DDoS attack methods
Most of the content of this article draws on the book King of Destruction: In-depth Analysis of DDoS Attack and Prevention. Interested readers can look it up; as an introductory book it has been very helpful to me.
DDoS (Distributed Denial of Service) has a long history: the first denial-of-service attack dates back to 1996. Why is it still so popular and effective today? A DDoS attack is much like a real war: it is often unnecessary to annihilate the enemy; cutting off the supply line or occupying the command center is enough. Today's network services are closely coupled with many module components, and if one module fails the whole business may be affected. So a DDoS attacker only needs to invest a relatively small cost and focus on one point of the target to take down the target's whole service, while the attacked party often has to pay many times that cost to deal with this small "enemy". Of course, as network security protection improves, low-traffic attacks with simple logic often have no effect on the target, and the cost of DDoS attacks keeps rising. Even so, compared with other attack methods, DDoS is still almost the best choice in terms of cost, benefit and difficulty.
DDoS involves a wide range of knowledge and I am also a beginner, so this article only briefly introduces some common DDoS attack methods. As technology evolves there are more and more attack methods, and one article certainly cannot cover them all, but the idea behind the attacks runs in one continuous line; only the concrete methods differ.
The main purpose of DDoS is to make the target service unavailable. There are many ways to reach this goal, with different levels of difficulty, and DDoS can be said to choose the simplest one. It does not care how strong your architecture is or how good your code is; it does only one thing: whatever service you provide, it uses it up so that nobody else can. If you have many servers that support many concurrent connections and the servers' computing performance is high, then the attacker simply uses more. If you support 10000 concurrent connections, the attacker occupies all 10000 of them.
Where the resources used to occupy these services come from (botnets, controlling high-performance servers, and so on) is not the concern of this article; the question here is how the services are occupied. The mainstream attack methods fall into three categories: attacks on network bandwidth, attacks on system resources and attacks on application resources.
1, Network bandwidth resources
As the name suggests, this kind of attack occupies the target's bandwidth and exhausts the network data processing capacity of its servers and network devices, so that other normal requests are affected and denial of service is achieved.
1.1 direct attack
- ICMP/IGMP flood attack
The core idea is to send a large number of ICMP/IGMP messages. This method is relatively old and is basically no longer used, because the attack target can simply filter and discard such packets at its network boundary, so it is not introduced further.
- UDP flood attack
The attacker uses UDP to send a large number of packets to the target host. Attackers generally use either small packets (64 bytes) or large packets (1500 bytes). Because switches and routers check each packet, small packets effectively increase the per-packet processing load on network devices; large packets effectively occupy the transmission bandwidth of the network interface and force the attacked target to fragment and reassemble the received UDP data, causing network congestion and slow server responses. However, this attack method demands high network performance from the attacker's machines: to hit the target with 50 G of traffic you need to send 50 G of UDP packets.
1.2 reflection amplification attack
A direct attack requires high network performance from the attacking host: the traffic you can deliver to the target is at most the traffic you send. Amplification attacks solve this problem, and because they go through a reflector they also hide the attacker's source IP.
A reflection amplification attack has two characteristics: amplification and hiding. Amplification requires finding an asymmetry between request and response sizes in a network protocol.
- ACK reflection attack
The attacker uses the TCP handshake: SYN packets are sent with the source address forged as the attack target, so the returned ACK packets are sent to the target host. The attacker's IP can be forged, but there is no amplification, so this is not very interesting.
- DNS amplification attack
A DNS response packet is usually larger than the query packet and can amplify traffic by 2-10 times. Before EDNS0, DNS packets were limited to 512 bytes. With EDNS0 the client can specify the maximum message size it can handle, and the DNS response is generated according to that value, which raises the amplification to more than 50 times. Note that the DNS servers that can be used for this must support recursive queries. This method both hides the attacker and amplifies traffic, so it is commonly used.
- NTP amplification attack
Similar to the DNS attack, but using the NTP protocol. With appropriate means the amplification factor can exceed 700 times. It mainly relies on the monlist feature; interested readers can look into it. When public NTP servers restrict the monlist feature, the effect of this attack becomes very poor because the amplification factor drops sharply.
- SNMP amplification attack
This uses the Simple Network Management Protocol (SNMP). The amplification factor can exceed 25 times. Because SNMP works well, many network devices use it and there are many machines available. However, after scanning these devices you still need to guess the default community string they use, which is difficult, and the amplification is not ideal.
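The asymmetry that the DNS amplification item above relies on can be checked on the resolver side. The following is an added example (not from the book or this post): it parses the UDP payload size a query advertises through EDNS0 and decides whether a response of a given size should be served, truncated or refused; the 1232-byte cap, the `client_is_local` flag and the constructed query are assumptions.

```python
import struct

DNS_TYPE_OPT = 41          # EDNS0 OPT pseudo-record type
CLASSIC_UDP_LIMIT = 512    # pre-EDNS0 maximum DNS-over-UDP message size

def build_query(name, qtype=255, edns_payload=0):
    """Build a minimal DNS query (constructed sample input, not captured traffic);
    an EDNS0 OPT record is attached when edns_payload > 0."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, arcount)   # flags: RD set
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns_payload:
        # OPT RR: root name, TYPE=41, CLASS=advertised UDP payload size, TTL=0, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_payload, 0, 0)
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past a domain name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def advertised_udp_size(query):
    """UDP payload size the client advertises via EDNS0, or 512 if there is no OPT record."""
    qd, an, ns, ar = struct.unpack("!HHHH", query[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4                        # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            return rclass                                      # CLASS field carries the size
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT

def amplification_factor(query_len, response_len):
    """Bytes sent back per byte received: the ratio an amplification attack exploits."""
    return response_len / query_len

def response_policy(query, response_len, client_is_local, cap=1232):
    """Assumed resolver policy: recurse only for local clients, and never send a UDP answer
    larger than min(advertised size, cap); bigger answers are truncated so the client must
    retry over TCP, which a spoofed source address cannot do."""
    if not client_is_local:
        return "refuse"                 # not an open resolver: no recursion for outsiders
    limit = min(advertised_udp_size(query), cap)
    return "serve" if response_len <= limit else "truncate"
```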
1.3 attack link
The target of this attack is not the bandwidth of an endpoint server on the Internet but the link bandwidth of the backbone network. It requires controlling a widely distributed botnet, splitting it into two groups A and B, and having the hosts in A send data to the hosts in B. This attack is hard to defend against because the traffic looks like real communication.
2, Attack system resources
This part mainly targets the session resources of the system: occupying sessions so that normal connections cannot be established, thereby achieving denial of service.
There is a common misunderstanding that DDoS is only an attack that consumes network bandwidth. In fact, this category attacks system resources, and an attack that consumes system resources, such as a SYN attack, is more harmful than one that consumes bandwidth, such as a UDP attack.
2.1 attack TCP connection
- TCP connection flood attack
Botnet hosts establish complete TCP connections with the target host (all three handshake steps are completed), filling the target's TCP connection table so that normal requests are rejected.
- SYN flood attack
The botnet sends only SYN messages and never responds to the target host's ACK messages, so no connection is completed, but the half-open entries still occupy the target's connection table and cause denial of service. This attack is very popular and simple. Since no complete connection is needed, the attacker can also forge the source IP of the SYN messages, hiding the attack source.
- PSH+ACK flood attack
During TCP transmission the PSH flag can be set to indicate that the current data transfer is complete. When the server receives a message with PSH+ACK set, it delivers the data to the service process and empties the receive buffer immediately, without waiting to see whether more data arrives. An attacker can exploit this flag by sending a large number of PSH+ACK packets to the target host; the target then consumes a lot of system resources constantly emptying the receive buffer, resulting in denial of service.
- RST flood attack
Forcibly tearing down a connection with RST when the four-way TCP teardown cannot be completed is also an attack method, but it has a difficulty: you need to know the real client IP and port, and the sequence number of the RST message must fall within the server's receive window. Usually blind RST injection is combined with some deception and sniffing techniques. It is often used against online games or competitions; the disconnections you experience in LOL are done this way.
- Sockstress attack
This attack does not need to send a large volume of traffic in a short time; it is a slow attack. It mainly abuses the receive buffer size setting: the attacker sets its receive window to 0. When the target host needs to send data to the attacker and finds that the receive window size is 0, it stops sending data and keeps sending window probe packets, which ties up resources and results in denial of service.
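The half-open connections described in the SYN flood item above show up as handshakes that never complete. The following added example (not from the book or this post) replays constructed packet events and flags destinations whose SYN backlog is large and mostly never completes; the thresholds, the 60-second window and the sample addresses are assumptions.

```python
from collections import defaultdict

def handshake_stats(events, window=60.0):
    """Per destination within the window: half-open (SYN never followed by the client's ACK),
    completed handshakes, and the distinct sources behind the half-open entries."""
    now = max(e[0] for e in events)
    pending = {}                    # (src, dst) -> timestamp of the unanswered SYN
    completed = defaultdict(int)
    for ts, src, dst, flags in events:
        if ts < now - window:
            continue
        key = (src, dst)
        if "S" in flags and "A" not in flags:
            pending[key] = ts
        elif "A" in flags and key in pending:   # third handshake packet arrived
            del pending[key]
            completed[dst] += 1
    stats = defaultdict(lambda: {"half_open": 0, "completed": 0, "sources": set()})
    for src, dst in pending:
        stats[dst]["half_open"] += 1
        stats[dst]["sources"].add(src)
    for dst, n in completed.items():
        stats[dst]["completed"] += n
    return stats

def syn_flood_suspects(events, min_half_open=50, max_completion_ratio=0.2):
    """Flag destinations with a large half-open backlog that mostly never completes.
    A high distinct-source count on such a destination hints at spoofed SYN sources."""
    suspects = {}
    for dst, s in handshake_stats(events).items():
        total = s["half_open"] + s["completed"]
        ratio = s["completed"] / total if total else 1.0
        if s["half_open"] >= min_half_open and ratio <= max_completion_ratio:
            suspects[dst] = {"half_open": s["half_open"],
                             "distinct_sources": len(s["sources"])}
    return suspects

# Constructed events (timestamp, src, dst, TCP flags), not captured traffic:
# 200 SYNs from 200 different sources to 203.0.113.10 that are never followed by an ACK,
# plus 10 normal handshakes each to 203.0.113.10 and 203.0.113.20.
SAMPLE_EVENTS = [(0.1 * i, f"198.51.100.{i + 1}", "203.0.113.10", "S") for i in range(200)]
for i in range(10):
    for dst in ("203.0.113.10", "203.0.113.20"):
        SAMPLE_EVENTS.append((1.0 + i, f"192.0.2.{i + 1}", dst, "S"))
        SAMPLE_EVENTS.append((1.1 + i, f"192.0.2.{i + 1}", dst, "A"))
```

Once such a backlog is observed, the usual Linux mitigation is SYN cookies (net.ipv4.tcp_syncookies), which let the kernel answer SYNs without storing half-open state.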
2.2 attacking SSL connections
The Secure Sockets Layer encrypts the network connection at the transport layer, but encryption and decryption consume a lot of system resources.
With the RSA 4096 algorithm, in extreme cases the server consumes 25 times the resources of the client.
- THC SSL DoS attack
Normally both sides only need one SSL handshake before data transfer, but with the Renegotiation option the key can be renegotiated to establish a new keyed connection. The attacker uses this option to renegotiate the key constantly and consume the server's computing resources. Even if the server does not support renegotiation, the attacker can open new SSL connections to achieve a similar effect.
- SSL flood attack
During the SSL handshake the server must verify the validity of the data it receives, which requires decrypting it first. An attacker can exploit this by sending a large number of fake SSL handshake requests to the target; this is the SSL flood attack.
3, Attack application resources
3.1 attack DNS Service
An attack against a public DNS service has a large impact.
- DNS QUERY flood attack
The attacker sends a large number of query requests to the DNS server to achieve denial of service. To understand the principle, consider how DNS resolution works: during the attack different domain names are queried continuously, so the DNS server keeps refreshing its cache and new resolution requests cannot hit the cache. This forces the DNS server to make many additional queries, increasing its computing and network resource consumption and finally achieving denial of service.
- DNS NXDOMAIN flood attack
A variant of the DNS QUERY attack. The difference is that DNS QUERY sends real domain names each time, while DNS NXDOMAIN sends fake domain names. If the cache is not hit, the DNS server does not know whether the domain name is real or fake and still performs recursive or iterative queries.
3.2 attacking WEB Services
- HTTP flood attack
As the name says, the attacker uses controlled zombie hosts to send a large number of malicious HTTP requests to the web service, consuming the target host's resources. Because HTTP is a layer-7 protocol on top of TCP, a handshake is required, so the attacking IP cannot be hidden; attackers therefore generally go through HTTP proxy servers, so the attack can continue even if some hosts are blocked. Web services also have caching mechanisms, so each request needs to be different in order to consume the target host's computing, storage and IO resources; otherwise only bandwidth is consumed. If the server supports HTTPS, attacking over HTTPS is more effective because of the additional encryption and decryption.
- Slowloris attack
A slow attack. According to the HTTP protocol, \r\n\r\n marks the end of the request header. The attacker constructs a GET request and slowly sends useless header fields, never sending the \r\n\r\n end marker, so as to occupy the threads that handle requests. Since a web service can only process a limited number of concurrent requests, denial of service is achieved.
- Slow POST request attack
Similar to the Slowloris attack, but this time the body field is used: the request header sets Content-Length to a large value, and the body is then sent byte by byte at a very slow rate, occupying the server's request connection.
- Data processing attack
By constructing malicious request content, the resource consumption of data processing is greatly increased, for example regular expression denial of service (ReDoS) and hash collision denial of service attacks.
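Both the Slowloris and the slow POST attack above defeat a server that waits indefinitely for the rest of a request. The following added example (not from the book or this post) is a per-connection guard that enforces a header-completion deadline and a minimum body rate, exercised on constructed request streams; the thresholds, the `feed` interface and the sample requests are assumptions.

```python
HEADER_END = b"\r\n\r\n"   # end-of-header marker in HTTP

class RequestGuard:
    """Per-connection state: closes a request that stalls before its header completes (Slowloris) or drips its body too slowly (slow POST)."""
    def __init__(self, header_timeout=10.0, min_body_rate=100.0):
        self.header_timeout = header_timeout   # seconds allowed to finish the header
        self.min_body_rate = min_body_rate     # bytes/second the body must sustain
        self.buf = b""
        self.started = None
        self.header_done_at = None
        self.content_length = 0
        self.body_received = 0

    def feed(self, now, data):
        """Consume bytes arriving at time `now`; return 'ok' or a reason to close."""
        if self.started is None:
            self.started = now
        if self.header_done_at is None:
            self.buf += data
            end = self.buf.find(HEADER_END)
            if end < 0:
                if now - self.started > self.header_timeout:
                    return "header timeout (Slowloris pattern)"
                return "ok"
            self.header_done_at = now
            header, data = self.buf[:end].decode("latin-1"), self.buf[end + 4:]
            for line in header.split("\r\n")[1:]:          # skip the request line
                name, _, value = line.partition(":")
                if name.strip().lower() == "content-length" and value.strip().isdigit():
                    self.content_length = int(value.strip())
        self.body_received += len(data)
        elapsed = now - self.header_done_at
        if self.body_received < self.content_length and elapsed > 1.0 and self.body_received / elapsed < self.min_body_rate:
            return "body too slow (slow POST pattern)"
        return "ok"

def verdict(chunks, **limits):
    """Feed (time, bytes) chunks through one guard; return the first non-ok verdict or 'ok'."""
    guard = RequestGuard(**limits)
    for t, data in chunks:
        result = guard.feed(t, data)
        if result != "ok":
            return result
    return "ok"

# Constructed request streams, not captured traffic.
SLOWLORIS = [(0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")] + [(5.0 * i, b"X-a: b\r\n") for i in range(1, 4)]   # header never ends
SLOW_POST = [(0.0, b"POST /up HTTP/1.1\r\nHost: example.test\r\nContent-Length: 100000\r\n\r\n")] + [(2.0 * i, b"x") for i in range(1, 6)]   # one byte every 2 s
NORMAL = [(0.0, b"POST /up HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello")]
```

Production servers expose the same knobs: nginx's client_header_timeout and client_body_timeout and Apache's mod_reqtimeout enforce these limits without custom code.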
4, Mixed attack
This kind of attack combines the above attacks to achieve a better effect.
For example, a Slowloris attack and a slow POST request attack can be combined with a large volume of attack traffic that drowns the slow requests, so that the defender cannot locate the real cause of the denial of service.
Finally, the existing attack methods are shown from a different classification angle:
Attack classification | Flood attack | Slow attack |
---|---|---|
Network layer attack | ICMP/IGMP attack | |
Transport layer attack | UDP flood attack, TCP connection attack, SYN flood attack, PSH+ACK flood attack, ACK reflection attack, RST flood attack, SSL flood attack | Sockstress attack, THC SSL DoS attack |
Application layer attack | DNS QUERY attack, DNS NXDOMAIN flood attack, DNS amplification attack, HTTP flood attack, SNMP amplification attack, NTP amplification attack | Slowloris attack, Slow POST request attack, Data processing attack |