Abstract:

Before discussing defense, here is a brief introduction to the various kinds of attacks, because DDoS is a class of attacks rather than a single attack, and DDoS defense is a largely but not completely automated process: automation may fail to recognize many evolving attack patterns, which then need further manual judgment by an expert.

What is a DDoS attack, and why do attacks happen?

DDoS stands for Distributed Denial of Service.

The main purpose of the attack is to prevent the specified target from providing normal service. It is one of the most powerful attacks and one of the hardest to defend against.

In recent years, DRDoS (distributed reflection denial of service) has rapidly raised the scale of DDoS attacks, and Internet security is under constant threat from this kind of network violence.

Purposes of attack: extortion, attacks commissioned by competitors, and revenge attacks by offended users.

Measures: do not give extortionists a penny; instead, ask your IDC/ISP to reinforce defenses. That is the best way to avoid being bullied forever.

The classification of DDoS


Network layer attacks:

SYN-flood

This exploits the “vulnerability” of the TCP three-way handshake: SYN packets with forged source addresses are sent through a raw socket, so the target host can never complete the handshake. The half-open connections occupy the system’s protocol-stack queue, resources cannot be released, and service is denied. It is one of the most important DDoS attacks on the Internet. Host-side hardening, such as adjusting kernel parameters to reduce waiting and retries, speeds up resource release; this relieves a low-volume SYN flood but is useless against a high-volume one. SYN proxy, SYN cookies, and first-packet discarding (dropping the first SYN packet of each request) are common SYN flood defenses.

Network-layer attacks (traffic-based)

ACK-flood

For forged ACK packets, the target device simply replies with an RST packet and discards the connection, so the damage is far lower than that of SYN-flood. A primitive form of DDoS.

UDP-flood

UDP packets with a large number of forged source addresses are sent through a raw socket. Currently DNS is the main protocol used.

ICMP-flood

Ping flood, the old way.

CC attack

The name “Challenge Collapsar” comes from “Collapsar” (black hole), the anti-DDoS device of Green League, a well-known security company in China. The challenger sends a large number of real HTTP requests to the target through a botnet’s puppet hosts or anonymous proxy servers, which eventually consume a large amount of concurrent resources, slowing the entire website down or even denying service completely.

The Internet architecture essentially pursues scalability to improve concurrency, and the various SQL performance optimizations (eliminating slow queries, sharding tables and databases, indexing, optimizing data structures, and limiting query frequency) are all essentially about reducing resource consumption. CC does exactly the opposite: it fills up the server’s concurrent connection count, makes every request bypass the cache and read the database directly, and picks the most resource-consuming queries, preferably ones that use no index so that every query is a full table scan. This achieves the greatest denial of service with the smallest attack resources.

Internet products and services rely on data analysis to drive improvement and continuous operation, so besides OLTP systems such as the front-end APP, middleware and database, there is also OLAP: a big data platform covering log collection, storage, processing and analysis. When a CC attack occurs, it is not only the OLTP part that is affected. CC generates a huge number of logs, which directly affects the downstream OLAP. The impact is twofold: the day’s statistics are completely wrong, and the surge of access logs during the CC attack increases the burden on back-end data processing.

CC is currently one of the main means of application-layer attack. There are some defensive methods, but none solves the problem perfectly.
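As an added example (not part of the original article), the following Python flags clients in a web access log that show the CC pattern described above: a high request count combined with a query string that changes on almost every request, so that each request misses the cache and hits the database. The log format, the sample lines and the thresholds are assumptions for illustration.

```python
"""Flag CC-style HTTP clients in an access log (added example, not from the article)."""
import re
from collections import defaultdict

# Constructed sample lines (not real traffic): client IP, request line, status.
SAMPLE_LOG = """\
203.0.113.7 "GET /search?q=a1b2c3 HTTP/1.1" 200
203.0.113.7 "GET /search?q=d4e5f6 HTTP/1.1" 200
203.0.113.7 "GET /search?q=g7h8i9 HTTP/1.1" 200
203.0.113.7 "GET /search?q=j0k1l2 HTTP/1.1" 200
203.0.113.7 "GET /search?q=m3n4o5 HTTP/1.1" 200
198.51.100.2 "GET /index.html HTTP/1.1" 200
198.51.100.2 "GET /static/app.js HTTP/1.1" 200
198.51.100.2 "GET /index.html HTTP/1.1" 304
"""

# Assumed log format; adapt the pattern to the real server's format.
LINE_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})$')

def parse_log(text):
    """Yield (client_ip, path, query) for each well-formed line; skip junk lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, url, _status = m.groups()
        path, _, query = url.partition("?")
        yield ip, path, query

def cc_suspects(text, min_requests=5, min_unique_query_ratio=0.8):
    """Return {ip: stats} for clients whose traffic matches the CC pattern.

    A client is flagged when it sent at least `min_requests` requests AND at
    least `min_unique_query_ratio` of them carried a query string not seen
    before from that client (the cache-bypass behaviour the article describes).
    The whole log is treated as one time window (assumption).
    """
    requests = defaultdict(int)
    unique_queries = defaultdict(set)
    for ip, path, query in parse_log(text):
        requests[ip] += 1
        if query:
            unique_queries[ip].add(path + "?" + query)
    suspects = {}
    for ip, n in requests.items():
        ratio = len(unique_queries[ip]) / n
        if n >= min_requests and ratio >= min_unique_query_ratio:
            suspects[ip] = {"requests": n, "unique_query_ratio": round(ratio, 2)}
    return suspects
```

Flagged clients are candidates for rate limiting or a challenge at the edge; a legitimate crawler can also look like this, so the thresholds need tuning against normal traffic.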

Other attack types:

Hybrid type

In real high-traffic attacks, TCP and UDP traffic are mixed, and network-layer and application-layer attacks are carried out simultaneously.

Reflective type

The attacker sends TCP SYN packets to real TCP servers with the source address forged as the target. Each server, trying to complete the three-way handshake, sends its SYN|ACK “response” to the target address, completing a “reflection”. The attacker stays hidden, but there is a problem: the traffic the attacker generates and the traffic the target receives are 1:1, and the target immediately answers each SYN|ACK with an RST packet, so the attack’s return on investment is not high.

The essence of a reflection attack is to abuse “challenge-response” protocols: the source address of the query packet is set to the target’s address through a raw socket, so the “response” packets are delivered to the target. If the response is larger than the query, or the protocol supports recursion, the attack traffic is amplified, making this a cost-effective volumetric attack.

The protocols used in reflection attacks include NTP, Chargen, SSDP, DNS, and RPC Portmap.

DRDoS was first disclosed in 2004 in exactly the TCP SYN form described above: the source address of the SYN packet is set to the target address, a large number of SYN packets are sent to real TCP servers, and the servers’ SYN|ACK “responses” go to the target. The attacker hides, but the traffic sent and received is 1:1 and the target immediately answers each SYN|ACK with an RST, so the return on investment is low.
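From the victim’s side, a reflected and amplified flood has a recognisable shape: many distinct sources, all sending from the same well-known service port of one of the protocols listed above, toward one destination, with packets far larger than a query. The Python below (an added example, not from the article) groups constructed flow records by victim and reflector port and flags such groups; the record layout, port map and thresholds are assumptions.

```python
"""Spot reflected/amplified UDP floods in flow records (added example, not the article's)."""
from collections import defaultdict

# Service ports of the reflection protocols named in the article.
REFLECTOR_PORTS = {123: "NTP", 19: "Chargen", 1900: "SSDP", 53: "DNS", 111: "RPC Portmap"}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, packets, bytes).
SAMPLE_FLOWS = [
    ("192.0.2.10", 123, "203.0.113.5", 40000, 500, 234000),
    ("192.0.2.11", 123, "203.0.113.5", 40001, 480, 224640),
    ("192.0.2.12", 123, "203.0.113.5", 40002, 510, 238680),
    ("192.0.2.13", 123, "203.0.113.5", 40003, 495, 231660),
    ("198.51.100.9", 53, "203.0.113.5", 53211, 2, 180),      # an ordinary DNS answer
    ("192.0.2.20", 443, "203.0.113.5", 51000, 300, 420000),  # normal TCP/TLS traffic
]

def reflection_candidates(flows, min_sources=3, min_avg_bytes=300):
    """Group flows by (victim, reflector port) and flag amplification-like groups.

    A group is flagged when at least `min_sources` distinct reflectors are
    sending to the same victim and the average packet size is at least
    `min_avg_bytes`: amplified replies are much larger than the queries that
    triggered them, while a single legitimate DNS or NTP exchange is not.
    """
    groups = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for src_ip, src_port, dst_ip, _dst_port, packets, nbytes in flows:
        if src_port not in REFLECTOR_PORTS:
            continue  # not coming from a known reflector service port
        g = groups[(dst_ip, src_port)]
        g["sources"].add(src_ip)
        g["packets"] += packets
        g["bytes"] += nbytes
    result = {}
    for (dst_ip, port), g in groups.items():
        avg = g["bytes"] / g["packets"] if g["packets"] else 0
        if len(g["sources"]) >= min_sources and avg >= min_avg_bytes:
            result[(dst_ip, REFLECTOR_PORTS[port])] = {
                "sources": len(g["sources"]),
                "avg_bytes": round(avg, 1),
            }
    return result
```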

Pulse type

Many attacks last a very short time, usually less than five minutes, and appear on traffic charts as spikes.

Such attacks are popular because “fight, fight, stop, stop” works best: as soon as the defense threshold is triggered and the defense mechanism takes effect, the attack stops, and then the cycle repeats. Mosquitoes don’t bite you, but they fly around your ears; when you turn on the light they run away and disappear, and when you turn off the light they come back and you can’t sleep.

Automated defense mechanisms are largely triggered by thresholds. Although many vendors claim that their defenses respond within seconds, in practice that is much harder to achieve.
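The simulation below (an added example, not the article’s own and not any vendor’s logic) models why a purely threshold-driven mitigation leaks pulse attacks and how a hold-down timer with a lower release threshold changes that. The traffic series, the one-second decision lag and the thresholds are assumptions.

```python
"""Threshold-triggered mitigation against pulse attacks (added example, not the article's)."""

def naive_controller(pps_series, threshold):
    """Mitigate in exactly those seconds where traffic exceeds the threshold."""
    return [pps > threshold for pps in pps_series]

def holddown_controller(pps_series, trigger, release, hold_seconds):
    """Start mitigating when traffic exceeds `trigger`; keep mitigating for at
    least `hold_seconds` after the last trigger and until traffic is below the
    lower `release` level (hysteresis), so a pulse cannot switch it off."""
    states, active, remaining = [], False, 0
    for pps in pps_series:
        if pps > trigger:
            active, remaining = True, hold_seconds
        elif active:
            remaining -= 1
            if remaining <= 0 and pps < release:
                active = False
        states.append(active)
    return states

def pulse_series(baseline, peak, pulse_len, gap_len, pulses):
    """Constructed per-second traffic: `pulses` bursts at `peak` pps, each
    `pulse_len` seconds long, separated by `gap_len` quiet seconds."""
    series = []
    for _ in range(pulses):
        series += [peak] * pulse_len + [baseline] * gap_len
    return series

def attack_seconds_unmitigated(pps_series, states, baseline):
    """Count seconds in which attack traffic (above baseline) arrived while no
    mitigation was in effect. A decision taken at second t is assumed to take
    effect from second t+1, which models the detection lag that pulses exploit."""
    effective = [False] + states[:-1]
    return sum(1 for pps, on in zip(pps_series, effective) if pps > baseline and not on)

if __name__ == "__main__":
    traffic = pulse_series(baseline=1_000, peak=50_000, pulse_len=3, gap_len=4, pulses=5)
    naive = naive_controller(traffic, threshold=10_000)
    held = holddown_controller(traffic, trigger=10_000, release=5_000, hold_seconds=6)
    print("naive controller leaks", attack_seconds_unmitigated(traffic, naive, 1_000), "s")
    print("hold-down controller leaks", attack_seconds_unmitigated(traffic, held, 1_000), "s")
```

The hold-down only helps when it outlasts the quiet gap between pulses; with a hold shorter than the gap the controller degrades to the naive behaviour.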

Multi-layer defense architecture (Telecom Cloud Dyke, near-source suppression)


