In simple terms DDoS attack defense - attack articles

1. DDoS attack basis

The main purpose of a Distributed Denial of Service (DDoS) attack is to make the specified target unable to provide normal services or even disappear from the Internet. It is one of the strongest and most difficult to defend attacks.

According to the way initiated, DDoS can be simply divided into three categories.

The first category to win, massive data packets from all corners of the Internet flocked to plug the IDC entrance, so that a variety of powerful hardware defense systems, rapid and efficient emergency process no useless. Typical representatives of this type of attack are ICMP Flood and UDP Flood, which are now uncommon.

The second type of skill to win, clever and difficult to detect, send a packet every few minutes or even just need a package, you can let the luxury configuration server no longer respond. Such attacks are mainly initiated by exploiting protocol or software vulnerabilities, such as Slowloris attack, Hash collision attack, etc., which need to happen in a specific environment.

The third category is a mixture of the above two, Brisk and vigorous both, both the use of the agreement, the system flaws, but also with the massive traffic, such as SYN Flood attacks, DNS Query Flood attacks, is the current mainstream attack .

This article will describe each of these most common and representative attacks and describe their defenses.

1.1. SYN Flood

SYN Flood is one of the most classic DDoS attacks on the Internet. It first appeared around 1999 and Yahoo was the most famous victim of the time. The SYN Flood attack takes advantage of TCP's three-way handshake, making the target server unresponsive and difficult to trace at a fraction of the cost.

Standard TCP three handshake process is as follows:

l The client sends a TCP packet containing the SYN flag. The SYN is synchronized. The synchronization packet indicates the port used by the client and the initial sequence number of the TCP connection.

l After receiving the SYN packet from the client, the server will return a SYN + ACK packet indicating that the client's request is accepted and the initial TCP sequence number is incremented automatically.

l The client also returns a confirmation message ACK to the server, the same TCP sequence number is incremented.

After these three steps, TCP connection is established. TCP protocol in order to achieve reliable transmission, in the process of three-way handshake to set up some exception handling mechanism. In the third step, if the server does not receive the final ACK packet from the client, it will always be in the SYN_RECV state, add the client IP to the waiting list, and retransmit the SYN + ACK packet in the second step. Resend the general 3-5 times, about 30 seconds intervals to poll waiting list retry all clients. On the other hand, after the server sends a SYN + ACK message, the server pre-allocates resources to prepare for storing information about the TCP connection to be established. The resource is reserved for waiting for the retry period. More importantly, the server resources are limited, the SYN_RECV can maintain the state exceeds the limit no longer accept the new SYN message, that is, refuse to establish a new TCP connection.

SYN Flood is the use of the above TCP protocol settings to achieve the purpose of the attack. An attacker disguised a large number of IP addresses to send SYN packets to the server. Since counterfeit IP addresses are almost impossible to exist, almost no device will return any response to the server. Therefore, the server will maintain a huge waiting list, keep retrying to send SYN + ACK packets, and occupy a large amount of resources can not be released. More crucially, the attacked server's SYN_RECV queue is filled with malicious packets, no longer accepting new SYN requests, and legitimate users can not complete the three-way handshake to establish a TCP connection. In other words, this server is denied service by SYN Flood.

Interested in the SYN Flood can look at http://www.icylife.net/yunshu/show.php?id=367 This is my code written in 2006, and later made several changes to modify the Bug, and Reduced aggressiveness, purely for testing use.

1.2. DNS Query Flood

As the most basic and core service of the Internet, DNS is also one of the important targets of DDoS attacks. Breaking down a DNS service can indirectly destroy the entire business of a company or break down a regional network service. Sometime ago, the thunderstruck hacker organization anonymous also announced 13 root DNS servers to attack the global Internet, but ultimately failed.

UDP attack is the most easy to launch massive traffic attacks, and the source IP random forgery is difficult to trace. However, it is easier to filter because most IPs do not provide UDP services and discard UDP traffic directly. So now pure UDP traffic attacks are rare, replaced by UDP protocol hosted DNS Query Flood attacks. In short, the more difficult a DDoS attack is to be launched on the upper layer protocol, the more it is associated with the service and the more complicated the defense system is.

