Understanding Distributed Denial of Service (DDoS): Types, Techniques, and Defense Strategies

What is a Distributed Denial of Service (DDoS) Attack?

A Distributed Denial of Service (DDoS) attack coordinates many compromised computers into a single attack platform. The attacker controls them through malware over remote connections and points them at one or more targets, exhausting the target server's processing capacity or its network bandwidth so that legitimate users lose service.

How It Works

Typically, the attacker uses a compromised account to install a DDoS master (handler) program on one machine and deploys agent programs on many other machines across the network. At a chosen time the master contacts the agents; when an agent receives the command it attacks the target, and a single master can activate hundreds or thousands of agents within seconds.

Classification

Each entry below gives the attack category, its attack subcategories, and a description.

Malformed Packets

FragFlood, Smurf, StreamFlood, LandFlood, IP Malformed Packets, TCP Malformed Packets, UDP Malformed Packets, etc.

Malformed packet attacks send deliberately defective IP (or transport-layer) packets to the target system. The target's protocol stack crashes or hangs while processing them, which achieves the denial of service.

Transport Layer DDoS Attacks

SYN Flood, ACK Flood, UDP Flood, ICMP Flood, RST Flood, etc.

A SYN flood, for example, abuses the TCP three-way handshake. When the server receives a SYN it must allocate state for the half-open connection and hold it in the listen (SYN) backlog until the handshake completes or times out. By sending SYNs continuously, usually from spoofed sources, and never answering the SYN+ACK, the attacker fills the backlog; once it is full the server can no longer accept connections from legitimate clients, which is the denial of service.

DNS DDoS Attacks

DNS Request Flood, DNS Response Flood, mixed fake-source and real-source DNS query floods, attacks on authoritative servers, attacks on local (recursive) servers, etc.

A DNS query flood, for instance, consists of well-formed queries, which are normal business traffic on their own. When a large number of bots issue a massive volume of domain-name queries at the same time, however, the server can no longer answer legitimate queries, and service is denied.

Connection-Based DDoS Attacks

TCP slow-connection attacks, connection-exhaustion attacks, and tools such as LOIC, HOIC, Slowloris, PyLoris and XOIC, etc.

Take Slowloris as an example. It targets the web server's connection concurrency limit: once the server has reached its maximum number of concurrent connections it cannot process new requests. For each new HTTP request the web server opens a connection, handles the request and closes the connection when it is finished. If every existing connection is kept busy, a new request needs a new connection, and when all available connections are occupied the server cannot serve anyone else. Slowloris exploits a property of HTTP to keep connections busy: the header section of a request ends with the empty line \r\n\r\n. If the server has received only \r\n, it treats the headers as incomplete, keeps the connection open and waits for the rest of the request.

Web Application Layer DDoS Attacks

HTTP GET Flood, HTTP POST Flood, CC attacks, etc.

Application-layer attacks generally imitate user requests completely, much like search engines and crawlers do, which makes them hard to separate from legitimate business traffic. Resource-intensive operations and pages in a web service, such as pagination, are typical targets: early CC (Challenge Collapsar) attacks picked pages where the page-size parameter was unbounded and requested page after page. Since most attacks today are hybrids, any high-frequency operation that simulates user behaviour can be treated as a CC attack; the traffic of various bot programs hitting a site is one example. CC attacks aim at the backend work behind a web application, so beyond denying service they directly degrade the application's behaviour and performance, including response time, database load and disk I/O.

Suricata Rules

  • TCP Malformed Packets

The TCP header carries the flag bits URG, ACK, PSH, RST, SYN and FIN (plus ECE and CWR, added by RFC 3168). Attackers send packets with flag combinations that never occur in a legitimate handshake, such as SYN together with FIN, no flags at all, or every flag set. The victim host tries to process each of them, consuming resources, and some operating systems have crashed while handling such abnormal packets.
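The following is an added example, not code from the original article or from Suricata: it parses the flag byte out of a raw TCP header the way the tcp.flags keyword does and reports the illegal combinations the paragraph describes. The helper that builds test segments and the rule-equivalent comments are assumptions for illustration.

```python
import struct

# TCP flag bits (RFC 793 plus ECE/CWR from RFC 3168); same values as the
# TH_* definitions used by Suricata's tcp.flags keyword.
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG, TH_ECE, TH_CWR = (
    0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80)
FLAG_NAMES = {TH_FIN: "F", TH_SYN: "S", TH_RST: "R", TH_PUSH: "P",
              TH_ACK: "A", TH_URG: "U", TH_ECE: "E", TH_CWR: "C"}
SIX_FLAGS = TH_FIN | TH_SYN | TH_RST | TH_PUSH | TH_ACK | TH_URG


def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=65535):
    """Build a minimal 20-byte TCP header with no options (constructed test input)."""
    data_offset = 5 << 4          # header length in 32-bit words, high nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       data_offset, flags, window, 0, 0)


def tcp_flags(segment):
    """Return the 8 flag bits of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    if segment[12] >> 4 < 5:
        raise ValueError("invalid TCP data offset")
    return segment[13]            # byte 13 of the header is the flags byte


def flag_string(flags):
    """Render flags the way tcp.flags spells them in a rule, e.g. 'SA' for SYN+ACK."""
    return "".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "0"


def illegal_flag_reasons(flags):
    """Return why a flag combination is considered malformed (empty list = sane)."""
    reasons = []
    if flags & SIX_FLAGS == 0:
        reasons.append("no flags set (null packet)")          # rule equivalent: tcp.flags:0;
    if flags & TH_SYN and flags & TH_FIN:
        reasons.append("SYN and FIN together")                # tcp.flags:SF;
    if flags & TH_SYN and flags & TH_RST:
        reasons.append("SYN and RST together")                # tcp.flags:SR;
    if flags & SIX_FLAGS == SIX_FLAGS:
        reasons.append("all six flags set (xmas packet)")     # tcp.flags:FSRPAU;
    if flags & (TH_FIN | TH_PUSH | TH_URG) and not flags & (TH_ACK | TH_SYN | TH_RST):
        reasons.append("FIN/PSH/URG without ACK")             # FIN and Xmas scans
    return reasons


def scan_segments(segments):
    """Run the check over a list of raw TCP headers; return (flags, reasons) for bad ones."""
    findings = []
    for seg in segments:
        flags = tcp_flags(seg)
        reasons = illegal_flag_reasons(flags)
        if reasons:
            findings.append((flag_string(flags), reasons))
    return findings


if __name__ == "__main__":
    # Constructed sample: a normal SYN and ACK|PSH next to three malformed segments.
    sample = [build_tcp_header(40000, 80, TH_SYN),
              build_tcp_header(40000, 80, TH_ACK | TH_PUSH),
              build_tcp_header(40001, 80, TH_SYN | TH_FIN),
              build_tcp_header(40002, 80, 0),
              build_tcp_header(40003, 80, SIX_FLAGS)]
    for flags, reasons in scan_segments(sample):
        print(flags, "->", "; ".join(reasons))
```

The list of "illegal" combinations is a judgement call: SYN+FIN and the null and xmas packets are unambiguous, while a lone FIN is only suspicious (it is what an nmap FIN scan sends), so a production rule set would usually give the last check a lower priority or a threshold.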

  • Teardrop Attack

The attacker sends a series of IP fragments whose offset and length fields are crafted so that the fragments overlap instead of lining up. The receiver cannot reassemble them consistently from the offset fields; vulnerable IP stacks mishandled the overlapping fragments, and repeated reassembly attempts can exhaust memory and crash the system.
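Below is an added example (not from the original article or from Suricata) that decodes the IPv4 fragmentation fields Suricata exposes through the fragbits and fragoffset keywords and detects Teardrop-style overlapping fragments. The packet builder and the sample datagrams are constructed for the demonstration.

```python
import struct
from collections import defaultdict

IP_RF, IP_DF, IP_MF = 0x4, 0x2, 0x1   # IP header flag bits: Suricata's fragbits R, D, M


def build_ipv4_fragment(ident, offset, more, payload, proto=17,
                        src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Build a raw IPv4 packet carrying one fragment (constructed test input)."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = ((IP_MF if more else 0) << 13) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0, src, dst)   # checksum left as 0
    return header + payload


def parse_ipv4(packet):
    """Decode the fields that fragbits/fragoffset rules compare against."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, total_len, ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    flags = flags_frag >> 13
    return {
        "id": ident, "proto": proto, "src": src, "dst": dst,
        "mf": bool(flags & IP_MF), "df": bool(flags & IP_DF), "rf": bool(flags & IP_RF),
        "fragoffset": flags_frag & 0x1FFF,        # raw 13-bit field; what fragoffset:N tests
        "offset_bytes": (flags_frag & 0x1FFF) * 8,
        "payload_len": total_len - ihl,
    }


def is_fragment(info):
    """A packet is part of a fragmented datagram if MF is set or its offset is non-zero."""
    return info["mf"] or info["fragoffset"] > 0


def find_overlapping_fragments(packets):
    """Group fragments per datagram and report byte ranges claimed by two fragments."""
    groups = defaultdict(list)
    for pkt in packets:
        info = parse_ipv4(pkt)
        if is_fragment(info):
            key = (info["src"], info["dst"], info["id"], info["proto"])
            start = info["offset_bytes"]
            groups[key].append((start, start + info["payload_len"]))
    findings = []
    for key, ranges in groups.items():
        end_so_far = None
        for start, end in sorted(ranges):
            if end_so_far is not None and start < end_so_far:
                # this fragment starts inside data an earlier fragment already covered
                findings.append({"id": key[2], "overlap": (start, min(end, end_so_far))})
            end_so_far = end if end_so_far is None else max(end_so_far, end)
    return findings


if __name__ == "__main__":
    # Constructed datagram 0x1234: a well-formed pair, then a Teardrop-style pair
    good = [build_ipv4_fragment(0x1234, 0, True, b"A" * 24),
            build_ipv4_fragment(0x1234, 24, False, b"B" * 8)]
    bad = [build_ipv4_fragment(0x1234, 0, True, b"A" * 24),
           build_ipv4_fragment(0x1234, 16, False, b"B" * 16)]
    print("well-formed:", find_overlapping_fragments(good))
    print("teardrop   :", find_overlapping_fragments(bad))
```

Note that fragoffset in a rule compares the raw 13-bit field (units of 8 bytes), not a byte count, so the second Teardrop fragment above has fragoffset 2, not 16. Suricata's own defragmentation engine handles overlaps with per-OS policies; a rule such as fragbits:M; fragoffset:0; only matches the first fragment of a datagram and is useful for counting fragment floods.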

  • Smurf Attack

The attacker sends ICMP echo requests to a network's broadcast address with the source address spoofed to the victim's IP. Every host on that network answers the victim with an ICMP echo reply, so a single request is amplified into many replies, overloading the victim and congesting its network.

  • Land Attack

A Land attack sends a TCP SYN packet whose source and destination address (and port) are both the victim's own. The victim answers itself with SYN-ACK and keeps processing its own replies, consuming resources until it stalls.

  • Ping of Death

The attacker sends ICMP echo requests whose fragments reassemble to more than the 65,535-byte maximum size of an IP packet. On vulnerable systems the oversized reassembled packet overflows the receive buffer and crashes or freezes the host.

  • Syn Flood

Sending large numbers of SYN packets to a server port opens many half-open connections, each of which allocates a TCB (transmission control block). This consumes server resources until legitimate connection requests can no longer be processed, while the attacker's own resource cost is negligible by comparison.
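As an added example for the SYN flood material above (both the classification entry and this item; it is not code from the original article), the following tracker follows handshakes in a stream of packet events and counts connections that received a SYN but never the final ACK. The event format, the grace period and the constructed capture are assumptions made for the demonstration.

```python
from collections import defaultdict


class HalfOpenTracker:
    """Tracks TCP handshakes and reports half-open connections per destination.

    Events are (timestamp, src_ip, src_port, dst_ip, dst_port, flags) tuples where
    flags is a Suricata-style string: "S" = SYN, "SA" = SYN+ACK, "A" = ACK, "R" = RST.
    Entries are keyed on the client side (the SYN sender); a SYN+ACK or RST coming
    back from the server is mapped onto the same entry by swapping the addresses.
    """

    def __init__(self, handshake_grace=1.0):
        self.handshake_grace = handshake_grace   # a real client answers SYN+ACK well within this
        self.pending = {}                        # (src, sport, dst, dport) -> (syn_time, state)

    def observe(self, ts, src, sport, dst, dport, flags):
        if flags == "S":
            self.pending[(src, sport, dst, dport)] = (ts, "syn")
        elif flags == "SA":
            key = (dst, dport, src, sport)       # server reply: look up the client's entry
            if key in self.pending:
                self.pending[key] = (self.pending[key][0], "synack")
        elif flags == "A":
            self.pending.pop((src, sport, dst, dport), None)   # third packet: handshake done
        elif "R" in flags:
            self.pending.pop((src, sport, dst, dport), None)   # reset from either side
            self.pending.pop((dst, dport, src, sport), None)

    def half_open_by_destination(self, now):
        """Count SYNs older than the grace period that were never completed."""
        counts = defaultdict(int)
        for (_src, _sport, dst, dport), (syn_time, _state) in self.pending.items():
            if now - syn_time > self.handshake_grace:
                counts[(dst, dport)] += 1
        return dict(counts)

    def flooded_destinations(self, now, threshold):
        return sorted(k for k, n in self.half_open_by_destination(now).items() if n >= threshold)


def constructed_capture():
    """Constructed trace: one legitimate handshake, then 200 spoofed SYNs with no final ACK."""
    events = [(0.00, "192.0.2.10", 51000, "198.51.100.5", 80, "S"),
              (0.01, "198.51.100.5", 80, "192.0.2.10", 51000, "SA"),
              (0.02, "192.0.2.10", 51000, "198.51.100.5", 80, "A")]
    for i in range(200):
        spoofed = "203.0.113.%d" % (i % 250 + 1)
        t = 1.0 + i * 0.005
        events.append((t, spoofed, 40000 + i, "198.51.100.5", 80, "S"))
        events.append((t + 0.001, "198.51.100.5", 80, spoofed, 40000 + i, "SA"))
    return events


def run(events, now, threshold=100):
    """Feed a capture through the tracker and return the (ip, port) pairs under flood."""
    tracker = HalfOpenTracker()
    for event in events:
        tracker.observe(*event)
    return tracker.flooded_destinations(now, threshold)


if __name__ == "__main__":
    print(run(constructed_capture(), now=5.0))
```

The same counting is what a Suricata rule with flow:stateless; tcp.flags:S; threshold:type both, track by_dst, count 100, seconds 10; approximates, except that the rule cannot subtract the SYNs that did complete. On the server side the standard mitigation is SYN cookies (net.ipv4.tcp_syncookies=1 on Linux), which let the kernel answer SYNs without keeping per-connection state until the final ACK arrives.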

  • UDP Flood

A UDP flood is a bandwidth attack that sends massive numbers of UDP packets, usually large and at a high rate, to the target. Besides congesting the link, the flood hurts stateful devices in the path: because UDP is connectionless, a firewall or NAT must create a session entry for every new source and port pair, so the session tables of these devices can be exhausted and the network taken down.

  • ICMP Flood

An ICMP flood subjects the target to a continuous stream of ICMP echo requests, overburdening it so that it can no longer process legitimate traffic.

  • DNS Query Flood

Many bots simultaneously issue a large number of domain-name queries, so that the server can no longer answer legitimate queries and service is denied.

  • Slowloris

The attacker opens connections, keeps them alive and slowly sends header data one key-value line at a time, such as a:b\r\n, without ever sending the blank line that terminates the headers. The server treats the HTTP header block as incomplete and keeps waiting. When many threads or bots do the same, the web server's connection pool quickly fills with TCP connections held open by the attacker, and new requests are blocked.
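The following added example (not from the original article) models the server side of the Slowloris behaviour described here and in the classification section: a header reader that decides whether a request's header block is complete, and a connection table that reclaims slots from clients whose headers are still unfinished after a deadline. The class names, the timeout values and the constructed scenario are assumptions for the demonstration.

```python
HEADER_END = b"\r\n\r\n"


class HeaderReader:
    """Accumulates the bytes of one connection and classifies its header block."""

    def __init__(self, opened_at, header_timeout=20.0, max_header_bytes=8192):
        self.opened_at = opened_at
        self.header_timeout = header_timeout
        self.max_header_bytes = max_header_bytes
        self.buf = b""

    def feed(self, now, data):
        self.buf += data
        if HEADER_END in self.buf:
            return "complete"
        if len(self.buf) > self.max_header_bytes:
            return "too_large"          # an endless stream of bogus header lines
        return self.check(now)

    def check(self, now):
        if HEADER_END in self.buf:
            return "complete"
        if now - self.opened_at > self.header_timeout:
            return "timeout"            # slow client: headers still unfinished at the deadline
        return "incomplete"


class ConnectionTable:
    """Simulates a server's connection slots with a per-connection header deadline."""

    def __init__(self, max_connections, header_timeout=20.0):
        self.max_connections = max_connections
        self.header_timeout = header_timeout
        self.conns = {}
        self.closed = {}                # conn_id -> reason the server closed it

    def accept(self, conn_id, now):
        self.sweep(now)                 # reclaim expired slots before refusing a client
        if len(self.conns) >= self.max_connections:
            return False
        self.conns[conn_id] = HeaderReader(now, self.header_timeout)
        return True

    def data(self, conn_id, now, chunk):
        reader = self.conns.get(conn_id)
        if reader is None:
            return "closed"
        state = reader.feed(now, chunk)
        if state == "complete":
            del self.conns[conn_id]     # request served; slot freed (bodies ignored here)
        elif state in ("timeout", "too_large"):
            del self.conns[conn_id]
            self.closed[conn_id] = state
        return state

    def sweep(self, now):
        for cid, reader in list(self.conns.items()):
            if reader.check(now) == "timeout":
                del self.conns[cid]
                self.closed[cid] = "timeout"
        return len(self.conns)


def slowloris_scenario(header_timeout):
    """Constructed trace: 8 slow clients take every slot; a real client arrives at t=25 s."""
    table = ConnectionTable(max_connections=8, header_timeout=header_timeout)
    for cid in range(8):
        table.accept("slow-%d" % cid, 0.0)
        table.data("slow-%d" % cid, 0.0, b"GET / HTTP/1.1\r\nHost: example.test\r\n")
    for t in (10.0, 20.0, 30.0):        # one more bogus header line every 10 s, never a blank line
        for cid in range(8):
            table.data("slow-%d" % cid, t, b"X-a: b\r\n")
    accepted = table.accept("real", 25.0)
    if accepted:
        table.data("real", 25.0, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
    return accepted, len(table.closed)


if __name__ == "__main__":
    print("with 20 s header deadline:", slowloris_scenario(20.0))
    print("without a deadline:       ", slowloris_scenario(float("inf")))
```

With the deadline the real client gets a slot at t=25 because the eight stalled connections are closed; without it the server is wedged even though every attacker connection is still "making progress". Real servers implement exactly this counter-measure: Apache's mod_reqtimeout (RequestReadTimeout header=20-40,MinRate=500) and nginx's client_header_timeout bound how long a client may take to finish its headers.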

  • CC Attack

A layer-7 attack on web services in which well-formed requests are issued continuously for different resources and pages. Each request is legitimate on its own, but together they exhaust the server's CPU and I/O capacity until it stops responding.
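Because CC traffic is syntactically legitimate, detection has to look at request rate and cost rather than packet shape. The following is an added example (not from the original article): it parses web-server access-log lines in the common combined format, assigns each request a rough backend cost (searches and large pagination are expensive, static files are free), and flags clients whose cost inside a sliding window exceeds a budget. The cost weights, the window, the budget and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')


def parse_line(line):
    """Parse one combined-format access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "uri": m.group("uri"), "status": int(m.group("status"))}


def request_cost(uri):
    """Rough backend cost of a request (assumed weights): searches and big pages hit the DB."""
    parts = urlsplit(uri)
    if parts.path.endswith((".css", ".js", ".png", ".jpg")):
        return 0                                  # static asset, served from cache or disk
    cost = 1
    if parts.path.startswith("/search"):
        cost += 4
    page_size = parse_qs(parts.query).get("page_size", ["0"])[0]
    if page_size.isdigit() and int(page_size) > 100:
        cost += 5                                 # unbounded pagination, the classic CC target
    return cost


def find_cc_sources(lines, window=10.0, budget=60):
    """Return {ip: peak weighted cost} for clients exceeding budget within any window."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        q = recent[r["ip"]]
        q.append((r["ts"], request_cost(r["uri"])))
        while q and r["ts"] - q[0][0] > window:   # drop requests older than the window
            q.popleft()
        total = sum(cost for _, cost in q)
        if total > budget:
            flagged[r["ip"]] = max(flagged.get(r["ip"], 0), total)
    return flagged


def constructed_log():
    """Ten seconds of constructed traffic: one browsing user and one CC bot."""
    fmt = '%s - - [10/Oct/2023:13:55:%02d +0000] "GET %s HTTP/1.1" 200 512'
    lines = []
    for sec in range(10):
        lines.append(fmt % ("203.0.113.7", sec, "/article/%d" % sec))
        lines.append(fmt % ("203.0.113.7", sec, "/static/app.js"))
        for k in range(3):                        # three expensive searches every second
            lines.append(fmt % ("198.51.100.23", sec,
                                "/search?q=term%d&page_size=500" % (sec * 3 + k)))
    return lines


if __name__ == "__main__":
    for ip, peak in find_cc_sources(constructed_log()).items():
        print("CC suspect %s: weighted cost %d in a 10 s window" % (ip, peak))
```

Weighting by cost rather than counting raw requests is what separates this from a plain rate limit: a client loading a page plus its assets produces many cheap hits, while a bot that only ever calls the search endpoint with page_size=500 is expensive at a far lower request rate.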

Suricata Rule Options Useful for Modelling DDoS Traffic

  • tcp.flags
detect which flags are set in the TCP header; the bit values are the same as the TH_* definitions in the Suricata source (ECE is 0x40 and CWR 0x80):

#define TH_FIN   0x01
#define TH_SYN   0x02
#define TH_RST   0x04
#define TH_PUSH  0x08
#define TH_ACK   0x10
#define TH_URG   0x20
  • fragbits, fragoffset
fragbits checks whether the fragmentation and reserved bits are set in the IP header (M = more fragments, D = don't fragment, R = reserved)

fragoffset matches on a specific decimal value of the IP fragment offset field (the raw 13-bit field, in units of 8 bytes; fragoffset:>0 selects every fragment but the first)
  • itype, icode
match on a specific ICMP type/code

Type  Code  Description
0     0     Echo Reply (ping response)
3     0     Network Unreachable
3     1     Host Unreachable
3     2     Protocol Unreachable
3     3     Port Unreachable
3     4     Fragmentation Needed but Don't Fragment bit set
3     5     Source Route Failed
3     6     Destination Network Unknown
...   ...
  • flow
match on the direction and state of the flow: established / not_established, and to_server / to_client (from_client / from_server are aliases); flow:stateless matches regardless of state, which matters for SYN floods where no connection ever becomes established

For TCP a flow is considered established after the three-way handshake.

For other protocols (for example UDP) the flow is considered established after traffic has been seen from
both sides.
  • threshold
control the rule's alert frequency
threshold: type <threshold|limit|both>, track <by_src|by_dst>, count <N>, seconds <T>;
type threshold: an alert is generated on every Nth match within a window of T seconds.
type limit: the rule alerts at most N times per T-second window.
type both: the rule alerts once per window, when the Nth match is reached.
The window is tracked per source or per destination address, as selected by track.
  • byte_test
extract <num of bytes> from the payload and perform the operation selected with <operator> against <value> at a particular <offset>:
byte_test:<num of bytes>, [!]<operator>, <value>, <offset> [,relative] [,little|big] [,string, <num type>] [,dce] [,bitmask <value>];
operators are <, >, =, <=, >=, & (bitwise and) and ^ (bitwise xor); a leading ! negates the result.

The fragment below is from Suricata's own byte_test unit tests (src/detect-bytetest.c) and shows how the option string "4 , ! &, 5 , 0 , little " is parsed: extract 4 bytes, operator & negated by !, test value 5, offset 0, little-endian, no explicit number base.

data = DetectBytetestParse("4 , ! &, 5	, 0 , little ", NULL, NULL);
/* the parsed structure is expected to satisfy: */
((data->op == DETECT_BYTETEST_OP_AND)         /* operator & */
 && (data->nbytes == 4)                       /* extract 4 bytes */
 && (data->value == 5)                        /* compare against 5 */
 && (data->offset == 0)                       /* at payload offset 0 */
 && (data->neg_op)                            /* "!" negates the comparison */
 && (data->flags == DETECT_BYTETEST_LITTLE)   /* little-endian */
 && (data->base == DETECT_BYTETEST_BASE_UNSET))
  • dns.query, http.header, http.method, http.uri
sticky buffers that restrict the following content match to the decoded DNS query name or to the parsed HTTP header block, method or URI (older rules use the http_uri / http_header modifier form); these are what distinguish a DNS or HTTP flood rule from a plain payload match
  • dsize, depth, distance, within
dsize: match on the size of the packet payload (dsize:>1000 is a cheap filter for the large packets of a UDP flood)

depth: how many bytes from the beginning of the payload will be checked for the content

distance: start looking for this content N bytes after the end of the previous content match

within: this content must end within N bytes of the end of the previous content match
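As an added example for the threshold and byte_test options above (this is not Suricata code; it reimplements a documented subset of both keywords in Python so the semantics can be checked offline), the block below parses a byte_test option string, including the one from the unit test, evaluates it against a payload, and tracks alert frequency for the three threshold types. The relative, string and dce forms of byte_test are deliberately not supported.

```python
# byte_test:<num of bytes>, [!]<operator>, <value>, <offset> [, little|big]
_OPS = {
    "<": lambda a, b: a < b, ">": lambda a, b: a > b, "=": lambda a, b: a == b,
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
    "&": lambda a, b: (a & b) != 0, "^": lambda a, b: (a ^ b) != 0,
}


def parse_byte_test(spec):
    """Parse a byte_test option string (subset: no relative, string or dce modifiers)."""
    parts = [p.strip() for p in spec.split(",")]
    if len(parts) < 4:
        raise ValueError("byte_test needs at least nbytes, operator, value, offset")
    nbytes = int(parts[0])
    op = parts[1].replace(" ", "")            # "! &" in the unit test becomes "!&"
    neg = op.startswith("!")
    op = op[1:] if neg else op
    if op not in _OPS:
        raise ValueError("unknown byte_test operator %r" % op)
    if not 1 <= nbytes <= 8:
        raise ValueError("byte_test without string supports 1..8 bytes")
    endian = "little" if "little" in parts[4:] else "big"   # big-endian is the default
    return {"nbytes": nbytes, "op": op, "neg": neg,
            "value": int(parts[2], 0), "offset": int(parts[3]), "endian": endian}


def byte_test(spec, payload):
    """Evaluate a byte_test option against a payload; False when the bytes are out of range."""
    t = parse_byte_test(spec) if isinstance(spec, str) else spec
    chunk = payload[t["offset"]:t["offset"] + t["nbytes"]]
    if len(chunk) < t["nbytes"]:
        return False
    extracted = int.from_bytes(chunk, t["endian"])
    result = _OPS[t["op"]](extracted, t["value"])
    return (not result) if t["neg"] else result


class ThresholdTracker:
    """Alert-frequency control for one rule, following the threshold keyword's semantics.

    threshold: alert on every count-th match inside a seconds-long window
    limit:     alert on the first count matches in the window, then suppress
    both:      alert exactly once per window, when count is reached
    The window starts at the first match seen for a tracked address.
    """

    def __init__(self, kind, count, seconds, track="by_src"):
        if kind not in ("threshold", "limit", "both"):
            raise ValueError("type must be threshold, limit or both")
        self.kind, self.count, self.seconds, self.track = kind, count, seconds, track
        self.state = {}                           # tracked address -> (window_start, matches)

    def match(self, ts, src, dst):
        """Record a rule match at time ts; return True if an alert should be raised."""
        key = src if self.track == "by_src" else dst
        start, n = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0                      # window expired: start a fresh one
        n += 1
        self.state[key] = (start, n)
        if self.kind == "threshold":
            return n % self.count == 0
        if self.kind == "limit":
            return n <= self.count
        return n == self.count                    # both


if __name__ == "__main__":
    spec = "4 , ! &, 5\t, 0 , little "          # the string from the Suricata unit test
    print(parse_byte_test(spec))
    print(byte_test(spec, b"\x02\x00\x00\x00"), byte_test(spec, b"\x01\x00\x00\x00"))
    t = ThresholdTracker("both", 100, 10, track="by_dst")
    hits = [t.match(0.01 * i, "203.0.113.%d" % (i % 250), "198.51.100.5") for i in range(300)]
    print("alerts raised by 'both, count 100, seconds 10':", sum(hits))
```

The last lines show why type both is the usual choice for flood signatures: 300 matches in one window produce a single alert instead of three (threshold) or one hundred (limit), which keeps the alert log readable while the flood is running.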


Original statement: this article was published on the Tencent Cloud Developer Community with the author's authorization. Unauthorized reproduction is prohibited.
