What Is a DoS Attack?
DoS is the abbreviation of Denial of Service, which means denial of service. The DoS attack is called a DoS attack, and its purpose is to make the computer or network unable to provide normal services. The most common DoS attacks are computer network broadband attacks and connectivity attacks. 
- DoS attacks have been around since the birth of the Internet, and have continued to develop and upgrade with the development of the Internet. It is worth mentioning that it is not difficult to find DoS tools. The hacker community has a tradition of sharing hacker software and will share their experience in attacking together. You can easily obtain these tools from the Internet. DoS attack software like the ones mentioned above can be freely accessed from the Internet
- dos attack
- To prevent the system from being attacked by DoS, from the first two points, the network administrator must actively and carefully maintain the system to ensure that there are no hidden dangers and vulnerabilities. The malicious attack method against the third point requires the installation of security devices such as firewalls to filter DoS attacks. At the same time, it is strongly recommended that network administrators should regularly check the logs of security devices and timely discover security threats to the system.
- Internet support tools are one of the main solutions, including SuperStack3Firewall, WebCache, and ServerLoadBalancer. Not only does the 3ComSuperStack3 firewall as a security gateway device detect and prevent DoS and DDoS hacking attacks under the default pre-configuration, it protects your network and protects you from Unauthorized access and other external threats and attacks from the Internet; and 3ComSuperStack3ServerLoadBalancer protects all servers from denial of service (DoS) attacks while providing hardware wire-speed Layer 4-7 load balancing for multiple servers ; Similarly, 3ComSuperStack3WebCache can provide enterprises with efficient local caching, but also can protect themselves from "denial of service" (DoS) attacks.
- Common attacks and prevention
SYN Flood dos attack SYN Flood attack
The problem lies in the three-way handshake of the TCP connection. Suppose a user suddenly hangs or goes offline after sending a SYN message to the server. Then the server cannot receive the client's ACK message after sending a SYN + ACK response message ( The third handshake could not be completed). In this case, the server will generally retry (send SYN + ACK to the client again) and wait for a period of time to discard the incomplete connection. The length of this period is called SYN Timeout. In general, this time is on the order of minutes (approximately 30 seconds to 2 minutes); a user exception causes a thread of the server to wait for 1 minute is not a big problem, but if a malicious attacker simulates a lot In this case, the server will consume a lot of resources in order to maintain a very large list of semi-connections-tens of thousands of semi-connections, even simple save and traverse will consume a lot of CPU time and Memory, not to mention the SYN + ACK retry on the IPs in this list. In fact, if the server's TCP / IP stack is not strong enough, the end result is often a stack overflow crash. Even if the server-side system is strong enough, the server-side will be busy processing fake TCP connection requests by attackers and will have no time to ignore normal client requests (After all, the client's normal request ratio is very small.) At this time, from the perspective of the normal client, the server is not responding. This situation is called: the server has suffered a SYN Flood attack (SYN flood attack).
The first method is to shorten the SYN Timeout time. The second method is to set a SYN cookie, which is to assign a cookie to each IP address requesting a connection. If repeated SYN packets of an IP are continuously received within a short period of time, it is considered to be affected In the event of an attack, packets from this IP address will be discarded in the future.
> netstat -n -p tcp> result.txt
Smurf dos attack Smurf attack:
Send a masqueraded ICMP packet with the destination address set to the broadcast address of a certain network and the source address set to the destination host to be attacked, so that all hosts receiving this ICMP packet will send a response to the destination host, making the attacked The host receives tens of thousands of data packets within a certain period of time. <br /> Precautions :
Configure the following on the cisco router to prevent the packet from being passed to the broadcast address:
Router (config-if) # no ip directed-broadcast
Ping of Death dos attack Ping of Death
The "ping of death" attack is what we often call "death ping"
This attack crashes the operating system by sending ICMP packets larger than 65536 bytes; it is usually impossible to send ICMP packets larger than 65536 bytes, but it can split the message into fragments and then reassemble on the target host; eventually it will be The attack target buffer overflowed, causing a denial of service attack. Sometimes the telne and http services are stopped, and sometimes the router is restarted.
dos attack teardrop attack
For some large IP data packets, they often need to be split and transmitted. This is to meet the requirements of the link-layer MTU (Maximum Transmission Unit). For example, when a 6 000 byte IP packet is transmitted on a link with an MTU of 2 000, it needs to be divided into 3 IP packets. There is an offset field and a split flag (MF) in the IP header. If the MF flag is set to 1, it indicates that this IP packet is a fragment of a large IP packet, where the offset field indicates the position of this fragment in the entire IP packet. For example, if a 6 000 byte IP packet is split (the MTU is 2 000), the values of the offset field in the 3 fragments are 0, 2 000, 4 000 in turn. In this way, after the receiving end has completely received the IP data packets, it can reassemble the several divided IP packets received in several times according to the information. There is a security hole that can be exploited here, that is, if hackers set the offset field to an incorrect value after intercepting the IP data packet, so that the receiving end cannot The value of the offset field in the data packet correctly combines these split data packets, but the receiver will keep trying, which may cause the target computer operating system to crash due to exhaustion of resources.
