Common DoS attacks


Denial of Service (DoS) attack: makes the system too busy to perform useful work by tying up key system resources. The basic idea is to flood the local system with packets so that the local service is disturbed or entirely prevented from responding to legitimate requests from outside, or even so that the local system crashes. Common ways of implementing a DoS attack are: TCP SYN flooding, ping flooding, UDP flooding, fragmentation bombs, buffer overflows, and ICMP routing redirect bombs.

1. TCP SYN flooding
TCP SYN flooding exploits the three-way handshake that TCP uses to establish a connection, combined with IP source address spoofing, as shown in the figure:
[Figure: TCP SYN flood against the three-way handshake]

The attacker forges its source address as a private (unroutable) address and sends a connection request to the TCP service on the local system. The local TCP service replies with a SYN-ACK, but the reply goes not to the attacker's real address but to the forged private address. Since that private address does not exist on the network where the local server sits, the local system never receives an RST message (which would end the half-open connection). The local TCP service then waits for an ACK that never arrives. The half-open connection stays open until the connection attempt times out, consuming limited connection resources. Because the attacker's connection requests arrive faster than the TCP timeout releases resources, the local connection resources (such as the fixed-size connection queue created by listen()) are flooded with request after request, and the local service can no longer accept new connection requests.

The SYN cookie mechanism in the Linux kernel can greatly delay the exhaustion of network resources caused by SYN flooding: when the TCP service receives a TCP SYN packet and returns a SYN-ACK, it does not allocate a dedicated data structure but instead computes a cookie value from that SYN. The cookie is a sequence number derived from the original sequence number in the SYN, the source address, the destination address, the port numbers and a secret value. The cookie is used as the initial sequence number of the returned SYN-ACK. When the client returns an ACK packet, the TCP service checks the legitimacy of the ACK against the cookie value, and only then allocates a dedicated data structure for the rest of the connection. The cookie's lifetime is very short, so the client must respond within a short time.

The command echo 1 > /proc/sys/net/ipv4/tcp_syncookies turns on SYN cookie protection in the Linux kernel; note that some distributions need the kernel configured with this option before it can be enabled.
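To make the stateless handshake described above concrete, here is an added example in C (not code from the original post, and not the Linux kernel's actual algorithm, which uses a keyed cryptographic hash and also encodes the MSS) of minting a SYN cookie from the connection tuple, the client's ISN, a minute counter and a secret, then verifying the returning ACK without any stored state; the FNV-1a mixer and the constant SECRET are stand-ins chosen for illustration:

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed secret; a real server draws this from a CSPRNG at boot and
 * never reveals it. */
static const uint64_t SECRET = 0x9e3779b97f4a7c15ULL;

/* 64-bit FNV-1a over a byte buffer: a simple mixer standing in for the keyed
 * hash the kernel uses; not strong enough for production use. */
static uint64_t fnv1a(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Mint the SYN-ACK initial sequence number: 5 bits of a minute counter so the
 * server can later tell how old the cookie is, and 27 bits of hash over the
 * 4-tuple, the client's ISN, the minute and the secret. Nothing is stored. */
uint32_t syn_cookie(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport,
                    uint32_t client_isn, uint32_t minute) {
    uint64_t words[4] = { ((uint64_t)saddr << 32) | daddr,
                          ((uint64_t)sport << 48) | ((uint64_t)dport << 32) | client_isn,
                          minute, SECRET };
    uint64_t h = fnv1a((const uint8_t *)words, sizeof words);
    return ((minute & 31u) << 27) | (uint32_t)(h & 0x07ffffffu);
}

/* Validate the handshake-completing ACK. The client echoes our ISN + 1 in its
 * ack number and its own ISN + 1 in its seq number, so client_isn = seq - 1.
 * Only cookies minted in the current or previous minute are accepted. */
int syn_cookie_valid(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport,
                     uint32_t client_isn, uint32_t ack_seq, uint32_t now_minute) {
    uint32_t cookie = ack_seq - 1;
    uint32_t age = (now_minute - (cookie >> 27)) & 31u;
    if (age > 1) return 0;                      /* expired, or not our cookie */
    uint32_t minted = now_minute - age;         /* recover the full counter */
    return syn_cookie(saddr, daddr, sport, dport, client_isn, minted) == cookie;
}
```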

2. Ping flooding
Sending ICMP echo request messages with ping is another common DoS attack. The principle is to force the system to spend most of its time on useless replies and so degrade the quality of its network service. The main ways of carrying it out are: ① forge the source address of the ping packets as the victim's address and broadcast echo requests to the whole network of hosts, so that every host replies to the victim and floods it with responses; ② install a Trojan horse program on the attacker's machines and have them all send a large number of echo requests to one host at the same moment; ③ simply send enough plain ping traffic to saturate the victim's data link.

An older attack method is called the ping of death: the attacker sends oversized ping packets to the victim machine, and a vulnerable system may crash as a result. UNIX-like systems such as Linux do not have this vulnerability. For the victim host, simply discarding ping requests is not a good solution, because however the system responds to incoming ping packets, the system or the network is still swamped by the work of inspecting and dropping them.

3. UDP flooding
Unlike TCP, UDP is stateless: no information is kept to indicate which packet is expected next. UDP services are therefore more susceptible to this type of flooding, and many sites block all non-essential UDP ports.

4. Buffer overflow
Buffer overflow attacks cannot be stopped by a packet-filtering firewall. They crash the system or service by overwriting the program's data space or its run-time stack, which requires professional skill and an understanding of the hardware and system software. For example, some early server programs used the sprintf() function, and attackers crashed them through a buffer overflow; it is therefore more appropriate to use snprintf() instead of sprintf().
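The sprintf()/snprintf() point above, shown as an added example that is not from the original post: format_reply_unsafe and format_reply_safe are hypothetical helpers that format a server greeting into a fixed 32-byte buffer, the first with the unbounded call and the second with the bounded call plus the truncation check that snprintf() makes possible.

```c
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 32   /* fixed-size buffer the reply is built in */

/* Before: sprintf() writes however many bytes the format produces. A client
 * name longer than 21 bytes runs past the 32-byte buffer and overwrites
 * whatever sits after it on the stack, which at minimum crashes the server. */
void format_reply_unsafe(char out[REPLY_MAX], const char *client) {
    sprintf(out, "220 hello %s", client);
}

/* After: snprintf() never writes more than REPLY_MAX bytes and always
 * NUL-terminates. Its return value is the length the complete string would
 * have had, so n >= REPLY_MAX means the output was truncated; the caller can
 * then refuse the input instead of silently sending a cut-off reply.
 * Returns the reply length, or -1 if the input did not fit. */
int format_reply_safe(char out[REPLY_MAX], const char *client) {
    int n = snprintf(out, REPLY_MAX, "220 hello %s", client);
    if (n < 0 || n >= REPLY_MAX) {
        out[0] = '\0';          /* do not hand partial data downstream */
        return -1;
    }
    return n;
}
```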

5. ICMP route redirection bomb
We know that ICMP message type 5 tells the target system to change the routing table in its memory in order to use a shorter route, that is, it informs the host that a better path is available. In practice a redirect rarely originates from a router near the host; for residential or business sites connected to an ISP, it is very unlikely that a nearby router will generate an ICMP redirect message. If our host uses static routing and nevertheless receives a redirect message, it may be that someone is attacking our system and trying to trick the host into forwarding all of its traffic to another remote host.

6. Fragmentation bomb
We know that as a packet travels from one router to the next along the path from the source computer to the destination computer, a gateway router may need to split it into smaller fragments before passing it on to the next network (a packet that exceeds that network's MTU is fragmented). The first of these fragments contains the source and destination port numbers of the UDP or TCP header, and the following fragments do not. Once a packet has been fragmented, the intermediate routers do not reassemble it; it is reassembled only when it reaches the destination host or a neighbouring router.

A fragmentation bomb is built by constructing deliberately tiny fragments so that the receiving system or program crashes or the filter is bypassed: for example, the initial fragment is made so small that the UDP or TCP source and destination ports land in the second fragment. Many firewalls do not inspect fragments after the first, and the first fragment is let through because the information the firewall wants to filter on is not present in it yet; finally all the fragments are reassembled on the host.
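One check a fragment-aware filter can apply against the tiny first fragments just described, as an added example in C that is not from the original post: parse_ipv4, tiny_fragment_drop and the sample packet are constructed for this illustration, and the offset-1 rule follows RFC 1858.

```c
#include <stdint.h>
#include <stddef.h>

struct frag_info {            /* the IPv4 fields a fragment filter needs */
    uint8_t  proto;
    uint16_t offset;          /* fragment offset, in 8-byte units */
    int      more;            /* MF flag set? */
    size_t   payload_len;     /* bytes after the IP header in this fragment */
};

/* Parse an IPv4 header from a raw packet; returns 0 if malformed. */
int parse_ipv4(const uint8_t *pkt, size_t len, struct frag_info *fi) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4, total = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || total < ihl || total > len) return 0;
    uint16_t frag = ((uint16_t)pkt[6] << 8) | pkt[7];
    fi->proto = pkt[9];
    fi->more = (frag & 0x2000) != 0;
    fi->offset = frag & 0x1fff;
    fi->payload_len = total - ihl;
    return 1;
}

/* 1 = drop before reassembly, 0 = pass. Rule 1: a first fragment must carry the
 * whole transport header (TCP 20, UDP 8 bytes) so the ports are visible to the
 * filter. Rule 2 (RFC 1858): a TCP fragment at offset 1 would overwrite the
 * port fields of the first fragment after reassembly, so drop it outright. */
int tiny_fragment_drop(const struct frag_info *fi) {
    size_t min_hdr = fi->proto == 6 ? 20 : fi->proto == 17 ? 8 : 0;
    if (min_hdr == 0) return 0;                       /* not TCP/UDP */
    if (fi->offset == 0 && fi->more && fi->payload_len < min_hdr) return 1;
    if (fi->proto == 6 && fi->offset == 1) return 1;
    return 0;
}

/* Parse and decide in one call: 1 = drop, 0 = pass, -1 = malformed. */
int filter_fragment(const uint8_t *pkt, size_t len) {
    struct frag_info fi;
    return parse_ipv4(pkt, len, &fi) ? tiny_fragment_drop(&fi) : -1;
}

/* Constructed sample (not captured traffic): IPv4/TCP first fragment with MF set
 * and only 4 bytes of payload, i.e. the ports but not the rest of the TCP header. */
const uint8_t TINY_FIRST_FRAG[24] = {
    0x45, 0x00, 0x00, 0x18,   /* v4, IHL 5, total length 24 */
    0x00, 0x01, 0x20, 0x00,   /* id 1, flags = MF, offset 0 */
    0x40, 0x06, 0x00, 0x00,   /* TTL 64, proto 6 (TCP), checksum not verified here */
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,   /* 10.0.0.1 -> 10.0.0.2 */
    0x00, 0x50, 0x1f, 0x90    /* TCP src port 80, dst port 8080, nothing more */
};
```

A filter that enforces both rules also needs to rate-limit or bound its reassembly state, since the same attacker can simply send many legitimate-looking fragments.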

In addition, because fragmentation at intermediate routers is generally more expensive than sending smaller packets that need no fragmentation, the sender usually sets the Don't Fragment flag in the IP header. With that flag set, the system performs path MTU discovery when it opens a connection to the target host: if an intermediate router would have to fragment the packet, it drops the packet instead and sends back an ICMP type 3 error message, "fragmentation required".


Source: blog.csdn.net/qq_43288259/article/details/115251867