What is a Denial of Service Attack?

A denial of service attack is one in which the attacker finds a way to stop the target machine from providing its services. It is one of the attacks most commonly used by hackers. In fact, an attack that consumes network bandwidth is only a small part of what denial of service covers: anything that causes trouble for the target, suspends certain services, or even crashes the host counts as a denial of service attack. The problem of denial of service attacks has not been solved satisfactorily, because they exploit security flaws in the network protocols themselves, which has made them the ultimate method for attackers. In practice an attacker conducting a denial of service attack aims at one of two effects on the server: forcing the server's buffers to fill up so that it accepts no new requests, or using IP spoofing to force the server to reset the connections of illegitimate users, which disrupts the connections of legitimate users.

A denial of service attack, Denial of Service in English, DoS for short, aims to make a computer or network unable to provide its normal services; the attack behaviour is therefore called a DoS attack. The most common DoS attacks are bandwidth attacks and connectivity attacks on computer networks. A bandwidth attack floods the network with a huge amount of traffic so that all available network resources are used up and legitimate user requests ultimately fail. [1]
SYN Flood
SYN Flood is currently the most popular
J. Mirkovic and P. Reiher [Mirkovic04] proposed an attribute-based classification of denial of service attacks: attack attributes are divided into three types, attack static attributes, attack dynamic attributes and attack interaction attributes, so that attacks can be classified in detail. Any attribute that is determined before the attack begins and usually does not change during a continuous attack is called an attack static attribute; these are determined by the attacker and by the attack itself and are the basic attributes of the attack. Attributes that can change dynamically during the attack, such as the choice of target, the choice of timing and the use of source addresses, are called attack dynamic attributes. Attributes that depend not only on the attacker but also on the configuration, detection and service capabilities of the specific victim are called attack interaction attributes.
Attack static attributes
Attack static attributes mainly include attack control mode, attack communication mode, attack technology principle, attack protocol and attack protocol layer.
(1) Attack control method
attack
The dynamic attributes of an attack depend not only on the attacker's attack mode and ability but also on the victim's ability. They mainly include the detectability of the attack and the impact of the attack.
(1) Detectability
Depending on whether you can attack
As with other types of attack, the motivations for launching denial of service attacks are diverse. Attacks that occur at different times and on different occasions, launched by different attackers, may target different victims. Some of the main purposes of denial of service attacks are listed here. Note that this list cannot cover every purpose of an attack, and that these purposes are not mutually exclusive: one attack event may serve multiple purposes.
As a means of practice
As DoS attacks are very simple, you can also directly from the Internet
Many modern UNIX systems allow administrators to set limits such as the maximum memory a process may use, its CPU time, and the maximum size of the files it may create. These restrictions are useful when you are developing a new program and do not want to accidentally slow down the system or make it unusable for other users sharing the host. The Korn shell's ulimit command and the C shell's limit command list the resource limits of the current process.
SYN Flood Defense
As described above, a SYN Flood attack consumes a lot of the server's CPU and memory resources and fills up the SYN waiting queue. Correspondingly, it can be mitigated effectively by adjusting kernel parameters. The main parameters are as follows:
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_synack_retries = 2
They enable SYN cookies, set the maximum SYN queue length, and set the maximum number of SYN+ACK retransmissions, respectively.
The role of the SYN cookie is to relieve the pressure on server resources. Before it is enabled, on receiving a SYN packet the server immediately allocates storage space, picks a random number as the initial sequence number, sends a SYN+ACK packet, saves the state of the half-open connection and waits for the client's confirmation. After the SYN cookie is enabled, the server no longer allocates storage space: instead of a completely random sequence number it computes one from a time-seeded algorithm, and after sending the SYN+ACK it releases the resources and keeps no state at all. When the final ACK packet arrives from the client, the server uses the cookie checking algorithm to verify that the acknowledged sequence number matches one it could have sent in the SYN+ACK. If it matches, the handshake completes; otherwise the packet is discarded. Of course, the SYN mixed ACK attack method from the advanced attacks above is a counter to this defense, and which side wins is decided by the hardware configuration of the two parties.
tcp_max_syn_backlog trades the server's memory for a longer waiting queue, so that attack packets do not occupy every slot and leave normal users unable to complete the handshake. net.ipv4.tcp_synack_retries reduces the number of times the server retransmits SYN+ACK, releasing the waiting resources sooner. These three measures correspond one-to-one to the three harms of the attack and directly counter them. However, they are double-edged swords: they may consume more of the server's memory and can even affect normal users establishing TCP connections. You need to evaluate the server's hardware resources and the expected attack size carefully before setting them.
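To make the cookie check concrete, here is an added simulation (not code from the article or from the Linux kernel) of a stateless SYN cookie: the server packs a 64-second time counter, an MSS table index and a keyed hash of the connection 4-tuple into the initial sequence number, stores nothing, and validates the client's final ACK by recomputing the hash. The bit layout follows D. J. Bernstein's original description; the secret key and the MSS table are constructed assumptions.

```python
import hashlib
import hmac

# Constructed secret for the keyed hash; a real stack rotates its secrets periodically.
SECRET = b"constructed-secret-key"
# Constructed MSS table: the client's MSS must be recoverable from the cookie later,
# so it is reduced to a small index instead of being stored per connection.
MSS_TABLE = [536, 1300, 1440, 1460]


def _cookie_hash(src_ip, src_port, dst_ip, dst_port, t):
    """24-bit keyed hash over the 4-tuple and the time counter t."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, now, mss):
    """Server side: build the SYN+ACK sequence number without keeping any state.

    Layout: top 5 bits = time counter (64-second units, mod 32),
    next 3 bits = MSS table index, low 24 bits = keyed hash.
    """
    t = (now // 64) % 32
    idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0])
    return (t << 27) | (idx << 24) | _cookie_hash(src_ip, src_port, dst_ip, dst_port, t)


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, now, ack):
    """Server side: validate the ACK of the third handshake packet.

    Returns (True, mss) if ack-1 is a cookie this server could have issued in the
    current or the previous 64-second window, otherwise (False, None).
    """
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    idx = (cookie >> 24) & 0x7
    if ((now // 64) % 32 - t) % 32 > 1:
        return False, None          # cookie too old (or not from a recent window)
    if idx >= len(MSS_TABLE):
        return False, None          # index cannot have been produced by make_syn_cookie
    if (cookie & 0xFFFFFF) != _cookie_hash(src_ip, src_port, dst_ip, dst_port, t):
        return False, None          # forged or mis-addressed ACK
    return True, MSS_TABLE[idx]
```

Because nothing is stored between the SYN+ACK and the final ACK, a flood of SYNs with spoofed sources costs the server only one hash per packet and no queue slot.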
In addition to customizing the TCP/IP protocol stack, another common approach is the TCP first-packet discarding scheme, which uses the TCP retransmission mechanism to tell normal users apart from attack packets. When the defense device receives a SYN packet from an IP address, it first checks whether the IP is on the whitelist and, if so, forwards the packet to the backend. If the IP is not on the whitelist, the device checks whether this is the first SYN packet from that IP within a certain period of time; if it is, the SYN packet is discarded and the device waits for a while for the IP to retransmit it. Otherwise, the device checks whether the packet is a retransmission of the discarded one. If the wait times out, the packet is judged to be an attack packet and the IP is added to the blacklist.
The first-packet discarding solution slightly affects the user experience, because discarding the first packet and waiting for the retransmission increases the response time of the service. In view of this, a better TCP Proxy solution was developed. All SYN packets are accepted by the cleaning device and handled according to the SYN cookie scheme. An IP address that successfully completes the TCP three-way handshake with the device is judged to be a legitimate user and added to the whitelist; the device then impersonates the real client's IP address, completes a three-way handshake with the real server, and forwards the data. An IP address that does not complete the three-way handshake with the device within the specified time is judged malicious and blocked for a certain period. Besides SYN cookies combined with the TCP Proxy, the cleaning device can also detect a variety of malformed TCP flag combinations, and can distinguish normal access from malicious behaviour by returning unexpected responses to SYN packets and observing how the client reacts.
The cleaning device's hardware has a dedicated network processor chip and a specially optimized operating system and TCP/IP protocol stack, so it can handle very large traffic volumes and SYN queues.
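As an added illustration (not from the article or from any vendor's device), the following simulation of the first-packet discarding scheme described above tracks, per source IP, the first SYN it dropped and forwards only a genuine retransmission, meaning the same initial sequence number arriving within the retransmission window; IPs that never retransmit are blacklisted by a timer sweep. The window length, using the sequence number as the retransmission test, and the whitelist/blacklist handling are assumptions.

```python
class FirstPacketDrop:
    """Defense device that drops the first SYN of an unknown IP and waits for TCP to retransmit."""

    def __init__(self, retrans_window=5.0, whitelist=None):
        self.window = retrans_window          # constructed: how long to wait for the retransmission
        self.whitelist = set(whitelist or [])
        self.blacklist = set()
        self.pending = {}                     # ip -> (time of dropped SYN, its sequence number)

    def expire(self, now):
        """Timer sweep: IPs that did not retransmit within the window are treated as attack sources."""
        for ip, (first_seen, _seq) in list(self.pending.items()):
            if now - first_seen > self.window:
                del self.pending[ip]
                self.blacklist.add(ip)

    def handle_syn(self, ip, seq, now):
        """Return 'forward' or 'drop' for a SYN with sequence number seq from ip at time now."""
        self.expire(now)
        if ip in self.whitelist:
            return "forward"                  # known-good source: straight to the backend
        if ip in self.blacklist:
            return "drop"
        entry = self.pending.get(ip)
        if entry is None:
            self.pending[ip] = (now, seq)     # first SYN from this IP: discard and wait
            return "drop"
        _first_seen, first_seq = entry
        if seq != first_seq:
            return "drop"                     # a different ISN is a new SYN, not a retransmission
        # A real TCP stack retransmitted the same SYN: spoofed sources cannot do this.
        del self.pending[ip]
        self.whitelist.add(ip)
        return "forward"
```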
HTTP Flood Defense
HTTP Flood defense is mainly implemented by caching: as far as possible, the device's cache returns results directly, so that the back-end services are protected. Large Internet companies have huge numbers of CDN nodes to cache content.
When an advanced attacker gets past the cache, the cleaning device intercepts HTTP requests for special processing. The simplest method is to count the HTTP request frequency of each source IP and blacklist IP addresses above a certain frequency. This method is too crude: it easily blocks legitimate users by mistake and cannot stop attacks coming through proxy servers. It has therefore gradually been abandoned in favour of a JavaScript redirect human-machine recognition scheme.
An HTTP Flood is generated by a program that simulates HTTP requests. Generally speaking, it does not parse the data returned by the server, nor does it execute code such as JavaScript. Therefore, when the cleaning device intercepts an HTTP request, it returns a special piece of JavaScript code. A normal user's browser processes it and redirects as expected, without affecting use, while the attack program's requests hit nothing.
DNS Flood Defense
DNS attack defense uses methods similar to HTTP defense. The first is caching. The second is retransmission: the device can simply discard the DNS packet so that the client retransmits the UDP request, or it can return a special response that forces the client to retransmit the DNS query over TCP.
In particular, to protect authoritative DNS, the device records the list of queried domain names and the list of ISP DNS IP addresses during normal business hours. During an attack, requests not matching these lists are discarded, which greatly reduces the load. For domain names, the same whitelist mechanism applies: resolution requests for domain names not on the whitelist are discarded.
Slow connection attack prevention
Slowloris attack defense is relatively simple; there are two main schemes.
The first is to record the length of each TCP connection and count the number of packets passed in a unit of time, which allows accurate identification. Within one TCP connection, both too few and too many HTTP messages are abnormal: too few may indicate a slow connection attack, and too many may indicate an HTTP Flood using the HTTP 1.1 protocol, which sends multiple HTTP requests over a single TCP connection.
The second is to limit the maximum time allowed for transmitting the HTTP header. If the header has not been fully transmitted by the deadline, the source IP address is judged to be conducting a slow connection attack; the connection is interrupted and the IP is added to the blacklist. [2]
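The two schemes above, combined in one added classifier (example code, not from the article or any product): each TCP connection carries its open time, the time its HTTP header completed (if ever) and the arrival times of its payload packets; a connection whose header is still incomplete after the deadline, or whose packet rate per unit time is too low on an old connection, is a slow connection attack, while one whose rate is far too high is an HTTP Flood over a keep-alive connection. The thresholds and the traffic sample are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class TcpConn:
    src_ip: str
    opened: float                                   # time the TCP connection was established
    header_done: Optional[float] = None             # time the full HTTP header arrived; None = incomplete
    packet_times: List[float] = field(default_factory=list)  # arrival times of payload segments


# Constructed thresholds; a real device tunes these per service.
WINDOW = 10.0          # unit of time over which packets are counted
MIN_PACKETS = 1        # fewer than this per window on an old connection -> slow connection attack
MAX_PACKETS = 100      # more than this per window -> HTTP Flood over a keep-alive connection
HEADER_TIMEOUT = 20.0  # scheme 2: the HTTP header must be complete within this many seconds


def classify(conn, now):
    """Return 'slow_connection', 'http_flood' or 'normal' for one connection at time now."""
    # Scheme 2: header transmission exceeded the maximum allowed time.
    if conn.header_done is None and now - conn.opened > HEADER_TIMEOUT:
        return "slow_connection"
    # Scheme 1: connection length plus packets per unit of time.
    recent = sum(1 for t in conn.packet_times if now - WINDOW < t <= now)
    if recent > MAX_PACKETS:
        return "http_flood"
    if now - conn.opened >= WINDOW and recent < MIN_PACKETS:
        return "slow_connection"
    return "normal"


def sweep(conns, now):
    """Classify every connection; return (verdict by source IP, IPs to interrupt and blacklist)."""
    verdicts = {}
    blacklist = set()
    for c in conns:
        v = classify(c, now)
        verdicts[c.src_ip] = v
        if v != "normal":
            blacklist.add(c.src_ip)
    return verdicts, blacklist


# Constructed traffic sample: a normal browser, a Slowloris-style client that trickles
# header bytes every 4 seconds, and a flooder sending 150 requests in 1.5 seconds.
SAMPLE = [
    TcpConn("192.0.2.10", 18.0, 18.2, [18.1, 18.2, 21.0, 24.0]),
    TcpConn("192.0.2.20", 0.0, None, [0.1, 4.0, 8.0, 12.0, 16.0, 20.0, 24.0]),
    TcpConn("192.0.2.30", 20.0, 20.01, [20.0 + i * 0.01 for i in range(150)]),
]
```

Note that MIN_PACKETS also catches idle keep-alive connections that sent nothing in the last window, so in practice the low-rate rule is tuned against the service's normal idle behaviour.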
