Understanding the Principles of DDoS Attacks


    1. Introduction to DDoS

    DDoS stands for Distributed Denial of Service attack. A DDoS attack overloads a resource with a large volume of seemingly reasonable requests until the service becomes unavailable, so the server ends up refusing to serve normal traffic. Consider a hotel with a fixed number of rooms, say 50: once all 50 rooms are occupied, new guests have to wait for earlier guests to leave. If those guests never check out, the hotel cannot accommodate anyone new and is effectively overloaded; that is a denial of service. To keep providing service, the hotel would have to add more rooms, and a server is no different.

    2. Basic Concepts of Denial of Service Attacks

    Denial of service: a state in which an application system cannot work normally and provide its services to the outside world. Network congestion, system downtime and slow response are all manifestations of denial of service.

    Denial of Service Attack (DoS): an attack that uses various techniques to drive the target system into a denial of service state. Common means include exploiting vulnerabilities, exhausting the application system's processing capacity, and exhausting the application system's bandwidth.

    Distributed Denial of Service Attack (DDoS): an advanced form of denial of service attack that uses botnets distributed around the world to generate large-scale denial of service attacks.

    3. DDoS attack classification

    Vulnerability type (attacks based on specific vulnerabilities): effective only against targets that have the specific vulnerability; usually a single crafted packet or a small number of packets is enough to achieve the effect.

    Business type (mainly consuming the processing capacity of the business system): closely tied to the type of business; the method has to be adapted to the application type of the business system to achieve the effect. The traffic required for a business-type attack is usually much lower than for a traffic-type attack.

    Traffic type (mainly consuming bandwidth): exhausts the bandwidth of the target business system, usually causing network congestion and thereby disrupting normal business.

    4. Denial of Service Attack Process

    Phenomenon analysis: based on the symptoms observed and the condition of network devices and services, make an initial determination of whether a denial of service attack is under way.

    Packet capture analysis: capture and analyse traffic to understand the attack method and its characteristics in more detail.

    Initiate countermeasures: finally, deploy countermeasures against the attack, such as adding resources, security hardening, and protective services.

    5. DDoS traffic packet analysis

    SYN Flood Attack

    Under normal circumstances the TCP three-way handshake proceeds as follows:

    The client sends a SYN packet to the server containing the client's port number and initial sequence number X.

    On receiving the client's SYN, the server knows the client wants to establish a connection, so it replies with a SYN+ACK packet carrying acknowledgement number X + 1 and the server's initial sequence number Y.

    The client receives the SYN+ACK from the server and returns an ACK packet with acknowledgement number Y + 1 and sequence number X + 1. The three-way handshake is complete and the TCP connection is established.

    SYN flood attack principle: normally the client sends a SYN, the server answers with SYN+ACK, and the client returns the final ACK to complete the TCP connection. In a SYN flood the client never returns that last ACK, leaving the server with half-open connections. A TCP half-open connection is one where a connection request has been sent or received and the endpoint is waiting for the other side to answer. Each half-open connection ties up system resources while it waits; once the number of half-open connections reaches the upper limit, new connections can no longer be established, and the result is a denial of service.
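The half-open condition described above can be spotted by replaying packet summaries through a small handshake state machine. This is an added example, not code from the original article; the packet records, addresses and the threshold of 5 are constructed for illustration.

```python
# Added example (not from the original article): track TCP handshake state per
# client from constructed packet summaries and report half-open connections,
# the condition a SYN flood leaves behind when the final ACK never arrives.
from collections import defaultdict

# Constructed packet records: (src, sport, dst, dport, flags, seq, ack).
# Sequence numbers follow the handshake: client X, server Y, acks X+1 / Y+1.
SAMPLE_PACKETS = [
    # A legitimate client that completes all three steps.
    ("10.0.0.5", 40001, "192.0.2.10", 80, "S", 1000, 0),
    ("192.0.2.10", 80, "10.0.0.5", 40001, "SA", 5000, 1001),
    ("10.0.0.5", 40001, "192.0.2.10", 80, "A", 1001, 5001),
]
# A source that sends SYNs, receives SYN+ACKs, and never answers.
for port in range(50000, 50006):
    SAMPLE_PACKETS.append(("203.0.113.7", port, "192.0.2.10", 80, "S", 7000, 0))
    SAMPLE_PACKETS.append(("192.0.2.10", 80, "203.0.113.7", port, "SA", 9000, 7001))

def track_handshakes(packets):
    """Return {(client, port): state} after replaying the packets.

    States: SYN_SENT, SYN_RECV (server answered, waiting for ACK), ESTABLISHED.
    Only an ACK whose ack number equals the server ISN + 1 completes a connection.
    """
    state, server_isn = {}, {}
    for src, sport, dst, dport, flags, seq, ack in packets:
        if flags == "S":
            state[(src, sport)] = "SYN_SENT"
        elif flags == "SA" and state.get((dst, dport)) == "SYN_SENT":
            state[(dst, dport)] = "SYN_RECV"
            server_isn[(dst, dport)] = seq
        elif flags == "A" and state.get((src, sport)) == "SYN_RECV":
            if ack == server_isn[(src, sport)] + 1:
                state[(src, sport)] = "ESTABLISHED"
    return state

def half_open_by_source(state):
    """Count connections still waiting for the third handshake step, per client."""
    counts = defaultdict(int)
    for (client, _port), st in state.items():
        if st == "SYN_RECV":
            counts[client] += 1
    return dict(counts)

def suspected_syn_flooders(packets, threshold=5):
    """Sources holding at least `threshold` half-open connections (constructed limit)."""
    counts = half_open_by_source(track_handshakes(packets))
    return sorted(src for src, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(suspected_syn_flooders(SAMPLE_PACKETS))  # ['203.0.113.7']
```

In a real deployment the same per-source count is what SYN cookies or a backlog limit on the server are protecting, so a rising count from few sources is the first signal to look for in a capture.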

    UDP Flood Attack

    UDP flood attack principle: because UDP is connectionless, it consumes few system resources and can generate high traffic volumes easily under the same conditions. When the victim receives a UDP packet it looks for an application listening on the destination port. If none is found, it generates an ICMP destination unreachable (port unreachable) message and sends it to the source address, which may be forged. If enough UDP packets are sent to the victim's ports, the system can be driven into denial of service. This is why UDP floods are the primary form of traffic-type attack.

    Slow Denial of Service Attack

    Slow denial of service attack principle: a complete HTTP request head ends with \r\n\r\n (an empty line). A slow attack sends only \r\n, one \r\n short of completion, so the request is incomplete and the server keeps waiting for the rest until its timeout expires.
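The server-side check that distinguishes a finished request head from one still waiting for its final empty line, as an added example that is not part of the original article; the per-connection buffers, timestamps and the 10-second header timeout are constructed values.

```python
# Added example (not from the original article): classify in-flight HTTP
# request buffers to find slow-header connections that never send the
# terminating blank line (\r\n\r\n) the server is waiting for.
HEADER_END = b"\r\n\r\n"

def header_complete(buf: bytes) -> bool:
    """True once the request head has been terminated by an empty line."""
    return HEADER_END in buf

def stalled_connections(conns, now, header_timeout=10.0):
    """Return ids of connections whose head is incomplete past the timeout.

    conns: {conn_id: (buffered_bytes, last_activity_ts)}, a constructed view of
    a server's per-connection read buffers. A connection that is still sending
    bytes is not stalled yet, even if its head is incomplete.
    """
    stalled = []
    for cid, (buf, last_seen) in conns.items():
        if not header_complete(buf) and now - last_seen > header_timeout:
            stalled.append(cid)
    return sorted(stalled)

# Constructed sample: one full request, one slow request missing the final
# \r\n and idle for 15 s, and one incomplete request that sent a byte 1 s ago.
SAMPLE_CONNS = {
    "c1": (b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n", 100.0),
    "c2": (b"GET / HTTP/1.1\r\nHost: example.test\r\n", 95.0),
    "c3": (b"GET / HTTP/1.1\r\nX-a: b\r\n", 109.0),
}

if __name__ == "__main__":
    print(stalled_connections(SAMPLE_CONNS, now=110.0))  # ['c2']
```

A server with a header timeout closes connections like c2 instead of holding a worker for them, which is the mitigation the timeout in the text refers to.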

    ICMP Flood Attack

    ICMP flood attack principle: a large number of ICMP echo requests (ping) exceeding the system's capacity forces the system to spend all its resources on responses until it can no longer process legitimate traffic on the network. It is easy to defend against, however, because ICMP messages can be dropped without affecting most of the system's operation. Using hp3 to trigger an ICMP flood attack.
