DDoS attacks can be divided into three types by traffic volume:
The first wins by brute force. Massive numbers of packets arrive from every corner of the Internet and clog the IDC entrance, so that even powerful hardware defence systems and fast, efficient emergency processes become useless. Typical examples of this type are ICMP flood and UDP flood, which are no longer common.
The second wins by cleverness: it is flexible and hard to detect. Sending one packet every few minutes, or even a single packet, can stop a lavishly configured server from responding. Attacks of this kind mainly exploit a vulnerability in a protocol or in software, such as the slowloris attack and the hash collision attack, and only work when a specific environment happens to be present.
The third type mixes the two above and is both nimble and forceful. It exploits defects in the protocol and the system while also bringing a large volume of traffic; SYN Flood and DNS Query Flood are examples, and they are the mainstream attack methods today.
The latter two are small-traffic attacks. The small and fast DDoS attack is known in the industry as a pulse attack: it hits and runs, with no delay at all. The small and slow DDoS attack mainly targets imperfect business logic or protocol loopholes, and is light, fast and gentle.
For small-traffic attacks, provided the attack stays within the server's bandwidth (important premise 1) and someone in the company knows how to conduct technical countermeasures (important premise 2), you can also try to handle them yourself. The usual measures are:
1. Make full use of the server's own features, for example enable the server's SYN cookies to protect against a small-traffic SYN Flood;
2. Use switch/router ACLs to filter out traffic the server does not need, such as UDP/ICMP traffic for a web server;
3. Use the host firewall, such as iptables on Linux, to drop malicious IPs, and analyse logs with a script to implement simple CC protection or connection-exhaustion protection;
4. For CGIs or web pages that users may browse frequently, add rate limits and captchas.
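A script of the kind item 3 describes, added here as an example rather than taken from the article: it parses web access-log lines in Common Log Format, counts requests per source IP over a sliding window, and renders iptables DROP rules for addresses that exceed the threshold. The log lines, the 10-second window and the 20-request threshold are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: ip ident user [time] "request" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

def parse_line(line):
    """Return (ip, timestamp, request) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, req, _status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), req

def find_offenders(lines, window_s=10, max_hits=20):
    """Map each IP exceeding max_hits requests inside any window_s-second
    window to its peak count. A deque per IP keeps the timestamps still in
    the window; older ones are dropped as the window slides forward."""
    recent, peak = defaultdict(deque), {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _req = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > max_hits:
            peak[ip] = max(peak.get(ip, 0), len(q))
    return peak

def iptables_rules(offenders):
    """Render (do not execute) one iptables DROP rule per offending IP."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]

# Constructed sample: 198.51.100.7 hits /search.cgi 25 times within three
# seconds, while 203.0.113.5 makes two ordinary requests.
SAMPLE = [
    f'198.51.100.7 - - [10/Oct/2023:13:55:{36 + i // 10} +0000] '
    f'"GET /search.cgi?q={i} HTTP/1.1" 200 512' for i in range(25)
] + [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /about.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    hits = find_offenders(SAMPLE)          # {'198.51.100.7': 25}
    print("\n".join(iptables_rules(hits)))
```

In practice the script would run over the live log on a timer and only the rules for newly flagged addresses would be applied, with an expiry so that a shared NAT address is not blocked forever.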
SYN Flood
SYN Flood is one of the most classic DDoS attacks on the Internet. It first appeared around 1999, and Yahoo was the best-known victim at the time. A SYN Flood exploits TCP's three-way handshake: at a small cost it can leave the target server unable to respond, and it is hard to trace.
The standard TCP three-way handshake process is as follows:
1. The client sends a TCP segment carrying the SYN flag (SYN stands for synchronize). This synchronization segment states the port used by the client and the initial sequence number of the TCP connection;
2. On receiving the client's SYN, the server returns a SYN+ACK segment, indicating that the client's request has been accepted, and the initial TCP sequence number is automatically incremented by 1;
3. The client in turn returns an ACK segment to the server, and the TCP sequence number is incremented by 1 again.
After these three steps the TCP connection is established. To achieve reliable transmission, the three-way handshake includes some exception-handling mechanisms. If, in the third step, the server never receives the client's final ACK, it stays in the SYN_RECV state, adds the client IP to a waiting list and retransmits the SYN+ACK of step two. The retransmission is generally repeated 3 to 5 times at intervals of about 30 seconds, and the waiting list is polled so that every client is retried. Moreover, after sending the SYN+ACK the server pre-allocates resources to hold information about the connection being established, and those resources stay reserved for the whole waiting period. More importantly, server resources are limited: once the number of connections in SYN_RECV exceeds the limit, the server no longer accepts new SYN segments, that is, it refuses to establish new TCP connections.
SYN Flood exploits exactly this TCP behaviour to achieve its goal. The attacker sends SYN segments to the server from a large number of spoofed IP addresses. Because the forged addresses almost certainly do not exist, almost no device ever sends the server any reply, so the server maintains a huge waiting list and retransmits SYN+ACK segments again and again, tying up large amounts of resources that cannot be released. More importantly, the attacked server's SYN_RECV queue fills up with malicious entries and it stops accepting new SYN requests, so legitimate users cannot complete the three-way handshake and establish a TCP connection. In other words, the server has been denied service by the SYN Flood.
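SYN cookies, the defence named in item 1 of the list above, avoid the problem just described by encoding the connection in the SYN+ACK's initial sequence number instead of keeping a SYN_RECV entry for each half-open connection. The following is an added illustration, not the article's or the Linux kernel's code; its cookie layout (5-bit time tick, 3-bit MSS index, 24-bit keyed hash) and the MSS table are simplified assumptions.

```python
import hashlib, hmac, os

SECRET = os.urandom(32)        # server-side key, rotated periodically in practice
COOKIE_TTL = 64                # seconds per time-counter tick
MSS_TABLE = [536, 1220, 1460]  # coarse MSS choices the 3-bit field can encode

def _mac(src_ip, src_port, dst_ip, dst_port, tick):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time tick."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src_ip, src_port, dst_ip, dst_port, mss_idx, now):
    """ISN for the SYN+ACK: 5-bit tick | 3-bit MSS index | 24-bit MAC.
    Nothing is stored: the server rebuilds everything from the final ACK."""
    tick = int(now // COOKIE_TTL) & 0x1F
    return (tick << 27) | (mss_idx << 24) | _mac(src_ip, src_port, dst_ip, dst_port, tick)

def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now):
    """Validate the handshake's final ACK; the cookie is ack_num - 1. Returns the
    negotiated MSS, or None if the cookie is stale, forged or from another tuple."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    tick, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    now_tick = int(now // COOKIE_TTL) & 0x1F
    if (now_tick - tick) % 32 > 1 or mss_idx >= len(MSS_TABLE):
        return None                # older than one tick, or impossible MSS field
    expected = _mac(src_ip, src_port, dst_ip, dst_port, tick)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]

if __name__ == "__main__":
    now = 1_700_000_000
    # A SYN from a spoofed source gets a SYN+ACK but costs no SYN_RECV entry;
    # since nobody ever ACKs it, the cookie simply expires.
    make_cookie("10.0.0.1", 12345, "198.51.100.1", 80, 2, now)
    # A real client finishes the handshake with ack = isn + 1 and is accepted.
    isn = make_cookie("203.0.113.5", 40000, "198.51.100.1", 80, 2, now)
    print(check_cookie("203.0.113.5", 40000, "198.51.100.1", 80, isn + 1, now + 3))    # 1460
    print(check_cookie("203.0.113.5", 40000, "198.51.100.1", 80, isn + 1, now + 200))  # None
```

The price of statelessness is that TCP options other than the few bits encoded here are lost, which is why systems normally switch cookies on only once the backlog is under pressure.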
DNS Query Flood
As the most basic and central service of the Internet, DNS is also a prime target of DDoS attacks. Bringing down a DNS service can indirectly bring down a company's entire business or the network services of a whole region. Recently the well-known hacker group Anonymous announced that it would attack the 13 root DNS servers of the global Internet, but in the end it failed.
UDP attacks are the easiest way to launch massive traffic attacks, and randomly forged source IPs are hard to trace. They are, however, relatively easy to filter: most IPs do not provide any UDP service, so UDP traffic can simply be dropped. Pure UDP traffic attacks are therefore now relatively rare; what has replaced them is the DNS Query Flood attack carried over UDP. In short, the higher the protocol layer, the harder it is to defend against DDoS, because a higher layer is more tightly bound to the business and the defence system faces more complexity.
In a DNS Query Flood the attacker controls a large number of puppet machines (bots) and launches massive volumes of domain-name queries at the target. To defeat ACL-based filtering, the packets have to be made as random as possible: the common method is to randomly forge the source IP address and source port at the UDP layer, and the query ID and the domain name to be resolved at the DNS layer. Randomizing the queried domain name not only defeats filtering but also lowers the chance of hitting the DNS cache, consuming as much of the DNS server's CPU as possible.
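The signature just described (never-repeating, high-entropy query names under one zone, arriving from many sources) can be picked out of a resolver's query log. This added example is not from the article; the log line shape, the sample lines and the thresholds are all constructed for illustration.

```python
import hashlib, math, re
from collections import defaultdict

# Constructed log line shape: "<time> <src_ip>#<src_port> query: <qname> IN <qtype>"
LINE_RE = re.compile(r"^(\S+) (\S+)#(\d+) query: (\S+) IN (\S+)$")

def label_entropy(label):
    """Shannon entropy in bits per character; randomized labels score high."""
    label, n = label.lower(), max(len(label), 1)
    probs = [label.count(ch) / n for ch in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def zone_of(qname):  # registered zone approximated as the last two labels
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def analyse(lines):
    """Per zone: query count, share of distinct names, source IPs, mean label entropy."""
    acc = defaultdict(lambda: {"queries": 0, "names": set(), "sources": set(), "ent": 0.0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, src_ip, _port, qname, _qtype = m.groups()
        s = acc[zone_of(qname)]
        s["queries"] += 1
        s["names"].add(qname.lower())          # repeated names would be cache hits
        s["sources"].add(src_ip)
        s["ent"] += label_entropy(qname.split(".")[0])
    return {z: {"queries": s["queries"],
                "unique_name_ratio": len(s["names"]) / s["queries"],
                "sources": len(s["sources"]),
                "mean_entropy": s["ent"] / s["queries"]} for z, s in acc.items()}

def suspicious_zones(report, min_queries=20, min_unique=0.9, min_entropy=2.0):
    """Zones with many queries that almost never repeat and carry high-entropy
    leftmost labels: the random-subdomain flood signature described above."""
    return sorted(z for z, r in report.items() if r["queries"] >= min_queries
                  and r["unique_name_ratio"] >= min_unique and r["mean_entropy"] >= min_entropy)

# Constructed sample: 30 never-repeating hash-derived labels under example.com from
# 30 sources (standing in for randomized names), versus 25 queries for two real
# names under good.example from 10 sources.
SAMPLE = [f"2023-10-10T13:55:{i:02d} 198.51.100.{i + 1}#{40000 + i} query: "
          f"{hashlib.sha256(str(i).encode()).hexdigest()[:12]}.example.com IN A"
          for i in range(30)] + [
          f"2023-10-10T13:56:{i:02d} 203.0.113.{i % 10}#{50000 + i} query: "
          f"{('www', 'mail')[i % 2]}.good.example IN A" for i in range(25)]

if __name__ == "__main__":
    print(suspicious_zones(analyse(SAMPLE)))   # ['example.com']
```

The unique-name ratio is the decisive signal: a busy legitimate zone repeats a small set of names and is served from cache, whereas the flood pattern defeats the cache by construction.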