Daily CyberSecurity
Everything you need to know about DDoS attacks

By Ddos | September 11, 2017 | 9 minutes read

DDoS attacks

A DoS (denial of service) attack aims to make a service unavailable for its normal function. Unlike attacks that try to obtain sensitive information, a DoS attack does not threaten confidentiality; it prevents legitimate users from using the service. DoS also sometimes plays a supporting role in another attack: for example, a denial of service against a web application firewall is one way of getting traffic past it.

The difference between DoS and DDoS

DoS is a denial-of-service attack; DDoS is a distributed denial-of-service attack. Both target a server or a network service. In a DoS attack the attacker uses their own machine against the target, a one-to-one relationship. DDoS is a newer form of attack built on DoS: the attacker controls hundreds of thousands of compromised hosts (bots, or "zombies") as an attack group and has them all hit the target at the same time.

In principle, no target server or network service can be made immune to DoS and DDoS, no matter how much bandwidth, memory or CPU it has, because every resource has a limit. If a server can process 1000 packets per second and the attack delivers 1001 packets per second, the server can no longer keep up and has to be scaled out. Technically, both DoS and DDoS go after the bandwidth and connection capacity of the target server, exhausting them so that it stops working properly.

Types of DoS attack

The attacks below are grouped by where they hit: network and transport layer floods, amplification (reflection) attacks, and application layer attacks.

Network and transport layer attacks

These attacks send malicious traffic at the server and consume as much of its resources as possible (bandwidth, connection state, packet-processing capacity) to achieve the denial of service.

TCP SYN floods

A SYN flood attacks the transport layer. To understand it, we first need to understand the TCP three-way handshake.

First handshake (connection request): the client sends a segment with the SYN bit set to 1 and an initial Sequence Number x, then enters the SYN_SENT state and waits for the server to confirm.

Second handshake: the server receives the client's SYN and must acknowledge it, so it sets the Acknowledgment Number to x + 1 (the client's Sequence Number + 1). At the same time it sends its own SYN with the SYN bit set to 1 and Sequence Number y. Both are carried in a single segment (the SYN+ACK), and the server enters the SYN_RECV state, keeping an entry for this half-open connection in its backlog.

Third handshake: the client receives the server's SYN+ACK, sets its Acknowledgment Number to y + 1 and sends an ACK segment to the server. Once that segment is sent and received, both client and server are in the ESTABLISHED state, the three-way handshake is complete, and data can flow in both directions.

The server keeps only a limited number of half-open (SYN_RECV) connections. If the attacker sends enough SYN segments, usually from spoofed source addresses that will never answer the SYN+ACK, the backlog fills up. Once that limit is reached, no new connection can be accepted until existing SYN_RECV entries time out, which is the denial of service. Modern stacks mitigate this with SYN cookies, which encode the half-open state in the server's initial sequence number instead of storing it.

SYN floods can be tested with hping3 (download: http://www.hping.org/hping3.html). Only run these against systems you own or are authorised to test; note that --rand-source spoofs the source address, which many networks filter at egress (BCP 38).

Commands:

hping3 -S --flood -V -p TARGET_PORT TARGET_SITE

hping3 -c 20000 -d 120 -S -w 64 -p TARGET_PORT --flood --rand-source TARGET_SITE

Flags: -S sets the SYN bit, --flood sends as fast as possible without waiting for replies, -V is verbose, -p is the destination port, -c is the packet count, -d is the data size in bytes, -w is the TCP window size, and --rand-source uses a different random spoofed source address for every packet.
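As an added example (not from the original article), the following Python model shows why the SYN backlog is the resource under attack and how SYN cookies remove it. It is a toy listener, not a real stack; the backlog size, timeout, cookie secret and addresses are assumptions.

```python
"""Toy TCP listener under a SYN flood, with and without SYN cookies.
A simulation with constructed addresses, not a real network stack."""
import hashlib
import hmac
import random
from dataclasses import dataclass, field

SECRET = b"listener-secret-rotated-hourly"   # assumed per-host cookie secret


@dataclass
class Segment:
    src: tuple            # (ip, port) of the sender
    syn: bool = False
    ack: bool = False
    seq: int = 0
    ack_num: int = 0


@dataclass
class Listener:
    backlog: int = 128              # max half-open (SYN_RECV) entries the kernel keeps
    syn_timeout: float = 30.0       # seconds a SYN_RECV entry waits for its ACK
    syn_cookies: bool = False
    half_open: dict = field(default_factory=dict)   # src -> (isn, created_at)
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def _cookie(self, src, slot):
        # SYN cookie: the ISN is a keyed hash of the peer's address and a time
        # slot, so no state is stored; a correct final ACK proves the peer
        # really received the SYN+ACK at that address.
        msg = f"{src[0]}:{src[1]}|{slot}".encode()
        return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

    def _expire(self, now):
        stale = [s for s, (_, t) in self.half_open.items() if now - t > self.syn_timeout]
        for s in stale:
            del self.half_open[s]

    def receive(self, seg, now):
        """SYN -> returns the SYN+ACK (or None if dropped); ACK -> True/False."""
        self._expire(now)
        if seg.syn and not seg.ack:                     # first handshake
            if self.syn_cookies:
                isn = self._cookie(seg.src, int(now // 60))   # nothing stored
            else:
                if len(self.half_open) >= self.backlog:
                    self.dropped_syns += 1              # backlog full: SYN silently dropped
                    return None
                isn = random.getrandbits(32)
                self.half_open[seg.src] = (isn, now)
            return Segment(src=("server", 80), syn=True, ack=True,
                           seq=isn, ack_num=(seg.seq + 1) % 2**32)
        if seg.ack and not seg.syn:                     # third handshake
            if self.syn_cookies:
                slot = int(now // 60)
                valid = {(self._cookie(seg.src, s) + 1) % 2**32 for s in (slot, slot - 1)}
                ok = seg.ack_num in valid
            else:
                entry = self.half_open.pop(seg.src, None)
                ok = entry is not None and seg.ack_num == (entry[0] + 1) % 2**32
            if ok:
                self.established.add(seg.src)
            return ok
        return None


def simulate(syn_cookies, attack_syns=500, backlog=128):
    """Flood the listener with SYNs that are never completed, then attempt one
    legitimate handshake and report whether it got through."""
    rng = random.Random(1)                              # deterministic spoofed sources
    srv = Listener(backlog=backlog, syn_cookies=syn_cookies)
    now = 0.0
    for _ in range(attack_syns):
        # attacker: random spoofed source per SYN, never sends the third ACK
        src = (f"198.51.100.{rng.randrange(256)}", rng.randrange(1024, 65536))
        srv.receive(Segment(src=src, syn=True, seq=rng.getrandbits(32)), now)
        now += 0.001
    client = ("203.0.113.7", 50000)                     # legitimate client (constructed)
    synack = srv.receive(Segment(src=client, syn=True, seq=1000), now)
    connected = False
    if synack is not None:
        ack = Segment(src=client, ack=True, seq=1001, ack_num=(synack.seq + 1) % 2**32)
        connected = srv.receive(ack, now + 0.05)
    return {"connected": connected, "half_open": len(srv.half_open),
            "dropped_syns": srv.dropped_syns}


if __name__ == "__main__":
    print("no syncookies:", simulate(False))
    print("syncookies:   ", simulate(True))
```

Without cookies the 500 spoofed SYNs fill the 128-entry backlog and the legitimate client's SYN is dropped; with cookies nothing is stored per SYN, so the backlog never fills and the legitimate handshake completes. On Linux the equivalent switch is net.ipv4.tcp_syncookies.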

 

UDP floods

UDP is a connectionless transport-layer protocol that provides a simple, unreliable, transaction-oriented datagram service.

Because UDP has no connection setup, any UDP port that offers a service can be attacked directly. The attacker sends a large number of UDP packets, typically from spoofed source addresses, to ports on the target. For each packet the server has to check whether a process is listening on that port; if none is, it replies with an ICMP "destination unreachable" (port unreachable) message to the spoofed source. Receiving the packets and generating the ICMP replies consumes the target's CPU and bandwidth.

Command:

hping3 --flood --rand-source --udp -p TARGET_PORT TARGET_IP

LOIC (Low Orbit Ion Cannon) is another widely used flood tool that can generate TCP, UDP and HTTP floods: https://sourceforge.net/projects/loic/

 

TCP FIN Flood

A segment with the FIN flag is only meaningful on an established TCP connection; a FIN that does not belong to an existing connection is dropped.

So if the attacker floods the server with FIN segments without first establishing any connections, every one of them is discarded, but the server still has to spend resources on each packet to look it up in its connection table before it can decide to discard it. At high enough rates that lookup work alone is the load.

This attack is easy to carry out:

hping3 --flood --rand-source -F -p TARGET_PORT TARGET_IP

 

TCP RST Flood

The TCP RST flag tells the peer to tear down the connection immediately; it is used to abort a connection when an error makes continuing pointless.

An attacker who can observe the traffic between a source and a destination can craft RST segments with the correct values (source IP, destination IP, source port, destination port and a sequence number inside the receiver's window) and so tear down the established TCP connections between the two. That is a denial of service by itself. Without that visibility, the attacker can still flood the target with RST segments that match no connection; as with the FIN flood, the cost is the per-packet lookup the server has to perform.

hping3 --flood --rand-source -R -p TARGET_PORT TARGET_IP

 

PUSH and ACK Flood

A flood of segments with the PSH and ACK flags set forces the server to process each one as if it might belong to an established connection carrying data; under a large enough volume it stops responding to normal users.

hping3 --flood --rand-source -PA -p TARGET_PORT TARGET_IP

 

ICMP and IGMP Floods

ICMP (Internet Control Message Protocol) and IGMP (Internet Group Management Protocol) are network-layer protocols that, like UDP, are connectionless. ICMP delivers status messages, error reports, answers to certain requests and routing information, and is commonly used to test connectivity and troubleshoot problems. IGMP is used on IP networks between hosts and adjacent routers to establish and maintain multicast group membership.

ICMP and IGMP floods, like UDP floods, exploit no vulnerability: the attacker simply sends a large number of ICMP or IGMP packets, and the resources spent processing each one add up to a denial of service.

hping3 --flood --rand-source -1 -p TARGET_PORT TARGET_IP

(-1 selects ICMP mode and sends echo requests; the -p option has no meaning for ICMP, which has no ports, and can be omitted.)
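The floods above (SYN, UDP, FIN, RST, PSH/ACK, ICMP) all look the same from the defender's side: a burst of packets of one kind at one destination in a short time, usually from many spoofed sources. As an added example that is not part of the original article, here is detection logic that parses tcpdump-style summary lines, buckets packets per second, destination, port and kind, and flags buckets over a rate threshold. The sample lines, thresholds and addresses are constructed, not a real capture.

```python
"""Flood detection over tcpdump-style packet lines: packets are bucketed per
second, destination, port and kind, and buckets over a rate threshold are
reported together with the number of distinct sources (a spoofed flood shows
many). The sample lines below are constructed, not a real capture."""
import random
import re
from collections import defaultdict

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)


def classify(rest):
    """Map the tcpdump summary after the addresses to a packet kind."""
    m = re.match(r"Flags \[([^\]]*)\]", rest)
    if m:
        flags = m.group(1)                 # tcpdump: S=SYN .=ACK P=PSH F=FIN R=RST
        if "S" in flags and "." not in flags:
            return "tcp-syn"               # bare SYN (a SYN+ACK shows as "S.")
        if "R" in flags:
            return "tcp-rst"
        if "F" in flags:
            return "tcp-fin"
        if "P" in flags:
            return "tcp-psh-ack"
        return "tcp-other"
    if rest.startswith("UDP"):
        return "udp"
    if rest.startswith("ICMP"):
        return "icmp"
    return "other"


def detect_floods(lines, pps_threshold=100, min_sources=20):
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        key = (m["ts"], m["dst"], m["dport"] or "-", classify(m["rest"]))
        counts[key] += 1
        sources[key].add(m["src"])
    alerts = []
    for key in sorted(counts):
        n = counts[key]
        if n >= pps_threshold:
            ts, dst, dport, kind = key
            nsrc = len(sources[key])
            alerts.append({"time": ts, "dst": dst, "dport": dport, "kind": kind,
                           "pps": n, "sources": nsrc,
                           # many distinct sources in one second at one port:
                           # almost certainly --rand-source style spoofing
                           "spoofed_likely": nsrc >= min_sources})
    return alerts


def sample_lines(seed=7):
    """Constructed traffic: three normal handshakes, then SYN, UDP and ICMP floods."""
    rng = random.Random(seed)
    srv = "198.51.100.10"
    lines = []
    for i in range(3):
        c = f"192.0.2.{10 + i}.{40000 + i}"
        lines.append(f"12:00:01.00{i}000 IP {c} > {srv}.80: Flags [S], seq 0, win 64240, length 0")
        lines.append(f"12:00:01.00{i}100 IP {srv}.80 > {c}: Flags [S.], seq 0, ack 1, win 65160, length 0")
        lines.append(f"12:00:01.00{i}200 IP {c} > {srv}.80: Flags [.], ack 1, win 502, length 0")
    for i in range(300):   # SYN flood, random spoofed sources
        s = f"203.0.113.{rng.randrange(1, 255)}.{rng.randrange(1024, 65535)}"
        lines.append(f"12:00:02.{i:06d} IP {s} > {srv}.80: Flags [S], seq {rng.getrandbits(32)}, win 64, length 0")
    for i in range(150):   # UDP flood against port 53
        s = f"203.0.113.{rng.randrange(1, 255)}.{rng.randrange(1024, 65535)}"
        lines.append(f"12:00:03.{i:06d} IP {s} > {srv}.53: UDP, length 512")
    for i in range(120):   # ICMP echo flood
        lines.append(f"12:00:03.{i:06d} IP 203.0.113.{rng.randrange(1, 255)} > {srv}: ICMP echo request, id {i}, seq {i}, length 64")
    return lines


if __name__ == "__main__":
    for a in detect_floods(sample_lines()):
        print(a)
```

The three normal handshakes never come near the threshold, while each flood produces one alert whose source count exposes the spoofing. Real thresholds should be set from a baseline of the host's normal packet rates rather than the illustrative 100 packets per second used here.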

 

Amplification (reflection) attacks

In an amplification attack the attacker sends request packets whose source IP address is forged to be the victim's, so that the reply packets go to the victim rather than back to the attacker. For example, the attacker forges the source IP as the target's and sends requests to many hosts via a routed (directed) broadcast address; every device on that subnet then sends its reply to the target.

An amplification attack needs a connectionless protocol that does not verify the source address, so that spoofed requests are answered: DNS, ICMP (the Smurf attack), UDP services (the Fraggle attack), and so on. The amplification factor is the ratio of the reply size to the request size.

Smurf Attack

The attacker picks some intermediate networks as amplifiers and sends a huge number of ICMP echo (ping) requests to their broadcast addresses with the source IP set to the target's address. The router forwards each broadcast to every host on the subnet, and every host's echo reply goes back to the target. Directed broadcasts are disabled by default on modern routers (RFC 2644), which is why Smurf is mostly historical today.

hping3 --icmp --spoof TARGET_IP BROADCAST_IP

 

DNS Amplification

Most DNS servers now support EDNS (Extension Mechanisms for DNS), introduced in RFC 2671 and since updated by RFC 6891. One of its options lets a DNS reply exceed 512 bytes while still travelling over UDP, provided the requester advertises that it can handle a response that large. Attackers use this to generate traffic: a 60-byte query can pull back a record of about 4000 bytes, an amplification of around 66 times. Attacks of this kind have produced many gigabits per second of traffic, and against some targets more than 10 Gbit/s.

[Figure: a normal DNS query, with the response returning to the requester]

[Figure: the amplification attack, with the spoofed source address sending the responses to the victim]

Compared with the normal exchange, under attack a large volume of query responses is returned to the victim's machine instead of to the attacker, which is what produces the denial of service.
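As an added example that is not part of the original article, the following Python builds a DNS query carrying the EDNS0 OPT record described above, reads the advertised UDP payload size back out of it, computes the amplification factor, and applies a simple response rate limit (RRL) of the kind resolvers and authoritative servers use to blunt reflection. The 3800-byte answer size, the addresses and the RRL parameters are assumptions.

```python
"""DNS amplification mechanics: build a query carrying an EDNS0 OPT record,
read back the advertised UDP payload size, compute the amplification factor,
and apply a simple response rate limit (RRL) of the kind resolvers and
authoritative servers use to blunt reflection. Constructed example; the
3800-byte answer size is an assumption, not a measurement."""
import struct
from collections import defaultdict

QTYPE = {"A": 1, "TXT": 16, "ANY": 255}


def build_query(name, qtype="ANY", edns_udp_size=4096, txid=0x1234):
    """Standard query: header, one question, one OPT pseudo-RR (RFC 6891)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, QDCOUNT=1, ARCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", QTYPE[qtype], 1)      # QCLASS IN
    # OPT RR: root name, TYPE 41, the CLASS field carries the requester's UDP payload size
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def parse_query(pkt):
    """Return (qname, qtype, edns_udp_size or None). Single question, no name compression."""
    _txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, labels = 12, []
    while pkt[off] != 0:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    off += 1                                                   # root label
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    edns = None
    for _ in range(ar):
        if pkt[off] != 0:          # only root-named (OPT) records are handled here
            break
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off + 1:off + 11])
        if rtype == 41:
            edns = rclass
        off += 11 + rdlen
    return ".".join(labels), qtype, edns


def amplification_factor(query_len, response_len):
    """Bytes delivered to the victim per byte the attacker sends to the reflector."""
    return response_len / query_len


class ResponseRateLimiter:
    """Per (client /24, qname) window: beyond `limit` answers per window, alternately
    drop the answer or send a truncated (TC=1) reply. A real client retries over
    TCP, where the source address cannot be spoofed; a spoofed victim receives
    only a tiny packet."""

    def __init__(self, limit=5, window=1.0, slip=2):
        self.limit, self.window, self.slip = limit, window, slip
        self.state = defaultdict(lambda: [0, 0.0, 0])  # [answers in window, window start, over-limit count]

    def decide(self, client_ip, qname, now):
        net = ".".join(client_ip.split(".")[:3])         # aggregate by /24, as RRL does
        st = self.state[(net, qname)]
        if now - st[1] >= self.window:
            st[0], st[1] = 0, now
        st[0] += 1
        if st[0] <= self.limit:
            return "respond"
        st[2] += 1
        return "truncate" if st[2] % self.slip == 0 else "drop"


def demo():
    q = build_query("example.com", "ANY", 4096)
    name, _qtype, edns = parse_query(q)
    factor = amplification_factor(len(q), 3800)            # assumed size of a large ANY answer
    rrl = ResponseRateLimiter(limit=5, window=1.0, slip=2)
    # 20 identical queries in 0.2 s, all claiming to come from the same /24 (the spoofed victim)
    decisions = [rrl.decide("198.51.100.20", name, 0.01 * i) for i in range(20)]
    return {"query_bytes": len(q), "edns_udp_size": edns, "factor": round(factor, 1),
            "decisions": decisions}


if __name__ == "__main__":
    print(demo())
```

The query is 40 bytes of DNS payload (the article's 60-byte figure includes the 28 bytes of IPv4 and UDP headers added on the wire), so an assumed 3800-byte answer gives a factor of 95 at the DNS layer. Under the rate limiter only the first five answers per second go out in full; the rest are alternately dropped or truncated, which is the behaviour BIND and NSD implement as RRL.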

Fraggle Attack

A Fraggle attack is the UDP counterpart of Smurf: the attacker sends a large number of spoofed UDP packets (classically to the echo port, 7) to broadcast addresses, so that every host on the subnet that answers on that port replies to the target.

Application layer attack

Application layer attacks, also called Layer 7 attacks, can be carried out as DoS or DDoS. They work by imitating legitimate human requests, so each request looks valid to the server and has to be processed in full.

Any application protocol can be used, including HTTP, HTTPS, DNS, SMTP, FTP and VoIP.

HTTP flooding

HTTP flooding is the most common application layer attack.

The attacker sends a high volume of HTTP GET or POST requests to the server; because each request is well-formed, the server does the full work of handling it. Multiple machines are usually needed to generate enough requests.

DNS flooding

Like the other floods, a DNS flood sends a large number of DNS queries to a DNS server so that it is overwhelmed and cannot answer legitimate queries from other users.

Low and Slow attacks

Unlike the flood attacks above, a low and slow attack does not need much traffic. It targets application and server resources: for example, the attacker opens many connections and sends request data so slowly that each connection stays open for as long as the server allows, tying up its connection pool. Because the traffic looks like that of a slow but legitimate client, it is hard to detect by volume alone.
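Since volume gives nothing to detect, the defence against low and slow attacks is on the server side: bound how long a request may take to arrive. As an added example that is not from the original article, here is the reaping logic over a constructed set of connection records; the deadlines, rates, per-IP cap and addresses are assumptions.

```python
"""Server-side defence against low-and-slow requests: reap connections whose
request headers are trickling in below a minimum byte rate or have not
completed by a deadline, and cap half-finished connections per client IP.
Constructed connection records, not data from the article."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    ip: str
    opened_at: float        # seconds since server start
    bytes_received: int     # request bytes seen so far
    headers_complete: bool  # blank line after the headers has arrived


def reap(conns, now, header_deadline=40.0, min_rate=500.0, grace=20.0, per_ip_limit=10):
    """Return [(index, reason)] for connections to close. Approximates Apache's
    RequestReadTimeout header=20-40,MinRate=500: the first `grace` seconds are
    free, after that the client must have averaged `min_rate` bytes/s, and no
    header phase may last longer than `header_deadline`. Connections that pass
    those checks are still capped at `per_ip_limit` per address, oldest first."""
    to_close = []
    per_ip = Counter()
    for i, c in sorted(enumerate(conns), key=lambda ic: ic[1].opened_at):
        if c.headers_complete:
            continue                                   # request already parsed, out of scope here
        age = now - c.opened_at
        if age > header_deadline:
            to_close.append((i, "header-deadline"))
        elif age > grace and c.bytes_received / age < min_rate:
            to_close.append((i, "min-rate"))
        else:
            per_ip[c.ip] += 1
            if per_ip[c.ip] > per_ip_limit:
                to_close.append((i, "per-ip-limit"))
    return to_close


def reap_reasons(conns, now):
    """Summary of why connections were reaped, for logging or alerting."""
    return dict(Counter(reason for _, reason in reap(conns, now)))


def sample_conns():
    conns = []
    for i in range(5):                                   # normal clients: headers arrived quickly
        conns.append(Conn(f"192.0.2.{i}", 100.0, 600, True))
    conns.append(Conn("192.0.2.50", 110.0, 300, False))  # slow but genuine client, still within grace
    for i in range(30):                                  # Slowloris-style: one header line every few seconds
        conns.append(Conn("203.0.113.9", 70.0 + i, 40 * (i % 4 + 1), False))
    for _ in range(15):                                  # connection burst: opened 2 s ago, nothing sent yet
        conns.append(Conn("203.0.113.77", 118.0, 0, False))
    return conns


if __name__ == "__main__":
    print(reap_reasons(sample_conns(), now=120.0))
```

At now = 120 the ten oldest attack connections exceed the 40-second deadline, the other twenty fail the minimum rate, and five of the fresh burst exceed the per-IP cap, while the slow genuine client on 192.0.2.50 is left alone because it is still inside the grace period. In production the same limits are set in the web server or reverse proxy (mod_reqtimeout in Apache, client_header_timeout and limit_conn in nginx) rather than in application code.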
