12.7. Denial of Service Attacks

12.7.1. Introduction

DoS (Denial of Service) is a class of network attack whose goal is to make a server or network unable to serve its legitimate users; it is commonly used to paralyze servers or networks.

The form usually encountered in practice is the Distributed Denial of Service (DDoS) attack, in which the attacker uses a sufficiently large number of compromised "puppet" (zombie) computers to generate a huge volume of attack packets against one or more targets on the network. Distributing the attack multiplies its power, depleting the victim's resources and forcing it to lose the ability to provide normal service.

12.7.2. UDP reflection

A UDP-based reflective DDoS attack is a form of denial of service in which the attacker does not contact the target directly. Instead, the attacker sends specially crafted UDP requests to open servers on the Internet with the source address forged to be the victim's, so that responses several times larger than the requests are delivered to the victim's IP, indirectly forming a DDoS attack against it.

Services commonly abused as reflectors for DoS attacks are:

  • NTP

  • DNS

  • SSDP

  • Memcached

Among these, DNS-based attacks mainly include DNS Request Flood, DNS Response Flood, mixed fake-source and real-source DNS Query Flood, attacks on authoritative servers, and attacks on local (caching) servers.
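Reflection traffic has a recognisable shape on the victim side: large UDP replies arriving from the service ports listed above, sent by many unrelated servers to one destination. The following detector is an added example for these notes, not code from the original page; it assumes NetFlow-style per-flow records (source, source port, destination, destination port, protocol, bytes, packets), and the flow records and thresholds below are constructed for illustration.

```python
"""Flag UDP flows that look like reflection/amplification responses.

Added example, not from the original notes. Assumes a NetFlow-style record
per flow; the records below are constructed for illustration.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by the port the reflector answers from
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 1900: "SSDP", 11211: "Memcached"}

# Constructed sample flows: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
FLOWS = [
    # many distinct NTP servers all answering the same victim with large payloads
    ("198.51.100.10", 123, "203.0.113.5", 40000, "udp", 440_000, 1000),
    ("198.51.100.11", 123, "203.0.113.5", 40000, "udp", 450_000, 1000),
    ("198.51.100.12", 123, "203.0.113.5", 40000, "udp", 430_000, 1000),
    # a single Memcached reflector, very large per-packet size
    ("198.51.100.13", 11211, "203.0.113.5", 40001, "udp", 9_000_000, 6000),
    # ordinary DNS answer to a workstation
    ("198.51.100.53", 53, "192.0.2.20", 51234, "udp", 180, 1),
    # ordinary TCP web traffic, ignored entirely
    ("192.0.2.20", 443, "203.0.113.5", 55555, "tcp", 5_000_000, 4000),
]


def reflection_candidates(flows, min_sources=3, min_avg_bytes=300):
    """Return {victim_ip: {service: [reflector_ips]}} for destinations that receive
    large UDP replies from at least `min_sources` reflectors of one service.

    `min_avg_bytes` is the average bytes-per-packet above which a reply is treated
    as amplified; a normal DNS answer is far smaller than that (assumed threshold).
    """
    per_victim = defaultdict(lambda: defaultdict(set))
    for src, sport, dst, _dport, proto, nbytes, pkts in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS or pkts == 0:
            continue
        if nbytes / pkts < min_avg_bytes:      # small replies are ordinary service traffic
            continue
        per_victim[dst][REFLECTOR_PORTS[sport]].add(src)

    return {
        victim: {svc: sorted(srcs) for svc, srcs in services.items() if len(srcs) >= min_sources}
        for victim, services in per_victim.items()
        if any(len(srcs) >= min_sources for srcs in services.values())
    }


if __name__ == "__main__":
    for victim, services in reflection_candidates(FLOWS).items():
        for svc, sources in services.items():
            print(f"{victim}: {len(sources)} {svc} reflectors -> {sources}")
```

With the constructed flows only the NTP group meets the "several sources" rule; the lone Memcached reflector is reported only if `min_sources` is lowered, which is the trade-off between catching an early attack and raising alerts on one busy server.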

12.7.3. TCP Flood

TCP Flood (SYN Flood) exploits a weakness in the TCP handshake. The attacker sends a large number of TCP SYN requests with forged source IPs to the target server; the server answers each with a handshake packet (SYN+ACK), but since the forged addresses never complete the handshake, every connection stays in the SYN_RECV state while the server keeps retrying. This exhausts the server's queue of pending connections, and normal services can no longer be provided.
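A SYN flood is visible on the server itself as a pile of half-open connections from many different peers. The following check is an added example, not code from the original notes; it parses the output format of Linux `ss -tan` and flags a listening port whose SYN-RECV count exceeds a threshold. The socket-table text and the server address 203.0.113.7 are constructed, and the threshold is an assumption.

```python
"""Detect a SYN flood from `ss -tan` style socket-table output.

Added example, not from the original notes. The SAMPLE text below is
constructed: a server on 203.0.113.7:80 with two real clients and 300
half-open connections from distinct forged sources.
"""
from collections import Counter, defaultdict

HEADER = "State     Recv-Q Send-Q Local Address:Port   Peer Address:Port"
NORMAL = [
    "LISTEN    0      128    0.0.0.0:80           0.0.0.0:*",
    "ESTAB     0      0      203.0.113.7:80       192.0.2.10:51000",
    "ESTAB     0      0      203.0.113.7:80       192.0.2.11:51001",
]
# 300 half-open connections, each from a different (forged) source address
FLOOD = [
    f"SYN-RECV  0      0      203.0.113.7:80       198.51.{i // 256}.{i % 256}:40000"
    for i in range(300)
]
SAMPLE = "\n".join([HEADER, *NORMAL, *FLOOD])


def parse_ss(text):
    """Yield (state, local_port, peer_ip) from `ss -tan` output, skipping the header."""
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        local_port = local.rsplit(":", 1)[1]    # rsplit keeps IPv6 addresses intact
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, local_port, peer_ip


def syn_flood_report(text, max_half_open=100):
    """Per local port: half-open count, established count, distinct peers and a flood flag.

    `max_half_open` is an assumed threshold; tune it to the backlog size of the service.
    """
    half_open, established = Counter(), Counter()
    peers = defaultdict(set)
    for state, port, peer in parse_ss(text):
        if state == "SYN-RECV":
            half_open[port] += 1
            peers[port].add(peer)
        elif state == "ESTAB":
            established[port] += 1
    return {
        port: {
            "half_open": half_open[port],
            "established": established[port],
            "distinct_peers": len(peers[port]),
            "flood": half_open[port] > max_half_open,
        }
        for port in set(half_open) | set(established)
    }


if __name__ == "__main__":
    for port, info in syn_flood_report(SAMPLE).items():
        print(port, info)
```

A high half-open count spread over many distinct peers, next to a normal number of established connections, is the signature to alert on; on Linux the standard kernel-side mitigation is SYN cookies (`net.ipv4.tcp_syncookies=1`), which lets the server answer SYNs without keeping per-connection state.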

12.7.4. Shrew DDoS

Shrew DDoS exploits TCP's retransmission mechanism: the attack period is tuned so that short bursts repeatedly trigger the TCP retransmission timeout (RTO). The bursts are sent at fixed, maliciously chosen slow intervals, a pattern that can throttle TCP flows to a fraction of their ideal rate while the attacker's average sending rate stays low enough to avoid detection.

Modern operating systems have modified their TCP implementations accordingly and are no longer affected.

12.7.5. Ping Of Death

Under normal circumstances no ICMP packet is larger than 65536 bytes, but IP supports fragmentation and reassembly. An attacker can therefore send fragments that reassemble into an ICMP packet larger than 65536 bytes on the target host, which overflows the receiving buffer and results in a denial of service.

Modern operating systems already check for this condition and are not affected.

12.7.6. Challenge Collapsar (CC)

A CC (Challenge Collapsar) attack is a DoS attack aimed at server resources: the attacker sends requests that are expensive for the server to process in order to exhaust them.

There are many ways to carry out a CC attack; common ones repeatedly request search pages, item display pages and other expensive functions. Some HTTP servers can also be attacked by uploading large files or by sending requests with large, complex parameters.

12.7.7. Slow Attacks

HTTP slow attacks were publicly disclosed by Wong Onn Chee and Tom Brennan at the 2012 OWASP conference. They use low-speed traffic to tie up server resources and thereby achieve denial of service.

Slow attacks come in three modes: Slow headers, Slow body and Slow read. Slow headers keeps sending HTTP headers slowly and never completes the request, consuming the server's connection and memory resources. Slow body sends an HTTP POST request with a large Content-Length but delivers only a small amount of body data at a time, keeping the connection alive. Slow read consumes the response at a very low speed, so the connection stays open.
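All three modes share one symptom: a connection that stays open far longer than its byte count justifies. The classifier below is an added example, not code from the original notes; it assumes the server or reverse proxy can report, per open connection, its age, whether the request headers are complete, the declared and received body length, and how much of the queued response the client has drained. The connection records and the timeout and rate thresholds are constructed assumptions.

```python
"""Classify open HTTP connections into the three slow-attack modes.

Added example, not from the original notes. Assumes per-connection
accounting as described in the Conn fields; the CONNS list is constructed.
"""
from dataclasses import dataclass


@dataclass
class Conn:
    peer: str
    age_s: float          # seconds since the connection was accepted
    headers_done: bool    # request line and headers fully received
    content_length: int   # declared request body length (0 if none)
    body_read: int        # request body bytes received so far
    resp_total: int       # response bytes queued for sending
    resp_sent: int        # response bytes the client has actually drained


# Constructed snapshot of a server's open connections at one instant
CONNS = [
    Conn("192.0.2.10", 0.4, True, 0, 0, 2048, 2048),                # normal, response delivered
    Conn("198.51.100.1", 45.0, False, 0, 0, 0, 0),                  # headers never finish
    Conn("198.51.100.2", 60.0, True, 10_000_000, 600, 0, 0),        # huge body, trickled in
    Conn("198.51.100.3", 90.0, True, 0, 0, 5_000_000, 8_192),       # response barely drained
    Conn("192.0.2.11", 30.0, True, 50_000_000, 40_000_000, 0, 0),   # genuine large upload
]


def classify(conn, header_timeout=20.0, min_body_rate=1000.0, min_read_rate=1000.0):
    """Return None for a healthy connection, or the slow-attack mode it matches.

    Thresholds (seconds and bytes/second) are assumed values for illustration.
    """
    age = max(conn.age_s, 1e-3)                     # guard against division by zero
    if not conn.headers_done and age > header_timeout:
        return "slow headers"
    if conn.headers_done and conn.content_length > 0:
        if conn.body_read / age < min_body_rate:    # body arriving far below any real link rate
            return "slow body"
    if conn.resp_total > 0 and conn.resp_sent < conn.resp_total:
        if conn.resp_sent / age < min_read_rate:    # client is not draining the response
            return "slow read"
    return None


def slow_connections(conns):
    """Map peer address -> matched mode for every connection that looks slow."""
    return {c.peer: mode for c in conns if (mode := classify(c)) is not None}


if __name__ == "__main__":
    for peer, mode in slow_connections(CONNS).items():
        print(f"{peer}: {mode}")
```

The rate-based rules matter more than a fixed timeout: the legitimate 50 MB upload in the sample is older than the slow-body connection but is moving data at a normal rate, so it is left alone, which is the distinction a mitigation (dropping the connection or tightening the peer's limits) has to make.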

12.7.8. Attacks based on service features

  • Decompressing archives
    • a tiny archive that expands to a huge file of zero bytes

  • Reading files
    • reading endless special files such as /dev/urandom

  • Deserialization
    • deserializing a huge array

  • Regular expression matching
    • expressions that trigger massive backtracking
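The first item on the list is the easiest to reproduce safely and to defend against in code. The following guard is an added example, not code from the original notes: it builds a small constructed archive in memory whose single member inflates to many megabytes of zero bytes, then shows two layers of defence, a cheap check on the sizes declared in the central directory, and a streaming extraction that enforces a hard byte budget regardless of what the headers claim. The size and ratio limits are assumed values.

```python
"""Guard archive extraction against decompression bombs.

Added example, not from the original notes. Both archives built here are
constructed in memory; MAX_TOTAL_BYTES and MAX_RATIO are assumed limits.
"""
import io
import zipfile

MAX_TOTAL_BYTES = 10 * 1024 * 1024   # hard budget for everything extracted from one archive
MAX_RATIO = 100                      # highest uncompressed/compressed ratio accepted per member


class ArchiveRejected(Exception):
    """Raised when an archive exceeds the extraction limits."""


def build_bomb_zip(expanded_size=16 * 1024 * 1024):
    """Construct a zip whose single member inflates to `expanded_size` zero bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED, compresslevel=9) as zf:
        zf.writestr("zeros.bin", b"\0" * expanded_size)
    return buf.getvalue()


def build_benign_zip():
    """Construct a small, poorly compressible archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("data.bin", bytes(range(256)) * 2)
    return buf.getvalue()


def check_directory(data):
    """Reject on declared sizes alone. Cheap, but headers can lie, so it is a first filter only."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            if total > MAX_TOTAL_BYTES:
                raise ArchiveRejected(f"declared size {total} exceeds budget {MAX_TOTAL_BYTES}")
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                raise ArchiveRejected(f"{info.filename}: compression ratio too high")
    return total


def extract_with_budget(data, budget=MAX_TOTAL_BYTES, chunk=64 * 1024):
    """Stream every member, counting bytes actually produced; abort the moment the budget is exceeded."""
    produced = 0
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            pieces = []
            with zf.open(info) as member:
                while True:
                    block = member.read(chunk)
                    if not block:
                        break
                    produced += len(block)
                    if produced > budget:
                        raise ArchiveRejected(f"extracted {produced} bytes, budget {budget}")
                    pieces.append(block)
            out[info.filename] = b"".join(pieces)
    return out


if __name__ == "__main__":
    for name, archive in (("bomb", build_bomb_zip()), ("benign", build_benign_zip())):
        try:
            check_directory(archive)
            extract_with_budget(archive)
            print(f"{name}: accepted ({len(archive)} bytes on the wire)")
        except ArchiveRejected as exc:
            print(f"{name}: rejected, {exc}")
```

The streaming check is the one that actually protects the host: it bounds memory and disk no matter what the directory says, and the same pattern (count bytes as they are produced, stop at a budget) applies equally to the /dev/urandom and huge-array items above, where the input has no declared size at all.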

12.7.9. Common protection methods

  • Fingerprint specific attack types and block or rate-limit the matching traffic

  • Build a model of normal traffic and block or rate-limit traffic identified as abnormal

  • Apply a comprehensive rate-limiting policy per IP address and port

  • Block or rate-limit traffic by geographic location
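The per-IP rate-limiting item is the one most often implemented in application code. The following token-bucket limiter is an added example, not code from the original notes: each source address gets a bucket that refills at a fixed rate up to a burst size, a request is served only when a token is available, and an address that keeps exceeding the limit is blocked for a cooling-off period. The rate, burst, ban parameters and the two simulated clients are constructed assumptions; timestamps are passed in explicitly so the run is deterministic.

```python
"""Per-source-IP token-bucket rate limiting with temporary blocking.

Added example, not from the original notes. All parameters and the
simulated request stream are constructed for illustration.
"""
from collections import defaultdict


class RateLimiter:
    def __init__(self, rate=10.0, burst=20, max_violations=50, ban_seconds=60.0):
        self.rate, self.burst = rate, burst                     # tokens/second, bucket capacity
        self.max_violations, self.ban_seconds = max_violations, ban_seconds
        self.tokens = {}                                        # ip -> (tokens, last_refill_time)
        self.violations = defaultdict(int)                      # denied requests per ip
        self.banned_until = {}                                  # ip -> time the block expires

    def allow(self, ip, now):
        """Return True if the request from `ip` at time `now` should be served."""
        if self.banned_until.get(ip, 0.0) > now:
            return False
        tokens, last = self.tokens.get(ip, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)   # refill since last call
        if tokens >= 1.0:
            self.tokens[ip] = (tokens - 1.0, now)
            return True
        self.tokens[ip] = (tokens, now)
        self.violations[ip] += 1
        if self.violations[ip] >= self.max_violations:           # persistent offender: block outright
            self.banned_until[ip] = now + self.ban_seconds
        return False


def simulate(limiter, requests):
    """requests: iterable of (timestamp, ip); returns {ip: (allowed, denied)}."""
    stats = defaultdict(lambda: [0, 0])
    for t, ip in requests:
        stats[ip][0 if limiter.allow(ip, t) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


# Constructed traffic: one client at 1 request/s for 10 s, one source at 200 requests/s for 2 s
REQUESTS = sorted(
    [(i * 1.0, "192.0.2.10") for i in range(10)]
    + [(i / 200.0, "198.51.100.9") for i in range(400)]
)


if __name__ == "__main__":
    limiter = RateLimiter()
    for ip, (allowed, denied) in simulate(limiter, REQUESTS).items():
        print(f"{ip}: allowed={allowed} denied={denied} banned={ip in limiter.banned_until}")
```

With these parameters the well-behaved client is never throttled, while the flooding source gets its initial burst plus a trickle at the refill rate and is then blocked once its denials pile up; the block expires on its own, which matters for shared or spoofed addresses where a permanent ban would itself be a denial of service.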