
What are the ways of DDOS attacks and how to defend them?

2025-04-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces the ways in which DDoS attacks are carried out and how to defend against them. Many people are unsure how DDoS attacks work and how to defend against them, so the editor has gathered material from various sources and organised it into simple, practical methods. Let's go through them together.

DDoS attacks

There are many kinds of DoS attack. The most basic DoS attack uses seemingly legitimate service requests to occupy so many service resources that legitimate users can no longer get a response. A single DoS attack is generally one-to-one, and its effect is obvious when the target has low performance: a slow CPU, little memory or a small network bandwidth. As computer and network technology has developed, processing power and memory have grown greatly and gigabit networks have appeared, which makes DoS attacks harder: the target's ability to "digest" malicious packets is now much stronger. This is when the distributed denial of service attack (DDoS) came into being. DDoS uses many more puppet machines to launch the attack, hitting victims on a much larger scale than before.

I. Attack methods

1. Synflood

The attacker sends SYN packets with many random (spoofed) source addresses to the target host and never answers the SYN-ACKs the target sends back. The target allocates a connection-queue entry for each of these sources and, because no ACK ever arrives, keeps holding them, so resources are consumed on a large scale and service is eventually denied.
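The following is an added example, not code from the original article: a small tracker that keeps the half-open connections per destination over a stream of packet events, so that the pattern described above (many SYNs from many distinct sources, few completing ACKs) stands out. The event format, the thresholds and the sample addresses are all constructed for this illustration.

```python
# Added example (not from the original article): tracking half-open TCP
# connections per destination so that a SYN flood (many SYNs from many
# sources, few completing ACKs) can be flagged. Event format, thresholds
# and addresses are constructed for the illustration.
from collections import defaultdict


class HalfOpenTracker:
    """Counts connections that saw a SYN but no completing ACK, per destination."""

    def __init__(self, max_half_open=100, min_distinct_sources=50):
        self.max_half_open = max_half_open
        self.min_distinct_sources = min_distinct_sources
        # dst -> {(src, sport): time of the SYN}
        self.pending = defaultdict(dict)

    def feed(self, ev):
        """ev has src, sport, dst, flags ('SYN' or 'ACK' from the client) and t."""
        key = (ev["src"], ev["sport"])
        if ev["flags"] == "SYN":
            self.pending[ev["dst"]][key] = ev["t"]
        elif ev["flags"] == "ACK":
            # third step of the handshake: the connection is no longer half-open
            self.pending[ev["dst"]].pop(key, None)

    def expire(self, now, timeout=30.0):
        """Drop entries older than `timeout`, as a SYN queue would eventually do."""
        for entries in self.pending.values():
            for key in [k for k, t0 in entries.items() if now - t0 > timeout]:
                del entries[key]

    def assess(self, dst):
        """Return (half_open, distinct_sources, suspicious) for one destination."""
        entries = self.pending.get(dst, {})
        sources = {src for src, _ in entries}
        suspicious = (len(entries) >= self.max_half_open
                      and len(sources) >= self.min_distinct_sources)
        return len(entries), len(sources), suspicious


def build_sample_events(n_legit=5, n_attack=200, target="192.0.2.10"):
    """Constructed traffic: legitimate clients finish the handshake, spoofed
    attack sources send a single SYN each and never answer the SYN-ACK."""
    events = []
    for i in range(n_legit):
        src, sport = f"203.0.113.{i + 1}", 40000 + i
        events.append({"src": src, "sport": sport, "dst": target, "flags": "SYN", "t": 0.0})
        events.append({"src": src, "sport": sport, "dst": target, "flags": "ACK", "t": 0.01})
    for i in range(n_attack):
        src = f"198.51.{i // 250}.{i % 250 + 1}"   # distinct spoofed sources
        events.append({"src": src, "sport": 1024 + i, "dst": target, "flags": "SYN", "t": 0.02})
    return events


def run_demo(target="192.0.2.10"):
    """Feed the constructed stream and report the state of the target."""
    tracker = HalfOpenTracker()
    for ev in build_sample_events(target=target):
        tracker.feed(ev)
    tracker.expire(now=1.0)          # nothing is older than 30 s yet
    return tracker.assess(target)


if __name__ == "__main__":
    print(run_demo())   # (200, 200, True)
```

The five legitimate clients disappear from the pending table as soon as their ACK arrives; the 200 spoofed sources stay half-open, so the destination is reported as suspicious. On a Linux server the usual counterpart to this detection is enabling SYN cookies (`net.ipv4.tcp_syncookies`), which lets the kernel avoid keeping queue state for unanswered SYN-ACKs.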

2. Smurf

The attacker sends a packet carrying a specific request (such as an ICMP echo request) to a subnet broadcast address, with the source address forged to be that of the intended target. Every host on the subnet answers the broadcast by sending a reply to the target, so the target host is flooded with replies.

3. Land

The attacker sets both the source and the destination address of a packet to the address of the target host and sends it to the target by IP spoofing. Because the target then tries to establish a connection with itself, the packet can send it into an endless loop, greatly degrading system performance.

4. Ping of Death

According to the TCP/IP specification, the maximum length of a packet is 65536 bytes. Although a single packet cannot exceed 65536 bytes, the fragments into which a packet is split can add up to more than that when they are reassembled. When a host receives a packet longer than 65536 bytes it is suffering a Ping of Death attack, which causes the host to crash.

5. Teardrop

IP packets can be broken into smaller fragments as they travel through the network. An attacker mounts a Teardrop attack by sending two (or more) fragments: the first has offset 0 and length N, and the second has an offset less than N, so the two overlap. In trying to merge these overlapping segments the TCP/IP stack allocates unusually large resources, exhausting the system and possibly even causing the machine to reboot.
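The following is an added example that is not part of the original article: a packet-inspection routine that flags the four packet-level patterns described in the Smurf, Land, Ping of Death and Teardrop sections above from a list of packet records. The records are constructed dicts rather than real captures, the field names are my own choice, and the fragment-offset convention (8-byte units, as in the IP header) is the one check used here.

```python
# Added example (not from the original article): flag Land (src == dst),
# Smurf (ICMP echo request to a directed-broadcast address), Ping of Death
# (fragments reassemble beyond the maximum IP length) and Teardrop
# (overlapping fragment offsets). Packet records are constructed dicts.
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAX_IP_LEN = 65535  # maximum IPv4 total length in bytes


def is_broadcast(dst, subnets):
    """True if dst is the directed-broadcast address of any listed subnet."""
    addr = ip_address(dst)
    return any(addr == net.broadcast_address for net in subnets)


def check_packet(pkt, subnets):
    """Per-packet findings (empty list if nothing is suspicious)."""
    findings = []
    if pkt["src"] == pkt["dst"]:
        findings.append("land: source address equals destination address")
    if (pkt.get("proto") == "icmp" and pkt.get("icmp_type") == 8
            and is_broadcast(pkt["dst"], subnets)):
        findings.append("smurf: ICMP echo request to a broadcast address")
    return findings


def check_fragments(frags):
    """Findings for the fragments of one datagram (same src, dst and id).

    Each fragment carries 'offset' in 8-byte units and 'length' in bytes.
    """
    findings = []
    spans = sorted((f["offset"] * 8, f["offset"] * 8 + f["length"]) for f in frags)
    end = max(stop for _, stop in spans)
    if end > MAX_IP_LEN:
        findings.append(f"ping-of-death: reassembled size {end} exceeds {MAX_IP_LEN}")
    prev_end = 0
    for start, stop in spans:
        if start < prev_end:   # this fragment overlaps the one before it
            findings.append(f"teardrop: fragment at {start} overlaps data ending at {prev_end}")
        prev_end = max(prev_end, stop)
    return findings


def scan(packets, subnets):
    """Run both checks; fragments are grouped by (src, dst, frag_id)."""
    report = []
    groups = defaultdict(list)
    for p in packets:
        for f in check_packet(p, subnets):
            report.append((p["src"], p["dst"], f))
        if "frag_id" in p:
            groups[(p["src"], p["dst"], p["frag_id"])].append(p)
    for (src, dst, _), frags in groups.items():
        for f in check_fragments(frags):
            report.append((src, dst, f))
    return report


# Constructed sample traffic (documentation address ranges, not real captures)
LOCAL_SUBNETS = [ip_network("192.0.2.0/24")]
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp"},                       # normal
    {"src": "192.0.2.10", "dst": "192.0.2.10", "proto": "tcp"},                         # land
    {"src": "192.0.2.10", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8},       # smurf
    {"src": "198.51.100.9", "dst": "192.0.2.10", "proto": "icmp",
     "frag_id": 1, "offset": 0, "length": 1480},
    {"src": "198.51.100.9", "dst": "192.0.2.10", "proto": "icmp",
     "frag_id": 1, "offset": 8100, "length": 1480},                                     # ping of death
    {"src": "198.51.100.9", "dst": "192.0.2.10", "proto": "icmp",
     "frag_id": 2, "offset": 0, "length": 1480},
    {"src": "198.51.100.9", "dst": "192.0.2.10", "proto": "icmp",
     "frag_id": 2, "offset": 100, "length": 1480},                                      # teardrop
]

if __name__ == "__main__":
    for src, dst, finding in scan(SAMPLE_PACKETS, LOCAL_SUBNETS):
        print(f"{src} -> {dst}: {finding}")
```

The same checks are what a firewall or IDS applies on ingress: drop packets whose source equals their destination, refuse echo requests addressed to a broadcast address (on Linux, `net.ipv4.icmp_echo_ignore_broadcasts` does this on the receiving side), and reject fragment sets that overlap or exceed the maximum datagram size.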

6. PingSweep

Sends ICMP Echo requests to many hosts in turn to discover which of them respond.

7. Pingflood

The attacker sends a large number of ping packets to the target host in a short time, congesting the network or exhausting the host's resources.
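As an added example (not from the original article), here is a sliding-window monitor over ICMP echo requests that separates the two ICMP patterns described in the PingSweep and Pingflood sections above: a flood is one destination receiving too many echo requests within the window, a sweep is one source probing too many distinct destinations within it. Window length, rates and sample addresses are constructed values.

```python
# Added example (not from the original article): sliding-window detection
# of ping floods (too many echo requests to one host) and ping sweeps (one
# source probing many hosts). Thresholds and traffic are constructed.
from collections import defaultdict, deque


class IcmpEchoMonitor:
    """Sliding-window counters over ICMP echo requests.

    pingflood: a destination receives more than flood_rate requests in window s.
    pingsweep: a source probes more than sweep_hosts distinct hosts in window s.
    """

    def __init__(self, window=1.0, flood_rate=500, sweep_hosts=20):
        self.window = window
        self.flood_rate = flood_rate
        self.sweep_hosts = sweep_hosts
        self.by_dst = defaultdict(deque)   # dst -> timestamps
        self.by_src = defaultdict(deque)   # src -> (timestamp, dst)

    def _trim(self, dq, now, stamp=lambda item: item):
        """Discard the oldest entries once they fall outside the window."""
        while dq and now - stamp(dq[0]) > self.window:
            dq.popleft()

    def observe(self, src, dst, t):
        """Record one echo request and return the alerts it triggers."""
        alerts = []
        d = self.by_dst[dst]
        d.append(t)
        self._trim(d, t)
        if len(d) > self.flood_rate:
            alerts.append(("pingflood", dst, len(d)))
        s = self.by_src[src]
        s.append((t, dst))
        self._trim(s, t, stamp=lambda item: item[0])
        distinct = len({h for _, h in s})
        if distinct > self.sweep_hosts:
            alerts.append(("pingsweep", src, distinct))
        return alerts


def sample_echo_requests():
    """Constructed stream: 600 echo requests to one host from many sources
    inside 0.3 s, then one source probing 30 hosts inside 0.3 s."""
    reqs = []
    for i in range(600):
        reqs.append((f"203.0.113.{i % 250 + 1}", "192.0.2.10", i * 0.0005))
    for i in range(30):
        reqs.append(("198.51.100.5", f"192.0.2.{i + 1}", 10.0 + i * 0.01))
    return reqs


def run_demo():
    """Return {alert kind: {offending address: peak count}}."""
    mon = IcmpEchoMonitor()
    summary = defaultdict(dict)
    for src, dst, t in sample_echo_requests():
        for kind, addr, count in mon.observe(src, dst, t):
            summary[kind][addr] = max(summary[kind].get(addr, 0), count)
    return dict(summary)


if __name__ == "__main__":
    print(run_demo())
```

The flood is attributed to the destination and the sweep to the source, which matters for the response: a flood is handled by rate-limiting or dropping ICMP towards the victim (as the defence section below recommends), while a sweep is a reconnaissance signal worth logging against the probing address.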

II. Defensive methods

1. Classified by attack traffic size

(1) Small traffic: less than 1000Mbps, within what the server hardware and applications can absorb, and not affecting the business. Apply software-layer protection with iptables or an Anti-DDoS application.

(2) Large traffic: more than 1000Mbps, but within the capacity of the DDoS cleaning equipment and smaller than the computer-room exit link; it may affect other services in the same computer room. Apply software-layer protection with iptables or an Anti-DDoS application; or configure a black-hole or similar protection policy directly on the computer-room exit equipment; or at the same time switch the domain name, changing the externally served IP to the external IP of the high-defence proxy cluster, a CDN high-defence IP, or a public-cloud DDoS gateway IP, and proxy the traffic on to the real server; or route the traffic directly through the DDoS cleaning equipment.

(3) Ultra-large traffic: beyond the capacity of the DDoS cleaning equipment but within that of the computer-room exit, so that other services in the same computer room may be affected; or larger than the computer-room exit, so that all or most services in the computer room are already affected. Contact the operator to have packet rate-limiting configured, and watch for the services to recover.

2. Classified by attack traffic protocol

(1) TCP packets such as SYN/FIN/ACK: set a warning threshold and a response threshold; crossing the first raises an alarm, crossing the second starts handling. Adjust the protection strategy and protection measures according to the traffic volume and the degree of impact, escalating step by step.

(2) UDP/DNS queries and other UDP packets: most game services use TCP, so a TCP whitelist can be drawn up from the service protocol. When a large volume of UDP requests arrives, UDP packets can be dropped directly at the system level, on the HPPS, or on the cleaning equipment, without waiting for the product team's confirmation or with confirmation deferred.

(3) HTTP flood/CC and other attacks that must interact with the database: these generally drive the database or web server to a high load or a high connection count. After the traffic is limited or cleaned, the service may have to be restarted to release the connections. It is therefore preferable, while system resources can still cope, to reduce the number of connections the service accepts. Relatively speaking, this kind of attack is harder to defend against and consumes a lot of the protection equipment's capacity.

(4) Others: ICMP packets can be dropped directly. Drop or rate-limit them first at every level below the computer-room exit. Such attacks are now rare and cause limited disruption to the business.
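The following is an added example, not part of the original article, that turns the two classification schemes above (by traffic size and by protocol) into one decision routine. The size tiers follow the article's bands; the cleaning-equipment and exit-link capacities are parameters because the article gives no values for them, and the per-protocol warning/response thresholds and the traffic samples are constructed numbers.

```python
# Added example (not from the original article): combine the traffic-size
# tiers with per-protocol warning/response thresholds into one decision.
# Capacities, thresholds and samples are constructed, not values from the text.

PROTOCOL_THRESHOLDS = {          # packets per second: (warning, response)
    "tcp-syn": (20_000, 100_000),
    "udp": (50_000, 200_000),
    "http": (5_000, 20_000),
    "icmp": (1_000, 5_000),
}

TIER_ACTIONS = {
    "small": ["software-layer filtering (iptables / anti-DDoS application)"],
    "large": ["software-layer filtering",
              "black-hole or filter policy on the exit equipment",
              "move the public IP behind a high-defence proxy, CDN or cloud DDoS gateway",
              "divert through the cleaning equipment"],
    "ultra-large": ["ask the operator to rate-limit the traffic upstream",
                    "watch for service recovery"],
}

PROTOCOL_ACTIONS = {
    "tcp-syn": "tighten SYN/FIN/ACK protection step by step",
    "udp": "drop UDP outside the TCP service whitelist at the system or cleaning layer",
    "http": "cap accepted connections before the database/web server saturates; "
            "restart the service after cleaning if connections stay pinned",
    "icmp": "drop ICMP; rate-limit at every level below the exit",
}


def traffic_tier(mbps, cleaner_capacity_mbps, exit_capacity_mbps):
    """Map observed attack traffic to the article's three size tiers."""
    if mbps < 1000:
        return "small"
    if mbps <= cleaner_capacity_mbps and mbps < exit_capacity_mbps:
        return "large"
    return "ultra-large"


def protocol_state(proto, pps):
    """normal -> warn (alarm only) -> respond (start handling)."""
    warn, respond = PROTOCOL_THRESHOLDS[proto]
    if pps >= respond:
        return "respond"
    if pps >= warn:
        return "warn"
    return "normal"


def decide(sample, cleaner_capacity_mbps=10_000, exit_capacity_mbps=40_000):
    """sample = {'mbps': float, 'pps': {proto: packets per second}}."""
    tier = traffic_tier(sample["mbps"], cleaner_capacity_mbps, exit_capacity_mbps)
    states = {p: protocol_state(p, v) for p, v in sample["pps"].items()}
    actions = list(TIER_ACTIONS[tier])
    for proto, state in states.items():
        if state == "respond":          # warn only alarms; respond adds handling
            actions.append(PROTOCOL_ACTIONS[proto])
    alert = any(s != "normal" for s in states.values())
    return {"tier": tier, "states": states, "alert": alert, "actions": actions}


def run_demo():
    """Three constructed traffic samples: quiet, a SYN flood, a UDP flood."""
    samples = {
        "quiet": {"mbps": 300,
                  "pps": {"tcp-syn": 2_000, "udp": 1_000, "http": 500, "icmp": 50}},
        "syn-flood": {"mbps": 2_500,
                      "pps": {"tcp-syn": 150_000, "udp": 1_000, "http": 8_000, "icmp": 50}},
        "volumetric": {"mbps": 60_000,
                       "pps": {"tcp-syn": 2_000, "udp": 900_000, "http": 500, "icmp": 50}},
    }
    return {name: decide(s) for name, s in samples.items()}


if __name__ == "__main__":
    for name, d in run_demo().items():
        print(name, d["tier"], d["states"], d["actions"])
```

The two-level threshold is what keeps the escalation gradual: an HTTP rate above the warning level only sets the alert flag, while a SYN rate above the response level adds the protocol-specific handling step to the tier's actions. The capacities should be the real figures for the cleaning equipment and the exit link; the defaults here are placeholders.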

This concludes the discussion of the ways DDoS attacks are carried out and how to defend against them; we hope it has answered your questions. Theory and practice go better together, so go and try it out. To keep learning, please keep following the website, where more practical articles will follow.
