What are the DDoS methods?
DDoS attacks mainly include the following three methods.
High-traffic attacks
High-traffic attacks saturate the network's bandwidth and infrastructure through massive traffic, consuming them all, thus achieving the purpose of flooding the network. Once traffic exceeds the capacity of the network, or the network's ability to connect to the rest of the Internet, the network becomes inaccessible. Examples of high-traffic attacks include ICMP, fragmentation, and UDP flooding.
TCP State Exhaustion Attacks
TCP State Exhaustion attacks attempt to consume the connection state tables present in many infrastructure components, such as load balancers, firewalls, and the application server itself. For example, the firewall must analyze each packet to determine whether the packet is a discrete connection, a continuation of an existing connection, or the completion of an existing connection. Likewise, intrusion prevention systems must track state to implement signature-based packet inspection and stateful protocol analysis. These devices and other stateful devices—including those responsible for the balancer—are frequently compromised by session flooding or connection attacks. For example, a Sockstress attack can quickly flood a firewall's state table by opening sockets to populate the connection table.
Application layer attacks
Application layer attacks use more sophisticated mechanisms to achieve the hacker's goals. Rather than flooding the network with traffic or sessions, an application layer attack targets a specific application/service and slowly exhausts resources on the application layer. Application layer attacks are very effective at low traffic rates, and the traffic involved in the attack may be legitimate from a protocol perspective. This makes application layer attacks more difficult to detect than other types of DDoS attacks. HTTP floods, DNS dictionaries, Slowloris, etc. are all examples of application layer attacks.
What does DDoS attack use?
DDoS attacks use intermediate proxies to carry out attacks.
The most commonly used attack method is the SYN flood attack, which exploits a flaw in the implementation of the TCP protocol. By sending a large number of attack messages with forged source addresses to the port where the network service is located, the half-open connection queue in the target server fills up, thereby preventing other legitimate users from accessing it. Basically all common DDoS attacks currently use this principle to attack.
What is a DDOS attack? How does it work? What is its purpose? The more detailed the better! Thanks!
The biggest headache for a website is being attacked. Common server attack methods mainly include the following: port penetration, password cracking, and DDOS attacks. Among them, DDOS is currently one of the most powerful and most difficult to defend against.
So what is a DDOS attack?
The attacker forges a large number of legitimate requests to the server, occupying a large amount of network bandwidth, causing the website to be paralyzed and inaccessible. Its characteristic is that the cost of defense is far higher than the cost of attack. A hacker can easily launch a 10G or 100G attack, but the cost of defending against 10G or 100G is very high.
DDOS attacks were originally called DOS (Denial of Service) attacks. Their attack principle is: you have a server, I have a personal computer, and I use my personal computer to send a large number of messages to your server. The spam information congests your network, increases your data processing burden, and reduces the efficiency of the server's CPU and memory.
However, with the advancement of technology, one-to-one attacks like DOS are easy to defend against, so the DDOS (distributed denial of service) attack was born. The principle is the same as DOS, but the difference is that DDOS attacks are many-to-one: even tens of thousands of personal computers can launch DOS attacks against a server at the same time, eventually causing the attacked server to become paralyzed.
Three common DDOS attack methods
SYN/ACK Flood attack: The most classic and effective DDOS attack method, which can kill the network services of various systems. It mainly works by sending a large number of SYN or ACK packets with forged source IPs and source ports to the victim host, causing the host's cache resources to be exhausted or keeping it busy sending response packets, resulting in a denial of service. Since the sources are all forged, it is difficult to track. The disadvantage is that it is difficult to implement and requires the support of high-bandwidth zombie hosts.
TCP full connection attack: This attack is designed to bypass the inspection of conventional firewalls. Under normal circumstances, most conventional firewalls are able to filter DOS attacks such as TearDrop and Land, but normal TCP connections are let through. However, many network service programs (such as IIS, Apache and other web servers) can only accept a limited number of TCP connections. Once there are a large number of TCP connections, even if they are normal, website access becomes very slow or even inaccessible. A TCP full connection attack uses many zombie hosts to continuously establish a large number of TCP connections with the victim server until the server's memory and other resources are exhausted and it is dragged down, thus causing a denial of service. The characteristic of this attack is that it can bypass the protection of general firewalls to achieve its purpose; the disadvantage is that you need to find many zombie hosts, and because the IPs of the zombie hosts are exposed, this type of DDOS attack is easy to track.
Script attack: This attack is mainly designed for website systems that have script programs such as ASP, JSP, PHP, CGI, etc., and call databases such as MSSQL Server, MySQL Server, Oracle, etc. It is characterized by establishing a normal TCP connection with the server and continuously submitting queries, lists and other calls that consume a large amount of database resources to the script program. This is a typical attack method that uses a small amount to make a big impact.
How to defend against DDOS attacks?
In general, you can start from three aspects: hardware, a single host, and the entire server system.
1. Hardware
1. Increase bandwidth
Bandwidth directly determines the ability to withstand attacks. Increasing bandwidth as hard protection is the theoretical optimal solution: as long as the bandwidth is greater than the attack traffic, there is no need to worry, but the cost is very high.
2. Improve the hardware configuration
On the premise of ensuring network bandwidth, try to improve the configuration of the CPU, memory, hard disk, network card, router, switch and other hardware facilities, and choose well-known products with a good reputation.
3. Hardware firewall
Place the server in a computer room with a DDoS hardware firewall. Professional-grade firewalls usually have the function of cleaning and filtering abnormal traffic, and can fight against SYN/ACK attacks, TCP full connection attacks, script attacks and other traffic-based DDoS attacks.
2. Single host
1. Repair system vulnerabilities in a timely manner and upgrade security patches.
2. Close unnecessary services and ports, reduce unnecessary system add-ons and self-starting items, minimize the number of processes executing in the server, and change the working mode
3. iptables
4. Strictly control account permissions, prohibit root login and password login, and modify the default ports of commonly used services.
3. The entire server system
1. Load balancing
Use load balancing to evenly distribute requests to various servers, reducing the burden on a single server.
2. CDN
A CDN is a content distribution network built on the Internet. It relies on edge servers deployed in various places and uses the distribution, scheduling and other functional modules of the central platform to enable users to obtain the required content nearby, reducing network congestion and improving user access response speed and hit rate. Therefore, CDN acceleration also uses load balancing technology.
Compared with high-defense hardware firewalls, which cannot withstand unlimited traffic, CDNs are more rational and spread penetrating traffic across multiple nodes. Currently, most CDN nodes have a 200G traffic protection function. Coupled with hard defense protection, it can be said to cope with most DDoS attacks.
3. Distributed cluster defense
The characteristic of distributed cluster defense is that multiple IP addresses are configured on each node server, and each node can withstand a DDoS attack of no less than 10G. If a node is attacked and cannot provide services, the system automatically switches to another node according to the priority setting, and returns all the attacker's data packets to the sending point, paralyzing the attack source.
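The two TCP symptoms described in this answer, a full half-open queue under a SYN flood and a pile-up of normal connections under a TCP full connection attack, can both be spotted on a single host by counting socket states per peer. The following is an added example, not code from the original answers; it parses constructed `ss -tan`-style output and the thresholds are illustrative assumptions.

```python
"""Added example (not from the original answers): flag peers that hold an
abnormal number of half-open (SYN-RECV) or fully established (ESTAB) TCP
sockets on a host, the two symptoms described for SYN floods and TCP full
connection attacks.  Input is constructed text in the `ss -tan` column layout."""
from collections import Counter, defaultdict

# Constructed sample; columns follow `ss -tan`:
# State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
SYN-RECV  0      0      10.0.0.5:80          203.0.113.7:40001
SYN-RECV  0      0      10.0.0.5:80          203.0.113.7:40002
SYN-RECV  0      0      10.0.0.5:80          203.0.113.7:40003
SYN-RECV  0      0      10.0.0.5:80          203.0.113.7:40004
ESTAB     0      0      10.0.0.5:80          198.51.100.2:51000
ESTAB     0      0      10.0.0.5:80          198.51.100.2:51001
ESTAB     0      0      10.0.0.5:80          198.51.100.2:51002
ESTAB     0      0      10.0.0.5:80          192.0.2.10:33000
LISTEN    0      128    0.0.0.0:80           0.0.0.0:*
"""

def peer_ip(addr: str) -> str:
    """Strip the port from an address:port column (handles [v6]:port too)."""
    return addr.rsplit(":", 1)[0].strip("[]")

def count_states(ss_text: str) -> dict:
    """Return {peer_ip: Counter({state: n})} for every non-listening socket."""
    per_peer = defaultdict(Counter)
    for line in ss_text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] == "LISTEN":
            continue
        state, peer = fields[0], peer_ip(fields[4])
        per_peer[peer][state] += 1
    return per_peer

def flag_suspects(ss_text: str, half_open_max: int = 3, estab_max: int = 2) -> dict:
    """Map peer IP -> reason for every peer over either threshold.
    Thresholds are assumed values; tune them to the service's normal baseline."""
    suspects = {}
    for peer, states in count_states(ss_text).items():
        if states["SYN-RECV"] > half_open_max:
            suspects[peer] = f"half-open flood: {states['SYN-RECV']} SYN-RECV"
        elif states["ESTAB"] > estab_max:
            suspects[peer] = f"connection exhaustion: {states['ESTAB']} ESTAB"
    return suspects

if __name__ == "__main__":
    for ip, reason in flag_suspects(SAMPLE_SS_OUTPUT).items():
        print(ip, reason)
```

On a live host, feed it the output of `ss -tan` instead of the constructed sample; a forged-source SYN flood shows up as many distinct peers with one SYN-RECV each rather than one peer with many, so the per-peer view complements, not replaces, a total SYN-RECV count.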
What is a DDOS attack?
I believe everyone has heard of DoS attacks, DDoS attacks and DRDoS attacks! DoS is the abbreviation of Denial of Service, which means denial of service; DDoS is the abbreviation of Distributed Denial of Service, which is distributed denial of service; and DRDoS is the abbreviation of Distributed Reflection Denial of Service. In short, that is what Distributed Reflective Denial of Service means.