本文介绍了DDoS攻击的七种常见形式,包括Synflood、Smurf等,并分享了相应的防御策略,如限制TCP连接数、开启防火墙及TCP报文限制等。
DDOS是英文Distributed Denial of Service的缩写,意即"分布式拒绝服务",DDOS的中文名叫分布式拒绝服务攻击,
俗称洪水攻击。DoS的攻击方式有很多种,最基本的DoS攻击就是利用合理的服务请求来占用过多的服务资源,从而使合法用户无法得到服务的响应。
7种常见的DOS攻击法则
1.Synflood: 该 攻击以多个随机的源主机地址向目的主机发送SYN包,而在收到目的主机的SYN ACK后并不回应,这样,目的主机就为这些源主机建立了大量的连接队列, 而且由于没有收到ACK一直维护着这些队列,造成了资源的大量消耗而不能向正常请求提供服务。
2.Smurf:该攻击向一个子网的广播地址发一个带有特定请求(如ICMP回应请求)的包,并且将源地址伪装成想要攻击的主机地址。子网上所有主机都回应广播包请求而向被攻击主机发包,使该主机受到攻击。
3.Land-based:攻击者将一个包的源地址和目的地址都设置为目标主机的地址,然后将该包通过IP欺骗的方式发送给被攻击主机,这种包可以造成被攻击主机因试图与自己建立连接而陷入死循环,从而很大程度地降低了系统性能。
4.Ping of Death: 根据TCP/IP的规范,一个包的长度最大为65536字节。尽管一个包的长度不能超过65536字节,但是一个包分成的多个片段的叠加却能做到。当一个 主机收到了长度大于65536字节的包时,就是受到了Ping of Death攻击,该攻击会造成主机的宕机。
5.Teardrop:IP 数据包在网络传递时,数据包可以分成更小的片段。攻击者可以通过发送两段(或者更多)数据包来实现TearDrop攻击。第一个包的偏移量为0,长度为 N,第二个包的偏移量小于N。为了合并这些数据段,TCP/IP堆栈会分配超乎寻常的巨大资源,从而造成系统资源的缺乏甚至机器的重新启动。
6.PingSweep:使用ICMP Echo轮询多个主机。
7.Pingflood: 该攻击在短时间内向目的主机发送大量ping包,造成网络堵塞或主机资源耗尽。 针对ddos的特点,写点防御心得给大家。
第一:修改注册表,防止轻度DOS攻击.这个不用写了,大家都会,自己GOOGLE找资料去吧。
第二:限制服务器一个IP地址1-3个TCP连接。 假如您的网站框架多建议用6个。 别太多了。超过限制数目封IP ,封闭时间有讲究看最后一条。
第三:打开防火墙只许80,和您的远程管理端口通过。其他任何端口能关的都关了。
第 四:TCP报文限制,把TCP连接时间改为1秒内给定服务器最少发送5个报文,否则封IP,因为DDOS没秒发送的报文大部分都在1-4个。就是和服务器 握手一下马上离开。正常的访问比如打开网页都大于5个报文以上。当然也有例外,为了抵抗DD,误杀一两个不要紧。
第五:服务器资源占用,一个IP 就给每秒100KB的浏量。正常打开网页够了。
第六:服务器进制代理服务器访问。经过抓包分析,DD的IP里面不少是代理服务器。
第七:80的TCP time_wait时间空连接阀值改小点。10-15秒吧。 10秒打不开您的网站就封浏览着IP。
第八:很重要的封ip时间,5-10秒就能够了,封了太长,某些正常客户IP正好和伪IP相同,容易把真的用户给封掉。 封闭5秒,有效防止DDOS。 就是真的用户被封了,刷新一下就又能够打开了。对于DDOS的这样“握”一下服务器IP的假IP比较有效。
就写这么多吧,下次继续。。。 本文选自:http://hi.baidu.com/nick_jack
英文介绍:
DDOS is a Distributed Denial of Service in English acronym means "distributed denial of service", DDOS Chinese by the name of the distributed denial of service attacks, commonly known as flood attacks. DoS attacks on the way there are many, the most basic DoS attacks is the use of reasonable requests for service to a disproportionate amount of resources and services, so that legitimate users can not get the service to respond.
7 common law of DOS attack
1.Synflood: the number of random attacks by the source address of the host to host the purpose of sending SYN packets, and the purpose of the receipt of the SYN ACK after the host does not respond in this way on purpose host for the host to establish the source of a lot of connection queue , But has not received due to the ACK has been to maintain these queues, resulting in a large number of resources consumption and can not be normal to the request.
2.Smurf: the attack to a subnet broadcast address made with a specific request (for example, respond to the request of the ICMP) packet, and the source address of the disguised want to attack the host address. All on-line sub-radio hosts are to respond to the request packet to the host contract had been attacked, the host to attack.
