DDoS is abbreviation of Distributed Denial of Service.
DDoS refers to multiple attackers in different locations launching attacks on one or several targets at the same time. Or an attacker controls multiple servers located in different locations and uses these machines to attack the victim at the same time. Since the DDoS attack points are distributed in different places, this type of attack is called a distributed denial of service attack, in which there can be multiple attackers.
DDoS attacks can cause many computers to be attacked at the same time, making the target computers unusable, and causing many large websites unable to operate.
This will not only affect the normal usage of websites, but also cause huge economic losses.
In DDoS attacks, the source IP address can be forged. This makes the concealment of this attack very good, and it is also very difficult to detect the attack. Therefore, this type of attack has become a very difficult attack to prevent.
DDoS is a special form of denial of service attack based on DoS. It is a distributed and coordinated large-scale attack method. A single DoS attack is generally one-to-one.
It uses some flaws in network protocols and operating systems, adopting tactics of deception and disguise to carry out cyber attacks. It floods the web server with a lot of information requesting replies and consumes network bandwidth or system resources, causing the network or system to be overloaded and paralyzed and stop providing normal network services.
A complete DDoS attack system consists of four parts: the attacker, the master, the agent and the target. The master and the agent are used to control and actually launch the attack respectively. The master only issues commands and does not participate in the actual attack, and the agent sends out the actual DDoS attack package. The attacker has full control or partial control of the computer on the master and agent. It will use various methods to hide itself from being discovered by others during the attack. Once the attacker sends the attack command to the master, the attacker can shut down or leave the network. And the master issues the command to each agent server. So that the attacker can evade tracking. Each attacking server will send a large number of service request packets to the target server, these data packets are disguised, and its source cannot be identified. Moreover, the services requested by these data packets often consume a large amount of system resources, cause the target host to be unable to provide normal services to the user, and even cause the system to crash.
SYN Flood attack is the most common DDoS attack on the current network. It takes advantage of a flaw in the implementation of the TCP protocol by sending a large number of attack packets with forged source addresses to the port where the network service is located. This may cause the half-open connection queue in the target server to be full, thereby preventing other legitimate users from accessing it.
UDP Flood is an increasingly rampant flow-based DDoS attack. Its principle is also very simple. The common situation is to use a large number of UDP packets to attack the DNS server, Radius authentication server, and streaming media video server. As the UDP protocol is a connectionless service, in a UDP Flood attack, the attacker can send a large number of small UDP packets with forged source IP addresses.
ICMP Flood attacks are traffic-based attacks. It uses large traffic to bring a large load to the server, which affects the normal service of the server. Because many firewalls currently filter ICMP directly. Therefore, the frequency of ICMP Flood is low.
Connection Flood is a typical attack method that uses small traffic to impact large-bandwidth network services. The principle of this attack is to use real IP addresses to initiate a large number of connections to the server. And the connection is not released for a long time, occupying the resources of the server, causing too many remaining connections (WAIT state) on the server, reducing efficiency, and even running out of resources, unable to respond to links initiated by other clients.
This attack is mainly aimed at script programs such as ASP, JSP, PHP, CGI, etc.
It is characterized by establishing a normal TCP connection with the server, and continuously submitting queries and lists to script programs that consume a lot of database resources. This attack can bypass ordinary firewall protection and can be implemented through a proxy. The disadvantage is that the website that attacks static pages does not work well and exposes the attacker's IP address.
The method used in the UDP DNS Query Flood attack is to send a large number of domain name resolution requests to the attacked server.
Usually the domain name requested for resolution is randomly generated or a domain name that does not exist. The process of domain name resolution puts a lot of load on the server. If the number of domain name resolution requests exceeds a certain number per second, it will cause the DNS server to resolve the domain name timeout.
Not only for DDoS, but for all network attacks, we should take as thorough defensive measures as possible, and strengthen the detection of the system, and establish a rapid and effective response strategy at the same time.
The DDos attacks defensive measures that should be taken are:
A distributed denial of service (DDoS) attack uses multiple computers to launch coordinated attacks against one or more targets through malicious programs. The attack undermines the performance or consumes network bandwidth and makes the target servers unresponsive.
Typically, an attacker installs a DDoS master program on a single computer using an unauthorized account and then installs agent programs on multiple computers. During a specified period, the DDoS master program communicates with a large number of agent programs. When the agents receive the command, they initiate attacks. The master program can initiate hundreds or even thousands of agent programs within seconds.
DDoS attacks may turn out to be disastrous for online businesses and, if left unchecked, may adversely impact an organization’s bottom line and reputation. An intelligent anti-DDoS service is a critical element of a dynamic cybersecurity strategy that helps companies improve their security posture and safeguard against DDoS attacks. Alibaba Cloud Anti-DDoS is a world-class global DDoS protection designed to intelligently mitigate incoming malicious traffic and defend against sophisticated DDoS attacks.
Comprehensive DDoS protection for enterprise to intelligently defend sophisticated DDoS attacks, reduce business loss risks and mitigate potential security threats.
Anti-DDoS service is based on Alibaba Cloud's global scrubbing centers, combined with intelligent DDoS detection and protection systems developed at Alibaba, automatically mitigates attacks and reinforce the security of your applications, reduce the threat of malicious attacks.
World-class global Anti-DDoS protection with high-quality China Gateway acceleration
Contact us immediately to obtain a $299 voucher or a free proof of concept (POC)
Thomas KW Poon - February 23, 2021
Alibaba Clouder - December 23, 2020
Alibaba Clouder - January 18, 2019
Alibaba Clouder - May 31, 2017
Alibaba Clouder - April 8, 2021
Alibaba Clouder - May 27, 2019
A cloud-based security service that protects your data and application from DDoS attacksLearn More
A comprehensive DDoS protection for enterprise to intelligently defend sophisticated DDoS attacks, reduce business loss risks, and mitigate potential security threats.Learn More
More Posts by Alibaba Clouder