Understanding Denial of Service Attacks



The concept of DDoS attacks

There are many kinds of DoS (denial of service) attack. The most basic form uses reasonable-looking service requests to consume so much of the service's resources that legitimate users can no longer get a response from it.

DDoS attacks are a class of attack that grew out of the traditional DoS attack. A DoS attack is generally one machine against one target, and its effect is only obvious when the target's CPU, memory or network bandwidth is small or its performance is low. As computer and network technology developed, processing power grew rapidly, memory increased greatly and gigabit-class networks appeared, all of which made DoS attacks harder to carry out: the target's "capacity to digest" malicious packets grew a great deal. If your attack software can send 3,000 packets per second but my host and network bandwidth can handle 10,000 packets per second, the attack has no effect at all.

That is when distributed denial of service (DDoS) attacks came into being. If you understand DoS attacks, the principle is very simple. If the processing power of computers and networks has increased tenfold and a single attacking machine no longer works, what if the attacker uses 10 attacking machines at the same time? Or 100? DDoS uses more puppet machines (compromised hosts under the attacker's control) to attack the victim on a far larger scale than before.

Widespread high-speed network connectivity brings us convenience, but it also creates extremely favourable conditions for DDoS attacks. In the low-speed Internet era, a hacker choosing which puppet machines to take over always gave priority to machines close to the target network, because passing through fewer router hops was more effective. Now the connections between telecommunications backbone nodes are at the gigabit level, and even connections between major cities reach 2.5G, which lets an attacker launch from farther away or from other cities. The attacker can distribute puppet machines over a much wider area and choose them much more flexibly.

Symptoms of a DDoS attack

The attacked host has a large number of TCP connections in a waiting state
The network is flooded with large numbers of useless packets whose source addresses are forged
High volumes of useless traffic are generated, congesting the network so that the victim host cannot communicate normally with the outside world
Specific service requests are issued repeatedly at high speed, exploiting a defect in a service the victim provides or in the transport protocol, so that the victim host cannot handle all normal requests in time
In severe cases the system crashes

How the attack works



As Figure I shows, a relatively complete DDoS attack system is divided into four parts. Look first at the most important ones, parts 2 and 3: they are used for control and for the actual attack respectively. Note the difference between control machines and attack machines. The DDoS attack packets that reach the victim (part 4) are actually sent by the attack puppet machines in part 3; the control machines in part 2 only issue orders and do not take part in the actual attack. The hacker controls the computers in parts 2 and 3, or at least some of them, and has uploaded the corresponding DDoS program to each. These programs run like normal processes and wait for the hacker's instructions, and they usually use various means to hide themselves so that they are not discovered. In normal times these puppet machines show nothing unusual, but once the hacker connects to control them and gives the instruction, the attack machines become puppets that attack the victim.

Some readers may ask: "Why doesn't the hacker control the attack puppet machines directly, instead of going through a separate control puppet machine?" That is one of the reasons a DDoS attack is hard to trace. From the attacker's point of view he certainly does not want to be caught (even a child who throws stones at someone's henhouse knows to run away first), but the more puppet machines the attacker uses, the more material he actually provides for the victim to analyse. After taking over a machine, a skilled attacker first does two things: 1. consider how to leave a good back door (he will want to come back); 2. work out how to clean up the logs. This is the "erase the footprints" step, so that nobody notices him. A less careful hacker simply deletes all the logs, but then the network administrator finds the logs missing and knows that someone has done something bad, even if he cannot tell from the logs who did it. A real expert, by contrast, picks out only his own log entries to delete, so that nobody sees anything unusual. That keeps a puppet machine usable for a long time.

But the attack machines in part 3 are genuinely puppet machines, and cleaning up their logs is a huge job; even with very good tools to help, the hacker finds this task a headache. So some attackers do not clean up thoroughly, and the clues left on an attack machine lead the investigator up to the computer that controls it. If that higher-level computer is the hacker's own machine, he is exposed. But if it is a control puppet machine, the hacker is still safe. The number of control puppet machines is relatively small, usually one controls dozens of attack machines, so clearing the logs on one computer is much easier for the hacker, and the chance of being found through the control machine is greatly reduced.

How does a hacker organise a DDoS attack?

The word "organise" is used here because a DDoS attack is not as simple as breaking into one host. In general, a hacker carries out a DDoS attack in the following steps:

1. Gathering information about the target
The hacker is very interested in the following information:

The number of target hosts and their addresses
The configuration and performance of the target hosts
The target's bandwidth

For a DDoS attacker attacking a site on the Internet, such as http://www.mytarget.com, one key point is to determine exactly how many hosts support the site; a large site may have many hosts using load-balancing technology to provide the same www service. Take Yahoo as an example: the http://www.yahoo.com service is generally provided by the following addresses:
66.218.71.87
66.218.71.88
66.218.71.89
66.218.71.80
66.218.71.81
66.218.71.83
66.218.71.84
66.218.71.86

If you want to DDoS this site, which address should you attack? Paralysing 66.218.71.87 takes out that one machine, but the other hosts can still provide the www service, so to stop people from reaching http://www.yahoo.com, all the machines behind these IP addresses would have to be paralysed. In practice one IP address often also represents several machines: the webmaster uses layer 4 or layer 7 switches for load balancing, and a specific algorithm assigns each visit to the IP address to one of the hosts behind it. The DDoS attacker then faces a more complex situation, and the task may be to disrupt the services of dozens of hosts.

So gathering intelligence beforehand is very important for the DDoS attacker; it determines how many puppet machines are needed to achieve the desired effect. Put simply, under the same conditions, attacking a site with 2 hosts needs 2 puppet machines, while a site with 5 hosts may need more than 5 puppet machines. Some people say it is better to collect plenty of puppet machines: no matter how many hosts the target has, attack it with as many puppet machines as possible, since more puppet machines are always better.

But in practice many hackers do not gather intelligence and launch the DDoS attack directly, which is a blind attack whose effect depends largely on luck. In fact, a hacker has to work just like a network administrator and cannot be lazy. Whether a job is done well or badly, attitude matters most, and skill comes second.

2. Taking over puppet machines
Hackers are most interested in the following hosts:

Hosts with a good network link
Hosts with good performance
Hosts with poor security management

This part actually uses another type of attack: intrusion, in which a host is broken into and taken over. It runs in parallel with the DDoS attack itself. In short, it means breaking into and taking control of the attacked host, obtaining the highest administrative privileges, or at least an account with enough privileges to carry out the DDoS attack. For a DDoS attacker, having enough puppet machines ready is a necessary condition; below is how he attacks and takes them over.

First, the hacker generally does scanning, randomly or against specific targets, using a scanner to find machines on the Internet with vulnerabilities: overflow bugs, cgi, Unicode, ftp and database vulnerabilities and so on (there are countless of them) are all things the hacker wants to see in the scan results. Then comes the attempt to break in; the specific means are not described here, and there are many articles online about that for those interested.

In short, the hacker has now taken over a puppet machine. What does he do next? Besides the basic work mentioned above of erasing footprints and leaving a back door, he uploads the DDoS attack program, generally by ftp. On the attack machines there is a DDoS packet-sending program, which the hacker uses to send malicious attack packets to the victim.

3. The actual attack
After careful preparation in the first two stages, the hacker begins to launch the attack at the target. With the preparation done well, the actual attack process is relatively simple. As shown in the figure, the hacker logs on to the control puppet machine and gives one order to all the attack machines: "Ready, aim, fire!" At that moment the DDoS attack programs lying in wait on the attack machines respond to the console's command and together send a huge number of packets at high speed to the victim host, causing it to crash or to stop responding to normal requests. Hackers normally attack at a rate far beyond the victim's capacity; they show no mercy.

A seasoned attacker also uses various means to monitor the effect of the attack while it is under way, and makes adjustments when needed. The simplest is to open a window that continuously pings the target host; if responses are still coming back, he can further increase the traffic or order more puppet machines to join the attack.

DDoS Attack: SYN Flood

SYN Flood is the most popular means of DDoS attack. From the early DoS stage through the development of the distributed stage it has survived a long process of sifting, and the fact that it works best is the reason hackers invariably choose it. Let us take a look at the details of SYN Flood.

SYN Flood principle: the three-way handshake
SYN Flood takes advantage of an inherent weakness of the TCP/IP protocol. The three-way handshake of connection-oriented TCP is the basis for SYN Flood's existence.

TCP three-way handshake



Figure II TCP three-way handshake

In the first step of Figure II, the client sends a connection request to the server with the TCP SYN flag set. The client tells the server which sequence number range it will use, which the server needs to check, by placing its own initial sequence number (ISN) in the sequence number field of the TCP header. In the second step, after receiving the TCP segment, the server responds with its own ISN (SYN flag set) and at the same time acknowledges the client's first TCP segment (ACK flag set). In the third step, the client acknowledges receipt of the server's ISN (ACK flag set). At this point a complete TCP connection has been established, and full-duplex data transfer begins.

SYN Flood: the handshake is never completed



Figure III SYN Flood: deliberately not completing the three-way handshake

Suppose a user sends a SYN to the server and then suddenly crashes or goes offline. The server sends a SYN+ACK response but never receives the client's ACK (the third step of the handshake cannot be completed). In this case the server generally retries (sends SYN+ACK to the client again) and, after waiting a period of time, discards the unfinished connection. We call the length of this wait the SYN Timeout; in general it is on the order of minutes (roughly 30 seconds to 2 minutes). One abnormal user causing a server thread to wait for a minute is not a big problem, but if a malicious attacker simulates a large number of such cases, the server has to maintain a very large half-open connection list, which consumes a lot of resources: with tens of thousands of half-open connections, even simply walking the list to save and check entries consumes a great deal of CPU time and memory, not to mention the SYN+ACK retries that must be kept up for every IP on the list. In fact, if the server's TCP/IP stack is not robust enough, the final result is often a stack overflow that crashes the server; even if it is robust enough, the server is so busy with the attacker's forged TCP connection requests that it has no time for the customers' normal requests (after all, normal client requests are a very small proportion of the total). From the normal customer's point of view the server is not responding, and in this case we say the server is under a SYN Flood attack.

Below is my first simulation of an actual SYN Flood attack in the laboratory.

This is a LAN environment with only one attack machine (PIII 667/128/Mandrake); the attacked host is a Solaris 8.0 (SPARC) machine, and the network equipment is a Cisco Fast Ethernet switch. Before the attack, snoop was running on the Solaris host to record traffic; snoop, like tcpdump and other network monitoring tools, is a good packet capture and analysis tool. You can see that before the attack, the target host was basically receiving ordinary network packets.

... ...
          ? -> (Broadcast)     ETHER Type = 886F (Unknown), size = 1510 bytes
          ? -> (Broadcast)     ETHER Type = 886F (Unknown), size = 1510 bytes
          ? -> (Multicast)     ETHER Type = 0000 (LLC/802.3), size = 52 bytes
          ? -> (Broadcast)     ETHER Type = 886F (Unknown), size = 1510 bytes
192.168.0.66 -> 192.168.0.255  NBT Datagram Service Type = 17 Source = GU[0]
192.168.0.210 -> 192.168.0.255 NBT Datagram Service Type = 17 Source = ROOTDC[20]
192.168.0.247 -> 192.168.0.255 NBT Datagram Service Type = 17 Source = TSC[0]
          ? -> (Broadcast)     ETHER Type = 886F (Unknown), size = 1510 bytes
192.168.0.200 -> (Broadcast)   ARP C Who is 192.168.0.102, 192.168.0.102 ?
          ? -> (Broadcast)     ETHER Type = 886F (Unknown), size = 1510 bytes
          ? -> (Broadcast)     ETHER Type = 886F (Unknown), size = 1510 bytes
192.168.0.66 -> 192.168.0.255  NBT Datagram Service Type = 17 Source = GU[0]
192.168.0.66 -> 192.168.0.255  NBT Datagram Service Type = 17 Source = GU[0]
192.168.0.210 -> 192.168.0.255 NBT Datagram Service Type = 17 Source = ROOTDC[20]
          ? -> (Multicast)     ETHER Type = 0000 (LLC/802.3), size = 52 bytes
          ? -> (Broadcast)     ETHER Type = 886F (Unknown), size = 1510 bytes
          ? -> (Broadcast)     ETHER Type = 886F (Unknown), size = 1510 bytes
... ...



Then the attack machine began sending packets and the DDoS started. Suddenly the snoop window on the Sun host began scrolling rapidly, showing that it was receiving a huge number of SYN requests; the screen looked like the window of a train travelling at 300 km per hour. This is the snoop output during the SYN Flood attack:

... ...
127.0.0.178 -> lab183.lab.net AUTH C port = 1352
127.0.0.178 -> lab183.lab.net TCP D = 114 S = 1352 Syn Seq = 674711609 Len = 0 Win = 65535
127.0.0.178 -> lab183.lab.net TCP D = 115 S = 1352 Syn Seq = 674711609 Len = 0 Win = 65535
127.0.0.178 -> lab183.lab.net UUCP-PATH C port = 1352
127.0.0.178 -> lab183.lab.net TCP D = 118 S = 1352 Syn Seq = 674711609 Len = 0 Win = 65535
127.0.0.178 -> lab183.lab.net NNTP C port = 1352
127.0.0.178 -> lab183.lab.net TCP D = 121 S = 1352 Syn Seq = 674711609 Len = 0 Win = 65535
127.0.0.178 -> lab183.lab.net TCP D = 122 S = 1352 Syn Seq = 674711609 Len = 0 Win = 65535
127.0.0.178 -> lab183.lab.net TCP D = 124 S = 1352 Syn Seq = 674711609 Len = 0 Win = 65535
127.0.0.178 -> lab183.lab.net TCP D = 125 S = 1352 Syn Seq = 674711609 Len = 0 Win = 65535
127.0.0.178 -> lab183.lab.net TCP D = 126 S = 1352 Syn Seq = 674711609 Len = 0 Win = 65535
127.0.0.178 -> lab183.lab.net TCP D = 128 S = 1352 Syn Seq = 674711609 Len = 0 Win = 65535
127.0.0.178 -> lab183.lab.net TCP D = 130 S = 1352 Syn Seq = 674711609 Len = 0 Win = 65535
127.0.0.178 -> lab183.lab.net TCP D = 131 S = 1352 Syn Seq = 674711609 Len = 0 Win = 65535
127.0.0.178 -> lab183.lab.net TCP D = 133 S = 1352 Syn Seq = 674711609 Len = 0 Win = 65535
127.0.0.178 -> lab183.lab.net TCP D = 135 S = 1352 Syn Seq = 674711609 Len = 0 Win = 65535
... ...
This time it is entirely different: not only can the normal network packets no longer get through, only DDoS packets are seen. Note that the source addresses of all the SYN Flood attack packets are forged, which creates great difficulty for tracing. So how many half-open SYN connections have accumulated on the attacked host? Let us look with netstat:

# netstat -an | grep SYN
... ...
192.168.0.183.9      127.0.0.79.1801      0      0 24656      0 SYN_RCVD
192.168.0.183.13     127.0.0.79.1801      0      0 24656      0 SYN_RCVD
192.168.0.183.19     127.0.0.79.1801      0      0 24656      0 SYN_RCVD
192.168.0.183.21     127.0.0.79.1801      0      0 24656      0 SYN_RCVD
192.168.0.183.22     127.0.0.79.1801      0      0 24656      0 SYN_RCVD
192.168.0.183.23     127.0.0.79.1801      0      0 24656      0 SYN_RCVD
192.168.0.183.25     127.0.0.79.1801      0      0 24656      0 SYN_RCVD
192.168.0.183.37     127.0.0.79.1801      0      0 24656      0 SYN_RCVD
192.168.0.183.53     127.0.0.79.1801      0      0 24656      0 SYN_RCVD
... ...
Each SYN_RCVD entry is a TCP connection whose SYN handshake has not been completed. Counting them:
# netstat -an | grep SYN | wc -l
5273
# netstat -an | grep SYN | wc -l
5154
# netstat -an | grep SYN | wc -l
5267
... ...

There are more than five thousand half-open SYN connections stored in memory. At this point the attacked machine no longer responds to new service requests, the system runs very slowly, and it cannot even be pinged.

This is only about 70 seconds after the attack was launched.
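The manual netstat count above can be turned into a detection check. The following is an added example, not part of the original article: it parses Solaris-style netstat output (the seven-field TCP lines shown above), counts SYN_RCVD entries, and flags sources such as the 127.0.0.0/8 addresses in the capture, which cannot legitimately arrive over the wire and so prove the SYNs are forged. The sample output and the threshold are constructed for the example.

```python
"""Detect a SYN flood from Solaris-style 'netstat -an' output (added example).

Each TCP line has seven fields: local, remote, swind, send-q, rwind, recv-q,
state. Entries stuck in SYN_RCVD are the half-open connections; the script
counts them, groups them by source and destination port, and flags sources
that cannot legitimately reach the host over the wire (for example the
127.0.0.0/8 loopback range seen in the lab capture), which proves spoofing.
"""
import ipaddress
import re
from collections import Counter

# Solaris prints "a.b.c.d.port"; the last dotted component is the port.
_ADDR = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\.(\d+)$")


def split_addr(addr):
    """Return (ip, port) or None for wildcards such as '*.22' or '*.*'."""
    m = _ADDR.match(addr)
    return (m.group(1), int(m.group(2))) if m else None


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7:          # header, blank and UDP lines have other widths
            continue
        local, remote = split_addr(f[0]), split_addr(f[1])
        if local is None or remote is None:   # LISTEN sockets use '*'
            continue
        yield local[0], local[1], remote[0], remote[1], f[6]


def impossible_source(ip):
    """True if no real peer could use this address on a unicast connection."""
    a = ipaddress.ip_address(ip)
    return a.is_loopback or a.is_multicast or a.is_unspecified or a.is_reserved


def analyse_syn_rcvd(text, half_open_limit=1000):
    """Summarise SYN_RCVD entries and decide whether they look like a flood."""
    half_open = [c for c in parse_netstat(text) if c[4] == "SYN_RCVD"]
    by_source = Counter(rip for _, _, rip, _, _ in half_open)
    by_port = Counter(lport for _, lport, _, _, _ in half_open)
    spoofed = sorted(ip for ip in by_source if impossible_source(ip))
    return {
        "half_open": len(half_open),
        "top_sources": by_source.most_common(3),
        "distinct_ports": len(by_port),
        "spoofed_sources": spoofed,
        "flood": len(half_open) > half_open_limit or bool(spoofed),
    }


# Constructed sample in the page's netstat format (not a real capture).
SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.22                 *.*                0      0 24576      0 LISTEN
192.168.0.183.22     192.168.0.66.1034    8760      0 24616      0 ESTABLISHED
192.168.0.183.9      127.0.0.79.1801         0      0 24656      0 SYN_RCVD
192.168.0.183.13     127.0.0.79.1801         0      0 24656      0 SYN_RCVD
192.168.0.183.19     127.0.0.79.1801         0      0 24656      0 SYN_RCVD
192.168.0.183.21     127.0.0.79.1801         0      0 24656      0 SYN_RCVD
192.168.0.183.22     127.0.0.79.1801         0      0 24656      0 SYN_RCVD
192.168.0.183.23     127.0.0.11.1801         0      0 24656      0 SYN_RCVD
"""

if __name__ == "__main__":
    print(analyse_syn_rcvd(SAMPLE_NETSTAT))
```

On a live host the same function can be fed the output of "netstat -an" from a cron job, with the threshold set from the normal SYN_RCVD count observed outside an attack.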

DDoS Prevention

So far, defending against DDoS attacks is quite difficult. First, the attack is characterised by its use of a weakness in the TCP/IP protocol itself; unless you stop using TCP/IP altogether, it is impossible to be completely immune to DDoS attacks. A senior security expert gives a vivid metaphor: a DDoS is like having 1,000 people call your home at the same time. Can your friends still get through?

But even if it is difficult to prevent, that does not mean we should simply give in; in fact it is not absolutely impossible to guard against DDoS. Internet users are of many kinds, and in the fight against DDoS, different roles have different tasks. We take the following roles as examples:

Enterprise network administrators
ISP and ICP administrators
Backbone network operators

Enterprise network administrators

As the manager of an intranet, the network administrator is often also its security officer and guardian. The network he maintains has WWW servers that need to provide services to the outside, so it inevitably becomes a potential DDoS target. What can he do? Consider it from two angles: the hosts and the network equipment.

Settings on the host
Almost all host platforms have settings against DoS. To summarise, there are several basic ones:

Turn off unnecessary services
Limit the number of half-open SYN connections allowed at the same time
Shorten the timeout for half-open SYN connections
Keep the system updated with patches
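The second and third settings interact: the number of half-open entries a host must hold is roughly the SYN arrival rate multiplied by the timeout, and the limit decides what happens when that number is exceeded. The following simulation is an added example, not from the original article; it replays a constructed flood at about the rate seen in the lab above (about 5,000 unacknowledged SYNs in 70 seconds) and shows how many legitimate handshakes survive under different (timeout, limit) pairs. All constants are illustrative assumptions, not any system's defaults.

```python
"""Model of the two host-side SYN settings listed above (added example).

A half-open table keeps every connection in SYN_RCVD until its ACK arrives or
the SYN timeout expires, and the host caps how many entries it will hold.
The simulation replays a constructed flood of unacknowledged SYNs mixed with
legitimate clients that complete the handshake at once, and reports how many
legitimate connections get through for a given (timeout, limit) pair.
"""
from collections import OrderedDict


class HalfOpenTable:
    def __init__(self, timeout, limit):
        self.timeout, self.limit = timeout, limit
        self.entries = OrderedDict()   # key -> time the SYN was received
        self.peak = 0                  # largest number of entries held

    def expire(self, now):
        # Entries are inserted in time order, so the expired ones are in front.
        while self.entries and now - next(iter(self.entries.values())) >= self.timeout:
            self.entries.popitem(last=False)

    def syn(self, key, now):
        """Return True if the SYN got a slot (the host would send SYN+ACK)."""
        self.expire(now)
        if len(self.entries) >= self.limit:
            return False               # table full: the SYN is dropped
        self.entries[key] = now
        self.peak = max(self.peak, len(self.entries))
        return True

    def ack(self, key, now):
        """Third handshake step: True if the half-open entry was still present."""
        self.expire(now)
        return self.entries.pop(key, None) is not None


def simulate(timeout, limit, seconds=70, flood_rate=75, legit_rate=2):
    """Replay the flood; return (legit completed, legit attempted, peak table size).

    The clock counts ticks of 1/flood_rate second, one spoofed SYN per tick,
    so the timeout (in seconds) is converted to ticks as well."""
    table = HalfOpenTable(timeout * flood_rate, limit)
    completed = attempted = 0
    every = flood_rate // legit_rate
    for tick in range(seconds * flood_rate):
        table.syn(("spoofed", tick), tick)            # never acknowledged
        if tick % every == 0:                         # a legitimate client
            attempted += 1
            key = ("client", tick)
            if table.syn(key, tick) and table.ack(key, tick):
                completed += 1
    return completed, attempted, table.peak


if __name__ == "__main__":
    for timeout, limit in ((120, 1024), (10, 1024), (120, 10 ** 6)):
        done, tried, peak = simulate(timeout, limit)
        print("timeout=%3ds limit=%7d -> %3d/%3d legitimate handshakes, "
              "peak half-open %d" % (timeout, limit, done, tried, peak))
```

With a 120 second timeout the 1024-entry table fills in about 14 seconds and every later legitimate client is refused, while a 10 second timeout keeps the table at about 750 entries and all legitimate clients get through.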

Settings on network equipment
Enterprise network equipment is considered from the firewall and the router. These two are the devices that interface with the outside world. When configuring anti-DDoS settings on them, note that the price is often a large sacrifice in efficiency, and you must judge whether that is worth it.

1. Firewalls

Block access to services the host does not open to the public
Limit the maximum number of SYN connections open at the same time
Restrict access from specific IP addresses
Enable the firewall's anti-DDoS features
Strictly limit the outbound access of the servers it protects

The fifth point prevents your own servers from being used as tools to harm others.

2. Routers
Taking Cisco routers as an example:

Cisco Express Forwarding (CEF)
Unicast reverse-path verification
Access Control List (ACL) filtering
Rate limiting of SYN packets
Upgrading an IOS version that is too old
Setting up a log server for the router

Pay special attention when enabling CEF and unicast reverse-path verification: used improperly they can seriously reduce the router's efficiency, and IOS upgrades should also be done with caution. The router is a core network device, and one small piece of experience worth sharing about changing its settings is: do not save immediately. A Cisco router has two configurations, the startup config and the running config. When making changes, modify the running config and let it run for a period of time (three to five days is reasonable); once you have found no problems, save it to the startup config. If instead you want to restore the original configuration, a "copy start run" brings it back.

ISP / ICP administrators

ISPs and ICPs provide various hosting services for many small and medium enterprises, so besides the measures available to enterprise network administrators, their anti-DDoS work must pay special attention to ensuring that the hosted machines within their scope of management do not become puppet machines. Objectively speaking, the security of hosted hosts is generally poor; some have not even had basic patches applied and are running "bare", and they are hackers' favourite "chickens" (zombies), because no matter how the hacker uses such a machine there is little danger of being found, so poor is the security management. Not to mention that hosted machines tend to have high performance and high bandwidth, which is simply tailor-made for DDoS. And the ISP's administrator has no direct management authority over the hosted machines; he can only notify the customer to deal with it. In reality many customers cooperate poorly with their hosting provider, which leads to the situation where the administrator knows that a hosted machine his ISP is responsible for has become a puppet machine but can do nothing about it. Hosting is a buyer's market and the ISP dares not offend its customers, so what can he do? Keep good relations with the customers; there is no way round it, the customer is king. But the more the customers cooperate with us, the safer the ISP's hosts are, and the smaller the chance of complaints from others.

Backbone network operators

They provide the physical basis for the Internet's existence. If the backbone operators cooperate well, DDoS attacks can be prevented well. In 2000, when Yahoo and other famous sites were attacked, U.S. network security research organisations jointly proposed a programme for the key operators to solve the problem of DDoS attacks. It is actually very simple: each operator verifies the source IP address at its border routers, and if the router's own routing table has no route to the packet's source IP, the packet is thrown away. This method prevents hackers from using forged source IPs to carry out DDoS attacks. But equally, it reduces the efficiency of the router, which is of great concern to backbone operators, so this practice is still very hard to put into actual use.
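The operators' proposal above, and the unicast reverse-path item in the router list, are the same check in two strengths. The model below is an added example, not the article's or any router vendor's code: it builds a small constructed routing table, verifies each packet's source address against it in loose mode (a route back must exist) or strict mode (the route back must leave by the ingress interface), and applies the check only on customer-facing interfaces, since nearly every address is reachable via the uplink.

```python
"""Source-address verification at a border router (added example).

Implements the operators' proposal above in its two usual forms: a loose
reverse-path check (drop a packet if the router has no route back to its
source) and a strict one (the route back must also leave through the
interface the packet arrived on). Interfaces facing customers are checked;
the uplink is not. The routing table and packets are constructed.
"""
import ipaddress


class ReversePathFilter:
    def __init__(self, routes, checked):
        # routes: (prefix, interface) pairs; checked: interfaces to verify
        self.routes = sorted(
            ((ipaddress.ip_network(p), iface) for p, iface in routes),
            key=lambda r: r[0].prefixlen, reverse=True)   # longest prefix first
        self.checked = set(checked)

    def lookup(self, ip, allow_default=False):
        """Longest-prefix match: the interface a reply to ip would leave by."""
        addr = ipaddress.ip_address(ip)
        for net, iface in self.routes:
            if addr in net:
                # A default route matches everything, so it proves nothing
                # about the source unless the operator explicitly allows it.
                if net.prefixlen == 0 and not allow_default:
                    return None
                return iface
        return None

    def accept(self, src, in_iface, strict=True, allow_default=False):
        """True if a packet with source src arriving on in_iface may be forwarded."""
        addr = ipaddress.ip_address(src)
        # Loopback, multicast and 0.0.0.0 can never be a genuine unicast source.
        if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
            return False
        if in_iface not in self.checked:
            return True
        via = self.lookup(src, allow_default)
        if via is None:
            return False                  # no route back: fails even the loose check
        return via == in_iface if strict else True


def filter_packets(rpf, packets, strict=True):
    """Split (src, in_iface) pairs into (passed, dropped) lists."""
    passed, dropped = [], []
    for src, iface in packets:
        (passed if rpf.accept(src, iface, strict) else dropped).append((src, iface))
    return passed, dropped


# Constructed border router: two customer links and a default route upstream.
ROUTES = [("192.168.10.0/24", "cust-A"),
          ("192.168.20.0/24", "cust-B"),
          ("0.0.0.0/0", "uplink")]
CHECKED = ("cust-A", "cust-B")

# Constructed packets as (source address, ingress interface).
PACKETS = [("192.168.10.5", "cust-A"),   # genuine customer A traffic
           ("192.168.20.7", "cust-A"),   # customer A spoofing customer B
           ("203.0.113.9", "cust-A"),    # customer A spoofing a remote site
           ("127.0.0.178", "cust-A"),    # loopback source, as in the lab flood
           ("203.0.113.9", "uplink")]    # the remote site itself, via the uplink

if __name__ == "__main__":
    ok, bad = filter_packets(ReversePathFilter(ROUTES, CHECKED), PACKETS)
    print("forwarded:", ok)
    print("dropped:  ", bad)
```

Strict mode stops a customer from spoofing any address outside its own prefix; loose mode only catches addresses nobody routes, which is why it is the weaker but cheaper option on multi-homed links.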

Research into the principles of DDoS and ways to cope with it is ongoing, and finding an effective, practical solution is not something that happens overnight. But at least we can do this: keep our own networks and hosts well maintained, so that our hosts do not become tools used by others to attack someone else; and when under attack, try to preserve evidence for later tracing, for which a good network and logging system is necessary. Wherever DDoS defence develops, it will require the attention and joint effort of the whole IT community.