DNS Query Flood is the attacker to manipulate a large number of puppet machines, launched a massive request for domain name query on the target. To prevent ACL-based filtering, you must increase the randomness of packets. Commonly used method is UDP layer randomly forged source IP address, randomly forged source port and other parameters. At the DNS protocol layer, the query ID is randomly forged and the domain name to be resolved. Randomly forged domain name to be resolved In addition to preventing filtering, but also reduce the possibility of hitting the DNS cache, as much as possible to consume the DNS server's CPU resources.

Code on the DNS Query Flood, I wrote a code in July 2011 in order to test server performance, the link is http://www.icylife.net/yunshu/show.php?id=832. Similarly, this code is man-made to reduce aggression, for testing purposes only.

1.3. HTTP Flood

The SYN Flood and DNS Query Flood described above have been effectively defended at this stage. HTTP Flood attacks are the real headache for all major vendors and Internet companies. HTTP Flood is an attack on the Layer 2 protocol for Web services. Its great harm mainly in three aspects: easy to launch, filtration difficulties, far-reaching impact.

Both SYN Flood and DNS Query Flood require an attacker to control large numbers of puppets with root privileges. It takes time and effort to collect a lot of root privileges puppet machine, and the puppet opportunity in the attack process due to traffic abnormalities found by the administrator, the attacker's rapid loss of resources and make-up slow, resulting in significantly reduced attack strength and can not be long-term sustainability. HTTP Flood attacks are different. The attacker does not need to control a large number of puppets. Instead, the port scanning program searches for an anonymous HTTP proxy or SOCKS proxy on the Internet. The attacker initiates an HTTP request to the attack target through anonymous proxy. Anonymous proxy is a rich resource, it takes a few days to obtain the proxy is not difficult, so the attack is easy to launch and can be sustained long-term high-intensity.

On the other hand, HTTP Flood attacks originate at the HTTP layer and try to mimic the normal web page request behavior of the normal users, which is closely related to the website business. Therefore, it is very difficult for a security vendor to provide a universal solution that does not affect the user experience. Rules that work well in one place can result in a large number of manslaughts for another scene.

Finally, HTTP Flood attacks can cause a serious chain reaction, increasing the pressure on them not only by slow response to the attacked web front end, but also by indirectly attacking back-end business layer logic such as Java and back-end database services, and even Have an impact on the log storage server.

Interestingly, HTTP Flood has a rather historical nickname called CC Attack. CC is the abbreviation of Challenge Collapsar, a DDoS defense device of a famous domestic security company. From the current situation, not only Collapsar, all the hardware defenses are still being challenged, the risk has not been lifted.

1.4. Slow connection attack

To attack, the first reaction is massive traffic, massive messages. However, there is an attack that is done in the opposite direction, so slow that some targets are killed and do not know how to die. This is a slow connection attack, most notably the invention of Slowloris by rsnake .

HTTP protocol stipulates that the HTTP Request end with \ r \ n \ r \ n indicates that the client sends the end, the server starts processing. So what happens if you never send \ r \ n \ r \ n? Slowloris is to use this to do DDoS attacks. An attacker set Connection to Keep-Alive in the HTTP request header, and asked the Web server to keep the TCP connection open. Then, it slowly sends a key-value data to the server every few minutes, for example, a: b \ r \ n, causing the server to wait until the HTTP header has not received. If an attacker uses a multithreaded or puppet machine to do the same thing, the server's web container quickly becomes compromised by the attacker's TCP connection and no longer accepts new requests.

Very quickly, Slowloris begins to appear in a variety of variants. For example, the POST method submits data to the Web Server, populates a large Content-Length but a slow byte-by-byte POST real data content and so on. For a Slowloris attack, rsnake also gives a test code, see http://ha.ckers.org/slowloris/slowloris.pl.

2. DDoS attacks advanced

2.1. Mixed attacks

Above describes several basic means of attack, any one of them can be used to attack the network, or even destroy Ali, Baidu, Tencent such a giant site. But these are not all. Different levels of attackers can launch totally different DDoS attacks, use the wonderful things, and keep one heart.

Advanced attackers never use a single means of attack, but according to the flexible combination of the target environment. Ordinary SYN Flood is easily filtered by the traffic cleaning device through reverse probing, SYN Cookie and other technical means. However, if a SYN SYN packet is mixed with a SYN packet, each forged SYN packet has a corresponding Fake client acknowledgment packet, where the corresponding source IP address, source port, destination IP, destination port, TCP window size, TTL and so on are consistent with the same host with a TCP Flow features, reverse flow cleaning equipment Probe and SYN Cookie performance pressure will be significantly increased. In fact, SYN data packets with a variety of other flag bits, have a special attack effect, not introduced here. There are also unique tips for DNS Query Flood.

