TCP connection attack

1. Forging the protocol so that the server crashes. For example, the protocol allows a maximum of 1024 for a certain command's length field, and the attacker forges a value of 4096.
2. Forging oversized packets, for example a packet claiming to be 1024M.
3. Consuming server resources: opening a large number of connections and sending packets at a crawl, for example one byte per minute.
4. DDoS attack: initiating a large number of connections from different IPs and flooding the server with heavy traffic.
5. Attacking the cluster's authorization system, which is all or nothing.
6. Breaking the logic of the message sending sequence so that the server crashes. For example, logically A should be sent first and then B; the attacker swaps the order.
7. Constantly connecting and disconnecting, which forces the server to allocate and release resources; this is usually very expensive.
8. Forging key timing events in the protocol, causing time confusion.
9. Triggering events in the protocol that require a lot of computation and resources.
10. Using security loopholes in the protocol or in the implementation, such as the limit on the number of atoms in Erlang, to threaten the system.
11. Attacks such as Hash Collision DoS.
12. term_to_binary data whose depth is too great: the underlying VM implementation uses C recursion, which can easily lead to a stack overflow.
13. The roles of the Mnesia database nodes are equal, so it is easy to initiate a data destruction operation from any one of the nodes.
14. A flood of requests generates a large number of messages, and the message queue explodes.
15. Using loopholes in the underlying implementation of inets to construct malformed data that makes inet drv work abnormally.
16. Attacking the system's RPC channel: there is only one RPC channel between nodes, and it is easy to saturate.
17. Attacking loopholes in the system's NIF implementation, causing VM crashes.
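As an added example (not code from the original post), a Python framed-message parser that applies the checks items 1, 2 and 8 above call for: the declared length field is validated against the 1024 maximum before any payload is read or copied, and a per-session state machine rejects a B that arrives before A. The frame layout, the message names and the ALLOWED table are assumptions constructed for the example.

```python
import struct

MAX_FIELD_LEN = 1024  # the protocol's maximum for a command's length field (item 1)
# Constructed two-message protocol for item 8: an A must arrive before any B.
ALLOWED = {"start": {"A"}, "ready": {"A", "B"}}

class ProtocolError(Exception):
    pass

def parse_frame(buf):
    """One frame = 4-byte big-endian payload length, 1-byte type, payload.
    Returns (type, payload, remaining) or None when the frame is incomplete."""
    if len(buf) < 5:
        return None
    (declared,) = struct.unpack("!I", buf[:4])
    # Validate the declared length before reading or copying any payload, so a
    # forged 4096 (or a 1024M claim, item 2) never drives an allocation.
    if declared > MAX_FIELD_LEN:
        raise ProtocolError("declared length %d exceeds maximum %d" % (declared, MAX_FIELD_LEN))
    end = 5 + declared
    if len(buf) < end:
        return None  # keep buffering; the buffer is bounded by MAX_FIELD_LEN + 5
    return chr(buf[4]), bytes(buf[5:end]), buf[end:]

class Session:
    """Enforces message order so an out-of-sequence B is rejected instead of
    reaching handler code that assumes an A was processed first."""
    def __init__(self):
        self.state = "start"
        self.handled = []  # (type, payload length) of every accepted message
    def feed(self, buf):
        # Consume complete frames from buf; return the unconsumed tail.
        while (parsed := parse_frame(buf)) is not None:
            mtype, payload, buf = parsed
            if mtype not in ALLOWED[self.state]:
                raise ProtocolError("message %s not allowed in state %s" % (mtype, self.state))
            self.handled.append((mtype, len(payload)))
            self.state = "ready"
        return buf

def frame(mtype, payload, declared=None):
    """Build a frame; 'declared' lets a test forge a length that lies about the payload."""
    n = len(payload) if declared is None else declared
    return struct.pack("!I", n) + mtype.encode() + payload

def check(buf):
    """Run a buffer through a fresh session: ('ok', handled) or ('rejected', reason)."""
    s = Session()
    try:
        s.feed(buf)
    except ProtocolError as e:
        return ("rejected", str(e))
    return ("ok", s.handled)
```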

TCP connection exhaustion attack and defense principle

Principle of Attack

A connection exhaustion attack means that an attacker initiates a large number of TCP connections to a server through a botnet, exhausting the server's TCP connection resources. The connection exhaustion generally has the following types of attacks:

  • After the three-way handshake is completed, no packets are sent, and these TCP connections are maintained.
  • After completing the three-way handshake, immediately send a FIN or RST message to release the local connection and quickly initiate a new connection.
  • The small TCP windows size presented to the server during the connection process causes the server's TCP protocol stack resources to be exhausted.
  • Sending a large number of TCP retransmission requests can cause congestion in the uplink of the attacked network with a small amount of traffic.

Principles of Defense

Because this attack exhausts the server's TCP connection resources, the Anti-DDoS device collects statistics on the rate of new connections and on the distribution of concurrent connection counts for the destination IP address. When the new connection rate or the number of concurrent connections exceeds the threshold, it triggers the corresponding checks on source IP addresses; when a check finds an abnormality, the abnormal source IP address is added to the blacklist and its TCP traffic is cut off.

  • Source IP address new connection rate check: once this check is enabled, if the number of new TCP connections initiated by a source IP address during the check period is greater than the threshold, that source IP address is judged to be the attack source.
  • Source IP address concurrent connection count check: once this check is enabled, if the number of concurrent TCP connections from a source IP address is greater than the threshold, that source IP address is judged to be the attack source.
  • Slow connection rate check: once this check is enabled, the device counts the connections from the same source IP address to the same destination IP address in each statistical interval. If that count stays the same across several consecutive intervals and exceeds the threshold each time, it is judged to be a TCP slow connection attack.
  • Abnormal session check: if the number of abnormal TCP sessions initiated by a source IP address during the check period is greater than the threshold, that source IP address is judged to be the attack source. A TCP session is judged abnormal on the following basis:

    • Null connection check: if the number of packets passed on a TCP connection during the check period is less than the threshold, the connection is judged abnormal.
    • Retransmission session check: if the number of retransmitted packets on a TCP connection is greater than the threshold, the connection is judged abnormal.
    • Slow-start connection check: if the window of the packets passing on a TCP connection is smaller than the threshold, the connection is judged abnormal.

    When the number of abnormal sessions exceeds a configured count, the source is added to the blacklist. The number of abnormal sessions that triggers this is configurable.
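The new connection rate, concurrent connection and abnormal-session checks described above, as an added example (not from the original post): a Python classifier run over constructed connection records for one check period. The Conn fields, the threshold values and the sample addresses are assumptions; the slow connection rate check, which needs several consecutive intervals, is not included.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Conn:
    src: str        # source IP address
    packets: int    # packets passed on the connection during the check period
    retrans: int    # retransmitted packets seen on the connection
    window: int     # smallest receive window advertised by the peer (bytes)
    open: bool      # still open at the end of the check period

# Thresholds are constructed for the example; a real Anti-DDoS device has its own defaults.
THRESH = {"new_rate": 50, "concurrent": 30, "null_pkts": 2,
          "retrans": 20, "window": 64, "abnormal": 10}

def is_abnormal(c):
    """Null connection, retransmission session and slow-start connection checks."""
    return (c.packets < THRESH["null_pkts"] or c.retrans > THRESH["retrans"]
            or c.window < THRESH["window"])

def classify(conns):
    """Return {src: [reasons]} for every source the checks judge to be an attack source."""
    new_count, concurrent, abnormal = defaultdict(int), defaultdict(int), defaultdict(int)
    for c in conns:
        new_count[c.src] += 1           # every record is a connection opened this period
        if c.open:
            concurrent[c.src] += 1
        if is_abnormal(c):
            abnormal[c.src] += 1
    verdict = {}
    for src in new_count:
        reasons = []
        if new_count[src] > THRESH["new_rate"]:
            reasons.append("new connection rate")
        if concurrent[src] > THRESH["concurrent"]:
            reasons.append("concurrent connections")
        if abnormal[src] > THRESH["abnormal"]:
            reasons.append("abnormal sessions")
        if reasons:
            verdict[src] = reasons      # blacklist candidate: cut its TCP traffic
    return verdict

# Constructed sample: a normal client, a client holding 40 idle handshakes open
# (null connections), and a client advertising a tiny window on every connection.
SAMPLE = (
    [Conn("10.0.0.5", packets=40, retrans=0, window=65535, open=False) for _ in range(5)]
    + [Conn("198.51.100.7", packets=0, retrans=0, window=65535, open=True) for _ in range(40)]
    + [Conn("203.0.113.9", packets=12, retrans=0, window=16, open=False) for _ in range(15)]
)
```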


Source: blog.csdn.net/m0_37541228/article/details/77653454