Definition of DDoS
A Distributed Denial of Service (DDoS) attack uses client/server technology to combine many computers into a single attack platform that launches denial of service attacks against one or more targets, thereby multiplying the power of the attack. Usually the attack either exploits a defect in the target system's network service or directly consumes its system resources, so that the target can no longer provide normal service.
Attack methods
Network layer DDoS attacks
(1) SYN flood attack
A SYN flood exploits the TCP three-way handshake. Normally the two parties exchange SYN, SYN+ACK and ACK packets to establish a connection. When the attacker sends SYN packets with arbitrarily forged source IP addresses, the SYN+ACK returned by the server is never answered (because the source IP is forged), so the server retransmits the SYN+ACK and keeps the half-open connection in its backlog for a waiting time of at least 30 s. The backlog fills up and the service becomes unavailable. This is a slow-type DoS attack.
(2) UDP flood attack
Since UDP is a connectionless protocol, an attacker can forge a large number of source IP addresses and send UDP packets; this is a high-traffic attack. Under normal conditions the two directions of UDP traffic are roughly equal, so while the attacker consumes the target's resources it also consumes its own.
(3) ICMP flood attack
This is also a high-traffic attack. The principle is to continuously send abnormal ICMP packets (abnormal meaning the packet payload is very large), saturating the target's bandwidth; again the attacker's own resources are consumed as well. Since many servers now drop ping (ICMP packets can be blocked at the firewall), this method is outdated.
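The SYN flood described above leaves its trace as connections stuck in the SYN-RECV state. The following added example (not part of the original article) counts half-open connections per local port from `ss -tan` style output; the sample output and the threshold of 3 are constructed for illustration, and a real host would use a far higher threshold.

```python
from collections import Counter

# Constructed sample in the format printed by `ss -tan`; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      10.0.0.5:443        203.0.113.10:51234
SYN-RECV   0      0      10.0.0.5:443        198.51.100.7:40001
SYN-RECV   0      0      10.0.0.5:443        198.51.100.8:40002
SYN-RECV   0      0      10.0.0.5:443        198.51.100.9:40003
SYN-RECV   0      0      10.0.0.5:443        198.51.100.10:40004
SYN-RECV   0      0      10.0.0.5:22         192.0.2.44:55000
ESTAB      0      0      10.0.0.5:22         192.0.2.45:55001
"""


def half_open_per_port(ss_output):
    """Count connections in SYN-RECV (half-open, waiting for the client's ACK) per local port."""
    counts = Counter()
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        local_addr = fields[3]
        # rsplit keeps IPv6 literals intact; only the last ':' separates the port.
        port = local_addr.rsplit(":", 1)[1]
        counts[port] += 1
    return counts


def distinct_half_open_peers(ss_output):
    """Count distinct peer addresses behind the half-open connections.
    A flood from forged sources shows many peers that never complete the handshake."""
    peers = set()
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "SYN-RECV":
            peers.add(fields[4].rsplit(":", 1)[0])
    return len(peers)


def syn_flood_suspects(ss_output, threshold=3):
    """Return local ports whose half-open count reaches the (constructed) threshold.
    On Linux, enabling SYN cookies (sysctl net.ipv4.tcp_syncookies=1) is the usual mitigation."""
    return sorted(p for p, n in half_open_per_port(ss_output).items() if n >= threshold)


if __name__ == "__main__":
    print(half_open_per_port(SAMPLE_SS_OUTPUT))
    print(syn_flood_suspects(SAMPLE_SS_OUTPUT))
```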
Application layer DDoS attacks
(1) CC attack (Challenge Collapsar)
A CC attack continuously sends requests for pages that consume a lot of server resources until those resources are exhausted. The attacker therefore first identifies pages that load slowly and consume more resources, such as pages that query a database or read and write files on disk, and then uses crawler-like tools to send large numbers of HTTP requests to them.
(2) HTTP POST DoS
The principle is to send an HTTP POST request with a very large Content-Length value and then transmit the body at a very low speed so that the connection is kept open, until the server's connections are saturated and the service becomes unavailable.
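Both application-layer attacks above can be recognized from per-connection records kept by a web server or reverse proxy: a CC attack shows one client hammering expensive pages, a slow POST shows a huge declared Content-Length delivered at a trickle. The following added example (not from the original article) runs both checks over constructed records; the paths in EXPENSIVE_PATHS and the thresholds are hypothetical values chosen for this example.

```python
from collections import Counter

# Constructed sample connection records, not taken from a real server:
# (client_ip, method, path, declared_content_length, body_bytes_received, elapsed_s, start_time)
SAMPLE_RECORDS = [
    ("203.0.113.10", "GET", "/search", 0, 0, 0.3, 100.1),
    ("203.0.113.10", "GET", "/index.html", 0, 0, 0.05, 100.4),
    ("198.51.100.7", "GET", "/search", 0, 0, 0.8, 100.0),
    ("198.51.100.7", "GET", "/search", 0, 0, 0.8, 100.1),
    ("198.51.100.7", "GET", "/search", 0, 0, 0.9, 100.2),
    ("198.51.100.7", "GET", "/search", 0, 0, 0.9, 100.3),
    ("198.51.100.7", "GET", "/report", 0, 0, 1.1, 100.5),
    ("198.51.100.7", "GET", "/report", 0, 0, 1.2, 100.7),
    ("192.0.2.44", "POST", "/upload", 5000, 5000, 0.3, 101.0),
    ("192.0.2.45", "POST", "/upload", 10_000_000, 200, 30.0, 101.5),
]

# Hypothetical resource-heavy pages (database queries, disk I/O) used only for this example.
EXPENSIVE_PATHS = {"/search", "/report"}


def cc_suspects(records, window_s=1.0, max_requests=5):
    """Return client IPs that request expensive pages more than max_requests
    times inside a single time window of window_s seconds (CC attack pattern)."""
    hits = Counter()
    for ip, _method, path, _decl, _recv, _elapsed, start in records:
        if path in EXPENSIVE_PATHS:
            hits[(ip, int(start // window_s))] += 1
    return sorted({ip for (ip, _bucket), n in hits.items() if n > max_requests})


def slow_post_suspects(records, min_declared=1_000_000, min_rate_bps=10_000):
    """Return client IPs whose POST declares a body of at least min_declared bytes
    but delivers it below min_rate_bps bytes per second (HTTP POST DoS pattern).
    Servers mitigate this with body-read timeouts and minimum upload rates."""
    suspects = set()
    for ip, method, _path, declared, received, elapsed, _start in records:
        if method != "POST" or declared < min_declared or elapsed <= 0:
            continue
        if received / elapsed < min_rate_bps:
            suspects.add(ip)
    return sorted(suspects)


if __name__ == "__main__":
    print("CC suspects:", cc_suspects(SAMPLE_RECORDS))
    print("Slow POST suspects:", slow_post_suspects(SAMPLE_RECORDS))
```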
DDoS attacks consume large amounts of network resources through huge numbers of requests in order to paralyze the network. The attack methods can be divided into the following types:
Interfere with or even block normal network communication by overloading the network;
Overload the server by submitting a large number of requests to it;
Block a user from accessing the server;
Block a service from communicating with a specific system or individual.
Signs of an attack
When a DDoS attack occurs, it often has the following characteristics:
There are a large number of TCP connections waiting on the attacked host;
The network is flooded with a large number of useless packets;
Floods of useless high-volume traffic with forged source addresses cause network congestion, so that the victim host cannot communicate with the outside world normally;
Flaws in the transport protocols offered by the victim host are exploited to repeatedly send specific service requests at high speed, so that the host cannot process all normal requests;
In severe cases, the system will crash.
The dangers of DDoS attacks
DDoS is a distributed attack method. It replaces the traditional point-to-point attack model with an irregular, many-to-one pattern. Moreover, the attack is carried out over common protocols and services, so it is difficult to distinguish attack traffic from legitimate traffic by protocol or service type alone.
During the attack the packets are disguised and the source IP addresses are forged, so it is difficult to determine where the attack comes from and to trace it back. As a result, distributed denial of service attacks are very difficult to detect and inspect. Common defensive measures include:
Apply the latest patches to the system as soon as possible and use effective compliance configuration to reduce the risk of vulnerability exploitation;
Adopt appropriate security domain division and configure firewalls and intrusion detection and prevention systems to slow down attacks;
Adopt reliability measures such as distributed networking, load balancing and increased system capacity to strengthen overall service capability.
The main source of DDoS attacks is botnets distributed around the world.
A botnet is a group of computers on the Internet that are centrally controlled by attackers and are often used to launch large-scale network attacks, such as distributed denial of service (DDoS) attacks and mass spam.
When an attack is to be launched, the attacker sends predefined control commands through a central server that instruct the infected hosts to perform malicious actions, such as launching DDoS attacks, stealing sensitive host information, or updating and upgrading the malicious program.
Types of Botnets
Botnet can have many kinds of classification according to different classification standards.
By program type:
Agobot/Phatbot/Forbot/XtremBot. This is probably the most famous bot. Antivirus vendor Sophos lists more than 500 known versions of Agobot (Sophos Virus Analysis), and this number is steadily growing. The bot itself is written in cross-platform C++.
The latest available version of Agobot has clean code and a good abstract design, assembled in a modular way, so that adding commands, vulnerability scanners or attack functions is very simple. It also provides rootkit-like file and process hiding, giving it the ability to hide itself on a compromised host. Reverse-engineering a captured sample is harder because it includes the ability to detect debuggers (SoftICE and OllyDbg) and virtual machines (VMware and Virtual PC).
SDBot/RBot/UrBot/SpyBot. This family of malware is currently the most active bot software; SDBot is written in C. It provides the same features as Agobot but with a smaller command set and a less complex implementation. It is a bot program based on the IRC protocol.
GT-Bots are based on the popular IRC client program mIRC; GT is the abbreviation of GlobalThreat. These bots use scripts and other binaries to start an mIRC chat client but hide the original mIRC window. By executing the mIRC script they connect to the specified server channel and wait for malicious commands. Since this type of bot is bundled with the mIRC program, it is relatively large, often more than 1 MB.
By control protocol:
IRC Botnet. This refers to botnets whose control and communication use the IRC protocol. The main bot programs that form such botnets are SpyBot, GT-Bot and SDBot. At present most botnets belong to this category.
AOL Botnet. Similar to the IRC botnet, but built on the instant messaging service that AOL provides for America Online. The infected host logs on to a fixed server to receive control commands. AIM-Canbot and Fizzer use AOL Instant Messenger to control the bot.
P2P Botnet. The bot program used in this type of botnet includes a P2P client that can connect to a server using Gnutella technology (an open source file sharing technology) and communicate with other bots using the WASTE file sharing protocol. Because the protocol is distributed, each zombie host can easily find and communicate with other zombie hosts, and when some bots are removed the botnet survives, so this class of botnet has no single point of failure, but its implementation is relatively complex. Agobot and Phatbot take a P2P approach.
Major historical events
There have been many famous DDoS attacks in history, affecting politics, the economy, the military and other fields. Here are some famous DDoS incidents from 2016.
Blizzard DDoS attack
The LizardSquad group launched a DDoS attack on Blizzard's Battle.net servers. Major games including "StarCraft 2", "World of Warcraft" and "Diablo 3" were taken offline and players could not log in. A hacker group called "Poodle Corp" has also launched multiple DDoS attacks against Blizzard.
The attack not only took the Battle.net servers offline but also affected many games on the platform, including "Overwatch", "World of Warcraft", "Diablo 3" and "Hearthstone"; even players on console platforms had difficulty logging in.
Jewelry store hit by botnet of 25,000 cameras
An ordinary online jewelry store was attacked. When the US security company Sucuri investigated the incident, it found that the store's website was being flooded with 35,000 HTTP requests per second (junk requests), after which the site could no longer provide normal service.
Sucuri's security researchers tried to thwart the attack, but the botnet further increased the frequency of the junk requests, sending more than 50,000 junk HTTP requests per second to the store's website.
After analyzing the source of the packets, the researchers found that the junk requests all came from networked surveillance cameras: 25,000 cameras formed a botnet that launched the DDoS attack, making it the largest known CCTV (closed-circuit television camera) botnet.
“Operation OpIcarus” attack by Anonymous
Anonymous's BannedOffline, Ghost Squad Hackers and other hacker groups launched short-term cyber attacks on many bank websites around the world. Anonymous called this attack "Operation OpIcarus".
The chosen targets included the National Bank of Jordan, the National Bank of Korea, the Central Bank of Monaco and some corporate banking websites established in Monaco, which were then hit by a series of DDoS attacks. The attack paralyzed the network systems of the central banks of Jordan, South Korea and Monaco for half an hour, preventing them from working properly, while the network systems of the National Bank of Montenegro were forced to shut down and stop service.
Targeted NS1 attack
DNS and traffic management provider NS1 (ns1.com) suffered a 10-day targeted, large-scale DDoS attack. It blocked most of the attack traffic through upstream traffic filtering and behavior-based rules.
Instead of the popular DNS amplification attack, the attackers sent programmatically generated DNS queries to NS1's name servers. The attack traffic reached 50 to 60 million packets per second. The packets looked like genuine queries, but they asked to resolve hostnames that did not exist on the NS1 customer network. The attack sources also rotated among different botnets in Eastern Europe, Russia, China and the United States.
Five Russian banks hit by DDoS attacks
Five major Russian banks suffered a two-day DDoS attack. A botnet composed of 24,000 computers from 30 countries continuously launched powerful DDoS attacks without interruption.
Analysis provided by Kaspersky Lab shows that more than 50% of the bots were located in Israel, Taiwan, India and the United States. Each wave of attacks lasted at least an hour, the longest uninterrupted wave lasting more than 12 hours. The intensity of the attack reached 660,000 requests per second. Kaspersky Lab also noted that some banks were attacked repeatedly.
Mirai botnet attacks KrebsOnSecurity
Mirai is a botnet on the order of 100,000 devices, consisting of IoT devices (webcams and the like) on the Internet; its construction started in August and peaked in September. The attackers take control of a device by guessing its default user name and password, incorporate it into the botnet, and use it for various malicious operations when needed, including launching DDoS attacks, posing a huge threat to the Internet.
The security research site KrebsOnSecurity also suffered a Mirai attack, which at the time was considered one of the largest cyberattacks ever. Not long afterwards the French hosting provider OVH was attacked twice, again by Mirai. It is reported that the traffic against KrebsOnSecurity reached 665GB, while the total traffic against OVH exceeded 1TB.
Large-scale Internet outage in the United States
Speaking of DDoS attacks, we have to mention the Dyn incident. On October 21, Dyn, which provides dynamic DNS services, was hit by a massive DDoS attack that primarily affected its services in the eastern United States.
The attack caused access problems for many websites using the DynDNS service, including GitHub, Twitter, Airbnb, Reddit, Freshbooks, Heroku, SoundCloud, Spotify and Shopify. These websites were paralyzed for a time, and Twitter was unreachable for nearly 24 hours.