypass the checks of ordinary firewalls. Conventional firewalls can generally filter DoS attacks such as Teardrop and Land,

but they let normal TCP connections through. Many network service programs (web servers such as IIS and Apache) can accept only a limited number of TCP connections, and once there is a large number of them, even legitimate ones, the site becomes very slow or even inaccessible.

A TCP full-connection attack uses many zombie hosts to continuously establish a large number of TCP connections to the victim server until the server's memory and other resources are exhausted and it is dragged down, resulting in denial of service. The attack's strength is that it bypasses the protection of ordinary firewalls; its drawbacks are that many zombie hosts have to be found, and because the zombie hosts' IPs are exposed, it is easy to trace.

3. Script flood attack:

This attack mainly targets website systems built on ASP, JSP, PHP, CGI and similar scripts that query databases such as MSSQL Server, MySQL Server and Oracle. It is characterized by establishing normal TCP connections to the server and then constantly submitting queries, list requests and so on to the scripts, making a large number of calls that consume database resources.

In general, the cost of submitting a GET or POST request from the client and the bandwidth it consumes are almost negligible, while the server may have to search tens of thousands of records to find one, which is very resource-intensive. An ordinary database server rarely supports hundreds of query commands executing simultaneously.

So while this is easy for the client, the attacker need only submit a large number of query requests to the host server through proxies to consume its resources within minutes and cause denial of service.

Common symptoms are that the website is as slow as a snail, ASP programs fail, PHP fails to connect to the database, and the database's main process uses a lot of CPU.

This attack is characterized by completely bypassing normal firewall protection; it only takes a few proxies to carry it out. Its drawbacks are that its effect on sites with only static pages is greatly reduced, and some proxies will expose the attacker's IP address.

How to defend against DDOS

It is unrealistic to rely solely on one system or product to protect against DDoS, and it is certainly impossible to eliminate DDoS completely, but with appropriate measures it is possible to defend against 90% of DDoS attacks.

Both attack and defense have costs. If the appropriate measures raise your ability to defend against DDoS, the attacker's cost rises with it, and the vast majority of attackers will be unable to continue and will give up, which amounts to a successful defense against the DDoS attack.

1. Use high-performance network equipment

First, make sure that the network equipment does not become a bottleneck: when choosing routers, switches, hardware firewalls and other equipment, try to choose high-end products with a good reputation.

Furthermore, it is even better to have a special relationship or agreement with the network provider. When a large attack occurs, asking them to limit traffic at the network entry point is very effective against certain kinds of DDoS attacks.

2. Avoid NAT where possible

Avoid using network address translation (NAT) on routers or hardware firewall devices as far as possible, because this technology greatly reduces network communication capacity.

The reason is simple: NAT has to translate addresses back and forth, and the translation process has to recalculate the network packet checksum, which wastes a lot of CPU time. Sometimes NAT must be used, though, and then there is no good way around it.

3. Guarantee sufficient network bandwidth

Network bandwidth directly determines the ability to resist attacks. With only 10M of bandwidth, no measures will fend off today's SYN flood attacks; choose at least 100M of shared bandwidth, and best of all connect to a 1000M trunk.

Note, however, that a 1000M network card on the host does not mean its bandwidth is gigabit: if it is connected to a 100M switch, its actual bandwidth will not exceed 100M. And being on 100M does not mean you actually have 100M either, because the network service provider may well limit the actual bandwidth to 10M on the switch. Be clear about this.

4. Upgrading the host server hardware

With network bandwidth guaranteed, try to improve the hardware configuration as well. To effectively counter 100,000 SYN attack packets per second, the server should be configured with at least: P4 2.4G / DDR 512M / SCSI HD.

The CPU and memory play the key role. If you want to be strong, use dual CPUs; memory must be high-speed DDR; the hard disk should be SCSI. Do not be tempted by the low price of IDE, or you will pay a high price in performance. The network card must be a well-known brand such as 3COM or Intel; leave Realtek for your own PC.

5. Make the site static

Plenty of evidence shows that making a site's pages static as far as possible not only greatly improves its resistance to attack but also gives hackers a hard time, at least until an "HTML overflow" appears. Portals such as Sina, Sohu and NetEase are mostly static pages.

If dynamic script calls are needed, put them on a separate host so that the main server is not affected when they are attacked. Of course, it is fine to keep a few scripts that do not make database calls.

In addition, it is a good idea to deny proxy access in scripts that need to call the database, because experience shows that 80% of site access through proxies is malicious.
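The article's advice for database-backed scripts (deny requests that arrive through proxies, and do not let one client fire hundreds of expensive queries) can be enforced in a small guard placed in front of the script. The following is an added example, not code from the original article: a Python per-client token-bucket limiter combined with a proxy-header check. The header names used to recognise a forwarding proxy (Via, X-Forwarded-For, Forwarded), the rate and burst values, and the simulated request stream are all assumptions constructed for the example.

```python
from collections import Counter, defaultdict

# Assumed request headers that reveal a forwarding proxy in the path.
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded")


class TokenBucket:
    """Allow `burst` requests at once, then `rate` requests per second."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now: float) -> bool:
        if self.last is None:
            self.last = now
        # Refill proportionally to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class DbEndpointGuard:
    """Admission control for a script that runs costly database queries."""

    def __init__(self, rate_per_sec: float = 2.0, burst: int = 5, deny_proxies: bool = True):
        self.buckets = defaultdict(lambda: TokenBucket(rate_per_sec, burst))
        self.deny_proxies = deny_proxies

    def admit(self, client_ip: str, headers: dict, now: float) -> tuple:
        """Return (admitted, reason) for one request."""
        lowered = {k.lower() for k in headers}
        if self.deny_proxies and any(h in lowered for h in PROXY_HEADERS):
            return (False, "proxy")
        if not self.buckets[client_ip].allow(now):
            return (False, "rate-limited")
        return (True, "ok")


def simulate(guard: DbEndpointGuard, client_ip: str, headers: dict,
             start: float, count: int, spacing: float) -> Counter:
    """Send `count` requests from one client, `spacing` seconds apart."""
    reasons = Counter()
    for i in range(count):
        _, reason = guard.admit(client_ip, headers, start + i * spacing)
        reasons[reason] += 1
    return reasons


def run_sample() -> dict:
    """Constructed scenario: one client hammering the endpoint, one via a proxy,
    and one well-behaved client making a single request."""
    guard = DbEndpointGuard(rate_per_sec=2.0, burst=5)
    flood = simulate(guard, "198.51.100.23", {}, 0.0, 20, 0.25)      # 4 req/s for 5 s
    proxied = simulate(guard, "192.0.2.77", {"Via": "1.1 proxy.example"}, 0.0, 1, 0.0)
    normal = simulate(guard, "203.0.113.88", {}, 0.0, 1, 0.0)
    return {
        "flood_admitted": flood["ok"],
        "flood_rate_limited": flood["rate-limited"],
        "proxy_denied": proxied["proxy"],
        "normal_admitted": normal["ok"],
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key:20s} {value}")
```

With a burst of 5 and a refill of 2 per second, a client sending 4 requests per second for 5 seconds gets 14 requests through and 6 rejected: the burst absorbs the first few, after which only every other request finds a token. The proxy check is coarse (legitimate users behind corporate proxies are also refused), which is why the article limits it to the scripts that touch the database rather than the whole site.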
