Talking about DDos Attack and Defense

Water can carry a boat, can also overturn the boat

I recently revisited Dow’s classic masterpiece “White Hat Speaking Web Security”. It is not enough to find a good book to read it once. Each taste has a different taste. This book focuses on corporate security, which means that the emphasis is on the security construction within the enterprise, rather than on some loopholes. After reading it again, I feel that I need to take some notes to strengthen my memory. So I started with this article and recorded some notes of classic books I have seen. This article is mainly used to record the knowledge of DDos attack and defense after reading “White Hat Speaking Web Security”. Most of the content of this record comes from “White Hat Says Web Security”, thank you!

Introduction to DDos

DDos is also called Distributed Denial of Service. The full name is Distributed Denial of Service. The attack caused by DDos is called denial of service attack. The principle is to use a large number of requests to cause resource overload, resulting in service unavailability.
DDos attacks can be divided into network layer attacks and application layer attacks. The attack methods can be divided into fast traffic attacks and slow traffic attacks. However, the principle is that resources are overloaded and services are unavailable.

Network layer DDos attack

Network layer DDos attacks include SYN flood, UDP flood, and ICMP flood.

SYN flood attack

The SYN flood attack mainly utilizes the bug in the TCP three-way handshake process. We know that the TCP three-way handshake process is to establish a connection between the two parties to send SYN, SYN+ACK, ACK packets, and when the attacker randomly constructs the source ip to send the SYN packet. The SYN+ACK returned by the server cannot be answered (because ip is arbitrarily constructed), the server will try to resend, and there will be at least 30s of waiting time, causing the resource saturation service to be unavailable. This attack is slow. Dos attack.

UDP flood attack

Since udp is a connectionless protocol, an attacker can forge a large number of source IP addresses to send udp packets. Such attacks are high-traffic attacks. Under normal application conditions, the UDP packet bidirectional traffic will be basically equal, so it also consumes its own resources when consuming the other party’s resources.

ICMP flood attack

This attack is a large-traffic attack. The principle is to continuously send abnormal ICMP packets (so-called abnormal ICMP packets are large), causing the target bandwidth to be occupied, but its own resources will also be consumed. And many servers are currently banned (the icmp package can be blocked in the firewall), so this method is outdated.

Network layer DDos defense

  • Optimized on the network architecture, using load balancing and shunting.
  • Add anti-DDos device, flow cleaning.
  • Limit the frequency of single ip requests.
  • Protection settings such as firewalls prohibit icmp packages, etc.

The nature of DDos attacks at the network layer is in fact unprotectable. What we can do is to continuously optimize our network architecture and increase network bandwidth.

Application layer DDos attack

The application layer DDos attack does not occur at the network layer. It occurs when the application handles the request after the TCP setup handshake succeeds.

CC Attack

There is another interesting source of CC attacks. It is said that Green League developed a product called “Collapasar” to defend against DDos attacks, which can effectively defend against SYN flood attacks. However, in order to provoke, the hacker developed a Challenge Collapasar tool (CC).
The principle of a CC attack is to continuously initiate an abnormal request for a page that consumes a large amount of resources, resulting in exhaustion of resources. Therefore, before sending a CC attack, we need to find a web page that is slow to load and consumes more resources, such as pages that need to query the database, read and write hard disk files, and so on. With cc attacks, crawlers are used to initiate http requests for certain pages that need to consume a lot of resources.


This is a denial of service attack caused by a webserver middleware vulnerability, the principle of which is to send HTTP requests to the server at a very low speed. Middleware such as apache will set the maximum number of concurrent links by default, and this kind of attack will continue to maintain the connection, resulting in service saturation is not available. Slowloris is a bit like a SYN flood attack based on the HTTP protocol.


Construct the following malformed http request package

GET / HTTP/1.1\r\n
Host: Victim host\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n
Content-Length: 42\r\n

The end of the full http request header should be twice\r\n\r\n, which is missing once, so the server will wait.


The principle is to specify a very large Content-Length value when sending an HTTP POST packet, and then send the packet at a very low speed, keeping the connection constant, resulting in service saturation being unavailable.


Construct the following malformed http request package

GET / HTTP/1.1\r\n
Host: Victim host\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n
Content-Length: 9999999999\r\n\r\n

Slow Read attack

The Slow Read attack method uses the size of the sliding window in the TCP protocol to control the size of the data sent and sent by the server, so that the server needs to split a response into a number of packets to send.

