What are the common DDoS attacks and the ways to defend against them?

Nov 23, 2024 · 37 mins read

Discover the most common types of DDoS attacks, including volumetric, protocol, and application layer attacks. Learn effective defense strategies to protect your network, such as using firewalls, CDNs, and rate limiting techniques. Stay ahead of DDoS threats with comprehensive security measures.


In the field of network security, DDoS attacks have long been a hot topic. As network technology keeps developing and network environments grow more complex, DDoS attacks have become both more frequent and more destructive. According to the 2023 Network Security Situation Research and Analysis Annual Comprehensive Report, network-layer DDoS attacks across the entire Internet reached 251 million for the year. A DDoS attack, i.e. a Distributed Denial of Service attack, is one in which the attacker uses one or more computers in different locations to attack one or more targets at the same time, consuming the target server's processing capacity or network bandwidth. DDoS attacks are a common type of network attack and one of the most significant Internet security threats.

Common DDoS attack techniques include direct traffic attacks (SYN, ACK, ICMP and UDP floods), reflective traffic attacks that abuse specific applications or protocols, and application-layer attacks such as CC attacks and slow HTTP attacks.

ICMP Flood: the attacker sends a large number of ICMP Echo requests to the target server, exhausting the server's resources and preventing it from responding properly to other network requests.

ICMP Reflective Flood (Smurf): the attacker sends ICMP packets to a broadcast address with a spoofed source IP that points at the target host. Every host in the broadcast domain answers the broadcast, and all of those replies go to the spoofed address, i.e. to the target. The spoofed address can be any address on the Internet, not necessarily a local one.
If the attacker keeps sending such ICMP packets, the result is a denial of service.

UDP Flood: the attacker sends a large number of UDP packets to the target server, which cannot keep up with processing this mass of invalid packets, so the service becomes paralyzed. This attack exploits the characteristics of the UDP protocol: the target server's resources are exhausted simply by sending it a large volume of UDP packets.

SYN Flood: the attacker sends SYN packets to the destination host from many random source addresses and never responds to the SYN+ACK packets the destination sends back. The destination host builds up a large queue of half-open connections to these source hosts, and because no ACK ever arrives it has to keep maintaining these connection queues, consuming a large amount of resources and leaving it unable to serve normal requests.
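As an added example (not code from the article), here is a small detector for the half-open-connection pattern a SYN Flood leaves behind, run over constructed packet records; the addresses, flag encoding and thresholds are assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed packet records for this example, not taken from the article:
# (timestamp, src_ip, dst_ip, tcp_flags). A real deployment would feed these
# from a packet capture or flow export.
PACKETS = [
    # Legitimate client: SYN -> SYN+ACK -> ACK, so the handshake completes.
    (0.0, "203.0.113.5", "198.51.100.10", "S"),
    (0.1, "198.51.100.10", "203.0.113.5", "SA"),
    (0.2, "203.0.113.5", "198.51.100.10", "A"),
] + [
    # Flood: many (spoofed) sources send SYNs and never answer the SYN+ACK.
    (1.0 + i * 0.001, f"192.0.2.{i % 254 + 1}", "198.51.100.10", "S")
    for i in range(300)
]


def half_open_connections(packets):
    """Return {dst_ip: {src_ip: unanswered_syn_count}} for incomplete handshakes."""
    pending = Counter()  # (src, dst) -> SYNs seen without a completing ACK
    for _ts, src, dst, flags in packets:
        if flags == "S":
            pending[(src, dst)] += 1        # client opened (another) handshake
        elif flags == "A":
            pending.pop((src, dst), None)   # client completed its handshake(s)
    half_open = defaultdict(dict)
    for (src, dst), n in pending.items():
        half_open[dst][src] = n
    return half_open


def detect_syn_flood(packets, max_half_open=100, min_distinct_sources=50):
    """Flag destinations with many half-open handshakes spread over many sources.

    Many unanswered SYNs from many different addresses is the signature of a
    spoofed-source SYN flood; one misbehaving client would show a single source.
    Returns a list of (dst_ip, half_open_total, distinct_sources).
    """
    alerts = []
    for dst, sources in half_open_connections(packets).items():
        total = sum(sources.values())
        if total > max_half_open and len(sources) >= min_distinct_sources:
            alerts.append((dst, total, len(sources)))
    return alerts
```

Once such a condition is detected, the usual host-side mitigation is to enable SYN cookies so the server no longer has to hold state for unanswered SYNs.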

NTP Flood: an NTP attack is a DDoS attack that uses an NTP server as an intermediary to attack the target system. The attacker sends a large number of forged NTP query requests to the NTP server, and the server sends a large volume of NTP response data to the target system, occupying the target's bandwidth and system resources.

CC attack: a CC attack (Challenge Collapsar) is a type of DDoS attack carried out by sending forged HTTP requests to a target web server, typically requests that require complex, time-consuming computation or database operations. These requests exhaust the resources of the target web server until it stops responding, so that users experience slow or no access.

NTP (Network Time Protocol) Flood: NTP is a standard network time synchronization protocol transported over UDP, and because UDP is connectionless the source address is easy to forge. The attacker crafts special packets addressed to a server that acts as a reflector, with the source IP forged to be the IP of the attack target. The reflector is tricked when it receives the packet and sends its response data to the target, exhausting the target network's bandwidth. NTP servers generally have plenty of bandwidth: an attacker may need only 1Mbps of upload bandwidth to spoof requests to an NTP server, yet bring hundreds or thousands of Mbps of attack traffic onto the target server.

Any such "ask-answer" protocol can therefore be abused for a reflective attack: the source address of the query packet is forged as the target's address, so the answer packet is sent to the target, and once the protocol has a recursive or amplifying effect (a small query produces a much larger answer), the traffic is significantly enlarged. This is a "kill with a borrowed knife" type of traffic attack.

DNS Query Flood: DNS, as one of the core services of the Internet, is naturally a major target of DDoS attacks.
A DNS Query Flood uses a large number of controlled puppet machines to send a large number of domain name resolution requests to the target server. When the server receives a resolution request, it first checks whether it has a corresponding cache entry; if it cannot find one and cannot resolve the name directly, it recursively queries its upstream DNS server for the domain name information.

Usually the domain names the attacker asks to resolve are randomly generated or do not exist on the network. Because no result can be found locally, the server has to recursively submit the resolution request to higher-level DNS servers, causing a chain reaction. The resolution process puts a heavy load on the server, and once the number of resolution requests per second exceeds a certain level, the DNS server starts timing out on domain name resolution.
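An added example, not part of the article, of detection logic for the random-subdomain DNS Query Flood just described: it parses constructed resolver log lines and flags a zone whose per-second query rate exceeds a threshold while nearly every queried name is unique and returns NXDOMAIN. The log format, thresholds and sample addresses are assumptions.

```python
import hashlib
from collections import defaultdict


def parse_log(text):
    """Parse constructed lines of the form '<unix_ts> <client_ip> <qname> <rcode>'."""
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, rcode = line.split()
        records.append((int(ts), client, qname.rstrip(".").lower(), rcode))
    return records


def zone_of(qname, depth=2):
    """Return the zone the query falls under (its last `depth` labels)."""
    return ".".join(qname.split(".")[-depth:])


def detect_random_subdomain_flood(records, max_qps=100, min_nxdomain_ratio=0.8,
                                  min_unique_ratio=0.9):
    """Group queries per (second, zone) and flag zones whose query rate exceeds
    max_qps while almost every name is unique and unresolvable: the pattern of a
    flood of random, non-existent names that forces recursion on every query."""
    buckets = defaultdict(list)
    for ts, _client, qname, rcode in records:
        buckets[(ts, zone_of(qname))].append((qname, rcode))
    alerts = []
    for (ts, zone), queries in sorted(buckets.items()):
        total = len(queries)
        if total <= max_qps:
            continue  # below the rate threshold, nothing to flag
        nx_ratio = sum(1 for _, rc in queries if rc == "NXDOMAIN") / total
        unique_ratio = len({q for q, _ in queries}) / total
        if nx_ratio >= min_nxdomain_ratio and unique_ratio >= min_unique_ratio:
            alerts.append({"second": ts, "zone": zone, "qps": total,
                           "nxdomain_ratio": round(nx_ratio, 2),
                           "unique_ratio": round(unique_ratio, 2)})
    return alerts


# Constructed sample log: one normal second, then one second in which 20 clients
# hammer example.com with random labels (md5 is used only to generate the labels).
_normal = [f"1700000000 10.0.0.{i % 20 + 1} www.example.com NOERROR"
           for i in range(30)]
_flood = [f"1700000001 10.0.0.{i % 20 + 1} "
          f"{hashlib.md5(str(i).encode()).hexdigest()[:10]}.example.com NXDOMAIN"
          for i in range(150)]
_flood += [f"1700000001 10.0.0.{i % 20 + 1} www.example.com NOERROR"
           for i in range(10)]
SAMPLE_LOG = "\n".join(_normal + _flood)
```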

According to Microsoft's statistics, the maximum number of dynamic domain name queries a DNS server can handle is 9,000 requests per second. 

Meanwhile a P3 PC can easily generate tens of thousands of domain name resolution requests per second, enough to paralyze a DNS server with an extremely high hardware configuration, which shows how vulnerable DNS servers are.

Teardrop Attack: the attacker sends corrupted IP packets, such as overlapping fragments or oversized payloads, to the target machine. This can crash a variety of operating systems through bugs in the fragmentation and reassembly code of the TCP/IP stack.

Ping of Death: the attacker exploits the case where the length of a single packet exceeds the maximum packet length specified by the IP specification to attack the target.

DDoS defense: different companies can use different defense methods according to their actual situation. One important consideration is budget, since in most cases the high-defense services and bandwidth you buy go unused.

Commonly used defense methods: 

The main options are local equipment cleaning, operator cleaning and cloud cleaning. Local cleaning equipment is customarily called ADS (anti-DDoS system) equipment in the industry; it can be deployed in bypass (out-of-path) or in-line (tandem) mode, and bypass deployment requires attack traffic to be diverted (traction) to the device.

It can withstand some small-scale traffic attacks, but large-scale attacks are more troublesome. A typical device is the Green Alliance (NSFOCUS) Black Hole.

The biggest problem with local cleaning is that once the DDoS attack traffic exceeds the enterprise's egress bandwidth, the problem cannot be solved even if the ADS equipment could handle the traffic. A typical deployment structure is as follows: a detection device analyzes a mirror of the traffic; when it detects a DDoS attack it notifies the cleaning device; the cleaning device uses BGP or OSPF to divert the traffic destined for the attacked host to itself; and after cleaning, the clean traffic is injected back into the network via policy routing, an MPLS LSP or similar means.

When the detection device detects that the DDoS attack has stopped, it notifies the cleaning device to stop diverting traffic.

Operator cleaning: when local traffic cleaning cannot solve the problem because traffic exceeds the egress bandwidth, it is often necessary to rely on the operator's ability to urgently expand capacity or turn on its cleaning service.

Cloud cleaning: a Content Delivery Network (CDN) is a system that improves access speed and service quality by placing node servers throughout the network so that users are served from the node nearest to them.

CDN utilizes four key technologies: 

Content distribution, content routing, storage, and content management. CDN technology was originally intended to speed up Internet users' access to static websites, but because its distributed, nearest-node access model can dilute attack traffic, some traditional CDN vendors have begun to offer cloud cleaning services alongside cloud acceleration. Cloud cleaning requires attention to the following issues:

(1) Cloud cleaning needs the appropriate DNS records to be configured in advance.

(2) After modifying the DNS record, you need to wait for the TTL to expire before it takes effect.

(3) Direct attacks on the origin IP cannot be protected by cloud cleaning.

Other ways to face DDoS attacks: if there are multiple lines, load balancing can shift the access demand of the attacked line to other Internet lines. Further measures include packet filtering, per-IP access rate limiting, and blocking IPs.

Effective defense against DDoS attacks involves multiple aspects of technology and strategy.

The following are some commonly used defense measures: 

1. Use high bandwidth. Network bandwidth directly determines the ability of the network to resist attacks. High bandwidth supports large data transfers and high-speed Internet connections, providing strong traffic throughput when a large influx of traffic hits the site and reducing network congestion.

2. Use security defense products. Security defense products that provide DDoS protection can effectively defend against malformed packet attacks, SYN Flood, ACK Flood, UDP Flood, ICMP Flood and other network-layer attacks, as well as SSL, DNS and other application-layer attacks. In addition, RuiAnShield can also provide WAF, Bot and API security protection, identify nodes and block various types of attack requests at L3/L4/L7, and cache static resources at edge nodes for acceleration, ensuring both the site's security and its speed.

3. Strengthen the edge. Firewalls and intrusion detection systems (IDS) deployed at the network edge can identify and filter attack traffic to a certain extent. Firewalls can be configured with rules to block unauthorized access, while IDS can analyze packets passing through the network to identify malicious activity.

4. Design redundancy and backup plans. Preparing a recovery plan and business continuity is key to combating DDoS attacks. Ensuring that critical data and applications have redundant backups distributed across multiple geographic locations allows service to be restored quickly if an attack affects one resource.
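An added example, not taken from the article or any product, of the per-IP access rate limiting and temporary IP blocking mentioned among the other defenses above: a token-bucket limiter per client IP, plus a hypothetical simulate() helper that replays a constant request rate from one address; the rates, burst size and ban duration are assumptions.

```python
import time


class IpRateLimiter:
    """Token-bucket limiter per client IP that temporarily blocks clients which
    keep exceeding their allowance. Hypothetical helper written for this article."""

    def __init__(self, rate_per_sec, burst, ban_seconds, strikes_to_ban=3):
        self.rate = float(rate_per_sec)   # tokens refilled per second
        self.burst = float(burst)         # bucket capacity, i.e. the allowed burst
        self.ban_seconds = ban_seconds
        self.strikes_to_ban = strikes_to_ban
        self.buckets = {}                 # ip -> [tokens, last_refill_ts]
        self.strikes = {}                 # ip -> consecutive rejected requests
        self.banned_until = {}            # ip -> timestamp when the block expires

    def allow(self, ip, now=None):
        """Return True if the request from `ip` may proceed, False if it is dropped."""
        now = time.time() if now is None else now
        if self.banned_until.get(ip, 0) > now:
            return False                  # still inside the temporary block
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill
        if tokens >= 1.0:
            self.buckets[ip] = [tokens - 1.0, now]
            self.strikes[ip] = 0
            return True
        self.buckets[ip] = [tokens, now]
        self.strikes[ip] = self.strikes.get(ip, 0) + 1
        if self.strikes[ip] >= self.strikes_to_ban:
            self.banned_until[ip] = now + self.ban_seconds  # block the client
        return False


def simulate(limiter, ip, requests_per_sec, seconds):
    """Replay a constant request rate from one IP starting at t=1000;
    return (allowed, dropped) counts."""
    allowed = dropped = 0
    for k in range(requests_per_sec * seconds):
        now = 1000.0 + k / requests_per_sec
        if limiter.allow(ip, now):
            allowed += 1
        else:
            dropped += 1
    return allowed, dropped
```

A client at 5 requests/s against a 10/s limit is never dropped, while one at 100 requests/s gets only its initial burst through before its address is blocked for the ban period.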