First of all, the DNS can be divided into ordinary DNS and authorized domain DNS to attack common DNS. The IP address needs to be randomly forged and the server is required to perform recursive resolution. However, the attack authorized domain DNS and forged source IP address should not be purely random, Instead, it should be the DNS address of the ISP collected beforehand in order to achieve the maximum attack effect, so that the traffic cleaning device is in an awkward situation of adding an IP blacklist or not adding an IP blacklist. Addition will lead to a large number of manslaughter, without adding a blacklist, each packet needs to be reverse probing to increase performance pressure.

On the other hand, it is mentioned above that in order to increase the pressure on the cleaning equipment, cache caching needs to be randomized and the requested domain name needs to be randomized. However, it should be noted that the domain name to be resolved must have a certain regularity in counterfeit, for example, Part of the domain name and part of the curing, used to break the white list cleaning equipment settings. The reason is very simple, Tencent server can only resolve Tencent's domain name, completely random domain name may be directly discarded, you need to cure. However, if it is completely fixed, it can easily be discarded directly, so part of it needs to be forged again.

Second, DNS attacks should not only focus on UDP ports, but TCP ports are also standard services under the DNS protocol. In the attack, UDP and TCP attacks can be carried out simultaneously.

The key point of HTTP Flood lies in breaking the front-end cache and directly reaching the Web Server itself through setting fields in the HTTP header. In addition, the HTTP Flood target selection is also very crucial, the average attacker will choose to search such as the need to do a lot of data query page as a target, which is very correct, you can consume as much server resources. However, this attack can easily be identified by the cleaning equipment by means of human-machine identification. How to solve this problem? Very simple, try to choose normal users also visit the APP page, in general, is a variety of Web API. Normal users and malicious traffic are from APP, human-computer differences are small, the basic integration difficult to distinguish.

Slow attack, such as through clever means to occupy the connection is not released to achieve the purpose of attack, but this is also a double-edged sword, each TCP connection exists in both the server itself, also need to consume resources to maintain the TCP state , So the connection can not be kept too much. If you can solve this, the attack will be greatly enhanced, which means that Slowloris can attack in a stateless manner, the client sniffing to capture the TCP serial number and confirm the maintenance of TCP connections, the system kernel without paying attention to the TCP The state changes, a laptop can generate up to 65535 TCP connections.

As described above, all of them are attacks at the technical level. There are other ways people can do it. If SYN Flood sends a large number of packets frontal assault, supplemented by Slowloris slow connection, how many people can discover the secret? Even if the server is down may also only found the SYN attack would like to strengthen the TCP layer cleaning and ignore the application layer behavior. A variety of attacks can work together to achieve the maximum effect. Attack time of choice, but also a key, for example, choose to maintain the lunch time, maintenance staff stuck in the road or wireless network card in the subway there is no signal when the target business in large-scale activities such as the surge in traffic.

Described here is purely a attack, so do not provide code, nor do in-depth introduction.

2.2. Attacks from P2P networks

In front of the attack, more or less need some puppet machine, even HTTP Flood also need to search a large number of anonymous agents. If there is an attack, only need to issue some instructions, there are machines automatically come up to perform, is the perfect solution. This attack has emerged, that is from the P2P network attacks.

As we all know, P2P users and traffic on the Internet are all extremely large numbers. If they all go to a designated place to download data, so that tens of thousands of real IP addresses are connected, no device can support it. Take BT download, forging some popular video seeds, published to the search engine, is enough to fool a lot of users and traffic, but this is only a basic attack.

Advanced P2P attacks, is a direct fraud to the resource management server. For example, a Thunder client uploads the discovered resource to the resource management server and then pushes it to other users who need to download the same resource, so that a link is released. Through the agreement reverse, the attacker forged a large number of popular resource information distributed through the resource management center, can instantly spread throughout the entire P2P network. Even more frightening is that this attack can not be stopped, even if the attacker can not stop itself, the attack continued until the P2P official discovery problem update server and download the user to restart the download software.

3 summary

Due to space limitations, the introduction of DDoS attacks is so drafting, and I'm not willing to elaborate on it anymore - it's enough to understand that defense.

In general, DDoS attacks can be smart and graceful. Use of the wonderful, keep one heart.