Connection flood attack principle
2022-06-30 07:03:00 【IDC02_ FEIYA】
Connection Flood Attack principle
Connection Flood (TCP multi-connection attacks, CC attacks and other attacks that cause denial of service by establishing a large number of connection requests) is a typical and very effective attack method that uses a small amount of traffic to overwhelm high-bandwidth network services. This kind of attack has become increasingly rampant.
The attack works by using real IP addresses to open a large number of connections to the server and then not releasing them for a long time after they are established. This ties up server resources, leaves too many residual connections (WAIT state) on the server, lowers efficiency and can even exhaust resources, so that the server cannot respond to connections initiated by other clients.
One attack method is to send a large number of connection requests to the server every second. This resembles a SYN Flood from a fixed source IP, except that a real source IP address is used. The usual protection is to limit, on the firewall, the number of connections per second from each source IP address. But there are now tools that use slow connections: they take a few seconds to establish each connection with the server, and once the connection is established they do not release it and periodically send garbage packets to the server so that the connection is kept alive for a long time. In this way a single IP address can hold hundreds of connections to the server. Because the number of connections a server can sustain is limited, this achieves the effect of denial of service.
In addition, when a worm breaks out on a large scale, the worm code is relatively simple, so during propagation it produces a large number of packets with the same source IP address; for TCP worms this shows up as large-scale scanning. This needs to be kept in mind when judging whether traffic is a Connection Flood.
On the attacked server, check with netstat -an:

There are a large number of connections, coming from a few sources. If you keep statistics, you can see that the number of connections is abnormal compared with the usual level, and that it starts to fluctuate once it reaches a certain value, which indicates that the server may be approaching its performance limit. The signs of this attack are therefore: it does not show up in traffic volume, which may even be small; there are a large number of connections in the ESTABLISHED state; and the total number of new ESTABLISHED connections fluctuates.
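The netstat check above can be scripted. The following is an added example, not part of the original article: it counts ESTABLISHED connections per source IP in netstat -an output, reports how concentrated they are, and lists sources above a per-IP limit. The sample output is constructed, and the limit of 100 and the Linux/Windows address:port column layout are assumptions.

```python
from collections import Counter

def established_by_source(netstat_text, local_port=None):
    """Count ESTABLISHED TCP connections per remote IP in netstat -an output.

    Assumes Linux/Windows "address:port" columns; local_port restricts the
    count to one service port (e.g. 80)."""
    counts = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or not f[0].lower().startswith("tcp"):
            continue  # header, UDP or unrelated line
        local, foreign, state = f[-3], f[-2], f[-1]
        if state != "ESTABLISHED":
            continue
        if local_port is not None and local.rsplit(":", 1)[-1] != str(local_port):
            continue
        # Drop the port; strip the brackets Windows puts around IPv6 addresses.
        counts[foreign.rsplit(":", 1)[0].strip("[]")] += 1
    return counts

def flag_sources(counts, per_ip_limit):
    """Sources holding more connections than the limit, heaviest first."""
    over = [ip for ip, n in counts.items() if n > per_ip_limit]
    return sorted(over, key=lambda ip: -counts[ip])

def top_share(counts, n):
    """Fraction of all ESTABLISHED connections held by the n busiest sources."""
    total = sum(counts.values())
    return sum(c for _, c in counts.most_common(n)) / total if total else 0.0

def build_sample():
    """Constructed netstat output (documentation address ranges, not real data)."""
    def conn(src, port, state="ESTABLISHED"):
        return f"tcp        0      0 192.0.2.10:80     {src}:{port}     {state}"
    rows = ["Proto Recv-Q Send-Q Local Address     Foreign Address     State",
            "tcp        0      0 0.0.0.0:80        0.0.0.0:*           LISTEN",
            "tcp        0      0 192.0.2.10:51514  192.0.2.20:3306     ESTABLISHED",
            "udp        0      0 0.0.0.0:68        0.0.0.0:*"]
    rows += [conn("203.0.113.5", 40000 + i) for i in range(300)]
    rows += [conn("203.0.113.9", 50000 + i) for i in range(250)]
    rows += [conn(f"198.51.100.{h}", 60000 + h) for h in range(1, 13)]
    rows += [conn("198.51.100.77", 61000 + i, "TIME_WAIT") for i in range(5)]
    return "\n".join(rows)

if __name__ == "__main__":
    PER_IP_LIMIT = 100  # assumed threshold; derive it from the server's normal baseline
    counts = established_by_source(build_sample(), local_port=80)
    print("total ESTABLISHED on :80:", sum(counts.values()))
    print("share held by top 2 sources: %.0f%%" % (100 * top_share(counts, 2)))
    for ip in flag_sources(counts, PER_IP_LIMIT):
        print("over limit:", ip, counts[ip])
```

Running it periodically and recording the total gives the statistic the paragraph refers to: a count far above the usual level that starts to fluctuate near a ceiling.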
Connection Flood protection
1. Actively clear residual connections.
2. Ban the IPs of malicious connections.
3. Limit the number of connections per source IP.
4. Protection can be applied to specific URLs.
5. Check the sources of HTTP Get Flood initiated from behind a proxy.