3.Land-based: the attacker will be a source of the package address and destination address are set to host the target address, and then the IP packet through the deception of the attack were sent to the mainframe, which can packages have been created as a result of trying to attack the host And their connection to be trapped in cycle of death, to a large extent, thereby reducing system performance.
4.Ping of Death: According to the TCP / IP standards, a package of up to 65,536 bytes in length. Despite the length of a package can not be more than 65,536 bytes, but a package is divided into a number of fragments can be superimposed. When a host has received more than 65,536 bytes in length when the package is subject to a Ping of Death attacks, the attacks will cause the host downtime.
5.Teardrop: IP packet transmission network, the packets can be divided into smaller segments. An attacker can send two (or more) packets to achieve TearDrop attacks. The first package to offset 0, length N, the second of the offset package is less than N. In order to merge the data above, TCP / IP stack will be the distribution of unusually huge resources, resulting in a lack of system resources or even restart the machine.
6.PingSweep: the use of ICMP Echo hosts a number of polling.
7.Pingflood: The purpose of the attack in a short period of time to host a large number of ping packets, causing the network to plug the host or depletion of resources. Ddos for feature writing experience to the defense at all.
First: to modify the registry to prevent mild DOS attack. Do not have to write this, we all own GOOGLE go looking for information.
The second: an IP address of the server restrictions 1-3 TCP connection. If your multi-site framework proposed by 6 months. Do not too much. Restrictions on the number of closures over IP, closed about time to see the last.
Third: to open the firewall only 80, and your remote management through the port. Any other port related to the shut.
Fourth: TCP packet restrictions on the TCP connection time to be changed to 1 second within a given server at least 5 to send messages, letters or IP, not because of DDOS seconds to send the message most of them in 1-4 months. Is about to shake hands and immediately left servers. For example, the normal access to open web pages are more than 5 or more messages. Of course there are exceptions, in order to resist DD, 12 of manslaughter does not matter.
Fifth: The occupation of server resources, IP gave a 100KB per second, the amount of Liu. Open the pages normal enough.
Sixth: M proxy server access. After analysis of the capture, DD of IP there is a lot of proxy server.
VII: 80 of the TCP time_wait air time to connect Gaixiao point threshold. It 10-15 seconds. 10 seconds could not open the seal on your Web site browser with IP.
Eighth: the importance of closure, 5-time ip can be 10 seconds, the closure is too long, some of the normal customer IP and pseudo-IP is the same, really easy to Fengdiao to the user. Closed 5 seconds, to effectively prevent DDOS. The user is really blocked, you will also be able to refresh the open. DDOS for such "grip" the server's IP fake IP to be more effective.
Xiezhemeduo on it, continue to the next. . .
7种常见的DOS攻击法则
1.Synflood: 该 攻击以多个随机的源主机地址向目的主机发送SYN包,而在收到目的主机的SYN ACK后并不回应,这样,目的主机就为这些源主机建立了大量的连接队列, 而且由于没有收到ACK一直维护着这些队列,造成了资源的大量消耗而不能向正常请求提供服务。
2.Smurf:该攻击向一个子网的广播地址发一个带有特定请求(如ICMP回应请求)的包,并且将源地址伪装成想要攻击的主机地址。子网上所有主机都回应广播包请求而向被攻击主机发包,使该主机受到攻击。
3.Land-based:攻击者将一个包的源地址和目的地址都设置为目标主机的地址,然后将该包通过IP欺骗的方式发送给被攻击主机,这种包可以造成被攻击主机因试图与自己建立连接而陷入死循环,从而很大程度地降低了系统性能。
4.Ping of Death: 根据TCP/IP的规范,一个包的长度最大为65536字节。尽管一个包的长度不能超过65536字节,但是一个包分成的多个片段的叠加却能做到。当一个 主机收到了长度大于65536字节的包时,就是受到了Ping of Death攻击,该攻击会造成主机的宕机。
5.Teardrop:IP 数据包在网络传递时,数据包可以分成更小的片段。攻击者可以通过发送两段(或者更多)数据包来实现TearDrop攻击。第一个包的偏移量为0,长度为 N,第二个包的偏移量小于N。为了合并这些数据段,TCP/IP堆栈会分配超乎寻常的巨大资源,从而造成系统资源的缺乏甚至机器的重新启动。
6.PingSweep:使用ICMP Echo轮询多个主机。
7.Pingflood: 该攻击在短时间内向目的主机发送大量ping包,造成网络堵塞或主机资源耗尽。 针对ddos的特点,写点防御心得给大家。
第一:修改注册表,防止轻度DOS攻击.这个不用写了,大家都会,自己GOOGLE找资料去吧。
第二:限制服务器一个IP地址1-3个TCP连接。 假如您的网站框架多建议用6个。 别太多了。超过限制数目封IP ,封闭时间有讲究看最后一条。
第三:打开防火墙只许80,和您的远程管理端口通过。其他任何端口能关的都关了。
第 四:TCP报文限制,把TCP连接时间改为1秒内给定服务器最少发送5个报文,否则封IP,因为DDOS没秒发送的报文大部分都在1-4个。就是和服务器 握手一下马上离开。正常的访问比如打开网页都大于5个报文以上。当然也有例外,为了抵抗DD,误杀一两个不要紧。
第五:服务器资源占用,一个IP 就给每秒100KB的浏量。正常打开网页够了。
第六:服务器进制代理服务器访问。经过抓包分析,DD的IP里面不少是代理服务器。
第七:80的TCP time_wait时间空连接阀值改小点。10-15秒吧。 10秒打不开您的网站就封浏览着IP。
第八:很重要的封ip时间,5-10秒就能够了,封了太长,某些正常客户IP正好和伪IP相同,容易把真的用户给封掉。 封闭5秒,有效防止DDOS。 就是真的用户被封了,刷新一下就又能够打开了。对于DDOS的这样“握”一下服务器IP的假IP比较有效。
