Basic to advanced Distributed Denial of Service (DDOS) Attack

DDoS attack

Compared to conventional penetration testing attacks, DDoS attacks are more harmful than the former, why say that? Because the launch of a large-scale DDoS attacks only need to have a certain number of botnets can be, and complete a penetration test is the need for long-term and a certain level of technology can. The implementation of the latter (DDoS) the threshold of the former is much lower, and the harm is less inferior to the former, it can be said DDoS attack is the most powerful and most difficult to defend one of the attacks.
The Principle of DDoS Attack

  1.  Basis DDoS Attack
    DDoS (Distributed Denial of Service) attack is the main purpose of the specified target can not provide normal services, or even disappear from the Internet, is the most powerful and most difficult to defend one of the attacks.
    In accordance with the way initiated, DDoS can be divided into three categories: the first category to win, massive data packets from all corners of the Internet flocked to plug the IDC entrance, so that a variety of powerful hardware defense system, rapid and efficient emergency procedures And no avail, this type of attack is typical of ICMP Flood and UDP Flood, is now uncommon; the second category to clever to win, Smart difficult to detect every few minutes to send a package or even just a package, you can let luxury configuration server is no longer responding. This type of attack is the use of software or protocol vulnerabilities to initiate, as Slowloris attack, Hash collision attacks, which require a specific environment chance to appear; the third category is a hybrid of the two, the ethereal sounding both, both The use of the agreement, the system flaws, but also have a massive flow, such as SYN Flood attack, DNS Query Flood attack, is the current mainstream attack.
    The following will describe these one of the most common and most representative of the attack, and introduce their defense program.

