Flood is the simplest and most common way to carry out DDoS attacks. Flood - the easiest and most common way to carry out DDoS attacks Protection against udp flooding windows

The fundamental concepts of cyber security are availability, integrity and confidentiality. Attacks Denial of service (DoS) affect the availability of information resources. A denial of service is considered successful if it resulted in unavailability information resource... The success of the attack and the influence on the target resources differ in that the influence inflicts damage on the victim. For example, if an online store is attacked, a prolonged denial of service can cause financial losses for the company. In any particular case, DoS activity can either directly cause harm or create a threat and potential risk of damage.

The first D in DDoS means distributed: distributed denial of service attack... In this case, we are talking about a huge mass of malicious requests coming to the victim's server from many different places. Typically, these attacks are organized through botnets.

In this article, we will take a closer look at what types of DDoS traffic and what types of DDoS attacks exist. For each type of attack, there will be brief recommendations for preventing and restoring operability.

DDoS traffic types

The simplest type of traffic is HTTP requests. With the help of such requests, for example, any visitor communicates with your site through a browser. The request is based on an HTTP header.

HTTP header... HTTP headers are fields that describe what kind of resource is being requested, such as a URL or a form, or a JPEG. Also, the HTTP headers inform the web server what type of browser is being used. The most common HTTP headers are ACCEPT, LANGUAGE, and USER AGENT.

The requester can use as many headers as desired, giving them the desired properties. DDoS attackers can alter these and many other HTTP headers, making them difficult to detect for an attack. In addition, HTTP headers can be written to control caching and proxy services. For example, you can instruct the proxy server not to cache information.

HTTP GET

• HTTP (S) GET request is a method that requests information from the server. This request can ask the server to transfer some kind of file, image, page or script to display in the browser.
• HTTP (S) GET flood - method DDoS attacksand the application layer (7) of the OSI model, in which the attacker sends a powerful stream of requests to the server in order to overflow its resources. As a result, the server cannot respond not only to hacker requests, but also to requests from real clients.

HTTP POST

• HTTP (S) POST request is a method in which data is placed in the body of the request for further processing on the server. The HTTP POST request encodes the submitted information and places it on the form, and then submits this content to the server. This method used when it is necessary to transfer large amounts of information or files.
• An HTTP (S) POST flood is a type of DDoS attack in which a number of POST requests overwhelm the server so that the server is unable to respond to all requests. This can lead to extremely high use of system resources, and, as a result, to an emergency stop of the server.

Each of the above HTTP requests can be transmitted over a secure protocol HTTPS... In this case, all data sent between the client (attacker) and the server is encrypted. It turns out that "security" here plays into the hands of attackers: in order to identify a malicious request, the server must first decrypt it. Those. the entire stream of requests has to be decrypted, of which a lot is received during a DDoS attack. This puts additional load on the victim server.

SYN flood (TCP / SYN) establishes half-open connections with the host. When the victim receives a SYN packet on an open port, it must reply with a SYN-ACK packet and establish a connection. After that, the initiator sends a response to the recipient with an ACK packet. This process is conventionally called a handshake. However, during a SYN flood attack, the handshake cannot be completed. The attacker does not respond to the SYN-ACK of the victim server. Such connections remain half-open until the timeout expires, the connection queue is full, and new clients cannot connect to the server.

UDP flood are most often used for broadband DDoS attacks due to their sessionlessness, as well as the simplicity of creating protocol 17 (UDP) messages by various programming languages.

ICMP flood... The Internet Control Message Protocol (ICMP) is primarily used to convey error messages and is not used to transmit data. ICMP packets can accompany TCP packets when connecting to a server. ICMP flood is a DDoS attack method at the 3rd level of the OSI model, using ICMP messages to overload the attacked network channel.

MAC flood is a rare type of attack in which the attacker sends multiple empty Ethernet frames with different MAC addresses. Network switches consider each MAC address separately and, as a result, reserve resources for each of them. When all the memory on the switch is used, it either stops responding or turns off. On some types of routers, a MAC flood attack can cause entire routing tables to be dropped, thus disrupting the entire network.

Classification and targets of DDoS attacks by OSI layer

Internet uses oSI model... In total, there are 7 levels in the model, which cover all communication environments: from the physical environment (1st level) to the application level (7th level), where programs communicate with each other.

