Common DDoS Attacks and Defense Methods

Nov 12, 2024 | 39 mins read

In the digital age, the threat of DDoS attacks looms large over the online world. Understanding the common DDoS attack types and their corresponding defense methods is crucial for safeguarding your network infrastructure. From volumetric attacks that flood your network with massive traffic to more sophisticated application-layer assaults, we'll explore the details. Our comprehensive guide on com



In the field of network security, DDoS attacks have always been a hot topic, and as network technology develops and network environments grow more complex, DDoS attacks have become more frequent and more destructive. According to the 2023 Annual Comprehensive Report on Network Security Situation Research and Analysis, the number of network-layer DDoS attacks observed across the whole Internet for the year reached 251 million!

A DDoS (Distributed Denial of Service) attack is a network attack in which the attacker uses one or more computers in different locations to attack one or more targets at the same time, consuming the target servers' processing capacity or network bandwidth so that the servers slow down or go down and can no longer provide service normally.

DDoS attacks are a common type of network attack and one of the most important Internet security threats today.


DDoS Attack Techniques

Common techniques include direct flooding attacks (SYN, ACK, ICMP and UDP floods), reflection attacks that abuse specific applications or protocols, and application-layer attacks such as CC and slow HTTP.

ICMP Flood 

The attacker sends a large number of ICMP Echo requests to the target server, exhausting its resources so that it can no longer respond normally to other network requests.

ICMP Reflection Flood Attack 

This is the Smurf attack: the attacker sends ICMP packets to a broadcast address, so every host in the broadcast domain replies, and the replies all go to the spoofed source IP address, which points at the target host. The spoofed address can be any address on the Internet, not necessarily a local one. If the attacker keeps sending such ICMP packets, the target is denied service.

UDP Flood 

The attacker sends a large number of UDP packets to the target server, which is unable to process such a volume of invalid packets, resulting in service failure. The attack exploits the connectionless nature of UDP: the server must spend resources on every packet it receives, so a flood of UDP packets exhausts them.

SYN Flood 

The attacker sends SYN packets to the target host from many random (spoofed) source addresses and never responds to the SYN+ACK packets the target sends back. The target allocates a connection-queue entry for each of these sources and keeps it open while waiting for the final ACK, which never arrives; the queue fills up, resources are consumed, and normal requests can no longer be served.
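One well-known way to stop this queue from filling is to issue SYN cookies: the server encodes a keyed hash of the connection 4-tuple and a coarse timestamp in the initial sequence number of its SYN+ACK and keeps no state until a valid ACK returns. The Python simulation below is an added example, not code from the original article; the key, backlog size, addresses and the flood itself are constructed for the demonstration.

```python
import hashlib
import hmac
import random

SECRET = b"constructed-demo-key"  # a real server draws this randomly at boot
WINDOW = 64                       # seconds per counter tick, as in classic SYN cookies
BACKLOG = 128                     # half-open entries a stateful listener will hold

def _mac(src, sport, dst, dport, counter):
    # 24-bit keyed hash binding the cookie to the 4-tuple and the time counter
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src, sport, dst, dport, now):
    """ISN for the SYN-ACK: 8-bit time counter in the top byte, 24-bit MAC below."""
    counter = int(now) // WINDOW
    return ((counter & 0xFF) << 24) | _mac(src, sport, dst, dport, counter)

def check_cookie(src, sport, dst, dport, ack, now):
    """Accept the final ACK only if ack-1 is a cookie we could have issued recently."""
    isn = (ack - 1) & 0xFFFFFFFF
    cur = int(now) // WINDOW
    for counter in (cur, cur - 1):  # tolerate one window boundary crossing
        if (counter & 0xFF) == isn >> 24 and (isn & 0xFFFFFF) == _mac(src, sport, dst, dport, counter):
            return True
    return False

def simulate(n_bogus, now=1_000_000, seed=1):
    """Replay n_bogus SYNs from random, never-answering sources, then one real client.
    Returns (stateful_accepts_client, stateless_accepts_client)."""
    rng = random.Random(seed)
    half_open = set()  # the stateful listener's SYN queue, one entry per half-open source
    for _ in range(n_bogus):
        src = f"203.0.113.{rng.randrange(256)}"  # constructed spoofed source, never ACKs
        if len(half_open) < BACKLOG:
            half_open.add((src, rng.randrange(1024, 65535)))
        # the stateless listener answers with a cookie ISN and stores nothing
    client = ("198.51.100.7", 40000, "192.0.2.10", 443)  # constructed legitimate client
    stateful_ok = len(half_open) < BACKLOG  # queue full means the real SYN is dropped
    isn = make_cookie(*client, now)
    stateless_ok = check_cookie(*client, isn + 1, now + 3)  # client's ACK arrives 3 s later
    return stateful_ok, stateless_ok
```

With a large enough flood the stateful listener refuses the legitimate client while the cookie-based one still completes its handshake; a cookie older than two windows, or one replayed from another address, is rejected.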

NTP Flood 

An NTP attack is a DDoS attack that uses NTP servers as intermediaries against the target system. The attacker sends a large number of forged NTP queries to an NTP server, which then sends a large amount of NTP response data to the target, consuming the target's bandwidth and system resources.

CC Attack 

A CC (Challenge Collapsar) attack is a type of DDoS attack in which the attacker sends forged HTTP requests to target web servers, choosing requests that require complex, time-consuming computation or database operations. These exhaust the servers' resources until they stop responding, so that access becomes slow or the site becomes inaccessible.


NTP (Network Time Protocol) Flood 

NTP is a standard network time synchronization protocol transported over UDP; because UDP is connectionless, source addresses are easy to forge. The attacker sends specially crafted packets to a server that acts as a reflector, with the source IP address forged to be the target's. The reflector, taking the packet at face value, sends its response to the target, exhausting the bandwidth of the target's network.

NTP servers generally have plenty of bandwidth, so an attacker with only 1 Mbps of upload bandwidth may be able to spoof enough queries to direct hundreds or thousands of Mbps of traffic at the target. Any "query-answer" protocol can be used for such a reflection attack: the source address of the query is forged as the target's and the answer is sent to the target, and if the protocol amplifies the query (a small request yields a much larger response), the traffic is greatly magnified. This can be called a "kill by borrowing a knife" type of traffic attack.

DNS Query Flood 

DNS, as one of the core services of the Internet, is naturally a major target of DDoS attacks. 

A DNS Query Flood manipulates a large number of puppet (bot) machines into sending a large number of domain name resolution requests to the target server. When the server receives a resolution request, it first checks whether it has a cached answer; if it does not and cannot resolve the name directly, it recursively queries its upstream DNS servers for the domain name information.

Usually the names the attacker asks to resolve are randomly generated or do not exist on the network. Since no result can be found locally, the server must recursively submit the request to higher-level DNS servers, causing a chain reaction. The resolution process puts a heavy load on the server, and once the number of resolution requests per second exceeds a certain level the DNS server begins timing out on resolutions.

According to Microsoft's statistics, the maximum number of dynamic domain name queries a DNS server can handle is 9,000 requests per second. A P3 PC can easily generate tens of thousands of domain name resolution requests per second, enough to paralyze a DNS server with a very high hardware configuration, which shows how vulnerable DNS servers are.
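A resolver-side detector for this pattern looks for bursts of NXDOMAIN answers whose leftmost labels look random, which distinguishes a random-name flood from ordinary typos. The Python below is an added example rather than code from the article; the log format, the log lines and the thresholds are constructed for the demonstration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver query log (not from the article): "<epoch> <client> <qname> <rcode>"
SAMPLE_LOG = """\
1700000000 192.0.2.10 www.example.com NOERROR
1700000000 192.0.2.10 mail.example.com NOERROR
1700000000 192.0.2.10 wwww.example.com NXDOMAIN
1700000000 198.51.100.5 x7q2kd9zp1.example.com NXDOMAIN
1700000000 198.51.100.5 b3mzt0wq8e.example.com NXDOMAIN
1700000000 198.51.100.5 r5hy4nc6ju.example.com NXDOMAIN
1700000000 198.51.100.5 k9vs2ol7ai.example.com NXDOMAIN
1700000000 198.51.100.5 f1gd8mx3cw.example.com NXDOMAIN
1700000000 198.51.100.5 t6pb0qe5ny.example.com NXDOMAIN
1700000001 192.0.2.10 api.example.com NOERROR
"""

def label_entropy(qname):
    """Shannon entropy (bits per character) of the leftmost label; random labels score high."""
    label = qname.split(".")[0]
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def parse(log_text):
    """Yield (second, client, qname, rcode) for each well-formed log line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, client, qname, rcode = parts
            yield int(ts), client, qname, rcode

def find_query_floods(log_text, nx_per_sec=5, min_entropy=3.0):
    """Flag clients that, within one second, trigger >= nx_per_sec NXDOMAIN answers
    for names whose leftmost labels look random (mean entropy >= min_entropy)."""
    nx_names = defaultdict(list)  # (client, second) -> NXDOMAIN qnames in that second
    for ts, client, qname, rcode in parse(log_text):
        if rcode == "NXDOMAIN":
            nx_names[(client, ts)].append(qname)
    flagged = {}
    for (client, sec), names in nx_names.items():
        if len(names) < nx_per_sec:
            continue  # a handful of typos is normal
        mean_entropy = sum(label_entropy(q) for q in names) / len(names)
        if mean_entropy >= min_entropy:
            flagged[client] = {"second": sec, "nxdomain": len(names),
                               "mean_entropy": round(mean_entropy, 2)}
    return flagged
```

Clients flagged this way are candidates for per-client response rate limiting rather than for recursion, which keeps the upstream chain reaction from starting.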

Teardrop Attack 

The attacker sends malformed IP packets, such as overlapping fragments or oversized payloads, to the target machine. Through a bug in the fragmentation and reassembly code of the TCP/IP stack, this can bring down a variety of different operating systems.

Ping of Death 

The attacker exploits the case where the length of a single packet exceeds the maximum packet length allowed by the IP specification, which the target's stack may not handle safely.

DDoS Defense

Different enterprises can choose different defense methods according to their actual situation. The most important consideration is usually budget: most of the time, the high-defense (anti-DDoS) service you can afford to buy will not match the volume of attack traffic.

Commonly used defense methods: local cleaning equipment, operator (carrier) cleaning, and cloud cleaning.

Local cleaning equipment 

The industry usually calls this ADS (anti-DDoS system) equipment. It can be deployed in bypass (out-of-path) or inline mode; in bypass mode, the attack traffic has to be diverted to the device when an attack occurs. It can withstand small-scale traffic attacks, but large-scale attacks are more troublesome. A typical product is the Black Hole of NSFOCUS (Green Alliance).

The biggest problem with local cleaning is that once the DDoS attack traffic exceeds the enterprise's egress bandwidth, the link itself is saturated, and the ADS device cannot solve the problem even if it could handle the traffic.

A typical deployment works as follows: a detection device analyzes mirrored traffic and, when it detects a DDoS attack, notifies the cleaning device; the cleaning device uses BGP or OSPF to divert the traffic destined for the targeted host to itself, cleans it, and injects the clean traffic back into the network through policy routing, MPLS LSPs or similar means. When the detection device sees that the attack has stopped, it notifies the cleaning device to stop the diversion.

Operator Cleaning 

When local cleaning cannot cope because the attack traffic exceeds the egress bandwidth, it is often necessary to rely on the operator (carrier) to urgently expand capacity or activate its cleaning service.

Cloud Cleaning 

A Content Delivery Network (CDN) improves access speed and service quality by placing node servers throughout the network so that users are served from the node nearest to them. CDNs rely on four key technologies: content delivery, content routing, content storage, and content management. CDNs can also be used to quickly restore services when they become unavailable.

CDN technology was originally intended to speed up Internet users' access to static websites, but because it is distributed and serves users from nearby nodes, it also dilutes attack traffic. So some traditional CDN vendors, in addition to providing cloud acceleration, have begun to offer cloud cleaning services.

Cloud cleaning requires attention to the following issues:

(1) Cloud cleaning requires the appropriate DNS records to be configured in advance.

(2) After a DNS record is modified, you have to wait for the old record's TTL to expire before the change takes effect.

(3) Attacks aimed directly at the origin server's IP address cannot be protected by cloud cleaning.

Other methods 

When facing a DDoS attack, if multiple Internet lines are available, you can shift the traffic from the attacked line to the other lines through load balancing.

Packet filtering

Per-IP access rate limiting

IP blocking
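Per-IP rate limiting and IP blocking from the list above can be combined in one mechanism: a token bucket per client address that escalates to a temporary block after repeated overruns, which is also the usual first line against CC-style request floods. This Python example is added here and is not from the article; the rates, thresholds, addresses and sample traffic are assumptions.

```python
from collections import defaultdict

class PerIpLimiter:
    """Token bucket per client IP; repeated overruns escalate to a temporary block.
    rate = tokens refilled per second, burst = bucket size (max requests in a burst)."""

    def __init__(self, rate, burst, strikes=3, block_seconds=60):
        self.rate, self.burst = rate, burst
        self.strikes, self.block_seconds = strikes, block_seconds
        self.buckets = {}                 # ip -> (tokens, last_seen)
        self.overruns = defaultdict(int)  # consecutive rejections per ip
        self.blocked_until = {}           # ip -> time at which the block expires

    def allow(self, ip, now):
        """Return True if the request from ip at time now may pass, else False."""
        if self.blocked_until.get(ip, 0.0) > now:
            return False  # still blocked: drop without touching the bucket
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last seen
        if tokens >= 1.0:
            self.buckets[ip] = (tokens - 1.0, now)
            self.overruns[ip] = 0
            return True
        self.buckets[ip] = (tokens, now)
        self.overruns[ip] += 1
        if self.overruns[ip] >= self.strikes:  # persistent overrun: block the address
            self.blocked_until[ip] = now + self.block_seconds
            self.overruns[ip] = 0
        return False

def replay(events, rate=2.0, burst=5):
    """Feed (time, ip) events through one limiter; returns {ip: (allowed, denied)}."""
    limiter = PerIpLimiter(rate, burst)
    stats = defaultdict(lambda: [0, 0])
    for t, ip in sorted(events):
        stats[ip][0 if limiter.allow(ip, t) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}

# Constructed traffic: a normal browser at 2 req/s and one source sending 100 req in 1 s
NORMAL = [(t * 0.5, "192.0.2.10") for t in range(10)]
FLOOD = [(1.0 + i * 0.01, "203.0.113.9") for i in range(100)]
```

With the defaults the normal client is never throttled, while the flooding source gets its 5-request burst, three rejections, and is then blocked for the rest of the minute.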

Defense Measures

Effective defense against DDoS attacks involves several aspects of technology and strategy; the following are some common measures:

1. Use high bandwidth

Network bandwidth directly determines a network's ability to withstand attacks. High bandwidth supports large volumes of data transfer and high-speed Internet connections, providing strong throughput when a large amount of traffic hits the site and reducing network congestion.

2. Adopt security defense products

Using security defense products that provide DDoS protection can effectively defend against malformed packet attacks and network-layer floods such as SYN Flood, ACK Flood, UDP Flood and ICMP Flood, as well as application-layer attacks on SSL, DNS and other services.

In addition, RuiAnShield can provide WAF, bot and API security protection, identifying and blocking various types of attack requests at layers 3, 4 and 7 on its nodes; it can also cache static resources on edge nodes for acceleration, keeping the site both secure and fast.

3. Enhance edge defenses

Firewalls and intrusion detection systems (IDS) deployed at the edge of the network can identify and filter attack traffic to a certain extent. Firewalls can be configured with rules to block unauthorized access, while IDS can analyze packets passing through the network to identify malicious activity. 

4. Design redundancy and backup plans 

Having a recovery plan and business continuity ready is key to fighting DDoS attacks. Ensuring that critical data and applications have redundant backups and are distributed across multiple geographic locations allows you to recover from an attack that affects resources in one place.
