DDoS

1. What is a DDoS attack?

DDoS is short for Distributed Denial of Service. To understand it, first look at its predecessor, DoS (Denial of Service). In the most basic DoS attack, the attacker uses a large number of apparently reasonable service requests to occupy too many of the target's service resources, so that legitimate users cannot get a timely response. DoS attacks are generally carried out one-to-one, and their effect is most obvious when the target's performance figures are modest (for example, a slow CPU, little memory or a narrow network bandwidth).

With the development of computer and network technology, processing power and network bandwidth have grown rapidly. This makes DoS attacks harder, because the target's ability to "digest" malicious service requests has increased dramatically. Since a single attacker can no longer "deny service" to a target alone, multiple attackers have to launch a distributed attack at the same time, which is what a DDoS attack is. In a DDoS attack, the attacker controls a large number of zombie hosts in a botnet and has them send a large volume of data to the target, exhausting the target system's resources so that it can no longer respond to normal service requests.

2. Three main motives for DDoS attacks

Everything has a motive. To counter a DDoS attack, you must first understand the attacker's motives. Political differences, malicious competition, extortion and economic crime are the main motives for DDoS attacks.

Politically motivated attacks tend to be large-scale cyberattacks, usually targeting bank and government websites or DNS servers; they have a wide range of impact and can easily cause widespread panic among the public. They can be called the "nuclear weapons" of network attacks.

Malicious market competition and extortion are precision attacks on a specific business system, and the attack behaviour increasingly resembles that of "special forces".

Economically motivated attacks are mostly "smoke and mirrors" crimes: a large volume of attack traffic diverts the attention of security personnel and covers up the real purpose, which is to steal data. A currently popular practice is for attackers to draw attention with a high-volume DDoS attack while a latent APT intrusion completes the actual data theft.

3. DDoS attack classification

Classified by attack behaviour, DDoS attacks fall into flood attacks (Flood), malformed and special message attacks (Malformation), and scanning and probing attacks (Scan & Probe).

In a flood attack, the attacker sends a large number of disguised service request messages to the target, through a botnet, through proxies or directly, and ultimately exhausts the target's resources. The messages sent in volume can be TCP SYN and ACK messages, UDP messages, ICMP messages, DNS messages, HTTP/HTTPS messages and so on.

In recent years, flood attacks have evolved into a more advanced form, the reflection attack. As the name suggests, a reflection attack does not send a large number of service requests to the target directly. Instead, the attacker uses the zombie hosts of a botnet to send a large number of service requests to servers on the network while disguised as the target, that is, with the target's address as the source. Those servers respond to the requests and send a large number of reply messages to the target, exhausting its resources. Most reflection attacks are UDP Flood variants that reflect UDP messages of protocols such as NTP, DNS, SSDP, SMTP, Chargen, etc. Why UDP? Because the UDP response message is larger than the request message, which gives the attacker an amplification of the attack traffic. NTP is an example: NTP's Monlist command queries all recent records of communication between the server and hosts, and the server returns up to 600 such records, so the traffic is amplified hundreds of times. If the attacker controls thousands of puppet machines disguised as the target and uses them to send this command to NTP servers, the traffic reflected onto the target can be imagined!

A malformed or special message attack usually means the attacker sends a large number of defective or special control messages, so that hosts or servers crash while processing them. Malformed message attacks include Smurf, Land, Fraggle, Teardrop and WinNuke attacks. Special message attacks mainly include oversized ICMP messages, ICMP redirect messages, ICMP unreachable messages and various attacks using IP messages with options.

A scanning and probing attack is a latent form of attack that does not in itself cause direct damage. It is usually the network information gathering an attacker carries out before launching the real attack, such as IP address scanning and port scanning.
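The following added example (not code from the original article) shows how a defender might recognise the four behaviours described above in flow records exported at the network edge: SYN floods, UDP reflection/amplification, Land-style malformed packets and port scans. The flow records, the IP addresses (documentation ranges), the reply sizes and the detection thresholds are all constructed assumptions for the example; only the reflector protocols and their well-known ports come from the article.

```python
"""Flow-record classifier for the DDoS behaviours discussed above.

Added example, not code from the original article. Records are constructed
flows of the form (src_ip, src_port, dst_ip, dst_port, proto, tcp_flags, bytes);
proto is "tcp" or "udp", tcp_flags is "S" (SYN only), "SA" (SYN/ACK), "A" (ACK)
or "" for UDP. All addresses, sizes and thresholds are illustrative assumptions.
"""
from collections import defaultdict

# UDP services the article names as common reflection sources, by well-known port.
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 19: "Chargen"}

WEB_SERVER = "203.0.113.10"        # constructed victim of the SYN flood and scan
REFLECTION_VICTIM = "203.0.113.20"  # constructed victim of the NTP reflection


def build_sample_flows():
    """Constructed traffic mix: normal sessions plus one instance of each pattern."""
    flows = []
    # Five normal clients completing the TCP handshake with the web server.
    for i in range(5):
        client, sport = "192.0.2.%d" % (i + 1), 50000 + i
        flows.append((client, sport, WEB_SERVER, 80, "tcp", "S", 60))
        flows.append((WEB_SERVER, 80, client, sport, "tcp", "SA", 60))
        flows.append((client, sport, WEB_SERVER, 80, "tcp", "A", 52))
    # SYN flood: 200 SYN-only flows from 200 different (spoofed) sources, never acknowledged.
    for i in range(200):
        flows.append(("198.51.100.%d" % (i + 1), 40000 + i, WEB_SERVER, 80, "tcp", "S", 60))
    # NTP reflection: 50 servers answer requests the attacker sent with the victim's
    # address; the victim's edge never sees those requests, only the large replies.
    for i in range(50):
        flows.append(("192.0.2.%d" % (100 + i), 123, REFLECTION_VICTIM, 12345, "udp", "", 4800))
    # A legitimate NTP client: one small query, one small reply, one server.
    flows.append(("203.0.113.30", 33000, "192.0.2.200", 123, "udp", "", 48))
    flows.append(("192.0.2.200", 123, "203.0.113.30", 33000, "udp", "", 48))
    # Land-style malformed packet: source and destination are the same host and port.
    flows.append((WEB_SERVER, 80, WEB_SERVER, 80, "tcp", "S", 60))
    # Port scan: one source probing 40 ports on the web server.
    for port in range(1, 41):
        flows.append(("198.51.100.250", 45000, WEB_SERVER, port, "tcp", "S", 60))
    return flows


def detect_syn_floods(flows, min_half_open=100):
    """Services where SYNs that never get a follow-up ACK from the same peer pile up."""
    syns = defaultdict(set)   # (dst_ip, dst_port) -> peers that sent a bare SYN
    acks = defaultdict(set)   # (dst_ip, dst_port) -> peers that later sent an ACK
    for src, sport, dst, dport, proto, flags, _ in flows:
        if proto != "tcp":
            continue
        if flags == "S":
            syns[(dst, dport)].add((src, sport))
        elif flags == "A":
            acks[(dst, dport)].add((src, sport))
    report = {}
    for service, peers in syns.items():
        half_open = peers - acks[service]
        if len(half_open) >= min_half_open:
            report[service] = len(half_open)
    return report


def detect_reflection(flows, min_factor=10, min_reflectors=5):
    """Hosts receiving far more UDP bytes from reflector ports than they sent to them.

    With spoofed requests the victim's network may see no outbound query at all,
    so outbound bytes are floored at 1 when computing the amplification factor.
    """
    inbound = defaultdict(int)      # (victim_ip, service) -> bytes received
    outbound = defaultdict(int)     # (victim_ip, service) -> bytes sent
    reflectors = defaultdict(set)   # (victim_ip, service) -> distinct reflector IPs
    for src, sport, dst, dport, proto, _, nbytes in flows:
        if proto != "udp":
            continue
        if sport in REFLECTOR_PORTS:
            key = (dst, REFLECTOR_PORTS[sport])
            inbound[key] += nbytes
            reflectors[key].add(src)
        elif dport in REFLECTOR_PORTS:
            outbound[(src, REFLECTOR_PORTS[dport])] += nbytes
    report = {}
    for key, received in inbound.items():
        factor = received / max(outbound[key], 1)
        if factor >= min_factor and len(reflectors[key]) >= min_reflectors:
            report[key] = (round(factor, 1), len(reflectors[key]))
    return report


def detect_land_packets(flows):
    """Land-style malformed packets: source and destination address are identical."""
    return [f for f in flows if f[0] == f[2]]


def detect_port_scans(flows, min_ports=20):
    """Sources touching many distinct (host, port) pairs: reconnaissance, not yet damage."""
    touched = defaultdict(set)
    for src, _, dst, dport, _, _, _ in flows:
        touched[src].add((dst, dport))
    return {src: len(t) for src, t in touched.items() if len(t) >= min_ports}


if __name__ == "__main__":
    sample = build_sample_flows()
    print("SYN floods:", detect_syn_floods(sample))
    print("Reflection:", detect_reflection(sample))
    print("Land packets:", detect_land_packets(sample))
    print("Port scans:", detect_port_scans(sample))
```

The reflection check deliberately keys on the reflector's source port rather than on the victim's port: the attacker chooses the victim-side port, but the NTP, DNS, SSDP and Chargen replies always come from their well-known ports, and a large inbound byte count with many distinct reflectors and little or no matching outbound traffic is the asymmetry the article describes. The legitimate NTP client in the sample stays unflagged because its reply is no larger than its query and comes from a single server.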

Classified by the layered structure of TCP/IP, DDoS attacks fall into network layer attacks, transport layer attacks and application layer attacks.