DDoS attacks are possible at each of the seven levels. Let's consider them in more detail.

7th oSI layer: Applied

What to do: Application monitoring is a systematic software monitoring that uses a specific set of algorithms, technologies and approaches (depending on the platform on which this software is used) to identify 0day application vulnerabilities (level 7 attacks). Once such attacks are identified, they can be stopped once and for all and their source can be traced. This is done most simply on this layer.

6th OSI layer: Representative

What to do: To mitigate the harm, look for tools such as distributing the SSL encryption infrastructure (that is, hosting the SSL on a great server, if possible) and inspecting application traffic for attacks or policy violations on the application platform. A good platform ensures that traffic is encrypted and sent back to the initial infrastructure with the decrypted content residing in the secure memory of the secure bastion host.

5th OSI layer: Session

What to do: Support firmware hardware up to date to reduce the risk of a threat.

4th OSI layer: Transport

What to do: Filtering DDoS traffic, known as blackholing, is a technique often used by ISPs to protect customers (we use this method ourselves). However, this approach makes the client's site inaccessible to both the attacker's traffic and legitimate user traffic. However, access blocking is used by ISPs in the fight against DDoS attacks to protect customers from threats such as slowing down of network equipment and service outages.

3rd OSI layer: Network

What to do: Limit the number of processed ICMP requests and reduce the potential impact of this traffic on the Firewall speed and Internet bandwidth.

2nd OSI layer: Channel

What to do: Many modern switches can be configured in such a way that the number of MAC addresses is limited to reliable ones, which are checked for authentication, authorization and accounting on the server (AAA protocol) and subsequently filtered.

1st OSI layer: Physical

What to do: Take a systematic approach to monitoring the performance of physical network equipment.

Eliminate large-scale DoS / DDoS attacks

Although an attack is possible at any of the layers, attacks on layers 3-4 and 7 of the OSI model are especially popular.

• DDoS attacks at the 3rd and 4th levels - infrastructure attacks - types of attacks based on the use of a large volume, powerful data flow (flood) at the network infrastructure and transport levels in order to slow down the operation of the web server, "fill" the channel , and ultimately prevent other users from accessing the resource. These types of attacks typically include ICMP, SYN and UDP floods.
• A Layer 7 DDoS attack is an attack that overloads some specific elements of the application server infrastructure. Level 7 attacks are particularly complex, stealthy, and difficult to detect due to their similarity to useful web traffic. Even the most basic Level 7 attacks, such as attempting to log in with an arbitrary username and password, or repeated random searches on dynamic web pages, can critically load the CPU and databases. Also, DDoS attackers can repeatedly modify the signatures of Level 7 attacks, making them even more difficult to recognize and eliminate.

Some actions and equipment to mitigate attacks:

• Dynamic packet inspection firewalls
• Dynamic SYN proxy mechanisms
• Limiting the number of SYNs per second for each IP address
• Limiting the number of SYNs per second for each remote IP address
• Installing ICMP Flood Screens on Firewall
• Installing UDP Flood Screens on Firewall
• Rate limiting routers adjacent to firewalls and networks

11.11.2012

Under the floodit means a huge stream of data in the form of messages, which is sent for posting on all kinds of forums and chats. From a technical point of view, flood is one of the most common types of computer attacks, and its purpose is to send such a number of requests that the server hardware will be forced to fulfill denial of service user services. If a computer assault carried out from a large number of computers then you are dealing with.

There are several types of flood DDoS attacks, the main ones are listed below:

• SYN-ACK flood
• HTTP flood
• ICMP flood
• UDP flood

SYN-ACK flood

SYN-ACK flood - one of the types network attackswhich is based on sending a huge number of SYN requests per unit of time. The result will be the disabling of the service, the work of which was based on the TCP protocol. First, the client sends to the server a packet containing the SYN flag, the presence of which indicates that the client wants to establish a connection. The server, in turn, sends a response packet. In addition to the SYN flag, it also contains an ACK flag, which draws the client's attention to the fact that the request has been accepted and a confirmation of the connection from the client is expected. He replies with a packet with an ACK flag about a successful connection. The server stores all requests for "connection" from clients in a queue of a certain size. Requests are kept in a queue until an ACK flag is returned from the client. A SYN attack is based on sending packets to a server from a non-existent source that exceed the queue size. The server will simply not be able to respond to the packet at a fictitious address. The queue will not decrease and the service will stop functioning.