    SYN Flood

    SYN Flood is one of the most classic DDoS attacks on the Internet, first appeared around 1999, Yahoo was the most famous victims. SYN Flood attack uses the TCP three-way handshake defects can make the cost of a smaller target server can not respond to, and difficult to trace.
    The standard TCP three-way handshake process is as follows:
    The client sends a TCP packet containing the SYN flag, SYN is synchronized, and the synchronization packet indicates the port used by the client and the initial sequence number of the TCP connection.
    After receiving the SYN packet from the client, the server will return a SYN ACK message indicating that the client’s request is accepted and the TCP initial sequence number is automatically incremented.
    The client also returns a confirmation ACK to the server, the same TCP sequence number is added one.
    After these three steps, the TCP connection is established. TCP protocol In order to achieve reliable transmission, in the process of three handshake set up some exception handling mechanism. In step 3, if the server does not receive the final ACK from the client, it will remain in the SYN_RECV state, add the client IP to the waiting list, and resend the SYN ACK message in the second step. The retransmission is generally done 3-5 times, about 30 seconds interval polling wait list all retry all clients. On the other hand, when the server sends a SYN ACK packet, it pre-allocates resources to prepare for the TCP connection to be created. This resource is reserved during the retry period. More importantly, the server resources are limited, you can maintain the SYN_RECV state beyond the limit no longer accept the new SYN packet, which is to reject the new TCP connection is established.
    SYN Flood is the use of the above TCP protocol settings, to attack the purpose. The attacker spoofs a large number of IP addresses to send the SYN packets to the server. Since the spoofed IP addresses are almost impossible to exist, almost no devices will return any response to the server. Therefore, the server will maintain a large wait list, keep sending a SYN ACK message retry, while taking up a lot of resources can not be released. More critical is that the attacked server SYN_RECV queue is filled with malicious packets, no longer accept the new SYN request, the legitimate user can not complete the three-way handshake to establish a TCP connection. In other words, this server was SYN Flood denial of service.
    SYN Flood interested can look at here, this is the author in 2006 to write the code, and later made several changes, modify the bug, and reduce the attack, pure test to do.DNS Query Flood
    As the core of the most basic Internet services, DNS DDoS attack is naturally one of the important goals. Break down the DNS service can be an indirect blow to a company’s entire business, or to defeat a region of network services. Some time ago the thunder Masamori hacking anonymous organizations have also announced to attack the global Internet 13 root DNS server, but ultimately did not succeed.
    UDP attack is the easiest way to launch massive traffic attacks, and source IP random forgery is difficult to trace. However, filtering is easier because most IPs do not provide UDP services and drop UDP traffic directly. So now pure UDP traffic attacks are relatively rare, replaced by UDP protocol carrying the DNS Query Flood attack. Simply put, the higher the agreement launched on the DDoS attacks more difficult to defend, because the agreement the upper, the greater the correlation with the business, the defense system facing the situation more complex.
    DNS Query Flood is the attacker to manipulate a large number of puppet machines, the target launched a massive domain name query request. In order to prevent ACL-based filtering, it is necessary to improve the randomness of packets. The common practice is that the UDP layer randomly falsifies the source IP address, randomly forges the source port, and so on. In the DNS protocol layer, random forged query ID and domain name to be resolved. Randomly forged to be resolved domain name In addition to preventing filtering, you can also reduce the possibility of hit DNS cache, as much as possible the consumption of DNS server CPU resources.
    About DNS Query
    Flood code, the author in July 2011 in order to test the server performance has written a code, see here. Similarly, this code artificially reduces the attack, only for testing purposes.HTTP Flood
    The SYN described above
    Flood, DNS Query Flood at this stage has been able to do effective defense, and the other major manufacturers and Internet companies headache is the HTTP Flood attack. HTTP Flood is for Web services in the seventh layer protocol initiated attacks, it is a major hazard in three major areas, easy to launch; filtering difficulties; far-reaching impact.
    SYN Flood and DNS Query Flood require an attacker to root privileges control large quantities of puppet machine, a large number of root privileges to collect the puppet machine is a very time-consuming thing, but also in the attack process puppet opportunity due to traffic anomalies by the administrator Found that the attacker’s rapid depletion of resources and slow to add, resulting in significantly reduced attack strength and not long-term sustainability. HTTP Flood attack is different, the attacker does not need to control a large number of puppet machine, instead of through the port scanner on the Internet looking for anonymous HTTP proxy or SOCKS proxy, the attacker through the anonymous proxy to attack the target HTTP request. Anonymous proxy is a relatively rich resource, take a few days to get the morning agent is not difficult, so easy to attack and can be sustained long-term high-intensity.
    On the other hand, HTTP
    Flood attack in the HTTP layer initiated, strongly imitate the normal user’s Web page request behavior, and the website business closely related, security manufacturers is difficult to provide a common and does not affect the user experience program. A good rule of thumb for working in one place, for a scene can bring a lot of manslaughter.
    Finally, HTTP flood attacks can cause serious chain reactions, not only directly lead to the slow response to the front end of the attack, but also indirect attacks to the back-end JAVA and other business logic and more back-end database services, increasing their pressure, Impact on the day to the storage server.
    Interestingly, HTTP
    Flood also has a history of nickname called CC attack. CC is the abbreviation of Challenge Collapsar, Collapsar is a well-known domestic security company’s DDoS defense equipment. From the current situation, not just Collapsar, all the hardware defense equipment are still being challenged, the risk has not been lifted.
  • slow connection attack
    A mention of attacks, the first reaction is the mass flow, mass of the message. But there is an attack but the opposite, to slow that, so that some of the targets were killed do not know how to die, this is the slow connection attack, the most representative is rsnake invented SlowLoris .
