Some common DDoS attacks and defense principles

△SYN flood

After a client sends a SYN message to the server, the server replies with SYN+ACK. If the server then fails to receive the client's ACK, it will generally retry (send SYN+ACK to the client again) and wait for a period of time before discarding the unfinished connection. The length of this period is called the SYN timeout; generally it is on the order of minutes (about 30 seconds to 2 minutes). It is not a big problem for one server thread to wait a minute because of one abnormal client, but if a malicious attacker simulates this situation on a large scale, the server consumes a great deal of resources maintaining a very large half-open connection list. Even simply storing and traversing that list consumes a lot of CPU time and memory, not to mention the continuous SYN+ACK retries to every IP in the list.

Defense principle: by default, the system applies a SYN proxy to the access of new clients. Only after the client has successfully established a TCP connection with the anti-DoS device does the device make a TCP connection to the protected host on the client's behalf; subsequent communication is no longer proxied.

△ACK flood

1. How the end system processes ACK messages: when the end system receives an ACK message and the destination port is not open, it directly sends an RST message to the source IP. If the port is open to the outside, the end system first checks whether the ACK message belongs to an existing connection in its TCP connection table (this check consumes some CPU on the end system host). If it does, the message is processed normally; if it does not belong to any existing connection, the end system sends an RST message to the source IP.

2. How intermediate systems process ACK flood packets:

Router: a router works only on network-layer information (destination IP, source IP, etc.), so when it processes a packet it does not care whether the packet is an ACK, only about its destination address. If the destination host of the ACK flood is fixed, the router actually only needs to spend CPU resources on route lookup and forwarding for the first ACK flood packet; the subsequent packets have the same fixed destination host, so the router does not even need to involve the CPU and can forward them directly from the fast forwarding table.

Firewall: a firewall checks whether the ACK message belongs to an existing connection in its connection state table. If it does, the firewall forwards the ACK message; if it matches no existing connection, the firewall discards it.

Defense principle: track the TCP sessions of each IP to form a connection tracking table. After a TCP connection is established, subsequent ACK messages are looked up in the connection tracking table and matched against the corresponding TCP session flow. An ACK that matches nothing is abnormal, or belongs to a connection that was never established. When the rate of such messages reaches the configured starting parameter, the device enters ACK flood defense mode, in which the anti-DoS device releases only correct ACKs; for example, set a threshold of 10000 messages per second.

△UDP flood

Attack: a large number of UDP packets are used to attack DNS servers, Radius authentication servers or streaming media video servers. The attacker sends a large number of small UDP packets with forged source IP addresses. Because UDP is a connectionless protocol, as long as a UDP port is open to provide a service, that service can be attacked.

Defense principle: when the number of UDP packets received per second by the protected host reaches the set threshold, it enters the UDP flood defense state. At this time the anti-DoS device discards all subsequent UDP packets to the protected host's IP, unless the UDP port is covered by a rule or is set to pass. Set the threshold, for example 1000 packets/sec. UDP port protection can be configured for each port:

a. Open port: the port is open when this option is selected and closed when it is not;
b. Synchronous connection: when selected, a UDP connection on this port is accepted only if a TCP connection already exists, otherwise the connection is rejected;
c. Delayed submission: mainly for DNS, the anti-DoS system delays its response to the client's query;
d. Verify TTL: check the TTL value in the UDP packet; if a particular TTL value occurs too frequently, it is blocked.

△DNS Query flood

A large number of domain name resolution requests are sent to the attacked server. The requested domain names are randomly generated or do not exist on the network. The attacked DNS server must perform frequent string matching, and since no result can be found locally, it must use recursive query to submit the resolution request to the upper-level domain name server, which causes a chain reaction and places a greater load on the DNS server.

Defense principle: 1. Forced plugin enabling; 2. Automatic enabling; 3. Delayed submission and TTL verification.

△ICMP flood

A DDoS attack that sends a large number of large packets to the target; the largest packet Windows can send is 65500, Linux 65007.

Defense principle: set a threshold, such as 100 packets/second.

△Frag flood

The link layer MTU limits the maximum length of a data frame, and each network type has its own upper limit; the Ethernet MTU is 1500, which you can check with the netstat -i command. If the IP layer has a data packet to transmit whose length exceeds the MTU, the IP layer fragments the packet so that each fragment is less than or equal to the MTU. The IP header uses two bytes to indicate the size of the data packet, so the longest IP data packet can only be 0xFFFF, that is, 65535 bytes. If IP fragments whose total length exceeds 65535 bytes are sent, some old system kernels have problems processing them, leading to crashes or denial of service. If the offsets between fragments are carefully constructed, some systems cannot handle them either.

Defense principle: set a threshold, such as 100 packets/sec.

△Connection attacks

A large number of zombie machines connect to the server frequently, forming false client requests that exhaust server resources and deny service. Common attacks: CC attacks, HTTP attacks, GET flood attacks, game dummy-player attacks, etc. HTTP attacks: HTTP GET flood and HTTP POST flood; GET and POST are simply different ways for the server to receive queries. An attack from a single client does little harm, but an attack through a large number of proxies or zombie hosts exhausts server resources, which is a CC attack.

Defense principle: web plugin.
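As an added example (not code from the original article or from any anti-DoS product), the connection-tracking defense described for the ACK flood and the per-second threshold defense described for the UDP flood above, in Python. The tracker, its packet dictionary format and the assumption that it sees only client-to-host packets are constructed here; the default thresholds are the article's own figures (10000 ACK/sec, 1000 UDP/sec).

```python
from collections import defaultdict

class FloodTracker:
    """Simplified anti-DoS device that sees only client-to-protected-host packets.
    Defaults are the per-second thresholds quoted in the article; defense mode
    is sticky here (a real device would leave it once the rate drops)."""

    def __init__(self, ack_threshold=10000, udp_threshold=1000, open_udp_ports=()):
        self.ack_threshold = ack_threshold
        self.udp_threshold = udp_threshold
        self.open_udp_ports = set(open_udp_ports)  # UDP ports still released in defense mode
        self.half_open = set()       # (src, dst): SYN seen, completing ACK not yet seen
        self.established = set()     # (src, dst): handshake completed (the connection tracking table)
        self.counters = defaultdict(int)  # (kind, dst, second) -> suspicious packets that second
        self.defense_mode = set()    # (kind, dst) pairs currently in flood defense mode

    def _flooding(self, kind, dst, second, threshold):
        """Count one suspicious packet; enter defense mode once the per-second count exceeds threshold."""
        self.counters[(kind, dst, second)] += 1
        if self.counters[(kind, dst, second)] > threshold:
            self.defense_mode.add((kind, dst))
        return (kind, dst) in self.defense_mode

    def handle(self, pkt):
        """pkt: dict with proto, src, dst, ts and flags (tcp) or dport (udp). Returns 'pass' or 'drop'."""
        second, key, dst = int(pkt["ts"]), (pkt["src"], pkt["dst"]), pkt["dst"]
        if pkt["proto"] == "tcp":
            if pkt["flags"] == "SYN":
                self.half_open.add(key)           # new half-open connection
                return "pass"
            if pkt["flags"] != "ACK":
                return "pass"                     # other flags are out of scope here
            if key in self.half_open:
                self.half_open.discard(key)       # third step of the handshake
                self.established.add(key)
                return "pass"
            if key in self.established:
                return "pass"                     # ACK matches a tracked TCP session
            # ACK with no session: the host would answer RST; count it, drop when flooding
            return "drop" if self._flooding("ack", dst, second, self.ack_threshold) else "pass"
        if pkt["proto"] == "udp":
            flooding = self._flooding("udp", dst, second, self.udp_threshold)
            # defense mode: drop everything except UDP ports explicitly set to pass
            return "drop" if flooding and pkt["dport"] not in self.open_udp_ports else "pass"
        return "pass"

def simulate(tracker, packets):
    """Feed constructed packets through the tracker; return (passed, dropped) counts."""
    verdicts = [tracker.handle(p) for p in packets]
    return verdicts.count("pass"), verdicts.count("drop")
```

With low thresholds for demonstration, a handshake from 10.0.0.2 keeps passing while unmatched ACKs from other sources are dropped once the per-second count is exceeded, and UDP to the IP is dropped except for ports listed as open.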

This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com: http://www.internetweblist.com/Web_defense/28672.html