HTTP flood

HTTP flood - is used in the case of the service with database... The attack targets either web server, or a script that works with the database. A huge number of GET requests are sent on port 80 so that the web server cannot pay due attention to other types of requests. Log files grow and work with the database becomes impossible.

ICMP flood

ICMP flood - easy way decrease bandwidth and increasing loads on the stack by means of sending the same type of ICMP PING requests. Dangerous if little attention is paid to firewalls, since a server responding to endless ECHO requests is doomed. So in the case of the same amount of incoming and outgoing traffic, just write the rules in iptables.

UDP flood

UDP flood - another way cluttering the bandwidthbased on working with a protocol that does not require synchronization before sending data. The attack boils down to simply sending a packet to the server's UDP port. After receiving the packet, the server begins to intensively process it. The client then sends the Udp packets of invalid content one by one. As a result, the ports will stop functioning and the system will crash.

In principle, to determine type of DDoS attack often it is not necessary to spend a lot of time. It is enough to know a few signs. If significantly increased size of log files - You are dealing with HTTP flood... If a limited access to the service as a result of exceeding the number of allowed connections - this SYN-ACK flood... If outgoing and incoming traffic are approximately equal - You are dealing with ICMP flood... The main thing is not to forget about maintaining the security of your server from DDoS and give it due attention. The best thing is to take care of

Your morning starts with reading bug reports and analyzing logs. You daily
you update the software and tweak the firewall rules hourly. Snort is your best
friend, and Zabbix is \u200b\u200ban invisible helper. You have built a real bastion to which
not get close on either side. But! You are completely defenseless against yourself
insidious and vile attacks in the world - DDoS.

It's hard to say when the term DoS attack first appeared. Experts say
about 1996, along the way hinting that this type of attack "reached" the broad masses only in
1999, when the websites of Amazon, Yahoo, CNN and eBay hit one after another.
Even earlier, the DoS effect was used to test the stability of systems and
communication channels. And if you dig deeper and use the term DoS to
designation of the phenomenon, it becomes clear that it has always existed, since the
first mainframes. Just think of him as a deterrent
started much later.

Speaking simple languageDoS attacks are some kind of malicious
activities aiming to bring computer system before that
states where it will not be able to serve legitimate users or
correctly perform the functions assigned to it. To the state of "refusal in
maintenance "usually result in software errors or excessive load on the network
channel or system as a whole. As a result, the software, or the entire operating system
machines, "crashes" or ends up in a "looped" state. And this threatens
downtime, loss of visitors / customers and losses.

Anatomy of a DoS attack

DoS attacks are classified as local and remote. Local include
various exploits, fork bombs and programs that open a million files each or
launching some kind of cyclical algorithm that eats up memory and processor
resources. We will not dwell on all this. Remote DoS attacks
let's consider in more detail. They are divided into two types:

1. Remote exploitation of errors in software in order to render it inoperative
   state.
2. Flood - sending a huge amount of meaningless (less often
   - meaningful) packages. The flood target can be a communication channel or resources
   cars. In the first case, the packet stream occupies the entire bandwidth and does not
   gives the attacked machine the ability to process legitimate requests. In the second
   - machine resources are captured using multiple and very frequent
   calls to any service that performs a complex, resource-intensive
   operation. This can be, for example, a long call to one of
   active components (script) of the web server. The server wastes all machine resources
   to process the attacker's requests, and users have to wait.

In the traditional performance (one attacker - one victim) now remains
only the first type of attacks is effective. The classic flood is useless. Just because
that with today's bandwidth of servers, the level of computing power and
widespread use of various anti-DoS techniques in software (for example, delays
when the same client performs the same actions multiple times), the attacker
turns into an annoying mosquito, unable to inflict any
damage. But if there are hundreds, thousands or even hundreds of thousands of these mosquitoes, they
easily put the server on the blades. The crowd is a terrible force not only in life, but also in
the computer world. Distributed Denial of Service (DDoS) Attack,
usually carried out by many zombified hosts, can
cut off even the most persistent server from the outside world, and the only effective
protection - the organization of a distributed system of servers (but this is far from affordable
not everyone, hello Google).

