I. How a DDoS attack works

DDoS stands for Distributed Denial of Service. DDoS attacks work in one of three ways:

1. Saturating the server's bandwidth with large volumes of packets, so that the server's link is paralyzed;
2. Sending specially crafted packets that make the server's TCP/IP protocol stack consume CPU and memory until the system crashes;
3. Establishing a connection in the normal way and then sending specially crafted packets that make the network service software running on the server (a web server, FTP server, game server, and so on) consume CPU and memory until it is paralyzed.

II. Types of DDoS attack

Because the zombie (bot) Trojan can update its attack packets and attack methods at any time, new attack variants appear very quickly. The principles and classification of several common attacks are described here.

1. SYN variant attack. The attacker sends SYN packets with forged source IP addresses, but the packets are thousands of bytes long instead of 64 bytes. Such packets can trigger processing errors in some firewalls and cause them to lock up; while the server's CPU and memory are being consumed, the bandwidth is blocked as well.

2. TCP chaotic-packet attack. The attacker sends TCP packets with forged source IP addresses whose TCP flags are set to SYN, ACK, SYN+ACK, SYN+RST and other combinations. Some firewalls mishandle these and lock up; the server's CPU and memory are consumed and the bandwidth is blocked.

3. UDP attacks. Many chat rooms and video and audio applications transmit over UDP. The attacker analyzes the protocol of the network software under attack and then sends packets identical to normal ones. This kind of attack is very hard to protect against: the firewall generally blocks the attack packets by a signature, but that also intercepts normal packets.

4. Multi-connection attack against a web server. A large number of zombies are controlled to connect to the website at the same time, paralyzing it. Each connection looks the same as a normal website visit, but the instantaneous traffic increases by dozens or even hundreds of times. Some firewalls defend against this by limiting the number of connections per IP address, but a normal user who opens the website a few more times than usual is then blocked as well.

5. Variant attack against a web server. A large number of zombies connect to the website at the same time, each keeps a small number of connections open, and they continuously send special GET requests that consume a lot of CPU on the website's database or on certain pages. Limiting the number of connections per IP address no longer works, because each zombie may establish only one connection, or only a few. This kind of attack is very hard to protect against; the firewall solution is introduced later.

6. Another variant against a web server. A large number of zombies connect to the website port at the same time but, instead of sending GET requests, send a jumble of characters. Most firewalls check that the first three bytes of a packet are "GET" and only then analyze the HTTP protocol, so this attack bypasses the firewall and reaches the server without ever sending a GET request. Servers generally sit on shared bandwidth of no more than 10MB, so the mass of zombie packets saturates the server's shared bandwidth and paralyzes it. This attack is also very hard to protect against: if the firewall simply intercepts client packets that do not contain "GET", many normal packets are blocked by mistake and normal users cannot access the site. The firewall solution is introduced later.

7. Attacks against game servers. There are many game servers; the earliest and most influential, the Legend games, are used as the example here. Legend splits its service across a login/registration port 7000, a character-selection port 7100, and game ports 7200, 7300, 7400 and so on. Because the game's own protocol is very complex, the attack types multiply: there are about dozens of kinds, and new ones are constantly being found. The most common at present, the dummy (fake-player) attack, is described here: zombies run a simulated game client that automatically registers, logs in, creates a character and enters the game, imitating normal players at the protocol level, so it is hard to tell from the game packets which are attackers and which are normal players.
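The following is an added example, not code from the original article, showing how a defender might detect the packet patterns described in items 1, 2 and 6 above. It applies two checks to constructed packet summaries: a TCP-layer sanity check (a SYN that carries a payload, or SYN combined with RST or FIN, is not what a normal client stack sends), and a first-segment HTTP check that only requires the first data segment of a port-80 connection to parse as an HTTP request line, so that POST bodies and continuation segments are not misjudged the way a naive "first three bytes must be GET" filter would misjudge them. The Packet fields, the verdict strings and all sample traffic are this example's own conventions and constructed data.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Standard HTTP method tokens; a first segment that does not start with one of
# these followed by a target and an HTTP/1.x version is treated as non-HTTP.
HTTP_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH", "CONNECT")
REQUEST_LINE = re.compile(
    rb"^(" + b"|".join(m.encode() for m in HTTP_METHODS) + rb") \S+ HTTP/1\.[01]\r?\n"
)


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary (not a real capture format)."""
    src: str            # source IP, real or spoofed
    sport: int          # source port
    dst_port: int       # destination port on the server
    flags: frozenset    # subset of {"SYN", "ACK", "FIN", "RST", "PSH"}
    payload: bytes = b""


def tcp_layer_verdict(pkt: Packet) -> str:
    """Return 'ok' or a reason string describing an anomalous TCP header."""
    f = pkt.flags
    if "SYN" in f and pkt.payload:
        # Item 1 above: SYN packets padded out to thousands of bytes.
        return f"syn-with-payload({len(pkt.payload)}B)"
    if "SYN" in f and ("RST" in f or "FIN" in f):
        # Item 2 above: contradictory flag sets such as SYN+RST.
        return "invalid-flag-combination(" + "+".join(sorted(f)) + ")"
    if not f:
        return "null-flags"
    return "ok"


@dataclass
class ConnState:
    first_data_seen: bool = False


class StreamInspector:
    """Keeps per-connection state so that only the FIRST data segment of a
    port-80 connection has to look like an HTTP request line."""

    def __init__(self):
        self.conns = defaultdict(ConnState)

    def inspect(self, pkt: Packet) -> str:
        verdict = tcp_layer_verdict(pkt)
        if verdict != "ok":
            return verdict
        if pkt.dst_port != 80 or not pkt.payload:
            return "ok"
        st = self.conns[(pkt.src, pkt.sport)]
        if st.first_data_seen:
            return "ok"  # continuation segment (e.g. POST body): no request-line test
        st.first_data_seen = True
        if REQUEST_LINE.match(pkt.payload):
            return "ok"
        return "non-http-first-segment"  # item 6 above: garbage instead of a request


def classify(packets):
    """Run the inspector over a packet list and return {verdict: count}."""
    insp = StreamInspector()
    counts = defaultdict(int)
    for p in packets:
        counts[insp.inspect(p)] += 1
    return dict(counts)


# Constructed sample traffic mixing normal clients with the three patterns.
SAMPLE = [
    # normal handshake and GET from a real client
    Packet("10.0.0.5", 40001, 80, frozenset({"SYN"})),
    Packet("10.0.0.5", 40001, 80, frozenset({"ACK"})),
    Packet("10.0.0.5", 40001, 80, frozenset({"ACK", "PSH"}), b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n"),
    # normal POST: request line in the first segment, body only in the second
    Packet("10.0.0.6", 40002, 80, frozenset({"ACK", "PSH"}), b"POST /login HTTP/1.1\r\nHost: x\r\n\r\n"),
    Packet("10.0.0.6", 40002, 80, frozenset({"ACK", "PSH"}), b"user=a&pass=b"),
    # item 1: oversized SYN from a spoofed source
    Packet("198.51.100.7", 1025, 80, frozenset({"SYN"}), b"A" * 1400),
    # item 2: contradictory flags
    Packet("198.51.100.8", 1026, 80, frozenset({"SYN", "RST"})),
    # item 6: connection established, then a jumble of bytes instead of a request
    Packet("198.51.100.9", 1027, 80, frozenset({"ACK", "PSH"}), b"\x00\x17zzzz garbage"),
]

if __name__ == "__main__":
    for verdict, n in sorted(classify(SAMPLE).items()):
        print(f"{verdict:45s} {n}")
```

The per-connection state is what prevents the false positives the text warns about: the POST body segment above is accepted because its connection has already presented a valid request line, whereas the same filter applied packet by packet would reject it.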
III. Basic DDoS protection methods

1. Disable unnecessary services:
1. Alerter [notifies selected users and computers of administrative alerts]
2. ClipBook [enables the Clipboard Viewer to store information and share it with remote computers]
3. Distributed File System [merges scattered file shares into one logical name and shares it; once disabled, remote computers cannot access the share]
4. Distributed Link Tracking Server [for distributed links on a LAN]
6. Indexing Service [indexes the contents and properties of files on local or remote computers, which discloses information]
8. NetMeeting Remote Desktop Sharing [collects client information left behind by NetMeeting]
9. Network DDE [provides Dynamic Data Exchange for programs running on the same computer or on different computers]
10. Network DDE DSDM [manages Dynamic Data Exchange (DDE) network shares]
11. Remote Desktop Help Session Manager [manages and controls Remote Assistance]
12. Remote Registry [allows remote users to modify the local registry]
13. Routing and Remote Access [provides routing services on LANs and WANs; attackers can use the routing service to probe registration information]
14. Server [supports file, print and named-pipe sharing for this computer over the network]
15. TCP/IP NetBIOS Helper [provides support for NetBIOS over TCP/IP and NetBIOS name resolution for clients on the network, so that users can share files, print and log on to the network]
16. Telnet [allows remote users to log on to this computer and run programs]
17. Terminal Services [allows users to connect interactively to a remote computer]
18. Windows Image Acquisition (WIA) [image acquisition service for applications and digital cameras]
2. Increase the connection queue length from its default of 128 or 512 to 2048 or more, so that more pending connections can be queued and processed at a time;
3. Shorten the connection timeout, so that legitimate connections still complete while connections left hanging by attack packets are released sooner;
4. Update the system and install patches promptly;
5. Use load balancing to distribute the application service across several different servers;
6. Traffic diversion (scrubbing) is the ideal defense against high-volume attacks, but it generally requires a professional hardware firewall, which is expensive.
IV. Signs that a website is under DDoS attack

1. The attacked host has a large number of TCP connections in a waiting state, which can be seen with the netstat -an command.
2. Serious packet loss, or the server cannot be pinged at all.
3. CPU utilization is very high, sometimes reaching 100%; in serious cases the system blue-screens and crashes (this is the most common symptom of a CC attack).
4. Connecting to port 3389 (Remote Desktop) is slow, or the system reports that it is too busy to accept new connections.
5. The network is flooded with useless packets whose source addresses are forged.
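An added example, not from the original article, of the check behind sign 1: parsing `netstat -an` output and counting half-open (SYN_RECEIVED) connections on the web port, per remote address. The sample output below is constructed in the Windows column layout (Proto, Local Address, Foreign Address, State); the parser also accepts the Linux layout, which inserts Recv-Q and Send-Q columns and names the half-open state SYN_RECV. The alert threshold and the 198.51.100.x source addresses are assumptions made for this example; 192.168.2.250 is the web server address used in the test environment later in the article.

```python
from collections import Counter

# Half-open connection states: Windows naming and Linux naming.
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV"}


def split_endpoint(endpoint: str):
    """'198.51.100.7:1025' -> ('198.51.100.7', '1025'); '[::]:80' -> ('[::]', '80')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text: str):
    """Return a list of (proto, local_ip, local_port, remote_ip, remote_port, state)
    tuples; header, blank and title lines are skipped, UDP rows get state ''."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP", "TCP6", "UDP6"):
            continue
        # Linux layout: Proto Recv-Q Send-Q Local Foreign State -> drop the two queue columns.
        if len(parts) > 4 and parts[1].isdigit() and parts[2].isdigit():
            parts = [parts[0]] + parts[3:]
        proto = parts[0].upper()
        l_ip, l_port = split_endpoint(parts[1])
        r_ip, r_port = split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""
        rows.append((proto, l_ip, l_port, r_ip, r_port, state))
    return rows


def summarize(rows, local_port: str = "80", half_open_alert: int = 100):
    """Count TCP states on one local port and the half-open connections per
    remote address. 'one_per_source' is True when every half-open connection
    comes from a different address, which matches sign 5 (forged sources)."""
    tcp = [r for r in rows if r[0].startswith("TCP") and r[2] == local_port]
    by_state = Counter(r[5] for r in tcp)
    half_open_by_src = Counter(r[3] for r in tcp if r[5] in HALF_OPEN_STATES)
    half_open = sum(half_open_by_src.values())
    return {
        "by_state": dict(by_state),
        "half_open": half_open,
        "half_open_sources": len(half_open_by_src),
        "top_sources": half_open_by_src.most_common(3),
        "one_per_source": half_open > 0 and len(half_open_by_src) == half_open,
        "alert": half_open >= half_open_alert,
    }


# Constructed netstat -an output: a listener, two real clients on port 80, an RDP
# session, a UDP socket, and six half-open connections from distinct addresses.
SAMPLE_NETSTAT = "\n".join(
    [
        "Active Connections",
        "",
        "  Proto  Local Address          Foreign Address        State",
        "  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING",
        "  TCP    192.168.2.250:80       10.0.0.5:40001         ESTABLISHED",
        "  TCP    192.168.2.250:80       10.0.0.6:40002         ESTABLISHED",
        "  TCP    192.168.2.250:3389     10.0.0.9:50000         ESTABLISHED",
        "  UDP    0.0.0.0:123            *:*",
    ]
    + [f"  TCP    192.168.2.250:80       198.51.100.{i}:{1024 + i}      SYN_RECEIVED"
       for i in range(1, 7)]
)

if __name__ == "__main__":
    report = summarize(parse_netstat(SAMPLE_NETSTAT), local_port="80", half_open_alert=5)
    for key, value in report.items():
        print(f"{key:18s} {value}")
```

On a real host the text is simply the captured command output; the threshold should be set from the server's normal baseline, since a busy but healthy site also shows some SYN_RECEIVED entries.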
V. Emergency response to a DDoS attack

1. If spare IP addresses are available, switch to a new IP address and point the website's domain name at it;
2. Close port 80, serve HTTP on port 81 or another port, and point the website's domain name at IP:81.
VI. Suggestions for DDoS defense

1. Use high-performance network equipment;
2. Guarantee sufficient network bandwidth;
3. Install a professional anti-DDoS firewall, for example the Ice Shield, Golden Shield, Black Hole or Aodun firewall.
VII. Configuring the Ice Shield firewall against DDoS and HTTP flood attacks

Test environment: a web server with port 80 open, IP address 192.168.2.250, running the latest version of the Ice Shield firewall and a DDoS attack monitor; one attack server, IP address 192.168.2.252, running the stress-testing tool (crepe network anti-DDoS stress testing 2009); and one zombie host, IP address 192.168.2.249.

Test 1: UDP attack. Two zombies online. The effect: the traffic reaches 36MB, all of it generated by the two zombies. With the firewall enabled and the maximum UDP packet size set to 512 bytes, the traffic is very small, almost none.

Test 2: TCP concurrent connection attack. Without the firewall, the traffic reaches 2.2MB, generated by the two zombies, together with a large number of TCP connections. With the firewall enabled and the corresponding rules configured, the log shows the attacking IP addresses being blocked, and no TCP connections are established.

Test 3: ICMP attack. The effect: the traffic reaches 5.8MB, generated by the two zombies, with a large number of ICMP packets.

Test 4: SYN attack. With the firewall enabled, a large number of SYN packets are received but the traffic figure stays near zero. With the firewall disabled, the traffic reaches nearly 3MB at once, with only one zombie attacking.

Test 5: HTTP flood attack. Without the firewall, a large number of SYN and ACK packets are received; the traffic from the two zombies reaches nearly 12MB, with a large number of TCP connections. After the firewall is enabled, everything returns to normal.
This article is reposted from the 51CTO blog "Success is not only a personal honor but also a responsibility to one's family" (hukunlin); original link: http://blog.51cto.com/hukunlin/337584. To reproduce it, please contact the original author.