[Cloud Computing Network Security] Analysis of DDoS attacks: working principles, identification and defense strategies | Book giveaway at the end of the article


1. Introduction

In today's digital age of cloud computing, cybersecurity issues have become increasingly important. Among the network security issues involved in cloud computing, one of the most common threats is the distributed denial-of-service (DDoS) attack. A DDoS attack floods a target server or network with large-scale network traffic in order to disrupt normal online services. Understanding how DDoS attacks work, and how to identify and protect against them, is critical to keeping your network and servers stable.

In this article, we will delve into each aspect of DDoS attacks, starting with what a DDoS attack is, how it works, and how to identify the various types of DDoS attack. We will also cover some common DDoS attack types, including application layer attacks and protocol attacks, along with examples of each. In addition, we will discuss how to protect yourself from DDoS attacks, including defense methods such as blackhole routing, rate limiting, web application firewalls, and Anycast network diffusion.

By having an in-depth understanding of DDoS attacks and response strategies, we can better prepare and protect our network resources and ensure their stability and availability. Let's start this journey of exploration about DDoS attacks.

2. What is a DDoS attack?

A distributed denial-of-service (DDoS) attack is a malicious behavior that floods a target server or its surrounding infrastructure with large-scale Internet traffic and is designed to disrupt the normal operation of the target server, service, or network.

A DDoS attack uses many compromised computer systems as the sources of its attack traffic. These systems can include ordinary computers as well as other networked resources such as IoT devices.

A simple way to picture it: a DDoS attack is like a traffic jam on a highway, which prevents normal vehicles from reaching their destination.


3. How DDoS attacks work

DDoS attacks are carried out using networks of Internet-connected machines. These networks consist of computers and other devices (such as IoT devices) that have been infected with malware which lets the attacker control them remotely. Each infected device is called a "bot", and a collection of them constitutes a "botnet".

Once a botnet is established, an attacker can launch an attack by sending remote commands to each bot. When a botnet targets a victim's server or network, each bot sends requests to the target's IP address, which can overwhelm the server or network and deny service to normal traffic.

Given that every bot is a legitimate Internet device, it can be difficult to distinguish attack traffic from normal traffic.

4. How to identify DDoS attacks

One of the most obvious signs of a DDoS attack is a sudden slowdown or unavailability of a website or service. However, similar performance issues can have multiple causes (such as a surge in legitimate traffic) and often require further investigation. Traffic analysis tools can help you identify some of the distinguishing characteristics of DDoS attacks:

  1. Suspicious traffic from a single IP address or range of IPs.
  2. A large amount of traffic from users who share the same behavioral characteristics, such as device type, geographic location, or web browser version.
  3. An unexplained spike in the number of requests to a single page or endpoint.
  4. Unusual traffic patterns, such as surges during unusual time periods or patterns that appear unnatural (for example, a surge every 10 minutes).

Additionally, the specific characteristics of a DDoS attack vary depending on the type of attack.
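The first three indicators above can be checked directly against a web server's access log. The following added example (not code from the original post) parses constructed log lines and flags a dominant source /24, a dominant user agent, and a dominant endpoint; the log format, addresses and the "BotTool/1.0" user agent are all constructed for the illustration.

```python
# Added example: scan constructed access-log lines for three DDoS indicators
# from the text: one source range, one shared user agent, one hot endpoint.
import re
from collections import Counter

# Constructed sample log (documentation-range addresses) in the shape
# 'ip [time] "METHOD path" user-agent'. Five lines mimic a flood, three are normal.
SAMPLE_LOG = """\
203.0.113.10 [12:00:01] "GET /login" BotTool/1.0
203.0.113.11 [12:00:01] "GET /login" BotTool/1.0
203.0.113.12 [12:00:02] "GET /login" BotTool/1.0
203.0.113.13 [12:00:02] "GET /login" BotTool/1.0
203.0.113.14 [12:00:03] "GET /login" BotTool/1.0
198.51.100.7 [12:00:02] "GET /" Mozilla/5.0
198.51.100.8 [12:00:03] "GET /products" Mozilla/5.0
192.0.2.44 [12:00:03] "GET /" Mozilla/5.0
"""

LINE_RE = re.compile(r'^(\S+) \[(\S+)\] "(\S+) (\S+)" (.+)$')

def parse_log(text):
    """Turn each line into a tuple (ip, time, method, path, user_agent); skip malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries

def prefix24(ip):
    """Collapse an IPv4 address to its /24 so a small attacking range counts as one source."""
    return ".".join(ip.split(".")[:3]) + ".0/24"

def dominant(values, threshold):
    """Return (value, share) when one value exceeds `threshold` of all samples, else None."""
    if not values:
        return None
    value, count = Counter(values).most_common(1)[0]
    share = count / len(values)
    return (value, share) if share > threshold else None

def find_indicators(entries, threshold=0.5):
    """Apply the three checks; a key is present only when its check fires."""
    hits = {}
    for name, key in (("source_range", lambda e: prefix24(e[0])),
                      ("shared_user_agent", lambda e: e[4]),
                      ("single_endpoint", lambda e: e[3])):
        found = dominant([key(e) for e in entries], threshold)
        if found:
            hits[name] = found
    return hits
```

The threshold is deliberately a parameter: a legitimate product launch also concentrates requests on one page, so a single indicator is a prompt for investigation rather than proof of an attack.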

5. What are the common types of DDoS attacks?

Different types of DDoS attacks target different network connectivity components. In order to understand how different DDoS attacks work, it is necessary to know how network connections are established.

Network connections on the Internet are made up of many different components, or "layers." Just as each step in building a house starts from the foundation, each layer in the model serves a different purpose.

The OSI model (shown in the figure below) is a conceptual framework that describes seven different levels of network connectivity.

[Figure: the seven layers of the OSI model]

Almost all DDoS attacks involve flooding the target device or network with traffic. The attacker may use one or more different attack methods, or may cycle through multiple attack methods depending on the defensive measures taken by the target.

In summary, DDoS attacks can be divided into three categories:

5.1 Application layer attacks

5.1.1 Attack target

This type of attack is sometimes called a layer 7 DDoS attack (referring to layer 7 of the OSI model), and its goal is to exhaust the target's resources.

The attack targets the server layer that generates web pages and returns them in response to HTTP requests. Issuing an HTTP request is computationally cheap for the client, but answering it can be very expensive for the target server, which often has to load multiple files and run database queries to build the page.

Layer 7 attacks are difficult to defend against because it is difficult to distinguish between malicious and legitimate traffic.

5.1.2 Application layer attack examples

[Figure: application layer attack examples]

5.1.3 HTTP Flood

An HTTP flood attack is similar to pressing refresh again and again in a web browser on a large number of different computers at the same time - a flood of HTTP requests floods the server, causing a denial of service.

Attacks of this type range from simple to complex.

Simpler implementations request a single URL from the same range of attacking IP addresses with the same referrer and user agent. Sophisticated versions may use a large number of attacking IP addresses, randomize the referrer and user agent, and target random URLs.

5.2 Protocol Attacks

5.2.1 Attack target

Protocol attacks, also known as state exhaustion attacks, cause service disruption by excessively consuming server resources and/or network device resources such as firewalls and load balancers.

Protocol attacks exploit weaknesses in Layers 3 and 4 of the protocol stack to render the target inaccessible.

5.2.2 Examples of Protocol Attacks

[Figure: protocol attack examples]

5.2.3 SYN Flood

A SYN flood is like a stockroom worker taking requests from a store counter.

The worker receives a request, goes to fetch the package, and waits for confirmation before bringing it to the counter. If the worker receives so many package requests that are never confirmed, they become overwhelmed, no further packages can be processed, and no one is left to respond to new requests.

This type of attack exploits the TCP handshake (the series of communications that occurs when two computers initiate a network connection) by sending a large number of TCP "Initial Connection Request" SYN packets with spoofed source IP addresses to the target.

The target computer responds to each connection request and then waits for the final step in the handshake, which never happens, thus exhausting the target's resources in the process.

5.3 Volumetric (bandwidth exhaustion) attacks

5.3.1 Attack target

This type of attack attempts to cause congestion by consuming all available bandwidth between the target and the larger Internet. The attack uses some kind of amplification attack or other means of generating large amounts of traffic (such as botnet requests) to send large amounts of data to the target.

5.3.2 Attack example

[Figure: volumetric attack examples]

5.3.3 DNS amplification

DNS amplification is like someone calling a restaurant and saying "order one of each dish, please call me back to go over the entire order" when the callback number provided actually belongs to the victim. A long response can be generated and sent to the victim with almost no effort.

The attacker sends requests to an open DNS server with the source IP address spoofed to the victim's; the server then sends its much larger responses to the victim's IP address.

6. How to protect against DDoS attacks?

To mitigate DDoS attacks, the key is to distinguish attack traffic from normal traffic.

For example, if your company's website is flooded with enthusiastic customers because of a product launch, it would be a mistake to completely cut off traffic. If a company receives a sudden surge in traffic from a known malicious user, it may need to work to mitigate the attack.

The difficulty lies in distinguishing real customer traffic from attack traffic.

DDoS traffic appears in many forms on the modern Internet. Attack traffic varies widely, ranging from non-spoofed single-source attacks to complex, adaptive multi-vector attacks.

Multi-faceted DDoS attacks employ a variety of attack methods in order to defeat the target in different ways, potentially distracting mitigation efforts at all levels.

A typical example of a multi-faceted DDoS attack is a simultaneous attack on multiple layers of the protocol stack, such as DNS amplification (for layer 3/4) plus HTTP flooding (for layer 7).

To protect against multi-faceted DDoS attacks, multiple different strategies need to be deployed to mitigate attacks at different levels.

Generally speaking, the more complex the attack, the more difficult it is to distinguish attack traffic from normal traffic - the attacker's goal is to blend in as much normal traffic as possible, thereby minimizing the effectiveness of the mitigation.

If mitigations drop or throttle traffic indiscriminately, good traffic is likely to be dropped along with attack traffic, and the attacker may adapt the attack to evade the mitigation. To counter such complex attacks, a layered solution works best.

6.1 Black hole routing

There's a solution that applies to nearly all network administrators: create a blackhole route and funnel traffic into that route. In its simplest form, when blackhole filtering is implemented without specific constraints, both legitimate and malicious network traffic is routed to null routes or blackholes and dropped from the network.

If an Internet device is subject to a DDoS attack, the device's Internet Service Provider (ISP) may send all of the site's traffic into a black hole as a defense. This is not an ideal solution, as it amounts to allowing the attacker to achieve what they intended: making the network inaccessible.

6.2 Rate Limiting

Limiting the number of requests a server receives during a certain period of time is also a way to protect against denial-of-service attacks.

While rate limiting is helpful in slowing down content theft by web crawlers and protecting against brute force attacks, rate limiting alone may not be sufficient to effectively combat sophisticated DDoS attacks.

However, rate limiting can still be a useful component of a broader DDoS protection strategy.

6.3 Web Application Firewall

A web application firewall (WAF) is an effective tool that helps mitigate layer 7 DDoS attacks. After a WAF is deployed between the Internet and the origin site, the WAF can act as a reverse proxy, protecting the target server from specific types of malicious traffic.

Layer 7 attacks can be blocked by filtering requests based on a set of rules designed to identify DDoS tools. A key value of an effective WAF is the ability to quickly implement custom rules in response to attacks.
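As an added example of the layered approach the sections above describe (not code from the original post), the following request filter applies a WAF-style signature rule first and then a per-client sliding-window rate limit. The user-agent markers, addresses and limits are constructed for illustration.

```python
# Added example: a minimal layered layer-7 filter. A cheap WAF signature check
# runs first; requests that pass it are then subject to a per-client rate limit.
from collections import deque, defaultdict

# Constructed WAF rule: user-agent substrings this hypothetical deployment has
# seen from flood tooling. Real rules would be tuned from observed attack traffic.
BLOCKED_UA_MARKERS = ("BotTool", "FloodGen")

class SlidingWindowLimiter:
    """Allow at most `limit` accepted requests per client within any `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.history = defaultdict(deque)   # client -> timestamps of accepted requests

    def allow(self, client, now):
        q = self.history[client]
        while q and now - q[0] >= self.window:   # forget requests outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

class LayeredFilter:
    def __init__(self, limit=5, window=10.0):
        self.limiter = SlidingWindowLimiter(limit, window)

    def decide(self, ip, user_agent, now):
        """Return 'waf_block', 'rate_limited' or 'allow' for one request."""
        if any(marker in user_agent for marker in BLOCKED_UA_MARKERS):
            return "waf_block"                  # signature match: never counted toward rate
        if not self.limiter.allow(ip, now):
            return "rate_limited"
        return "allow"

def run_sample():
    """Constructed traffic: one tool-tagged client, one aggressive client, one normal client."""
    f = LayeredFilter(limit=3, window=10.0)
    decisions = [f.decide("203.0.113.5", "FloodGen/2.1", 0.0)]
    for t in range(5):                          # 5 requests in 5 seconds from one IP
        decisions.append(f.decide("198.51.100.9", "Mozilla/5.0", float(t)))
    decisions.append(f.decide("192.0.2.3", "Mozilla/5.0", 2.0))
    decisions.append(f.decide("198.51.100.9", "Mozilla/5.0", 11.0))  # window has slid
    return decisions
```

Only accepted requests are recorded in the window, so a client that keeps hammering the server does not extend its own lockout indefinitely; whether that is the right policy depends on the deployment.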

6.4 Anycast network diffusion

This type of mitigation uses an Anycast network to spread attack traffic across a distributed network of servers so that the network as a whole absorbs it.

This approach is like channeling a fast-flowing river into several independent small channels, dispersing the impact of distributed attack traffic to a manageable level, thereby spreading the destructive power.

The reliability of the Anycast network in mitigating DDoS attacks depends on the scale of the attack as well as the size and efficiency of the network. Adopting an Anycast distributed network is an important part of implementing a DDoS protection strategy.

7. Book giveaway: "Building a Cyberspace Security System under a New Network Form"

This article has introduced DDoS attacks in cloud network security: their working principles, identification and defense strategies. If you want to learn more, you can read the book recommended by the blogger below.

  • Participation method: follow the blogger and leave a message in the comment area to participate.

  • Quantity to be given out: 5 copies will be sent to fans tentatively (3 copies will be drawn from the blog post + 2 copies will be drawn from the fan group)

After more than 30 years of development, security has penetrated into all aspects of informatization, forming a huge industry and complex theory, technology and product system.

Therefore, we need to view the relationship between security and networks from the perspective of cyberspace, the relationship between security manufacturers and customers from the perspective of the security industry, and the relationship between security system design and security system construction from the perspective of enterprises.

This is an in-depth deconstruction and reconstruction of the security industry, with cyberspace as the framework, thinking as the knife, security products and technologies as the blade, and enterprise security system construction as the ox to be carved.


If you are an investor , you can see here the driving force for the development of the entire industry, the development trends of security technology and manufacturers, the characteristics of outstanding security manufacturers and technologies in the future, and the landscape of manufacturers and technology in the next ten years.

If you are a customer, you can find a reasonable logic that ties together dozens of security standards and theories, hundreds of security vendors, and thousands of products and solutions, so that security construction becomes rational, well-founded, and orderly.

If you are a security practitioner , due to the focus of your daily work, you may have in-depth research on a certain point of security, but you still lack a complete understanding of the entire security system. For example, those who write anti-virus engines may not have the opportunity to analyze viruses; those who write client programs may not understand server-side technology. Here, you can systematically understand what security is, what security has, how to do security, and how security will develop in the future.

If you are a security enthusiast , there are still a lot of basic security knowledge and interesting security stories waiting for you to discover.

Here, security is no longer a pile of spare parts but a complete organism. You can understand security from a chosen perspective, from far to near and from outside to inside, and then control it better.


Origin blog.csdn.net/dietime1943/article/details/132737853