Control methods

The danger of most DDoS attacks lies in their absolute transparency and
"normality". After all, if a software error can always be corrected, then a complete
the consumption of resources is almost commonplace. Many face them
administrators, when machine resources (bandwidth) become insufficient,
or the website is subject to a slashdot effect (twitter.com became unavailable after
minutes after the first news of Michael Jackson's death). And if you cut
traffic and resources for everyone, then you will save yourself from DDoS, but you will lose good
half of the clients.

There is practically no way out of this situation, but the consequences of DDoS attacks and their
efficiency can be significantly reduced due to correct setting
router, firewall and constant analysis of anomalies in network traffic. IN
In the next part of the article, we will consider in sequence:

• ways to recognize an incipient DDoS attack;
• methods of dealing with specific types of DDoS attacks;
• versatile tips to help prepare for a DoS attack and
  reduce its effectiveness.

At the very end, the answer will be given to the question: what to do when it started
DDoS attack.

Fight against flood attacks

So, there are two types of DoS / DDoS attacks, and the most common one is
based on the idea of \u200b\u200bflooding, that is, filling the victim with a huge number of packets.
Flood is different: ICMP flood, SYN flood, UDP flood, and HTTP flood. Modern
DoS bots can use all of these types of attacks at the same time, so you should
take care in advance of adequate protection against each of them.

1. ICMP flood.

A very primitive method of clogging up bandwidth and creating loads on
network stack through monotonic sending of ICMP ECHO requests (ping). Easily
detected by analyzing traffic flows in both directions: during an attack
of ICMP flood type, they are almost identical. Almost painless way of absolute
protection is based on disabling responses to ICMP ECHO requests:

# sysctl net.ipv4.icmp_echo_ignore_all \u003d 1

Or using a firewall:

# iptables -A INPUT -p icmp -j DROP --icmp-type 8

2. SYN flood.

One of the common ways not only to clog the communication channel, but also to enter
network stack operating system into a state where he can no longer
accept new connection requests. Based on attempted initialization
a large number of simultaneous TCP connections by sending a SYN packet with
non-existent return address. After several attempts to send a reply
ACK packet to an inaccessible address, most operating systems install an unidentified
queue connection. And only after the n-th attempt the connection is closed. Because
the flow of ACK packets is very large, soon the queue is full, and the core
refuses attempts to open a new connection. The smartest DoS bots are also
analyze the system before starting an attack in order to send requests only to open
vital ports. It is easy to identify such an attack: enough
try to connect to one of the services. Defensive measures are usually
include:

Increasing the queue of "half-open" TCP connections:

# sysctl -w net.ipv4.tcp_max_syn_backlog \u003d 1024

Reducing the holding time of "half-open" connections:

# sysctl -w net.ipv4.tcp_synack_retries \u003d 1

Enabling TCP syncookies mechanism:

# sysctl -w net.ipv4.tcp_syncookies \u003d 1

Limiting the maximum number of "half-open" connections from one IP to
specific port:

# iptables -I INPUT -p tcp --syn --dport 80 -m iplimit --iplimit-above
10 -j DROP

3. UDP flood.

Typical method of cluttering bandwidth. Based on an infinite premise
UDP packets to the ports of various UDP services. Easily removed by cutting off
such services from the outside world and setting a limit on the number of connections in
unit of time to the DNS server on the gateway side:

# iptables -I INPUT -p udp --dport 53 -j DROP -m iplimit --iplimit-above 1

4. HTTP flood.

One of the most widespread flooding methods today. Based on
endlessly sending HTTP GET messages to port 80 in order to download
a web server so that it is unable to handle all
other requests. Often, the flood target is not the root of the web server, but one of
scripts that perform resource-intensive tasks or work with a database. In any
case, an indicator of an attack that has begun will be an abnormally fast growth of logs
web server.

