Devastating DDoS: Analysis of the attack and defense

Technological development has brought people a great deal of convenience; personal social life and commercial activity alike are now inseparable from the network. But along with opportunity, the growth of the network also brings threats, and the most destructive of these is DDoS. It has become a tool used by organizations and individuals alike for network blackmail, revenge, and even cyber warfare. In this issue, an instructor from ISEC Lab walks through DDoS attack and defense for everyone.

I. The concept of DDoS

1. What is "DDoS"?

DDoS (Distributed Denial of Service) attack: with the help of client/server technology, multiple computers are joined together into an attack platform that launches a denial-of-service attack against one or more targets, multiplying the attack's power many times over. Typically the attacker uses a stolen account to install the DDoS master program on one computer and uses it to control a large number of compromised hosts ("zombies") that carry out the attack.

2. What is a "denial of service" attack?

It can be understood simply as making a public website inaccessible. The method is very simple: keep issuing service requests so that the service can no longer handle the requests of legitimate users.

3. What is "distributed"?

As networks developed, many large companies gained strong service capacity, so an attack consisting of individual requests is no longer a problem for them. The attacker therefore organizes many associates to issue service requests at the same time until the service can no longer be reached; this is what "distributed" means. In reality, however, an attacker usually cannot organize that many cooperating partners to "go to war", so they use a "botnet" to control a large number of computers for the attack.

4. What is a "botnet"?

A botnet is a huge number of bots combined in some way, used for malicious purposes and controlled in the manner of a large network; it can be considered a composite attack platform. Because the zombie hosts are numerous and widely distributed, both the harm they can do and the difficulty of defending against them are great.

II. DDoS attack methods

The essence of a distributed denial-of-service attack is to use distributed clients to send a large number of seemingly legitimate requests to the target, consuming its bandwidth or exhausting its resources in order to deny service. There are four main attack methods:

1. Bandwidth attack

Think of traffic jams in a big city: everyone knows that when the number of network packets reaches or exceeds the upper limit, the network becomes congested and responds slowly. DDoS uses this principle, sending a large number of packets to fill the target's bandwidth so that normal requests fail, achieving denial of service.

An attacker can use an ICMP flood (sending a large number of ICMP packets) or a UDP flood (sending a large number of User Datagram Protocol packets, or very large ones), hiding behind forged source IP addresses, to cause network congestion and slow down the server's response.

But this direct approach depends on the attacker's own network performance, so its effect is often not very good, and the source of the attack is easily discovered. Hence the reflection attack: the attacker crafts special packets whose destination IP address points to a server that acts as a reflector and whose source IP address is forged to be the target's. When the reflector receives the packet it sends its response to the target, and the target's network bandwidth is exhausted.
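From the target's side, a reflected reply is indistinguishable from a real one except that nobody inside the network ever sent the request it answers. The following Python is an added example for this article, not code from the original author: it models a stateful edge device that remembers outbound requests and counts inbound replies with no matching request per (reflector IP, source port). The flow records, the 10.0.0.0/24 internal range and the alert threshold are all constructed assumptions.

```python
"""Flag inbound replies that match no outbound request (reflected traffic).

Added example, not the article's code. Flow tuples are constructed:
(direction, src_ip, src_port, dst_ip, dst_port, bytes), with 10.0.0.0/24
assumed to be the protected network.
"""
from collections import Counter, defaultdict

FLOWS = [
    ("out", "10.0.0.5", 40001, "198.51.100.1", 53, 60),   # legitimate DNS query
    ("in", "198.51.100.1", 53, "10.0.0.5", 40001, 120),   # its answer
    ("out", "10.0.0.6", 40002, "198.51.100.2", 123, 48),  # legitimate NTP request
    ("in", "198.51.100.2", 123, "10.0.0.6", 40002, 48),   # its reply
]
# Twenty large DNS answers aimed at 10.0.0.5 that no inside host asked for:
# the pattern the reflection paragraph describes, seen from the victim.
FLOWS += [("in", "203.0.113.7", 53, "10.0.0.5", 50000 + i, 1400) for i in range(20)]
# A single stray reply is noise, not an attack, and must stay below threshold.
FLOWS.append(("in", "203.0.113.8", 123, "10.0.0.6", 50100, 48))


def unsolicited_replies(flows):
    """Return {(reflector_ip, port): {"packets", "bytes"}} for replies with no request."""
    outstanding = Counter()  # requests we sent and have not yet seen answered
    unsolicited = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for direction, src, sport, dst, dport, size in flows:
        if direction == "out":
            outstanding[(src, sport, dst, dport)] += 1
            continue
        # A genuine reply carries our request's 4-tuple with the ends swapped.
        key = (dst, dport, src, sport)
        if outstanding[key] > 0:
            outstanding[key] -= 1
        else:
            entry = unsolicited[(src, sport)]
            entry["packets"] += 1
            entry["bytes"] += size
    return dict(unsolicited)


def reflection_suspects(flows, min_packets=10):
    """Reflectors whose unmatched replies reach the constructed alert threshold."""
    return {
        reflector: stats
        for reflector, stats in unsolicited_replies(flows).items()
        if stats["packets"] >= min_packets
    }


if __name__ == "__main__":
    for (ip, port), stats in reflection_suspects(FLOWS).items():
        print(f"reflected traffic from {ip}:{port}: {stats['packets']} packets, {stats['bytes']} bytes")
```

In a deployable version the outstanding-request table needs an expiry so that it does not grow without bound, and the replies matched against it should be limited to the UDP services (DNS, NTP and the like) that are actually used as reflectors; the one-to-one matching here is enough to show why stateful inspection, rather than inspection of a single packet, is what separates a reflected answer from a real one.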

2. System attacks

Creating a TCP connection requires three exchanges between client and server, the so-called "three-way handshake". The state of each connection is stored in a connection table of limited size, so once the table is full the server cannot create any new TCP connections.

An attacker exploits this by establishing a large number of TCP connections from controlled hosts, filling the target's connection table so that it cannot accept new connection requests. If the attacker instead sends a large number of TCP SYN packets, the server creates a large number of half-open connections in a short time and the table fills just as quickly, making new TCP connections impossible; this SYN flood is the method attackers use more often.
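To make the connection-table mechanism concrete, here is an added Python model (not code from the article) of a server's table under the two cases above: a table of fixed capacity, half-open entries that expire after a timeout, and a per-source SYN/ACK count that flags sources which open many handshakes and finish none. The capacity of 8, the 30-second timeout and the packet events are constructed values chosen so the effect is visible.

```python
"""Model of a server's TCP connection table under a SYN flood.

Added example for this article, not the author's code. CAPACITY and
HALF_OPEN_TIMEOUT are deliberately small constructed values; the events are
constructed, not captured packets.
"""
from collections import defaultdict

CAPACITY = 8              # constructed: real tables hold thousands of entries
HALF_OPEN_TIMEOUT = 30.0  # seconds a half-open entry waits for the final ACK

# (time, client_ip, client_port, flag) as seen by the server
EVENTS = [(0.0, "192.0.2.10", 5000, "SYN"), (0.1, "192.0.2.10", 5000, "ACK")]
# Ten SYNs from two sources that never complete the handshake.
EVENTS += [(1.0 + 0.1 * i, "203.0.113.5", 10000 + i, "SYN") for i in range(5)]
EVENTS += [(1.5 + 0.1 * i, "203.0.113.6", 20000 + i, "SYN") for i in range(5)]
# A legitimate client arriving while the table is full.
EVENTS += [(5.0, "192.0.2.11", 6000, "SYN")]
# Another legitimate client after the half-open entries have timed out.
EVENTS += [(40.0, "192.0.2.12", 7000, "SYN"), (40.1, "192.0.2.12", 7000, "ACK")]


def replay(events, capacity=CAPACITY, timeout=HALF_OPEN_TIMEOUT, syn_threshold=5):
    """Replay handshake events and report table state plus suspect sources."""
    half_open = {}        # (ip, port) -> time the SYN arrived
    established = set()   # (ip, port) pairs that completed the handshake
    rejected = 0          # SYNs dropped because the table was full
    syns = defaultdict(int)
    acks = defaultdict(int)
    for t, src, sport, flag in events:
        # Expire half-open entries that have waited longer than the timeout.
        for key in [k for k, since in half_open.items() if t - since > timeout]:
            del half_open[key]
        if flag == "SYN":
            syns[src] += 1
            if len(half_open) + len(established) >= capacity:
                rejected += 1
                continue
            half_open[(src, sport)] = t
        elif flag == "ACK" and (src, sport) in half_open:
            acks[src] += 1
            del half_open[(src, sport)]
            established.add((src, sport))
    # Sources that sent many SYNs and never finished a single handshake.
    suspects = sorted(s for s in syns if syns[s] >= syn_threshold and acks[s] == 0)
    return {
        "half_open": len(half_open),
        "established": len(established),
        "rejected": rejected,
        "suspects": suspects,
    }


if __name__ == "__main__":
    print(replay(EVENTS))
```

Run as written, the replay shows seven half-open entries filling the table alongside one real connection, four SYNs rejected (three from the flood and one from the legitimate client at t=5), and service recovering only once the entries expire at t=40. Operating systems mitigate exactly this by not keeping state for unverified SYNs (SYN cookies), which is why the capacity and timeout in the model matter less on a tuned host than the raw packet rate does.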

3. Application attacks

Because DNS and Web services are so widespread and important, both have become the primary targets of resource-exhausting distributed denial-of-service attacks at the application layer.

For example, sending a large number of queries to a DNS server achieves denial of service. If every resolution request is for a different domain name, the server's cached records are bypassed, and its resources are consumed far more effectively. When DNS availability is threatened, a large number of devices across the Internet are affected and stop working properly.

Web technology has developed rapidly in recent years. If an attacker uses a large number of controlled hosts to keep sending malicious HTTP requests to a Web server, the server has to process them all, its resources become fully occupied, and normal users' requests go unserved, resulting in denial of service. Once a Web service is hit by such an attack, the business it carries suffers a fatal impact.
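The two application-layer floods above leave distinct traces in server logs: the DNS variant shows one client asking for many different labels under the same zone (the cache-bypass trick the DNS paragraph describes), and the HTTP variant shows request rates per client far above what a browser produces. The Python below is an added example written for this article, not the author's code; it assumes simplified log formats ("<unix_time> <client_ip> <qname>" for DNS and "<unix_time> <client_ip> <method> <path>" for HTTP) with constructed entries, and real resolver and web-server logs would need their own parsers.

```python
"""Detect random-subdomain DNS floods and HTTP request floods from logs.

Added example for this article, not the author's code. Log formats and all
entries are constructed for the example.
"""
from collections import defaultdict, deque

# Constructed DNS query log: a normal client repeats a couple of names; the
# flooding client asks for a fresh random label every time, so no cached
# record ever answers it.
DNS_LOG = [
    "1700000000 198.51.100.20 www.example.com",
    "1700000001 198.51.100.20 mail.example.com",
    "1700000001 198.51.100.20 www.example.com",
    "1700000002 203.0.113.9 q7x1zk.example.com",
    "1700000002 203.0.113.9 ab39ne.example.com",
    "1700000002 203.0.113.9 pl02mm.example.com",
    "1700000003 203.0.113.9 zz81ar.example.com",
    "1700000003 203.0.113.9 k4d0vs.example.com",
    "1700000003 203.0.113.9 m9e7tq.example.com",
]

# Constructed HTTP access log: 25 requests in under five seconds from one
# host, three ordinary page loads from another.
HTTP_LOG = [f"{1700000100 + 0.2 * i:.1f} 203.0.113.10 GET /search?q={i}" for i in range(25)]
HTTP_LOG += [
    "1700000100.5 198.51.100.21 GET /",
    "1700000103.0 198.51.100.21 GET /static/app.css",
    "1700000108.0 198.51.100.21 GET /login",
]


def random_subdomain_suspects(lines, zone, min_unique):
    """Clients that queried at least min_unique distinct labels under zone."""
    labels = defaultdict(set)
    suffix = "." + zone
    for line in lines:
        _ts, client, qname = line.split()
        if qname.endswith(suffix):
            labels[client].add(qname[: -len(suffix)])
    return {client: len(seen) for client, seen in labels.items() if len(seen) >= min_unique}


def http_flood_suspects(lines, window, max_requests):
    """Clients whose requests inside any window of `window` seconds exceed max_requests.

    Returns the peak per-window request count for each flagged client.
    """
    recent = defaultdict(deque)  # client -> timestamps inside the current window
    peak = defaultdict(int)
    for line in sorted(lines, key=lambda entry: float(entry.split()[0])):
        ts_text, client = line.split()[:2]
        ts = float(ts_text)
        q = recent[client]
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        q.append(ts)
        peak[client] = max(peak[client], len(q))
    return {client: n for client, n in peak.items() if n > max_requests}


if __name__ == "__main__":
    print("random-subdomain:", random_subdomain_suspects(DNS_LOG, "example.com", 5))
    print("http flood:", http_flood_suspects(HTTP_LOG, window=10.0, max_requests=20))
```

Both thresholds (five distinct labels, twenty requests per ten seconds) are constructed for the sample and would be tuned from a baseline of normal traffic in practice; the value of the per-client unique-label count is that it separates a cache-busting flood from a busy but legitimate resolver client, which a plain query-rate counter cannot do.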

4. Blended attacks

In practice an attacker does not care which attack method is effective; as long as the goal is reached, they will generally mobilize every means of attack they have to expand the offensive. The target then has to face distributed denial-of-service attacks across different protocols and different resources, and the cost of analysis, response and handling rises sharply.

As botnets trend toward smaller sizes, low-volume application-layer attacks and slow attacks have gradually grown, because they reduce the cost of the attack, hide its source, and evade security equipment while still achieving the attack's effect. From another angle, then, DDoS attacks fall into two main classes: high-volume, high-rate UDP and reflection attacks, and low-volume, multi-protocol slow attacks.

III. DDoS defense

A DDoS attack is only a means; the ultimate goal is profit. Future network wars will be broader, more frequent and more precise. When they arrive, how should we respond?

1. High-performance equipment

So that network devices do not become the bottleneck, choose high-specification, well-reputed routers, switches, hardware firewalls and other equipment. It also helps to have an agreement with the network provider: asking them to rate-limit traffic at the network junction during a large attack is very effective against certain types of DDoS.

2. Increase network bandwidth

Network bandwidth directly determines the ability to withstand an attack. With only 10M of bandwidth, no countermeasure can hold up against today's SYN Flood attacks, so it is best to choose 100M or higher.

3. Do not forget to upgrade

With network bandwidth assured, upgrade the hardware configuration as far as possible so that it can effectively withstand SYN attacks of 100,000 packets per second, and optimize resource usage to improve the Web server's load capacity.

4. Clean abnormal traffic

Abnormal traffic is cleaned by filtering it through a DDoS hardware firewall. Techniques such as packet-filtering rules, data-stream fingerprint detection and customized packet content filtering can accurately determine whether incoming traffic is normal, and abnormal traffic is then blocked or filtered further.

5. Consider making the site static

Making the site as static as possible not only greatly improves its resistance to attack but also makes life much harder for hackers. Use as few scripts that call the database as possible, and refuse access through proxies: experience shows that 80% of malicious behavior against a site comes through proxy access.

6. Distributed cluster defense

This is currently the most effective way for the large-scale network security community to defend against DDoS attacks. A distributed cluster defense configures multiple IP addresses on each server node, and each node can withstand no less than 10G of DDoS attack. If a node is attacked and can no longer provide service, the system automatically switches to another node according to the priority settings and returns all of the attacker's packets, so that the attack source itself is paralyzed; this influences the security company's implementation decisions from a deeper security perspective.

DDoS defense today is mainly split into two parts: high-volume attacks are handed to the operator and to cloud cleaning services, while low-volume attacks can be handled by protection devices on the business's own premises. The dividing line between the two varies with the industry and the characteristics of the business and is expressed as an attack volume in bits per second. Readers interested in the related mitigation and management topics can read Baoxu Hua's "Love On Delivery", which offers considerable insight.


Reposted from: https://www.freebuf.com/company-information/166345.html


Source: blog.csdn.net/skystephens/article/details/87909456