What is a DDoS attack?

Distributed Denial of Service (DDoS) refers to an attacker remotely controlling a large number of computers and directing them at one or more targets at the same time. As a result, the target server's processing capacity or network bandwidth is exhausted and it can no longer provide its services properly.

In plain English: imagine thousands of idle visitors wandering around your store, neither buying nor breaking anything, so that your real customers cannot get in while you are busy shouting "Welcome" and waiting on them.

Hackers play the part of these idle visitors by buying large numbers of proxy IP addresses, "chickens" (compromised computers under their control), and so on.

The harm of DDoS attacks

DDoS attacks may cause the following damage to your services:

  • Significant economic loss

After a DDoS attack, your origin server may be unable to provide its services, so users cannot reach your business, resulting in heavy financial losses and damage to your brand.

For example, when an e-commerce platform suffers a DDoS attack, the website becomes unreachable or is even temporarily shut down, so legitimate users cannot place orders or buy goods.

  • Data leakage

While your servers are under DDoS attack, hackers may take the opportunity to steal the core data of your services.

For example, a distributed crawler is used to scrape a website's data, consuming a large amount of the site's resources or even making the service unavailable.

  • Malicious competition

Vicious competition exists in some industries. Competitors may use DDoS attacks against your services to gain an advantage in that competition.

For example, a game business was hit by a DDoS attack and its player count dropped sharply; the game went offline within a matter of days.

Common DDoS attacks

1. Malformed packet attacks

These include Frag Flood, Smurf Flood, Stream Flood, Land Flood, and malformed IP/TCP/UDP packets.

Principle: A malformed packet attack sends defective IP packets to the target system, causing the target system to crash while processing them.

2. Transport layer DDoS attacks

The flood variants include Syn Flood, Ack Flood, UDP Flood, ICMP Flood, and Rst Flood.

Principle: A Syn Flood attack abuses the TCP three-way handshake. When the server receives a Syn request, it must hold the half-open connection in its listen queue for a certain period of time.

The attacker therefore keeps sending Syn requests but never answers the server's Syn+Ack packets, consuming resources on the server. Once the listen queue is full, the server cannot respond to requests from normal users, which achieves the denial of service.
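The symptom described above is measurable on the server: connections pile up in the SYN-RECV state (Syn received, Syn+Ack sent, final Ack never returned). The following monitor is an added example, not code from the original article; it parses constructed lines in the layout of `ss -tan` output and flags a listener whose half-open connections are held by many distinct peers. The backlog size, warning ratio and sample addresses are assumptions.

```python
"""Half-open connection monitor (added example, not from the article).
Reads lines shaped like `ss -tan` output and reports, per listening port,
how many connections are stuck in SYN-RECV and how many peers hold them.
The backlog size and thresholds below are assumptions."""
import re
from collections import Counter, defaultdict

# Constructed sample: two finished handshakes plus six half-open connections
# from six different peers, all against the HTTPS listener.
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB     0      0      10.0.0.5:443         198.51.100.7:51234
ESTAB     0      0      10.0.0.5:22          198.51.100.9:40112
SYN-RECV  0      0      10.0.0.5:443         203.0.113.10:1025
SYN-RECV  0      0      10.0.0.5:443         203.0.113.11:1026
SYN-RECV  0      0      10.0.0.5:443         203.0.113.12:1027
SYN-RECV  0      0      10.0.0.5:443         203.0.113.13:1028
SYN-RECV  0      0      10.0.0.5:443         203.0.113.14:1029
SYN-RECV  0      0      10.0.0.5:443         203.0.113.15:1030
"""

LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")


def parse_connections(text):
    """Return (state, local_port, peer_ip) tuples; the header line and any
    malformed line are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            state, _laddr, lport, peer, _pport = m.groups()
            conns.append((state, int(lport), peer))
    return conns


def half_open_report(conns, backlog=8, warn_ratio=0.5):
    """Per listening port: half-open count, distinct peers, and whether the
    queue looks like it is filling with a flood.  `backlog` is the assumed
    listen queue size (in reality whatever the service passed to listen())."""
    half_open = Counter()
    peers = defaultdict(set)
    for state, port, peer in conns:
        if state == "SYN-RECV":
            half_open[port] += 1
            peers[port].add(peer)
    report = {}
    for port, count in half_open.items():
        report[port] = {
            "half_open": count,
            "distinct_peers": len(peers[port]),
            # Many distinct peers that never finish the handshake is the
            # signature of a spoofed-source Syn Flood rather than one slow client.
            "flood_suspected": count >= backlog * warn_ratio
            and len(peers[port]) >= count * warn_ratio,
        }
    return report


if __name__ == "__main__":
    for port, info in half_open_report(parse_connections(SAMPLE_SS_OUTPUT)).items():
        print(f"port {port}: {info}")
```

With the constructed sample, port 443 reports six half-open connections from six peers and is flagged, while port 22 (one established session) does not appear. On Linux the standard mitigation for this condition is SYN cookies (`net.ipv4.tcp_syncookies`), which let the kernel complete handshakes without holding queue state for each unanswered Syn+Ack.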

3. DNS DDoS attacks

These include DNS Request Flood, DNS Response Flood, DNS Query Flood with forged plus real source addresses, attacks on authoritative servers, and attacks on local (recursive) servers.

Principle: Take the DNS Query Flood attack as an example. In essence it sends real Query requests, which is normal service behavior. However, when many puppet computers initiate massive numbers of domain name Query requests at the same time, the server can no longer answer legitimate Query requests, resulting in denial of service.

4. Connection-based DDoS attacks

These mainly include TCP slow-connection attacks, connection exhaustion attacks, and the slow attacks launched with tools such as LOIC, HOIC, Slowloris, PyLoris and XOIC.

Take the Slowloris attack, which targets the concurrent-connection limit of a Web server. When the number of concurrent connections reaches that upper limit, the Web service cannot accept new requests.

When a Web service receives a new HTTP request, it establishes a new connection to process the request and closes the connection when processing is complete. If a connection is kept open, a further connection must be established when the next HTTP request arrives. Once every available connection is occupied, the Web server cannot handle any new requests.

The Slowloris attack exploits a feature of the HTTP protocol. An HTTP request's headers end with \r\n\r\n. If the Web server receives only \r\n, it considers the HTTP headers incomplete, keeps the connection open, and waits for the rest of the request.
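The defence follows directly from the protocol detail above: a server must bound how long it waits for the \r\n\r\n that ends the headers, cap the header size, and limit how many unfinished requests one source may hold. The guard below is an added example, not code from the original article or any particular Web server; the timeout, per-IP cap and size limit are assumed values, and the injectable clock exists only so the behaviour can be exercised without sleeping.

```python
r"""Request-header read guard (added example, not from the article).
Models the server side of header reading: a request is complete only when
\r\n\r\n arrives, so a connection that stalls after a bare \r\n must be
closed on a deadline instead of being kept forever.  All limits are assumed."""
import time

HEADER_END = b"\r\n\r\n"
MAX_HEADER_BYTES = 8192  # assumed cap, comparable to common server defaults


def headers_complete(buf):
    """True once the request line and all headers have been received."""
    return HEADER_END in buf


class HeaderPhaseGuard:
    """Tracks connections still sending headers and drops the ones that stall."""

    def __init__(self, header_timeout=10.0, max_pending_per_ip=10, clock=time.monotonic):
        self.header_timeout = header_timeout
        self.max_pending_per_ip = max_pending_per_ip
        self.clock = clock
        self.pending = {}  # conn_id -> [peer_ip, started_at, buffer]

    def pending_for(self, peer_ip):
        return sum(1 for ip, _, _ in self.pending.values() if ip == peer_ip)

    def accept(self, conn_id, peer_ip):
        """Admit a connection unless this peer already holds too many
        half-sent requests (the pattern a slow-header attack relies on)."""
        if self.pending_for(peer_ip) >= self.max_pending_per_ip:
            return False
        self.pending[conn_id] = [peer_ip, self.clock(), b""]
        return True

    def feed(self, conn_id, data):
        """Append received bytes; returns 'complete', 'incomplete' or
        'too_large'.  Completed or oversized requests leave the pending set."""
        entry = self.pending[conn_id]
        entry[2] += data
        if len(entry[2]) > MAX_HEADER_BYTES:
            del self.pending[conn_id]
            return "too_large"
        if headers_complete(entry[2]):
            del self.pending[conn_id]
            return "complete"
        return "incomplete"

    def reap(self):
        """Close every connection whose header phase exceeded the deadline
        and return the ids closed."""
        now = self.clock()
        expired = [cid for cid, (_, started, _) in self.pending.items()
                   if now - started > self.header_timeout]
        for cid in expired:
            del self.pending[cid]
        return expired


def demo():
    """Constructed scenario: one client finishes its request, another stops
    after a single header line and is reaped once the deadline passes."""
    fake_now = [0.0]
    guard = HeaderPhaseGuard(header_timeout=10.0, clock=lambda: fake_now[0])
    guard.accept("c1", "198.51.100.7")
    fast = guard.feed("c1", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    guard.accept("c2", "203.0.113.10")
    slow = guard.feed("c2", b"GET / HTTP/1.1\r\nHost: example.test\r\n")
    fake_now[0] = 11.0          # ten-second deadline has passed
    reaped = guard.reap()
    return fast, slow, reaped, len(guard.pending)


if __name__ == "__main__":
    print(demo())
```

The two controls work together: the deadline frees a connection that stalls in the header phase, and the per-source cap stops a single address from holding a large share of the connection pool even before any deadline expires.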

5. Web application layer DDoS attacks

These attacks include HTTP Get Flood, HTTP Post Flood, and CC attacks.

Generally, application-layer attacks fully simulate user requests, much like search engines and crawlers. There is no strict boundary between such attacks and normal business traffic, so they are difficult to distinguish.

Some transactions and pages in Web services are resource-intensive. For example, if a page's control parameters (such as the page size) are large, frequent paging consumes a lot of Web service resources. Under high concurrency and frequent invocation in particular, transactions like this were the targets of early CC attacks.

Since most attacks today are hybrid, any frequent operation that simulates user behavior can be regarded as a CC attack. For example, the various ticket-grabbing bots that visit a website are, in a sense, CC attacks.

CC attacks target the back-end services of Web applications. Besides denial of service, CC attacks directly affect the functions and performance of Web applications, including Web response time, database services, and disk reads and writes.
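Because these requests look like ordinary user traffic, detection usually comes from the access log rather than from any single request: how much load one client generates in a short window, with resource-intensive pages counted more heavily. The analyser below is an added example, not code from the original article; it parses constructed lines in Combined Log Format and scores each client with a sliding window. The window length, load threshold, list of expensive endpoints and their weight are assumptions.

```python
"""Access-log load analysis for HTTP Flood / CC-style traffic (added example,
not from the article).  Parses constructed Combined Log Format lines, weights
requests to resource-intensive endpoints more heavily, and finds the peak
weighted load each client reached inside a sliding window.  Thresholds,
endpoint list and weights are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one client hammers the search page with a large page
# size, another browses normally.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.50 - - [10/Oct/2024:13:55:37 +0000] "GET /search?q=a&page_size=500 HTTP/1.1" 200 81920
203.0.113.50 - - [10/Oct/2024:13:55:38 +0000] "GET /search?q=b&page_size=500 HTTP/1.1" 200 81920
203.0.113.50 - - [10/Oct/2024:13:55:39 +0000] "GET /search?q=c&page_size=500 HTTP/1.1" 200 81920
198.51.100.7 - - [10/Oct/2024:13:55:40 +0000] "GET /product/42 HTTP/1.1" 200 2048
203.0.113.50 - - [10/Oct/2024:13:55:41 +0000] "GET /search?q=d&page_size=500 HTTP/1.1" 200 81920
203.0.113.50 - - [10/Oct/2024:13:55:42 +0000] "GET /search?q=e&page_size=500 HTTP/1.1" 200 81920
203.0.113.50 - - [10/Oct/2024:13:55:43 +0000] "GET /search?q=f&page_size=500 HTTP/1.1" 200 81920
203.0.113.50 - - [10/Oct/2024:13:55:44 +0000] "GET /search?q=g&page_size=500 HTTP/1.1" 200 81920
198.51.100.7 - - [10/Oct/2024:13:56:10 +0000] "POST /cart HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

EXPENSIVE_PREFIXES = ("/search", "/export", "/report")  # assumed list
EXPENSIVE_WEIGHT = 5  # one search costs about five static hits (assumed)


def parse_log(text):
    """Yield (ip, epoch_seconds, path) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], TS_FMT).timestamp()
            yield m["ip"], ts, m["path"]


def request_weight(path):
    """Cost of one request: heavier for the resource-intensive routes."""
    route = path.split("?", 1)[0]
    return EXPENSIVE_WEIGHT if route.startswith(EXPENSIVE_PREFIXES) else 1


def peak_load_per_client(entries, window_s=60):
    """Highest weighted request total any client reached inside a sliding
    window of window_s seconds (two-pointer sweep over sorted timestamps)."""
    by_ip = defaultdict(list)
    for ip, ts, path in entries:
        by_ip[ip].append((ts, request_weight(path)))
    peaks = {}
    for ip, events in by_ip.items():
        events.sort()
        start, running, best = 0, 0, 0
        for ts, w in events:
            running += w
            while ts - events[start][0] > window_s:
                running -= events[start][1]
                start += 1
            best = max(best, running)
        peaks[ip] = best
    return peaks


def flag_clients(text, window_s=60, max_load=30):
    """Return (peak load per client, sorted list of clients over the limit)."""
    peaks = peak_load_per_client(parse_log(text), window_s)
    return peaks, sorted(ip for ip, load in peaks.items() if load > max_load)


if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))
```

On the sample, the search client reaches a weighted load of 35 within eight seconds and is flagged, while the browsing client peaks at 3. Weighting by endpoint is what separates this from plain request counting: a handful of large-page-size searches can cost the back end more than hundreds of static hits, which matches the point above that expensive transactions are the preferred targets.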


Original article: How to prove that DDoS is being attacked?

Well, that’s all for today’s sharing.

If you like this article, please follow the official account "Open ape notes"; there will be continuous updates!