Methods for dealing with HTTP flooding include tuning your web server and database
in order to reduce the effect of the attack, as well as filter out DoS bots using
various techniques. First, you should increase the maximum number of connections to
database at the same time. Second, install in front of the Apache web server a lightweight
and productive nginx - it will cache requests and serve static. it
a solution from the "must have" list that will not only reduce the effect of DoS attacks, but also
will allow the server to withstand huge loads. A small example:

# vi /etc/nginx/nginx.conf
# Increase the maximum number of files used
worker_rlimit_nofile 80000;
events (
# Increase the maximum number of connections
worker_connections 65536;
# Use efficient epoll method to handle connections
use epoll;
}
http (
gzip off;
# Disable the timeout for closing keep-alive connections
keepalive_timeout 0;
# Don't give nginx version in response header
server_tokens off;
# Reset connection by timeout
reset_timedout_connection on;
}
# Standard settings to work as a proxy
server (
listen 111.111.111.111 default deferred;
server_name host.com www.host.com;
log_format IP $ remote_addr;
location / (
proxy_pass http://127.0.0.1/;
}
location ~ * \\. (jpeg | jpg | gif | png | css | js | pdf | txt | tar) $ (
root /home/www/host.com/httpdocs;
}
}

If necessary, you can use the nginx module
ngx_http_limit_req_module, which limits the number of simultaneous connections from
one address (http://sysoev.ru/nginx/docs/http/ngx_http_limit_req_module.html).
Resource-intensive scripts can be protected from bots with delays, Click
me ", setting cookies and other techniques aimed at checking
"humanity".

In order not to get into a stalemate during the collapse of a DDoS storm on
systems, it is necessary to carefully prepare them for such a situation:

1. All servers with direct access to the external network must be
   prepared for a quick and easy remote reboot (sshd will save the father
   Russian democracy). A big plus will be the presence of a second,
   administrative, network interface through which you can access
   to the server if the main channel is clogged.
2. The software used on the server must always be up to date
   condition. All holes are patched, updates are installed (simple as
   boot, advice that many do not follow). It will protect you from DoS attacks,
   exploiting bugs in services.
3. All listening network services intended for the administrative
   use must be hidden by a firewall from anyone who should not
   have access to them. Then the attacker will not be able to use them to conduct
   DoS or brute force attacks.
4. On the approaches to the server (nearest router) should be installed
   traffic analysis system (NetFlow to help), which will allow timely
   learn about an attack that is starting and take timely measures to prevent it.

Add the following lines to /etc/sysctl.conf:

# vi /etc/sysctl.conf
# Protection against spoofing
net.ipv4.conf.default.rp_filter \u003d 1
# Check TCP connection every minute. If the other side is legal
machine, she will immediately answer. The default value is 2 hours.
net.ipv4.tcp_keepalive_time \u003d 60
# Try again after ten seconds
net.ipv4.tcp_keepalive_intvl \u003d 10
# Number of checks before closing the connection
net.ipv4.tcp_keepalive_probes \u003d 5

It should be noted that all the techniques given in the past and in this section,
are aimed at reducing the effectiveness of DDoS attacks aimed at
use up machine resources. Protect against flooding clogging the channel with debris
almost impossible, and the only correct, but not always feasible
the way to fight is to "make the attack senseless." If you have
a really wide channel that will easily pass traffic
small botnet, consider that your server is protected from 90% of attacks. There are more
a sophisticated way of protection. It is based on a distributed organization
a computer network that includes many redundant servers that
connected to different trunk channels. When computing power or
the bandwidth of the channel is running out, all new clients are redirected
to another server (or are gradually "spread" across servers by the principle
round-robin). This is an incredibly expensive, but very durable structure, fill up
which is almost unrealistic.

Another more or less effective solution is to buy expensive
hardware systems Cisco Traffic Anomaly Detector and Cisco Guard. Working in
bundle, they can suppress the incipient attack, but, like most others
decisions based on learning and state analysis fail. Therefore it follows
think carefully before knocking out tens of thousands of
dollars for such protection.

It seems to have begun. What to do?

Before the immediate start of the attack, the bots "warm up", gradually
increasing the flow of packets to the attacked machine. It's important to take the moment and start
active actions. Constant monitoring of the router will help in this,
connected to an external network (analysis of NetFlow graphs). On the victim server
it is possible to determine the beginning of the attack by means at hand

SYN floods are easily established by counting the number of "half-open"
TCP connections:

# netstat -na | grep ": 80 \\" | grep SYN_RCVD

In a normal situation, they should not be at all (or a very small number:
maximum 1-3). If this is not the case, you are attacked, urgently go to the drop
attackers.

