Learning from DDoS attack methods: how to master the core of DDoS defense

In today's Internet, most Internet companies recognize the importance of defending against DDoS. Some companies, however, still know little about how DDoS attacks actually work and have not built adequate protection. In essence, DDoS is this: using distributed clients to send a large volume of seemingly legitimate requests to a target, consuming or tying up its resources so that it can no longer serve legitimate users. There are four main attack methods:


1. Attack the system

Creating a TCP connection requires three exchanges between client and server, the well-known "three-way handshake". The server records each connection in progress in a connection table (the half-open or SYN backlog queue), and that table has a fixed size: once it is full, the server cannot accept new TCP connections.

An attacker exploits this by having controlled hosts open large numbers of malicious TCP connections against the target, filling its connection table so that it can no longer accept new connection requests. If the attacker instead sends a flood of TCP SYN packets (typically with forged source addresses, so the handshake is never completed), the server accumulates a large number of half-open connections in a short time, the backlog fills up, and new legitimate connections cannot be established. This is the SYN flood, one of the most commonly used DDoS methods.
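The following is an added example, not code from the original article: a small Python model of a listener's half-open connection queue that shows why a SYN flood blocks legitimate clients, and how SYN cookies avoid the problem by not storing state for unfinished handshakes. The backlog size, timeout, secret, addresses (RFC 5737 documentation ranges) and the names `Listener`, `syn_cookie` and `run_flood` are all assumptions for the example; this is not a real TCP stack.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed parameters for this model (not taken from any real implementation).
BACKLOG = 128             # size of the half-open (SYN) queue
HALF_OPEN_TIMEOUT = 60    # seconds an unanswered SYN stays in the queue
SECRET = b"server-secret-rotated-periodically"  # assumed per-server key


def syn_cookie(src_ip: str, src_port: int, client_isn: int, t_bucket: int) -> int:
    """Derive the server ISN from the connection tuple and a time bucket.

    Nothing is stored: the ISN itself is the proof the SYN was seen."""
    msg = f"{src_ip}:{src_port}:{client_isn}:{t_bucket}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


@dataclass
class Listener:
    syn_cookies: bool
    half_open: dict = field(default_factory=dict)   # (ip, port) -> (server_isn, expires)
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def _expire(self, now: int) -> None:
        for key in [k for k, (_, exp) in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, src_ip: str, src_port: int, client_isn: int, now: int):
        """Return the server ISN to send in SYN/ACK, or None if the SYN was dropped."""
        if self.syn_cookies:
            return syn_cookie(src_ip, src_port, client_isn, now // 64)
        self._expire(now)
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1          # queue full: legitimate SYNs die here
            return None
        isn = hash((src_ip, src_port, client_isn, now)) & 0xFFFFFFFF
        self.half_open[(src_ip, src_port)] = (isn, now + HALF_OPEN_TIMEOUT)
        return isn

    def on_ack(self, src_ip: str, src_port: int, client_isn: int, ack: int, now: int) -> bool:
        """Final ACK of the handshake: ack must equal server_isn + 1."""
        if self.syn_cookies:
            # Accept the current and the previous time bucket to allow for RTT.
            for bucket in (now // 64, now // 64 - 1):
                expected = (syn_cookie(src_ip, src_port, client_isn, bucket) + 1) & 0xFFFFFFFF
                if ack == expected:
                    self.established.add((src_ip, src_port))
                    return True
            return False
        entry = self.half_open.pop((src_ip, src_port), None)
        if entry and ack == (entry[0] + 1) & 0xFFFFFFFF:
            self.established.add((src_ip, src_port))
            return True
        return False


def run_flood(listener: Listener, n_spoofed: int = 1000, now: int = 1_700_000_000) -> bool:
    """Send n_spoofed SYNs that never complete, then one real handshake.

    Returns True if the legitimate client still gets connected."""
    for i in range(n_spoofed):
        # Constructed spoofed sources: nobody will ever answer the SYN/ACK.
        listener.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, i, now)
    isn = listener.on_syn("198.51.100.7", 40000, 12345, now + 1)
    if isn is None:
        return False
    return listener.on_ack("198.51.100.7", 40000, 12345, (isn + 1) & 0xFFFFFFFF, now + 1)


if __name__ == "__main__":
    plain = Listener(syn_cookies=False)
    print("without SYN cookies, legit client connected:", run_flood(plain),
          "| SYNs dropped:", plain.dropped_syns)
    cookies = Listener(syn_cookies=True)
    print("with SYN cookies, legit client connected:", run_flood(cookies),
          "| half-open entries held:", len(cookies.half_open))
```

The plain listener drops every SYN after the first 128 until the half-open entries time out, so the real client is locked out for a minute at a time; the cookie listener keeps no per-SYN state, so the flood costs it only the SYN/ACK replies. Production stacks implement the same idea natively (on Linux, `net.ipv4.tcp_syncookies`), and the remaining cost, the SYN/ACK traffic, is what upstream scrubbing has to absorb.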

2. Attack bandwidth

The principle is the same as a traffic jam: send so many network packets that they occupy the entire bandwidth of the target, so that normal requests cannot get through. When the packet volume reaches or exceeds the link's capacity, the network becomes congested, responses slow down, and service is effectively denied. Attackers use ICMP floods (sending large numbers of ICMP messages) or UDP floods (sending User Datagram Protocol packets, large or small), usually with forged source IP addresses to hide their origin; the result is network congestion and slow server responses.

This direct method, however, is limited by the network capacity of the controlled hosts themselves, so its effect is modest, and DDoS defenses can trace the attack back to its source fairly easily. That is why the reflection attack appeared. The attacker crafts special packets whose destination is a server used as a reflector and whose source IP address is forged to be the target's address. When the reflector receives such a packet it is tricked into sending its response to the target, and the responses exhaust the target network's bandwidth. For protocols such as DNS, the reflector's response is usually much larger than the request that triggered it, so the attacker's traffic is amplified as well as redirected.
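An added example, not code from the original article, that models the reflection attack just described as a packet exchange in Python and shows the standard countermeasure on the attacker's side of the network: source-address filtering at the network edge (BCP 38 / RFC 2827), which drops packets whose source address does not belong to the local prefix. The addresses are RFC 5737 documentation ranges, the 60-byte request and 3000-byte response are assumed sizes, and `Packet`, `reflector_reply`, `egress_filter` and `simulate` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str   # source IP as written in the IP header (may be forged)
    dst: str
    size: int  # bytes on the wire


# Constructed addresses and sizes for the example.
ATTACKER_PREFIX = ipaddress.ip_network("203.0.113.0/24")  # the bot's own network
VICTIM = "198.51.100.10"                                   # forged source address
REFLECTOR = "192.0.2.53"                                   # e.g. an open resolver
QUERY_SIZE = 60        # assumed request size
RESPONSE_SIZE = 3000   # assumed response size (a large answer)


def reflector_reply(pkt: Packet) -> Packet:
    """A reflector answers whoever the IP header claims sent the request.

    It has no way to know the source address was forged."""
    return Packet(src=pkt.dst, dst=pkt.src, size=RESPONSE_SIZE)


def egress_filter(pkt: Packet, local_prefix: ipaddress.IPv4Network) -> bool:
    """BCP 38 filtering at the edge router of the bot's network: forward only
    packets whose source address is actually inside the local prefix."""
    return ipaddress.ip_address(pkt.src) in local_prefix


def simulate(n_queries: int, filtering: bool) -> tuple:
    """Return (bytes the attacker put on the wire, bytes that land on the victim)."""
    sent = received_by_victim = 0
    for _ in range(n_queries):
        spoofed = Packet(src=VICTIM, dst=REFLECTOR, size=QUERY_SIZE)
        sent += spoofed.size
        if filtering and not egress_filter(spoofed, ATTACKER_PREFIX):
            continue  # dropped at the edge, never reaches the reflector
        reply = reflector_reply(spoofed)
        if reply.dst == VICTIM:
            received_by_victim += reply.size
    return sent, received_by_victim


def amplification_factor(sent: int, received: int) -> float:
    """How many bytes hit the victim per byte the attacker sent."""
    return received / sent if sent else 0.0


if __name__ == "__main__":
    for filtering in (False, True):
        sent, hit = simulate(1000, filtering)
        print(f"BCP38 filtering={filtering}: attacker sent {sent} B, "
              f"victim received {hit} B, amplification x{amplification_factor(sent, hit):.0f}")
```

Two things follow from the model. The victim's only defense against the reflected traffic is capacity (scrubbing, anycast, upstream rate limiting), because the packets arriving from the reflector are perfectly well-formed. The cheap fix sits with the networks that host the bots: if the edge drops packets whose source is not their own prefix, the spoofed query never leaves, and reflectors that rate-limit or refuse to answer large queries to arbitrary clients reduce the factor further.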

3. Attack the application

Because DNS and Web services are so widespread and important, they have become the main targets of distributed denial-of-service attacks that consume application resources. One example is sending a large number of query requests to a DNS server to exhaust it. If every request asks for a different domain name, the server's cached resolution records are of no help and some DDoS defenses are bypassed, so resources are consumed far more effectively. When the availability of DNS is threatened, a large number of devices across the Internet are affected and cannot operate normally.
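An added example, not code from the original article: detection logic in Python for the DNS variant above, where each query carries a different, non-existent name so that caching cannot help. Run over a query log, it flags a (client, zone) pair when the client has asked for many distinct names under the zone and almost all of them came back NXDOMAIN. The log format (timestamp, client, qname, qtype, rcode), the sample lines, the "last two labels" rule for the zone, and the thresholds are all constructed for the example.

```python
import hashlib
import re
from collections import defaultdict

# Assumed log format: "<timestamp> <client> <qname> <qtype> <rcode>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def _random_label(i: int) -> str:
    """Pseudo-random label standing in for the attacker's generated subdomains."""
    return hashlib.sha1(str(i).encode()).hexdigest()[:8]


# Constructed sample log (not real traffic): one client floods example.com with
# names that have never been seen; another client behaves normally.
SAMPLE_LOG = "\n".join(
    [f"2024-05-01T10:00:{i % 60:02d}Z 203.0.113.5 {_random_label(i)}.example.com A NXDOMAIN"
     for i in range(40)]
    + [
        "2024-05-01T10:00:03Z 198.51.100.7 www.example.com A NOERROR",
        "2024-05-01T10:00:04Z 198.51.100.7 www.example.com A NOERROR",
        "2024-05-01T10:00:09Z 198.51.100.7 mail.example.com MX NOERROR",
        "2024-05-01T10:00:15Z 198.51.100.7 www.example.com AAAA NOERROR",
        "2024-05-01T10:00:21Z 198.51.100.7 mail.example.com A NOERROR",
        "2024-05-01T10:00:30Z 198.51.100.7 wwww.example.com A NXDOMAIN",
    ]
)


def zone_of(qname: str) -> str:
    """Assumption for this example: the zone is the last two labels.

    A real deployment would match against the list of zones it actually serves."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def detect_random_subdomain_flood(log_text: str, min_distinct: int = 30,
                                  min_nx_ratio: float = 0.9) -> dict:
    """Flag (client, zone) pairs that query many distinct names that do not exist.

    Returns {(client, zone): {"distinct": n, "nx_ratio": r, "queries": q}}."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "names": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, _qtype, rcode = m.groups()
        s = stats[(client, zone_of(qname))]
        s["queries"] += 1
        s["names"].add(qname.rstrip(".").lower())
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1

    flagged = {}
    for key, s in stats.items():
        distinct = len(s["names"])
        nx_ratio = s["nxdomain"] / s["queries"]
        # Both conditions matter: a crawler asks many names that exist, a user
        # with a typo gets NXDOMAIN for one name. Only the combination is a flood.
        if distinct >= min_distinct and nx_ratio >= min_nx_ratio:
            flagged[key] = {"distinct": distinct, "nx_ratio": nx_ratio, "queries": s["queries"]}
    return flagged


if __name__ == "__main__":
    for (client, zone), info in detect_random_subdomain_flood(SAMPLE_LOG).items():
        print(f"flood suspected: {client} -> {zone}: {info['distinct']} distinct names, "
              f"{info['nx_ratio']:.0%} NXDOMAIN over {info['queries']} queries")
```

On a recursive resolver the client is the address to rate-limit; on an authoritative server the "client" is usually an innocent resolver relaying the bot's queries, so the useful reaction there is to rate-limit NXDOMAIN answers per zone rather than to block the source.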

Web technology has developed very rapidly in recent years. If an attacker uses a large number of controlled hosts to continuously send HTTP requests that the Web server must process, the server's resources are fully occupied, normal users' requests cannot be handled, and service is denied. Once a Web service is hit by such an attack, the business it carries suffers a fatal impact.
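An added example, not code from the original article, of the first-line application-layer control against the HTTP flood just described: a per-client token-bucket rate limiter, here replayed over Web server access log lines so the effect can be checked offline. The combined-log-style lines, the addresses (RFC 5737 documentation ranges), and the rate and burst values are constructed assumptions; `TokenBucket`, `parse_log` and `enforce` are hypothetical names.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed access-log format (Apache/nginx combined-style prefix).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip: str, sec: int, path: str = "/") -> str:
    return f'{ip} - - [01/May/2024:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample log: one host fires 20 requests per second for 3 seconds,
# a normal client makes 5 requests over 8 seconds.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.9", s, "/search?q=x") for s in (0, 1, 2) for _ in range(20)]
    + [_line("198.51.100.7", s) for s in (0, 2, 4, 6, 8)]
)


class TokenBucket:
    """Allow `rate` requests per second on average, with bursts up to `burst`."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, t: float) -> bool:
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def parse_log(log_text: str) -> list:
    """Return [(epoch_seconds, client_ip, request_line)] sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, request, _status, _size = m.groups()
        events.append((datetime.strptime(ts, TS_FMT).timestamp(), ip, request))
    events.sort(key=lambda e: e[0])
    return events


def enforce(log_text: str, rate: float = 5.0, burst: int = 10) -> tuple:
    """Replay the log through one bucket per client IP.

    Returns (allowed, rejected) Counters keyed by client IP."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    allowed, rejected = Counter(), Counter()
    for t, ip, _request in parse_log(log_text):
        if buckets[ip].allow(t):
            allowed[ip] += 1
        else:
            rejected[ip] += 1   # would be answered with 429 or dropped
    return allowed, rejected


if __name__ == "__main__":
    allowed, rejected = enforce(SAMPLE_LOG)
    for ip in sorted(set(allowed) | set(rejected)):
        print(f"{ip}: allowed {allowed[ip]}, rejected {rejected[ip]}")
```

Keying on the source IP is the simplest choice and is the right one to start with, but a botnet spreads its requests across many addresses so that each stays under the limit; the same bucket logic is then applied to a second key such as session cookie, URL path or the cost of the request (a search is worth more tokens than a static file).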

4. Mixed attacks

In practice, many attackers do not care which single attack method is effective: as long as they reach their goal, they will typically launch every method they have and press the attack as hard as possible. The target's DDoS defenses then have to handle distributed denial-of-service traffic across different protocols and aimed at different resources, and the cost of analysis, response and handling rises sharply.

As botnets become smaller, low-volume, slow attacks at the application layer have grown steadily, because they reduce the cost of the attack, hide its source effectively, evade security devices and still achieve the desired effect. Seen from that angle, DDoS attacks today fall into two broad classes: high-volume, high-rate UDP and reflection attacks, and multi-protocol low-volume, slow attacks.


As far as China's current situation is concerned, defense against DDoS needs far more thorough preparation, and every Internet company needs to take it seriously: according to research on the DDoS situation, in terms of global traffic distribution China and the United States are the areas hardest hit by DDoS.

This article is from: https://www.zhuanqq.com/News/Industry/325.html


Origin blog.csdn.net/blublu7080/article/details/112965142