Denial of Service Attacks and Prevention
An Meihong
(Sichuan Normal University, Academy of Electronic Engineering, Information Security major, Chengdu, Sichuan 610068)
Abstract: In recent years, with the growth of industries such as e-commerce and e-government, information security has come to be in very high demand. How to protect these systems is an important question, and in particular how to keep them from being denied service, because denial of service is one of the hardest network attacks to defend against. Research on denial of service attacks is therefore quite important for us.
Keywords: denial of service, attack, DoS, DDoS, DRDoS.
Related background: in February 2000 Yahoo, Amazon and other major sites were taken down by such attacks; QQ users being unable to log in is another instance.
Every year many large websites suffer denial of service attacks. A denial of service attack requires little technical skill, yet its effect is obvious: while it lasts, the server cannot provide normal service for a long time and legitimate users cannot be served. This is even more obvious with DDoS, where it is hard to find the attack source and hard to propose an effective remedy. Although we can only take a passive approach, we should still make as much effort as possible, otherwise the consequences will be more serious. First let us look at what denial of service is. I quote the definition from "Information System Security Introduction", edited by the Sichuan University Information Security Research Institute: a denial of service attack is an attack that causes the usable value or service capability of information or an information system to decline or be lost. What we discuss here is of course denial of service carried out through network attacks. In fact there are other ways to deny service, such as power failure, hardware damage and damage to communication lines, but these are not the usual case unless there is a war, when the enemy is denied service at the most fundamental level. What we commonly face are attacks over the network.
First, general denial of service attacks and their prevention
Let us first look at the English name, DoS, Denial of Service. A hacker looks for weaknesses that allow an attack to be launched easily, and because a denial of service attack requires little technical skill most people can master it quickly. In general, when an attacker's other methods fail, he is very likely to turn to this one. Denial of service is, however, a high-cost method and an unprofitable one: although the target can no longer provide service, the attacker gains nothing from it either, and a large amount of availability is wasted. Since the attack mainly reduces the service capacity of the server, when you find your CPU fully occupied you must look closely at the logs, most commonly the firewall records; if it is a common attack against a web service, you can also learn something from your web logs by carefully analysing what caused the load. Let me describe the most common, and some of the earliest, denial of service attacks.
1. Packet flood attack (SYN flood DoS)
This attack is based on the rules of the TCP/IP protocol: a TCP connection is completed with a three-way handshake. First the client sends a SYN packet to the server to request service, the server replies with a packet that has both SYN and ACK set, and the client, on receiving it, sends an ACK packet back to the server. At that point the client has established a connection with the server and both are ready for later communication. In the attack, the attacker sends only forged packets and never answers the response (it cannot receive it, because the source IP is fake), so the server accumulates a large number of "half-open connections". For each packet the server has a certain wait time for the response, and when no response arrives within that period it retransmits, so during the retransmit-and-wait process a large number of half-open connections build up. The attacker can use several computers to send a large volume of packets with false source IP addresses, overloading the server's CPU, and once a certain volume is reached a denial of service results. At the same time, legitimate users' requests are mostly drowned out by the attack packets, so even if the server does not crash it is barely able to respond to legitimate requests. Against this attack we can reduce the number of retransmissions and the wait time on the server, for example through the corresponding registry settings in Win2k (the details are too long to include here; please refer to the relevant documentation).
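To make the retransmit-and-wait mechanism concrete, here is an added toy model of the listen backlog under a flood of spoofed SYNs; it is example code written for this page, not the article's own material. It assumes a doubling SYN/ACK retransmit timer starting at 3 seconds, a backlog of 256 entries and the traffic rates given in the call, all of which are constructed values rather than any operating system's defaults. Comparing five retransmissions with one shows why reducing the retransmission count and wait time lets legitimate clients get through.

```python
"""Toy model of a listen backlog under a spoofed SYN flood (constructed example)."""


def half_open_lifetime(syn_ack_retries, base_timeout=3):
    """Seconds a never-completed half-open entry occupies the backlog.

    The server sends SYN/ACK, then retransmits it syn_ack_retries times with a
    doubling timeout (3 s, 6 s, 12 s, ...) before giving up. These timer values
    are an assumption for this model, not a particular operating system's defaults.
    """
    return base_timeout * (2 ** (syn_ack_retries + 1) - 1)


def simulate(seconds, backlog, spoofed_per_sec, legit_per_sec, syn_ack_retries):
    """Return (accepted, dropped) counts for legitimate connection attempts.

    Each tick is one second. Spoofed SYNs carry a forged source, so no ACK ever
    arrives and their entry lives until the retransmit schedule is exhausted.
    Legitimate clients ACK within a second and their entry is released.
    Spoofed SYNs are processed before legitimate ones in each tick, which is
    the pessimistic ordering.
    """
    lifetime = half_open_lifetime(syn_ack_retries)
    active = []                      # expiry tick of every half-open entry
    accepted = dropped = 0
    for t in range(seconds):
        active = [expiry for expiry in active if expiry > t]   # release expired entries
        for _ in range(spoofed_per_sec):
            if len(active) < backlog:
                active.append(t + lifetime)
        for _ in range(legit_per_sec):
            if len(active) < backlog:
                active.append(t + 1)  # client ACK arrives next tick, entry released
                accepted += 1
            else:
                dropped += 1          # backlog full: legitimate SYN discarded
    return accepted, dropped


if __name__ == "__main__":
    # Constructed scenario: 20 spoofed SYN/s against 5 legitimate SYN/s for one minute.
    for retries in (5, 1):
        acc, drp = simulate(60, 256, 20, 5, retries)
        print(f"retries={retries}: half-open lifetime={half_open_lifetime(retries)}s "
              f"accepted={acc} dropped={drp}")
```

With five retransmissions every spoofed entry outlives the whole run, the backlog fills in about 13 seconds and every later legitimate SYN is discarded; with one retransmission the entries expire after 9 seconds and the backlog never fills at this attack rate. Raising the attack rate shows the limit of the measure, since a short timer only shrinks the window, it does not remove it.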
2. UDP flood denial of service attack
Since UDP is a connectionless protocol, in a UDP flood attack the attacker can send a large number of small UDP packets from many forged source IP addresses. Because UDP has no connection, as long as you open a UDP port to provide a service, that service can be attacked in this way. QQ, for example, is based on UDP, and there are tools on the Internet that send large volumes of packets at a target to knock its QQ offline; against other services, in severe cases, the server may crash.
Against this kind of attack it is recommended to configure the firewall, but because you are providing the service yourself it is difficult to prevent completely.
3. LAND attack.
This uses a TCP/IP vulnerability: the attacker sends packets whose source address is the same as the destination address, so that the server consumes a large amount of processing resources trying to resolve the LAND packets. When the packets reach a certain volume a denial of service results.
Such attacks can be handled by the firewall: when a packet like this arrives, simply discard it and do no further work. This is the basic packet-filtering function of a firewall; in addition, apply the latest patches.
4. Smurf attack.
The amplification effect is a technique hackers use to multiply the effect of their traffic on the network many times over, so its effect is quite good. The attacker, disguised as the victim, sends a request to a broadcast address on the network; the broadcast reaches many devices on that network, and all of them send their responses to the victim. If enough devices on the network respond, the victim receives a huge number of packets and is denied service.
Against this attack I think some isolating equipment can be used so that broadcasts cannot propagate, dividing the network into several small "local area networks". The main idea is to prevent computers from responding to IP broadcast requests.
5. Ping of death.
Ping determines whether a host is alive by sending ICMP packets, and this command can also be used to launch an attack. When a super-sized packet is sent, one exceeding 65535 bytes, it overflows the buffer when the server reassembles it, so the server crashes and service is denied.
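As an added example covering both the LAND attack of section 3 and the ping of death above (not code from the article), here is a stateless packet filter in Python that implements the two checks a firewall applies: drop packets whose source equals the destination, and drop fragments that would push the reassembled datagram past 65535 bytes, with an optional policy of discarding ICMP echo requests. The packets it inspects are constructed inline; the addresses and payloads are made up for the test.

```python
"""Stateless border-filter checks for LAND and ping of death packets (added example)."""
import socket
import struct

MAX_IP_DATAGRAM = 65535   # largest IPv4 datagram the 16-bit length field can describe
IP_HEADER_LEN = 20        # header length assumed when estimating the reassembled size


def parse_ipv4(packet):
    """Extract the header fields the filter needs from a raw IPv4 packet (bytes)."""
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # fragment offset is in 8-byte units
        "payload_len": total_len - ihl,
        "sport": None, "dport": None, "icmp_type": None,
    }
    # Ports and the ICMP type only exist in the first fragment.
    if info["frag_offset"] == 0 and len(packet) >= ihl + 4:
        if proto in (6, 17):       # TCP or UDP
            info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
        elif proto == 1:           # ICMP
            info["icmp_type"] = packet[ihl]
    return info


def filter_decision(packet, drop_icmp_echo=True):
    """Return the filter verdict for one packet as a short string."""
    p = parse_ipv4(packet)
    # LAND: source address equals destination address (and the ports match).
    if p["src"] == p["dst"] and (p["sport"] is None or p["sport"] == p["dport"]):
        return "DROP: LAND"
    # Ping of death: this fragment would push the reassembled datagram past 65535 bytes.
    if IP_HEADER_LEN + p["frag_offset"] + p["payload_len"] > MAX_IP_DATAGRAM:
        return "DROP: oversized reassembly (ping of death)"
    # Optional policy: never answer ICMP echo requests (type 8).
    if drop_icmp_echo and p["proto"] == 1 and p["icmp_type"] == 8:
        return "DROP: ICMP echo request"
    return "ACCEPT"


def build_ipv4(src, dst, proto, payload, frag_offset=0, more_fragments=False):
    """Construct a minimal IPv4 packet (checksum left zero) for testing the filter."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HEADER_LEN + len(payload), 1,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def tcp_header(sport, dport):
    """Minimal 20-byte TCP header carrying only the ports (test data)."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


# Constructed sample traffic, not captured packets.
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.5", "10.0.0.5", 6, tcp_header(80, 80)),                 # LAND
    build_ipv4("192.0.2.1", "10.0.0.5", 1, b"\x00" * 100, frag_offset=65528),  # tail of an oversized ping
    build_ipv4("192.0.2.1", "10.0.0.5", 1, bytes([8, 0, 0, 0]) + b"\x00" * 4 + b"ping"),  # normal echo request
    build_ipv4("192.0.2.1", "10.0.0.5", 6, tcp_header(40000, 80)),             # normal TCP segment
]


def run_filter(packets=SAMPLE_PACKETS, drop_icmp_echo=True):
    """Apply the filter to every packet and return the list of verdicts."""
    return [filter_decision(p, drop_icmp_echo) for p in packets]


if __name__ == "__main__":
    for verdict in run_filter():
        print(verdict)
```

The oversized-ping check works per fragment, without reassembling, because the offset and length of a single fragment already tell the filter whether the whole datagram can fit; that is what lets a border device drop the attack before the host's reassembly buffer is involved.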
Preventing this attack is easier: the firewall that is usually installed will handle the ping command, or it can be set in the system; for example Win2K can set a rule in the IP security policy that filters ICMP packets, which solves it. In addition, you have to apply patches.

Second, distributed denial of service attacks and their prevention
Let us first look at its English name; the full name is Distributed Denial of Service. In this attack there are four roles: the hacker, the master (control) hosts, the attack agents, and the attack target. Their numbers are generally as follows:
Hacker (one or a few) -> masters (more) -> attack agents (many) -> attack target (one)
In the early stage of the attack, the hacker spends a lot of time collecting a large number of compromised hosts ("zombies") to act as masters and agents, and prepares for the attack by installing the various denial of service attack programs on them, such as the domestic tool Dessert, which resembles a Trojan and is divided into a client and a server. A large number of server programs must be implanted before an attack can be launched. (I have also written "Hand-removal of the rear door of the servant" on this; refer to it so that your computer does not act as a tool for an attacker.) In this attack, when the hacker attacks a large target, he can attack from many sides at once using the general denial of service attacks described above, so that the effect is obvious and the target falls into a denied-service state as soon as possible. Why are there masters? Mainly because the target may trace the attack source during an attack, so the masters let the hacker hide better; in general the hacker uses false source IP addresses to control the masters and does not let them return responses. Communication between the masters and the agents is handled the same way, which greatly reduces the chance of the hacker being exposed.
Such attacks are difficult to prevent. Not only the attacked party but every computer on the network must always pay attention, since your own computer may unwittingly act as an attacker. So install the latest patches as much as possible, check your computer for vulnerabilities, and do not let hackers implant attack programs. For example, the server program opens port 8535 and waits for a connection, always on standby for an attack; when the attack happens and your computer is acting as an agent, you will clearly feel that it is handling extra work and its speed suddenly slows down; under Windows I have seen CPU utilisation reach 100%, which is quite serious. Some attack programs, however, have no client: in that case the hacker has usually already planned to attack a particular target and prepared an attack program that attacks only that target. For the attacked party, when an attack happens the firewall should be adjusted in time, and communication with the backbone network operators is needed: each operator can verify source IP addresses on its own exit routers, and if its routing table has no route to a packet's source IP the packet is dropped. This method prevents hackers from using forged source IPs for DDoS attacks. However, it reduces the efficiency of the routers, which backbone operators are very concerned about, so it is genuinely difficult to get this done. In addition, you should contact your ISP and ask for help.
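The source-address verification on exit routers mentioned above, written out as an added Python model (not the article's material): a packet is only forwarded if the router has a route back to its source address, and in the stricter per-interface form, only if that route points at the interface the packet arrived on. The routing table, interface names and packets are constructed for the example; the strict form goes a little beyond the text, because a plain "no route to the source" check passes everything once a default route exists.

```python
"""Source-address validation at an edge router (added example, constructed data)."""
import ipaddress


class SourceAddressFilter:
    def __init__(self, routes):
        """routes: {interface: [prefix, ...]} as a router's forwarding table would list them."""
        self.routes = {iface: [ipaddress.ip_network(p) for p in prefixes]
                       for iface, prefixes in routes.items()}

    def route_lookup(self, address):
        """Longest-prefix match; returns the interface that reaches address, or None."""
        addr = ipaddress.ip_address(address)
        best_iface, best_len = None, -1
        for iface, prefixes in self.routes.items():
            for net in prefixes:
                if addr in net and net.prefixlen > best_len:
                    best_iface, best_len = iface, net.prefixlen
        return best_iface

    def permit(self, in_iface, src, strict=True):
        """Strict: the route back to src must point at the arrival interface.

        Loose: any route to src suffices (the check as the text describes it),
        which is ineffective on a router that carries a default route.
        """
        via = self.route_lookup(src)
        return via == in_iface if strict else via is not None


def apply_filter(filt, packets, strict=True):
    """Split (in_iface, src, dst) tuples into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for in_iface, src, dst in packets:
        target = forwarded if filt.permit(in_iface, src, strict) else dropped
        target.append((in_iface, src, dst))
    return forwarded, dropped


# Constructed routing table: two customer interfaces plus a default route upstream.
ROUTES = {
    "customer-A": ["203.0.113.0/24"],
    "customer-B": ["198.51.100.0/24"],
    "upstream": ["0.0.0.0/0"],
}

# Constructed packets as (arrival interface, source, destination).
SAMPLE_PACKETS = [
    ("customer-A", "203.0.113.7", "192.0.2.10"),     # genuine customer A traffic
    ("customer-A", "198.51.100.9", "192.0.2.10"),    # source forged as customer B
    ("customer-A", "192.0.2.99", "192.0.2.10"),      # source forged as an internet host
    ("upstream", "192.0.2.10", "203.0.113.7"),       # reply arriving from the internet
]

if __name__ == "__main__":
    router = SourceAddressFilter(ROUTES)
    for mode in (True, False):
        fwd, drp = apply_filter(router, SAMPLE_PACKETS, strict=mode)
        print(f"strict={mode}: forwarded={len(fwd)} dropped={[p[1] for p in drp]}")
```

In strict mode the two forged packets from customer A are dropped while the genuine one and the upstream reply pass; in loose mode nothing is dropped, because the default route makes every source address routable.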
Third, distributed reflection denial of service attacks.
Its English name is Distributed Reflection Denial of Service. This is a variant of the DDoS attack; unlike DDoS, DRDoS does not need to occupy a large number of puppet machines before the actual attack. Such an attack is also carried out by forging the source address of the packets, as in the Smurf attack, and DRDoS can be carried out over a wide area. The "R" in the name means reflection, which is the biggest feature of this attack. The hacker uses a special packet tool to send SYN connection request packets with forged source addresses to the deceived hosts; by the rules of the TCP three-way handshake those hosts send SYN/ACK or RST packets to the source IP of the request. As in a Smurf attack, the source IP of the request packets is the victim's address, so the deceived hosts send their responses to the victim, which is kept busy handling them and is denied service. This attack is difficult to prevent, because although the source IP of the packets is not genuine, the packets themselves are legitimate.
Fourth, the new DoS (forged TCP connection DoS) attack.
Here I use an article written by LionD8 of the Chongqing Network Security Engineer Club. The idea is mainly to establish TCP connections first and then launch the attack. Let us look at the process:
A is the attacker, C is the target:
A  SYN        -> C
A  SYN, ACK   <- C
A  ACK        -> C
A  Send Data  -> C
A  ACK        <- C
A  Send Data  -> C
A  ACK        <- C
------------
Quoting the results from the original text: the attack is quite effective against port 1025, compared with ordinary ephemeral ports; memory keeps rising, and later the computer can crash because it no longer responds; in 20 minutes it can drag down an Internet cafe server. Against port 80, with its larger maximum connection count, the effect is not very obvious; about 40 MB of memory is consumed repeatedly, leaving a large number of connections in FIN_WAIT_1 and ESTABLISHED state. For the specific content please refer to the original article "New DoS (forged TCP connection DoS)" on the website www.xfocus.net. This attack is a further development on the basis of NAPTHA.
This attack can be stopped simply by filtering its IP in the IP filter rules; if there is an IDS at the border, it can raise an alarm when this type of attack is found and at the same time pass the address to the firewall. Because the IP of this attack is fixed, it is also relatively easy to analyse and prevent.
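To show what "too many connections from one fixed address" looks like in practice, here is an added Python example (not from LionD8's article or this one) that reads connection-table lines in the layout of `netstat -an`, counts the connections each remote address holds in ESTABLISHED or FIN_WAIT_1 state, and renders filter rules for the addresses over a threshold. The table lines, the threshold and the rule syntax are constructed for the example.

```python
"""Per-source count of resource-holding TCP connections (added example, constructed data)."""
import re
from collections import Counter

# Constructed sample in the column layout of `netstat -an`, not a real capture.
SAMPLE_NETSTAT = """\
  TCP    10.0.0.5:80     203.0.113.4:40001   ESTABLISHED
  TCP    10.0.0.5:80     203.0.113.4:40002   ESTABLISHED
  TCP    10.0.0.5:80     203.0.113.4:40003   FIN_WAIT_1
  TCP    10.0.0.5:80     203.0.113.4:40004   FIN_WAIT_1
  TCP    10.0.0.5:80     198.51.100.7:51000  ESTABLISHED
  TCP    10.0.0.5:1025   203.0.113.4:40005   ESTABLISHED
  TCP    10.0.0.5:80     192.0.2.33:6000     TIME_WAIT
"""

LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
# States in which the server still holds a socket buffer for the peer.
HELD_STATES = {"ESTABLISHED", "FIN_WAIT_1"}


def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for every TCP line in the table."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield int(m.group(2)), m.group(3), m.group(5)


def held_connections_by_source(text):
    """Count, per remote IP, the connections sitting in a resource-holding state."""
    counts = Counter()
    for _local_port, remote_ip, state in parse_netstat(text):
        if state in HELD_STATES:
            counts[remote_ip] += 1
    return counts


def suspects(text, threshold):
    """Remote addresses holding more than `threshold` connections at once."""
    return sorted(ip for ip, n in held_connections_by_source(text).items() if n > threshold)


def filter_rules(text, threshold):
    """Block-list lines in a generic firewall syntax (the syntax is an assumption)."""
    return [f"deny ip from {ip} to any" for ip in suspects(text, threshold)]


if __name__ == "__main__":
    print(held_connections_by_source(SAMPLE_NETSTAT))
    for rule in filter_rules(SAMPLE_NETSTAT, threshold=3):
        print(rule)
```

The threshold should be set per service from normal peak load, since a proxy or NAT gateway legitimately opens many connections from one address; the point is that the abnormal source stands out because its connections never progress past FIN_WAIT_1.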
Fifth, the new amplification denial of service attack.
This attack mainly exploits the principle of data amplification on the network, to deny service to an entire network and paralyse it. Quoting from the original: everyone knows that proxies are divided into two main protocols, SOCKS and HTTP, and there are many of them online. SOCKS proxies can be connected directly into a proxy chain, and some HTTP proxies can emulate a SOCKS proxy through their CONNECT mode (this mode is meant for SSL logins; see the RFC documents. Some servers allow connecting to any port, some restrict it to 443; I do not impose a restriction). So we can use HTTP proxy CONNECT and SOCKS proxies to build a proxy chain J-A-A-J-A-J-A... (J means a Japanese proxy, A means a US proxy), connect through it hundreds of times, and have the last hop go to Microsoft to download Windows XP SP2. What does that mean? Let me describe the actual situation. During the connection process we found the response getting slower and slower, because we doubled the number of network nodes, the network path the data travels is longer and the response is correspondingly slower. But when the download starts you will be surprised to find that the speed is not slow. How slow is it? It does not slow down because of the number of proxies; it is like a long convoy that does not slow down because any one car is slow (speed), only because the route is long, so it runs longer (response time). Ha, it is a single data stream being amplified, and the root of it is the optical cable out of country J.
If we download at 100 kb/s, amplified that becomes 10000 kb/s, 10 MB/s, which takes up 100 Mbit of the international line between country J and country A. This is just the effect of my personal 1 Mbit ADSL. If I had a broadband line, or if a number of friends did this together, we would use up the bandwidth of country J to other countries and country J would become a network island. (Author's note: this example is from the original text "From BBS to Proxy: A New Definition of Denial of Service Attack"; the original also gives an example using Tsinghua, Peking University and other universities, which readers can refer to for details.) This attack only needs a single node between two networks so that the data passes that node in both directions at the same time, causing a large amount of data to crowd at the node and the network's service to become busy. The attack is quite effective against star topologies, and if the attacker can construct a looping data flow that passes through the node many times, the consequences are even more serious. Against this kind of attack, when designing the network we should try to reduce single-exit situations and any situation in which data is amplified. For a star-shaped network, for example, if an attacker launches this attack the effect will be quite obvious, so these situations should be taken into account when planning the network.
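A proxy can refuse to serve as a repeated node in such a chain by examining the Via header that HTTP proxies append as a request passes through them (RFC 7230, section 5.7.1). The following added Python example, not part of the quoted article or this one, parses Via, rejects a request that has already passed through this proxy or that has crossed more proxies than a hop limit, and shows how the proxy's own entry is appended before forwarding; the pseudonyms and the limit of eight hops are assumptions.

```python
"""Proxy-side loop and hop-limit check on the HTTP Via header (added example)."""
import re

# After comments are stripped, each Via entry is:
#   [protocol-name "/"] protocol-version SP received-by
VIA_ENTRY = re.compile(r"^\s*(?:[A-Za-z0-9.+-]+/)?[\d.]+\s+([^\s,]+)\s*$")


def parse_via(header_value):
    """Return the received-by tokens (host[:port] or pseudonym) listed in a Via header."""
    without_comments = re.sub(r"\([^)]*\)", "", header_value or "")
    hops = []
    for part in without_comments.split(","):
        if not part.strip():
            continue
        m = VIA_ENTRY.match(part)
        if not m:
            raise ValueError(f"malformed Via entry: {part.strip()!r}")
        hops.append(m.group(1))
    return hops


def forwarding_decision(via_header, my_pseudonym, max_hops=8):
    """Decide whether this proxy should forward a request it has just received.

    my_pseudonym is the token this proxy writes into Via; max_hops is a
    constructed policy value, not a protocol constant.
    """
    hops = parse_via(via_header)
    if my_pseudonym in hops:
        return "REJECT: loop, request already passed through this proxy"
    if len(hops) >= max_hops:
        return f"REJECT: hop limit, {len(hops)} proxies already in the chain"
    return "FORWARD"


def append_via(via_header, my_pseudonym, version="1.1"):
    """The Via value to send upstream once the request is forwarded."""
    entry = f"{version} {my_pseudonym}"
    return f"{via_header}, {entry}" if via_header else entry


if __name__ == "__main__":
    # Constructed header for a request that has already crossed two proxies.
    incoming = "1.1 proxy-j.example, 1.1 proxy-a.example (Squid 3.5)"
    print(forwarding_decision(incoming, "proxy-j.example"))   # loop: we are already in it
    print(forwarding_decision(incoming, "proxy-b.example"))   # forward
    print(append_via(incoming, "proxy-b.example"))
```

The check only protects a proxy against being re-entered, and depends on upstream proxies honestly carrying the header; it does not stop a chain built from many distinct proxies, which is why the section's advice about network design still applies.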
Sixth, other denial of service attacks.
There is also the DNS distributed denial of service attack, which also has a reflective character: the hacker sends a large number of forged query requests to many DNS servers, with the source IP address in the query packets set to the address of the attacked host, so the DNS servers send a large volume of query results to the attacked host, congesting its network or stopping it from serving the outside.
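The Smurf attack in section 4, DRDoS in section 3 and the DNS reflection just described all deliver responses to requests the victim never sent, so one detection the victim can run is to correlate inbound responses with its own outbound requests. The added Python example below (written for this page, not the article's) does that over a constructed flow log for host 10.0.0.5: a DNS reply, a SYN/ACK or RST, or an echo reply with no matching outbound request is counted as unsolicited, summed per protocol and per sender, and senders over a byte threshold are listed as reflectors. All addresses, sizes and the threshold are made up.

```python
"""Stateful detector for reflected (unsolicited) responses over a constructed flow log."""
from collections import Counter

# Constructed flow log for host 10.0.0.5, one record per line (not a real capture):
# direction proto local_ip local_port remote_ip remote_port kind bytes
SAMPLE_LOG = """\
OUT udp  10.0.0.5 53000 192.0.2.53    53    query        60
IN  udp  10.0.0.5 53000 192.0.2.53    53    response     512
IN  udp  10.0.0.5 40000 192.0.2.54    53    response     3000
IN  udp  10.0.0.5 40001 192.0.2.55    53    response     3000
IN  tcp  10.0.0.5 80    198.51.100.9  44000 syn-ack      40
IN  tcp  10.0.0.5 80    198.51.100.10 44001 rst          40
OUT icmp 10.0.0.5 0     203.0.113.1   0     echo-request 64
IN  icmp 10.0.0.5 0     203.0.113.1   0     echo-reply   64
IN  icmp 10.0.0.5 0     203.0.113.77  0     echo-reply   1400
IN  icmp 10.0.0.5 0     203.0.113.78  0     echo-reply   1400
"""

REQUESTS = {"query", "syn", "echo-request"}
RESPONSES = {"response", "syn-ack", "rst", "echo-reply"}


def parse_line(line):
    """Split one record into (direction, proto, flow key, kind, size)."""
    direction, proto, lip, lport, rip, rport, kind, size = line.split()
    key = (proto, lip, int(lport), rip, int(rport))
    return direction, proto, key, kind, int(size)


def analyze(lines, reflector_threshold=1000):
    """Correlate inbound responses with outbound requests.

    Returns the solicited response count, unsolicited bytes per protocol,
    unsolicited bytes per remote address, and the remote addresses whose
    unsolicited volume reaches reflector_threshold bytes.
    """
    outstanding = set()            # flow keys of requests we sent and have not seen answered
    solicited = 0
    unsolicited_bytes = Counter()
    by_remote = Counter()
    for line in lines:
        if not line.strip():
            continue
        direction, proto, key, kind, size = parse_line(line)
        if direction == "OUT" and kind in REQUESTS:
            outstanding.add(key)
        elif direction == "IN" and kind in RESPONSES:
            if key in outstanding:
                outstanding.discard(key)      # answer to something we asked for
                solicited += 1
            else:
                unsolicited_bytes[proto] += size   # reflected traffic
                by_remote[key[3]] += size
    reflectors = sorted(ip for ip, n in by_remote.items() if n >= reflector_threshold)
    return {"solicited": solicited, "unsolicited_bytes": unsolicited_bytes,
            "by_remote": by_remote, "reflectors": reflectors}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print("solicited:", report["solicited"])
    print("unsolicited bytes by protocol:", dict(report["unsolicited_bytes"]))
    print("reflectors:", report["reflectors"])
```

The reflectors it lists are victims too, not the attacker: the useful outputs are the unsolicited volume per protocol, which tells the operator what to rate-limit at the border, and the list of reflecting hosts, whose administrators can be asked to stop answering broadcast or spoofed requests.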
There are also email denial of service attacks: one is sending large amounts of spam to fill up the user's mailbox space so that the user can no longer receive mail; the other is that a hacker may brute-force the user's mailbox password, so that under the mail server's rules the user may be locked out and unable to log in.
There is also QQ denial of service, where the attacker automatically sends large volumes of messages to the target so that the user receives a flood of junk messages.
Beyond these, anyone who wants to deny service can use a variety of attack methods; the most extreme is physical damage, which is unlikely but not impossible, such as electromagnetic radiation, or, if war breaks out, the enemy using a nuclear electromagnetic pulse to damage communication lines.
Therefore, in prevention we have to consider a variety of situations as far as possible and keep track of the attack techniques hackers use, so that the corresponding measures can be taken according to the attack.
Seventh, some thoughts on denial of service attack tools.
If the hacker attacks a predetermined target, he may only need the attack-agent program without a control end, for example to attack a web server, because the attack target is fixed in the configuration rather than given as a specific IP (as in DDOS1.3 and version 1.4). The hacker may also write his own program and use various vulnerabilities to implant the attack program, which then runs whenever the computer is turned on; this situation tends to appear whenever a new vulnerability is discovered. Against such attacks more effort is needed, and your system should be kept on the latest patches. There are also attack programs with a master: these require password control when communicating with the agents and, preferably, when issuing commands, and the agents should not return responses. If the hacker wants to check the effect of an attack on a web server, he may simply open IE; if it is slow, or cannot open the page, the attack may have succeeded.
In addition, I personally think the hacker's attack program can be implanted using viruses and the spread of worms, using the latest discovered vulnerabilities, or through the administrator's mistakes, such as a blank SQL password, share intrusion, IPC connections and so on. This is entirely possible, because there are now many hacker programs on the Internet, for example ones that scan automatically using IPC and, when an intrusable computer is found, automatically implant a Trojan or other backdoor program; it is very likely that hackers use the same techniques in denial of service attacks.
Finally, denial of service is a fairly difficult attack to deal with. The general approach is to strengthen the identification of packet characteristics: strengthen packet analysis, find the unreasonable packet characteristics, and drop those packets, with a variety of equipment used for prevention. But I think these prevention measures are mostly passive and have not solved the problem fundamentally, and proactive prevention is better than any remedial measure. In addition, against this attack we must work harder: keep track of common vulnerabilities, use network security equipment such as firewalls and IDS products, and when too many connections are detected identify the cause in time; if it is caused by a denial of service attack, adjust the security policy and solve it in combination with the other measures.
(For any discussion, please contact angihong@sina.com)
References:
1. Fang Yong, Qi Jiayong. Information System Security Introduction. Beijing: Electronic Industry Press.
2. Zhou Xueguang, Liu Yi. Information Safety. Beijing: Machinery Industry Press.
3. LionD8. New DoS (forged TCP connection DoS) attack. Chongqing Network Security Engineer Club.
4. Fr.Qaker. From BBS to Proxy: A New Definition of Denial of Service Attack. Beijing: Hacking Line.