What is DDOS attack? Is there any way defense?
DDOS is an acronym of Distributed Denial of Service . And what is the denial of service ? Can be understood, all can lead to legitimate users don't access the normal behavior of network services are considered denial of service attacks. The purpose of denial of service attack is very clear, that is normal to prevent legitimate users access to network resources, so as to achieve the attacker's ulterior motives. It is also a denial of service attack, DDOS and DOS is different, DDOS attack strategies focused on by many zombie hosts (the host the attacker hacked or indirect use of )sends to the victim host a large number of seemingly legitimate network packets, resulting in network congestion or server resource exhaustion denial of service, distributed denial of service attack, once implemented, will attack like a flood of network packets flock to the victim host, thus bring the legitimate users of network packet flooding, leading to legal user can not access the network resources on severs. Therefore, denial of service attack has been called the "flood attacks," there is a common means of DDOS attacks SYN Flood, ACK Flood, UDP Flood, ICMP Flood, TCP Flood, Connections Flood, Script Flood, Proxy Flood, etc.; and DOS will focus on attack through the specific vulnerabilities lead to failure of the host network stack , system crash, crash the host network can not provide normal services, resulting in a denial of service, DOS attacks are common TearDrop , Land, Jolt, IGMP Nuker, Boink, Smurf, Bonk, OOB and so on. Denial of service attacks on these two terms, mainly against the larger DDOS attack, because it is difficult to prevent, as DOS attacks, through to the host server patch or install a good firewall software can prevent, will be detailed later describes how to deal with DDOS attacks.
There are currently three popular DDOS attacks:
1.SYN / ACK Flood Attack: This attack is most effective DDOS classical method can kill a variety of systems through web services, mainly through the victim host sends a large number of forged source IP and source port of the SYN or ACK packet, lead host cache resources are exhausted or busy sending packets caused by denial of service response, because the forged source is more difficult to track, there is a certain drawback is the difficulty to implement, requiring a high bandwidth zombie hosts support. A small amount of this attack will lead to host server can not access, but it can Ping the pass, on the server using Netstat-na command to Observe that there are a lot of SYN_RECEIVED state, a large number of such attacks will lead to Ping fails, TCP / IP stack failure, and the system will be freezing phenomenon that does not respond to keyboard and mouse. Most common firewall such attacks can not resist.
2.TCP full-connect attack: This attack is to bypass the firewall inspection routine designed, under normal circumstances, most conventional firewall with filtering TearDrop, Land and other DOS attacks, but for normal TCP connection is let pass , does not know a lot of network service (such as: IIS, Apache Web server, etc.) can accept a limited number of TCP connections, once a large number of TCP connections, even normal, can lead to very slow or unable to access the site access, TCP all connected through a number of zombie hosts attack is continuous with the host server to establish a large number of affected TCP connections until the server's memory and other resources are exhausted and are drag you down to cause a denial of service.Attack is characterized by a general firewall bypass protection to achieve the attack purpose disadvantage is the need to find a lot of zombie hosts, and because the zombie host's IP is exposed, so easily traced.
3. Brush Script scripting attack: This attack is mainly directed against the existence ASP, JSP, PHP, CGI and other scripts, and call MSSQLServer, MySQLServer, Oracle and other database systems and web site design.Features and server establish a normal TCP connection and constantly submit queries to the script, the list takes a lot of database resources such calls. In general, submit a GET or POST command to the client's cost and bandwidth usage is almost negligible, while the server processes the request, but may have to go on a million records to identify a record, this process cost of resources is great, very few common database server can support hundreds of simultaneous query command, which is for the client, it is easy, so the attacker simply by Proxy proxy server to host a large number of submitted query command, only a few minutes to server resources will be consumed and cause denial of service, a common phenomenon is the site slow as a snail, ASP program failure, PHP connect to the database fails, the database main CPU-high. This attack can be characterized completely bypass the normal firewall protection, you can easily find some Proxy agent attack, only drawback is that static page site to deal with the effect will be greatly reduced, and some of Proxy will be exposed to the attacker's IP address.
There are currently three popular DDOS attacks:
1.SYN / ACK Flood Attack: This attack is most effective DDOS classical method can kill a variety of systems through web services, mainly through the victim host sends a large number of forged source IP and source port of the SYN or ACK packet, lead host cache resources are exhausted or busy sending packets caused by denial of service response, because the forged source is more difficult to track, there is a certain drawback is the difficulty to implement, requiring a high bandwidth zombie hosts support. A small amount of this attack will lead to host server can not access, but it can Ping the pass, on the server using Netstat-na command to Observe that there are a lot of SYN_RECEIVED state, a large number of such attacks will lead to Ping fails, TCP / IP stack failure, and the system will be freezing phenomenon that does not respond to keyboard and mouse. Most common firewall such attacks can not resist.
2.TCP full-connect attack: This attack is to bypass the firewall inspection routine designed, under normal circumstances, most conventional firewall with filtering TearDrop, Land and other DOS attacks, but for normal TCP connection is let pass , does not know a lot of network service (such as: IIS, Apache Web server, etc.) can accept a limited number of TCP connections, once a large number of TCP connections, even normal, can lead to very slow or unable to access the site access, TCP all connected through a number of zombie hosts attack is continuous with the host server to establish a large number of affected TCP connections until the server's memory and other resources are exhausted and are drag you down to cause a denial of service.Attack is characterized by a general firewall bypass protection to achieve the attack purpose disadvantage is the need to find a lot of zombie hosts, and because the zombie host's IP is exposed, so easily traced.
3. Brush Script scripting attack: This attack is mainly directed against the existence ASP, JSP, PHP, CGI and other scripts, and call MSSQLServer, MySQLServer, Oracle and other database systems and web site design.Features and server establish a normal TCP connection and constantly submit queries to the script, the list takes a lot of database resources such calls. In general, submit a GET or POST command to the client's cost and bandwidth usage is almost negligible, while the server processes the request, but may have to go on a million records to identify a record, this process cost of resources is great, very few common database server can support hundreds of simultaneous query command, which is for the client, it is easy, so the attacker simply by Proxy proxy server to host a large number of submitted query command, only a few minutes to server resources will be consumed and cause denial of service, a common phenomenon is the site slow as a snail, ASP program failure, PHP connect to the database fails, the database main CPU-high. This attack can be characterized completely bypass the normal firewall protection, you can easily find some Proxy agent attack, only drawback is that static page site to deal with the effect will be greatly reduced, and some of Proxy will be exposed to the attacker's IP address.
This article address is http://www.computerites.com/internet-skills/2011/12/what-is-ddos-attack-20.html
