DDoS attack comprehensive analysis

xiaoxiao2021-03-06  46

Of the many kinds of network attack, the DDoS class does the greatest damage to a network system. Understanding DDoS, how it works and how to defend against it is therefore required knowledge for anyone working in computer network security.

I. The concept of DDoS

To understand DDoS we first have to introduce DoS, which stands for Denial of Service. Of all the attack methods and the damage they cause, DoS is a very simple but very effective one. Its aim is to deny you access to a service and disrupt the normal operation of an organization; in the end it takes down part of your Internet connectivity and network systems. There are many ways to mount a DoS attack. The most basic is to use legitimate-looking service requests to occupy so much of the service's resources that legitimate users can no longer be served.

The principle of a DoS attack is shown in Figure 1. From Figure 1 we can see the basic course of the attack: first the attacker sends a large number of requests with forged source addresses. The server replies and then waits for the next message; because the address is forged, that message never arrives, and the resources allocated to the request are never released. When the server has waited a set time the connection is cut off by the timeout, but by then the attacker has sent a new batch of requests, and with this repeated sending of forged-address requests the server's resources are eventually exhausted.

DDoS, Distributed Denial of Service, is a special form of denial of service built on DoS. It is a distributed, coordinated, large-scale attack, aimed mainly at relatively large sites such as commercial companies, search engines and government departments.
Figure 1 shows that a DoS attack can be carried out with a single machine and a modem, whereas a DDoS attack uses a batch of controlled machines to attack one target. Such an attack comes quickly and in force and is hard to prepare for, so it is far more destructive. The principle of a DDoS attack is shown in Figure 2. As Figure 2 shows, a DDoS attack has three layers: the attacker, the master (handler) and the agents, each playing a different role.

1. Attacker: the computer the attacker uses is the control station of the attack. It can be any host on the network, even a portable one. From it the attacker directs the whole attack by sending attack commands to the masters.

2. Master: the masters are hosts the attacker has broken into and controls illegally, and they in turn control a large number of agent hosts. A master runs a specific program that accepts the attacker's commands and relays them to the agents.

3. Agent: the agents are also a batch of hosts the attacker has broken into and controls. They run the attack program, receive the commands sent by the master and carry them out. The agents are the executors of the attack, the ones that actually send the attack traffic to the victim.

The first step in launching a DDoS attack is to find hosts on the Internet with exploitable vulnerabilities, break in and install the attack programs on them; the more hosts the attacker compromises, the stronger the attack. The second step is to divide the compromised hosts into masters and agents. Finally, on the attacker's command, all of them attack the target together. Since the attacker manipulates everything from behind the scenes, the attack is hard to trace back to its origin while it is under way.
II. Common DDoS attack tools

A DDoS attack is implemented with attack tools, which requires the attacker to be able to break into other people's hosts. Unfortunately, some point-and-click hacker programs now complete the intrusion and the installation of the attack program in a few seconds, which makes a DDoS attack easy to mount. Let us look at the common ones.

1. Trinoo. Trinoo's attack method is to send a flood of UDP packets with a 4-byte payload to random ports on the target host. While processing these junk packets the target's network performance steadily degrades until it can no longer serve normal requests, or even crashes. Trinoo does not forge source IP addresses. The communication ports it uses are: attacker to master, 27665/TCP; master to agent, 27444/UDP; agent to master, 31335/UDP.

2. TFN. TFN consists of two parts, a master program and an agent program. Its main attack methods are SYN flood, ping (ICMP) flood, UDP flood and Smurf, and it can forge packets.

3. TFN2K. TFN2K was developed from TFN. On top of TFN's characteristics it adds several of its own: communication between master and agents is encrypted and may be mixed with many decoy packets, whereas TFN's ICMP control channel was not encrypted. The attack methods add MIX and Targa3, and the port of the agent process is configurable.

4. Stacheldraht. Stacheldraht is also derived from TFN, so it has TFN's features. In addition it encrypts the communication between master and agents, which hides the source of the commands, and it probes whether the routers in its path apply RFC 2267 ingress filtering and adapts its spoofing so that it can get past some of it. Stacheldraht also has a built-in agent upgrade module that automatically downloads and installs the newest agent.

III. Detecting DDoS attacks

More and more attackers now use the DDoS method, and only by finding out quickly that we are under attack can we avoid heavy losses. The main ways of detecting a DDoS attack are the following.

1.
Watch for abnormal conditions. When the network's traffic suddenly grows sharply and exceeds its usual limits, be alert and examine the traffic at once; when a particular service keeps failing, pay attention too; and when you see a large number of ICMP or UDP packets passing through, or packets with unusual content, stop and look. In short, whenever your machine behaves abnormally, analyze the situation and take precautions.

2. Detect the preparation. Before an attacker can mount an attack he must first scan for system vulnerabilities. Some network intrusion detection systems on the market can pick out this scanning. In addition, some scanner tools can discover agents the attacker has implanted in a system and remove them.

IV. Defense strategy against DDoS attacks

Because a DDoS attack is hard to trace, no complete solution to it has been found so far. We must therefore strengthen security awareness and raise the security of the network system. The defensive measures that can be taken are the following.

1. Find the vulnerabilities in the system early and install system patches promptly. Establish and maintain a backup mechanism for important information (such as system configuration). Set up privileged accounts (such as administrator accounts) with care. A series of measures like this minimizes the opportunities available to an attacker.

2. In network management, check the physical environment of the system regularly and disable unnecessary network services. Establish boundary security controls to ensure that packets are filtered correctly. Check the system's configuration frequently and review the daily security logs.

3.
Use network security equipment (for example a firewall) to reinforce the security of the network. Configure its security rules to filter out all packets that could be forged.
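As an added worked example, not code from the original article, the following Python script applies the indicators from section III and from item 3 above to a batch of constructed flow records: a sudden jump in packet rate over a quiet baseline, a SYN-to-ACK imbalance, a burst of oversized ICMP/UDP packets, and source addresses from ranges that should never arrive on an Internet-facing link, which is how forged packets show up and what RFC 2267-style ingress filtering drops. The flow records, the bogon prefix list and the thresholds are all assumptions chosen for the example.

```python
"""Anomaly indicators for a DDoS over flow records (added example, constructed data)."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Source ranges that must never arrive on an Internet-facing interface
# (RFC 1918 private space, loopback, the unspecified block). A packet from
# one of them has a forged source; ingress filtering (RFC 2267) drops them.
# The list is an assumption for this example, not a complete bogon table.
BOGON_PREFIXES = [ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

# Constructed flow records: (second, src, proto, bytes, tcp_flags).
# Seconds 0-2 are a quiet baseline; in second 3 a SYN flood from forged
# 10/8 sources arrives together with a few oversized ICMP/UDP packets.
SAMPLE_FLOWS = (
    [(0, "203.0.113.5", "TCP", 60, "S"), (0, "203.0.113.5", "TCP", 1500, "A"),
     (1, "198.51.100.9", "TCP", 60, "S"), (1, "198.51.100.9", "TCP", 1200, "A"),
     (2, "203.0.113.7", "UDP", 120, "")]
    + [(3, f"10.{i % 256}.{i // 256}.1", "TCP", 60, "S") for i in range(400)]
    + [(3, "192.0.2.44", "ICMP", 1472, ""), (3, "192.0.2.45", "UDP", 1400, "")]
)


def is_bogon(src):
    """True if the source address lies in a range that cannot legitimately reach us."""
    addr = ip_address(src)
    return any(addr in net for net in BOGON_PREFIXES)


def analyze(flows, baseline_seconds=3, spike_factor=10, large_bytes=1000, syn_min=50):
    """Return one alert dict per one-second window that shows attack indicators.

    baseline_seconds: leading windows used as the 'usual' packet rate. They must
    come from a period known to be clean, or the attack raises its own baseline.
    """
    per_sec = defaultdict(list)
    for rec in flows:
        per_sec[rec[0]].append(rec)
    baseline = [len(per_sec[s]) for s in range(baseline_seconds)]
    baseline_rate = max(1.0, sum(baseline) / len(baseline))

    alerts = []
    for sec in sorted(per_sec):
        recs = per_sec[sec]
        syns = sum(1 for r in recs if r[2] == "TCP" and r[4] == "S")
        acks = sum(1 for r in recs if r[2] == "TCP" and "A" in r[4])
        forged = sum(1 for r in recs if is_bogon(r[1]))
        big = Counter(r[2] for r in recs if r[2] in ("ICMP", "UDP") and r[3] >= large_bytes)
        reasons = []
        if len(recs) > spike_factor * baseline_rate:
            reasons.append(f"traffic spike: {len(recs)} pps vs baseline {baseline_rate:.1f}")
        if syns >= syn_min and syns > 5 * acks:
            reasons.append(f"SYN flood pattern: {syns} SYN vs {acks} ACK")
        if forged:
            reasons.append(f"{forged} packets from forged (bogon) sources")
        if big:
            reasons.append("oversized packets: " + ", ".join(f"{p}={n}" for p, n in sorted(big.items())))
        if reasons:
            alerts.append({"second": sec, "pps": len(recs), "syns": syns,
                           "forged": forged, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(f"t={alert['second']}s:", "; ".join(alert["reasons"]))
```

Only the attack second is reported; the baseline seconds produce nothing. The bogon check is the cheapest and most reliable of the four indicators, because a private-range source on a public link is forged by definition, which is why the same test belongs in the router's ingress ACL, not only in the detector.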

4. A better defense is to work with your network service provider and have them help you implement route-based access control and bandwidth limits.

5. When you find you are under a DDoS attack, start your response plan: trace the attack packets back as quickly as possible, contact your ISP and the relevant emergency response organizations, analyze the affected systems and identify the other nodes involved, so that traffic from the known attacking nodes can be blocked.

6. If you are a potential DDoS victim and find that your computer is being used by an attacker as a master or an agent, do not take it lightly just because your own system has not yet been damaged: the attacker has found a vulnerability in your system, which is a serious threat to it. Once the attacker's tool software is found on the system it should be removed promptly to avoid worse consequences.

So far, preventing DoS, and especially DDoS, attacks is still difficult, but some measures can be taken to reduce the harm. A small or medium-sized website can defend itself as follows.

Host settings: that is, harden the operating system by tuning its parameters to make the system more robust. On the various BSD systems, on Solaris and on Windows, recompiling the kernel or setting certain kernel parameters reduces the impact of an attack to a certain extent. Take the typical DoS attack, the SYN flood, as an example. It exploits a weakness of the TCP/IP protocol by sending a large number of forged TCP connection requests (SYNs), so that the network can no longer serve users or the operating system crashes. The attack process depends on two system parameters: the number of half-open connection requests the system queues, and the length of time it waits for the rest of the handshake.
Therefore, the following settings can be made:
* Disable unnecessary services;
* Raise the length of the half-open connection queue from its default of 128 or 512 to 2048 or more, so that a longer queue can absorb and process more pending requests;
* Shorten the connection timeout, so that normal connections still complete while the attack's requests are discarded sooner;
* Update the system and install patches promptly.

Firewall settings: again taking the SYN flood as an example, on the firewall you can:
* Block access to services the host does not expose;
* Limit the maximum number of half-open connections allowed at the same time;
* Restrict access from specific IP addresses;
* Enable the firewall's anti-DDoS features;
* Strictly limit outbound access from the exposed server, so that your own server cannot be used as an attack tool.

In addition, the following methods can be used:
* Random drop. When traffic reaches a set threshold, subsequent packets are dropped according to the algorithm's rule so as to preserve the host's processing capacity. Its shortcoming is that it also drops normal packets, and under a large flood normal packets are a drop in the ocean, so they are very likely to be rejected along with the attack packets;
* SYN cookies. The server encodes the state of the half-open connection into the initial sequence number of its SYN-ACK instead of storing it, and only allocates a connection when the client's final ACK carries a valid cookie back, so the attack's forged requests cost it no memory. The shortcoming is the hash computation on every SYN and every final ACK, and the loss of TCP options that cannot be encoded in the cookie; under a very high SYN rate the extra computation itself can delay responses.

Because there are so many types of DoS attack, a firewall can only resist a limited number of them.

Router settings, taking a Cisco router as an example:
* Enable Cisco Express Forwarding (CEF);
* Use Unicast Reverse-Path Forwarding (uRPF);
* Filter with access control lists (ACLs);
* Rate-limit packet traffic;
* Upgrade an IOS version that is too old;
* Set up a log server for the router.
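The DoS principle from Figure 1 (forged requests the server waits on until they time out), the two host parameters above (half-open queue length and SYN-RECV timeout) and the SYN cookie mechanism can all be seen in one simulation. The following Python is an added example, not code from the article or from any product it mentions. The two listeners, the flood and the legitimate client are constructed; the cookie layout is modelled on the Linux scheme (5-bit time counter, 3-bit MSS index, 24-bit MAC), the MSS table is an assumption, and wire details such as real ISN generation and TCP options are left out.

```python
"""SYN flood against a bounded half-open queue versus SYN cookies (added simulation).

Models two host parameters named in the text (half-open queue length and
SYN-RECV timeout) and a Linux-style SYN cookie. The flood and the client are
constructed inputs; the MSS table is an assumption.
"""
import hashlib
import hmac
import random

MASK32 = 0xFFFFFFFF
MSS_TABLE = (536, 1300, 1440, 1460)   # values the 3-bit cookie field can encode (assumed)


class BacklogServer:
    """Stateful listener: every SYN occupies a half-open slot until the
    client's ACK completes the handshake or the SYN-RECV timer expires."""

    def __init__(self, backlog=128, syn_timeout=75.0):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.half_open = {}   # (src, sport) -> (server_isn, expiry)
        self.dropped = 0

    def _expire(self, now):
        for key in [k for k, (_, exp) in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, now, src, sport, client_isn):
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1          # queue full: the SYN is silently dropped
            return None
        server_isn = random.getrandbits(32)
        self.half_open[(src, sport)] = (server_isn, now + self.syn_timeout)
        return ((client_isn + 1) & MASK32, server_isn)   # SYN-ACK: (ack, seq)

    def on_ack(self, now, src, sport, seq, ack):
        self._expire(now)
        entry = self.half_open.pop((src, sport), None)
        return entry is not None and ack == (entry[0] + 1) & MASK32


class SynCookieServer:
    """Stateless listener: the SYN-ACK sequence number carries the state.
    Cookie layout: 5-bit time counter | 3-bit MSS index | 24-bit MAC."""

    def __init__(self, secret=b"rotate-this-secret", period=60.0):
        self.secret = secret
        self.period = period

    def _mac(self, src, sport, client_isn, count, mss_idx):
        msg = f"{src}|{sport}|{client_isn}|{count}|{mss_idx}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")

    def _count(self, now):
        return int(now // self.period) & 0x1F

    def on_syn(self, now, src, sport, client_isn, mss=1460):
        count = self._count(now)
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        cookie = (count << 27) | (mss_idx << 24) | self._mac(src, sport, client_isn, count, mss_idx)
        return ((client_isn + 1) & MASK32, cookie)      # nothing is stored

    def on_ack(self, now, src, sport, seq, ack):
        cookie = (ack - 1) & MASK32
        client_isn = (seq - 1) & MASK32
        count, mss_idx, mac = cookie >> 27, (cookie >> 24) & 7, cookie & 0xFFFFFF
        now_count = self._count(now)
        if count not in (now_count, (now_count - 1) & 0x1F):
            return None                                   # cookie too old
        if mac != self._mac(src, sport, client_isn, count, mss_idx):
            return None                                   # bogus or forged ACK
        return MSS_TABLE[mss_idx]                         # accepted; MSS recovered


def run_flood(server, spoofed=2000, legit_time=1.0, seed=7):
    """Send `spoofed` never-completed SYNs from forged sources at t=0, then one
    legitimate handshake at t=legit_time. Return True if that client connected."""
    rng = random.Random(seed)
    for _ in range(spoofed):
        src = ".".join(str(rng.randrange(1, 224)) for _ in range(4))   # forged source
        server.on_syn(0.0, src, rng.randrange(1024, 65536), rng.getrandbits(32))
    client, port, client_isn = "198.51.100.20", 40000, rng.getrandbits(32)
    synack = server.on_syn(legit_time, client, port, client_isn)
    if synack is None:
        return False                                      # no SYN-ACK: queue was full
    _, server_seq = synack
    return bool(server.on_ack(legit_time + 0.1, client, port,
                              (client_isn + 1) & MASK32, (server_seq + 1) & MASK32))


if __name__ == "__main__":
    print("backlog 128, timeout 75s :", run_flood(BacklogServer(128, 75.0)))   # False
    print("backlog 2048, timeout 75s:", run_flood(BacklogServer(2048, 75.0)))  # True
    print("backlog 128, timeout 0.5s:", run_flood(BacklogServer(128, 0.5)))    # True
    print("SYN cookies              :", run_flood(SynCookieServer()))          # True
```

With the default queue of 128 the 2000 forged SYNs lock the legitimate client out for the full 75-second timer; raising the queue to 2048 or cutting the timer to half a second lets it in, and the cookie server is unaffected because it stores nothing per SYN. The cookie server also shows the two checks that matter: an ACK whose time counter is more than one period old is refused, and an ACK whose MAC does not match the client's address and port is refused, so an attacker cannot complete a handshake on behalf of a forged source. The random-drop method from the text would be a third variant of BacklogServer that discards each new SYN with some probability once the queue passes a threshold; it keeps capacity free but, as the text says, discards legitimate SYNs at the same rate.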

Of the router settings listed above, CEF and uRPF need special care: used improperly they reduce the router's forwarding efficiency. Upgrading IOS should also be done cautiously. The router is the core device of the network and must be handled carefully; it is best to make the change first without saving it. A Cisco router has two configurations, the startup config and the running config. A change modifies the running config; let that configuration run for a while, and save it to the startup config only when you are satisfied that it works. If you are not satisfied and want to go back to the original configuration, use copy startup-config running-config (note that this merges the saved configuration into the running one rather than replacing it; a reload is the clean way to revert). Whether firewall or router, these are devices on the external interface, and when applying anti-DDoS settings the cost to normal business that may be sacrificed must be weighed carefully.

Load balancing: distribute the application service across several different servers, even in different locations, and split the requests entering the system among the servers with round-robin DNS or a hardware routing device. This needs a fairly large investment and correspondingly high maintenance costs; a medium-sized website can consider it if it has the means.

The methods above are still quite effective against DoS attacks of limited volume, fixed pattern and simple structure. Against DDoS attacks, the defensive measures and techniques have to cope with very high traffic, which requires integrating several algorithms and the functions of several network devices. In recent years products using such integrated technology have appeared, such as the Captus IPS 4000, Mazu Enforcer and Top Layer Attack Mitigator, and the domestic NSFOCUS (Green League) Black Hole and Dongfang Longma Terminator. They can effectively resist SYN flood, UDP flood, ICMP flood and stream flood attacks, and some of them also have routing and switching features.
For those who can afford them, using such products directly is the more convenient way to defend against DDoS attacks. However, whether foreign or domestic, the reliability and usability of these technologies still need improvement, for instance in the high availability, processing rate and efficiency of the equipment and in the integration of functions.

Finally, two emergency methods for restoring service quickly after a website has suffered a DoS attack:
* If spare IP addresses are available, switch to a new IP address and point the website's domain name at it;
* Disable port 80 and serve HTTP on another port such as 81, with the site reached at IP:81. (A DNS record cannot carry a port number, so visitors must be given the new port explicitly or be redirected to it.)

From siyizhu (http://siyizhu.126.com)

Please credit the original address when reposting: https://www.9cbs.com/read-70174.html
