Distributed Denial of Service (DDoS) attacks are among the most powerful attacks and the hardest to defend against. To understand DDoS, start with DoS. The most basic DoS attack uses apparently reasonable client requests to tie up so many server resources that legitimate users cannot get a response from the server. DDoS attacks build on traditional DoS attacks. A traditional DoS attack is one-to-one: it is effective when the target's performance indicators, such as CPU speed, memory, or network bandwidth, are not high.

However, as computer and network technology developed, processing capacity increased significantly, memory grew, and gigabit-level networks appeared, so the plain DoS attack gradually lost its effect. This is where distributed denial of service (DDoS) attacks come in. Once DoS is understood, the principle of DDoS is very simple: an attacker uses the public network to unite a large number of computer devices into an attack platform and launches an attack on one or more targets, so as to disable the target host. Usually, before the attack, the attacker takes control of a large number of user computers in advance, known as "chickens" (zombie hosts), and then instructs all of them to access one host at the same time, paralyzing the target host.

DDoS attacks come in various forms. Some, such as ICMP Flood and UDP Flood, rely on brute force; as hardware performance improves, large-scale attacks of this kind become more and more difficult to organize. Others, such as the Slowloris attack and the Hash collision attack, rely on protocol features and specific software vulnerabilities; since they exploit a protocol or software defect, they only succeed under certain conditions. Most attackers combine the two approaches: they exploit a defect in the protocol or system and also bring a massive amount of traffic.

Next we'll talk about two common DDoS methods.

1. SYN Flood was once one of the most classic attack modes. To understand the attack mechanism, we can start from the process of establishing a TCP connection. If you lack the background, you can read this article first:

A more detailed analysis of the TCP three-way handshake, four-way teardown, flow control, and sliding window: www.jianshu.com/p/b0d0023b3… Now look again at the three-way handshake.

To ensure reliable transmission, TCP provides some exception handling mechanisms during the three-way handshake. In step 3, if the server does not receive the ACK packet from the client, the server retransmits: it resends the SYN+ACK packet, keeps the connection in the SYN_RECV state, and keeps the client on a waiting list. Resending is usually done 3-5 times, with the waiting list polled every 30 seconds or so and all waiting clients retried. Furthermore, when the server sends the SYN+ACK packet, it pre-allocates resources for the TCP connection, and those resources are held for the whole retry period. More importantly, server resources are limited: once the waiting list exceeds its limit, the server no longer accepts new SYN packets, that is, it refuses to establish new TCP connections.

A SYN Flood attack abuses this part of the three-way handshake. The attacker forges a large number of source IP addresses and sends SYN packets to the server. Because the forged addresses will almost never answer, the server gets no response from the "client" and ends up maintaining a very large half-open connection waiting list, constantly traversing it and retrying each IP address, which consumes a lot of system resources. Worse, server resources are limited, and a large amount of malicious client state occupies the server's waiting queue. As a result, the server stops accepting new SYN requests and normal users cannot complete the three-way handshake to communicate with the server. This is the SYN Flood attack.
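The two mechanisms described above, a bounded waiting list that fills with entries that never ACK, and the retransmission and expiry cycle that eventually clears them, together with the standard stateless defense (SYN cookies), as an added illustration in Python. This is not code from the original post; it models the server's half-open queue in memory. The addresses come from the documentation ranges (203.0.113.0/24, 192.0.2.0/24, 198.51.100.0/24) and are constructed, and the cookie layout (a 5-bit 64-second counter plus a 27-bit keyed MAC over the 4-tuple) follows the classic SYN cookie idea but omits the MSS encoding that real kernels include.

```python
import hashlib
import hmac
import os

# Constructed server secret for SYN cookies; a real server rotates this key.
SECRET = os.urandom(16)


class HalfOpenQueue:
    """In-memory model of the server's SYN_RECV waiting list. Each answered
    SYN reserves an entry until the client's ACK arrives or the SYN+ACK
    retransmissions (3-5 in the text) are exhausted."""

    def __init__(self, capacity, max_retries=5, retry_interval=30):
        self.capacity = capacity
        self.max_retries = max_retries
        self.retry_interval = retry_interval
        self.pending = {}   # (src_ip, src_port) -> {"first": t, "retries": n}
        self.rejected = 0   # SYNs refused because the waiting list was full

    def on_syn(self, src_ip, src_port, now):
        key = (src_ip, src_port)
        if key in self.pending:
            return True                      # duplicate SYN, already waiting
        if len(self.pending) >= self.capacity:
            self.rejected += 1
            return False                     # list full: new connection refused
        self.pending[key] = {"first": now, "retries": 0}
        return True

    def on_ack(self, src_ip, src_port):
        # Third handshake step: the entry is released only if it was pending.
        return self.pending.pop((src_ip, src_port), None) is not None

    def tick(self, now):
        """Periodic pass over the waiting list: retransmit SYN+ACK to entries
        whose timer is due and drop those whose retries are exhausted. Spoofed
        sources never ACK, so their entries stay until this expiry."""
        for key, entry in list(self.pending.items()):
            due = entry["first"] + (entry["retries"] + 1) * self.retry_interval
            if now >= due:
                entry["retries"] += 1
                if entry["retries"] > self.max_retries:
                    del self.pending[key]


def legitimate_client_connects(capacity, spoofed_syns, now=1000.0):
    """Fill the waiting list with SYNs from constructed spoofed sources that
    never complete the handshake, then check whether a real client can still
    connect. Returns True only if its SYN is accepted and its ACK matched."""
    q = HalfOpenQueue(capacity)
    for i in range(spoofed_syns):
        q.on_syn(f"203.0.113.{i % 256}", 1024 + i, now)
    accepted = q.on_syn("192.0.2.10", 40000, now + 1)
    return accepted and q.on_ack("192.0.2.10", 40000)


def _cookie_mac(src_ip, src_port, dst_ip, dst_port, t):
    msg = f"{src_ip}:{src_port}:{dst_ip}:{dst_port}:{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()[:4]
    return int.from_bytes(digest, "big") & 0x07FFFFFF


def syn_cookie(src_ip, src_port, dst_ip, dst_port, now):
    """Stateless alternative to the waiting list: the server's initial
    sequence number carries a 5-bit 64-second counter and a 27-bit keyed MAC
    over the 4-tuple, so nothing is stored until a valid ACK comes back."""
    t = (int(now) >> 6) & 0x1F
    return (t << 27) | _cookie_mac(src_ip, src_port, dst_ip, dst_port, t)


def check_syn_cookie(ack_seq, src_ip, src_port, dst_ip, dst_port, now):
    """Validate the cookie echoed in the client's ACK (ack_seq = ISN + 1).
    Only the current and the previous counter window are accepted."""
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    t = cookie >> 27
    cur = (int(now) >> 6) & 0x1F
    if t not in (cur, (cur - 1) & 0x1F):
        return False
    expected = _cookie_mac(src_ip, src_port, dst_ip, dst_port, t)
    return hmac.compare_digest(
        (cookie & 0x07FFFFFF).to_bytes(4, "big"), expected.to_bytes(4, "big"))
```

With a waiting list of 1024 entries, `legitimate_client_connects(1024, 1024)` returns False: the real client's SYN is refused even though every occupied entry belongs to an address that will never answer, and it stays refused until the retry cycle in `tick()` expires them. The cookie path keeps no per-SYN state at all; the cost is that a client whose ACK arrives after two counter windows must reconnect, which is why the check tolerates the previous window.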

2. DNS Query Flood

DNS Query Flood is actually a variant of the UDP Flood attack. Because the DNS service plays an irreplaceable role on the Internet, once a DNS server breaks down the impact is great.

A DNS Query Flood attack sends massive numbers of domain name resolution requests to the attacked server. Typically the domain names to be resolved are generated randomly, most of them do not exist at all, and the source ports and client IP addresses are forged so that the query requests cannot be filtered by ACLs. After receiving a resolution request, the attacked DNS server first checks whether a matching cache entry exists. Because the domain names are randomly generated, it is almost impossible for a cache entry to exist. When the DNS server cannot resolve the name itself, it recursively queries upper-layer DNS servers, up to the 13 root DNS servers on the global Internet. A large number of resolution requests for non-existent domains thus places a heavy load on the server. When the number of resolution requests exceeds a certain amount, the DNS server begins to time out when resolving domain names, and the attacker has achieved the purpose of the attack.
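The two signals the paragraph above gives a defender, a high share of NXDOMAIN answers and query names that look randomly generated, turned into detection logic over sample resolver log lines, as an added example (not code from the original post). The log format ("epoch client qname rcode") and every line in it are constructed for this example and do not reproduce any real resolver's log layout; the thresholds are assumptions to tune per deployment.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines in a simplified "epoch client qname rcode" form
# (not a real resolver log). 203.0.113.7 sends random names that do not exist;
# 192.0.2.10 is ordinary traffic; 192.0.2.11 is a single typo.
SAMPLE_LOG = """\
1700000000 192.0.2.10 www.example.com NOERROR
1700000000 192.0.2.10 mail.example.com NOERROR
1700000001 192.0.2.10 cdn.example.com NOERROR
1700000002 192.0.2.10 api.example.com NOERROR
1700000001 203.0.113.7 x7k2q9vb4.example.net NXDOMAIN
1700000001 203.0.113.7 qp3mz8w1ld.example.net NXDOMAIN
1700000001 203.0.113.7 h4t9rj2bxe.example.net NXDOMAIN
1700000002 203.0.113.7 c6nvy1ks8p.example.net NXDOMAIN
1700000002 203.0.113.7 m2d7fqz5ua.example.net NXDOMAIN
1700000002 203.0.113.7 b9xw3tlc0h.example.net NXDOMAIN
1700000003 192.0.2.11 exmaple.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")


def label_entropy(qname):
    """Shannon entropy (bits per character) of the leftmost label; randomly
    generated labels score high, human-chosen ones like "www" score low."""
    label = qname.split(".")[0].lower()
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse(log):
    """Yield (epoch, client, qname, rcode) for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)


def analyse(log, min_queries=5, nx_ratio=0.8, entropy_floor=3.0):
    """Per client: flag sources whose queries are mostly NXDOMAIN answers for
    high-entropy names. Globally: the NXDOMAIN share of all queries, which
    still rises when client addresses are forged and no single address sends
    enough queries to be flagged on its own."""
    clients = defaultdict(lambda: {"total": 0, "nx": 0, "entropy": 0.0})
    total = nx = 0
    for _, client, qname, rcode in parse(log):
        s = clients[client]
        s["total"] += 1
        s["entropy"] += label_entropy(qname)
        total += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            nx += 1
    flagged = []
    for client, s in clients.items():
        if s["total"] < min_queries:
            continue          # too few queries to judge (one typo is not a flood)
        mean_entropy = s["entropy"] / s["total"]
        if s["nx"] / s["total"] >= nx_ratio and mean_entropy >= entropy_floor:
            flagged.append(client)
    return {
        "flagged": sorted(flagged),
        "nxdomain_ratio": nx / total if total else 0.0,
        "clients": dict(clients),
    }
```

On the constructed log only 203.0.113.7 is flagged; 192.0.2.11's single NXDOMAIN for a typo stays below `min_queries`. Because the text notes that the attacker forges source addresses, the per-client verdict is the weaker signal: the global `nxdomain_ratio` (7/11 here) is what a resolver operator would alert on, and the usual responses are rate-limiting recursion for non-existent names and serving negative answers from cache rather than blocking individual addresses.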

3. CC attack

The Challenge Collapsar (CC) attack is an application-layer HTTP attack, also known as HTTP Flood.

The principle of a CC attack is as follows: the attacker controls a large number of "chickens", or uses a large number of well-known HTTP proxies found on the Internet, to simulate normal users sending requests to the website until the site refuses service. Most sites use a CDN and distributed caches to speed up server responses and raise throughput, but these carefully constructed HTTP requests are often designed to bypass those caches: each one requires multiple DB queries or returns a large amount of data, which accelerates the consumption of system resources and brings down the back-end business processing system. Even the associated storage and log collection systems are not immune.

CC attacks are easy to launch, hard to guard against, and broad in effect. CC attacks have been the mainstream form of DDoS attack in recent years.

CC attacks do not require the attacker to control a large number of "chickens"; it is easy to find all kinds of HTTP proxies on the Internet. "Chickens" generate abnormal traffic, are easily detected by administrators, and so an attack from them is hard to sustain, whereas HTTP proxies let the attacker launch a sustained, high-intensity attack. Because the attack is launched at the application layer and is often closely tied to the website's own business, it is difficult for the defense to filter attack requests without affecting services. A large number of false positives will hurt normal users, which indirectly achieves the attacker's purpose.
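The CC section above makes two points a defender has to reconcile: the damaging requests are the ones that bypass the cache and reach the database, and any filter that is too aggressive hurts normal users. One way to act on both, as an added example that is not code from the original post, is to budget each client by back-end cost rather than request count, in Python. The cost weights, window size, budget and every access-log line are constructed assumptions; the address 198.51.100.5 stands in for an open HTTP proxy of the kind the text describes.

```python
from collections import defaultdict, deque

# Constructed cost weights: a request that misses the CDN/cache and reaches the
# origin (DB queries, large response) counts several times more than a hit.
COST = {"HIT": 1, "MISS": 5}


class CostLimiter:
    """Sliding-window budget per client keyed on back-end cost rather than
    request count, so a burst of cache-bypassing requests is throttled long
    before a burst of cheap cached ones is."""

    def __init__(self, budget=50, window=10.0):
        self.budget = budget
        self.window = window
        self.history = defaultdict(deque)   # client -> deque of (ts, cost)

    def allow(self, client, ts, cache_status):
        hist = self.history[client]
        while hist and hist[0][0] <= ts - self.window:
            hist.popleft()                  # evict entries outside the window
        cost = COST.get(cache_status, COST["MISS"])   # unknown status: be strict
        spent = sum(c for _, c in hist)
        if spent + cost > self.budget:
            return False                    # over budget: refuse or challenge
        hist.append((ts, cost))
        return True


def constructed_sample():
    """Constructed access-log lines "ts client path cache_status" (not a real
    log): a normal visitor browsing cached pages over 12 seconds, and one
    address replaying a search URL with varying query strings so that every
    request misses the cache and reaches the database."""
    lines = [f"{t:.1f} 192.0.2.10 /news/{t} HIT" for t in range(12)]
    lines += [f"{0.1 * i:.1f} 198.51.100.5 /search?q=z{i:04x}&r={i * 7919} MISS"
              for i in range(20)]
    return lines


def replay(lines, budget=50, window=10.0):
    """Run the limiter over log lines in time order; returns
    client -> (allowed, refused)."""
    limiter = CostLimiter(budget, window)
    outcome = defaultdict(lambda: [0, 0])
    for line in sorted(lines, key=lambda l: float(l.split()[0])):
        ts, client, _path, status = line.split()
        if limiter.allow(client, float(ts), status):
            outcome[client][0] += 1
        else:
            outcome[client][1] += 1
    return {c: tuple(v) for c, v in outcome.items()}
```

On the constructed traffic the browsing visitor's 12 cached requests all pass, while the cache-missing burst is cut off after 10 requests (50 cost units) in under two seconds. The false-positive concern from the text still applies: a shared proxy or a NAT gateway aggregates many real users behind one address, so the over-budget branch is better served by a challenge (JavaScript or CAPTCHA) than a hard block, and the budget should be set from the site's observed per-user cost rather than guessed.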

Other common attacks include DNS domain name hijacking, CDN back-to-origin attacks, server privilege escalation, buffer overflows, and some platform-dependent or software-specific attacks. Because defense lags behind attack, there are always more ways to attack than to defend.

To be continued…

From: Large-Scale Distributed Website Architecture Design. Organizing this was not easy; if you liked it, please give it a like.