Attack popular science: DDoS
2022-06-24 12:45:00 【Chen Bucheng I】
1. What exactly is a DDoS attack?
A DDoS attack, in full Distributed Denial of Service, is a distributed denial-of-service attack.
Generally speaking, it means using "zombie hosts" (肉鸡, compromised machines under the attacker's control) to make a very large number of requests to the target website in a short time, consuming the target host's resources on a large scale until it can no longer serve. Online games, Internet finance and similar fields are where DDoS attacks occur most often.
For example: I open a Chongqing hotpot restaurant with fifty seats. Because the ingredients are superior and I deal honestly with young and old alike, it is very popular and business is booming, while Er Gou's hotpot shop across the street gets no customers. To deal with me he thinks of a trick: he sends fifty people to sit in my restaurant without ordering anything, so that no other guest can get a table.
2. What does "how many G" of DDoS attack mean?
People often say "we were attacked, it was 50G of traffic". What does that many G mean?
G here refers to bandwidth and traffic. For example, when you visit Baidu, Baidu has to send its page to you. That page may be only a few hundred bytes, but if you keep visiting, Baidu has to keep sending those few hundred bytes to you over and over.
One zombie host with 10M of bandwidth can keep accessing the site until its own bandwidth is full, which consumes 10M of downstream traffic on Baidu's servers. A typical server has 100M of external bandwidth, so 10 such zombie hosts can fill the website's bandwidth and normal visitors can no longer get through.
An IDC simply queries the traffic on its exit bandwidth. On a Linux server, the ifconfig command shows the upstream and downstream traffic counters.
3. Types of DDoS attacks
ICMP Flood
ICMP (Internet Control Message Protocol) is used to pass control messages between IP hosts and routers. Control messages report things such as whether a network is unreachable, whether a host can be reached and whether a route is available. Although ICMP carries no user data, it plays an important role in the delivery of user data.
Sending massive numbers of ICMP packets to the target system can paralyze the target host; when the volume is large enough, it is called a flood attack.
UDP Flood
UDP is a connectionless protocol. In a UDP Flood, attackers usually send large numbers of small UDP packets with forged source IP addresses at DNS servers, RADIUS authentication servers or streaming video servers.
A UDP Flood of 100k bps often knocks out backbone equipment on the path, such as firewalls, paralyzing the whole network segment. The traditional volumetric attack methods above involve little technical skill and are a matter of "killing a thousand enemies while losing eight hundred of your own": the attack effect usually depends on the network performance of the controlled hosts themselves, the source of the attack is easy to trace, and they are rarely used alone. This is why reflective amplification attacks, which "move a thousand catties with four taels", appeared.
NTP Flood
NTP is the standard network time synchronization protocol and is carried over UDP. Because UDP is connectionless, the source address is easy to forge. The attacker crafts special packets whose destination IP points at a server used as a reflector, with the source IP forged to the IP of the attack target. The reflector is fooled when it receives the packet and sends its response to the target, exhausting the bandwidth of the target network.
NTP servers generally have plenty of bandwidth. An attacker may need only 1Mbps of upload bandwidth to spoof NTP servers, yet deliver hundreds to thousands of Mbps of attack traffic to the target server. Therefore, every kind of "request-response" protocol can be used for reflective attacks: forge the source address of the request packet to be the address of the attack target, and the reply packets are sent to the target. Once the protocol has an amplifying effect, the traffic is amplified significantly. It is a volumetric attack in the style of "killing with a borrowed knife".
SYN Flood
This attack exploits a defect in the TCP protocol: it sends large numbers of forged TCP connection requests so that the attacked side's resources are exhausted (CPU at full load or out of memory).
Establishing a TCP connection takes a three-way handshake: the client sends a SYN message, the server receives the request and returns a message accepting it, and the client returns a confirmation, completing the connection. In a SYN Flood, the client appears to crash or drop offline right after sending its message to the server, so the server never receives the client's confirmation after sending its response (the third handshake cannot complete). In that case the server generally retries and waits for a period of time before discarding the unfinished connection.
It is not a big problem if one user's anomaly makes a server thread wait for a while, but a malicious attacker simulates this situation on a massive scale. The server consumes a great deal of resources maintaining tens of thousands of half-open connections; the result is usually that it has no time to attend to customers' normal requests, or even collapses. From a normal customer's point of view, the site has stopped responding and cannot be accessed.
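The half-open connections described above are visible on the server itself. The following added example (not code from the original article) parses a constructed snapshot in the column layout of `ss -tan` and alerts when SYN-RECV sockets approach the listen backlog; the backlog size of 128 and the alert ratio are assumptions.

```python
from collections import Counter

SS_HEADER = "State     Recv-Q Send-Q Local Address:Port  Peer Address:Port"

# Constructed sample of `ss -tan` output for a quiet server: one
# established client, one half-open handshake in progress, one listener.
QUIET_SAMPLE = "\n".join([
    SS_HEADER,
    "ESTAB     0      0      10.0.0.5:80   198.51.100.7:51234",
    "SYN-RECV  0      0      10.0.0.5:80   203.0.113.11:40001",
    "LISTEN    0      128    0.0.0.0:22    0.0.0.0:*",
])

def synthetic_flood(n, port=80):
    """Constructed snapshot with n half-open connections from n different
    (spoofed-looking) peers against one local port."""
    lines = [SS_HEADER, "ESTAB     0      0      10.0.0.5:80   198.51.100.7:51234"]
    for i in range(n):
        peer = f"203.0.{i // 254}.{i % 254 + 1}:{40000 + i}"
        lines.append(f"SYN-RECV  0      0      10.0.0.5:{port}   {peer}")
    return "\n".join(lines)

def parse_ss(output):
    """Yield (state, local_port, peer_ip) for each socket line."""
    for line in output.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        yield state, int(local.rsplit(":", 1)[1]), peer.rsplit(":", 1)[0]

def half_open_report(output, backlog=128, alert_ratio=0.5):
    """Count SYN-RECV sockets per local port and alert when the half-open
    total reaches alert_ratio of the listen backlog (assumption: backlog
    128, a common default).  Many distinct peers that never complete the
    handshake is the flood signature the article describes."""
    per_port, peers = Counter(), set()
    for state, port, peer in parse_ss(output):
        if state == "SYN-RECV":
            per_port[port] += 1
            peers.add(peer)
    total = sum(per_port.values())
    return {"per_port": dict(per_port), "distinct_peers": len(peers),
            "total": total, "alert": total >= backlog * alert_ratio}

if __name__ == "__main__":
    print(half_open_report(QUIET_SAMPLE))
    print(half_open_report(synthetic_flood(300)))
```

On Linux the standard mitigation for this condition is SYN cookies (`net.ipv4.tcp_syncookies=1`), which lets the kernel answer SYNs without keeping per-connection state until the third handshake arrives.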
CC attack
A CC attack is one of the main means of application-layer attack: with the help of proxy servers it generates legitimate-looking requests to the target system, achieving a disguised DDoS.
We have all had this experience: visiting a static page is quick even when many people are visiting, but visiting a forum or posting during peak hours is slow, because the server has to go to the database to determine whether the visitor has read the post, whether they have permission to speak, and so on. The more visitors there are, the more pages the forum has and the more often it is accessed, the greater the pressure on the database, and the system resources consumed are considerable.
CC attacks take full advantage of this characteristic: they simulate many normal users constantly visiting pages that require heavy data operations, such as forums, wasting server resources. The CPU sits at 100% for a long time, requests never stop coming, the network is congested and normal access is cut off. This kind of attack is technically demanding: there is no real source IP and no very large abnormal traffic is visible, yet the server simply cannot be connected to normally.
Proxy servers are used because a proxy effectively hides the attacker's identity and can also bypass the firewall: basically every firewall counts concurrent TCP/IP connections, and exceeding a certain number at a certain frequency is treated as a Connection-Flood.
Of course, zombie hosts can also be used to launch CC attacks: the attacker uses CC attack software to control large numbers of zombie hosts, which simulate normal users' requests to the website and forge legitimate-looking packets, making this harder to defend against than the former. A CC attack targets the layer-7 web service protocol; the higher the protocol layer at which a DDoS is launched, the harder it is to defend, because upper-layer protocols are more closely tied to the business and the situation facing the defense system is more complex.
For example, HTTP Flood, one of the most important CC attack methods, not only directly slows down the front-end response of the attacked web service, with a fatal impact on the hosted business; it can also trigger a chain reaction that indirectly attacks the back-end Java business-layer logic and the database services further back.
Because CC attacks are cheap and powerful, the Knownsec (知道创宇) security expert group found that 80% of DDoS attacks are CC attacks. Bandwidth resources are seriously consumed and the website is paralyzed; CPU and memory utilization soar and the host goes down; the strike is instant and there is no way to respond quickly.
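The distinction the text draws between cheap static pages and database-heavy dynamic ones is exactly what a defender can key on. The following added example (not code from the original article) runs a per-client sliding window over constructed combined-format access log lines and flags only clients that hammer expensive paths; the suffix rule for "static", the 10-second window and the 20-request threshold are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format line (Nginx/Apache access logs).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" \d{3}')
STATIC_RE = re.compile(r"\.(css|js|png|jpg|gif|ico)$")

def is_expensive(path):
    """Dynamic pages (forum threads, posting) cost database work; static
    assets do not.  Hypothetical suffix rule, not from the article."""
    return not STATIC_RE.search(path.split("?", 1)[0])

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["path"]

def detect_cc(lines, window=10, max_dynamic=20):
    """Per-client sliding window: flag a client that makes more than
    max_dynamic expensive requests within `window` seconds.  Returns
    {ip: time of first alert}.  Both thresholds are assumptions."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        parsed = parse_line(line)
        if not parsed or not is_expensive(parsed[2]):
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # expire old requests
            q.popleft()
        if len(q) > max_dynamic and ip not in flagged:
            flagged[ip] = ts
    return flagged

def make_line(ip, ts, path):
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S +0000}] "GET {path} HTTP/1.1" 200 512'

def constructed_log():
    """Constructed sample: one normal reader and one proxy-driven CC source."""
    base = datetime(2022, 6, 24, 12, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(6):    # reader opens a thread every 10 s, plus its stylesheet
        t = base + timedelta(seconds=10 * i)
        lines += [make_line("198.51.100.7", t, f"/forum/thread/{i}"),
                  make_line("198.51.100.7", t, "/static/site.css")]
    for i in range(40):   # CC source: 40 database-heavy hits in 4 seconds
        t = base + timedelta(milliseconds=100 * i)
        lines.append(make_line("203.0.113.9", t, f"/forum/post?id={i}"))
    return lines
```

Because CC traffic arrives through proxies, a real deployment would key the window on the client address the edge trusts (for example a validated X-Forwarded-For) rather than only the immediate peer.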
DNS Query Flood
DNS, as one of the core services of the Internet, is naturally one of the main targets of DDoS attacks.
A DNS Query Flood works by controlling a large number of puppet machines and having them send a large number of domain name resolution requests to the target server. When the server receives a resolution request, it first looks for a corresponding entry in its cache; if none is found and the name cannot be resolved directly, it queries the upper-level DNS server recursively for the domain's information.
Usually the domain names the attacker asks to resolve are randomly generated or do not exist on the network at all, so no result is found locally and the server must submit a recursive query to the upper-level name server, causing a chain reaction. The resolution process puts a heavy load on the server, and beyond a certain number of resolution requests per second the DNS server's resolution starts to time out.
According to Microsoft statistics, the upper limit of dynamic domain name queries a DNS server can bear is 9000 requests per second, while a single Pentium 3 PC can easily construct tens of thousands of resolution requests per second, enough to bring down a DNS server with a very high hardware configuration. The vulnerability of DNS servers is evident from this.
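The tell-tale sign of the random-name flood described above is a zone whose queries are almost all for never-seen, high-entropy labels. The following added example (not code from the original article) scores constructed query log lines in a BIND-like format per zone by unique-label ratio and label entropy; the log format, the two-label zone assumption and the thresholds are all assumptions.

```python
import hashlib
import math
import re
from collections import defaultdict

# Assumed BIND-style query log line: "client 203.0.113.5#4521: query: abc.example.com IN A"
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")

def entropy(s):   # Shannon entropy in bits per character; random labels score high
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(name):   # (leftmost label, zone); assumes two-label zones
    labels = name.rstrip(".").lower().split(".")
    return labels[0], ".".join(labels[-2:])

def analyze(lines, min_queries=50, min_unique_ratio=0.9, min_entropy=2.5):
    """Flag a random-subdomain flood per zone: nearly every query is for a
    never-seen, high-entropy label, so nothing is cached and each one forces
    recursion.  Thresholds are assumptions, not from the article."""
    zones = defaultdict(lambda: {"count": 0, "labels": set(), "sources": set()})
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        label, zone = split_name(m["name"])
        z = zones[zone]
        z["count"] += 1
        z["labels"].add(label)
        z["sources"].add(m["ip"])
    suspicious = {}
    for zone, z in zones.items():
        if z["count"] < min_queries:
            continue
        ratio = len(z["labels"]) / z["count"]
        avg_ent = sum(entropy(l) for l in z["labels"]) / len(z["labels"])
        if ratio >= min_unique_ratio and avg_ent >= min_entropy:
            suspicious[zone] = {"queries": z["count"], "unique_ratio": ratio,
                                "avg_entropy": round(avg_ent, 2), "sources": len(z["sources"])}
    return suspicious

def constructed_log():
    """Constructed sample: cache-friendly real names plus a random-label flood from 50 puppet hosts."""
    lines = []
    for i in range(60):
        name = ["www", "mail", "api"][i % 3] + ".example.com"
        lines.append(f"client 198.51.100.{i % 5 + 1}#{5000 + i}: query: {name} IN A")
    for i in range(200):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:16]
        lines.append(f"client 203.0.113.{i % 50 + 1}#{6000 + i}: query: {label}.victim.example IN A")
    return lines
```

A resolver that sees this pattern can rate-limit recursion for the affected zone or per source instead of forwarding every unique name upstream.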
Mixed attack
In practice the attacker only wants to bring the other side down. Today, advanced attackers no longer tend to rely on a single attack; instead, according to the specific environment of the target system, they launch a variety of attacks at once: huge traffic volume combined with exploitation of defects in protocols and systems, attacking as hard as they can. The target then has to deal with distributed attacks on different protocols and different resources, and the cost of analysis, response and handling rises significantly.