What is a DDoS
DDoS is an abbreviation of Distributed Denial of Service. What is a denial of service? Any action that prevents legitimate users from accessing network services is a denial-of-service attack. In other words, the purpose of a denial-of-service attack is clear: to prevent legitimate users from accessing normal network resources, and thereby to achieve the attacker's hidden goal.
Once a distributed denial-of-service attack is launched, attack packets flood the victim host from many DoS attack sources. The requests from legitimate users are drowned out, and legitimate users can no longer reach the server's network resources.
DDoS attack types
- Reflective
In general, depending on the protocol and the attack technique, DDoS attacks are classified as SYN Flood, ACK Flood, Connection Flood, UDP Flood, NTP Flood, SSDP Flood, DNS Flood, HTTP Flood, ICMP Flood, CC Flood and other types of attack.
Each type of attack has its own characteristics, and the reflective DDoS attack is a newer variant. The attacker's IP does not attack the target service directly. Instead, the attacker uses servers on the Internet that expose certain special services: it forges the victim's IP address as the source, sends crafted request packets to those servers, and the servers reply with response data several times the size of the request, delivered to the attacked IP. The result is an indirect DDoS attack on the victim.
In the diagram that accompanied this section, the Attacker (who in reality would most likely attack through puppet machines) does not send attack packets directly to the Victim. Instead it impersonates the Victim and sends its requests to the Amplifiers, which then reflect the responses back to the Victim.
In a reflection attack, the attacker exploits defects or vulnerabilities in network protocols to spoof IP addresses, mainly because many protocols (such as ICMP and UDP) do not authenticate the source IP address. At the same time, to achieve a stronger effect, attackers generally choose protocol services with an amplification effect.
To sum up, reflection attacks combine IP spoofing, reflection and amplification, achieving a large effect with little effort (in the Chinese idiom, "four ounces moving a thousand catties"). Common reflection attacks include DNS reflection, NTP reflection, and SSDP reflection attacks.
Note: a SYN Flood with a forged source IP address gets no amplification: the traffic the reflecting host receives and the traffic the attack target receives are 1:1, so the return on the traffic is low.
- Traffic amplification
An attack type that amplifies traffic through recursion. Take the SSDP protocol as an example: the attacker sets the Search type to ALL, which searches for all available devices and services. The amplification effect of this recursion is very large; the attacker only needs to forge the source address of a small amount of query traffic to produce response traffic dozens or even hundreds of times larger, sent to the target.
- Hybrid
In reality, the attacker's only goal is to bring down the other side. Today, advanced attackers do not tend to rely on a single attack method; they cleverly combine multiple attack techniques according to the specific environment of the target system.
For example, TCP and UDP attacks, and network-layer and application-layer attacks, are launched at the same time. Such attacks not only carry massive traffic but also exploit defects in protocols and systems. For the target, the cost of analyzing, responding to and handling a distributed attack that mixes different protocols and resources rises greatly.
- Pulse wave
This is a new DDoS attack method that causes problems for some DDoS mitigation solutions, because it lets attackers hit servers that were previously considered safe. The technique is named pulse wave because the attack traffic pattern looks like discrete, repeated pulses. A conventional attack usually takes the shape of a slanted triangle with a peak and a base, which shows the attacker slowly assembling the bots and aiming them at the target.
A pulse wave attack instead starts at zero, reaches its maximum in a very short time span, returns to zero, then returns to maximum again, and the cycle repeats with very short intervals in between. Pulse-wave DDoS attacks are relatively difficult to defend against because the pattern avoids the conditions that trigger automated defense mechanisms.
- Link flood
As DDoS attack techniques have developed, a new attack mode, the Link Flooding Attack, does not attack the target directly but congests the upstream link of the target network. For an enterprise network that uses IP Anycast, regular DDoS attack traffic is spread across infrastructure at different addresses, which effectively relieves heavy-traffic attacks. Attackers therefore devised a new method: attack the penultimate hop on the traceroute to the target network, that is, the upstream route, causing link congestion.
Common DDoS attack methods
DDoS attacks can be classified into network-layer and application-layer attacks, and into fast (high-traffic) and slow attacks. Either way, the result is resource overload and service unavailability.
Network layer DDoS attacks
Common DDoS attacks at the network layer include SYN Flood, ACK Flood, Connection Flood, UDP Flood, ICMP Flood, TCP Flood, and Proxy Flood.
- SYN Flood attack
The SYN Flood attack exploits a defect of TCP by sending a large number of forged TCP connection requests, exhausting the victim's resources (CPU fully loaded or memory insufficient). Establishing a TCP connection requires a three-way handshake: the client sends a SYN packet, the server accepts the request (SYN-ACK), and the client confirms it (ACK).
In a SYN Flood, a user appears to crash or disconnect suddenly after sending its SYN to the server, so the server never receives the acknowledgement from the client after sending its reply (the third step of the handshake fails). The server then retries and waits for at least 30 seconds before discarding the incomplete connection.
One abnormal user causing a server thread to wait a while is not a big problem. But a malicious attacker simulates a large number of source IP addresses and sends crafted SYN packets; the server then has to maintain tens of thousands of half-open connections, which consumes a lot of resources, and it is often too busy to handle normal customer requests, or even crashes. From a normal customer's point of view, the site is unresponsive and inaccessible.
- ACK Flood
The ACK Flood attack is launched after the TCP connection is established. All TCP packets in an established connection carry the ACK flag. When a host receives a packet with the ACK flag, it needs to check whether the connection four-tuple represented by the packet exists; if so, it checks whether the state represented by the packet is valid, and then passes the packet to the application layer. If the packet is found to be invalid (for example, its destination port is not open on the local host), the host OS responds with an RST packet to tell the peer that the port does not exist.
Here the server does two things: a table lookup and an ACK/RST response. Compared with SYN packets, ACK packets put a much smaller load on the host and the firewall, so this attack is not as severe for the server as a SYN Flood. An attacker therefore has to use a large volume of ACK packets, and only when the rate of ACK packets sent per second reaches a certain level does the load on the host and firewall change noticeably.
When the packet rate is high, the host operating system spends a lot of effort receiving packets, determining their status, and actively responding with RST packets, so normal packets may not be processed in time. Clients then see slow page responses and a high packet loss rate. A stateful firewall, however, can effectively filter attack packets by judging whether the ACK packets are legitimate, with the help of its powerful hardware. Of course, if the attack traffic is very large, the firewall may be overwhelmed, because it must maintain a large number of connection state entries and check the state of a large number of ACK packets.
At present, ACK Flood is not a mainstream attack on its own; it is usually combined with other attacks.
- Connection Flood
Connection Flood is a typical and effective attack mode that uses small traffic to attack network services with large bandwidth. The attacker uses real IP addresses to initiate a large number of connections to the server and holds them open for a long time after they are established, so server resources stay occupied. As a result the server accumulates too many residual connections (in WAIT states), its efficiency drops, and its resources may even be exhausted, so it cannot respond to connections from other customers.
One variant sends a large number of connection requests to the server every second. This is similar to a SYN Flood with a fixed source IP address, except that real source IP addresses are used. Usually this can be handled by limiting the number of connections per second per source IP address on the firewall.
But there are now tools that use slow connections: it takes a few seconds to establish a connection with the server, and after the connection is established it is not released; junk data packets are sent to the server periodically so that the connection is kept alive for a long time. In this way one IP address can establish hundreds or thousands of connections to a server that can only handle a limited number of connections, producing a denial-of-service effect.
- UDP Flood attack
UDP is a connectionless protocol, so an attacker can forge a large number of source IP addresses and send UDP packets. In normal applications the UDP traffic in both directions is roughly the same, so this attack consumes the attacker's own resources as well as the target's.
- ICMP Flood attack
This is a large-volume traffic attack. Abnormal ICMP packets are sent continuously, occupying the target's bandwidth. It also consumes resources on the sending side, and many servers now disable ping (ICMP packets can be blocked at the firewall), so this approach is outdated.
- Smurf attack
This attack is similar to an ICMP Flood but subtly changes the process. A Smurf attack overwhelms the victim host with ICMP echo request packets whose reply address is set to the broadcast address of the victim network; all hosts on the network respond to the echo request, causing network congestion. The more complex Smurf variant changes the source address to that of a third-party victim, eventually crashing the third party.
Application-layer DDoS attacks
Application-layer DDoS attacks occur after the TCP handshake has completed at the network layer, when the application is processing requests. Common attacks include CC attacks, DNS Flood attacks, and slow connection attacks.
- CC attack
Challenge Collapsar (CC) is a DDoS attack, formerly known as the Fatboy attack, and is a common way of attacking websites. The CC attack has an interesting history. Collapsar was a Green Alliance Technology (NSFOCUS) product specializing in DDoS defense, with a high reputation in the field of denial-of-service attacks. To challenge Collapsar, hackers developed a tool called CC, short for Challenge Collapsar.
The principle of a CC attack is that proxy servers continuously send normal-looking requests to pages that consume a lot of the target system's resources, exhausting server resources until the server breaks down. Before launching a CC attack, the attacker therefore looks for pages that load slowly and consume more resources, for example pages that query the database or read and write files on disk. CC is a bit more technical than other DDoS attacks: the real source IP cannot be seen and no abnormal traffic is detected, yet the server cannot be connected to properly.
- Slowloris attack
Slowloris is a slow connection attack that exploits vulnerabilities or design flaws in the Web server to cause denial of service directly. Its principle: send HTTP requests to the server at a very low speed. Apache and other middleware set a maximum number of concurrent connections by default, and this attack holds connections open so that the server's connection pool saturates and becomes unavailable. Slowloris is similar to a SYN Flood, except that Slowloris works at the HTTP protocol level.
Slowloris PoC

```http
GET / HTTP/1.1\r\n
Host: Victim Host\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n
Content-Length: 42\r\n
```

A complete HTTP request header must end with two CRLF sequences (\r\n\r\n); this request has one fewer, so the server keeps waiting for the rest of the headers.
- Slow Attack
A Slow Attack is also a slow DoS attack: it consumes the server's system resources and connections so that the Web server cannot work normally. Common forms include Slow Headers, Slow Body, and Slow Read.
  - Slow Headers: a normal HTTP header ends with two CRLFs. By sending a malformed header request that contains only one CRLF, the attacker consumes all of the server's available connections, so the Web server saturates and rejects new requests.
  - Slow Read: request a large file from the server and then set the TCP sliding window to a small value, so the server transfers the file at a very slow speed. The server holds a large amount of memory for these transfers, resulting in denial of service.
  - Slow Body: when sending an HTTP POST to the server, specify a very large Content-Length, then send the body at a very low speed and keep the connection open, eventually saturating the server and making it unusable.
SlowHTTPTest, a dedicated test tool shipped with Kali Linux, implements all three Slow Attack modes.
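The server-side counterpart of the Slowloris PoC and the Slow Headers/Slow Body modes above is a read deadline for the header block and a minimum data rate for the body, which is what Apache's mod_reqtimeout enforces. The following is an added example (not code from the original post): a small guard that applies exactly those two checks to per-connection byte counts; the class name, thresholds and the constructed traffic in `demo()` are this example's own assumptions, and Slow Read (a receive-window problem) is out of its scope.

```python
HEADER_END = b"\r\n\r\n"  # blank line that terminates an HTTP header block

def content_length(head: bytes) -> int:
    """Parse Content-Length from a raw header block; 0 if absent or invalid."""
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            v = value.strip()
            return int(v) if v.isdigit() else 0
    return 0

class SlowRequestGuard:
    """Header deadline plus minimum body rate, the same idea as Apache's
    mod_reqtimeout; the thresholds are this example's assumptions."""

    def __init__(self, header_deadline=10.0, min_rate=500.0, window=5.0):
        self.header_deadline = header_deadline  # seconds allowed to finish the headers
        self.min_rate, self.window = min_rate, window  # bytes/s, grace seconds
        self.conns = {}

    def accept(self, cid, now):
        """Register a new connection; hdr_at is set once the blank line arrives."""
        self.conns[cid] = {"opened": now, "buf": b"", "hdr_at": None, "expect": 0, "got": 0}

    def feed(self, cid, data, now):
        """Account for bytes read from client `cid` at time `now` (seconds)."""
        c = self.conns[cid]
        if c["hdr_at"] is not None:
            c["got"] += len(data)
            return
        c["buf"] += data
        idx = c["buf"].find(HEADER_END)
        if idx != -1:  # header block complete; whatever follows is body
            c["hdr_at"] = now
            c["expect"] = content_length(c["buf"][:idx])
            c["got"] = len(c["buf"]) - idx - len(HEADER_END)
            c["buf"] = b""

    def verdict(self, cid, now):
        """'ok', 'complete', or the reason the connection should be dropped."""
        c = self.conns[cid]
        if c["hdr_at"] is None:  # Slowloris: the final CRLF never arrives
            return "slow headers" if now - c["opened"] > self.header_deadline else "ok"
        if c["got"] >= c["expect"]:
            return "complete"
        elapsed = now - c["hdr_at"]  # Slow Body: big Content-Length, trickled in
        if elapsed >= self.window and c["got"] / elapsed < self.min_rate:
            return "slow body"
        return "ok"

    def sweep(self, now):
        """Drop every slow connection; return {cid: reason}."""
        verdicts = {cid: self.verdict(cid, now) for cid in self.conns}
        dropped = {cid: v for cid, v in verdicts.items() if v not in ("ok", "complete")}
        for cid in dropped:
            del self.conns[cid]
        return dropped

def demo():
    """Constructed traffic: a Slowloris-style header, a trickling POST, a normal GET."""
    g = SlowRequestGuard(header_deadline=10.0, min_rate=100.0, window=5.0)
    g.accept("c1", 0.0)  # the page's PoC: header lines but never the blank line
    g.feed("c1", b"GET / HTTP/1.1\r\nHost: victim\r\nContent-Length: 42\r\n", 0.0)
    g.feed("c1", b"X-a: b\r\n", 8.0)  # keep-alive junk header, still no blank line
    g.accept("c2", 0.0)  # headers complete, then a 100000-byte body in tiny pieces
    g.feed("c2", b"POST /up HTTP/1.1\r\nHost: victim\r\nContent-Length: 100000\r\n\r\n", 0.0)
    g.feed("c2", b"x" * 10, 1.0)
    g.accept("c3", 0.0)  # well-behaved request with no body
    g.feed("c3", b"GET /index.html HTTP/1.1\r\nHost: victim\r\n\r\n", 0.1)
    return g.sweep(12.0), g.verdict("c3", 12.0)

if __name__ == "__main__":
    print(demo())
```

In a real server the `feed` and `sweep` calls sit in the accept loop and a periodic timer; the point is that both slow modes become visible from timing and byte counts alone, without inspecting request content.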
- JavaScript DDoS
JavaScript-based DDoS attacks use ordinary Internet users' terminals, which means that any computer with a browser can be turned into a tool for the DDoS attacker. When the number of manipulated browsers reaches a certain scale, this type of attack can be devastating.
The attacker embeds malicious JavaScript code pointing at the target site in heavily visited web pages. When users visit those pages, their traffic is directed at the target site. A typical incident: the GitHub DDoS attack.
- ReDoS attack
Regular expression Denial of Service (ReDoS): developers use regular expressions to validate user input. When the regular expression is defective or imprecise, an attacker can construct special strings that consume a lot of the server's system resources, interrupting or stopping the service. For details, refer to "A Brief Analysis of the Principles and Practices of ReDoS".
- DNS Query Flood
As one of the core services of the Internet, DNS is also a major target of DDoS attacks. A DNS Query Flood manipulates a large number of puppet machines to send a large number of domain name resolution requests to the target server. When the server receives a resolution request, it first checks whether a corresponding cache entry exists; if there is no cache entry and it cannot resolve the name itself, it queries the upper-layer DNS server recursively.
Usually the domain names the attacker requests are randomly generated or do not exist on the network. Because the local DNS server cannot find a result, it must submit a recursive query to the upper-layer DNS server, causing a chain reaction. The resolution process loads the local DNS server, and if the number of resolution requests per second exceeds a certain threshold, the DNS server times out when resolving names.
According to Microsoft statistics, the maximum number of dynamic domain name queries a DNS server can handle is 9,000 requests per second. A P3 PC, however, can easily construct tens of thousands of resolution requests per second, which is enough to paralyze a DNS server with a very high hardware configuration, showing how vulnerable DNS servers are.
Wireless DDoS attacks
- Auth Flood attack
An Auth Flood is an authentication flood attack. It mainly targets clients that are in the authentication phase of establishing an association with an AP: the attacker sends a large number of forged authentication request frames (with forged authentication service and status codes) to the AP. When the AP receives more forged authentication requests than it can handle, it drops other wireless services.
- Deauth Flood attack
A Deauth Flood is a deauthentication flood attack. It spoofs deauthentication frames from the AP to the client's unicast address to put the client into an unassociated or unauthenticated state. With current tools this form of attack is very effective and fast at interrupting clients' wireless service. Typically the client reassociates and authenticates to get service again before the attacker sends the next deauthentication frame; by repeatedly spoofing deauthentication frames, the attacker can keep all clients in a state of denial of service.
- Association Flood attack
An Association Flood is an association flood attack. A wireless router or access point has a built-in connection state table that shows the status of all wireless clients connected to the AP. The attack tries to overwhelm the AP by filling its client association table with a large number of mock, forged wireless client associations.
Since open authentication (null authentication) allows any client to associate after authentication, an attacker exploiting this weakness can mimic many clients by creating multiple connected or associated clients, overwhelming the target AP's client association table.
- Disassociation Flood attack
A Disassociation Flood is a disassociation flood attack, similar to the Deauth Flood. It forces the client into an unassociated/unauthenticated state by spoofing disassociation frames from the AP to the client. Typically the client reassociates to get service again before the attacker sends the next disassociation frame; by repeatedly spoofing disassociation frames, the attacker perpetuates the denial of service.
The principle of a Disassociation Broadcast attack is the same as that of a Disassociation Flood, but the sending scope and the tools differ. The former is often used together with wireless man-in-the-middle attacks, while the latter is often used for targeted point-to-point wireless DoS, such as damaging or interfering with the wireless access point of a specific organization or department.
- RF Jamming attack
RF Jamming is a radio frequency jamming attack. It destroys normal wireless communication by transmitting interfering radio frequency signals. Whereas the previous attacks are based on wireless communication processes and protocols, RF is the radio frequency layer, mainly comprising the wireless signal transmitter and receiver.
Methods for detecting DDoS attack symptoms
- Identifying SYN attacks
  - The server CPU usage is high.
  - A large number of network connections in the SYN_RECEIVED state appear.
  - After the network is restored, the server load becomes high. After the network is disconnected, the instantaneous load will be
- UDP attack detection
  - The server CPU usage is high.
  - The network card receives a large number of packets per second.
  - The TCP connection states are normal.
- CC attack detection
  - The server CPU usage is high.
  - A message similar to "Service Unavailable" is displayed by the Web server.
  - A large number of ESTABLISHED network connections appear, with dozens or even hundreds of connections from a single IP address.
  - Users cannot open the web page, or it opens slowly. After a soft restart, the web page recovers for a short time and becomes inaccessible again a few minutes later.
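The SYN and CC symptoms above are both visible in the kernel's connection table, so they can be checked from `ss -tan` output. The following is an added example (not code from the original post) that parses such output and applies the two symptoms, half-open connection count and established connections per source IP, with assumed thresholds; the `ss` snapshot in `sample_ss_output()` is constructed for illustration (the UDP symptom, a NIC packet rate, is not covered here).

```python
from collections import Counter
import subprocess

def parse_ss(text):
    """Return (state, peer_ip) pairs from `ss -tan` output; the header row is skipped."""
    rows = []
    for line in text.strip().splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or wrapped line
        state, peer = parts[0], parts[4]
        ip = peer.rsplit(":", 1)[0].strip("[]")  # drop the port, unwrap IPv6 brackets
        rows.append((state, ip))
    return rows

def assess(rows, syn_recv_limit=200, estab_per_ip_limit=50):
    """Apply the page's SYN-attack and CC-attack symptoms to a connection table.
    ss prints the half-open state as SYN-RECV (netstat calls it SYN_RECEIVED)."""
    states = Counter(state for state, _ in rows)
    estab_by_ip = Counter(ip for state, ip in rows if state == "ESTAB")
    findings = []
    if states["SYN-RECV"] > syn_recv_limit:
        findings.append(f"possible SYN flood: {states['SYN-RECV']} half-open connections")
    for ip, n in estab_by_ip.most_common():
        if n <= estab_per_ip_limit:
            break  # most_common is sorted, so nothing further can exceed the limit
        findings.append(f"possible CC attack: {n} ESTAB connections from {ip}")
    return states, estab_by_ip, findings

def sample_ss_output():
    """Constructed `ss -tan` snapshot: 300 half-open connections from spoofed
    sources, 80 established connections from one proxy, three ordinary visitors."""
    lines = ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    for i in range(300):  # spoofed sources never finish the handshake
        lines.append(f"SYN-RECV 0 0 203.0.113.10:80 10.{i // 250}.{i % 250}.{i % 7 + 1}:{40000 + i}")
    for i in range(80):   # one client holding dozens of connections
        lines.append(f"ESTAB 0 0 203.0.113.10:80 198.51.100.7:{50000 + i}")
    for i in range(3):    # ordinary visitors
        lines.append(f"ESTAB 0 0 203.0.113.10:80 192.0.2.{i + 1}:{51000 + i}")
    return "\n".join(lines)

def live_rows():
    """Same check against the running Linux host (needs iproute2's `ss`)."""
    out = subprocess.run(["ss", "-tan"], capture_output=True, text=True, check=True)
    return parse_ss(out.stdout)

if __name__ == "__main__":
    states, by_ip, findings = assess(parse_ss(sample_ss_output()))
    print(dict(states))
    print(*findings, sep="\n")
```

Run periodically, the same function gives the "load rises when the network is restored" pattern a number to alert on: half-open count climbs, while a CC attack shows up as a few peers far above everyone else in the ESTAB histogram.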
DDoS attack defense method
- Network-layer DDoS defense
  - Limit the request frequency of a single IP address.
  - Optimize the network architecture and use load balancing.
  - Disable ICMP packets on security devices such as firewalls.
  - A DDoS hardware firewall uses techniques such as packet rule filtering, data-flow fingerprint detection filtering, and packet content customization filtering to scrub abnormal traffic.
  - Use the near-source scrubbing and traffic suppression provided by the telecom carrier (ISP) to prevent the whole site from becoming inaccessible to all users. This is a complementary mitigation for traffic that exceeds your bandwidth reserve and your own DDoS defense capability.
- Application-layer DDoS defense
  - Optimize the operating system's TCP/IP stack.
  - Have the application server strictly limit the number of connections and the CPU usage of a single IP address.
  - Optimize the code and use caching as much as possible. Make the site as static as possible and reduce unnecessary dynamic queries. A static site not only greatly improves resistance to attacks but also creates a lot of trouble for hackers; at least so far, no overflow in HTML has appeared.
  - Add a Web Application Firewall (WAF) device. A WAF is a product that protects Web applications by enforcing a set of HTTP/HTTPS security policies.
  - Use CDN/cloud scrubbing when an attack occurs. Cloud scrubbing vendors generally work as follows: set a CNAME for the website in advance and point the domain name at the cloud scrubbing vendor's DNS server. In normal times the vendor's DNS still directs requests through the CDN back to the origin site; when an attack is detected, the domain name is pointed at the vendor's scrubbing cluster, which sends the cleaned traffic back to the origin.
  - A CDN only works for Web services, not for TCP services that connect directly, such as games. In that case DNS traffic diversion plus ADS (Anti-DDoS System) devices can be used for scrubbing, and the communication protocol between client and server can be used for processing (such as tagging packets and relying on information symmetry).
By their nature, DDoS attacks cannot be defended against completely. What we can do is continually optimize our network and service architecture to improve resilience against DDoS.
Today's idea
Lesson learned: 1. Know how to respond effectively to what you don't know. 2. Study history to see eternal and universal laws and causation. Have clear principles to deal with these realities. The most important thing for us is values, what you are looking for in life. Next most important are your abilities and your strengths and weaknesses. The least important thing is skills, because you can always learn new skills over time.
Ray Dalio, "Principles"