Take you through the principles of cracking DDOS attacks

Latest update time:2021-08-29

Introduction to DDOS

DDOS, short for Distributed Denial of Service, is also called a distributed denial-of-service attack. In its original form it uses reasonable-looking requests to overload a resource until the service becomes unavailable, so that the server refuses service to normal traffic. Think of a hotel with a fixed number of rooms, say 50. Once all 50 rooms are occupied, a new guest must wait for an existing guest to leave. If the guests who checked in never leave, the hotel can no longer welcome anyone new: it is overloaded, and this situation is called "denial of service". To keep providing rooms, the hotel would have to increase its capacity, and the same is true for a server.

Basic concepts of denial of service attacks

**Denial of service:** a state in which an application system cannot provide service to the outside world normally. Network congestion, system downtime and slow responses are all manifestations of denial of service.

**Denial of Service Attack (DOS):** an attack that drives the target system into a denial-of-service state by some technical means. Common means include exploiting vulnerabilities, consuming the application system's processing performance, and consuming the application system's bandwidth.

**Distributed Denial of Service Attack (DDOS):** an advanced form of denial-of-service attack. It uses botnets distributed around the world to launch the attack and can therefore produce denial of service on a very large scale.


DDOS attack classification

(1) Vulnerability type (attacks based on a specific vulnerability): only effective against targets that have that specific vulnerability. Usually sending one specially crafted packet, or a small number of them, is enough to achieve the effect.

(2) Business type (mainly consuming the business system's processing performance): closely tied to the type of business. The attack method has to be chosen according to the application type of the business system in order to have an effect. The traffic required for a business-type attack to take effect is usually far lower than that required by a traffic-type attack.

(3) Traffic type (mainly consuming bandwidth resources): the attack consumes the bandwidth of the target business system, which usually causes network congestion and thereby affects normal business.

Denial of service attack handling process

(1) Phenomenon analysis: based on the observed symptoms and the state of the network equipment and services, make a preliminary judgement as to whether a denial-of-service attack is taking place.

(2) Packet capture analysis: capture traffic and analyze it to learn the attack method and its characteristics.

(3) Countermeasures: finally, respond to the attack. Possible measures include adding resources, hardening the system, and deploying security protection.

DDOS traffic packet analysis

SYN Flood attack

Under normal circumstances, the TCP three-way handshake proceeds as follows:


The client sends a SYN packet to the server, carrying the port number used by the client and the client's initial sequence number x.

On receiving the client's SYN, the server knows the client wants to establish a connection, so it replies with a SYN+ACK packet carrying the acknowledgement number x+1 and the server's own initial sequence number y.

On receiving the server's SYN+ACK, the client returns an ACK packet with acknowledgement number y+1 and sequence number x+1. The three-way handshake is complete and the TCP connection is established.

SYN Flood attack principle:

First, the client sends a SYN packet to the server. After receiving it, the server replies to the client with a SYN+ACK packet. Finally, the client returns an ACK packet to the server, completing the TCP connection. A SYN flood attack is built on never returning that last ACK, which leaves a half-open connection behind. A TCP half-open connection is the state in which one side has sent or received a connection request and is waiting for the other side to respond. Every half-open connection holds system resources while it waits. Once the number of half-open connections reaches the system's upper limit, no new connections can be established, and the result is denial of service.
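The resource exhaustion described above can be seen in a small model of the server side of the handshake. The following is an added example written for this article, not code from the original post; it models a listener with a fixed half-open queue (the `backlog` and `syn_timeout` names are assumptions of the example), floods it with SYNs that never complete, and then shows that a stateless mode that stores nothing per SYN (the SYN-cookie idea, simplified here without actual cookie validation) leaves room for legitimate clients.

```python
"""Model of how unanswered SYNs fill a fixed-size half-open queue.
Constructed example for this article; it simulates the handshake state on the
server and sends no packets. Source addresses are from documentation ranges."""
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int                 # maximum number of half-open entries kept
    syn_timeout: float           # seconds before an unanswered SYN+ACK is discarded
    syn_cookies: bool = False    # assumption: stateless mode stores no entry per SYN
    half_open: dict = field(default_factory=dict)   # (src, sport) -> expiry time
    established: int = 0
    dropped_syns: int = 0

    def on_syn(self, src, sport, now):
        """Handle an incoming SYN; return True if the server answers with SYN+ACK."""
        if self.syn_cookies:
            return True                      # state is encoded in the sequence number, nothing stored
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1           # queue full: the new client is refused
            return False
        self.half_open[(src, sport)] = now + self.syn_timeout
        return True

    def on_ack(self, src, sport, now):
        """Handle the third handshake packet; return True if a connection is established."""
        # a real SYN-cookie implementation validates the cookie here; the model accepts it
        if self.syn_cookies or self.half_open.pop((src, sport), None) is not None:
            self.established += 1
            return True
        return False

    def expire(self, now):
        """Drop half-open entries whose timeout has passed."""
        for key in [k for k, t in self.half_open.items() if t <= now]:
            del self.half_open[key]


def run(syn_cookies, backlog=128, syn_timeout=60.0, spoofed_syns=1000, legit_clients=10):
    """Flood the listener with SYNs that never complete, then let normal clients try."""
    srv = Listener(backlog, syn_timeout, syn_cookies)
    now = 0.0
    # constructed flood: one SYN per millisecond, the final ACK is never sent
    for i in range(spoofed_syns):
        srv.on_syn("198.51.100.%d" % (i % 250), 10000 + i, now)
        now += 0.001
    # legitimate clients complete the handshake 50 ms later, before any entry times out
    accepted = 0
    for i in range(legit_clients):
        if srv.on_syn("203.0.113.5", 40000 + i, now) and srv.on_ack("203.0.113.5", 40000 + i, now + 0.05):
            accepted += 1
    return {"half_open": len(srv.half_open), "dropped": srv.dropped_syns,
            "established": srv.established, "legit_accepted": accepted}


if __name__ == "__main__":
    print("stateful listener:", run(syn_cookies=False))
    print("stateless listener:", run(syn_cookies=True))
```

With the stateful listener the 128-entry queue is full after the first 128 spoofed SYNs and every later client, legitimate or not, is refused until the 60-second timeout clears entries; the two levers a defender has are exactly the ones in the model, a shorter timeout for unanswered SYN+ACKs and not allocating state per SYN at all.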

Traffic packet analysis of victim target machine


Capture packets with Wireshark and filter out the IP addresses that send packets most frequently.

Filter on 218.xxx.xxx.87 and look at the protocol proportions: TCP and HTTP account for a large share.


Filtering the SYN packets within TCP shows that SYN packets make up 82.9% of the traffic, from which a SYN FLOOD denial-of-service attack can be diagnosed.


UDP Flood attack

UDP Flood attack principle:

Because UDP is a connectionless protocol, it consumes few system resources and can generate far higher traffic volumes under the same conditions, which makes it the main vehicle for traffic-type attacks. When the victim system receives a UDP packet, it looks up which application is listening on the destination port. If no application is listening there, it generates an ICMP destination-unreachable (port unreachable) message and sends it to the packet's source address, which the attacker has forged. If enough UDP packets are sent to the victim's ports, the system is driven into denial of service. This is why UDP FLOOD has become the main means of traffic-type denial-of-service attacks.

Traffic packet analysis of victim target machine


Capture packets with Wireshark and filter out the IP addresses that send packets most frequently.

Filter on the 117.xxx.xxx.0 network segment and look at the protocol proportions: the victim machine is receiving mostly UDP packets.


The UDP packets all have the same fixed size, 172 bytes.


A large volume of UDP packets, all of identical size, is the signature of a UDP flood attack.


Slow denial of service attack

Install slowhttptest:

apt install slowhttptest -y

Principle of slow denial of service attack:

A complete HTTP request header block ends with the empty line \r\n\r\n. In a slow denial-of-service attack the client sends header lines terminated by a single \r\n and never the final \r\n, so the server believes the request has not finished arriving and keeps waiting until its timeout expires, holding the connection open the whole time.
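The defence that follows from this is a deadline on header completion that runs from the first byte of a request rather than from the last one, so that trickling one header line at a time cannot keep resetting the clock. The following is an added example written for this article, not code from the original post or from slowhttptest; the `HeaderDeadlineTracker` class, its `header_timeout` and `max_header_bytes` parameters, and the constructed request fragments are all assumptions of the example.

```python
"""Header-read deadline against slow HTTP requests.
Constructed example for this article. A request's header block ends with the
blank line CRLF CRLF; a slow client sends lines ending in a single CRLF and never
the blank line, so a server with no deadline keeps the connection busy."""
import time

HEADER_END = b"\r\n\r\n"


def headers_complete(buf: bytes) -> bool:
    """True once the buffered bytes contain the blank line that ends the header block."""
    return HEADER_END in buf


class HeaderDeadlineTracker:
    """Tracks partially received requests and evicts those whose headers have not
    completed within `header_timeout` seconds of their FIRST byte, or that exceed
    `max_header_bytes`. Assumed policy, not from the article."""

    def __init__(self, header_timeout: float, max_header_bytes: int = 8192):
        self.header_timeout = header_timeout
        self.max_header_bytes = max_header_bytes
        self.conns = {}   # conn_id -> [first_byte_time, buffered_bytes]

    def feed(self, conn_id, data: bytes, now: float) -> str:
        """Append received bytes for one connection and return its state."""
        entry = self.conns.setdefault(conn_id, [now, b""])
        entry[1] += data
        if headers_complete(entry[1]):
            del self.conns[conn_id]          # hand the request to the real parser
            return "complete"
        if len(entry[1]) > self.max_header_bytes:
            del self.conns[conn_id]
            return "too large"
        if now - entry[0] > self.header_timeout:
            del self.conns[conn_id]          # slow client: close the connection
            return "timeout"
        return "pending"

    def reap(self, now: float) -> list:
        """Evict every idle connection whose header deadline has passed; returns their ids."""
        expired = [c for c, (first, _) in self.conns.items() if now - first > self.header_timeout]
        for c in expired:
            del self.conns[c]
        return expired


def demo():
    """Constructed traffic: one normal request and one client that trickles header lines."""
    t = HeaderDeadlineTracker(header_timeout=10.0)
    normal = t.feed("c1", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", now=0.0)
    slow = [t.feed("c2", b"GET / HTTP/1.1\r\n", now=0.0)]
    slow.append(t.feed("c2", b"X-a: 1\r\n", now=5.0))      # still inside the deadline
    slow.append(t.feed("c2", b"X-b: 2\r\n", now=10.5))     # 10.5 s since first byte: evicted
    return normal, slow


if __name__ == "__main__":
    print(demo())   # ('complete', ['pending', 'pending', 'timeout'])
```

A server loop would call `feed` on every read and `reap` on a timer (`time.monotonic()` as the clock), so a connection that simply goes silent after its first line is also closed; production servers expose the same knob under names such as a request-header timeout.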

slowhttptest -c 5000 -H -g -o my_header_stats -i 10 -r 5000 -t GET -u "http://10.10.10.134" -x 200 -p 3

(-c 5000: open 5000 connections during the test; -H: slowloris mode, i.e. slow headers; -g: generate CSV and HTML statistics; -o my_header_stats: name of the statistics files; -i 10: interval of 10 seconds between follow-up data; -r 5000: connection rate of 5000 per second; -t GET: HTTP verb; -u: target URL; -x 200: maximum length of follow-up data; -p 3: probe timeout in seconds used to decide that the DOS has succeeded)


The CPU load and network traffic of the target machine rise sharply.



Traffic packet analysis of victim target machine


Attack machine IP: 10.10.10.129; target machine IP: 10.10.10.134

[PSH,ACK] marks the ACK packets carrying data that the attacking machine sends to the target machine, and [ACK] marks the acknowledgement packets the target machine sends back to the attacking machine.

Two consecutive \r\n are never sent, so the target machine keeps waiting indefinitely.


The HTTP protocol share is 36.6% and the TCP protocol share is 87.4%.


Filtering on ACK packets gives a share of 98.2%, far above normal. Taken together, this can be judged to be a slow denial-of-service attack.


ICMP Flood attack

ICMP Flood attack principle:

When the number of ICMP echo requests (ping) exceeds the limit the system can handle, the system spends all of its resources answering them until it can no longer process legitimate network traffic. Because ICMP messages can simply be dropped without affecting the operation of most systems, this attack is comparatively easy to defend against.

Generating an ICMP flood with hping3:

hping3 -q -n -a 1.1.1.1 --icmp -d 200 --flood 10.10.10.134


The CPU load and network traffic of the target machine rise sharply.



Traffic packet analysis of victim target machine

The forged source IP 1.1.1.1 sends a large number of ICMP packets to the target IP 10.10.10.134.


Filtering shows that a single IP sent a large number of ICMP packets, with an ICMP share of 86.0%, which can be judged to be an ICMP denial-of-service attack.
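The three capture analyses above (SYN share for the SYN flood, identical-size UDP datagrams for the UDP flood, ICMP share for the ICMP flood) follow one workflow: rank the busiest sources, look at each one's protocol mix, then apply a per-protocol check. The following is an added example written for this article, not code from the original post; it reproduces that workflow offline over constructed packet records (documentation IP ranges standing in for the addresses in the captures), and the thresholds are assumptions chosen to match the ratios the article observed, so they should be tuned to the baseline of the network being protected.

```python
"""Offline version of the capture triage the article performs in Wireshark.
Constructed example for this article: the packet records are made up, and the
thresholds (syn_share, icmp_share, min_udp) are assumptions."""
from collections import Counter

# A record is (src_ip, protocol, tcp_flags, length). tcp_flags is "S" for a
# bare SYN, "A" for ACK, "PA" for PSH+ACK, and None for non-TCP packets.


def build_sample():
    """Constructed capture with one source per attack pattern plus a normal client."""
    packets = []
    # stands in for the article's 218.xxx.xxx.87 source: 83% bare SYNs
    packets += [("198.51.100.87", "TCP", "S", 60)] * 83
    packets += [("198.51.100.87", "TCP", "A", 60)] * 17
    # stands in for the 117.xxx.xxx.0 segment: UDP datagrams all 172 bytes long
    packets += [("203.0.113.9", "UDP", None, 172)] * 50
    packets += [("203.0.113.10", "UDP", None, 172)] * 50
    # stands in for the forged 1.1.1.1 source: 86% ICMP
    packets += [("192.0.2.1", "ICMP", None, 228)] * 86
    packets += [("192.0.2.1", "TCP", "A", 60)] * 14
    # an ordinary client: handshakes that complete, UDP of varying size
    packets += [("10.10.10.20", "TCP", "S", 60), ("10.10.10.20", "TCP", "A", 60),
                ("10.10.10.20", "TCP", "PA", 512)] * 3
    packets += [("10.10.10.20", "UDP", None, 90), ("10.10.10.20", "UDP", None, 300)]
    return packets


def prefix24(ip):
    """Group key for a /24 segment, as the article does for 117.xxx.xxx.0."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def top_talkers(packets, n=3, key=lambda ip: ip):
    """Sources (or /24 segments) that sent the most packets, busiest first."""
    return Counter(key(p[0]) for p in packets).most_common(n)


def protocol_mix(packets, src, key=lambda ip: ip):
    """Share of each protocol among packets from `src`, like Wireshark's protocol hierarchy."""
    mine = [p for p in packets if key(p[0]) == src]
    counts = Counter(p[1] for p in mine)
    return {proto: round(cnt / len(mine), 3) for proto, cnt in counts.items()}


def classify(packets, src, key=lambda ip: ip, syn_share=0.8, icmp_share=0.8, min_udp=20):
    """Apply the article's three indicators to one source or segment."""
    mine = [p for p in packets if key(p[0]) == src]
    if not mine:
        return "no traffic"
    tcp = [p for p in mine if p[1] == "TCP"]
    syn_only = [p for p in tcp if p[2] == "S"]
    if tcp and len(syn_only) / len(tcp) >= syn_share:
        return "SYN flood"                       # handshakes are started but never completed
    udp = [p for p in mine if p[1] == "UDP"]
    if len(udp) >= min_udp and len({p[3] for p in udp}) == 1:
        return "UDP flood (fixed size %d bytes)" % udp[0][3]
    icmp = [p for p in mine if p[1] == "ICMP"]
    if len(icmp) / len(mine) >= icmp_share:
        return "ICMP flood"
    return "normal"


def triage(packets):
    """The full workflow: busiest /24 segments first, then a verdict per segment."""
    return {seg: classify(packets, seg, key=prefix24)
            for seg, _ in top_talkers(packets, n=4, key=prefix24)}


if __name__ == "__main__":
    sample = build_sample()
    for seg, verdict in triage(sample).items():
        print(seg, protocol_mix(sample, seg, key=prefix24), "->", verdict)
```

On a real capture the records would come from a pcap parser or from `tshark` field output, and the same per-source ratios can be computed on a sliding time window so that the verdict is reached while the attack is still running rather than after the fact.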



Postscript

The harm caused by denial-of-service attacks is considerable, and at its root it comes from unrestricted occupation of limited resources. Prevention therefore works along two lines: limit the quota of resources any single untrusted party may hold, or increase the limited resources available to the system.


Copyright © 2005-2024 EEWORLD.com.cn, Inc. All rights reserved 京ICP证060456号 京ICP备10001474号-1 电信业务审批[2006]字第258号函 京公网安备 11010802033920号