Kali for WiFi phishing and Kali for DDoS.
What does DDoS mean?

There are three main types of DDoS attack.

High-traffic attack

High-traffic attacks saturate the network's bandwidth and infrastructure with massive volumes of traffic and consume them completely, flooding the network. Once the traffic exceeds the capacity of the network, or of its links to the rest of the Internet, the network becomes inaccessible. Examples of high-traffic attacks include ICMP, fragmentation and UDP flooding.

TCP state exhaustion attack

TCP state exhaustion attacks attempt to consume the connection state tables that exist in many infrastructure components, such as load balancers, firewalls and the application servers themselves. For example, a firewall must analyze each packet to determine whether it begins a new connection, belongs to an existing connection, or ends an existing connection. Similarly, an intrusion prevention system must track state to perform signature-based packet inspection and stateful protocol analysis. These and other stateful devices, including load balancers, are often taken down by session flooding or connection attacks. For example, the Sockstress attack can fill the connection table by opening sockets, quickly flooding the firewall's state table.

Application layer attack

Application layer attacks use more sophisticated mechanisms to achieve the attacker's goals. Rather than flooding the network with traffic or sessions, they slowly exhaust the application layer resources of a specific application or service. They are very effective at low traffic rates, and the traffic involved may be legitimate from a protocol point of view. This makes application layer attacks harder to detect than other types of DDoS attacks. HTTP flooding, DNS dictionary attacks, Slowloris and so on are examples of application layer attacks.

What do DDoS attacks use to attack?

DDoS attacks are carried out through intermediary agents.

SYN flooding is the most commonly used attack method. It takes advantage of a defect in the implementation of the TCP protocol: by sending a large number of attack packets with forged source addresses to the port where the network service listens, the attacker may fill the half-open connection queue on the target server, preventing legitimate users from accessing it. Basically, the common DDoS attacks at present all use this principle.

What anti-DDoS software is available under Linux, and how is it used?

Some common methods to prevent DDoS attacks are as follows:

1. Adding hardware firewalls and hardware devices to absorb and resist DDoS attacks is the most basic method, but the cost is relatively high.

2. Modify SYN settings to resist SYN attacks: a SYN attack abuses the TCP/IP three-way handshake by sending a large number of packets that request a connection without ever completing it, which eventually fills the connection queue of the attacked server so that normal users cannot access it. The Linux kernel provides several SYN-related settings, which can be listed with the command sysctl -a | grep syn.

3. Install iptables to block specific IPs: a. Install kernel-smp and kernel-smp-modules-connlimit. b. Configure the corresponding iptables rules.

4. Install DDoS Deflate to automatically defend against DDoS attacks: DDoS Deflate is a free script that can defend against and mitigate DDoS attacks. It uses netstat to monitor and track the IP addresses that create a large number of network connections. When it detects that a node exceeds the preset limit, the program bans or blocks these IP addresses through APF or iptables.