Ddos commonly used attack tools DDOS attack tool copywriting
What is a DDOS attack? How does it work? What is its purpose? The more detailed the better! Thanks!
The biggest headache for a website is being attacked. Common server attack methods mainly include the following: port penetration, password cracking, and DDOS attacks. Among them, DDOS is currently the most powerful and one of the most difficult attacks to defend against.
So what is a DDOS attack?
The attacker sends the server a large number of forged requests that look legitimate, occupying a large amount of network bandwidth and leaving the website paralyzed and inaccessible. Its defining characteristic is that the cost of defense is far higher than the cost of attack. A hacker can easily launch a 10G or 100G attack, but defending against 10G or 100G is very expensive.
DDOS attacks were originally called DOS (Denial of Service) attacks. The attack principle is: you have a server, I have a personal computer, and I use my personal computer to send a large amount of spam information to your server, which congests your network, increases your data processing burden, and reduces the efficiency of the server's CPU and memory.
However, as technology advanced, one-to-one attacks like DOS became easy to defend against, so the DDOS (distributed denial of service) attack was born. The principle is the same as DOS; the difference is that a DDOS attack is many-to-one: even tens of thousands of personal computers can launch DOS attacks against one server at the same time, eventually paralyzing the attacked server.
Three common DDOS attack methods
SYN/ACK Flood attack: The most classic and effective DDOS attack method, which can take down the network services of all kinds of systems. It works mainly by sending the victim host a large number of SYN or ACK packets with forged source IPs and source ports, so that the host's cache resources are exhausted or it is kept busy sending response packets, causing a denial of service. Since the sources are all forged, the attack is difficult to trace. The disadvantage is that it is difficult to implement and requires the support of high-bandwidth zombie hosts.
TCP full connection attack: This attack is designed to bypass the inspection of conventional firewalls. Under normal circumstances, most conventional firewalls can filter DOS attacks such as TearDrop and Land, but they let normal TCP connections through. However, many network service programs (such as IIS, Apache and other web servers) can accept only a limited number of TCP connections. Once there are a large number of TCP connections, even normal ones, website access becomes very slow or even impossible. A TCP full connection attack uses many zombie hosts to continuously establish a large number of TCP connections with the victim server until the server's memory and other resources are exhausted and it is dragged down, causing a denial of service. The characteristic of this attack is that it can bypass the protection of general firewalls to achieve its purpose. The disadvantage is that the attacker needs to find many zombie hosts, and since the IPs of the zombie hosts are exposed, this type of DDOS attack is easy to trace.
Script attack: This attack is mainly aimed at website systems that run script programs such as ASP, JSP, PHP, CGI, etc., and call databases such as MSSQLServer, MySQLServer, Oracle, etc. It is characterized by establishing a normal TCP connection with the server and continuously submitting queries, lists, and other calls that consume a large amount of database resources to the script program. This is a typical attack method that achieves a big impact with a small effort.
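The first two methods above leave different traces on the server: a SYN flood forges its sources, so only the total half-open backlog is a usable signal, while a full connection attack completes the handshake and exposes real IPs that can be counted per source. The following Python example is added here and is not from the original page; it parses constructed `ss -tan` output, and the function names and threshold values are illustrative assumptions.

```python
from collections import Counter

# Constructed `ss -tan` sample; all addresses are RFC 5737 documentation ranges.
HEADER = "State Recv-Q Send-Q Local Address:Port Peer Address:Port"
SAMPLE = "\n".join(
    [HEADER, "LISTEN 0 128 0.0.0.0:80 0.0.0.0:*"]
    # Six half-open sockets, each from a different (forged-looking) source.
    + [f"SYN-RECV 0 0 192.0.2.10:80 198.51.100.{i}:{40000 + i}" for i in range(1, 7)]
    # Five completed connections held by one source, one by another.
    + [f"ESTAB 0 0 192.0.2.10:80 203.0.113.5:{50000 + i}" for i in range(5)]
    + ["ESTAB 0 0 192.0.2.10:80 203.0.113.9:51515"]
)


def parse_ss(text):
    """Yield (state, peer_ip) for each socket line, skipping header and junk."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        # rsplit keeps IPv6 peers such as [2001:db8::1]:443 intact.
        yield fields[0], fields[4].rsplit(":", 1)[0].strip("[]")


def assess(text, half_open_limit=4, per_ip_limit=3):
    """Return findings as (kind, subject, count); limits are assumed values."""
    half_open = 0
    established = Counter()
    for state, peer in parse_ss(text):
        if state == "SYN-RECV":
            half_open += 1            # sources are forged: count the backlog only
        elif state == "ESTAB":
            established[peer] += 1    # handshake completed: the peer IP is real
    findings = []
    if half_open > half_open_limit:
        findings.append(("syn_flood_suspected", "*", half_open))
    for peer, count in sorted(established.items()):
        if count > per_ip_limit:
            findings.append(("full_connection_suspected", peer, count))
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print(finding)
```

On a live host the same functions can be fed the output of `ss -tan`; the limits should be tuned to the service's normal connection profile.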
How to defend against DDOS attacks?
In general, you can start from three aspects: hardware, a single host, and the entire server system.
1. Hardware
1. Increase bandwidth
Bandwidth directly determines the ability to withstand attacks. Hard protection by increasing bandwidth is the theoretically optimal solution: as long as the bandwidth is greater than the attack traffic, there is no need to worry. However, the cost is very high.
2. Improve hardware configuration
On the premise of ensuring network bandwidth, try to improve the configuration of the CPU, memory, hard disk, network card, router, switch and other hardware facilities, and choose well-known products with a good reputation.
3. Hardware firewall
Place the server in a computer room with a DDoS hardware firewall.
Professional-grade firewalls usually have the function of cleaning and filtering abnormal traffic, and can fight against traffic-based DDoS attacks such as SYN/ACK attacks, TCP full connection attacks, script attacks, etc.
2. Single host
1. Repair system vulnerabilities in a timely manner and upgrade security patches.
2. Close unnecessary services and ports, reduce unnecessary system add-ons and self-starting items, minimize the number of processes executing in the server, and change the working mode
3. iptables
4. Strictly control account permissions, prohibit root login, password login, and modify the default ports of commonly used services
3. The entire server system
1. Load balancing
Use load balancing to evenly distribute requests to various servers, reducing the burden on a single server.
2. CDN
A CDN is a content distribution network built on the Internet. It relies on edge servers deployed in various places and uses the distribution, scheduling and other functional modules of the central platform to let users get the required content from a nearby node, reducing network congestion and improving user access response speed and hit rate. CDN acceleration therefore also uses load balancing technology. Compared with high-defense hardware firewalls, which cannot withstand unlimited traffic, a CDN is the more rational choice because it spreads the penetrating traffic across multiple nodes. Currently, most CDN nodes have a 200G traffic protection function. Coupled with hard defense protection, it can be said that this copes with most DDoS attacks.
3. Distributed cluster defense
The characteristic of distributed cluster defense is that multiple IP addresses are configured on each node server, and each node can withstand a DDoS attack of no less than 10G. If a node is attacked and cannot provide services, the system automatically switches to another node according to the priority setting and returns all the attacker's data packets to the sending point, paralyzing the attack source.