DDoS attack, the full name is distributed denial of service. Generally speaking, it means that the attacker uses "broilers" (compromised zombie hosts) to send a large number of requests to the target website in a short time, consuming the target's host resources on a large scale so that it can no longer serve normally. Online games, Internet finance and similar fields are high-incidence industries for DDoS attacks.
A distributed denial of service (DDoS) attack uses client/server technology to combine multiple computers into one attack platform and launch DoS attacks against one or more targets, which multiplies the power of a denial of service attack. Usually, the attacker uses a stolen account to install the DDoS master program on a computer. At a set time, the master program communicates with a large number of agents that have already been installed on many computers across the network, and each agent attacks when it receives the instruction. Using client/server technology, the master can activate hundreds of agents within a few seconds.
Of the three elements of information security, "confidentiality", "integrity" and "availability", a DoS (denial of service) attack aims at "availability". The attack exploits defects in the target system's network service functions or directly consumes system resources, so that the target system can no longer provide normal service.
There are many kinds of DDoS attacks. The most basic DoS attack uses reasonable-looking service requests to occupy too many service resources, so that legitimate users cannot get a response from the service. A single DoS attack usually works one-to-one; when the target has a slow CPU, little memory, low network bandwidth or other low-performance indicators, its effect is obvious. As computer and network technology developed, processing capacity grew rapidly, memory increased greatly, and gigabit-level networks appeared, which made DoS attacks more difficult: the target's ability to "digest" malicious attack packets was strengthened a lot. At this point, the distributed denial of service attack (DDoS) came into being. DDoS uses more puppet machines (also known as "broilers") to launch attacks on victims on a larger scale than before.
The most common DDoS attack exploits the TCP three-way handshake. Communication over TCP must be negotiated before it begins, and that negotiation is the three-way handshake. Under normal circumstances, the client sends a SYN packet to indicate that it wants to communicate; after receiving the SYN packet, the server responds with a SYN-ACK confirmation packet; the client then responds with an ACK confirmation packet. The three handshakes complete the negotiation, and formal communication follows. When a hacker wants to carry out this kind of DDoS attack, he manipulates many botnet hosts to send SYN packets to the attacked server. When the server replies with its SYN-ACK confirmation packet, the botnet hosts never respond, so the server keeps the half-open connection and waits. Each such half-open connection consumes server resources; with a large number of half-open connections, the server stops working normally.
There are also DDoS attacks based on UDP. UDP is a connectionless protocol: if a vulnerable port is open on the server and a large number of useless UDP packets are sent to it, the server can be flooded quickly. ICMP-based DDoS attacks work on a similar principle.
Symptoms of a DDoS attack:
1. There are a large number of waiting (half-open) TCP connections on the attacked host;
2. There are a large number of useless packets in the network;
3. The source address is forged to create high volumes of useless traffic, causing network congestion so that the victim host cannot communicate normally with the outside world;
4. Defects in the transport protocol provided by the victim host are exploited by sending specific service requests repeatedly at high speed, so that the host cannot handle all of its normal requests;
5. In serious cases, the system crashes.
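The first symptom above, a pile-up of half-open connections left behind by the SYN flood described earlier, is visible directly in the kernel's socket table. The following is an added example (not code from the original article): it parses constructed output in the column layout of `ss -tan`, counts SYN-RECV connections on a listening port, and flags two signals at once, a single peer holding many half-open connections and a high ratio of half-open to established connections. The sample text, the 443 port, and the thresholds are all assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample in the column layout of `ss -tan` output
# (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port).
# Two real clients are established; twelve half-open connections come from
# twelve different (spoofed) sources, as in a distributed SYN flood.
def constructed_sample():
    lines = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port",
             "ESTAB 0 0 10.0.0.5:443 203.0.113.10:50211",
             "ESTAB 0 0 10.0.0.5:443 203.0.113.11:50390"]
    for i in range(12):
        lines.append(f"SYN-RECV 0 0 10.0.0.5:443 198.51.100.{i + 1}:4100{i % 10}")
    return "\n".join(lines)


def parse_ss(text):
    """Return (state, local, peer_ip) tuples from `ss -tan`-style text."""
    conns = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        peer_ip = peer.rsplit(":", 1)[0]          # strip the port; keeps the [v6] form
        conns.append((state, local, peer_ip))
    return conns


def half_open_report(conns, port="443", per_source_limit=20, ratio_limit=3.0):
    """Summarise half-open (SYN-RECV) load on one listening port.

    Two signals are combined: any single peer holding many half-open
    connections, and the ratio of half-open to established connections.
    The ratio matters because a distributed flood with spoofed sources
    keeps every per-source count small.
    """
    on_port = [c for c in conns if c[1].endswith(":" + port)]
    half_open = [c for c in on_port if c[0] == "SYN-RECV"]
    established = [c for c in on_port if c[0] == "ESTAB"]
    by_source = Counter(peer for _, _, peer in half_open)
    noisy = {ip: n for ip, n in by_source.items() if n >= per_source_limit}
    ratio = len(half_open) / max(len(established), 1)
    return {
        "half_open": len(half_open),
        "established": len(established),
        "ratio": ratio,
        "noisy_sources": noisy,
        "suspect": bool(noisy) or ratio >= ratio_limit,
    }


if __name__ == "__main__":
    print(half_open_report(parse_ss(constructed_sample())))
```

On a live Linux host the same input comes from `ss -tan`; the kernel-side mitigation for exactly this condition is SYN cookies (`net.ipv4.tcp_syncookies`), which let the server answer SYNs without keeping per-connection state until the final ACK arrives.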
Knowing the types and harm of DDoS attacks, we should prevent them effectively; if prevention is not done well, it is already too late once the harm is discovered. Next, taking the prevention of TCP-based DDoS attacks as an example, this article gives a brief explanation.
One characteristic of a DDoS attack is that it suddenly produces huge attack traffic. With the help of traffic monitoring equipment, the emergence of abnormal traffic can be discovered in time.
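The "sudden huge traffic" signal is simple to monitor once a baseline exists. The following is an added example (not from the original article) of the kind of rule a traffic monitor applies: per-second packet counts are smoothed with an exponentially weighted moving average, and a second whose count is several times the baseline is flagged. Alerting seconds are deliberately kept out of the baseline so a sustained flood cannot teach the detector that the flood is normal. The sample counts, the smoothing factor and the thresholds are constructed assumptions.

```python
def detect_surges(samples, alpha=0.2, multiplier=4.0, min_pps=5000, warmup=5):
    """Flag seconds whose packet rate is far above a smoothed baseline.

    samples: list of (timestamp, packets_per_second) pairs in time order.
    The baseline is an exponentially weighted moving average (EWMA).
    Seconds that trigger an alert are NOT folded into the baseline.
    min_pps avoids alerts on tiny absolute counts, and warmup gives the
    baseline a few samples to settle before any alert is possible.
    Returns a list of (timestamp, pps, baseline) for each alerting second.
    """
    baseline = None
    alerts = []
    for i, (ts, pps) in enumerate(samples):
        if baseline is None:
            baseline = float(pps)
            continue
        is_surge = i >= warmup and pps >= min_pps and pps > multiplier * baseline
        if is_surge:
            alerts.append((ts, pps, baseline))
            continue                      # freeze the baseline during the surge
        baseline = alpha * pps + (1 - alpha) * baseline
    return alerts


# Constructed per-second counts: about 1000 pps of normal traffic for 20 s,
# then a flood of roughly 50000 pps for 5 s.
CONSTRUCTED_SAMPLES = ([(t, 1000 + (t % 3) * 20) for t in range(20)] +
                       [(t, 50000 + (t % 2) * 500) for t in range(20, 25)])


if __name__ == "__main__":
    for ts, pps, base in detect_surges(CONSTRUCTED_SAMPLES):
        print(f"t={ts}s pps={pps} baseline={base:.0f}")
```

In practice the counts would come from an interface counter, NetFlow/sFlow export, or a packet-capture pipeline, and the alert would be the trigger for the traffic cleaning described later.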
Characteristics of mainstream DDoS defense methods
Advanced defense equipment room
The advanced anti-DDoS computer room adopts the most traditional DDoS defense scheme. By increasing the ingress bandwidth and deploying DDoS protection equipment in the computer room, the traffic to the access server is matched against rules from a known feature (signature) library, and the network bandwidth is cleaned to realize the defense.
Advanced defense machine rooms are divided into operator rooms, IDC rooms and public cloud rooms.
Advanced defense + IP jump
With the development of Internet technology, DDoS attacks have become easier and easier to launch, and the scale of attacks keeps growing. For a traditional advanced defense computer room, this means more network bandwidth and higher protection costs.
Therefore, on the basis of the advanced defense equipment room, some vendors have launched an upgraded scheme: advanced defense room + IP jump. This scheme has several characteristics:
1. End-cloud integration: an SDK integrated on the client side and a distributed array of protection nodes in the cloud defend jointly.
2. Central scheduling: in front of the protection node array sits a scheduling center that collects the data reported by the client SDK and, according to real-time analysis, dynamically schedules protection nodes for attack isolation and defense.
3. IP jump: when the IP address of a protection node is knocked out by an attack, the scheduling center redirects the traffic to the protection node with the next IP, and so on in a cycle. When all the nodes purchased by the customer have been paralyzed by the attack, the traffic is imported into the advanced anti-DDoS machine room for protection.
4. Hierarchical isolation reduces the impact: the customer classifies end users into levels, each corresponding to a different IP address pool. When an IP of one level is attacked, only the end users of that level are affected; users of other levels are not.
5. Exclusive resources: protection capacity is provided according to the number of protection nodes the customer purchases. The protection nodes purchased by a game vendor are exclusive to that vendor.
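The scheduling center, the IP jump and the per-level isolation in points 2 to 4 fit in one small piece of logic. The following is an added example (not the code of any vendor's product): each user level owns its own pool of protection-node IPs, traffic for a level goes to the first healthy node in its pool, an attacked node causes a jump to the next one, and only when the whole pool is down does the level fall back to the advanced defense room. The node IPs and level names are constructed placeholders.

```python
class JumpScheduler:
    """Scheduling center for the advanced-defense + IP-jump scheme.

    Each user level owns its own pool of protection-node IPs. Traffic for a
    level goes to the first healthy node in its pool; when that node is
    knocked out, the level jumps to the next one. Only when every node in the
    pool is down does the level fall back to the advanced defense machine
    room. Levels never share nodes, so an attack on one level leaves the
    others untouched.
    """

    FALLBACK = "advanced-defense-room"   # constructed label for the hard-defense fallback

    def __init__(self, pools):
        self.pools = {level: list(ips) for level, ips in pools.items()}
        self.down = set()
        self.log = []                      # (level, attacked_ip, new_target)

    def route(self, level):
        """Current target for a level: first healthy node, else the fallback."""
        for ip in self.pools[level]:
            if ip not in self.down:
                return ip
        return self.FALLBACK

    def report_attacked(self, ip):
        """Monitoring reports a saturated node IP; returns the affected levels."""
        self.down.add(ip)
        affected = [level for level, ips in self.pools.items() if ip in ips]
        for level in affected:
            self.log.append((level, ip, self.route(level)))
        return affected

    def restore(self, ip):
        """Node recovered (or a fresh IP was assigned in its slot)."""
        self.down.discard(ip)


# Constructed pools: documentation-range IPs, two levels with two nodes each.
CONSTRUCTED_POOLS = {
    "vip":  ["198.51.100.1", "198.51.100.2"],
    "free": ["198.51.100.10", "198.51.100.11"],
}


if __name__ == "__main__":
    s = JumpScheduler(CONSTRUCTED_POOLS)
    s.report_attacked("198.51.100.1")
    s.report_attacked("198.51.100.2")
    print(s.log)                       # vip jumps to .2, then to the fallback
    print(s.route("free"))             # free level is unaffected
```

The client SDK's role in this scheme is to ask the scheduling center for its current target (`route`) and to report when the target stops answering, which feeds `report_attacked`.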
Full stack cloud
With the development of the Internet of Things, broilers, botnets and reflection attacks keep changing and developing; any device on the network can be used by attackers to form a super-large-scale DDoS attack. The advanced anti-DDoS + IP jump scheme can alleviate DDoS attacks to a great extent, but at the cost of some user experience. Moreover, this scheme still needs the cooperation of the advanced defense room, so it cannot escape the dependence on, and limits of, protection bandwidth, and the cost is high.
Since 2017, a new full-stack cloud DDoS defense scheme has been proposed. It is more intelligent and more active than the advanced defense + IP jump scheme, and in theory there is no upper limit on the protected traffic. It mainly has the following features:
1. No advanced defense: it abandons the constraints of the advanced defense equipment room, does not rely on bandwidth resources, and there is no hardware anti-DDoS link anywhere in the process.
2. End-cloud collaboration: the client needs to integrate the SDK, and defense is carried out through the linkage between the SDK and the cloud protection nodes.
Compared with the previous two schemes, the full-stack cloud scheme has obvious advantages.
If this is hard to follow, let's look at these solutions through a restaurant analogy:
Advanced defense server
Take the Laoshan paomo restaurant I opened as an example. The advanced defense server is like adding two security guards to the paomo restaurant: they protect the shop from being harassed by hooligans, and they patrol around the shop regularly to prevent such harassment.
An advanced defense server mainly refers to a server that can independently withstand (hard-defend) more than 50Gbps of attack traffic. It helps a website resist denial of service attacks and regularly scans the network master nodes. It is a good thing, but hiring people is expensive.
Blacklist
Facing the hooligans in the paomo restaurant, I took their photos and banned them from entering the shop. However, sometimes people who merely looked like them were also refused entry. This is setting up a blacklist. The method follows the principle of "better to wrongly block a thousand than let one slip through". The disadvantage is that it also blocks normal traffic and affects normal business.
DDoS cleaning
DDoS cleaning is like kicking a customer out of the store when he or she has been inside for a few minutes but never orders.
DDoS cleaning will monitor the user's request data in real time, detect DoS attacks and other abnormal traffic in time, and clean up these abnormal traffic without affecting the normal business development.
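The difference between the blacklist and cleaning is easiest to see in code. The following is an added example (not from the original article): a blacklisted source is dropped at the door, while every other source gets a per-source token bucket, so a flooding source is throttled to a trickle while a normal client at a sane request rate is never dropped. The request log, source IPs, bucket capacity and refill rate are constructed assumptions.

```python
from collections import defaultdict


class Scrubber:
    """Per-source token-bucket 'cleaning' plus an explicit blacklist.

    A blacklisted source is dropped outright (the coarse 'photo at the door'
    rule). Every other source gets a bucket of `capacity` requests that
    refills at `rate` tokens per second; a request that finds the bucket
    empty is dropped. A flooding source is therefore throttled to roughly
    `rate` requests per second, while a normal client never notices.
    """

    def __init__(self, capacity=20, rate=5.0, blacklist=()):
        self.capacity = capacity
        self.rate = rate
        self.blacklist = set(blacklist)
        self.buckets = {}                  # ip -> (tokens, last_timestamp)

    def allow(self, ip, now):
        if ip in self.blacklist:
            return False
        tokens, last = self.buckets.get(ip, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[ip] = (tokens - 1, now)
            return True
        self.buckets[ip] = (tokens, now)   # remember the refill time even on drop
        return False


def scrub(requests, scrubber):
    """requests: iterable of (timestamp, source_ip) in time order.

    Returns {source_ip: (allowed, dropped)}.
    """
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in requests:
        stats[ip][0 if scrubber.allow(ip, ts) else 1] += 1
    return {ip: tuple(counts) for ip, counts in stats.items()}


# Constructed request log: one normal client at 1 request/s for 10 s, one
# flooding source at 200 requests/s for 10 s, and one source that was
# blacklisted after an earlier incident and sends 3 requests.
def constructed_requests():
    reqs = [(t * 1.0, "203.0.113.10") for t in range(10)]
    reqs += [(t / 200.0, "198.51.100.7") for t in range(2000)]
    reqs += [(t * 1.0, "192.0.2.99") for t in range(3)]
    return sorted(reqs)


if __name__ == "__main__":
    scrubber = Scrubber(blacklist={"192.0.2.99"})
    for ip, (ok, dropped) in scrub(constructed_requests(), scrubber).items():
        print(f"{ip}: allowed={ok} dropped={dropped}")
```

The flooder gets its initial burst of 20 plus about 5 per second afterwards (69 of 2000 requests over 10 seconds), the normal client loses nothing, and the blacklisted source loses everything, including any legitimate request it might have made. That last point is the blacklist's "wrongly block a thousand" cost in concrete form.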
CDN acceleration
CDN acceleration can be understood this way: to reduce harassment by hooligans, I simply moved the restaurant online to run a takeout service, so the hooligans cannot find where the shop is and have nowhere to cause trouble.
In reality, a CDN service distributes the website's traffic across many nodes. On the one hand, it hides the real IP of the website; on the other hand, even under a DDoS attack it can disperse the traffic across the nodes so that the origin site does not collapse.