DDoS attack and defense (1)

Preface
This chapter introduces DDoS attacks and the methods used to defend against them.

The theoretical background is taken from https://www.microsoft.com/zh-cn/security/business/security-101/what-is-a-ddos-attack
1: Attack
Generally speaking, DDoS attacks are divided into three categories: Volumetric attacks, protocol attacks, and resource layer attacks.

1> Volumetric attacks overwhelm the network layer with traffic that initially appears to be legitimate. This is the most common form of DDoS attack. DNS (Domain Name Server) amplification is a volumetric attack that uses open DNS servers to flood a target with DNS response traffic.
2> Protocol attacks cause service disruption by exploiting weaknesses in the layer 3 and layer 4 protocol stacks. An example is a SYN attack, which consumes all available server resources and thereby renders the server unusable.
3> Resource (or application) layer attacks target web application packets and disrupt data transmission between hosts. Examples include HTTP protocol violations, SQL injection, cross-site scripting, and other layer 7 attacks.
Attackers may use one or more types of attack against a network. For example, an attack may start as one type and then evolve or combine with another threat to wreak havoc on a system.

Additionally, there are multiple types of cyberattacks included in each category. As cybercriminals become more sophisticated, the number of new cyber threats is increasing and expected to climb.
If a network attack is suspected, it is imperative to act quickly because in addition to causing downtime, a DDoS attack can leave an organization vulnerable to other hackers, malware, or cyber threats.

2: Detection
How to Detect and Respond to a DDoS Attack
While there is no one way to detect a DDoS attack, there are some signs that may indicate that the network is under attack:

1> A surge in network traffic that appears to come from an unknown source but actually originates from a single IP address or range.
2> Slow or abnormal network performance.
3> Websites, online stores or other services that are completely offline.
Modern software solutions can help identify potential threats. Network security and monitoring services can alert you to system changes so you can respond quickly.

You also need to develop a DDoS attack action plan (with clear roles and procedures) so that the team can take swift and decisive action against these threats. It's important to remember that not all DDoS attacks are the same; different response protocols need to be developed to mitigate different attacks.

3: Prevention and Protection
Prevention
Before discovering cyber threats, it is necessary to formulate a response process. Preparedness is key to detecting and responding to attacks in a timely manner.

The following actions are required:

1> Develop a denial-of-service defense strategy to help detect, prevent and reduce DDoS attacks.
2> Identify security gaps and assess potential threats against the setup.
3> Update any protective software or technology and make sure it is working properly.
4> Form the relevant teams and assign roles for responding to attacks.
Be sure to further enhance security with products, processes, and services that help secure your business. This way, if a threat is detected, the team has the knowledge and the ability to take action.
Protection
Protection guards the network against future attacks. To help protect your business, do the following:

1> Conduct risk analysis on a regular basis to understand which parts of the organization require threat protection.
2> Establish a DDoS attack response team responsible for identifying and mitigating attacks.
3> Incorporate detection and prevention tools into your online operations and educate users on what to look out for.
4> Assess the effectiveness of defense strategies (including conducting exercises) and determine follow-up actions.
DDoS attack protection comes in many forms, from online resources to monitoring software to threat detection tools. Learn how to stop malicious attacks with help from industry-leading and trusted Microsoft security experts.

4: Specific case analysis
1> DDoS attack (SYN Flood)
The client keeps sending TCP SYN packets but never replies with the ACK of the third handshake step, so a large number of connections pile up in the SYN_RECV state on the server side.
To view the maximum SYN queue (half-open, or "semi-connection", queue) size:
cat /proc/sys/net/ipv4/tcp_max_syn_backlog
or: sysctl -a | grep max_syn
To view the current half-open queue size on the system:
ss -s

Check: ss -antp | grep SYN-RECV | wc -l
If the count returned is relatively large, for example 256, run netstat -s | grep "SYNs to LISTEN" at intervals to check the cumulative value.
If that cumulative value keeps increasing, the SYN queue is full.
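The half-open connection triage above, as an added shell example that is not part of the original post: it counts SYN-RECV sockets in `ss -ant` output, ranks the peer addresses behind them, and exits non-zero below a threshold so it can drive an alert. The sample `ss` output and its addresses (RFC 5737 documentation ranges) are constructed; the default threshold of 256 is the figure used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): triage the SYN-RECV backlog
# from `ss -ant` output. Pipe live output in, or use the constructed sample.

# Constructed sample of `ss -ant` output; addresses are documentation ranges.
sample_ss_output() {
    cat <<'EOF'
State    Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB    0      0      10.0.0.5:80         198.51.100.20:44120
SYN-RECV 0      0      10.0.0.5:80         203.0.113.7:51234
SYN-RECV 0      0      10.0.0.5:80         203.0.113.7:51235
SYN-RECV 0      0      10.0.0.5:80         203.0.113.7:51236
SYN-RECV 0      0      10.0.0.5:443        203.0.113.9:40001
LISTEN   0      128    0.0.0.0:22          0.0.0.0:*
EOF
}

# Count sockets in SYN-RECV (half-open connections) from ss output on stdin.
count_syn_recv() {
    awk '$1 == "SYN-RECV" { n++ } END { print n + 0 }'
}

# Peer IPs with the most half-open connections, one "count ip" per line,
# highest first. Strips the ":port" suffix (IPv4 form, as in the sample).
top_syn_sources() {
    awk '$1 == "SYN-RECV" { sub(/:[0-9]+$/, "", $5); print $5 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Exit 0 when the half-open count is at or above the threshold (default 256,
# the figure used in the post), so the check can be wired into cron/monitoring.
syn_recv_alarm() {
    threshold=${1:-256}
    n=$(count_syn_recv)
    [ "$n" -ge "$threshold" ]
}

# Usage on a live host:
#   ss -ant | top_syn_sources | head
#   ss -ant | syn_recv_alarm 256 && logger "SYN backlog pressure"
```

A single peer dominating `top_syn_sources` while the `SYNs to LISTEN` counter climbs is the pattern the post describes; spoofed floods instead show many sources with one or two half-open sockets each, which is why the per-source ranking and the total are both worth watching.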

Defense
The kernel applies three rules when limiting the half-open connection queue:
1. If the half-open queue is full and tcp_syncookies is not enabled, the SYN is discarded.
2. If the full connection (accept) queue is full and there is more than one connection that has not yet retransmitted SYN+ACK, the SYN is discarded.
3. If tcp_syncookies is not enabled and max_syn_backlog minus the current length of the half-open queue is less than a certain value (sysctl_max_syn_backlog >> 2), the SYN is discarded.

1: cat /proc/sys/net/ipv4/tcp_syncookies # check whether it is enabled
The default value of tcp_syncookies in this proc file is 1, meaning that when a socket's SYN backlog queue overflows, the SYN cookies mechanism is enabled to resist SYN flood attacks. If tcp_syncookies is set to 2, SYN cookies are enabled unconditionally.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

2: How to increase the half-open connection queue

Check: cat /proc/sys/net/ipv4/tcp_max_syn_backlog # the default is generally 128 or 256 (Ubuntu 18); it is recommended to raise it to 1024 or above

Check: cat /proc/sys/net/core/somaxconn # 4096 is already available

3: Reduce the number of SYN+ACK retransmissions.
The default is 5, which can be changed to 1:
echo 1 > /proc/sys/net/ipv4/tcp_synack_retries
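The three tuning steps above, as one added shell example that is not part of the original post: it renders the settings as a persistent sysctl drop-in (writing to /proc with echo is lost at reboot), writes it to a path of your choice, and audits a running kernel against it. The drop-in path /etc/sysctl.d/99-syn-flood.conf is an assumption; the values are the ones given in the post.

```shell
#!/bin/sh
# Added example (not from the original post): persist the tuning steps above
# as a sysctl drop-in and audit a running kernel against it. The file path is
# an assumption; the values are the ones given in the post.

# Print the drop-in. Kept in a function so it can be reviewed or diffed first.
render_syn_flood_sysctl() {
    cat <<'EOF'
# SYN flood hardening; values from the post, tune to your traffic profile.
# 1 = send SYN cookies once the SYN backlog overflows, 2 = always send them.
net.ipv4.tcp_syncookies = 1
# Half-open (SYN_RECV) queue size; defaults are often 128 or 256.
net.ipv4.tcp_max_syn_backlog = 1024
# Accept-queue cap for listen(); 4096 is a common modern default.
net.core.somaxconn = 4096
# SYN+ACK retransmissions for half-open connections; the kernel default is 5.
net.ipv4.tcp_synack_retries = 1
EOF
}

# Write the drop-in to $1 (the default path is an assumption).
write_syn_flood_sysctl() {
    target=${1:-/etc/sysctl.d/99-syn-flood.conf}
    render_syn_flood_sysctl > "$target" && echo "wrote $target"
}

# Compare every key in the drop-in with the live value under /proc/sys.
# $1 overrides the proc root so the audit can run against a test tree.
# Returns 0 when all values match, 1 otherwise.
audit_syn_flood_sysctl() {
    root=${1:-/proc/sys}
    render_syn_flood_sysctl | grep '^net\.' | sed 's/ *= */ /' |
    (
        rc=0
        while read -r key want; do
            # net.ipv4.tcp_syncookies -> $root/net/ipv4/tcp_syncookies
            file="$root/$(printf '%s' "$key" | tr . /)"
            have=$(cat "$file" 2>/dev/null || echo missing)
            if [ "$have" = "$want" ]; then
                echo "ok       $key = $have"
            else
                echo "MISMATCH $key: want $want, have $have"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# Usage (as root):
#   write_syn_flood_sysctl && sysctl --system && audit_syn_flood_sysctl
```

`sysctl --system` loads every drop-in under /etc/sysctl.d in name order, so a later file can silently override these keys; the audit function catches that, and is also the quick way to confirm the live kernel matches policy after a reboot.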

4: Use iptables
1> Block the attacker's IP
netstat -an | grep ":port" | grep ESTABLISHED
to check which IPs are suspicious. For example, xxx.xxx.xxx.xxx has many connections and is very suspicious, and it connects to xxx.xxx.xxx.xxx again. You can use:
iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp -j DROP
2> Prevent SYN flood
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
--limit 1/s limits SYN packets to one per second; modify it according to your own needs to prevent various port scans.

Ping flood (Ping of Death)
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
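The iptables rules above, as an added shell example that is not part of the original post. Two points a practitioner would want: a rate-limited ACCEPT on its own does nothing unless the chain policy is DROP (packets over the limit simply fall through to whatever comes next), so each limit is paired with an explicit DROP here; and FORWARD only sees routed traffic, so the host's own services need the same rule on INPUT. The functions render an iptables-restore fragment instead of applying rules directly, so the result can be reviewed and syntax-checked first. The rate 1/s is the post's value, the burst of 5 is the limit module's own default, the chain name SYN_LIMIT is an assumption, and the sample address is from a documentation range.

```shell
#!/bin/sh
# Added example (not from the original post): render the post's iptables
# rate-limit and block rules as an iptables-restore fragment. Rendering rather
# than applying lets the rules be reviewed, version-controlled and tested.

# Emit the SYN and ICMP echo rate limits. $1 = rate (default 1/s, the value
# used in the post), $2 = burst (default 5, the limit module's own default).
render_ddos_rules() {
    rate=${1:-1/s}
    burst=${2:-5}
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_LIMIT - [0:0]
# New connections (SYN only) go through the SYN_LIMIT chain. FORWARD only
# matters when this host routes for others; INPUT protects its own services.
-A INPUT -p tcp --syn -j SYN_LIMIT
-A FORWARD -p tcp --syn -j SYN_LIMIT
# Under the rate: RETURN to the calling chain for normal evaluation.
-A SYN_LIMIT -m limit --limit $rate --limit-burst $burst -j RETURN
# Over the rate: drop, otherwise the limit rule is decorative.
-A SYN_LIMIT -j DROP
# Ping flood: the same accept-then-drop pair for ICMP echo requests.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit $rate -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
COMMIT
EOF
}

# Emit a block rule for one suspicious source, validating the IPv4/CIDR form
# first so a typo or a pasted string never reaches the firewall.
render_block_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || {
        echo "render_block_ip: not an IPv4 address: $1" >&2
        return 1
    }
    printf '%s\n' "-A INPUT -s $1 -p tcp -j DROP"
}

# Usage:
#   render_ddos_rules 1/s 5 > /tmp/ddos.rules
#   iptables-restore --test /tmp/ddos.rules   # syntax check before loading
```

Loading the fragment with plain `iptables-restore` replaces the whole filter table, so merge it into the existing ruleset (or load with `--noflush`) rather than applying it standalone on a host that already has a firewall. One SYN per second is far too low for any real web server; the rate argument exists so the figure can be raised to what normal traffic needs.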

5: Use tools
Use DDoS deflate to automatically block attacking IPs.
DDoS deflate is a free script for defending against and mitigating DDoS attacks. It uses netstat to monitor and track the IP addresses that create a large number of network connections.
When it detects that a host exceeds the preset limit, the script bans or blocks those IPs through APF or iptables.
DDoS deflate official website: http://deflate.medialayer.com/

6: Simulation tool
hping3 is a command-line-oriented open source tool for assembling and analyzing TCP/IP packets.
sudo apt install hping3 # installation
After installation, the command's usage can also be viewed.
Common uses are port scanning, source address spoofing and flood attacks.
The hping3 parameters are as follows:
-h / --help: display help
-v / --version: display version
-c / --count: number of packets to send
-i / --interval: interval between packets (uX means X microseconds, for example -i u1000)
--fast: equivalent to -i u1000 (10 packets per second)
--faster: equivalent to -i u100 (100 packets per second)
--flood: send packets as fast as possible, without displaying replies
-n / --numeric: numeric output, do not resolve host addresses to names
-q / --quiet: quiet mode, display only the final statistics
-I (capital i) / --interface: specify the network interface to use (default: the routing interface)
-V / --verbose: verbose mode
-D / --debug: debugging information
-z / --bind: bind the Ctrl+Z key combination to the TTL value of sent packets; each press increases the TTL by 1
-Z / --unbind: unbind the Ctrl+Z key
--beep: beep for each matching packet received
...
DoS attack: hping3 -q --rand-source --id 0 --icmp -d 56 --flood xxx.xxx.xxx.xxx
hping3 -c 10000 -d 120 -S -w 64 -p 80 --flood --rand-source <IP address or domain name>
-q: use quiet mode
--rand-source: spoof random source addresses
-d 56: size of each packet sent to the destination host
--id 0: ID value 0
--icmp: send ICMP packets
--flood: flood mode
-c 10000: number of packets to send
-S: send only SYN packets
-w 64: TCP window size
-p 80: port number


Origin blog.csdn.net/yunteng521/article/details/130860908