    HTTP agreement, HTTP Request to rnrn concluded that the client sends the end, the server began to deal with. So what if rnrn is never sent? SlowLoris is to use this to do DDoS attacks. The attacker in the HTTP request header will be set to Keep-Alive Connection, Web Server to maintain TCP connections do not disconnect, then slow every few minutes to send a key value format data to the server, such as a: brn, resulting in services The end thinks that the HTTP header is not received and waits. If an attacker uses multiple threads or puppet machine to do the same operation, the server WEB container was soon filled by an attacker no longer accepting new TCP connection requests.
    Soon, SlowLoris began to appear in a variety of variants. Such as the POST method to submit data to the WEB Server, filled with a large Content-Length but a slow one byte POST real data content and so on. Regarding the SlowLoris attack, rsnake also gives a test code here.2. DDoS advanced attack
  • Mixed attack
    Above, I describes several basic attack methods, any of which can be used to attack the network.But these are not all, different levels of attackers can launch a completely different DDoS attacks, the use of the wonderful, almost united.
    Advanced attackers never use a single means to attack, but according to the target environment, flexible combination. Common SYN floods are easily filtered by traffic detection through reverse detection, SYN Cookie, etc. However, if SYN SYN packets are mixed in SYN Flood, each forged SYN packet has a counterfeit The source port, the destination IP, the destination port, the TCP window size, the TTL, and so on, all conform to the same TCP Flow feature of the same host. The reverse detection of the traffic cleaning device And SYN Cookie performance pressure will be significantly increased. In fact, SYN data packets with a variety of other Peugeot bit, have a special attack effect, not one by one here.
    For DNS Query
    Flood, there are unique skills. DNS can be divided into ordinary DNS domain DNS and authorization, attack ordinary DNS, IP addresses require random forgery, and indicates the server asked to do recursive resolution. But the attack authorization domain DNS, forged source IP address should not be purely random, but should be collected in advance around the world the ISP’s DNS address, so as to achieve the maximum attack effect, traffic cleaning equipment will be added IP blacklist and Do not add IP blacklist embarrassing situation. Add will lead to a large number of manslaughter, do not add a blacklist is the need for each packet to increase the performance of reverse detection pressure.
    On the other hand, the above mentioned in order to increase the cleaning equipment, the pressure does not hit the cache and the need to randomize the request of the domain name, but to note that the domain name to be resolved must be forged with a certain regularity, for example, only forged domain names Of a part of the curing part of the cleaning equipment used to break through the white list. The reason is very simple, Tencent server can only resolve Tencent domain name, completely random domain name may be discarded directly, the need for curing. But if completely fixed, it is easy to be directly discarded, so they need to forge part.
    Second, the attack on the DNS should not only focus on UDP ports, according to the DNS protocol, TCP port is the standard service. Attack, UDP and TCP attacks can be carried out at the same time.
    HTTP Flood focus is to break through the front of the cache, through the HTTP header field settings directly to the WEB Server itself. In addition, HTTP Flood on the target selection is also very critical, the general attacker will choose to search the need to do a lot of data query page as the target of the attack, which is very correct, you can consume the server as much as possible resources. But this kind of attack is easy to be cleans the equipment to recognize through the man-machine recognition way, so how solves this question? Very simple, try to choose the normal user through the APP to access the page, in general, is a variety of WEB API. Normal users and malicious traffic are derived from the APP, human-machine difference is very small, the basic integration is difficult to distinguish.
    SlowLoris like slow attacks, is clever means to occupy the connection is not released to attack the purpose, but this is a double-edged sword, each TCP connection exists in the server side also exists in itself, also need to consume resources to maintain TCP State so the connection can not be kept too much. If you can solve this, the attack will be greatly enhanced, that is SlowLoris can be launched through the stateless attack, sniffing the client to capture TCP serial number and confirm the maintenance of TCP connections, the system kernel without concern TCP State change, a laptop can produce much 65,535 TCP connections.
    All of the above describes the technical level of attack enhancement. On the human side, there can be some other means. If SYN Flood sent a large number of packets frontal storm, then complemented by SlowLoris slow connection, how many people can find the secret? Even if the server down may only find a SYN attack to strengthen TCP layer cleaning and ignore the application layer behavior. All kinds of attacks, can cooperate with each other, to achieve the maximum effect. Attack time choice, but also a key, for example, choose maintenance staff to eat lunch, maintenance staff get off work blocking the road or in the subway wireless network card when there is no signal, or target companies in the large-scale activities, traffic soaring Time, and so on.
    This is purely offensive behavior, so do not provide code, do not do in-depth description.
  • attacks from P2P networks
    In front of the attack, more or less need some puppet machine, even HTTP Flood also need to search a large number of anonymous proxy. If there is an attack, only need to issue some instructions, there is automatic implementation of the machine is the perfect solution. This kind of attack has already appeared, it is the attack from P2P network.
    As we all know, the Internet P2P users and traffic is a very large number. If they go to a designated place to download data, thousands of real IP address to connect, no one can support equipment to live. Take BT download, forged some popular video seed, published to the search engine, enough to fool many users and traffic, but this is only the basis of the attack.
    Advanced P2P attacks, is a direct deception resource management server. Such as Thunder client will find their own resources uploaded to the resource management server, and then pushed to other users need to download the same resources, so that a link to publish out. Through the protocol reverse, the attacker forged a large number of popular hot resource information distributed through the Resource Management Center, and instantly can spread throughout the P2P network. Even more frightening is that this attack can not be stopped, even if the attacker can not stop the attack itself, the attack continued until the official discovery of P2P update server and download the user to restart the download software so far.