What is an ACK flood attack? How to defend against it?

An ACK flood attack relies on the fact that, once a TCP connection is established, every segment transmitted on it carries the ACK flag: the attacker sends a large volume of TCP packets with the ACK flag set, so the attack traffic looks like ordinary post-handshake traffic.

When the receiving end gets a packet with the ACK flag set, it must first check whether the connection identified by the packet's four-tuple (source IP, source port, destination IP, destination port) exists; if it does, it checks whether the packet is legal for the connection's current state, and only then passes the packet up to the application layer.

If the check fails, for example because no such connection exists or the destination port is not open, the operating system's protocol stack responds with a RST packet to tell the sender that there is no such connection.

The load on the host and firewall only changes noticeably when the attack program sends ACK packets at a sufficiently high rate. At a very high packet rate the host operating system spends most of its time receiving packets, checking connection state and sending RST replies, so legitimate packets may not be processed in time. From the client's point of view (a browser such as IE, for example) pages load very slowly and packet loss is high. This is the ACK flood.

For every such packet the server has to do two things: look up the connection table and respond with an ACK or a RST.
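The receiver-side processing described above, as an added illustration that is not code from the original post: a simplified model of a TCP stack that looks up the four-tuple, checks the connection state, and then delivers the segment or answers with a RST. Segment, Connection, TcpStack and the work counters are assumptions made for this example; a real stack (Linux, Windows) has many more states and checks, and the counters only stand in for the CPU time the text talks about.

```python
"""Model of how a receiving TCP stack handles ACK-flagged segments.

Added illustration, not code from the original post. Segment, Connection and
TcpStack are simplified models written for this example.
"""
import random
from collections import Counter
from dataclasses import dataclass, field

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int
    seq: int = 0
    ack: int = 0

    @property
    def four_tuple(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)


@dataclass
class Connection:
    state: str      # e.g. "ESTABLISHED"
    rcv_nxt: int    # next sequence number expected from the peer
    snd_una: int    # oldest byte we sent that is not yet acknowledged
    snd_nxt: int    # next sequence number we will send


@dataclass
class TcpStack:
    listening: set                                  # local ports with a listener
    table: dict = field(default_factory=dict)       # four-tuple -> Connection
    work: Counter = field(default_factory=Counter)  # what each segment cost the stack

    def handle_ack(self, seg: Segment) -> str:
        """Return what the stack does with an ACK-flagged segment."""
        assert seg.flags & ACK
        # Step 1: does the four-tuple exist? Every segment costs one table lookup.
        self.work["lookups"] += 1
        conn = self.table.get(seg.four_tuple)
        if conn is None:
            # No connection. RFC 793 answers with a RST whether the port is listening
            # (LISTEN state) or closed, so every forged ACK also costs a reply packet.
            kind = "rst_closed_port" if seg.dst_port not in self.listening else "rst_no_conn"
            self.work[kind] += 1
            return "RST"
        # Step 2: is the segment legal for the connection's current state?
        # (Exact-match window checks are a simplification of the real rules.)
        if conn.state != "ESTABLISHED" or seg.seq != conn.rcv_nxt \
                or not (conn.snd_una <= seg.ack <= conn.snd_nxt):
            self.work["dropped"] += 1
            return "DROP"
        # Step 3: pass the segment up to the application layer.
        self.work["delivered"] += 1
        return "DELIVER"


def simulate_flood(n_attack: int, seed: int = 1) -> Counter:
    """One real connection plus n_attack forged ACKs from random sources (constructed traffic)."""
    stack = TcpStack(listening={80})
    real = Segment("198.51.100.7", 40001, "203.0.113.10", 80, ACK, seq=1001, ack=5001)
    stack.table[real.four_tuple] = Connection("ESTABLISHED", rcv_nxt=1001, snd_una=5000, snd_nxt=5001)
    stack.handle_ack(real)
    rng = random.Random(seed)
    for _ in range(n_attack):
        src = f"192.0.2.{rng.randrange(1, 255)}"
        port = 80 if rng.random() < 0.5 else 8080   # half hit the open port, half a closed one
        stack.handle_ack(Segment(src, rng.randrange(1024, 65536), "203.0.113.10", port,
                                 ACK, rng.randrange(2 ** 32), rng.randrange(2 ** 32)))
    return stack.work


if __name__ == "__main__":
    print(simulate_flood(10_000))
```

The counters make the cost visible: the one real segment is delivered, while every forged ACK costs a lookup plus a RST reply regardless of whether the port is open, which is why the text says the server does "two actions" per packet.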

This attack has less impact on the server than a SYN flood (a SYN flood ties up connection state), so an ACK flood has to rely on high-volume traffic to hurt the server.

By the design of the TCP protocol stack, ACK packets from random source IPs should be rejected quickly, because the server's TCP stack holds no state for them.

In practice, however, some TCP services turn out to be quite sensitive to ACK floods.

For Apache or IIS, an ACK flood of tens of kpps poses no threat, but at higher rates the network card stops responding because of the high interrupt frequency and heavy load.

A JSP server, on the other hand, struggles to handle normal connection requests even under a small number of ACK packets.

So an ACK flood not only endangers network devices such as routers, it also has a serious impact on the applications running on servers.

Attack harm
Attackers use botnets to send large numbers of ACK packets, which causes three kinds of harm:

1. An ACK flood (An-031217) attack with large payloads causes link congestion.

2. When the attack packets reach the server, its processing capacity is exhausted and normal service is denied.

3. An extremely high-rate ACK flood (An-031217) with varying source addresses and ports easily degrades the forwarding performance of devices that rely on session-based forwarding, and can even paralyze the network.

Defense principle
The anti-DDoS device counts the rate of ACK packets per destination address and, when the rate exceeds a threshold, starts source authentication for that destination.

The source authentication process is shown in the figure:

Note
1. ACK protection is only started once the attack traffic reaches the threshold.

2. A genuine ACK that is dropped is retransmitted and, in the end, the client re-initiates the connection; at that point the source passes the SYN verification algorithm and is added to the trusted whitelist.

3. A forged ACK is discarded directly because the session table lookup finds no matching session.
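The defense principle and the three notes above, as an added example that is not code from the original post or from any vendor's anti-DDoS device: a model of the scrubbing device that counts ACK packets per destination address, switches that destination to source authentication once the threshold is crossed, and then forwards only ACKs that match the session table or come from whitelisted sources, challenges new SYNs with a cookie sequence number (one possible SYN verification algorithm; the post does not say which one is used), and discards everything else. Pkt, AckFloodScrubber, the 1000 pps threshold, the one-second counting window, the HMAC cookie and all traffic are assumptions constructed for this example; a real device also ages entries out, which this model does not.

```python
"""Model of the ACK-flood defence described in the post (added example,
not vendor code): per-destination rate threshold, then source authentication
with a session table, a whitelist and cookie-based SYN verification."""
import hashlib
import hmac
import random
from collections import Counter, defaultdict
from dataclasses import dataclass

SYN, RST, ACK = 0x02, 0x04, 0x10
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int
    seq: int = 0
    ack: int = 0

    @property
    def four_tuple(self):
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port)


class AckFloodScrubber:
    def __init__(self, threshold_pps: int, secret: bytes):
        self.threshold, self.secret = threshold_pps, secret
        self.pending = set()            # four-tuples whose SYN we forwarded
        self.sessions = set()           # four-tuples whose handshake completed through us
        self.whitelist = set()          # source IPs that passed SYN verification
        self.protected = set()          # destination IPs currently under ACK protection
        self.counts = defaultdict(int)  # (dst_ip, second) -> ACK packets seen

    def challenge_seq(self, p: Pkt) -> int:
        """Sequence number of the SYN-ACK we answer a SYN with (assumed HMAC cookie, stateless)."""
        msg = f"{p.src_ip}:{p.src_port}->{p.dst_ip}:{p.dst_port}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def _learn(self, p: Pkt) -> None:
        """Build the session table from handshakes that pass through the device."""
        if p.flags & SYN and not p.flags & ACK:
            self.pending.add(p.four_tuple)
        elif p.flags & ACK and p.four_tuple in self.pending:
            self.pending.discard(p.four_tuple)
            self.sessions.add(p.four_tuple)

    def handle(self, p: Pkt, now: float) -> str:
        ack_only = bool(p.flags & ACK) and not p.flags & SYN
        if ack_only:  # defence principle: count ACKs per destination address
            key = (p.dst_ip, int(now))
            self.counts[key] += 1
            if self.counts[key] > self.threshold:
                self.protected.add(p.dst_ip)          # note 1: protection starts at the threshold
        if p.dst_ip not in self.protected:
            self._learn(p)
            return "FORWARD"
        if p.four_tuple in self.sessions:             # note 3: matching session, genuine ACK
            return "FORWARD"
        if p.src_ip in self.whitelist:                # note 2: source already verified
            self._learn(p)
            return "FORWARD"
        if p.flags & SYN and not p.flags & ACK:       # SYN verification: answer with a cookie
            return "CHALLENGE"
        if ack_only and p.ack == (self.challenge_seq(p) + 1) & MASK32:
            self.whitelist.add(p.src_ip)              # correct cookie: real stack, trust it and
            return "RESET"                            # reset so the client reconnects (note 2)
        return "DROP"                                 # note 3: no session, no whitelist, forged


def run_demo() -> dict:
    """Constructed traffic: an existing session, a spoofed flood, a new genuine client."""
    dev, srv, out = AckFloodScrubber(1000, b"example-only-secret"), "203.0.113.10", {}
    old = ("198.51.100.7", 40001)                     # handshake before the attack
    dev.handle(Pkt(*old, srv, 80, SYN, seq=100), 0.0)
    dev.handle(Pkt(*old, srv, 80, ACK, seq=101, ack=501), 0.1)
    rng, flood = random.Random(7), Counter()          # 5000 spoofed ACKs within one second
    for i in range(5000):
        p = Pkt(f"192.0.2.{rng.randrange(1, 255)}", rng.randrange(1024, 65536), srv, 80,
                ACK, seq=rng.randrange(2 ** 32), ack=rng.randrange(2 ** 32))
        flood[dev.handle(p, 1.0 + i / 5000)] += 1
    out["protected"] = srv in dev.protected
    out["flood_forwarded"], out["flood_dropped"] = flood["FORWARD"], flood["DROP"]
    out["old_session"] = dev.handle(Pkt(*old, srv, 80, ACK, seq=101, ack=501), 1.5)
    new = ("198.51.100.9", 40002)                     # genuine client arriving mid-attack
    syn = Pkt(*new, srv, 80, SYN, seq=300)
    cookie = dev.challenge_seq(syn)                   # seq of the SYN-ACK the device sends back
    out["new_client"] = [
        dev.handle(syn, 1.6),
        dev.handle(Pkt(*new, srv, 80, ACK, seq=301, ack=(cookie + 1) & MASK32), 1.7),
        dev.handle(Pkt(*new, srv, 80, SYN, seq=400), 1.8),
        dev.handle(Pkt(*new, srv, 80, ACK, seq=401, ack=901), 1.9),
    ]
    out["new_whitelisted"] = new[0] in dev.whitelist
    out["new_session_known"] = (*new, srv, 80) in dev.sessions
    return out
```

In the demo the first 1000 flood packets pass because the threshold has not yet been reached (note 1), the rest are dropped by the session table check (note 3), the pre-existing session keeps flowing, and the new client is challenged, reset, whitelisted and finally forwarded when it reconnects (note 2). A genuine ACK for a session the device never saw the handshake of is dropped too, which is exactly the retransmit-then-reconnect path note 2 describes.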

Origin blog.csdn.net/fzy18757569631/article/details/131229660#comments_27147671