Server Limit Dos

This is due to the dos attack caused by cookies, of course, the principle is based on the characteristics of the webserver. The default maximum http header length of apache is 8192 bytes. If this length is exceeded, a 4xx error will be returned. If we use the storage xss vulnerability to write a very long cookie to the client page, then after the user accesses this page, the request header will load a malicious long cookie, which will prevent it from accessing the page of the station (unless it is emptied). Cookie)


This is due to the flawed code writing, which leads to a large amount of resource consumption when using regular rules, resulting in the service being unavailable, which is determined by the use of regular expressions in the matching characteristics.

Application layer DDos defense

  • Determine the User-Agent field (unreliable, because it can be constructed at will)
  • Mosaic js code in web pages (unreliable, because crawlers can also carry browser engines, or execute js code)
  • For ip+cookie, limit access frequency (because cookies can be changed, ip can use proxy, or broiler, not reliable)
  • Add a verification code to the page, such as when searching the database.
  • When writing code, try to achieve optimization, and use the cache technology reasonably, reducing the database read operation.

The defense of the application layer is sometimes more difficult than the network layer, because there are many factors that cause the application layer to be attacked by dos. Sometimes it is often because of the programmer’s mistakes, which causes a certain page to load and consumes a lot of resources, sometimes because the middleware is improperly configured. and many more. The core of the application layer DDos defense is to distinguish between people and machines (crawlers), because a large number of requests can not be artificial, certainly machine-built. Therefore, if you can effectively distinguish between human and reptile behavior, you can defend against this attack well.

Wireless DDOS

@Updated on May 31, 2017

Auth Flood Attack

Auth Flood attack: that is, an authentication flood attack. The attack target is mainly for those associated clients that are authenticated and associated with the AP. The attacker will send a large number of forged authentication request frames (forged authentication services and status codes) to the AP when receiving a large number of forged identities. When the verification request exceeds the capacity that can be withheld, the AP will disconnect other wireless services.

Deauth Flood Attack

The Deauth Flood attack is a de-authentication flood attack. It is designed to turn a client into an unassociated/unauthenticated state by spoofing the unauthentication frame from the AP to the client unicast address. For current tools, this form of attack is very effective and fast in interrupting customer wireless services. In general, before the attacker sends another unauthentication frame, the client re-associates and authenticates to get the service again. The attacker repeatedly spoofs the cancellation of the authentication frame in order for all clients to continue to refuse service.

Association Flood Attack

The Association Flood attack is an associated flood attack. A list built into the wireless router or access point is the connection status table, which shows the status of all wireless clients that are connected to the AP. It attempts to flood the AP’s client association table by exploiting a large number of impersonation and forged wireless client associations to achieve the purpose of flooding the AP.
Because open authentication (empty authentication) allows any client to be authenticated after association. An attacker who exploits this vulnerability can flood a client’s client association table of the target AP by creating multiple clients that reach the connected or associated client to mimic many clients.

Disassociation Flood Attack

The Disassociation Flood attack is a disassociation flood attack, which is similar to the deauthenticaiton flood attack. It forces the client to become unassociated/unauthenticated by spoofing the unassociated frames from the AP to the client. In general, the client re-associates to get the service again before the attacker sends another un-association frame. The attacker repeatedly spoofs the unrelated frame in order for the client to continue to refuse the service.
The Disassociation Broadcast attack and the Disassociation Flood attack are basically the same, but differ in the degree of transmission and the tools used. The former is often used for wireless man-in-the-middle attacks, while the latter is often used for target-determined peer-to-peer wireless DOS, such as destruction or interference designation. Wireless access points of institutions or departments, etc.

RF Jamming Attack

The RF Jamming attack is an RF jamming attack. The attack is to destroy normal wireless communication by emitting interference radio frequency. The first few attacks are mainly based on wireless communication processes and protocols. RF is radio frequency, mainly including wireless signal transmitters and receivers.

本文标题:Talking about DDos Attack and Defense


发布时间:2017年05月10日 - 09:05

最后更新:2019年08月16日 - 15:08


许可协议: 署名-非商业性使用-禁止演绎 4.0 国际 转载请保留原文链接及作者。

nmask wechat