What is a denial of service attack?
So, what exactly is DoS? Readers who used PCs in the early days will immediately think of Microsoft's DOS, the disk operating system. No, no, no; Gates is not the boss of the hackers! The DOS meant here is written DoS and stands for denial of service. A DoS attack deliberately exploits defects in the implementation of network protocols, or simply uses brute force to exhaust the resources of the attacked target, with the aim of making the target computer or network unable to provide normal service or resource access, so that the target's service stops responding or even crashes. Such an attack does not involve breaking into the target server or network equipment. The service resources concerned include network bandwidth, file system capacity, open processes and permitted connections. The attack creates a shortage of these resources, and no matter how fast the computer's processor, how large its memory or how wide its network bandwidth, the consequence cannot be avoided: everything has a limit, and a way can always be found to push the requested amount above that limit, deliberately starving the service of resources so that it can no longer meet demand. So do not assume that a wide enough bandwidth and a fast enough server give you a high-performance website with nothing to fear from DoS attacks; a denial of service attack can make any amount of resources look very small.
A concrete metaphor helps in understanding DoS. A restaurant on the street provides catering services to the public. If a gang of hooligans wants to "DoS" the restaurant, it has many means: occupying the tables without paying, blocking the doorway, harassing the waiters or cooks so they cannot work, and worse. Likewise, computers and network systems provide Internet resources to users, and if hackers want to mount a DoS attack, it is easy to imagine that they too have many means. The most common DoS attacks today are bandwidth attacks and connectivity attacks on computer networks. A bandwidth attack floods the network with huge traffic so that all available network resources are exhausted and legitimate user requests eventually fail. A connectivity attack hits the computer with a large number of connection requests so that all available operating system resources are exhausted and the computer can no longer handle legitimate users' requests.
What is DDoS?
Traditionally, the main problem faced by an attacker was network bandwidth. With small networks and slow links, an attacker could not issue too many requests. Although an attack such as "Ping of Death" could bring down an unpatched UNIX system with just a few packets, most DoS attacks still require considerable bandwidth, and it is hard for an individual hacker to obtain high-bandwidth resources. To overcome this shortcoming, DoS attackers developed distributed attacks: the attacker uses tools to gather a large amount of network bandwidth and then launches a large number of attack requests against the same target at the same time. That is a DDoS attack.
DDoS (Distributed Denial of Service) takes DoS a big step forward. In a distributed denial of service attack, the hacker installs DoS service programs on a large number of high-bandwidth hosts (possibly hundreds or even thousands) that have already been compromised and brought under control, and these wait for commands from a central attack control centre. At the chosen time the control centre starts the DoS service process on all the controlled hosts, which then send as many network access requests as possible to the chosen target, forming a DoS torrent that hits the target system and pounds the same website in force. Outnumbered, the attacked website quickly loses the ability to respond, cannot handle normal access, and may even crash. The biggest difference between DDoS and DoS is therefore that many hands make light work: in DoS one machine attacks the target, while in DDoS many machines, controlled by the central attack centre and enjoying high bandwidth, attack the target together, which makes the target website far easier to bring down. The DDoS attack mode is also more automated: the attacker installs his program on many machines in the network, which is hard for the target to detect, and the machines do nothing until the attacker issues a single unified attack command, at which point they all attack at once. A DDoS attack can be described as a group of DoS attacks launched under the hacker's centralised control; it is now regarded as the most effective form of attack and is difficult to defend against.
Whether a DoS attack or a DDoS attack, it is simply a means by which hackers disrupt a network service. Although the specific implementations vary endlessly, they all share one basic goal: to leave the victim host or network unable to receive and process external requests, or unable to respond to them, in time. Concretely this takes the following forms:
1. Generating a lot of useless data that congests the network around the attacked host and prevents it from communicating normally with the outside world.
2. Exploiting a defect in how the attacked host's service or transport protocol handles repeated connections: the attacker sends aggressive, repeated service requests at high frequency so that the host cannot handle other, normal requests in time.
3. Exploiting a defect in the service program or transport protocol of the attacked host by repeatedly sending abnormal attack data, which causes the system to misallocate large amounts of system resources and leaves the host hung or even crashed.
Common DoS attacks
A denial of service attack is a malicious attack that does great harm to a network. Typical DoS attacks today include Ping of Death, Teardrop, UDP flood, SYN flood, Land attack, IP spoofing DoS and so on. Let's see how they work.
Ping of Death: ICMP (Internet Control Message Protocol) is used on the Internet for error handling and for carrying control information. One of its functions is to contact a host and see whether it is "alive" by sending an echo request packet; the familiar ping program does exactly this. The TCP/IP RFCs, however, place a strict limit on the maximum size of a packet, and the TCP/IP stacks of many operating systems set the limit for an ICMP packet at 64KB. After reading the packet header, the stack allocates a buffer for the payload according to the information in the header. The "Ping of Death" is a malformed ping (Packet Internet Groper) packet that claims a size above the ICMP limit, that is, a payload larger than 64KB; on an unprotected system this causes a memory allocation error, crashes the TCP/IP stack, and finally hangs the receiver.
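The defensive side of this is a sanity check on the fragment set before any buffer is allocated. The following is an added illustration, not code from the original article or from any operating system: it rejects a fragment set whose claimed total exceeds the 65535-byte IP datagram limit (the Ping of Death case) and, with the same pass, fragments whose offsets overlap (the Teardrop case described next). The fragment offsets and lengths are constructed sample values in bytes; a real IP header expresses the offset in 8-byte units.

```python
# Added illustration (not from the original article): a fragment-set sanity
# check of the kind a patched TCP/IP stack applies before reassembling an
# IP datagram. Offsets and lengths are given in bytes for readability; the
# real IP header expresses the offset in 8-byte units.

MAX_IP_DATAGRAM = 65535  # largest total length an IP datagram may have


class BadFragment(Exception):
    """Raised when a fragment set must be discarded instead of reassembled."""


def validate_fragments(fragments):
    """Return the reassembled payload length for a sane fragment set.

    Each fragment is a dict with 'offset' and 'length' in bytes and
    'more' (True when the More Fragments flag is set).

    Rejected cases:
      * a fragment whose end lies beyond MAX_IP_DATAGRAM (Ping of Death);
      * fragments whose byte ranges overlap (Teardrop-style offsets);
      * holes in the sequence or a missing final fragment.
    """
    if not fragments:
        raise BadFragment("empty fragment set")

    # Size check first: an oversized claim is rejected regardless of order.
    for frag in fragments:
        end = frag["offset"] + frag["length"]
        if end > MAX_IP_DATAGRAM:
            raise BadFragment(f"fragment ends at byte {end}, beyond {MAX_IP_DATAGRAM}")

    ordered = sorted(fragments, key=lambda f: f["offset"])
    expected_next = 0
    for frag in ordered:
        start = frag["offset"]
        if start < expected_next:
            raise BadFragment(f"fragment at {start} overlaps data ending at {expected_next}")
        if start > expected_next:
            raise BadFragment(f"hole before offset {start}; datagram incomplete")
        expected_next = start + frag["length"]

    if ordered[-1]["more"]:
        raise BadFragment("last fragment still has More Fragments set")
    return expected_next


def classify(fragments):
    """Wrap validate_fragments so callers get 'ok:<len>' or 'reject:<reason>'."""
    try:
        return f"ok:{validate_fragments(fragments)}"
    except BadFragment as err:
        return f"reject:{err}"


# Constructed sample fragment sets.
NORMAL = [
    {"offset": 0, "length": 1480, "more": True},
    {"offset": 1480, "length": 1480, "more": True},
    {"offset": 2960, "length": 100, "more": False},
]
OVERSIZED = [  # final fragment claims bytes past the datagram limit
    {"offset": 0, "length": 1480, "more": True},
    {"offset": 65120, "length": 1480, "more": False},
]
OVERLAPPING = [  # second fragment's offset falls inside the first
    {"offset": 0, "length": 1480, "more": True},
    {"offset": 1000, "length": 1480, "more": False},
]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("oversized", OVERSIZED), ("overlapping", OVERLAPPING)):
        print(f"{name}: {classify(frags)}")
```

The size check runs over the whole set before the order check so that an oversized claim is refused even when it arrives first; a stack that allocated on the header's word alone is exactly the one the Ping of Death crashed.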
Teardrop attack: Teardrop exploits the information carried in packet headers by the TCP/IP stack. Each IP fragment carries information saying which part of the original packet it contains. Some TCP/IP stacks (for example NT before Service Pack 4) crash when they receive forged fragments with overlapping offsets.
UDP flood: UDP (User Datagram Protocol) is widely used on the Internet. Many machines providing services such as WWW and mail are Unix servers, and by default some of them leave UDP services enabled that hackers can abuse. For example, the echo service sends back every packet it receives, and the chargen service, originally a test facility, returns a stream of random characters for every packet received. A UDP flood impersonation attack exploits these two simple TCP/IP services: by forging a UDP connection to one host's chargen service with a reply address pointing at another host's echo service, the attacker makes chargen and echo feed each other, bouncing useless junk data back and forth until enough garbage traffic flows between the two hosts. This denial of service attack soon exhausts the available bandwidth of the network.
SYN flood: A standard TCP (Transmission Control Protocol) connection is set up with a three-way handshake. First the requester sends a SYN (synchronize sequence number) message to the service provider. On receiving the SYN, the service provider sends a SYN-ACK back to the requester as confirmation. When the requester receives the SYN-ACK, it sends an ACK message to the service provider, and the TCP connection is established. "SYN flooding" is a DoS attack on the TCP stack's connection handshake between two hosts in which only the first two steps are carried out: the server sends its SYN-ACK, but because of source address spoofing or similar means the requester never sends the ACK, so the server waits for a certain period for an ACK from the requester. A server's available TCP connections are limited because it has only a limited memory buffer in which to create connections. If that buffer fills up with the initial state of bogus connections, the server stops responding to new connections until the pending attempts in the buffer time out. If a malicious attacker sends such connection requests quickly and continuously, the server's available TCP connection queue is soon blocked, the system's available resources drop sharply, and the network's available bandwidth shrinks rapidly. The server can then no longer provide normal, legitimate service, apart from a few lucky users whose requests happen to be answered among the mass of false ones.
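What an administrator can see of a SYN flood is the connection table filling with handshakes that never complete. The following is an added illustration, not code from the original article: it reads a constructed snapshot in a netstat/ss-like "STATE LOCAL REMOTE" layout, counts half-open (SYN-RECV) against established entries per listening port, and flags a port when the half-open count reaches a threshold and outweighs the established ones. The addresses, ports and threshold are constructed sample values.

```python
# Added illustration (not from the original article): flagging a SYN flood
# from a snapshot of the server's connection table. The lines below are
# constructed in a netstat/ss-like "STATE LOCAL REMOTE" layout.
from collections import defaultdict

SNAPSHOT = [
    "ESTAB     10.0.0.5:80   198.51.100.20:51234",
    "ESTAB     10.0.0.5:80   198.51.100.21:51990",
    "ESTAB     10.0.0.5:22   198.51.100.9:60010",
    "SYN-RECV  10.0.0.5:22   198.51.100.30:41000",
] + [
    # forty half-open connections to port 80, each from a different (spoofed) source
    f"SYN-RECV  10.0.0.5:80   203.0.113.{i}:40000" for i in range(1, 41)
]


def parse_line(line):
    """Split one snapshot line into (state, local_port, remote_host)."""
    state, local, remote = line.split()
    local_port = int(local.rsplit(":", 1)[1])
    remote_host = remote.rsplit(":", 1)[0]
    return state, local_port, remote_host


def half_open_report(lines, threshold=32):
    """Per listening port, count half-open vs. established connections.

    A port is marked suspicious when the number of half-open (SYN-RECV)
    entries reaches `threshold` and exceeds the established count: the
    backlog is filling with handshakes that never complete, which is the
    SYN flood signature. Distinct source counts help tell a flood with
    spoofed sources from one misbehaving client.
    """
    stats = defaultdict(lambda: {"half_open": 0, "established": 0, "sources": set()})
    for line in lines:
        state, port, remote_host = parse_line(line)
        entry = stats[port]
        if state == "SYN-RECV":
            entry["half_open"] += 1
            entry["sources"].add(remote_host)
        elif state == "ESTAB":
            entry["established"] += 1

    report = {}
    for port, entry in stats.items():
        suspicious = entry["half_open"] >= threshold and entry["half_open"] > entry["established"]
        report[port] = {
            "half_open": entry["half_open"],
            "established": entry["established"],
            "distinct_sources": len(entry["sources"]),
            "suspicious": suspicious,
        }
    return report


if __name__ == "__main__":
    for port, info in sorted(half_open_report(SNAPSHOT).items()):
        print(port, info)
```

A single SYN-RECV on port 22 is ordinary handshake latency and is not flagged; port 80, with forty half-open entries from forty different sources against two established connections, is. On the mitigation side, Linux's SYN cookies (the net.ipv4.tcp_syncookies setting) let a server keep accepting connections once the backlog is full without storing per-handshake state, which removes the buffer exhaustion the article describes.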
Land attack: In a Land attack the hacker sends a special SYN packet whose source address and destination address are both set to the server's address. This makes the receiving server send a SYN-ACK to its own address, which then sends back an ACK and creates an empty connection; each such connection is held until it times out. Under a Land attack many UNIX systems crash and NT becomes extremely slow (for about five minutes).
IP spoofing DoS attack: This attack uses the RST bit of the TCP protocol stack. Through IP spoofing the attacker forces the server to reset a legitimate user's connection, disrupting that user's connection. Suppose a legitimate user (100.100.100.100) has a normal connection established with the server. The attacker constructs the attacking TCP data, pretending that its IP is 100.100.100.105.6438; when the server receives this data, it takes it to be from the legitimate user 100.100.100.100.
Common DDoS attacks
Smurf, Fraggle, Trinoo, Tribe Flood Network (TFN), TFN2k and Stacheldraht are common DDoS attack programs. Let's look at how they work; their attack ideas are basically similar.
Smurf attack: Smurf is a simple but effective DDoS attack technique. It still relies on the ping program, combining a broadcast destination with a forged source IP. Information broadcast on a network can be delivered to every machine on it by certain means (a broadcast address or other mechanisms). When a machine sends an ICMP echo request (such as a ping) to a broadcast address, some systems respond with an ICMP echo reply, so one packet sent yields many reply packets. Smurf uses this principle together with a fake source address: it sends an ICMP echo request whose source address is that of the attacked host and whose destination is the network's broadcast address, so that many systems respond at once and send a great deal of traffic to the attacked host (whose address the attacker impersonated). In other words, Smurf continuously pings one or more computer networks with a forged source address, so that all the responding computers reply not to the attacking computer that actually sent the packet but to the forged source address, which is the real target and is buried under the mass of replies. The network that answered the forged packets unwittingly becomes an accomplice to the attack. A simple Smurf attack ends in network blockage and the collapse of the third party, with traffic one or two orders of magnitude greater than a Ping of Death flood. This way of using a network to send packets and trigger a large number of replies is also called Smurf "amplification".
Fraggle attack: Fraggle is a simple modification of Smurf that replaces the ICMP echo with UDP reply traffic.
Trinoo attack: trinoo is a sophisticated DDoS attack program based on UDP flooding. It uses a "master" program to automatically control any number of "agent" programs, which carry out the actual attack. Before the attack, the intruder must of course already control the computer running the master program and all the computers running agents in order to install the software. The attacker connects to the computer with the master program and starts it; the master then starts all the agents according to a list of IP addresses. The agents attack the network with UDP packets, sending 4-byte all-zero UDP packets to random ports on the attacked host. While dealing with these junk packets, which exceed its processing capacity, the attacked host's network performance keeps falling until it can no longer provide normal service or even collapses. Trinoo does not forge IP addresses, so this attack method is not used much.
Tribe Flood Network and TFN2K attacks: Tribe Flood Network, like trinoo, uses a master program to communicate with attack agents located on many networks, issuing commands to the agents over ICMP, whose source can be forged. TFN can launch many kinds of DoS attack in parallel and can also build packets with disguised source IP addresses. The attacks TFN can launch include SYN flood, UDP flood, ICMP echo request flood and Smurf (using many servers to send massive numbers of packets to carry out the DoS attack). TFN2K, the upgraded version, further encrypts the command packets, making their content harder to inspect; the source of the commands can be faked, and a back door controls the agents.
Stacheldraht attack: Stacheldraht is based on the same client/server model as TFN and trinoo, with a master program that communicates with thousands of potential agents; to launch an attack the intruder connects to the master. Stacheldraht adds new features: communication between the attacker and the master is encrypted, the source of commands is forged, and it can evade the filtering some routers perform according to RFC 2267. If it detects such filtering, it forges only the last 8 bits of the IP address, so that users cannot tell which machine on which network segment is attacking; and it uses rcp (remote copy) to update the agents automatically. Like TFN, Stacheldraht can launch numerous DoS attacks of various types in parallel and can construct packets with disguised source IP addresses. The attacks it launches include UDP flood, TCP SYN flood and ICMP echo reply flood.
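Several of the attacks above are stopped at the network border by simple packet checks: a Land packet carries the target's own address as its source, Smurf and Fraggle depend on echo traffic reaching a directed broadcast address, the UDP echo/chargen ping-pong needs those ports reachable from outside, and RFC 2267 ingress/egress filtering refuses packets whose source does not belong on the interface they arrived on. The following is an added illustration of those checks, not code from the original article or from any vendor's product; the site prefix 192.0.2.0/24 and the sample packets are constructed for the example.

```python
# Added illustration (not from the original article, nor any vendor's
# product): the packet checks a border firewall applies against the Land,
# Smurf/Fraggle and UDP echo/chargen attacks above and the RFC 2267
# ingress/egress filtering mentioned for Stacheldraht. The site prefix and
# the sample packets are constructed for the example.
import ipaddress

INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed site prefix
SMALL_UDP_SERVICES = {7, 19}  # echo and chargen ports


def inspect(pkt):
    """Return (verdict, reason) for one packet.

    pkt is a dict: iface ('outside' = Internet-facing, 'inside' = LAN),
    proto ('tcp'/'udp'/'icmp'), src/dst dotted IPs, sport/dport ints.
    Checks are ordered so the most specific signature names the reason.
    """
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])

    # Land attack: a packet claiming to come from the very host it targets.
    if src == dst:
        return "drop", "land"

    # Smurf/Fraggle amplification: echo traffic aimed at the directed
    # broadcast address of the internal network.
    if dst == INTERNAL_NET.broadcast_address and pkt["proto"] in ("icmp", "udp"):
        return "drop", "directed-broadcast"

    # RFC 2267 ingress filtering: nothing from the Internet may carry an
    # internal source; egress: nothing leaving may carry a foreign source.
    if pkt["iface"] == "outside" and src in INTERNAL_NET:
        return "drop", "spoofed-internal-source"
    if pkt["iface"] == "inside" and src not in INTERNAL_NET:
        return "drop", "spoofed-external-source"

    # UDP echo/chargen reachable from outside invite ping-pong floods.
    if pkt["iface"] == "outside" and pkt["proto"] == "udp" and pkt["dport"] in SMALL_UDP_SERVICES:
        return "drop", "udp-small-service"

    return "accept", "ok"


def reasons(packets):
    """Run inspect() over a packet list and return the reason for each."""
    return [inspect(p)[1] for p in packets]


# Constructed sample packets, one per check plus one legitimate packet.
SAMPLE_PACKETS = [
    {"iface": "outside", "proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10", "sport": 80, "dport": 80},
    {"iface": "outside", "proto": "icmp", "src": "198.51.100.5", "dst": "192.0.2.255", "sport": 0, "dport": 0},
    {"iface": "inside", "proto": "tcp", "src": "203.0.113.9", "dst": "198.51.100.1", "sport": 1234, "dport": 80},
    {"iface": "outside", "proto": "udp", "src": "198.51.100.7", "dst": "192.0.2.10", "sport": 19, "dport": 7},
    {"iface": "outside", "proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "sport": 5555, "dport": 443},
]

if __name__ == "__main__":
    for pkt, why in zip(SAMPLE_PACKETS, reasons(SAMPLE_PACKETS)):
        print(f"{pkt['src']:>14} -> {pkt['dst']:<14} {why}")
```

The egress rule is what keeps a compromised host on this site from serving as a Smurf or Stacheldraht agent with an arbitrary forged source. Note the limit the article itself points out: when Stacheldraht forges only the last 8 bits of the address, the spoofed source still falls inside the local prefix and passes the prefix-level check above, which is why RFC 2267 recommends applying the filter as close to the originating hosts as possible.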
How to prevent DoS/DDoS attacks
DoS attacks have existed almost since the birth of the Internet, and have developed and evolved along with it. It is worth noting that DoS tools are not hard to find: the online communities where hackers gather have a tradition of sharing hacker software and exchanging attack experience, and these tools can easily be obtained from the Internet. All of the DoS attack programs mentioned above are openly available software that can be found anywhere on the Internet, so any Internet user is a potential threat to network security. DoS attacks pose a great threat to the healthy development of Internet security. To some extent, however, DoS attacks will never disappear, and there is no fundamental technical solution.
Faced with this dangerous tide of DoS, how should we deal with hacker attacks that can come at any time? Let's first summarise the technical problems that give rise to the DoS threat. DoS attacks can be said to arise from the following causes:
1. Software weaknesses are security-related defects in operating systems or applications, mostly caused by faulty programming, careless source code review, unintended side effects or inappropriate bindings. Because the software in use depends almost entirely on its developer, the holes it causes can only be closed by applying patches, hotfixes and service packs. When an application is found to have a vulnerability, its developer promptly releases an updated version to fix it. DoS attacks caused by inherent defects in protocol implementations can be remedied with simple patches.
2. Misconfiguration is also a security risk. Misconfigurations usually occur in hardware devices, systems or applications, and are mostly caused by inexperienced or careless staff or by mistaken assumptions. If the routers, firewalls, switches and other network connection devices in the network are configured correctly, the likelihood of such errors is reduced. When such holes are found, professional technicians should be consulted to fix them.
3. Repeated requests lead to overload denial of service. When repeated requests for a resource far exceed the resource's ability to serve them, the result is a denial of service (for example, sending so many requests to an already fully loaded Web server that it is overloaded).
To keep the system safe from DoS attacks, the network administrator should actively and carefully maintain the system with regard to the first two points, ensuring that there are no security risks or holes; for the third kind, malicious overload, security devices such as firewalls need to be installed to filter out DoS attacks. At the same time it is strongly recommended that network administrators regularly review the logs of their security devices so that threats facing the system are found in time.
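One concrete form of the filtering prescribed for the third cause, repeated requests, is a per-source rate limit in front of the service. The following is an added illustration, not code from the original article or any vendor's device: a token bucket per source address replays a constructed request log in which a normal client sends one request per second while an abuser sends fifty within a second, and shows that the abuser is throttled while the normal client is never refused. The rate, burst and addresses are constructed sample values.

```python
# Added illustration (not from the original article): a per-source token
# bucket limiter, the sort of filtering rule a firewall or front-end applies
# against the "repeated requests" overload described in point 3. Timestamps
# are milliseconds; exact fractions avoid floating-point drift.
from collections import defaultdict
from fractions import Fraction


class TokenBucket:
    """Allow `burst` requests at once, then refill at `rate` tokens per second."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = Fraction(burst)
        self.last_ms = 0

    def allow(self, now_ms):
        elapsed = Fraction(now_ms - self.last_ms, 1000)
        self.tokens = min(Fraction(self.burst), self.tokens + elapsed * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class PerSourceLimiter:
    """One bucket per source address, so one abuser cannot starve the rest."""

    def __init__(self, rate, burst):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def allow(self, src, now_ms):
        return self.buckets[src].allow(now_ms)


# Constructed request log: (time_ms, source). A normal client sends one
# request per second for ten seconds; an abuser sends fifty within a second.
REQUEST_LOG = [(t * 1000, "198.51.100.20") for t in range(10)] + \
              [(i * 20, "203.0.113.9") for i in range(50)]


def simulate(log, rate=2, burst=5):
    """Replay the log through the limiter; return (served, rejected) per source."""
    limiter = PerSourceLimiter(rate, burst)
    served, rejected = defaultdict(int), defaultdict(int)
    for now_ms, src in sorted(log):
        if limiter.allow(src, now_ms):
            served[src] += 1
        else:
            rejected[src] += 1
    return dict(served), dict(rejected)


if __name__ == "__main__":
    served, rejected = simulate(REQUEST_LOG)
    for src in sorted(set(served) | set(rejected)):
        print(f"{src:<14} served={served.get(src, 0):3d} rejected={rejected.get(src, 0):3d}")
```

With a burst of 5 and a refill of 2 tokens per second, the abuser gets its first five requests and one more once the bucket has refilled, and the other 44 are rejected; the normal client's bucket refills faster than it drains and all ten of its requests are served. Because the buckets are keyed by source address, this helps against a single overloading client but not against a DDoS whose requests arrive from many addresses, which is where the upstream filtering and log review the article recommends come in.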
3Com is a comprehensive enterprise network solution provider whose aim is to give enterprise users "rich, simple, flexible, affordable and cost-effective" network solutions. Internet support tools are one of its main solutions, including the SuperStack 3 Firewall, Web Cache and Server Load Balancer. As a security gateway device, the 3Com SuperStack 3 Firewall can, in its default configuration, detect and block hacker attacks such as Denial of Service (DoS) and Distributed Denial of Service (DDoS), and it also strongly protects your network from unauthorised access from the Internet and other external threats and attacks. Moreover, the 3Com SuperStack 3 Server Load Balancer not only provides hardware wire-speed layer 4-7 load balancing across multiple servers but also protects all servers from denial of service (DoS) attacks. Similarly, the 3Com SuperStack 3 Web Cache not only provides an efficient local cache for the enterprise but also protects itself from denial of service (DoS) attacks.