DDoS attack methods

DDoS attacks

Methods of DDoS attack

Attacks on network bandwidth resources

Network bandwidth resources can be the target of an attack. The aim is to exhaust the target's limited network bandwidth so that its Internet service stalls: once bandwidth becomes scarce, the service is unreachable or very slow to reach.

Direct attack

In a direct attack, the attacker uses a large number of controlled hosts to send a large volume of network packets straight to the target, consuming the target's network bandwidth and the data-processing capacity of its servers and network equipment, and thereby achieving denial of service. [Think of it as a flood or a human-wave assault.]

  • Direct attacks come in two main kinds: ICMP / IGMP flood attacks and UDP flood attacks.

ICMP / IGMP flood attack

The Internet Control Message Protocol (ICMP) is one of the core protocols of the TCP / IP suite; it carries control messages across the network, reporting the various problems that can arise in the communication environment.

The Internet Group Management Protocol (IGMP) is a communication protocol for managing the membership of Internet Protocol multicast groups.

An attacker uses controlled hosts to send a large number of ICMP or IGMP messages to the target, flooding it and consuming its network bandwidth. In the early days the cmd ping command could be used to send a large number of ICMP packets to a target host; when the packet size exceeded the target's network bandwidth limit (Fast Ethernet at the time) the target network would lag (the so-called "ping of death"). Today such attacks are almost ineffective, because the target can simply filter out the invalid packets.

UDP flood attack

The User Datagram Protocol (UDP) is an unreliable, connectionless transport protocol that does not require packets to arrive; it is mainly used for transmission tasks with smaller content.

A UDP flood attack sends UDP packets; its principle is almost the same as that of the ICMP / IGMP flood. In practice the attacker usually chooses either small-packet or large-packet UDP traffic to attack the target.

A small packet is a 64-byte packet, the minimum size of an Ethernet data frame. At the same traffic rate, the smaller the packet, the larger the number of packets; since switches, routers and other network equipment must check every packet, small UDP packets put the greatest packet-processing pressure on network devices, slowing their processing and causing transmission delays.

A large packet is one of 1500 bytes or more, which exceeds the Ethernet maximum transmission unit. A large-packet attack consumes network bandwidth to the greatest extent and forces the target to fragment and reassemble the received data, causing network congestion and slow service response.

Reflection and amplification attacks

ICMP and UDP flood attacks and other direct attacks consume the target's network bandwidth directly, but this attack method has great limitations: the source is very easy to find, even when the attacker forges its own IP address.

Reflection attacks (DRDoS) use routers, servers and other devices that respond to requests as reflectors, bouncing the attack traffic onto the target and hiding the source of the attack.

Reflection attacks

In a reflection attack, the attacker uses controlled hosts to send a large number of packets that are special in two ways: the destination IP address is that of a piece of network infrastructure acting as the reflector, and the source IP address is forged to be the target's address. When the reflector receives such a packet it treats it as a request from the target and sends its response to the target; when a large number of responses converge on the same target they consume its network bandwidth, achieving the DDoS.

The attack needs many "reflectors" on the Internet, and for some kinds of reflection attack that is not hard to find: for ACK reflection, any server on the Internet with an open TCP port will do.

Reflection attacks are connectionless (no handshake); if the protocol involved a handshake or authentication, the attack could not proceed past that step, so reflection attacks are generally built on UDP-based protocols.

An amplification attack is a special reflection attack in which the reflector amplifies the network traffic; such a reflector is called an amplifier.

ACK reflection attacks

A TCP connection requires a three-way handshake (SYN, SYN + ACK, ACK): during connection setup, when the server receives a SYN connection request it responds with an acknowledgment. An attacker can exploit this ACK response mechanism of the three-way handshake to carry out an ACK reflection attack.

The attacker sends SYN requests whose source IP address is forged to be the target's address; when the server responds to establish the TCP connection, it sends its SYN + ACK packet to the IP address in the request, so the ACK packet goes to the target host. When a large number of ACK packets return to the forged IP (i.e. the target host's IP), they congest the target's network bandwidth. Before the attack, the attacker scans the network for a large number of reflector addresses and sends the forged-source SYN request packets to them.

DNS amplification attacks

The Domain Name System (DNS) is a distributed database that maps domain names and IP addresses to each other, and it mainly uses the UDP protocol. A DNS response packet is usually larger than the query packet, so an attacker can use ordinary DNS queries to launch a reflection attack with amplification. The method is more effective when it uses EDNS0, the DNS extension mechanism defined in RFC-2671.

An attacker can use dig to launch an efficient EDNS0 DNS amplification attack: it sends a dig query to an open DNS resolver with the UDP payload size in the OPT RR field set to a large value such as 4096, and the source IP address forged to be the target's. Having received the request, the DNS resolver sends the resolution result to the target IP, delivering the attack.

NTP amplification attacks

The Network Time Protocol (NTP) synchronizes computer clocks: it keeps a computer in step with a clock source and improves timekeeping accuracy. NTP communicates on UDP port 123.

NTP servers typically implement the Mode 7 debug interface, whose monlist request returns the IP addresses of the last 600 clients that synchronized with the NTP server. This means a small request packet can trigger a large number of consecutive UDP response packets carrying those IP addresses.

Like ACK reflection and DNS amplification, an NTP amplification attack also requires a network scan to find a large number of NTP servers.

SNMP amplification attacks

The Simple Network Management Protocol (SNMP) is the most widely used network management protocol and communicates on UDP port 161; using the default SNMP community string and the GetBulk request, an attacker can carry out an SNMP amplification attack.

Because the SNMP service works well, the protocol is implemented in almost every network device, and many devices have the SNMP service enabled by default. They also adopt default SNMP community strings, which management programs need in order to obtain device information and modify its configuration; the most common default community strings are public and private, and many vendors have their own private defaults.

An SNMP get request can ask for several MIB objects, but the size of the response is limited by the device's processing capacity; if the device cannot return everything requested, it returns an error message. GetBulk was added later: it tells the device to return as much data as possible, so that a management program can retrieve a large chunk of information with a single request.

The attacker sends GetBulk requests to devices with SNMP enabled, using the default community string as the authentication credential and forging the source IP address to be the target's; after receiving the GetBulk request, the device sends the response packets to the forged source address, i.e. the target.
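The three amplification attacks above (DNS, NTP, SNMP) leave the same trace at the victim's network edge: responses from a service port with no outgoing request to match them. The following detector over flow records is an added example, not code from the original notes; the flow tuple format, sample flows and the 10,000-byte threshold are constructed assumptions.

```python
"""Spot reflected / amplified UDP traffic in flow records.

Added example, not from the original notes. It assumes flow tuples of the
form (src_ip, src_port, dst_ip, dst_port, packets, bytes), as a NetFlow or
IPFIX exporter at the victim's network edge would produce; the flows below
are constructed for illustration.
"""
from collections import defaultdict

# UDP services the notes describe as reflectors: DNS (53), NTP (123), SNMP (161)
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    # legitimate lookup: the host asks a resolver and gets a modest answer back
    ("203.0.113.10", 40001, "198.51.100.53", 53, 1, 80),
    ("198.51.100.53", 53, "203.0.113.10", 40001, 1, 300),
    # answers from NTP port 123 that the host never asked for (spoofed monlist)
    ("192.0.2.7", 123, "203.0.113.10", 50000, 100, 48200),
    ("192.0.2.8", 123, "203.0.113.10", 50000, 120, 57800),
    # GetBulk responses from SNMP port 161, again with no outgoing request
    ("192.0.2.20", 161, "203.0.113.10", 50001, 40, 60000),
]


def amplification_factor(request_bytes, response_bytes):
    """Bytes returned per byte sent; > 1 means the service amplifies."""
    return response_bytes / request_bytes if request_bytes else float("inf")


def find_reflection_victims(flows, min_bytes=10_000):
    """Return {victim_ip: {service: bytes}} for hosts that receive traffic
    from reflector service ports without a matching outgoing request.

    Seen from the victim's edge, spoofed requests never cross the exporter,
    so reflected answers show up as responses with no request. The same logic
    run at the reflector's edge would instead see requests from an address
    that never receives the answers.
    """
    # bytes requested per (client, client_port, server, server_port)
    requests = defaultdict(int)
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if dport in REFLECTOR_PORTS:
            requests[(src, sport, dst, dport)] += nbytes

    unsolicited = defaultdict(lambda: defaultdict(int))
    for src, sport, dst, dport, _pkts, nbytes in flows:
        if sport not in REFLECTOR_PORTS:
            continue
        asked = requests.get((dst, dport, src, sport), 0)
        if asked == 0:  # a "response" nobody on this side requested
            unsolicited[dst][REFLECTOR_PORTS[sport]] += nbytes

    return {
        victim: dict(per_service)
        for victim, per_service in unsolicited.items()
        if sum(per_service.values()) >= min_bytes
    }


if __name__ == "__main__":
    print(find_reflection_victims(SAMPLE_FLOWS))
    print("legit DNS factor:", amplification_factor(80, 300))
```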

Attack links *

Link attacks differ from direct attacks and reflection / amplification attacks: their goal is not the end host's bandwidth but the bandwidth of the Internet's backbone links.

Coremelt is a link-flooding distributed denial-of-service method; to carry it out, the attacker needs to control a botnet that is distributed widely enough.

Attacks on system resources

DDoS attacks are very often thought of only as attacks that consume network bandwidth, but DDoS attacks also consume system resources.

TCP connection attack

TCP is a connection-oriented, reliable transport protocol based on byte streams. The application layers on different hosts need reliable end-to-end connections, and because the IP layer provides no such stream mechanism, in practice this relies on TCP.

The TCP connection process is known as the "three-way handshake", and this handshake stage is very vulnerable to DDoS attacks.

TCP connection flooding

A TCP flood attack targets TCP resources in the "connection establishment" phase.

During the three-way handshake the server creates and stores the TCP connection's information, usually in a structure called the connection table. The connection table has a limited size; once the number of connections the server receives exceeds what the table can hold, the server cannot create new TCP connections.

An attacker can use a large number of controlled hosts to establish TCP connections to the target host, filling its connection table so that the target can no longer accept new TCP connections.

SYN flood attack

The SYN flood is the most classic kind of DDoS attack and one of the main DDoS attack methods.

TCP half-open connections:

When a TCP connection is being established, the server replies with a SYN + ACK packet; if the client does not acknowledge it, the server retransmits the SYN + ACK and waits for the client's acknowledgment, so the connection is in a half-open state. A half-open connection remains stored in the server's connection table for as long as it is maintained.

Because the connection table has a limited size, a large number of half-open connections produced in a short time, none of them meaningful, will take up a lot of its space.

Controlled hosts send a large number of SYN packets to the target system and skip the final ACK, leaving the connections half-open. But this easily exposes the IP addresses of the controlled hosts, and the target's response packets flow back and consume the attacker's bandwidth; a more powerful approach is to forge the source IP address of the SYN packets as the address of another host or of a host that does not exist, so that the target sends its responses to the fake address, which fills the connection table while hiding the source of the attack.
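The standard defence against the half-open-connection exhaustion described above is SYN cookies: the server encodes the connection state into the SYN + ACK sequence number instead of storing it, so a forged-source SYN costs it no connection-table entry. The following is an added example, not from the original notes; the cookie layout is a simplified version of the Linux scheme, and the secret, MSS table and ageing thresholds are constructed for the demo.

```python
"""SYN cookies: answering SYNs without storing half-open state.

Added example, not from the original notes. The cookie layout (5-bit time
counter, 2-bit MSS index, 24-bit MAC) is a simplified version of the scheme
Linux uses; the secret, MSS table and thresholds are constructed for the demo.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # a real host rotates this per boot / period
MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values that fit in the 2-bit index
COUNTER_STEP = 64                     # seconds per tick of the time counter
MAX_AGE_TICKS = 2                     # cookies older than this are rejected


def _mac(src_ip, src_port, dst_ip, dst_port, tick, secret):
    """24-bit MAC over the 4-tuple and the time tick."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{tick}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now, secret=SECRET):
    """Initial sequence number for the SYN+ACK. It encodes everything the
    server needs to rebuild the connection later, so nothing is stored."""
    tick = (now // COUNTER_STEP) & 0x1F
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = fits[-1] if fits else 0  # largest table MSS not above the client's
    mac = _mac(src_ip, src_port, dst_ip, dst_port, tick, secret)
    return (tick << 27) | (mss_idx << 25) | mac


def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now, secret=SECRET):
    """Validate the final ACK of the handshake. Returns the negotiated MSS,
    or None if the cookie is forged or too old."""
    cookie = (ack_num - 1) & 0xFFFFFFFF   # the peer acknowledges ISN + 1
    tick = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    current = (now // COUNTER_STEP) & 0x1F
    if (current - tick) & 0x1F > MAX_AGE_TICKS:
        return None                        # stale: replayed or very late ACK
    if (cookie & 0xFFFFFF) != _mac(src_ip, src_port, dst_ip, dst_port, tick, secret):
        return None                        # MAC mismatch: not a cookie we issued
    return MSS_TABLE[mss_idx]


class SynCookieListener:
    """A listener whose connection table only ever holds completed handshakes."""

    def __init__(self, secret=SECRET):
        self.secret = secret
        self.established = []  # the only state kept: fully established connections

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, client_mss, now):
        """Reply with a SYN+ACK whose ISN is the cookie; store nothing."""
        return make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now, self.secret)

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack_num, now):
        """Only a correct ACK creates a connection-table entry."""
        mss = check_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now, self.secret)
        if mss is None:
            return False
        self.established.append((src_ip, src_port, mss))
        return True
```

A flood of SYNs with forged sources therefore never touches `established`; only a peer that really received the SYN + ACK can answer with the right cookie.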

PSH + ACK flood attack

During TCP data transfer the PSH flag can be set to indicate that the current data transmission has ended and the server needs to process it.

In normal TCP transmission, when the data being sent empties the send buffer, the operating system's TCP / IP stack automatically sets the PSH flag on that TCP packet; when the server receives a packet with PSH + ACK set, it means the current data transfer is complete, so the data must be delivered to the service process immediately and the receive buffer emptied, without waiting to see whether more data follows.

Because a TCP packet with the PSH flag forces the receiver to clear its receive buffer and hand the data to the application service for processing, an attacker who uses controlled hosts to send a large number of PSH + ACK packets to the target makes it consume a large amount of system resources constantly emptying and processing the receive buffer, so that it can no longer process data properly, resulting in DDoS.

PSH + ACK flooding alone is not very effective; a more effective approach is to combine it with a SYN flood and an ACK attack, which bypasses some protective equipment and enhances the attack.

RST flooding

TCP connections are normally closed with an exchange of four FIN-flagged messages (the "four-way wave"); if the client or server encounters an exception and cannot complete the normal four-way close, it forcibly terminates the connection with an RST packet.

RST means reset and closes the connection on an exception. When the sender sends an RST, the connection is closed without waiting for all the data in the buffer to be sent; the buffered packets are discarded and the RST is transmitted. The receiving end likewise empties its buffer when it receives the RST and closes the TCP connection between the two.

Attackers can exploit this feature of RST packets by sending forged TCP packets with the RST flag to tear down TCP connections between client and server. When forging RST packets the server's IP address and port are already known, but the attacker still has to find the client's IP address and port, and the RST's sequence number must fall within the server's receive window. [If the attacker is on the same network as the target, this can be obtained by sniffing the network with ARP spoofing.]

Without knowing the client's IP and port, a "blind guessing" strategy is often used: with a huge number of RST packets, some will match the client's IP and port and the connection will be cut.

This kind of DDoS, which forcibly cuts TCP connections, is often aimed at online gaming and video services.

Sockstress attack

The Sockstress attack is not a flood attack but a slow attack.

In a TCP connection, received data is not handed directly to the application process but first stored temporarily in the receive buffer, whose free space is advertised as the TCP window. A window size of 0 means the receive buffer is full and the sender should stop sending data until the receiver advertises an updated window. The Sockstress attack uses this principle to keep TCP connections open for a long time and so achieve DDoS.

The attacker first completes a TCP connection, but sets the TCP window to 0 in the third (ACK) packet of the handshake and then requests data. When the target starts to send the data and finds the window is 0, it stops sending and sends TCP window probe packets asking the attacker to update the window; as long as the window is not updated, the target must keep the connection in this state, waiting to send data and continuously sending window probes. With a large number of controlled hosts, the attacker makes the target keep many connections in this state, probing for window updates, and the entries of its TCP connection table are gradually consumed.

Another form of Sockstress sets the TCP window to a very small value; the target then has to cut the data it sends into a large number of segments of that size, which greatly consumes the target's memory and processor resources and slows the service.
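A server can defend against both Sockstress variants by noticing that a peer has held its window at zero (or a few bytes) through many probes and dropping those connections. The following detector is an added example, not from the original notes; the packet records, 16-byte window threshold and 30-second stall limit are constructed assumptions.

```python
"""Detecting Sockstress-style persistent zero / tiny windows.

Added example, not from the original notes. It assumes the server side
records, per incoming ACK, the peer's advertised window; the packet
records and thresholds below are constructed for illustration.
"""
from collections import Counter

SMALL_WINDOW = 16   # bytes; a healthy receiver advertises thousands
MAX_STALL = 30.0    # seconds a peer may keep its window shut before we drop it

# Constructed records: (timestamp, peer_ip, peer_port, advertised_window)
SAMPLE_PACKETS = [
    # peer 192.0.2.5 opens three connections, requests data, then never
    # reopens its window: every probe reply keeps saying 0 (or 4 bytes)
    (0.0, "192.0.2.5", 50001, 0), (15.0, "192.0.2.5", 50001, 0), (45.0, "192.0.2.5", 50001, 0),
    (0.0, "192.0.2.5", 50002, 0), (30.0, "192.0.2.5", 50002, 0),
    (1.0, "192.0.2.5", 50003, 4), (31.0, "192.0.2.5", 50003, 4),
    # ordinary client whose window closes briefly under load and reopens
    (10.0, "198.51.100.8", 40001, 0), (12.0, "198.51.100.8", 40001, 8192),
    # a window that only just closed; too early to judge
    (40.0, "198.51.100.9", 40002, 0),
]


def stalled_connections(packets, now):
    """Return {(peer_ip, peer_port): seconds_stalled} for connections whose
    peer has advertised a window <= SMALL_WINDOW continuously for MAX_STALL
    seconds, measured from the first small advertisement up to `now`."""
    first_small = {}
    for ts, ip, port, window in sorted(packets):
        key = (ip, port)
        if window <= SMALL_WINDOW:
            first_small.setdefault(key, ts)     # remember when the stall began
        else:
            first_small.pop(key, None)          # window reopened: normal flow control
    return {k: now - t for k, t in first_small.items() if now - t >= MAX_STALL}


def suspect_sources(stalled, min_connections=3):
    """Group stalled connections by peer IP. One peer holding several
    connections shut at once is the Sockstress pattern rather than a single
    slow reader; these are the addresses worth dropping or rate-limiting."""
    counts = Counter(ip for ip, _port in stalled)
    return {ip: n for ip, n in counts.items() if n >= min_connections}


if __name__ == "__main__":
    stalled = stalled_connections(SAMPLE_PACKETS, now=60.0)
    print(stalled)
    print(suspect_sources(stalled))
```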

Attacks on SSL connections

Secure Sockets Layer (SSL) is a security protocol that provides secure network communication and data integrity; SSL encrypts at the transport layer, preventing plaintext data from being monitored and intercepted in transit.

However, SSL's encryption, decryption and key negotiation consume a large amount of system resources and seriously degrade machine performance, so SSL is usually used only when the content being transmitted must be encrypted.

During key negotiation in SSL, the CPU resources consumed on the client and server sides differ, because different key algorithms cost different amounts. For example, with the RSA family of public-key algorithms the server consumes more resources than the client; in the extreme case of RSA 4096 encryption and decryption, the server needs the equivalent of 25 times the client's resources to complete the computation. An attacker can take advantage of this resource-consumption characteristic of the SSL protocol to carry out DDoS attacks.

THC SSL DoS attacks

Before SSL data transfer, the two parties must first perform an SSL handshake to negotiate an encryption algorithm, exchange encryption keys and authenticate identities. The SSL handshake normally only needs to be done once, but SSL's renegotiation option allows the keys to be renegotiated, creating new keys.

Using the renegotiation option, the attacker can exhaust the target's resources: after the SSL connection's handshake, the attacker repeatedly carries out key renegotiation, and each renegotiation requires the server to invest more than 15 times the client's CPU resources. An attacker needs only an ordinary desktop computer to slow down a high-performance server, and if a large number of hosts attack simultaneously, the server is kept busy negotiating keys and stops responding completely.

SSL flooding

During the SSL handshake the server consumes considerable CPU resources on encryption, decryption and checking the validity of the data. For the data the client sends, the server must spend a lot of computing resources decrypting it before it can verify its validity; the important point is that, valid or not, the server has to decrypt the data before it can inspect it. An attacker can use this characteristic to carry out SSL flood attacks.

One point about SSL flood attacks is that the attacker must be able to issue a large number of requests from the client, so the client's own computation should be as small as possible. A better way to carry out SSL flooding is to attack during the SSL handshake, before data transfer: the attacker does not need to complete the SSL handshake and key exchange, only to make the server decrypt and verify, which consumes a lot of server-side computing resources. The attacker can therefore easily construct the key-exchange request data, reducing the client's computation.

Attackers can use tools such as SSLSqueeze to launch SSL flood attacks.

Attacks on application resources

Attacks on DNS services

DNS is a core Internet service: thanks to DNS, people do not need to remember a site's IP address to visit it, only its domain name. Attacks on DNS services come in two main forms: DNS QUERY flood attacks and DNS NXDOMAIN flood attacks.

DNS QUERY flooding

A DNS QUERY flood attack sends a large number of queries to a DNS server in order to achieve denial of service.

In the DNS resolution process the client sends a query, and the DNS server may need to make several further queries before it can answer; this consumes a certain amount of computing and network resources. If an attacker uses a large number of controlled hosts to keep sending resolution requests for different domain names, the DNS server's cache is constantly refreshed, a large proportion of the requests miss the cache, and the server must spend additional resources on iterative queries; this greatly increases the DNS server's resource consumption, resulting in slow responses or even DNS denial of service.

An important point of DNS QUERY flooding is that each request should query a different domain name, so as to avoid cached DNS records and consume resources more efficiently.

DNS NXDOMAIN flooding

A DNS NXDOMAIN flood attack is a variant of the DNS QUERY flood; the difference is that the latter queries the DNS server for real domain names, while the former queries for non-existent ones.

During a DNS NXDOMAIN flood, the DNS server queries many domain names while its cache fills up with NXDOMAIN records, so that legitimate users' DNS resolution requests are answered slowly; in this way it achieves a result similar to the DNS QUERY flood. In addition, some DNS servers, when they cannot obtain a result for a domain, perform the recursive query again, sending upstream resolution requests without waiting for a response, which further increases the DNS server's resource consumption.
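Both DNS floods above leave measurable per-client signatures in a resolver's query log: the QUERY flood shows a high rate of distinct names, the NXDOMAIN flood a high NXDOMAIN ratio. The following classifier is an added example, not from the original notes; the log line format, sample lines and thresholds are constructed assumptions.

```python
"""Per-client detection of DNS QUERY and NXDOMAIN floods from query logs.

Added example, not from the original notes. The log format
"<timestamp> <client_ip> <qname> <rcode>" and the sample lines below are
constructed; thresholds are illustrative and would be tuned to the resolver.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<client>\S+) (?P<qname>\S+) (?P<rcode>[A-Z]+)$")


def constructed_log():
    """Three clients: a normal one, an NXDOMAIN flooder, a QUERY flooder."""
    lines = [
        "1000.0 198.51.100.5 www.example.test NOERROR",
        "1000.5 198.51.100.5 www.example.test NOERROR",
        "1001.0 198.51.100.5 mail.example.test NOERROR",
    ]
    for i in range(50):
        ts = round(1000.0 + i * 0.1, 1)
        # random-looking labels that do not exist: every answer is NXDOMAIN
        lines.append(f"{ts} 192.0.2.9 x{i:04d}.example.test NXDOMAIN")
        # distinct real names, so every query misses the cache
        lines.append(f"{ts} 192.0.2.10 host{i}.cdn.example.test NOERROR")
    return lines


def per_client_stats(lines):
    """Count queries, distinct names, NXDOMAIN answers and time span per client."""
    stats = defaultdict(lambda: {"n": 0, "names": set(), "nx": 0, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = float(m["ts"])
        s = stats[m["client"]]
        s["n"] += 1
        s["names"].add(m["qname"].lower())
        if m["rcode"] == "NXDOMAIN":
            s["nx"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats


def classify(lines, max_qps=5.0, min_unique_ratio=0.8, max_nx_ratio=0.5, min_queries=10):
    """Return {client_ip: "nxdomain-flood" | "query-flood" | "ok"}."""
    verdicts = {}
    for client, s in per_client_stats(lines).items():
        span = max(s["last"] - s["first"], 1.0)      # avoid dividing by a zero span
        qps = s["n"] / span
        unique_ratio = len(s["names"]) / s["n"]      # 1.0 means no name ever repeats
        nx_ratio = s["nx"] / s["n"]
        if s["n"] >= min_queries and nx_ratio > max_nx_ratio:
            verdicts[client] = "nxdomain-flood"
        elif s["n"] >= min_queries and qps > max_qps and unique_ratio > min_unique_ratio:
            verdicts[client] = "query-flood"
        else:
            verdicts[client] = "ok"
    return verdicts


if __name__ == "__main__":
    for client, verdict in classify(constructed_log()).items():
        print(client, verdict)
```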

Attacks on Web services

HTTP flood attack

Web services typically use the HTTP protocol to transmit requests and response data.

The common HTTP requests are of two kinds, GET and POST. GET requests are usually used to obtain data and resources from the Web server; POST requests submit data and resources to the Web server. To process these HTTP requests the Web server typically has to parse the request, process and execute server-side scripts, verify the user's permissions and access the database, which consumes a large amount of computing and I/O resources.

Because HTTP is based on TCP, HTTP traffic can only begin once the three-way handshake has established a TCP connection, so an HTTP flood cannot use forged source IP addresses; attackers therefore generally attack through HTTP proxy servers.

Like DNS, Web services also have caching mechanisms. If most of the attacker's requests hit the server's cache, the attack mainly consumes the target's network bandwidth, while the computing and I/O resources consumed are very limited. An efficient HTTP flood therefore keeps requesting different resources and pages, and as far as possible requests resources that cannot be cached, to increase the burden on the server.

In addition, if the server also provides HTTPS, HTTPS flooding is an effective attack method, because processing an HTTPS request requires decrypting it on top of the HTTP data processing, which leads to an excessive burden on the service.

Slowloris attack

Slowloris is a slow HTTP attack against Web servers. The HTTP protocol specifies that a consecutive "\r\n\r\n" marks the end of the request header, and many HTTP servers hold the request and wait for the end of the header before processing it. So if the Web server never receives the "\r\n\r\n" terminator, it keeps receiving data and stays connected. Using this feature, a large number of controlled hosts can keep the Web server connected for a long time, gradually exhausting the server's connection resources.

The attacker sends an HTTP GET request, slowly transmitting unnecessary header fields and never sending the terminator, so it can occupy a connection to the Web server for a long time and keep the link from being timed out. The Web server's number of concurrent connections is limited; if an attacker uses a large number of controlled hosts to send incomplete HTTP GET requests and hold the connection resources for a long time, it will drag the Web server down.

Slow POST request attack

The slow POST request attack is a slow HTTP attack on Web servers; the difference from Slowloris is that it sends the HTTP BODY of a POST request slowly to occupy and exhaust the Web server's connection resources.

An HTTP header can carry a Content-Length field, whose value the server takes as the length of the HTTP BODY; when the Web server receives an HTTP header containing Content-Length, it waits for that much BODY content before processing it. The attacker can exploit this feature to stay connected to the Web server for a long time and gradually exhaust its connection resources.
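Servers and reverse proxies counter Slowloris and slow POST with the two per-connection timers modelled below: a deadline for the complete header block and a minimum body rate after the header. This is an added example, not from the original notes or any server's code; the thresholds and sample byte streams are constructed assumptions (Apache's mod_reqtimeout applies the same idea).

```python
"""Request-timeout guard against Slowloris headers and slow POST bodies.

Added example, not from the original notes. Per connection it applies two
checks: the "\r\n\r\n"-terminated header block must arrive within a deadline,
and a declared body must sustain a minimum rate. Thresholds and the sample
byte streams are constructed for the demo.
"""
import re

HEADER_DEADLINE = 20.0   # seconds allowed to deliver the full header block
BODY_GRACE = 10.0        # seconds before the body rate is enforced
BODY_MIN_RATE = 500.0    # bytes per second the body must average after the grace period

_CL_RE = re.compile(rb"^content-length:\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)


def content_length(header_block):
    """Declared body length, or 0 when the header carries none (e.g. a GET)."""
    m = _CL_RE.search(header_block)
    return int(m.group(1)) if m else 0


class SlowRequestGuard:
    """Feed each received chunk with its arrival time; returns None to keep
    reading, or a verdict: "complete", "header-timeout" or "body-too-slow"."""

    def __init__(self, opened_at):
        self.opened_at = opened_at
        self.buf = b""
        self.header_done_at = None
        self.body_expected = 0
        self.body_received = 0

    def feed(self, now, chunk):
        if self.header_done_at is None:
            self.buf += chunk
            end = self.buf.find(b"\r\n\r\n")
            if end < 0:
                # still inside the header block: Slowloris keeps us here forever
                return "header-timeout" if now - self.opened_at > HEADER_DEADLINE else None
            self.header_done_at = now
            self.body_expected = content_length(self.buf[:end])
            chunk = self.buf[end + 4:]          # body bytes that arrived with the header
            self.buf = b""
        self.body_received += len(chunk)
        if self.body_received >= self.body_expected:
            return "complete"
        elapsed = now - self.header_done_at
        if elapsed > BODY_GRACE and self.body_received / elapsed < BODY_MIN_RATE:
            return "body-too-slow"              # slow POST: declared body trickles in
        return None


def run_stream(events):
    """events: constructed list of (arrival_time, bytes). Returns (verdict, time)
    for the first decision, or (None, None) if the stream ended undecided."""
    guard = SlowRequestGuard(opened_at=events[0][0])
    for ts, chunk in events:
        verdict = guard.feed(ts, chunk)
        if verdict is not None:
            return verdict, ts
    return None, None


# Constructed streams. Slowloris: header fields trickle in, terminator never comes.
SLOWLORIS = [(0.0, b"GET / HTTP/1.1\r\n"), (5.0, b"Host: example.test\r\n"),
             (10.0, b"X-a: 1\r\n"), (15.0, b"X-b: 2\r\n"), (25.0, b"X-c: 3\r\n")]
# Slow POST: complete header declaring 100000 bytes, then one byte every two seconds.
SLOW_POST = [(0.0, b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 100000\r\n\r\n")]
SLOW_POST += [(2.0 * i, b"a") for i in range(1, 7)]
# Normal request: header and body arrive together.
NORMAL = [(0.0, b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello")]

if __name__ == "__main__":
    for name, stream in (("slowloris", SLOWLORIS), ("slow-post", SLOW_POST), ("normal", NORMAL)):
        print(name, run_stream(stream))
```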

Data processing attack

After the Web server receives an HTTP request it must check and process its data; by constructing malicious request content, an attacker can greatly increase the resources consumed during data processing.

Blended attacks (classification by protocol layer)

Flood attacks
  • Network layer: ICMP / IGMP flood attack
  • Transport layer: UDP flood attack, TCP flood attack, SYN flood attack, PSH + ACK flood attack, ACK reflection attack, RST flood attack
  • Application layer: SSL flood attack, DNS QUERY flood attack, DNS NXDOMAIN flood attack, DNS amplification attack, HTTP amplification attack, SNMP amplification attack, NTP amplification attack

Slow attacks
  • Transport layer: Sockstress attack
  • Application layer: THC SSL DoS attack, Slowloris attack, slow POST request attack, data processing attack

Notes on Section 3 of "DDoS attack prevention and depth profiling"

Category: Network Security

Author: Wang Yuyang

E-mail: [email protected]

Time: 2019-06-09


Source: www.cnblogs.com/wangyuyang1016/p/10994880.html