Ethical Hacking 简明教程

Ethical Hacking - DDOS Attacks

分布式拒绝服务 (DDoS) 攻击是一种通过从多个源生成大量流量来使在线服务或网站不可用的尝试。

A Distributed Denial of Service (DDoS) attack is an attempt to make an online service or a website unavailable by overloading it with huge floods of traffic generated from multiple sources.

与拒绝服务 (DoS) 攻击不同,在拒绝服务 (DoS) 攻击中,使用一台计算机和一个 Internet 连接向目标资源发送大量数据包,分布式拒绝服务 (DDoS) 攻击使用多台计算机和多个 Internet 连接,通常在全球范围内分布,称为 botnet

Unlike a Denial of Service (DoS) attack, in which one computer and one Internet connection is used to flood a targeted resource with packets, a DDoS attack uses many computers and many Internet connections, often distributed globally in what is referred to as a botnet.

大规模体积 DDoS 攻击可以产生每秒以十千兆比特(甚至数百千兆比特)衡量的流量。我们确信您的普通网络将无法处理此类流量。

A large scale volumetric DDoS attack can generate a traffic measured in tens of Gigabits (and even hundreds of Gigabits) per second. We are sure your normal network will not be able to handle such traffic.

What are Botnets?

攻击者构建一个黑客机器网络,这些机器被称为 botnets ,通过电子邮件、网站和社交媒体传播恶意代码段。一旦这些计算机受到感染,就可以在没有其所有者知情的情况下进行远程控制,并像一支军队一样用来对任何目标发动攻击。

Attackers build a network of hacked machines which are known as botnets, by spreading malicious piece of code through emails, websites, and social media. Once these computers are infected, they can be controlled remotely, without their owners' knowledge, and used like an army to launch an attack against any target.

ddos system

DDoS 洪流可以通过多种方式生成。例如 −

A DDoS flood can be generated in multiple ways. For example −

  1. Botnets can be used for sending more number of connection requests than a server can handle at a time.

  2. Attackers can have computers send a victim resource huge amounts of random data to use up the target’s bandwidth.

由于这些机器的分布式特性,它们可用于生成难以处理的分布式高流量。最后导致服务完全阻塞。

Due to the distributed nature of these machines, they can be used to generate distributed high traffic which may be difficult to handle. It finally results in a complete blockage of a service.

Types of DDoS Attacks

DDoS 攻击可以大致分为三种类型−

DDoS attacks can be broadly categorized into three categories −

  1. Volume-based Attacks

  2. Protocol Attacks

  3. Application Layer Attacks

Volume-Based Attacks

基于容量的攻击包括 TCP 泛洪、UDP 泛洪、ICMP 泛洪和其他欺骗数据包泛洪。这些攻击也称为 Layer 3 & 4 Attacks 。在此,攻击者试图使目标站点的带宽饱和。攻击幅度以 Bits per Second (bps) 为单位来衡量。

Volume-based attacks include TCP floods, UDP floods, ICMP floods, and other spoofedpacket floods. These are also called Layer 3 & 4 Attacks. Here, an attacker tries to saturate the bandwidth of the target site. The attack magnitude is measured in Bits per Second (bps).

  1. UDP Flood − A UDP flood is used to flood random ports on a remote host with numerous UDP packets, more specifically port number 53. Specialized firewalls can be used to filter out or block malicious UDP packets.

  2. ICMP Flood − This is similar to UDP flood and used to flood a remote host with numerous ICMP Echo Requests. This type of attack can consume both outgoing and incoming bandwidth and a high volume of ping requests will result in overall system slowdown.

  3. HTTP Flood − The attacker sends HTTP GET and POST requests to a targeted web server in a large volume which cannot be handled by the server and leads to denial of additional connections from legitimate clients.

  4. Amplification Attack − The attacker makes a request that generates a large response which includes DNS requests for large TXT records and HTTP GET requests for large files like images, PDFs, or any other data files.

Protocol Attacks

协议攻击包括 SYN 洪水,死亡之 ping,碎片分组攻击,Smurf DDoS 等。这种类型的攻击会占用实际的服务器资源和其他资源,如防火墙和负载平衡器。攻击级别是用 Packets per Second 来衡量的。

Protocol attacks include SYN floods, Ping of Death, fragmented packet attacks, Smurf DDoS, etc. This type of attack consumes actual server resources and other resources like firewalls and load balancers. The attack magnitude is measured in Packets per Second.

  1. DNS Flood − DNS floods are used for attacking both the infrastructure and a DNS application to overwhelm a target system and consume all its available network bandwidth.

  2. SYN Flood − The attacker sends TCP connection requests faster than the targeted machine can process them, causing network saturation. Administrators can tweak TCP stacks to mitigate the effect of SYN floods. To reduce the effect of SYN floods, you can reduce the timeout until a stack frees memory allocated to a connection, or selectively dropping incoming connections using a firewall or iptables.

  3. Ping of Death − The attacker sends malformed or oversized packets using a simple ping command. IP allows sending 65,535 bytes packets but sending a ping packet larger than 65,535 bytes violates the Internet Protocol and could cause memory overflow on the target system and finally crash the system. To avoid Ping of Death attacks and its variants, many sites block ICMP ping messages altogether at their firewalls.

