Summary of DDoS attacks

Posted by tetley at 2020-03-17

This article is part of SecPulse's original-content reward plan. Reprinting without permission is forbidden.

I have recently been studying DDoS attacks and have read through the book "King of Destruction: DDoS Attacks and Defenses". The book gives a very detailed treatment of DDoS attacks and of how to defend against them and is well worth reading; what follows is a summary of the attack methods it describes.

1. Attacks on network bandwidth resources

1.1 Direct attacks

A large number of controlled hosts send a flood of packets at the target, saturating the target's bandwidth and consuming the packet-processing capacity of its servers and network devices until service is denied.

The main direct-attack methods are ICMP/IGMP floods and UDP floods.

1.1.1 ICMP/IGMP flood attack

The Internet Control Message Protocol (ICMP) is one of the core protocols of the TCP/IP suite. It carries control messages on TCP/IP networks and reports problems that occur in the communication environment, which administrators can use to diagnose faults and take corrective action.

The Internet Group Management Protocol (IGMP) manages the membership of IP multicast groups. IP hosts and adjacent routers use it to establish multicast group membership.

The attacker uses the controlled hosts to send a very large number of ICMP or IGMP messages at the target, exhausting its bandwidth. This type of attack appeared very early and is trivial to launch with tools such as hping, but it is now rarely used: the target can simply filter and drop ICMP/IGMP packets at its network boundary, which neutralizes the attack.

1.1.2 UDP flood attack

The User Datagram Protocol (UDP) is a connectionless transport-layer protocol. It is used mainly by applications that do not require packets to arrive in order and that can tolerate a simple, unreliable delivery service, such as real-time traffic.

UDP datagrams can also be used for a flood. The principle of a UDP flood is essentially the same as that of an ICMP/IGMP flood. Attackers generally use one of two variants: small packets or large packets.

Small packets are 64-byte packets, the minimum frame size on Ethernet. For the same volume of traffic, the smaller each packet is, the more packets there are. Because switches, routers and other network devices must inspect and verify every packet, a small-packet UDP flood raises the per-packet load on network devices, slowing processing and adding latency, which is itself a denial of service.

Large packets are packets over 1500 bytes, larger than the Ethernet maximum transmission unit (MTU). A large-packet UDP flood occupies the transmission bandwidth of the network interface and forces the target to reassemble fragments when it receives the UDP data, causing network congestion and slow server response.

A UDP flood is likewise easy to launch, and many tools can generate one, such as hping and LOIC. However, a UDP flood is limited by the network performance of the controlled hosts, so the bandwidth it can consume is not very large. (Source: https://www.secpulse.com/archives/64088.html)

1.2 Reflection and amplification attacks

An attacker can use ICMP/IGMP floods and UDP floods to launch a distributed denial-of-service attack that directly consumes the target's network bandwidth, but this mode of attack is inefficient and makes the attack source easy to find. Although the attacker can hide behind forged source IP addresses, a better option is reflection.

A reflection attack, also called a DRDoS (distributed reflection denial of service) attack, is a distributed denial-of-service technique that uses routers, servers and other facilities that answer requests to reflect attack traffic onto the target, hiding the attack source.

In a reflection attack the attacker uses the controlled hosts to send a large number of packets whose destination IP address is a reflector (a server, router or similar facility) and whose source IP address is forged to be the target's. When a reflector receives such a packet, it takes it to have been sent by the target and therefore sends its response to the target. When a large number of responses flow to the target, its bandwidth is exhausted and service is denied.

To launch a reflection attack, a large number of reflectors must be found on the Internet. For some kinds of reflection this is not difficult: an ACK reflection attack, for example, only needs servers with an open TCP port, which are everywhere on the Internet.

Reflection attacks usually use a protocol without authentication or a handshake, because the source IP address of the request has to be forged to the target's address: if the protocol required authentication or a handshake, that step could never be completed and the attack could not proceed. For this reason most reflection attacks use network services based on UDP.

Compared with a distributed denial-of-service attack that merely forges source addresses, a reflection attack adds a reflection step and is therefore harder to trace. But this is not the real threat of reflection; the real threat is the amplification attack built on the reflection principle.

An amplification attack is a special kind of reflection attack in which the reflector amplifies the traffic, so such a reflector is also called an amplifier. The method is basically the same as for a reflection attack; what differs is that the network service provided by the reflector (amplifier) must satisfy certain conditions.

The service protocol the reflector provides must have an asymmetry between request size and response size: the response must be larger than the request. The larger the ratio of response size to request size, the larger the amplification factor of the amplifier, and the more effectively the attack consumes bandwidth.

How widely deployed the service used for amplification is determines the scale and severity of the attack. A service that needs no authentication and amplifies very well, but that is deployed on only a handful of Internet hosts, cannot generate much traffic and cannot effectively consume bandwidth; such a service cannot serve as the main source of amplified attack traffic, only as an auxiliary one.

1.2.1 ACK reflection attack

When a TCP connection is established, a three-way handshake is performed first. During the handshake, when the server receives a SYN from the client it answers with a SYN+ACK. This ACK response of the TCP handshake can be used for an ACK reflection attack.

If the attacker forges the source IP address of the SYN to be the target's address, the server's response goes straight to the target. Because TCP services are ubiquitous on the Internet, the attacker can have the controlled hosts send forged-source SYNs to a large number of different servers, so that a large volume of ACK responses flows to the target, occupying its bandwidth and denying service.

To launch an ACK reflection attack the attacker must first scan to obtain a large number of reflector addresses and then send forged-source SYNs to each of them, so it is more complex than a direct attack. Its main advantage is that it hides the attack source effectively.

1.2.2 DNS amplification attack

The Domain Name System is a core Internet service. As a distributed database mapping domain names to IP addresses, it lets people use the Internet without remembering hard-to-remember IP addresses. DNS uses TCP and UDP port 53, mainly UDP.

DNS responses are generally larger than the corresponding queries, so an attacker can launch an amplification attack with ordinary DNS queries and amplify the traffic by 2 to 10 times. The more effective approach, however, uses the DNS extension mechanism EDNS0 defined in RFC 2671.

EDNS0

Before EDNS0, DNS responses over UDP were limited to 512 bytes. When the response exceeded 512 bytes, depending on the DNS server implementation, the part beyond 512 bytes was either discarded (a truncated response) or the query was retried over a TCP connection. Neither case is conducive to DNS amplification.

EDNS0 extends the DNS message format by adding an OPT pseudo-RR. The OPT RR carries the maximum UDP message size the client can handle; when the server answers a request, it reads and records that value and sizes its response accordingly.

An attacker can use dig together with EDNS0 to carry out an efficient DNS amplification attack. The attacker sends dig queries to widely available open DNS resolvers, sets the UDP message size in the OPT RR to a large value, and forges the source IP address of the request to be the target's. After the resolver receives the query, it sends the resolution result to the target. When a large number of resolution results flow to the target, its network becomes congested and slow, resulting in denial of service.

A DNS query as sent by the attacker is generally about 60 bytes, while the returned response can reach around 3000 bytes, so the amplification factor with this method can exceed 50. The effect is striking: an attacker who can send 2 Gbit/s can generate 100 Gbit/s of bandwidth consumption at the target network. In the distributed denial-of-service attack on Spamhaus in March 2013, DNS amplification was the main technique used; the attack traffic reached an unprecedented 300 Gbit/s and noticeably slowed down Internet response in the region.

As with ACK reflection, a DNS amplification attack first needs a scan to obtain a large number of open resolver addresses, and then forged-source queries are sent to those resolvers to amplify the attack traffic.
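To make the EDNS0 mechanism concrete, the following Python is an added example, not code from the book or from this article. It builds a DNS query with and without an OPT RR, extracts the advertised UDP payload size from a query the way a resolver operator's ingress filter would, and computes the bandwidth amplification factor from request and response sizes. The query name isc.org, the 4096-byte advertised size and the 64/3200-byte wire sizes in the usage line are illustrative assumptions.

```python
import struct

DNS_TYPE_OPT = 41      # EDNS0 OPT pseudo-RR (RFC 2671, later RFC 6891)
DNS_TYPE_ANY = 255
DNS_CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = DNS_TYPE_ANY, udp_payload=4096, txid: int = 0x1234) -> bytes:
    """Build a recursive query. If udp_payload is an int, append an EDNS0 OPT RR advertising
    that UDP payload size; if it is None, build a plain pre-EDNS0 query."""
    arcount = 0 if udp_payload is None else 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)   # flags: RD only
    question = encode_name(name) + struct.pack("!HH", qtype, DNS_CLASS_IN)
    if udp_payload is None:
        return header + question
    # OPT RR: root name, TYPE=41, the CLASS field carries the advertised UDP payload size,
    # the TTL field carries extended RCODE / version / flags (all zero here), RDLEN=0.
    opt_rr = b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_payload, 0, 0)
    return header + question + opt_rr


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:     # 2-byte compression pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def advertised_udp_size(msg: bytes):
    """Return the UDP payload size advertised by the OPT RR of a DNS message,
    or None if the message carries no EDNS0 OPT RR."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == DNS_TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return None


def amplification_factor(request_wire_bytes: int, response_wire_bytes: int) -> float:
    """Bandwidth amplification factor: bytes arriving at the victim per byte the attacker sends."""
    return response_wire_bytes / request_wire_bytes


if __name__ == "__main__":
    q = build_query("isc.org")     # constructed example query, not captured traffic
    print(len(q), "byte DNS payload, advertised EDNS0 size:", advertised_udp_size(q))
    print("factor for a 64 B request and a 3200 B response:", amplification_factor(64, 3200))
```

The EDNS0 query for isc.org is 36 bytes of DNS payload (about 64 bytes on the wire with IP and UDP headers), in line with the 60-byte figure above; the OPT RR adds only 11 bytes while telling the resolver it may answer with up to 4096 bytes in a single datagram. A resolver that rate-limits or drops off-net queries carrying a large advertised size stops being a useful amplifier.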

1.2.3 NTP amplification attack

The Network Time Protocol (NTP) synchronizes computer clocks with a time source and provides high-precision time correction. NTP communicates on UDP port 123.

NTP server implementations usually include a set of "mode 7" debugging interfaces, among them the monlist request, which returns the IP addresses and other information of the last 600 clients that synchronized with the server. This means a single small request packet triggers a long series of UDP response packets containing IP addresses and other data.

In fact the amount of data returned by monlist depends on how many clients have interacted with the NTP server over a period of time. Because NTP uses single-packet UDP exchanges, the attacker can send forged-source UDP requests to the NTP amplifier to fake client interactions and pad out the "number of clients that interacted with the server", which increases the size of the monlist response and thus the amplification factor. Sending just 600 request packets of no more than 64 bytes each (about 40 KB in total) to the amplifier quickly raises its amplification factor to over 700, and the factor stays there until the NTP service on that server is stopped or restarted.

The monlist request sent by the attacker is no more than 64 bytes, and the result contains 100 UDP response packets of 482 bytes each, so the amplification factor with this method exceeds 700.

Similar to ACK reflection and DNS amplification, an NTP amplification attack requires a network scan to obtain a large number of NTP servers, followed by forged-source requests to those servers. Compared with DNS amplification, NTP amplification has a larger factor and is therefore more damaging. In the large-scale distributed denial-of-service attack on Spamhaus, had the attacker used NTP amplification instead of DNS amplification, the attack traffic would have exceeded 2 Tbit/s.
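The following Python is an added example, not code from the book or from this article. It decodes the 8-byte NTP mode 7 header, classifies datagrams as monlist requests or responses (the check an edge filter or IDS would apply to UDP/123 traffic), and derives the reply packet count and amplification factor for a given number of monlist entries. The layout constants follow the ntpd reference implementation's mode 7 format; the three sample datagrams are constructed rather than captured, and the 64-byte request and 482-byte reply sizes are the figures quoted in the text.

```python
import math

NTP_MODE_PRIVATE = 7          # "mode 7": ntpd's private/debug interface
REQ_MON_GETLIST = 20          # older monlist request code
REQ_MON_GETLIST_1 = 42        # monlist request code used by most scanners (0x2a)
MONLIST_MAX_ENTRIES = 600     # ntpd keeps at most 600 recent-client records
ENTRIES_PER_PACKET = 6        # 72-byte entries packed into the 440-byte mode 7 data area


def parse_mode7(payload: bytes):
    """Decode the 8-byte mode 7 header; return None if this is not a mode 7 datagram."""
    if len(payload) < 8:
        return None
    rm_vn_mode, auth_seq, implementation, request_code = payload[:4]
    if rm_vn_mode & 0x07 != NTP_MODE_PRIVATE:
        return None
    return {
        "response": bool(rm_vn_mode & 0x80),     # R bit: set on replies
        "more": bool(rm_vn_mode & 0x40),         # M bit: more reply packets follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "sequence": auth_seq & 0x7F,
        "implementation": implementation,
        "request_code": request_code,
    }


def is_monlist_request(payload: bytes) -> bool:
    """True for a mode 7 request asking for the monlist (the amplification trigger)."""
    hdr = parse_mode7(payload)
    return (hdr is not None and not hdr["response"]
            and hdr["request_code"] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))


def is_monlist_response(payload: bytes) -> bool:
    """True for a mode 7 reply to a monlist request (what the victim receives)."""
    hdr = parse_mode7(payload)
    return (hdr is not None and hdr["response"]
            and hdr["request_code"] in (REQ_MON_GETLIST, REQ_MON_GETLIST_1))


def monlist_amplification(entries: int, request_wire_bytes: int = 64,
                          response_packet_wire_bytes: int = 482):
    """Reply packet count and bandwidth amplification factor for a monlist of `entries` clients.
    The wire sizes default to the figures quoted in the text."""
    entries = min(entries, MONLIST_MAX_ENTRIES)
    packets = math.ceil(entries / ENTRIES_PER_PACKET)
    return packets, packets * response_packet_wire_bytes / request_wire_bytes


# Constructed sample datagrams (not captured traffic):
NORMAL_CLIENT = bytes([0x1B]) + bytes(47)                    # LI=0, VN=3, mode 3 time request
MONLIST_PROBE = bytes([0x17, 0x00, 0x03, 0x2A]) + bytes(4)    # VN=2, mode 7, impl XNTPD, MON_GETLIST_1
MONLIST_REPLY = bytes([0xD7, 0x00, 0x03, 0x2A, 0x00, 0x06, 0x00, 0x48]) + bytes(440)  # R|M set, 6 items x 72 B

if __name__ == "__main__":
    for name, pkt in [("client", NORMAL_CLIENT), ("probe", MONLIST_PROBE), ("reply", MONLIST_REPLY)]:
        print(name, "request:", is_monlist_request(pkt), "response:", is_monlist_response(pkt))
    print("600 entries ->", monlist_amplification(600))
```

A full monlist of 600 entries yields 100 reply packets and a factor of roughly 753 at the quoted sizes. On the server side the fix is to disable mode 7 queries (for ntpd, `disable monitor` or a `restrict ... noquery` line), which removes the amplifier entirely; at the network edge, dropping unsolicited mode 7 datagrams and applying source-address validation (BCP 38) to outbound traffic stops the forged requests from leaving.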

1.2.4 SNMP amplification attack

The Simple Network Management Protocol (SNMP) is the most widely used network management protocol today. It provides a management framework for monitoring and maintaining Internet devices and communicates on UDP port 161.

By using the default community strings and the GetBulk request of SNMP, an attacker can carry out an effective SNMP amplification attack.

Because SNMP works so well, network hardware manufacturers began to add it to every device they made, with the result that SNMP is enabled by default on all kinds of network devices: switches and routers, firewalls and network printers, without exception. At the same time, many manufacturers ship SNMP with default community strings, which programs need in order to read device information and modify configuration. The most common default community strings are public and private, and many manufacturers also have their own vendor-specific defaults. Almost every network device running SNMP has some form of default community string.

The Get request defined in SNMPv1 can try to retrieve multiple MIB objects at once, but the size of the response is limited by the device's processing capacity; if the device cannot return everything requested, it returns an error instead. SNMPv2 added the GetBulk request, which tells the device to return as much data as it can, so that a manager can retrieve a large amount of information with a single request.

The attacker sends GetBulk requests to the many network devices that expose SNMP, using a default community string as the credential and forging the source IP address to be the target's. After receiving the GetBulk request, the device sends its response to the target. When a large number of responses flow to the target, its network becomes congested and slow, resulting in denial of service.

The GetBulk request sent by the attacker is about 60 bytes, and the response can be over 1500 bytes, so this method achieves an amplification factor of more than 25 and is an effective amplification attack.

Launching an SNMP amplification attack also requires a network scan to find devices with SNMP exposed. Although there are many such devices, after scanning them the attacker still has to guess the community string each one uses. Compared with DNS amplification, SNMP amplification is therefore somewhat inferior both in ease of use and in amplification factor, but on the whole it remains a very effective way to consume bandwidth.
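The following Python is an added example, not code from the book or from this article. It encodes and decodes the SNMPv2c GetBulkRequest described above with a minimal BER encoder, so that a filter in front of a device can flag requests that combine a default community string with a large max-repetitions value, which is exactly the shape of the amplification request. The community strings, the OID 1.3.6.1.2.1 (mib-2) and the threshold of 10 repetitions are illustrative assumptions.

```python
DEFAULT_COMMUNITIES = {"public", "private"}
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GETBULK = 0xA5     # GetBulkRequest-PDU: context-specific, constructed, tag 5
SNMP_V2C = 1


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def _int(v: int) -> bytes:
    # two's-complement INTEGER; the extra byte keeps the sign bit clear for positive values
    return _tlv(TAG_INTEGER, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def _oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs merged, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(TAG_OID, body)


def build_getbulk(community: str, oids, max_repetitions: int,
                  non_repeaters: int = 0, request_id: int = 1) -> bytes:
    """Encode an SNMPv2c GetBulkRequest message."""
    varbinds = b"".join(_tlv(TAG_SEQUENCE, _oid(o) + _tlv(TAG_NULL, b"")) for o in oids)
    pdu = _int(request_id) + _int(non_repeaters) + _int(max_repetitions) + _tlv(TAG_SEQUENCE, varbinds)
    return _tlv(TAG_SEQUENCE,
                _int(SNMP_V2C) + _tlv(TAG_OCTET_STRING, community.encode()) + _tlv(TAG_GETBULK, pdu))


def _read_tlv(buf: bytes, off: int):
    """Return (tag, value bytes, offset just past the element)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[off:off + length], off + length


def parse_snmp(msg: bytes):
    """Decode version, community and PDU type; for GetBulk also the repetition counts."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        return None
    _, version, off = _read_tlv(body, 0)
    _, community, off = _read_tlv(body, off)
    pdu_tag, pdu, _ = _read_tlv(body, off)
    info = {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode("latin-1"), "pdu_tag": pdu_tag}
    if pdu_tag == TAG_GETBULK:
        _, _rid, off = _read_tlv(pdu, 0)
        _, nr, off = _read_tlv(pdu, off)
        _, mr, off = _read_tlv(pdu, off)
        info["non_repeaters"] = int.from_bytes(nr, "big", signed=True)
        info["max_repetitions"] = int.from_bytes(mr, "big", signed=True)
    return info


def is_amplification_candidate(msg: bytes, max_rep_threshold: int = 10) -> bool:
    """Flag GetBulk requests that use a default community and ask for many repetitions."""
    info = parse_snmp(msg)
    return (info is not None and info["pdu_tag"] == TAG_GETBULK
            and info["community"] in DEFAULT_COMMUNITIES
            and info.get("max_repetitions", 0) >= max_rep_threshold)


if __name__ == "__main__":
    probe = build_getbulk("public", ["1.3.6.1.2.1"], max_repetitions=2000)   # constructed request
    print(len(probe), "bytes:", parse_snmp(probe), "flag:", is_amplification_candidate(probe))
```

The constructed probe is under 40 bytes of UDP payload, while a device walking mib-2 with 2000 repetitions answers with as much as it can fit, which is where the 25-fold figure comes from. Changing the community string defeats this example's check only for the attacker who has not guessed it; the durable fixes are restricting SNMP to management networks and preferring SNMPv3 with authentication.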

1.3 Attacks on links

A link attack differs from the methods introduced so far: its target is not the bandwidth of a server at the edge of the Internet but the bandwidth of a link on the backbone network. A typical link attack is the CoreMelt attack.

CoreMelt is a distributed denial-of-service attack on links proposed by security researchers in 2009. To launch it, the attacker needs to control a sufficiently widely distributed botnet.

First, the attacker uses traceroute and similar means to determine where each bot sits relative to the link to be attacked and divides the bots into two groups accordingly. Then the attacker directs each bot to communicate with bots on the other side of the link, sending and receiving large amounts of data. In this way a large number of packets pass through and occupy the backbone link, causing congestion and delay.

From the backbone's point of view, the packets exchanged by these bots are genuine communication data, and there is no effective way to distinguish them from legitimate traffic, so this kind of attack is harder to defend against and mitigate.

2. Attacks on system resources

Misconception: all DDoS attacks consume bandwidth.

When DDoS attacks are covered in news reports, the phrase "attack traffic reached ****" is often used to describe their severity. Using attack bandwidth as the indicator of how damaging a DDoS attack is often leads people to assume that DDoS attacks are attacks on network bandwidth.

In fact, besides network bandwidth, DDoS attacks can also consume system resources and application resources. Traffic volume is only one factor in how damaging an attack is: for attacks of the same kind, more traffic means more damage, but at the same traffic volume, different attack methods cause very different harm and impact.

Sometimes people mistakenly think of a SYN flood as a DDoS attack that consumes network bandwidth. In fact, its main harm is exhausting the system's connection table. At the same traffic volume, a SYN flood does far more harm than a UDP flood.

2.1 Attacks on TCP connections

TCP is a connection-oriented, reliable, byte-stream transport-layer protocol. Application layers on different hosts often need a reliable, pipe-like connection, which the IP layer cannot provide; on the real Internet this connection is usually realized with TCP.

A TCP connection has three phases: connection establishment, data transfer and connection termination. Because the protocol's design focused only on its usability and not on its security, TCP has many security flaws and problems.

All three phases of a TCP connection are vulnerable to denial-of-service attacks, and they are introduced here.

2.1.1 TCP connection flood attack

A TCP connection flood attacks TCP resources in the connection establishment phase.

During the three-way handshake, the server creates and stores the TCP connection's state, usually in a connection-table structure. The connection table has a limited size: once the number of connections the server has accepted exceeds what the table can hold, the server cannot create new TCP connections.

The attacker can use a large number of controlled hosts to rapidly establish a large number of malicious TCP connections that fill the target's connection table, so that the target can no longer accept new connection requests and service is denied.

A TCP connection flood is the most basic attack on TCP connections, and when a large number of controlled hosts attack at once its effect is very obvious.

2.1.2 SYN Flood Attack

The SYN flood is one of the most classic denial-of-service attacks. It appeared before 2000 and is still widely used; in recent years SYN floods have still accounted for more than a third of all distributed denial-of-service attacks.

TCP half-open connections:

During TCP connection establishment, if for some reason the client fails to acknowledge the SYN+ACK the server returned, the server retransmits the SYN+ACK and waits for the client's acknowledgement until the connection attempt times out. This state, waiting for the client's acknowledgement, is usually called a half-open connection.

Until it times out, a half-open connection is kept in the server's connection table.

Because the connection table has a limited size, if a large number of half-open connections are created in a short time and cannot be closed quickly, the table fills up rapidly and new TCP connections can no longer be established.

In a SYN flood, the attacker uses the controlled hosts to send a large number of TCP SYN segments, causing the server to open a large number of half-open connections that fill its connection table, so that normal users can no longer establish sessions with the server and service is denied.

The attacker can send a TCP SYN and, on receiving the server's SYN+ACK, simply omit the final ACK so that the connection stays half-open. However, that obviously exposes the IP address from which the SYN flood is launched, and the SYN+ACK replies consume the attacker's own bandwidth as reflected traffic. The better method is for the attacker to randomly forge the source IP address of each SYN, using the addresses of other hosts or nonexistent addresses, so that the target replies to the forged addresses; this ties up the connection resources while hiding the attack source.

A SYN flood is easy to launch and its effect is obvious. Many attack tools can launch it, and it remains one of attackers' favorite methods.
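To show why the half-open state is the resource at stake and how a stateless server survives the flood, the following Python is an added example, not code from the book or from this article. It models a listener in two configurations: a bounded half-open table, and SYN cookies, where instead of storing state the server encodes an HMAC over the peer address, port and a 64-second time bucket into the ISN of its SYN+ACK and later validates the ACK number the peer returns. The backlog of 128, the secret, the address ranges and the flood size are constructed for the simulation.

```python
import hashlib
import hmac
import os
import random


class TcpListener:
    """Toy listener: either a bounded half-open connection table or stateless SYN cookies."""

    def __init__(self, backlog: int, syn_cookies: bool = False, secret: bytes = None):
        self.backlog = backlog
        self.syn_cookies = syn_cookies
        self.secret = secret or os.urandom(16)
        self.half_open = {}          # (src_ip, src_port) -> ISN we sent in our SYN+ACK
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, src_ip: str, src_port: int, bucket: int) -> int:
        """32-bit ISN derived from the peer address/port and a coarse time bucket.
        The listener's own address and port are fixed, so they are left out of the MAC input."""
        msg = f"{src_ip}:{src_port}:{bucket}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src_ip: str, src_port: int, now: float):
        """Handle a SYN. Returns the ISN for our SYN+ACK, or None if the SYN had to be dropped."""
        key = (src_ip, src_port)
        if self.syn_cookies:
            # Nothing is stored: the ISN itself carries what we need to verify the final ACK.
            return self._cookie(src_ip, src_port, int(now) // 64)
        if key not in self.half_open and len(self.half_open) >= self.backlog:
            self.dropped_syns += 1    # table full: this is the SYN flood's denial of service
            return None
        return self.half_open.setdefault(key, random.getrandbits(32))

    def on_ack(self, src_ip: str, src_port: int, ack: int, now: float) -> bool:
        """Handle the handshake's final ACK. Returns True if the connection is established."""
        key = (src_ip, src_port)
        expected = ((ack - 1) & 0xFFFFFFFF).to_bytes(4, "big")    # the peer acks ISN + 1
        if self.syn_cookies:
            bucket = int(now) // 64
            # Accept the current and the previous bucket so a slow but honest peer still connects.
            ok = any(hmac.compare_digest(self._cookie(src_ip, src_port, b).to_bytes(4, "big"), expected)
                     for b in (bucket, bucket - 1))
        else:
            isn = self.half_open.get(key)
            ok = isn is not None and isn.to_bytes(4, "big") == expected
            if ok:
                del self.half_open[key]
        if ok:
            self.established.add(key)
        return ok


def simulate(spoofed_syns: int, syn_cookies: bool, backlog: int = 128) -> bool:
    """Flood the listener with SYNs from spoofed sources that never finish the handshake,
    then attempt one legitimate handshake. Returns True if the legitimate client connects."""
    lst = TcpListener(backlog, syn_cookies=syn_cookies, secret=b"constructed-demo-secret")
    now = 1_000_000.0
    for i in range(spoofed_syns):
        # Constructed spoofed sources in 198.51.100.0/24 (documentation range); they never ACK.
        lst.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, now)
    isn = lst.on_syn("203.0.113.7", 40000, now)               # the legitimate client's SYN
    if isn is None:
        return False
    return lst.on_ack("203.0.113.7", 40000, (isn + 1) & 0xFFFFFFFF, now + 0.1)


if __name__ == "__main__":
    print("no cookies, 1000 spoofed SYNs, legit client connects:", simulate(1000, False))
    print("SYN cookies, 1000 spoofed SYNs, legit client connects:", simulate(1000, True))
```

Without cookies the table fills after 128 spoofed SYNs and the legitimate client's SYN is dropped; with cookies the server keeps no per-SYN state, so the flood costs it nothing beyond the SYN+ACK replies and the legitimate handshake still completes. Real stacks (Linux's net.ipv4.tcp_syncookies, for instance) also encode the MSS into the cookie, which this toy omits.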

2.1.3 PSH+ACK flood attack

During TCP data transfer, the PSH flag can be set to indicate that the current batch of data is complete and should be delivered to the receiving application without delay.

In normal TCP transfer, if the data being sent empties the send buffer, the operating system's TCP/IP stack automatically sets the PSH flag on that segment. Correspondingly, when the server receives a segment with PSH+ACK set, it treats the current transfer as complete, immediately hands the data to the service process and clears the receive buffer rather than waiting for more data to arrive.

Because a TCP segment with PSH set forces the receiver to flush its receive buffer and hand the data to the application, when the attacker uses the controlled hosts to send a large number of PSH+ACK segments at the target, the target spends a large amount of system resources continuously flushing its receive buffer, cannot process normal data, and service is denied.

A PSH+ACK flood on its own has a limited effect on the server. It is more effective when combined with a SYN flood and an ACK flood, which can bypass some protective equipment and strengthen the attack.

2.1.4 RST flood attack

In the termination phase, a TCP connection between client and server is normally torn down with four exchanges of FIN-flagged segments (the TCP four-way handshake). If, however, the client or the server hits an abnormal condition and cannot complete the four-way handshake, an RST segment is used to abort the connection forcibly.

TCP RST attack:

In TCP, RST means reset and is used to close a connection when something goes wrong. When sending an RST to close a connection, the sender does not wait for the data in its buffer to be transmitted; it discards the buffered data and sends the RST. Likewise, on receiving an RST the receiver clears its buffer and closes the connection without sending an ACK to confirm.

The attacker can exploit this property of RST by sending forged TCP segments with the RST flag to forcibly break the TCP connection between a client and a server. To forge such an RST, the server's IP address and port are known, but the attacker also needs the client's IP address and port and must make the RST's sequence number fall within the server's receive window. If the attacker is on the same internal network as the client or server under attack, this information can be obtained by spoofing and sniffing.

The principle of TCP RST attack is shown in the figure

In many cases the attacker is not on the same internal network as the client or server, which makes the port and sequence number hard to obtain when launching a TCP RST attack. The attacker can then use a large number of controlled hosts to guess the port and sequence number blindly and send an RST flood. As long as one of the many RST segments matches the target's port number and carries a sequence number that falls within the target's receive window, the connection is torn down.

The principle of RST flood attack is shown in the figure

Strictly speaking, the TCP RST attack and the RST flood are denial-of-service attacks against users rather than servers. They are commonly used against players of online games or competitions, to influence results and gain some financial benefit.

2.1.5 Sockstress attack

Sockstress is a method of attacking TCP connections proposed by researchers in 2008. Unlike the preceding attacks, it does not need to send a large volume of attack traffic in a short time, so it is not a flood attack but a slow attack.

When TCP transfers data, it does not hand the data straight to the application but first stores it in a receive buffer. The size of the receive buffer is advertised as the TCP window. A window of 0 means the receive buffer is full and the sender must stop sending until the receiver updates its window. Sockstress uses this mechanism to keep TCP connections open for a long time and so deny service.

A Sockstress attack first completes the TCP three-way handshake to establish a connection, but in the final ACK of the handshake the attacker sets its TCP window size to 0 and then issues a request for data. When the target goes to transmit the data, it finds the receiver's window is 0, stops transmitting, and sends a TCP window probe asking whether the attacker's window has been updated. Because the attacker never changes the window size, the target keeps the connection open, waits to send its data, and keeps probing for a window update. If the attacker runs Sockstress from a large number of controlled hosts, the target must maintain a large number of TCP connections and send a large number of window probes; its connection table gradually fills up, new connections cannot be accepted, and service is denied.

The principle of sockstress attack is shown in the figure

Another variant of Sockstress sets the TCP window to a very small value, such as 4 bytes. The target then has to cut the data it wants to send into a large number of 4-byte pieces, which consumes a great deal of its memory and processor resources, slows the system down and denies service.

2.2 Attacks on SSL connections

Secure Sockets Layer (SSL) is a security protocol that provides confidentiality and data integrity for network communication. SSL encrypts the connection at the transport layer to prevent the transmitted data from being eavesdropped on or intercepted.

However, SSL's encryption, decryption and key negotiation consume a lot of system resources and seriously reduce a machine's performance, which is why SSL is usually reserved for transmitting confidential information such as passwords.

An attacker can exploit this resource-hungry property of SSL to carry out a denial-of-service attack.

2.2.1 THC SSL DoS attack

Before SSL data transfer, the two parties first perform an SSL handshake to authenticate each other, negotiate the encryption algorithm and exchange keys. Normally this handshake happens only once, but SSL has a renegotiation option through which the keys can be renegotiated and a new key established.

THC SSL DoS is a denial-of-service method against SSL proposed by security researchers in 2011. It uses the renegotiation option to exhaust the target's resources: after the SSL connection and handshake are complete, the attacker repeatedly renegotiates the key, and each renegotiation costs the server about 15 times the CPU the client spends. A single ordinary desktop is enough to slow a high-performance server down, and if a large number of hosts attack at the same time, the server is kept busy negotiating keys and stops responding altogether.

The principle of THC SSL DoS attack is shown in the figure

In addition, even if the server does not support renegotiation, an attacker can produce a similar effect by repeatedly opening new SSL connections.

2.2.2 SSL flood attack

In the process of SSL handshake, the server will consume more CPU computing resources for encryption and decryption, and check the validity of the data. For the data sent by the client, the server needs to spend a lot of computing resources for decryption before checking the validity of the data. It is important that the server must first check whether the data is valid or not Only decryption can be checked, and attackers can use this feature for SSL flood attack.

One consideration in a flood attack is that the attacker must be able to send a large number of requests from the client, which requires the client to do as little computation as possible. For an SSL flood attack, the better choice is therefore to attack during the SSL handshake, before data transmission. The attacker does not need to complete the handshake and key exchange: as long as the server is made to decrypt and verify data during this process, a large amount of its computing resources is consumed. The attacker can therefore simply construct the request data of the key exchange step so as to minimise client-side computation.

The principle of the SSL flood attack is shown in the figure.

Attackers can use tools such as SSL squeeze to launch SSL flood attacks.

3. Attack application resources

In recent years, distributed denial of service attacks that consume application resources are gradually becoming one of the main means of denial of service attacks. Because of the universality and importance of DNS and web services, these two services have become the main targets of distributed denial of service attacks that consume application resources.

3.1 attack DNS Service

The DNS service is a core service of the Internet. Thanks to DNS, people do not need to remember a host's IP address to reach it, only its domain name. In IPv6 networks, where the IP address grows from the original 32 bits to 128 bits and becomes even harder to remember, the DNS service is more important still. When the availability of the DNS service is threatened, a large number of devices on the Internet are affected or even unable to operate normally. There have been many attacks against DNS in history, and they have had a great impact.

There are two main attack methods against the DNS service: the DNS query flood attack and the DNS NXDOMAIN flood attack.

3.1.1 DNS query flood attack

DNS query and resolution process:

When a client queries a domain name, the DNS server first checks whether its local cache holds a record for that name. If it does (a cache hit), the IP address recorded in the cache is returned directly to the client as a non-authoritative response. If no record is found in the cache, the server performs an iterative query, resolving the name level by level starting from the root until the complete domain name is resolved. It then sends the resolution result to the client as the response and stores a resolution record in its cache.

The DNS query and resolution process is as shown in the figure:

During DNS resolution the client sends one query request, but the DNS server may have to perform multiple additional queries to complete the resolution and give a response, consuming some computing and network resources along the way. If the attacker uses a large number of controlled hosts to continuously send resolution requests for different domain names, the DNS server's cache is continuously refreshed and most resolution requests miss the cache, so the DNS server has to spend additional resources on iterative queries. This greatly increases the server's resource consumption, slowing DNS responses or even causing a complete denial of service.

The principle of the DNS query flood attack is shown in the figure.

The key point of the DNS query flood attack is that each resolution request must be for a different domain name, which effectively avoids hitting resolution records in the DNS server's cache and achieves a better resource consumption effect.

3.1.2 DNS NXDOMAIN flood attack

The DNS NXDOMAIN flood attack is a variant of the DNS query flood attack. The difference is that a DNS query flood asks the DNS server for real domain names, whereas an NXDOMAIN flood asks it for domain names that do not exist.

During a DNS NXDOMAIN flood attack, the DNS server performs multiple domain name queries and its cache fills up with a large number of NXDOMAIN records, so resolution requests from normal users are answered more slowly, an effect similar to that of the DNS query flood attack. In addition, when some DNS servers fail to obtain a resolution result for a domain name, they query again recursively, sending the resolution request to the next higher-level DNS server and waiting for a response, which further increases the resource consumption of the DNS server. The DNS NXDOMAIN flood attack is therefore usually more effective than the DNS query flood attack.
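As an added example that is not part of the original article, the following Python script applies the two indicators described above (every query for a different name, and a high share of NXDOMAIN answers) to resolver query logs in order to flag likely flood sources. The log format, the sample lines and the client addresses are constructed for this example, and the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Hypothetical log format, constructed for this example: "<seconds> <client_ip> <qname> <rcode>"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

# Constructed sample: a normal client repeating a few real names, and a client
# asking for a never-repeating stream of names that do not exist.
NORMAL_NAMES = ["www.example.com", "mail.example.com", "www.example.com",
                "cdn.example.com", "www.example.com"] * 8
SAMPLE_LINES = [f"{i} 198.51.100.7 {n} NOERROR" for i, n in enumerate(NORMAL_NAMES)]
SAMPLE_LINES += [f"{i} 203.0.113.9 q{i:04d}.example.net NXDOMAIN" for i in range(40)]

def parse_line(line):
    """Return (ts, client, qname, rcode), or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return int(ts), client, qname.lower().rstrip("."), rcode

def analyse(lines, min_queries=30, unique_ratio=0.8, nx_ratio=0.5):
    """Return {client: [reasons]} for clients whose traffic exceeds the (illustrative) thresholds."""
    per_client = defaultdict(lambda: {"n": 0, "names": set(), "nx": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, qname, rcode = rec
        stats = per_client[client]
        stats["n"] += 1
        stats["names"].add(qname)          # a different name per query defeats the cache
        if rcode == "NXDOMAIN":
            stats["nx"] += 1               # nonexistent names force upstream queries
    findings = {}
    for client, stats in per_client.items():
        if stats["n"] < min_queries:
            continue                       # too little traffic to judge
        uniq = len(stats["names"]) / stats["n"]
        nx = stats["nx"] / stats["n"]
        reasons = []
        if uniq >= unique_ratio:
            reasons.append(f"query flood pattern: {uniq:.0%} of queries for distinct names")
        if nx >= nx_ratio:
            reasons.append(f"NXDOMAIN flood pattern: {nx:.0%} of answers NXDOMAIN")
        if reasons:
            findings[client] = reasons
    return findings

if __name__ == "__main__":
    for client, reasons in analyse(SAMPLE_LINES).items():
        print(client, "->", "; ".join(reasons))
```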

The principle of the DNS NXDOMAIN flood attack is shown in the figure.

3.2 attack Web Services

In recent years web technology has developed very rapidly. People can use web services through a browser to obtain the information they need easily and conveniently, and much important information and many key businesses of institutions and enterprises are also provided through web services. Once a web service suffers a denial of service attack, the businesses it carries are fatally affected.

3.2.1 HTTP flood attack

Web services usually use hypertext transfer protocol to transfer request and response data.

There are two common kinds of HTTP request: GET and POST. A GET request is usually used to obtain data and resources from the web server, such as requesting a page or fetching pictures and documents; a POST request is used to submit data and resources to the web server, such as sending a user name and password or uploading files. To process these HTTP requests, the web server usually has to parse the request, run server-side scripts, verify user permissions and access the database many times, which consumes a lot of computing and I/O resources.

If the attacker uses a large number of controlled hosts to send a large number of malicious HTTP requests to the web server and makes the server process them, the server's resources are fully occupied, other users' normal web requests are processed slowly or not at all, and the result is a denial of service. This is the HTTP flood attack.

Because HTTP runs over TCP, a TCP connection must be established by the three-way handshake before HTTP communication can begin, so an HTTP flood attack cannot be launched with forged source IP addresses. Instead, the attacker usually uses the HTTP proxy servers that exist in large numbers on the Internet. Using proxy servers not only hides the source of the attack to avoid being traced, but also improves its efficiency: after connecting to a proxy server and sending the request, the attacker can immediately drop the connection to that proxy and move on to the next one, while the HTTP connection between the proxy server and the target web server stays open and the web server has to continue receiving data and processing the HTTP request.

The principle of the HTTP flood attack is shown in the figure.

Like the DNS service, web services also have a caching mechanism. If most of the attacker's requests hit the server cache, the attack mainly consumes network bandwidth, and the consumption of computing and I/O resources is very limited. An efficient HTTP flood attack therefore keeps sending HTTP requests for different resources and pages, preferring resources that cannot be cached, to increase the load on the server and strengthen the attack effect.

In addition, if the web server supports HTTPS, an HTTPS flood attack is an even more effective method. On the one hand, the web server has to spend more resources on authentication, encryption and decryption during HTTPS communication; on the other hand, some protection devices cannot process HTTPS traffic, so the attack traffic bypasses them and reaches the web server directly.

HTTP flood attack is one of the most threatening attacks to web services. There are a large number of attack tools to support HTTP flood attack, which is easy to launch and has obvious effect, and has become one of the main attack methods used by attackers.

3.2.2 slowloris attack

Slowloris attack is a slow HTTP attack against web servers, which was proposed by security researchers in 2009.

In the HTTP protocol, the request header is terminated by the consecutive sequence "\r\n\r\n". Many web servers wait until the header has been received in full before processing the header information of the request, so if the web server never receives "\r\n\r\n" it keeps receiving data and keeps the connection with the client open. Using this feature, an attacker can hold connections to the web server open for a long time and gradually exhaust its connection resources.

When sending an HTTP GET request, the attacker slowly sends useless header fields and never sends the "\r\n\r\n" terminator, which occupies the connection to the web server for a long time while ensuring that it is not closed by a timeout. The number of concurrent connections a web server can handle is limited, so if the attacker uses a large number of controlled hosts to send such incomplete HTTP GET requests and keeps occupying these connections, the server's connection resources are exhausted, other users' HTTP requests cannot be processed, and the result is a denial of service.

The attack principle of slowloris is shown in the figure.

An attacker can launch a slowloris attack simply by using tools such as slowloris and slowhttptest. After the slowloris attack method appeared, some web server software such as IIS and nginx was modified to counter it, but Apache httpd and other web server software is still affected by slowloris attacks.

3.2.3 slow post request attack

Slow post request attack is also a kind of slow HTTP attack against web server, which was proposed by security researchers in 2010. Unlike slowloris attack, slow post request attack uses the way of sending HTTP body slowly to occupy and exhaust the connection resources of web server.

In the HTTP header, the Content-Length field specifies the length of the HTTP message body. When the request header received by the web server contains a Content-Length field, the server treats its value as the length of the HTTP body, keeps receiving data, and only processes the body once the Content-Length value has been reached. With this feature, an attacker can maintain a connection to the web server for a long time and gradually exhaust its connection resources.

When sending an HTTP POST request, the attacker sets Content-Length in the request header to a large value and then sends the HTTP body to the web server byte by byte at a very slow rate, so the web server has to keep the connection to the client open and wait for the data transfer to finish. Because Content-Length is large and the body arrives very slowly, the attacker can occupy the connection for a long time, and by sending a single byte of body content intermittently the attacker ensures that the connection is not closed by a timeout. If the attacker uses a large number of controlled hosts to send such slow HTTP POST requests and keeps occupying these connections, the connection resources of the web server are exhausted, other users' HTTP requests cannot be processed, and the result is a denial of service.

The attack principle of slow post request is as follows:

An attacker can use slowhttptest and other tools to launch a slow POST request attack. Unlike the slowloris attack, and because of the design of the HTTP protocol itself, all web server software is affected by the slow POST request attack.
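The following Python watchdog is an added example, not code from the article or from any of the tools it names. It shows the two server-side limits that counter both the slowloris attack of 3.2.2 and the slow POST attack of 3.2.3: a deadline for completing the request headers and a minimum receive rate for the body (the same idea as Apache httpd's mod_reqtimeout, written from scratch here). Connection ids, timestamps and the request bytes in demo() are constructed; check() returns the connections to close and forgets them.

```python
import re
CL_RE = re.compile(rb"content-length:\s*(\d+)", re.IGNORECASE)

class SlowHttpGuard:
    def __init__(self, header_timeout=20.0, min_body_rate=500.0, body_grace=2.0):
        self.header_timeout = header_timeout  # seconds allowed to receive "\r\n\r\n"
        self.min_body_rate = min_body_rate    # bytes/second required once headers are done
        self.body_grace = body_grace          # seconds before the body rate is enforced
        self.conns = {}                       # cid -> per-connection state

    def on_connect(self, cid, now):
        self.conns[cid] = {"opened": now, "buf": b"", "hdr_done": None, "length": 0, "body": 0}

    def on_data(self, cid, now, data):
        c = self.conns.get(cid)
        if c is None:
            return                                # already completed or dropped
        if c["hdr_done"] is None:
            c["buf"] += data
            end = c["buf"].find(b"\r\n\r\n")
            if end < 0:
                return                            # terminator not seen yet: keep waiting
            m = CL_RE.search(c["buf"][:end])
            c["length"] = int(m.group(1)) if m else 0
            c["hdr_done"], c["body"] = now, len(c["buf"]) - end - 4
        else:
            c["body"] += len(data)
        if c["body"] >= c["length"]:
            del self.conns[cid]                   # request complete: hand off, stop tracking

    def check(self, now):
        verdicts = []
        for cid, c in list(self.conns.items()):
            if c["hdr_done"] is None:
                if now - c["opened"] > self.header_timeout:
                    verdicts.append((cid, f"headers incomplete after {now - c['opened']:.0f}s (slowloris pattern)"))
            else:
                elapsed = now - c["hdr_done"]
                if elapsed > self.body_grace and c["body"] / elapsed < self.min_body_rate:
                    verdicts.append((cid, f"body arriving at {c['body'] / elapsed:.2f} B/s (slow POST pattern)"))
        for cid, _ in verdicts:
            del self.conns[cid]
        return verdicts

def demo(now=25.0):
    # Constructed timeline: a normal GET, a slowloris client and a slow POST client.
    g = SlowHttpGuard()
    for cid in ("normal", "loris", "slowpost"):
        g.on_connect(cid, 0.0)
    g.on_data("normal", 0.1, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")
    g.on_data("loris", 0.1, b"GET / HTTP/1.1\r\nHost: example.test\r\n")
    g.on_data("loris", 15.0, b"X-a: b\r\n")       # a trickle of headers, never the terminator
    g.on_data("slowpost", 0.2, b"POST /f HTTP/1.1\r\nHost: example.test\r\nContent-Length: 1000000\r\n\r\n")
    g.on_data("slowpost", 10.0, b"x")             # one byte of a million-byte body
    return g.check(now)
```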

3.2.4 data processing attack

After receiving the HTTP request, the web server needs to check and process the data. By maliciously constructing the content of the request data, the attacker can significantly increase the resource consumption in the data processing process, resulting in a denial of service attack.

The regular expression denial of service attack and the hash collision denial of service attack are given as examples.

The regular expression denial of service attack, also known as ReDoS, is a denial of service method discovered by security researchers in 2009. When processing request data, web applications commonly use regular expressions to match strings. Some regular expression engines use an implementation based on nondeterministic finite automata to handle complex regular expressions, such as those containing backreferences or capturing parentheses. This implementation, however, increases processing time: in particular, to establish a "negative match" (that the input does not match) the engine has to test every possible matching path. If a regular expression in the web application is poorly written, the number of paths to test grows exponentially with the length of the input string, and with a maliciously constructed input the attacker needs to submit only a relatively short string to force the engine to process hundreds of millions of matching paths, which can take hours or even days. A handful of such malicious matching requests can fully occupy the web server's computing resources and cause a denial of service.

The hash collision denial of service attack is a denial of service method proposed by security researchers in 2011. When web applications process the POST data in a request, they usually store it as key-value pairs. In PHP, Python, Java and other languages the key-value store is essentially a hash table, and the web application finds the value corresponding to a key by computing the hash of the key. Normally there are few hash collisions in such a table, so lookup and insertion are very fast. The hash table in its normal state is shown in the figure.

If the attacker constructs a set of malicious POST data in which all the keys have the same hash value, the hash table storing the POST data degenerates into a linked list, and hash table operations such as lookup and insertion become traversals of that list, occupying a large amount of computing resources and resulting in a denial of service. The hash table in a heavily colliding state is shown in the figure.
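As an added example that is not from the article, this Python script reproduces the degeneration just described on a toy chained hash table and shows the two standard mitigations: a secret-keyed hash function, so that colliding keys cannot be precomputed, and a cap on the number of request fields. The sum-of-character-codes hash, the anagram keys, the bucket count and the field limit are constructed for the demonstration; SECRET is a per-process random key.

```python
import hashlib
import os
from itertools import permutations

SECRET = os.urandom(16)   # per-process key, never sent to clients

def weak_hash(key):
    """Deliberately poor toy hash: the sum of the character codes, so all anagrams collide."""
    return sum(key.encode())

def keyed_hash(key, secret=SECRET):
    """Secret-keyed hash (BLAKE2b): without the key an attacker cannot precompute collisions."""
    digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big")

def chain_lengths(keys, hash_fn, nbuckets=64):
    """Bucket occupancy of a chained hash table; the maximum is the worst-case lookup cost."""
    chains = [0] * nbuckets
    for key in keys:
        chains[hash_fn(key) % nbuckets] += 1
    return chains

def worst_chain(keys, hash_fn):
    return max(chain_lengths(keys, hash_fn))

def check_field_count(keys, max_fields=1000):
    """Second mitigation: refuse requests with too many fields (the idea behind PHP's max_input_vars)."""
    if len(keys) > max_fields:
        raise ValueError(f"request has {len(keys)} fields, limit is {max_fields}")
    return len(keys)

# Constructed malicious POST keys: every anagram of one word has the same weak_hash value.
COLLIDING_KEYS = ["".join(p) for p in permutations("abcdefg")]   # 7! = 5040 keys

if __name__ == "__main__":
    print("keys:", len(COLLIDING_KEYS))
    print("weak hash, longest chain: ", worst_chain(COLLIDING_KEYS, weak_hash))    # 5040: one linked list
    print("keyed hash, longest chain:", worst_chain(COLLIDING_KEYS, keyed_hash))   # spread over 64 buckets
    try:
        check_field_count(COLLIDING_KEYS)
    except ValueError as err:
        print("rejected:", err)
```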

By lemon

This article is published by the author of security pulse column. Please note: https://www.secpulse.com/archives/64088.html