
DDoS attack and defense: from principle to practice

2022-06-21 11:18:00 0xtuhao

Reminder: the following content is for technical exchange only.

The DDoS menace

Driven by retaliation, extortion, political motives and other reasons, and helped by ever-lower attack costs and highly visible effects, DDoS attacks have evolved into a global cyber security threat.

Harm

According to Kaspersky's 2016 Q3 investigation report, DDoS attacks left 61% of affected companies unable to access their critical business information, 38% unable to access their key business systems, and 33% of victims lost business contracts or deals.

Figure 1

Trends

In summary, current DDoS attacks show the following trends:

1. Internationalization

DDoS attacks are increasingly international: China has become the second most attacked country after the United States, and the share of attack sources located overseas in attacks on domestic targets keeps growing.

Figure 2

2. Very large scale

Because cross-network traffic scheduling is more and more convenient and the purchase price of traffic keeps falling, the scale of DDoS attack traffic keeps growing. At the end of 2014 one cloud provider suffered an attack of as much as 450Gbps.

Figure 3

3. Commercialization

Commercialization inevitably brings cost advantages: online DDoS-for-hire platforms and trading channels for compromised hosts ("broilers") are everywhere, so attackers can launch large-scale attacks at very low cost. The table below compares the ways of obtaining attack traffic.

Table 1

DDoS attack basics

Put simply, DDoS attacks exploit the rules of the TCP/UDP protocols: by tying up protocol-stack resources or by generating large volumes of traffic, they exhaust the target's machine or network performance. Let us briefly review the TCP "three-way handshake", the "four-way close" and the UDP communication process.

TCP three-way handshake and four-way close

Figure 4

TCP connection establishment: three-way handshake

1. client: SYN

2. server: SYN+ACK

3. client: ACK

TCP disconnection: four-way close

1. client: FIN

2. server: ACK

3. server: FIN

4. client: ACK

UDP communication process

Figure 5

As the figure shows, UDP communication is connectionless and unreliable: data is transmitted directly, with no negotiation process.

Attack principles and harm

Depending on the attack target, the analysis of attack principles and harm is divided into three classes: attacks on network bandwidth resources, on system resources and on application resources.

Attacks on network bandwidth resources

Figure 6

Attacks on system resources

Figure 7

Attacks on application resources

Figure 8

DDoS protection basics

Attack protection principles

DDoS protection principles, explained from the TCP/UDP protocol stack:

Figure 9

SYN flood:

In the second handshake the server (or the protection device in front of it) can deliberately send a wrong ACK number; a genuine client then answers with a RST, which is observed at the third step, whereas a spoofed source never replies. Client-reply checks of this kind are combined with a trust mechanism (a list of verified sources) to judge which SYNs are admitted.

ACK flood:

Discard the first three ACKs from a source so that the peer has to reconnect by retransmitting a SYN, after which the SYN flood protection principle takes over. In addition, learn the sources of normal ACKs; once the ACK rate exceeds the threshold, ACKs that are not from the list of normal sources are discarded three times, again forcing the peer to reconnect through a SYN and handing it to the SYN flood protection.

UDP flood:

1. Rate limiting with a start threshold: the number of UDP packets per second to the same port of the server IP; for a web server this can be set strictly.

2. Message content features (pattern matching): pattern-matching rules are mainly used to filter attack packets that carry characteristic strings.

3. IP features (ACL): if (1) the source IP and destination are fixed and (2) the traffic exceeds 1G, filter with ACLs at the network-device level.

Table 2
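The three principles above (SYN rate per source, ACKs that do not belong to any handshake, UDP packets per destination port) can be turned into a simple detector over per-packet records. The Python code below is an added example, not code from the original post: the `Packet` record, the `FloodDetector` class, the thresholds and the sample trace are all constructed for illustration and would be tuned for a real service.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds
    src: str         # source IP
    proto: str       # "tcp" or "udp"
    dport: int       # destination port
    flags: str = ""  # TCP flags as letters: "S" SYN, "A" ACK, "SA" SYN+ACK


class FloodDetector:
    """Per-second counters implementing the three thresholds from the text.

    syn_per_src:  SYNs from one source within one second (SYN flood)
    unknown_ack:  ACKs within one second from sources that never sent a SYN (ACK flood)
    udp_per_port: UDP packets to one destination port within one second (UDP flood)
    The default thresholds are constructed for this demo.
    """

    def __init__(self, syn_per_src=50, unknown_ack=100, udp_per_port=1000):
        self.syn_per_src = syn_per_src
        self.unknown_ack = unknown_ack
        self.udp_per_port = udp_per_port

    def analyse(self, packets):
        syn = defaultdict(lambda: defaultdict(int))   # second -> src -> SYN count
        ack_unknown = defaultdict(int)                # second -> stray ACK count
        udp = defaultdict(lambda: defaultdict(int))   # second -> dport -> UDP count
        handshake_started = set()  # "normal ACK sources": we saw their SYN first
        for p in sorted(packets, key=lambda x: x.ts):
            sec = int(p.ts)
            if p.proto == "udp":
                udp[sec][p.dport] += 1
            elif p.flags == "S":
                syn[sec][p.src] += 1
                handshake_started.add(p.src)
            elif "A" in p.flags and p.src not in handshake_started:
                # An ACK from a peer that never opened a handshake with us.
                ack_unknown[sec] += 1

        findings = []  # (kind, second, subject, count)
        for sec, per_src in syn.items():
            for src, n in per_src.items():
                if n > self.syn_per_src:
                    findings.append(("syn_flood", sec, src, n))
        for sec, n in ack_unknown.items():
            if n > self.unknown_ack:
                findings.append(("ack_flood", sec, None, n))
        for sec, per_port in udp.items():
            for port, n in per_port.items():
                if n > self.udp_per_port:
                    findings.append(("udp_flood", sec, port, n))
        return sorted(findings, key=lambda f: (f[0], f[1], str(f[2])))


def demo_trace():
    """Constructed packet trace: one normal client followed by three floods."""
    pk = [Packet(0.1, "192.0.2.10", "tcp", 80, "S")]
    pk += [Packet(0.2 + i * 0.01, "192.0.2.10", "tcp", 80, "A") for i in range(5)]
    # SYN flood: 120 SYNs from one source in second 1
    pk += [Packet(1.0 + i * 0.005, "198.51.100.7", "tcp", 80, "S") for i in range(120)]
    # ACK flood: 150 ACKs in second 2 from sources that never sent a SYN
    pk += [Packet(2.0 + i * 0.005, "203.0.113.%d" % (i % 250), "tcp", 80, "A")
           for i in range(150)]
    # UDP flood: 1200 UDP packets to port 53 in second 3
    pk += [Packet(3.0 + i * 0.0005, "198.51.100.%d" % (i % 200), "udp", 53)
           for i in range(1200)]
    return pk


if __name__ == "__main__":
    for finding in FloodDetector().analyse(demo_trace()):
        print(finding)
```

The detector only reports; the response (rate limiting, discarding ACKs to force a re-SYN, ACLs on the network device) is the protection device's job, as described in the text.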

Protection at different levels

Classified by attack traffic scale

Small traffic: less than 1000Mbps, within what the server hardware and application can absorb, not affecting the business. Use iptables or a DDoS protection application to implement software-layer protection.

Large traffic: greater than 1000Mbps but within the performance range of the DDoS cleaning equipment and smaller than the data-center uplink; may affect other businesses in the same data center. Use iptables or a DDoS protection application for software-layer protection; or configure blackholing and other protection strategies directly on the data-center exit equipment; or at the same time switch the domain name, changing the externally facing IP to the external IP of a high-capacity proxy cluster, a CDN high-defense IP or a public cloud DDoS protection gateway IP, which proxies traffic to the real server; or route traffic directly through the DDoS cleaning equipment.

Very large traffic: beyond the performance range of the DDoS cleaning equipment but within the data-center uplink capacity (may affect other businesses in the same data center), or larger than the data-center uplink (has already affected all or most businesses in the data center). Contact the carrier to deploy packet rate-limiting configuration upstream and observe service recovery.

Classified by attack traffic protocol

SYN/FIN/ACK and other TCP packets: set an alert threshold and a response threshold; the former triggers an alarm, the latter triggers handling. Adjust the protection strategy and means according to traffic size and impact, escalating gradually.

UDP/DNS query and other UDP packets: most game businesses use only TCP, so a TCP whitelist can be agreed according to the business protocol. When a large number of UDP requests arrive, confirm with the product team (or proceed directly if confirmation is unavailable or delayed) and discard the UDP packets at the system level, on the HPPS, or on the cleaning equipment.

HTTP flood/CC and other attacks that require interaction with the database: these usually cause high load or too many connections on the database or web server; after limiting or cleaning the traffic, the service may need to be restarted to release connections, so where system resources allow it is preferable to reduce the number of connections supported. Relatively speaking, this kind of attack is difficult to protect against and consumes a lot of protection-equipment capacity.

Other: ICMP packets can be discarded directly; discard or rate-limit them first at every level below the data-center exit. Such attacks are now rare and cause limited damage to the business.

DDoS attack and protection practice

Self-built DDoS platforms

Open-source DDoS platform source code is now available; with enough machines and bandwidth, a highly lethal DDoS platform can be deployed at any time. See the third scheme in the figure below.

Figure 10

Packet-sending tools

Below is the packet-sending code of a common DDoS client. Many attack methods are available, and the IP, port, TCP flags and packet size can all be customized.

import os
import multiprocessing

# type, ip, port and nbproc are set elsewhere in the original script (not shown here).
def func():
    # Each worker process shells out to the txDDoS binary with the attack type,
    # target ip/port, a TCP flag value, a source address and a packet size.
    os.system("./txDDoS -a " + type + " -d " + ip + " -y " + port + " -f 0x10 -s 10.10.10.10 -l 1300")

if __name__ == "__main__":
    # Start nbproc worker processes that all run func() at the same time.
    pool = multiprocessing.Pool(processes=int(nbproc))
    for i in range(int(nbproc)):
        pool.apply_async(func)
    pool.close()
    pool.join()

That covers how a DDoS attack is carried out. Next we look at defending against DDoS with iptables, application self-protection and high-performance proxies.

iptables protection

sysctl -w net.ipv4.ip_forward=1 &>/dev/null
# Enable IP forwarding
sysctl -w net.ipv4.tcp_syncookies=1 &>/dev/null
# Enable SYN cookies (lightweight protection against DoS attacks)
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 &>/dev/null
# Set the default lifetime of an established TCP conntrack entry to 3800 seconds (this greatly reduces the number of tracked connections)
sysctl -w net.ipv4.ip_conntrack_max=300000 &>/dev/null
# Set the maximum number of tracked connections to 300k (depends on your memory and iptables version; each connection needs 300+ bytes)
# Note: the two ip_conntrack keys above are the legacy names; on current kernels they are
# net.netfilter.nf_conntrack_tcp_timeout_established and net.netfilter.nf_conntrack_max
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
# Lightweight SYN attack prevention: SYNs beyond 3 per second in total (burst 6) are rejected
iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Prevent DoS by too many connections: each IP arriving on the external interface may hold at most 15 initial connections; more are dropped

Application self-protection

Taking Nginx as an example, limit the request frequency of an individual IP.

http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;   # trigger condition: every visiting IP is limited to 10 requests per second
    limit_conn_zone $binary_remote_addr zone=addr:10m;            # zone used by limit_conn below (missing from the original listing)
    server {
        location ~ \.php$ {
            limit_req zone=one burst=5 nodelay;   # action taken, tied to the zone by its name
        }
        location /download/ {
            limit_conn addr 1;   # at most 1 concurrent connection per IP; connections beyond that get 503
        }
    }
}
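To see how rate=10r/s with burst=5 nodelay actually admits or rejects requests, the following Python simulation (added here; it is neither nginx's code nor the post's) reproduces the accounting nginx uses for limit_req: each client has an "excess" counter that grows by one request per arrival and drains at the configured rate; a request that would push the excess above the burst gets 503. Milliseconds and milli-requests are used as integer units, as nginx does. The class and function names are assumptions for this example.

```python
class LimitReq:
    """Leaky-bucket accounting of nginx's limit_req, in nginx's integer units."""

    def __init__(self, rate, burst=0, nodelay=False):
        self.rate = rate * 1000       # milli-requests per second
        self.burst = burst * 1000     # allowed excess, in milli-requests
        self.nodelay = nodelay
        self.state = {}               # key -> [excess_mreq, last_ms]

    def request(self, key, now_ms):
        """Return ("ok", delay_ms) or ("503", 0) for one request from key."""
        if key not in self.state:
            # First request from a client always passes with excess 0.
            self.state[key] = [0, now_ms]
            return ("ok", 0)
        excess, last = self.state[key]
        elapsed = max(now_ms - last, 0)
        # Drain what the rate allows since the last request, add this request.
        excess = max(excess - self.rate * elapsed // 1000 + 1000, 0)
        if excess > self.burst:
            return ("503", 0)         # rejected; state is left untouched
        self.state[key] = [excess, now_ms]
        # Without nodelay the surplus is smoothed out at the configured rate.
        delay_ms = 0 if self.nodelay else excess * 1000 // self.rate
        return ("ok", delay_ms)


def simulate(arrivals, rate=10, burst=5, nodelay=True):
    """arrivals: list of (client_key, arrival_ms); returns the status per request."""
    limiter = LimitReq(rate, burst, nodelay)
    return [limiter.request(key, t)[0] for key, t in arrivals]


if __name__ == "__main__":
    # Constructed traffic: 8 requests from one IP at the same instant.
    burst_client = [("198.51.100.7", 0)] * 8
    print(simulate(burst_client))      # 6 x ok, then 2 x 503
    # A polite client at exactly 10 r/s never exceeds even burst=0.
    steady = [("192.0.2.10", i * 100) for i in range(20)]
    print(simulate(steady, burst=0))
```

With burst=5 the sixth back-to-back request still passes (excess 5000 is not above 5000) and the seventh is the first to be rejected; after half a second at 10 r/s the bucket has drained by 5 requests and the client is admitted again.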

High-performance proxies

HAProxy + keepalived

1. HAProxy configuration

Frontend:

frontend http
    bind 10.0.0.20:80
    # Master switch: always_true enables the anti-DDoS rules in this frontend
    acl anti_DDoS always_true
    # Whitelist
    acl whiteip src -f /usr/local/haproxy/etc/whiteip.lst
    # Table that marks illegal users (gpc0 > 0 means "marked")
    stick-table type ip size 20k expire 2m store gpc0
    tcp-request connection track-sc1 src

    tcp-request inspect-delay 5s
    # Deny marked illegal users a connection
    tcp-request connection reject if anti_DDoS { src_get_gpc0 gt 0 }

Backend:

backend xxx.xxx.cn
    mode http
    option forwardfor
    option httplog
    balance roundrobin
    cookie SERVERID insert indirect
    option httpchk GET /KeepAlive.ashx HTTP/1.1\r\nHost:\ server.1card1.cn
    # Switch for the rules below: always_false disables them, always_true enables them
    acl anti_DDoS always_false
    # Whitelist
    acl whiteip src -f /usr/local/haproxy/etc/whiteip.lst
    # Store each client's HTTP request rate and outgoing byte rate over 10 seconds
    stick-table type ip size 20k expire 2m store http_req_rate(10s),bytes_out_rate(10s)
    tcp-request content track-sc2 src
    # More than 80 requests in ten seconds is suspicious
    # (the table argument must name the backend that declares the table, i.e. this one)
    acl conn_rate_limit src_http_req_rate(xxx.xxx.cn) gt 80
    # Does the HTTP request carry a SERVERID cookie?
    acl cookie_present cook(SERVERID) -m found
    # Mark as an illegal user: increments gpc0 in the frontend table tracked as sc1
    acl mark_as_abuser sc1_inc_gpc0 gt 0
    tcp-request content reject if anti_DDoS !whiteip conn_rate_limit mark_as_abuser

2. keepalived configuration

global_defs {
    router_id {{ server_id }}
}
vrrp_script chk_haproxy {
    script "/home/proxy/keepalived/{{ project }}/check_haproxy_{{ server_id }}.sh"
    interval 2
    weight -10
}
vrrp_instance VI_1 {
    state {{ role }}
    interface {{ interface }}
    virtual_router_id 10{{ tag }}
    priority {{ value }}
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass keepalived_DDoS
    }
    track_script {
        chk_haproxy
    }
    virtual_ipaddress {
        {{ vip }}/24 dev {{ interface }} label {{ interface }}:{{ tag }}
    }
}

Accessing a CDN high-defense IP or a public cloud intelligent DDoS defense system

Because CDN high-defense IPs and public cloud intelligent DDoS defense work on a similar principle (both use a proxy or DNS-scheduling mode and the "divert -> clean -> reinject" defense process), the two are discussed together.

CDN high-defense IP

This is a paid value-added service aimed at servers whose service became unavailable after a large-traffic DDoS attack from the Internet. The user configures a high-defense IP, attack traffic is diverted to that IP, and the origin station stays stable and reliable. It usually provides up to several hundred Gbps of protection capacity, more than enough to withstand ordinary DDoS attacks.

Public cloud intelligent DDoS defense system

As shown in Figure 11, it mainly consists of the following roles:

Scheduling system: plays an important part in the distributed DDoS defense system, handling intelligent domain name resolution, network monitoring, traffic scheduling and so on.

Origin station: the developer's business server.

Attack protection points: their main function is to filter attack traffic and forward the normal traffic to the origin station.

Backend data center: cooperates with the attack protection points in the distributed DDoS defense system to protect against excessive traffic, providing a second layer of protection.

Figure 11

Generally both CDN vendors and public clouds provide ways to apply, such as email, a web system or a WeChat official account; the configuration process basically follows the idea below:

Figure 12

The main steps are:

1. Apply to the public cloud or CDN vendor for access to a high-defense DDoS IP or a DDoS cleaning system, and at the same time submit the original resolution record of the site domain name.

2. Change the site domain name's resolution record to point to the IP provided by the public cloud or CDN vendor.

3. The public cloud or CDN vendor cleans the DDoS attack traffic and sends the cleaned normal traffic back to the IP in the site domain name's original resolution record.

Introduction to public cloud DDoS protection services

At present most public cloud vendors list DDoS protection in their service catalogue, but because of differences in technology, resources, management and so on, the offerings differ in the following ways:

1. Charging model: some provide DDoS protection as a complimentary service, some charge for it, and the prices or starting points differ between vendors.

2. Business scenarios: some public cloud vendors distinguish customer business scenarios, for example live streaming, finance or games, but most vendors do not distinguish so finely.

3. Functional richness: how much customization a public cloud DDoS protection service offers its users depends on product maturity.

4. Cleaning capacity: the scale of DDoS cleaning traffic varies between vendors from dozens of Gbps to hundreds of Gbps, and the maturity and effectiveness of the defense technologies used also vary; for example, some show immediate results against CC attacks while others are very ordinary.

Introduction to NetEase Cloud's DDoS protection service

NetEase Cloud provides users with free cleaning of abnormal traffic below 5Gbps; above 5Gbps, whether to continue cleaning is decided according to the attack scale and available resources, and there is currently no charge for this service. The DDoS protection functions NetEase Cloud currently provides are:

1. DDoS attack traffic monitoring, statistics and alarms

2. User-defined DDoS cleaning policies, mainly by traffic size, packet count and request count

A collection of DDoS attack handling skills

1. Detection

Rsyslog

Traffic monitoring alarms

Check /var/log/messages (FreeBSD) or /var/log/syslog (Debian) for messages that indicate an attack, such as:

SYN Flood
RST limit xxx to xxx
listen queue limit

Check the system or application connections, in particular the number of connections and the occupancy of system resources:

netstat -antp | grep -i '<business port>' | wc -l
sar -n DEV
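The two checks above can be automated. The Python code below is an added example and not from the original post: it matches the Linux kernel's "Possible SYN flooding" message and FreeBSD's RST-limit and listen-queue-overflow messages in syslog lines, and summarises netstat -antp output by TCP state and by remote source sitting in SYN_RECV. All sample lines are constructed; the function names are assumptions.

```python
import re
from collections import Counter

# Kernel messages a defender looks for; the sample lines further down are constructed.
PATTERNS = {
    # Linux: TCP: request_sock_TCP: Possible SYN flooding on port 80. Sending cookies.
    "syn_flood": re.compile(r"Possible SYN flooding on port (\d+)", re.I),
    # FreeBSD: Limiting closed port RST response from 1532 to 200 packets/sec
    "rst_limit": re.compile(r"Limiting (?:closed |open )?port RST response from (\d+) to (\d+)", re.I),
    # FreeBSD: sonewconn: pcb ...: Listen queue overflow: 193 already in queue awaiting acceptance
    "listen_queue": re.compile(r"Listen queue overflow: (\d+)", re.I),
}


def scan_syslog(lines):
    """Return (indicator, first captured number) for every matching log line."""
    hits = []
    for line in lines:
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                hits.append((name, m.group(1)))
    return hits


# netstat -antp line: proto recv-q send-q local:port foreign:port state [pid/prog]
NETSTAT_RX = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)")


def summarize_netstat(lines, port=None):
    """Count sockets per state (optionally for one local port) and rank
    the remote addresses that hold half-open (SYN_RECV) connections."""
    states = Counter()
    syn_recv_sources = Counter()
    for line in lines:
        m = NETSTAT_RX.match(line)
        if not m:
            continue
        local_port, remote_ip, state = int(m.group(2)), m.group(3), m.group(5)
        if port is not None and local_port != port:
            continue
        states[state] += 1
        if state == "SYN_RECV":
            syn_recv_sources[remote_ip] += 1
    return states, syn_recv_sources


# Constructed sample data (not real logs).
SAMPLE_SYSLOG = [
    "Jun 21 11:18:00 web1 kernel: [8123.45] TCP: request_sock_TCP: Possible SYN flooding on port 80. Sending cookies.  Check SNMP counters.",
    "Jun 21 11:18:01 web1 sshd[1234]: Accepted publickey for ops from 192.0.2.10 port 50022 ssh2",
    "Jun 21 11:18:02 bsd1 kernel: Limiting closed port RST response from 1532 to 200 packets/sec",
    "Jun 21 11:18:03 bsd1 kernel: sonewconn: pcb 0xfffff80003b1e000: Listen queue overflow: 193 already in queue awaiting acceptance (3 occurrences)",
]
SAMPLE_NETSTAT = [
    "Active Internet connections (servers and established)",
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name",
    "tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/nginx",
    "tcp        0      0 10.0.0.20:80            192.0.2.10:51234        ESTABLISHED 1201/nginx",
    "tcp        0      0 10.0.0.20:80            198.51.100.7:40001      SYN_RECV    -",
    "tcp        0      0 10.0.0.20:80            198.51.100.7:40002      SYN_RECV    -",
    "tcp        0      0 10.0.0.20:80            198.51.100.9:40003      SYN_RECV    -",
    "tcp        0      0 10.0.0.20:22            192.0.2.10:50022        ESTABLISHED 900/sshd",
]

if __name__ == "__main__":
    print(scan_syslog(SAMPLE_SYSLOG))
    states, sources = summarize_netstat(SAMPLE_NETSTAT, port=80)
    print(dict(states), sources.most_common(3))
```

A high SYN_RECV count concentrated on a few remote addresses points at a SYN flood from real sources, which the connlimit rule in the iptables section above addresses; SYN_RECV spread over thousands of addresses is the spoofed case where SYN cookies and upstream cleaning matter.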

2. Attack type analysis

2.1 tcpdump + Wireshark

Use tcpdump to capture packets in real time and analyze them in Wireshark; with Wireshark's automatic parsing and visual display, processing is very efficient.

tcpdump -i eth0 -w test.pcap

For example, an SSDP flood is identified by the destination port and a special marker:

udp.dstport == 1900
(udp contains "HTTP/1.1") and (udp contains 0a:53:54:3a)
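The same SSDP signature as the two Wireshark filters above can be applied in code to raw IPv4/UDP datagrams, for instance when triaging a capture without a GUI. The following Python is an added example, not from the original post: it parses the IPv4 and UDP headers with struct and checks destination port 1900, the string HTTP/1.1 and the bytes 0a 53 54 3a (a line beginning with "ST:"). The packets are constructed with a small builder that leaves checksums at zero; all function names are assumptions.

```python
import struct
from collections import Counter


def parse_ipv4_udp(raw):
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP datagram, else None."""
    if len(raw) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 17:          # not IPv4, or not UDP
        return None
    ihl = (ver_ihl & 0x0F) * 4                    # header length incl. options
    if len(raw) < ihl + 8:
        return None
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    payload = raw[ihl + 8:ihl + max(ulen, 8)]     # UDP length covers its 8-byte header
    return (".".join(map(str, src)), ".".join(map(str, dst)), sport, dport, payload)


SSDP_MARK = bytes.fromhex("0a53543a")   # the 0a:53:54:3a of the Wireshark filter: b"\nST:"


def is_ssdp_flood_packet(raw):
    """Same conditions as: udp.dstport == 1900 and contains HTTP/1.1 and 0a:53:54:3a."""
    p = parse_ipv4_udp(raw)
    if p is None:
        return False
    dport, payload = p[3], p[4]
    return dport == 1900 and b"HTTP/1.1" in payload and SSDP_MARK in payload


def classify_capture(packets):
    """Count matching packets per source IP; returns (total_matches, Counter)."""
    per_src = Counter()
    for raw in packets:
        if is_ssdp_flood_packet(raw):
            per_src[parse_ipv4_udp(raw)[0]] += 1
    return sum(per_src.values()), per_src


def build_udp(src, dst, sport, dport, payload):
    """Constructed test datagram (IPv4 + UDP); checksums are left at zero."""
    ulen = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + ulen, 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHHH", sport, dport, ulen, 0) + payload


MSEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           b"MAN: \"ssdp:discover\"\r\nMX: 1\r\nST: ssdp:all\r\n\r\n")


def sample_packets():
    """Constructed capture: two SSDP M-SEARCH packets, a DNS query, an SSDP NOTIFY."""
    return [
        build_udp("198.51.100.7", "10.0.0.20", 40000, 1900, MSEARCH),
        build_udp("198.51.100.7", "10.0.0.20", 40001, 1900, MSEARCH),
        build_udp("192.0.2.10", "10.0.0.20", 5353, 53,
                  b"\x12\x34\x01\x00\x00\x01" + b"\x00" * 6),          # DNS: wrong port
        build_udp("192.0.2.11", "10.0.0.20", 40002, 1900,
                  b"NOTIFY * HTTP/1.1\r\nNT: upnp:rootdevice\r\n\r\n"),  # no "ST:" line
    ]


if __name__ == "__main__":
    total, per_src = classify_capture(sample_packets())
    print(total, per_src.most_common(3))
```

Reading a real pcap needs the link-layer and file framing on top of this (or a library such as scapy); the per-source counter then shows whether the M-SEARCH traffic is a few chatty LAN devices or a flood.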

Figure 13

2.2 FastNetMon: an efficient DDoS attack detection and analysis tool

FastNetMon can also be used for real-time traffic detection and analysis, showing the results directly on the command line, but if the attack traffic is very large it probably will not be of much help.

Figure 14

2.3 Attack tracing

On Linux servers, uRPF (unicast reverse path forwarding) can effectively identify spoofed source IPs and discard their traffic. In addition, anycast can be used to dilute attack traffic: anycast has a source-to-destination relationship of 1:n, but a packet is delivered only to the node closest to its source, so an attack can be confined to one node while the other nodes remain available.

Figure 15

Discussion of enterprise-class DDoS cleaning system architecture

Self-developed

The "trinity" architecture of mirroring/optical splitting (collection) + sFlow/NetFlow (analysis) + DDoS cleaning equipment (cleaning) is the anti-DDoS framework used by many enterprises at present, but it is generally only suitable for enterprises that own their data center or have a relatively large business footprint in an IDC. As shown in the figure below, traffic is collected by mirroring or optical splitting at the exit of the IDC or self-built data center and concentrated in an abnormal traffic monitoring system for analysis; once abnormal traffic is found, the system interworks with the DDoS cleaning equipment, issuing cleaning rules and routing rules for cleaning.

Figure 16

Commercial

Many network equipment manufacturers and security vendors now offer systematic traffic collection, abnormal traffic detection and cleaning products, for example NSFOCUS, Huawei, Cisco, Arbor and others. These products are well known in the industry and each has its own market; enterprises that prefer to build a DDoS protection system through procurement can evaluate and purchase the corresponding products, which will not be detailed here.

Hybrid

For large enterprises, because of the large network environment and business scale, the DDoS cleaning architecture will not be a single commercial or self-developed solution but a mix of self-developed, commercial and public cloud solutions; for the specific implementation, refer to the introduction above.

This concludes the first part of "DDoS attack and defense: from principle to practice". You are welcome to share your insights.

References

1. Approaching Science: uncovering online DDoS attack platforms (part 1)
http://www.freebuf.com/special/107119.html
Approaching Science: uncovering online DDoS attack platforms (part 2)
http://www.freebuf.com/news/107916.html

2. Kaspersky DDoS investigation report
https://securelist.com/analysis/quarterly-malware-reports/76464/kaspersky-DDoS-intelligence-report-for-q3-2016/

3. DDoS attack report
http://tech.huanqiu.com/cloud/2014-12/5288347.html

4. FastNetMon, an efficient DDoS attack detection and analysis tool
http://www.freebuf.com/news/67204.html

5. The road to building Tencent's Aegis system
https://security.tencent.com/index.php/blog/msg/62

6. Bao Xuhua et al., "The King of Destruction: An In-depth Analysis of DDoS Attacks and Defense"

Copyright notice: this article was written by 0xtuhao; please include the original link when reposting. Thanks.
Original: https://yzsam.com/2022/172/202206211103451809.html