
DDoS Attack Introduction

A Distributed Denial of Service (DDoS) attack combines many computers into an attack platform and uses malicious programs on them, controlled over remote connections, to attack one or more targets, exhausting the target server's processing capacity or network bandwidth so that the server can no longer provide service normally.

Attack Principle

Usually the attacker uses an illegitimately obtained account to install the DDoS master program on one computer and installs the agent (proxy) program on many computers across the network. Within a set period the master program communicates with the large number of agent programs, and when the agents receive the instruction to attack the target they begin the attack; the master program can activate hundreds or thousands of agents within a few seconds.

The harm of a DDoS attack

DDoS attacks can cause the following harm to your business.

1. Significant financial loss

After a DDoS attack, your origin server may be unable to provide service, so users cannot reach your business, which causes large financial and brand losses.

For example, when an e-commerce platform is under DDoS attack, the website cannot be accessed normally or is even taken down for a short period, so legitimate users cannot place orders for goods.

2. Data leakage

Attackers may take the opportunity of a DDoS attack on your server to steal your business's core data.

3. Malicious competition

Some industries suffer from vicious competition: competitors may maliciously attack your service with a DDoS attack to gain an advantage in the market.

For example, a game business suffered a DDoS attack, the number of players dropped drastically, and the game went completely offline within a few days.

Common types of DDoS attacks

1. Malformed message

Malformed message attacks mainly include Frag Flood, Smurf, Stream Flood, Land Flood, and malformed IP, TCP and UDP messages.

A malformed message attack achieves denial of service by sending defective IP packets to the target system, which crashes while processing them.

2. Transport layer DDoS attack

Transport layer DDoS attacks mainly include SYN Flood, ACK Flood, UDP Flood, ICMP Flood, RST Flood, and so on.

Take the SYN Flood attack as an example. It exploits the TCP three-way handshake: when the server receives a SYN, it must keep the half-open connection in its listen queue for a certain time. By continuously sending SYNs to the server and never answering the SYN+ACK, the attacker consumes the server's resources; once the listen queue is full, the server cannot respond to legitimate users' requests, which achieves the denial of service.
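To make the listen-queue argument concrete, here is an added Python model (not code from the original article) of a listening socket with a fixed backlog beside a stateless SYN-cookie variant, a standard mitigation the article itself does not mention; the addresses, backlog size, cookie layout and HMAC construction are assumptions made for the example.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(16)  # constructed per-process secret; a real implementation rotates it
SLOT_SECONDS = 64        # validity window of a cookie, as in classic SYN-cookie designs

def _slot(now: float) -> int:
    return int(now // SLOT_SECONDS) & 0xFF

def cookie_for_slot(peer: str, sport: int, client_isn: int, slot: int) -> int:
    # Stateless server ISN: 8-bit time slot || 24-bit truncated HMAC over peer, port, client ISN.
    msg = f"{peer}|{sport}|{client_isn}|{slot}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]
    return (slot << 24) | int.from_bytes(tag, "big")

def check_cookie(peer, sport, client_isn, server_isn, now) -> bool:
    slot = server_isn >> 24
    if (_slot(now) - slot) & 0xFF > 1:   # issued more than about two slots ago: stale
        return False
    expected = cookie_for_slot(peer, sport, client_isn, slot)
    return hmac.compare_digest(expected.to_bytes(4, "big"), server_isn.to_bytes(4, "big"))

class Listener:
    def __init__(self, backlog: int, syn_cookies: bool):
        # Model of a TCP listen socket: `backlog` half-open slots, or stateless SYN cookies.
        self.backlog, self.syn_cookies = backlog, syn_cookies
        self.half_open = {}  # (peer, sport) -> server ISN; only used without cookies

    def on_syn(self, peer, sport, client_isn, now):
        # Returns the server ISN carried in SYN+ACK, or None when the SYN is dropped.
        if self.syn_cookies:  # keep no state until the ACK proves the peer is reachable
            return cookie_for_slot(peer, sport, client_isn, _slot(now))
        if len(self.half_open) >= self.backlog:
            return None       # listen queue full: the denial-of-service condition
        self.half_open[(peer, sport)] = int.from_bytes(os.urandom(4), "big")
        return self.half_open[(peer, sport)]

    def on_ack(self, peer, sport, client_isn, ack, now) -> bool:
        server_isn = (ack - 1) & 0xFFFFFFFF
        if self.syn_cookies:
            return check_cookie(peer, sport, client_isn, server_isn, now)
        return self.half_open.pop((peer, sport), None) == server_isn

def legit_client_succeeds(syn_cookies: bool, now: float = 1.7e9, spoofed: int = 200) -> bool:
    # Constructed scenario: SYNs from spoofed sources that never ACK, then one real client.
    srv = Listener(backlog=128, syn_cookies=syn_cookies)
    for i in range(spoofed):
        srv.on_syn(f"203.0.113.{i % 250}", 1024 + i, client_isn=i, now=now)
    isn = srv.on_syn("198.51.100.7", 40000, client_isn=12345, now=now)
    return isn is not None and srv.on_ack("198.51.100.7", 40000, 12345, isn + 1, now)
```

With the plain backlog the legitimate client's SYN is dropped once the queue holds 128 unanswered entries; with cookies nothing is stored until the peer's ACK returns a value only the server could have issued.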

3. DNS DDoS Attack

DNS DDoS attacks mainly include DNS Request Flood, DNS Response Flood, False Source + Real Source DNS Query Flood, Authoritative Server Attack, and Local Server Attack.

Take the DNS Query Flood attack as an example. Each request is a real query, which by itself is normal business behaviour; but when many puppet machines issue a huge number of domain-name queries at the same time, the server cannot respond to legitimate queries, which leads to denial of service.

4. Connection-based DDoS attack

Connection-based DDoS attacks mainly refer to TCP slow-connection attacks, connection-exhaustion attacks, and slow attacks such as Loic, Heroic, Slowloris, Pyloris and Xoic.

Take the Slowloris attack as an example. Its target is the concurrency limit of the Web server: once the number of concurrent connections reaches the upper limit, the Web service cannot accept new requests. When the Web service receives a new HTTP request it opens a new connection to process it and closes the connection when processing completes. If connections are held open, every new HTTP request needs a fresh connection, and once all connections are occupied the Web server cannot process any new request.

Slowloris uses a characteristic of the HTTP protocol to achieve this. An HTTP request marks the end of its headers with \r\n\r\n; if the Web server has received only \r\n, it considers the header section unfinished, keeps the connection open and waits for the rest of the request.
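An added example, not code from the original article, of the server-side check that turns the \r\n\r\n rule into a bounded header phase: an incremental header reader with a total deadline, an idle limit and a size cap, run over constructed traffic (the timeout values and header lines are assumptions).

```python
from enum import Enum

class Outcome(Enum):
    INCOMPLETE = "incomplete"
    COMPLETE = "complete"
    TIMEOUT = "timeout"
    TOO_LARGE = "too_large"

class HeaderReader:
    # Collects request bytes until the \r\n\r\n that ends the headers, but bounds how long
    # and how large the header phase may be so that a trickling client cannot hold the slot.
    def __init__(self, start: float, header_timeout=20.0, idle_timeout=5.0, max_bytes=8192):
        self.buf = bytearray()
        self.start = self.last = start
        self.header_timeout, self.idle_timeout, self.max_bytes = header_timeout, idle_timeout, max_bytes
        self.outcome = Outcome.INCOMPLETE

    def poll(self, now: float) -> Outcome:
        # Called by the server's timer; closes the connection once a deadline has passed.
        if self.outcome is Outcome.INCOMPLETE and (
            now - self.last > self.idle_timeout or now - self.start > self.header_timeout
        ):
            self.outcome = Outcome.TIMEOUT
        return self.outcome

    def feed(self, chunk: bytes, now: float) -> Outcome:
        if self.poll(now) is not Outcome.INCOMPLETE:
            return self.outcome
        self.last = now
        self.buf += chunk
        if len(self.buf) > self.max_bytes:
            self.outcome = Outcome.TOO_LARGE
        elif b"\r\n\r\n" in self.buf:   # search the whole buffer: the terminator may straddle chunks
            self.outcome = Outcome.COMPLETE
        return self.outcome

def run(deliveries, end: float, **limits) -> Outcome:
    # deliveries: list of (arrival_time, chunk) pairs; `end` is when the server polls last.
    reader = HeaderReader(start=deliveries[0][0], **limits)
    for t, chunk in deliveries:
        reader.feed(chunk, t)
    return reader.poll(end)

# Constructed traffic. A normal request whose terminator is split across two segments:
NORMAL = [(0.0, b"GET / HTTP/1.1\r\nHost: example.com\r\n"), (0.2, b"\r\n")]
# A slowloris-style client: one bogus header line every 4 s and never the blank line.
# It stays under the 5 s idle limit, so only the total header deadline catches it.
DRIP = [(4.0 * i, b"X-a: b\r\n") for i in range(15)]
```

Running `run(DRIP, 60.0)` ends in TIMEOUT because of the 20 s header deadline, while `run(DRIP, 60.0, header_timeout=1e9)` stays INCOMPLETE, showing that an idle timeout on its own does not stop a client that drips one line at a time.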

5. Web application layer DDoS attack

Web application layer attacks mainly refer to HTTP GET Flood, HTTP POST Flood, CC, and other attacks.

Application-layer attacks usually simulate user requests completely, much like search engines and crawlers; there is no strict boundary between these attacks and normal business traffic, so they are difficult to distinguish.

Web services contain resource-consuming transactions and pages. For example, with paging and table splitting in Web applications, if the page-control parameters are too large, frequent page turns consume more Web service resources; especially under high concurrency and frequent calls, transactions like this became the targets of early CC attacks.

Since most attacks nowadays are hybrid, frequent operations that simulate user behaviour can be considered CC attacks. For example, the way various vote-rigging tools access websites is, in a sense, a CC attack.

CC attacks target the back-end business of Web applications; besides causing denial of service, they directly affect the functionality and performance of the application, including Web response time, database services, disk reads and writes, etc.

How to determine whether the business has been subject to a DDoS attack?

Your business may have been subject to a DDoS attack when the following conditions occur.

1. While the network and equipment are otherwise normal, the server suddenly suffers disconnections, access lag, user drop-outs, etc.

2. There is a significant increase in server CPU or memory usage.

3. There is a significant increase in traffic in the outbound or inbound direction of the network.

4. Your business website or application suddenly receives a large number of accesses of unknown origin.

5. Logging in to the server fails or is too slow.