DRDOS dos attack DRDOS
During the attack, the attacker cleverly used the bounce server group to bounce flood packets to the target host. The bounce service means that some servers will generate a response datagram after receiving a request datagram. All web servers, DNS servers, and routers are rebound servers. They respond to SYNACKs or RST packets to SYN packets or other TCP packets, and respond to ICMP datagram timeouts or destination unreachable messages to some IP packets. Datagram. Any web server licensed for general purpose TCP connections can be used as a packet reflection server
- Configure routers, firewalls, and intrusion detection systems to defend against common DDoS attacks
- Determine if you have become an attack platform: monitor packets that are not from your internal network; monitor large-volume echo requests and echo response packets.
- Avoid being used as an attack platform: Disable IP broadcast on all routers; filter out packets that are not from the internal network.
- Mitigating the harm of the attack: filtering and discarding echo reply packets at the border router; for Cisco routers, CAR is used to specify the maximum bandwidth that echo reply packets can use.
- Determine if you are an attack platform: The communication between the master program and the agent program uses the UDP protocol, so the use of UDP
- dos attack
- Avoid being used as an attack platform: Filter out packets that are not from your internal network.
- · Mitigating the harm of the attack: In theory, it is possible to filter UDP packet sequences with the same source IP address, same destination IP address, same source port, and unreachable destination port, and discard them.
- Determine if you are an attack platform: Monitor packets that are not coming from the internal network.
- · Avoid being used as an attack platform: ICMP echo and echo response packets are not allowed to your network. Of course, this will affect all Internet programs that use these functions; filter out packets that are not from the internal network.
- Determine if you are an attack platform: Filter ICMP echo response packets that contain the value 666 in the ID field, the string "skillz" in the data field, or the value 667 in the ID field, and the string "ficken" in the data field ; Filter the data stream containing the string "spoofworks" in the ICMP packet and ICMP packet data fields with the source address "184.108.40.206".
- · Manual protection
- Generally speaking, there are two main forms of DDOS protection:
- System optimization-mainly by optimizing the core parameters of the attacked system to improve the system's response to DDoS attacks. But this approach can only protect against small-scale DDOS.
- Network tracing-The first reaction of the management personnel of the system under DDoS attack is generally to ask the upper-level network operator. This may be ISP, IDC, etc. The purpose is to find out the source of the attack.
dos attack concession strategy
- In order to resist DDOS attacks, DengKelen customers may purchase hardware to improve the system's ability to resist DDOS. However, the effect of this concession strategy is not good. On the one hand, because the cost-effectiveness of this method is too low, on the other hand, after hackers increase the supply flow, this method often fails, so it cannot prevent DDoS attacks in a fundamental sense.
dos attack firewall
- The firewall is almost the most commonly used security product, but the design principle of the firewall does not consider the protection against DDOS attacks. In some cases, the firewall has even become the target of DDOS attacks and has caused denial of service for the entire network.
- The first is that firewalls lack the ability to detect DDOS attacks. Generally, a firewall is deployed in the network as a Layer 3 packet forwarding device. On the one hand, while protecting the internal network, it also provides a path for devices that need to provide external Internet services internally. If DDOS attacks use legal protocol pairs allowed by these servers, The internal system is attacking, and the firewall cannot do anything about it. It cannot accurately distinguish the attack traffic from the background traffic. Although some firewalls have built-in modules to detect attacks, these detection mechanisms are generally based on signature rules. As long as the DDOS attacker changes the attack packet slightly, the firewall cannot respond. The detection of DDOS attacks must rely on Algorithms for behavior patterns.
- The second reason is the limitation of the computing capacity of traditional firewalls. Traditional firewalls are at the cost of high-intensity inspection. The higher the inspection intensity, the greater the computational cost. However, the massive traffic in DDOS attacks will cause the firewall performance to drop sharply, and it cannot effectively complete the task of packet forwarding. The best deployment location of the firewall also affects its ability to protect against DDOS attacks. Traditional firewalls are generally deployed at the entrance of the network. Although all resources inside the network are protected in a certain sense, they are often the target of DDOS attacks. Once an attacker launches a DDOS attack, it often causes the overall performance of the network to decline, resulting in The user's normal request was rejected.