Application Layer Attacks

应用程序层攻击包括 Slowloris、零日 DDoS 攻击、针对 Apache、Windows 或 OpenBSD 漏洞的 DDoS 攻击等。这里的目标是使 Web 服务器崩溃。攻击强度以 Requests per Second 为单位。

Application Layer Attacks include Slowloris, Zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities and more. Here the goal is to crash the web server. The attack magnitude is measured in Requests per Second.

  1. Application Attack − This is also called Layer 7 Attack, where the attacker makes excessive log-in, database-lookup, or search requests to overload the application. It is really difficult to detect Layer 7 attacks because they resemble legitimate website traffic.

  2. Slowloris − The attacker sends huge number of HTTP headers to a targeted web server, but never completes a request. The targeted server keeps each of these false connections open and eventually overflows the maximum concurrent connection pool, and leads to denial of additional connections from legitimate clients.

  3. NTP Amplification − The attacker exploits publically-accessible Network Time Protocol (NTP) servers to overwhelm the targeted server with User Datagram Protocol (UDP) traffic.

  4. Zero-day DDoS Attacks − A zero-day vulnerability is a system or application flaw previously unknown to the vendor, and has not been fixed or patched. These are new type of attacks coming into existence day by day, for example, exploiting vulnerabilities for which no patch has yet been released.

How to Fix a DDoS Attack

您可以应用的 DDoS 保护选项有很多,这取决于 DDoS 攻击的类型。

There are quite a few DDoS protection options which you can apply depending on the type of DDoS attack.

您的 DDoS 保护从识别和关闭系统中所有可能的 OS 和应用程序级别漏洞开始,关闭所有可能的端口,从系统中删除不必要的访问权限,并在代理或 CDN 系统后面隐藏您的服务器。

Your DDoS protection starts from identifying and closing all the possible OS and application level vulnerabilities in your system, closing all the possible ports, removing unnecessary access from the system and hiding your server behind a proxy or CDN system.

如果您发现 DDoS 攻击的强度较低,那么您可以找到许多基于防火墙的解决方案,这些解决方案可以帮助您过滤掉基于 DDoS 的流量。但如果您遭受大流量 DDoS 攻击(如千兆位或更多),那么您应该寻求 DDoS 保护服务提供商的帮助,该服务提供商提供更全面、主动和真实的方法。

If you see a low magnitude of the DDoS, then you can find many firewall-based solutions which can help you in filtering out DDoS based traffic. But if you have high volume of DDoS attack like in gigabits or even more, then you should take the help of a DDoS protection service provider that offers a more holistic, proactive and genuine approach.

在选择和选择 DDoS 保护服务提供商时,您必须小心。有许多服务提供商想要利用您的处境。如果您告诉他们您正在受到 DDoS 攻击,那么他们将开始以不合理的高成本向您提供各种服务。

You must be careful while approaching and selecting a DDoS protection service provider. There are number of service providers who want to take advantage of your situation. If you inform them that you are under DDoS attack, then they will start offering you a variety of services at unreasonably high costs.

我们可以向您建议一个简单有效的解决方案,它从寻找一个出色的 DNS 解决方案提供商开始,该提供商足够灵活,可以为您的网站配置 A 和 CNAME 记录。其次,您将需要一个出色的 CDN 提供商,它可以处理大量的 DDoS 流量,并作为其 CDN 软件包的一部分为您提供 DDoS 保护服务。

We can suggest you a simple and working solution which starts with a search for a good DNS solution provider who is flexible enough to configure A and CNAME records for your website. Second, you will need a good CDN provider that can handle big DDoS traffic and provide you DDoS protection service as a part of their CDN package.

假设您的服务器 IP 地址为 AAA.BBB.CCC.DDD。然后,您应该执行以下 DNS 配置 −

Assume your server IP address is AAA.BBB.CCC.DDD. Then you should do the following DNS configuration −

  1. Create a A Record in DNS zone file as shown below with a DNS identifier, for example, ARECORDID and keep it secret from the outside world.

  2. Now ask your CDN provider to link the created DNS identifier with a URL, something like cdn.someotherid.domain.com.

  3. You will use the CDN URL cdn.someotherid.domain.com to create two CNAME records, the first one to point to www and the second record to point to @ as shown below.

你可以向系统管理员寻求帮助,以便理解这些要点并适当地配置 DNS 和 CDN。最后,你将在 DNS 中获得如下配置。

You can take the help from your system administrator to understand these points and configure your DNS and CDN appropriately. Finally, you will have the following configuration at your DNS.

dns configuration

现在,让 CDN 提供商处理所有类型的 DDoS 攻击,你的系统将保持安全。但前提是你不得向任何人透露系统的 IP 地址或 A 记录标识符,否则直接攻击将重新开始。

Now, let the CDN provider handle all type of DDoS attacks and your system will remain safe. But here the condition is that you should not disclose your system’s IP address or A record identifier to anyone; else direct attacks will start again.

Quick Fix

DDoS 攻击比以往任何时候都更加常见,不幸的是,对于此问题没有快速修复方法。但是,如果你的系统受到 DDoS 攻击,请不要惊慌,开始逐步调查此事。

DDoS attacks have become more common than ever before, and unfortunately, there is no quick fix for this problem. However, if your system is under a DDoS attack, then don’t panic and start looking into the matter step by step.