What is a DDoS traffic attack? At first sight many of us find the term DDoS a little intimidating, simply because it is a foreign acronym. In simple terms, a DDoS attack uses bandwidth traffic to attack servers and websites.
For example, if a server's bandwidth is 100 Mbit/s and 200 Mbit/s of traffic suddenly arrives from outside, the server cannot absorb it. Its network connection collapses almost instantly: the server becomes unreachable and the websites it hosts will not open, because the 200 Mbit/s of incoming traffic has occupied the server's entire 100 Mbit/s of bandwidth.
Take another example closer to everyday life: a restaurant can normally seat at most 100 diners. Out of rivalry, the owner of the restaurant across the street hires 200 thugs to sit down and eat there, so the restaurant is full and cannot accept normal guests. This is what a DDoS attack does: it uses traffic to saturate a server's bandwidth, leaving no bandwidth for users who want to visit the site.
DDoS traffic attacks are classified into UDP flood, TCP flood, ICMP flood, TCP/UDP/ICMP fragment, SYN flood, ACK flood, zero-window, SSL flood, SSL key renegotiation, DNS reflection amplification, NTS reflection, NTP reflection, SNMP reflection, SSDP reflection and Chargen reflection attacks.
A UDP flood is the UDP variant of a traffic attack. The attacker forges a large number of genuine-looking source IP addresses and sends a small number of packets from each to the target server; as long as UDP is enabled on the server, the server receives the attack traffic. To defend against such attacks, set a limit on the size of UDP packet data, strictly control the size of accepted packets, and discard packets exceeding a given value. Another defense is to accept UDP packets only from IP addresses that already have an established TCP connection; otherwise the IP address is blocked outright.
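The two UDP defenses just described, written out as a small admission policy. This is an added example, not code from the original article: the threshold `MAX_UDP_PAYLOAD`, the `UdpPacket` record and the set of "peers with an established TCP connection" are all assumptions, and the sample traffic is constructed.

```python
# Added example: a UDP admission policy implementing the two defenses above
# (size limit on UDP payloads; accept UDP only from peers with a TCP session).
from dataclasses import dataclass

MAX_UDP_PAYLOAD = 512  # assumed threshold in bytes; tune it to your services


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    dst_port: int
    payload_len: int


def udp_policy(packet, established_tcp_peers, max_payload=MAX_UDP_PAYLOAD):
    """Return 'accept' or a drop reason for one inbound UDP datagram.

    established_tcp_peers is the set of source IPs that currently hold an
    established TCP connection with this host (assumed to be kept up to
    date by the firewall's connection tracker).
    """
    if packet.payload_len > max_payload:
        return "drop:oversize"
    if packet.src_ip not in established_tcp_peers:
        return "drop:no-tcp-session"
    return "accept"


def filter_udp(packets, established_tcp_peers, max_payload=MAX_UDP_PAYLOAD):
    """Apply the policy to a batch; return (accepted packets, drop counts by reason)."""
    accepted = []
    dropped = {}
    for p in packets:
        verdict = udp_policy(p, established_tcp_peers, max_payload)
        if verdict == "accept":
            accepted.append(p)
        else:
            dropped[verdict] = dropped.get(verdict, 0) + 1
    return accepted, dropped


# Constructed sample traffic: two known peers plus a burst from unknown sources.
SAMPLE_PEERS = {"198.51.100.10", "198.51.100.11"}
SAMPLE_PACKETS = [
    UdpPacket("198.51.100.10", 5000, 200),   # known peer, small payload: accept
    UdpPacket("198.51.100.11", 5000, 1400),  # known peer, oversize: drop
] + [UdpPacket(f"203.0.113.{i}", 5000, 64) for i in range(1, 51)]  # no TCP session

if __name__ == "__main__":
    ok, dropped = filter_udp(SAMPLE_PACKETS, SAMPLE_PEERS)
    print(len(ok), "accepted;", dropped)
```

Two caveats apply. Requiring a TCP session before accepting UDP only works for services whose legitimate UDP senders always have one; it would break plain DNS or NTP clients. And a host-side filter drops packets only after they have crossed the link, so it protects the server's CPU and sockets but not the bandwidth the article's first example is about; that has to be handled upstream.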
An ICMP flood pings the server over the ICMP protocol, inflating the length and byte count of the ICMP packets to attack the server. A TCP flood abuses the TCP three-way handshake: the attacker forges a large number of genuine-looking IP addresses to open connections to the target server until the server cannot bear any more TCP connections and breaks down.
A SYN flood abuses the SYN handshake. The client sends a SYN packet, and the server receives it and responds with SYN and ACK. An attacker simulates a massive number of client connections sending such packets, causing the server to break down.
An ACK flood works the same way, except that the attacker sends ACK packets. As long as the server accepts ACK packets, too many ACK connections exhaust its resources, it has nothing left with which to receive further packets, and the site can no longer be opened.
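The SYN flood described above shows up on the server as handshakes that never complete. The following is an added detection example, not code from the original article: it counts half-open handshakes from a stream of inbound TCP events, and the thresholds, the event format and the sample traffic are all assumptions or constructed data.

```python
# Added example: detecting a SYN flood from inbound TCP handshake events.
from collections import defaultdict

# Assumed thresholds; derive real values from your own traffic baseline.
HALF_OPEN_PER_SOURCE = 20
HALF_OPEN_PER_PORT = 200


def track_half_open(events):
    """Count half-open handshakes per (src_ip, dst_port).

    events: iterable of (src_ip, dst_port, flags), where flags is "SYN" for
    the client's opening packet and "ACK" for the client's final ACK.
    A SYN increments the count; the matching ACK decrements it. Whatever
    remains is a connection the server answered but the client never finished.
    """
    pending = defaultdict(int)
    for src_ip, dst_port, flags in events:
        key = (src_ip, dst_port)
        if flags == "SYN":
            pending[key] += 1
        elif flags == "ACK" and pending[key] > 0:
            pending[key] -= 1
    return {k: n for k, n in pending.items() if n > 0}


def detect_syn_flood(half_open, per_source=HALF_OPEN_PER_SOURCE,
                     per_port=HALF_OPEN_PER_PORT):
    """Return (noisy_sources, flooded_ports).

    Per-source counting catches one misbehaving client. When source
    addresses are forged, each spoofed IP contributes a single SYN and the
    per-source rule never fires, so the per-port total is the signal that
    exposes that case.
    """
    noisy = sorted({ip for (ip, _), n in half_open.items() if n >= per_source})
    totals = defaultdict(int)
    for (_, port), n in half_open.items():
        totals[port] += n
    flooded = sorted(port for port, n in totals.items() if n >= per_port)
    return noisy, flooded


# Constructed sample traffic (not captured data).
SAMPLE_EVENTS = []
for i in range(1, 6):  # five legitimate clients: SYN followed by the final ACK
    SAMPLE_EVENTS += [(f"198.51.100.{i}", 443, "SYN"), (f"198.51.100.{i}", 443, "ACK")]
SAMPLE_EVENTS += [("203.0.113.5", 443, "SYN")] * 30  # one client that never finishes
SAMPLE_EVENTS += [(f"198.18.{i // 256}.{i % 256}", 443, "SYN")  # 300 forged sources
                  for i in range(1, 301)]

if __name__ == "__main__":
    half = track_half_open(SAMPLE_EVENTS)
    print(detect_syn_flood(half))
```

In the sample, the five legitimate clients leave no half-open entries, the single noisy client trips the per-source rule, and the 300 forged sources are invisible per source but push port 443 far over the per-port limit. Detection alone does not free the connection table; the usual kernel-side mitigation, outside this article's scope, is SYN cookies (on Linux the `net.ipv4.tcp_syncookies` sysctl), which let the server answer SYNs without keeping state for each half-open connection.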
An SSL flood uses clients that continuously perform SSL handshakes. An SSL handshake consumes dozens of times more server resources than an ordinary user accessing an HTTP website, so a low-end server cannot bear many concurrent SSL requests and handshakes; CPU usage climbs to 90% and there is no spare CPU left to handle user access. To defend against SSL traffic attacks, disable SSL renegotiation, which blunts massive SSL traffic attacks.
Reflection amplification traffic attacks
Reflection attacks, whether DNS reflection or NTP reflection, rely on the UDP protocol. Under UDP, a user sends a request packet to a server and the server sends its reply back to the address named in the request. Because the source IP in that request can be forged, it can be forged as the IP address of the server under attack; the reflecting server then sends its reply packets to the victim server's IP, and that is what constitutes a reflection attack.
A DNS reflection attack abuses the resolution service of a DNS server: the attacker forges the IP address of the server to be attacked, performs a DNS query, and sends it to the DNS server; the DNS server then returns its response packets to the IP address of the server under attack.
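From the victim's side, DNS reflection looks like DNS responses arriving for queries the host never sent. The following added example (not from the original article) matches inbound responses against the host's own outbound queries to spot unsolicited ones, and computes the amplification factor from request and response sizes. The record format, the alert threshold and all sample traffic are constructed assumptions.

```python
# Added example: spotting reflected DNS traffic from the victim host's own
# view of its queries and the responses it receives.
from collections import defaultdict

UNSOLICITED_THRESHOLD = 10  # assumed: unsolicited responses per peer before alerting


def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte the sender spent on the request."""
    return response_bytes / request_bytes


def find_unsolicited(records):
    """Match DNS responses against queries this host actually sent.

    records: iterable of (kind, peer_ip, txid, length) in arrival order, with
    kind "query" for an outbound query and "response" for an inbound answer.
    A response whose (peer, txid) matches an outstanding query is legitimate;
    anything else is unsolicited. Returns {peer_ip: (count, bytes)}.
    """
    outstanding = set()
    stats = defaultdict(lambda: [0, 0])
    for kind, peer, txid, length in records:
        key = (peer, txid)
        if kind == "query":
            outstanding.add(key)
        elif key in outstanding:
            outstanding.discard(key)  # answer to a query we sent ourselves
        else:
            stats[peer][0] += 1
            stats[peer][1] += length
    return {peer: tuple(v) for peer, v in stats.items()}


def suspected_reflectors(records, threshold=UNSOLICITED_THRESHOLD):
    """Peers that sent at least `threshold` responses nobody here asked for."""
    return sorted(peer for peer, (count, _) in find_unsolicited(records).items()
                  if count >= threshold)


# Constructed sample traffic: three normal query/response pairs, then 100
# responses carrying transaction IDs this host never issued.
SAMPLE_RECORDS = [
    ("query", "192.0.2.53", 1, 60), ("response", "192.0.2.53", 1, 120),
    ("query", "192.0.2.53", 2, 60), ("response", "192.0.2.53", 2, 120),
    ("query", "192.0.2.53", 3, 60), ("response", "192.0.2.53", 3, 120),
]
SAMPLE_RECORDS += [("response", "192.0.2.53", 4096 + i, 3000) for i in range(50)]
SAMPLE_RECORDS += [("response", "192.0.2.54", 8192 + i, 3000) for i in range(50)]

if __name__ == "__main__":
    print(find_unsolicited(SAMPLE_RECORDS))
    print("suspected reflectors:", suspected_reflectors(SAMPLE_RECORDS))
    print("amplification of a 60-byte query answered with 3000 bytes:",
          amplification_factor(60, 3000))
```

The unsolicited responses can be dropped at the host or edge firewall, but as with the other floods the bytes have already consumed the inbound link by then. The lasting fixes sit elsewhere: operators of the reflecting DNS servers rate-limit responses and stop answering recursive queries from the open internet, and networks filter outbound packets with forged source addresses so the spoofed queries never leave their origin.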