DoS, DoS attacks, DDoS attacks, DRDoS attacks

https://baike.baidu.com/item/dos%E6%94%BB%E5%87%BB/3792374?fr=aladdin


DoS is short for Denial of Service. Any behavior that causes a denial of service is called a DoS attack. The effect of the attack is that a computer or network can no longer provide its normal services. Common DoS attacks target a computer's network bandwidth and its connectivity. A DoS attack is one machine attacking one machine.

How a DoS attack works: the attacker first sends a large number of connection requests with forged source IP addresses to the target server. The server answers each request with an acknowledgment and then waits for the client's confirmation (following this requires basic knowledge of the TCP three-way handshake and of HTTP). Because the source addresses in the attacker's requests are forged, no confirmation ever arrives; the server keeps waiting for a period of time and does not release the resources it allocated for the request until that wait times out. Only when the timeout expires is the half-open connection dropped, and by then the attacker has already sent a new batch of forged requests. Eventually the server's resources are exhausted and it stops responding.

DDoS is short for Distributed Denial of Service. The attacker controls multiple hosts and has them launch DoS attacks against the same host or network at the same time.

DoS attacks, DDoS attacks and DRDoS attacks: most readers will have heard of them. DoS is the abbreviation of Denial of Service; DDoS stands for Distributed Denial of Service, a distributed denial of service; and DRDoS stands for Distributed Reflection Denial of Service, a distributed reflective denial of service.

Of the three, DDoS remains the most powerful form of attack. DRDoS, although it appeared more recently, is only a variant of DDoS; the one difference is that it does not require the attacker to first take over a large number of "zombie" hosts (compromised machines the attacker controls). All three methods, as described in this article, exploit the TCP three-way handshake, so their defenses are similar.

DoS attacks came first. Put bluntly, a DoS attack is a one-on-one duel: whoever has the better-performing machine and the faster link wins. But technology has moved on quickly. A typical site now runs on more than a dozen hosts, and the processing power, memory and network speed of each host have grown as well; some sites have bandwidth above the gigabit level. A one-on-one attack therefore achieves nothing, and the attacker's own machine may well be the one that dies. For example, if your machine can send 10 attack packets per second (and that is already the limit of your bandwidth) while the target can absorb 100 attack packets per second, your attack is useless and your own machine is likely to crash. Bear in mind that while sending such a 1-versus-1 attack your machine's CPU utilization exceeds 90%; if your machine is not well configured, it is the one that goes down.

DDoS attacks: principles and defense methods you must know

Figure 01: DoS attack

But as technology develops, so do hacking techniques; as the saying goes, as virtue rises one foot, vice rises ten. After countless crashes of their own machines, hackers finally found a new DoS method: the DDoS attack. Put bluntly, its principle is a gang fight: many machines launch DoS attacks against the target machine at the same time. That does not mean many hackers take part; a single hacker runs the whole attack. Nor does that hacker own many machines: from his own machine he takes over a large number of "zombie" hosts on the network and then commands them to launch the DDoS attack, which is why it is called distributed. Take the earlier example: your machine can send 10 attack packets per second while the target can absorb 100, so your attack on its own certainly fails; but if you then aim 10, or many more, machines at the target at once, well, I need not spell out the result.


Figure 02: DDoS attack


DRDoS, the distributed reflective denial of service attack, is a variant of DDoS. It differs from DDoS in that the attacker does not need to take over a large number of "zombie" hosts before attacking. Its principle resembles that of the Smurf attack, but DRDoS can be carried out across the wide-area Internet, whereas Smurf depends on a network's broadcast address. Smurf works like this: when one computer sends a special ping (ICMP echo request) packet to another, it receives a reply; if it sends that request to the network's broadcast address, the request actually reaches every computer on the network, and every one of them replies. Each reply has to be processed by the receiving computer, and each one consumes some system resources; receiving replies from every computer on the network at the same time is likely to overwhelm the recipient's system, just as in a DDoS attack. Nobody is foolish enough to attack themselves, of course, but the hacker uses this method to multiply the power of the attack: the hacker sends the request packet to the broadcast address, all the computers receive it, and the replies go not back to the hacker but to the attacked host, because the hacker impersonates the attacked host. The attack tool forges the source address of the request packets; the receiving hosts send their replies to that forged source address, which is of course the victim's address. The hacker also shortens the interval between request packets so as to send a very large number of them in a short time. From the victim's point of view, a flood of replies arrives from the deceived computers and the system collapses, exactly as in a DDoS attack.

In this way the hacker turns every computer on a network against the victim without having to take over those deceived hosts beforehand; that is the Smurf attack. The DRDoS attack works on the same principle: using special tools, the hacker first sends SYN connection request packets with a forged source address to the computers that are to be deceived. Following the rules of the TCP three-way handshake, those computers reply to the source IP with either a SYN+ACK packet or an RST packet. As in the Smurf attack, the source IP address the hacker writes into the request packets is the address of the attacked host, not the attacker's own, so the deceived hosts send their responses to the victim, which is kept so busy processing these responses that it is paralyzed.
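The following Python script is an added example, not code from the original article, that models the reflection just described and the check a victim can make for it. Reflector hosts answer a SYN according to the handshake rules (SYN+ACK if the port listens, RST if it is closed) and send that answer to whatever source address the SYN carried; the attacker forges the victim's address, so every reply lands on the victim. The victim, which never sent those SYNs, can spot them as unsolicited SYN+ACK/RST segments from many different hosts. The reflector list, addresses and ports are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str        # "SYN", "SYN+ACK" or "RST"

# Constructed reflectors for the example: address -> TCP ports that are listening.
REFLECTORS = {
    "203.0.113.10": {80, 443},
    "203.0.113.11": {22},
    "203.0.113.12": set(),    # nothing listening: every SYN is answered with RST
}
VICTIM = "198.51.100.5"       # constructed victim address

def reflect(seg: Segment, listening: dict) -> Optional[Segment]:
    """What the receiving TCP stack sends back for a SYN, per the handshake rules:
    SYN+ACK if the port is listening, RST if it is closed, nothing for other segments."""
    if seg.flags != "SYN":
        return None
    flags = "SYN+ACK" if seg.dport in listening.get(seg.dst, set()) else "RST"
    # The reply goes to whatever source address the SYN carried, forged or not.
    return Segment(src=seg.dst, dst=seg.src, sport=seg.dport, dport=seg.sport, flags=flags)

def spoofed_syns(victim: str, reflectors: dict, rounds: int, dport: int) -> list:
    """The attacker's traffic: SYNs to every reflector with the victim as forged source."""
    return [Segment(src=victim, dst=r, sport=40000 + i, dport=dport, flags="SYN")
            for i in range(rounds) for r in reflectors]

def deliver(segments: list, reflectors: dict) -> list:
    """Run each segment through the reflectors and collect the replies they emit."""
    replies = []
    for seg in segments:
        reply = reflect(seg, reflectors)
        if reply is not None:
            replies.append(reply)
    return replies

def unsolicited(received: list, sent_syns: set) -> list:
    """Victim-side check: SYN+ACK or RST replies for which this host sent no SYN.
    sent_syns holds (peer address, peer port, local port) of SYNs it really sent."""
    return [s for s in received
            if s.flags in ("SYN+ACK", "RST")
            and (s.src, s.sport, s.dport) not in sent_syns]

def summarize(received: list, sent_syns: set) -> dict:
    """How much of the inbound traffic is reflected backscatter, and from how many hosts."""
    bogus = unsolicited(received, sent_syns)
    return {
        "total": len(received),
        "unsolicited": len(bogus),
        "reflectors": len({s.src for s in bogus}),
        "by_flag": dict(Counter(s.flags for s in bogus)),
    }

if __name__ == "__main__":
    # One connection the victim genuinely opened, plus 100 rounds of spoofed SYNs.
    real = Segment(src=VICTIM, dst="203.0.113.10", sport=50000, dport=443, flags="SYN")
    victim_sent = {("203.0.113.10", 443, 50000)}
    replies = deliver([real] + spoofed_syns(VICTIM, REFLECTORS, rounds=100, dport=80), REFLECTORS)
    print(summarize(replies, victim_sent))
```

The one genuine reply (to the SYN the victim really sent) is matched against the victim's own connection state and ignored; the 300 reflected replies, 100 SYN+ACKs from the host with port 80 open and 200 RSTs from the two hosts without it, have no matching state and are the attack traffic. Note that the closed ports reflect just as well as the open one: an RST is a reply too.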


DDoS attacks: principles and defense methods you must know (2)

Figure 03: DRDoS (distributed reflective denial of service) attack

  Explanation:

SYN (Synchronize sequence numbers): used to establish a connection. In a connection request, SYN = 1 and ACK = 0; in the connection response, SYN = 1 and ACK = 1. SYN and ACK together distinguish a connection request from a connection accepted.

RST (Reset the connection): used to reset a connection after some error has occurred, and also to reject an illegal data request. Receiving a segment with the RST bit set usually means some error has occurred.

ACK (Acknowledgment field significant): set to 1, it means the acknowledgment number (Acknowledgment Number) is valid; set to 0, it means the segment carries no acknowledgment and the acknowledgment number is ignored.

  TCP three-way handshake:


Figure 04: TCP three-way handshake

Suppose we are about to establish a connection and the server is in its normal listening state. In the notation below, "SYN = n" stands for the sequence number a packet carries and "ACK = n" for its acknowledgment number.

Step one: we, the client, send a request with the SYN bit set, telling the server that we want to connect. Suppose the sequence number of the request packet is 10; that gives SYN = 10, ACK = 0. We then wait for the server's reply.

Step two: after receiving such a request packet, the server checks whether the specified port is listening. If it is not, the server replies with RST = 1 and refuses the connection. If the port accepts the request, the server sends an acknowledgment response: its SYN value is the server's own initial sequence number, say 100, and its ACK value is the client's sequence number plus 1, so in this example the server sends SYN = 100, ACK = 11. This tells us that the server is ready for the connection and is waiting for our confirmation. After receiving the response, we analyze the information it carries, confirm that the connection is ready, and send the server a confirmation.

Step three: we send the server a confirmation that establishes the connection. Its ACK value is the server's SYN value plus 1, and its SYN value is the ACK value the server sent to us, that is SYN = 11, ACK = 101.

With that, the connection is established.

So how exactly is a DDoS attack carried out? The most popular and most effective method is the SYN-Flood attack, a SYN flood. A SYN flood never completes the third step of the TCP three-way handshake; that is, the attacker never sends the server the confirmation that would establish the connection. The server cannot finish the handshake, but it does not give up immediately: it keeps waiting and retrying, and only after a certain time does it abandon the unfinished connection. This period is called the SYN timeout and is roughly 30 seconds to 2 minutes. When one user's connection problem makes a server thread wait for a minute, that is no big deal; but if many people use special software to simulate this situation, the consequences are easy to imagine. Processing a huge number of these half-open connections consumes system resources and network bandwidth, leaving the server no spare capacity to handle normal user requests (which are by then a small proportion of the total). The server thus stops working, and this attack is called the SYN-Flood attack.
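The handshake walk-through and the SYN flood above, as an added example that is not part of the original article: a small Python model of a listening TCP port that runs the three-way handshake with the article's numbers (client sequence number 10, server sequence number 100), answers a closed port with RST, and keeps half-open entries in a bounded backlog until a SYN timeout expires. Spoofed SYNs that never send step three fill that backlog; a real client then gets in only once the timeout has released the entries. The backlog size, the timeout and the clock are simulation parameters chosen for the example, not values measured from any real TCP stack.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Seg:
    src: str
    seq: int              # the article writes this as "SYN = n"
    ack: int              # the article writes this as "ACK = n"
    syn: bool = False
    ack_flag: bool = False
    rst: bool = False

@dataclass
class Listener:
    port_open: bool = True
    isn: int = 100                  # server's initial sequence number (article's value)
    max_half_open: int = 128        # cap on half-open connections (simulation parameter)
    syn_timeout: float = 60.0       # SYN timeout in seconds (simulation parameter)
    half_open: dict = field(default_factory=dict)   # src -> (expected ack, expiry time)
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def expire(self, now: float) -> None:
        """Release half-open entries whose SYN timeout has passed."""
        self.half_open = {k: v for k, v in self.half_open.items() if v[1] > now}

    def receive(self, seg: Seg, now: float) -> Optional[Seg]:
        """Handle one inbound segment; return the server's reply, if any."""
        self.expire(now)
        if seg.syn and not seg.ack_flag:                    # step one: SYN
            if not self.port_open:
                return Seg(src="server", seq=0, ack=seg.seq + 1, rst=True)
            if len(self.half_open) >= self.max_half_open:   # backlog full: SYN is dropped
                self.dropped_syns += 1
                return None
            self.half_open[seg.src] = (self.isn + 1, now + self.syn_timeout)
            return Seg(src="server", seq=self.isn, ack=seg.seq + 1, syn=True, ack_flag=True)
        if seg.ack_flag and not seg.syn:                    # step three: ACK
            entry = self.half_open.get(seg.src)
            if entry is None or seg.ack != entry[0]:
                return Seg(src="server", seq=seg.ack, ack=0, rst=True)
            del self.half_open[seg.src]
            self.established.add(seg.src)
        return None

def handshake(server: Listener, client: str, client_isn: int, now: float) -> Optional[Seg]:
    """A well-behaved client: send SYN, read SYN+ACK, send the ACK. Returns the server's reply to the SYN."""
    synack = server.receive(Seg(src=client, seq=client_isn, ack=0, syn=True), now)
    if synack is None or synack.rst:
        return synack
    server.receive(Seg(src=client, seq=client_isn + 1, ack=synack.seq + 1, ack_flag=True), now)
    return synack

def syn_flood(server: Listener, count: int, now: float) -> int:
    """Spoofed SYNs from distinct sources that never send step three; returns how many got a SYN+ACK."""
    answered = 0
    for i in range(count):
        if server.receive(Seg(src=f"spoofed-{i}", seq=i, ack=0, syn=True), now) is not None:
            answered += 1
    return answered

def flood_then_connect(max_half_open: int, syn_timeout: float, gap: float) -> bool:
    """Flood the listener at t=0, then let a real client try at t=gap. True if it connects."""
    server = Listener(max_half_open=max_half_open, syn_timeout=syn_timeout)
    syn_flood(server, count=10 * max_half_open, now=0.0)
    return handshake(server, "client", 10, now=gap) is not None and "client" in server.established

if __name__ == "__main__":
    s = Listener()
    reply = handshake(s, "client", 10, now=0.0)
    print(f"server replied SYN = {reply.seq}, ACK = {reply.ack}; established: {s.established}")
    print("real client 30 s into a flood, 60 s SYN timeout:", flood_then_connect(128, 60.0, gap=30.0))
    print("real client 30 s into a flood, 5 s SYN timeout:", flood_then_connect(128, 5.0, gap=30.0))
```

Only the first `max_half_open` spoofed SYNs are answered; the rest are dropped, and so is the real client's SYN as long as the spoofed entries have not timed out. Shortening the timeout (or raising the cap) is what lets the real client through, which is the effect the two half-open-connection defenses later in this article aim for; a sustained flood simply refills the backlog after every expiry, so these knobs buy capacity, not immunity.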

Defending against DDoS attacks remains quite difficult. The attack exploits weaknesses in the TCP/IP protocols themselves, so unless you stop using TCP/IP you cannot be completely immune to it. That does not mean there is no way to resist DDoS attacks; we can at least reduce their effect. Some defensive methods:

1. Make sure the server's system software is the latest version and keep system patches up to date.

  2. Turn off unnecessary services.

3. Limit the number of SYN half-open connections allowed at the same time.

4. Shorten the timeout of SYN half-open connections.

5. Configure the firewall correctly:

Prohibit access to services the host does not offer publicly

Restrict access from specific IP addresses

Enable the firewall's anti-DDoS features

Strictly limit which servers are opened to outside access

Run a port mapper or port scanner against the host, and check both privileged and non-privileged ports carefully.

6. Check the logs of network devices and of host/server systems carefully. If a log shows gaps or its timestamps have been altered, the machine may be under attack.

7. Restrict file sharing and network shares outside the firewall. Otherwise hackers get the chance to intercept system files, and host information exposed to hackers undoubtedly gives them opportunities to break in.

8. Routers

Taking a Cisco router as an example:

  Cisco Express Forwarding(CEF)

Use unicast reverse-path forwarding (uRPF) to drop packets with forged source addresses

  Access Control List (ACL) filtering

Rate-limit SYN packets

Upgrade IOS versions that are too old

Set up a log server for the router
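As an added example for items 3 and 6 above (not code from the original article), the following Python script checks a host for the signature of a SYN flood from two sources a practitioner actually has: the connection table and the kernel log. It parses connection rows in the six-column layout that `netstat -ant` prints on Linux, counts SYN_RECV (half-open) entries per local port together with the number of distinct remote addresses behind them, and scans log lines for the Linux kernel's SYN-flood notice. All sample lines are constructed for the example and the thresholds are chosen values, not figures from any standard.

```python
import re
from collections import defaultdict

# Constructed sample in the six-column layout `netstat -ant` prints on Linux:
# three normal connections plus 400 half-open entries on port 80, each from a
# different (forged) source address.
SAMPLE_NETSTAT = (
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State\n"
    "tcp        0      0 198.51.100.5:80         203.0.113.7:51234       ESTABLISHED\n"
    "tcp        0      0 198.51.100.5:80         203.0.113.8:40001       ESTABLISHED\n"
    "tcp        0      0 198.51.100.5:22         203.0.113.9:60010       ESTABLISHED\n"
    + "".join(
        f"tcp        0      0 198.51.100.5:80         10.{i // 256}.{i % 256}.{i % 7 + 1}:{20000 + i}  SYN_RECV\n"
        for i in range(400)
    )
)

# Constructed kernel log lines: the first mirrors the wording of the Linux
# kernel's SYN-flood notice, the second is unrelated noise.
SAMPLE_LOG = (
    "[12345.678901] TCP: request_sock_TCP: Possible SYN flooding on port 80. Sending cookies.  Check SNMP counters.\n"
    "[12346.100000] systemd[1]: Started Daily apt activities.\n"
)

NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
SYNFLOOD_RE = re.compile(r"Possible SYN flooding on port (\d+)\. (Sending cookies|Dropping request)")

def parse_connections(text: str) -> list:
    """Parse TCP rows; the header line and any non-TCP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append({"lport": int(m.group(2)), "raddr": m.group(3), "state": m.group(5)})
    return rows

def half_open_by_port(rows: list) -> dict:
    """Per local port: SYN_RECV count, ESTABLISHED count and the distinct SYN_RECV sources."""
    per_port = defaultdict(lambda: {"syn_recv": 0, "established": 0, "sources": set()})
    for r in rows:
        p = per_port[r["lport"]]
        if r["state"] == "SYN_RECV":
            p["syn_recv"] += 1
            p["sources"].add(r["raddr"])
        elif r["state"] == "ESTABLISHED":
            p["established"] += 1
    return per_port

def suspicious_ports(rows: list, max_half_open: int = 256, min_distinct_ratio: float = 0.9) -> dict:
    """Ports holding more half-open connections than allowed, almost all from
    different addresses: real clients often repeat addresses, randomly forged
    sources almost never do. Thresholds are example values, not a standard."""
    out = {}
    for port, p in half_open_by_port(rows).items():
        distinct = len(p["sources"])
        if p["syn_recv"] > max_half_open and distinct >= min_distinct_ratio * p["syn_recv"]:
            out[port] = {"syn_recv": p["syn_recv"], "sources": distinct, "established": p["established"]}
    return out

def syn_flood_log_events(text: str) -> list:
    """(port, kernel action) for every SYN-flood notice found in the log text."""
    events = []
    for line in text.splitlines():
        m = SYNFLOOD_RE.search(line)
        if m:
            events.append((int(m.group(1)), m.group(2)))
    return events

if __name__ == "__main__":
    rows = parse_connections(SAMPLE_NETSTAT)
    print("suspicious ports:", suspicious_ports(rows))
    print("kernel SYN-flood notices:", syn_flood_log_events(SAMPLE_LOG))
```

On a live host, feed `parse_connections` the output of `netstat -ant` and `syn_flood_log_events` the output of `dmesg`; the count of half-open connections per port is the quantity items 3 and 4 ask you to bound, and the kernel notice is the log entry item 6 tells you to look for.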

Understanding the principles of DDoS attacks lets us improve our defensive measures and block at least part of them; know yourself and know your enemy.


Source: www.cnblogs.com/leftJS/p/11098020.html