The HTTP flood is a little more complicated. First you need to count the number
Apache processes and the number of connections on port 80 (HTTP flood):

# ps aux | grep httpd | wc -l
# netstat -na | grep ": 80 \\" | wc -l

Values \u200b\u200bseveral times higher than the statistical average give grounds
ponder. Next, you should view the list of IP addresses from which requests are coming
for connection:

# netstat -na | grep ": 80 \\" | sort | uniq -c | sort -nr | less

It is impossible to unambiguously identify a DoS attack, you can only confirm your
guesses about the presence of such, if one address is repeated too many in the list
times (and even then, this may indicate visitors sitting behind NAT).
Additional confirmation will be the analysis of packets using tcpdump:

# tcpdump -n -i eth0 -s 0 -w output.txt dst port 80 and host of the IP server

The indicator is a large stream of monotonous (and not containing useful
information) packets from different IPs directed to one port / service (for example,
web server root or specific cgi script).

Having finally decided, we begin to drop unwanted IP addresses (there will be
much more effect if you do this on a router):

# iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp --destination-port http -j
DROP

Or immediately by subnets:

# iptables -A INPUT -s xxx.xxx.0.0 / 16 -p tcp --destination-port http -j
DROP

This will give you some head start (very small; often the source IP address
spoof), which you must use to refer to
to the provider / hoster (with the logs of the web server, kernel,
firewall and the list of IP addresses you identified). Most of them, of course,
will ignore this message (and hosting sites with paid traffic will also be glad -
A DoS attack will bring them profit) or simply shut down your server. But in any
In case, this should be done without fail - effective protection against DDoS is possible
just on main canals... Alone you can handle petty attacks
aimed at depleting server resources, but you will find yourself defenseless against
more or less serious DDoS.

Fighting DDoS on FreeBSD

Reducing the waiting time for a response packet to a SYN-ACK request (protection against
SYN flood):

# sysctl net.inet.tcp.msl \u003d 7500

We turn the server into a black hole. So the kernel will not send back packets when
trying to connect to unoccupied ports (reduces the load on the machine during
DDoS on random ports):

# sysctl net.inet.tcp.blackhole \u003d 2
# sysctl net.inet.udp.blackhole \u003d 1

We limit the number of responses to ICMP messages to 50 per second (protection against
ICMP flood):

# sysctl net.inet.icmp.icmplim \u003d 50

We increase the maximum number of connections to the server (protection from all
types of DDoS):

# sysctl kern.ipc.somaxconn \u003d 32768

Turn on DEVICE_POLLING - self-poll network driver core on
high loads (significantly reduces the load on the system during DDoS "a):

1. Rebuild the kernel with the "options DEVICE_POLLING" option;
2. We activate the polling mechanism: "sysctl kern.polling.enable \u003d 1";
3. Add the entry "kern.polling.enable \u003d 1" to /etc/sysctl.conf.

Naive Internet

At its dawn, DoS attacks were a real disaster for servers
and ordinary workstations. The website could have been easily overwhelmed with
a single host implementing a Smurf attack. Workstations with
the installed Windows OS fell like dominoes from attacks like Ping of Death, Land,
WinNuke. Today all this is not worth fearing.

Largest botnets

400 thousand
computers.
- 315 thousand
computers.
Bobax - 185 thousand computers.
Rustock - 150 thousand computers.
Storm - 100 thousand computers.
Psybot - 100 thousand Linux-based ADSL routers.
BBC botnet - 22 thousand computers.
,
created by the BBC.

Mark on history

1997 DDoS attack on the Microsoft website. One day of silence.
1999 - Web sites of Yahoo, CNN, eBay, etc. were "out of range".
October 2002 - An attack on the Internet root DNS servers. For a while there were
7 out of 13 servers were disabled.
February 21, 2003 - DDoS attack on LiveJournal.com. Two days service
was in a paralyzed state, only occasionally showing signs of life.

Intelligent systems

INFO

Round-robin is a load balancing algorithm for distributed computing
system by enumerating its elements in a circular cycle.