就写这么多吧,下次继续。。。 本文选自:http://hi.baidu.com/nick_jack
英文介绍:
DDOS is a Distributed Denial of Service in English acronym means "distributed denial of service", DDOS Chinese by the name of the distributed denial of service attacks, commonly known as flood attacks. DoS attacks on the way there are many, the most basic DoS attacks is the use of reasonable requests for service to a disproportionate amount of resources and services, so that legitimate users can not get the service to respond.
7 common law of DOS attack
1.Synflood: the number of random attacks by the source address of the host to host the purpose of sending SYN packets, and the purpose of the receipt of the SYN ACK after the host does not respond in this way on purpose host for the host to establish the source of a lot of connection queue , But has not received due to the ACK has been to maintain these queues, resulting in a large number of resources consumption and can not be normal to the request.
2.Smurf: the attack to a subnet broadcast address made with a specific request (for example, respond to the request of the ICMP) packet, and the source address of the disguised want to attack the host address. All on-line sub-radio hosts are to respond to the request packet to the host contract had been attacked, the host to attack.
3.Land-based: the attacker will be a source of the package address and destination address are set to host the target address, and then the IP packet through the deception of the attack were sent to the mainframe, which can packages have been created as a result of trying to attack the host And their connection to be trapped in cycle of death, to a large extent, thereby reducing system performance.
4.Ping of Death: According to the TCP / IP standards, a package of up to 65,536 bytes in length. Despite the length of a package can not be more than 65,536 bytes, but a package is divided into a number of fragments can be superimposed. When a host has received more than 65,536 bytes in length when the package is subject to a Ping of Death attacks, the attacks will cause the host downtime.
5.Teardrop: IP packet transmission network, the packets can be divided into smaller segments. An attacker can send two (or more) packets to achieve TearDrop attacks. The first package to offset 0, length N, the second of the offset package is less than N. In order to merge the data above, TCP / IP stack will be the distribution of unusually huge resources, resulting in a lack of system resources or even restart the machine.
6.PingSweep: the use of ICMP Echo hosts a number of polling.
7.Pingflood: The purpose of the attack in a short period of time to host a large number of ping packets, causing the network to plug the host or depletion of resources. Ddos for feature writing experience to the defense at all.
First: to modify the registry to prevent mild DOS attack. Do not have to write this, we all own GOOGLE go looking for information.
The second: an IP address of the server restrictions 1-3 TCP connection. If your multi-site framework proposed by 6 months. Do not too much. Restrictions on the number of closures over IP, closed about time to see the last.
Third: to open the firewall only 80, and your remote management through the port. Any other port related to the shut.
Fourth: TCP packet restrictions on the TCP connection time to be changed to 1 second within a given server at least 5 to send messages, letters or IP, not because of DDOS seconds to send the message most of them in 1-4 months. Is about to shake hands and immediately left servers. For example, the normal access to open web pages are more than 5 or more messages. Of course there are exceptions, in order to resist DD, 12 of manslaughter does not matter.
Fifth: The occupation of server resources, IP gave a 100KB per second, the amount of Liu. Open the pages normal enough.
Sixth: M proxy server access. After analysis of the capture, DD of IP there is a lot of proxy server.
VII: 80 of the TCP time_wait air time to connect Gaixiao point threshold. It 10-15 seconds. 10 seconds could not open the seal on your Web site browser with IP.
Eighth: the importance of closure, 5-time ip can be 10 seconds, the closure is too long, some of the normal customer IP and pseudo-IP is the same, really easy to Fengdiao to the user. Closed 5 seconds, to effectively prevent DDOS. The user is really blocked, you will also be able to refresh the open. DDOS for such "grip" the server's IP fake IP to be more effective.
Xiezhemeduo on it, continue to the next. . .
扫一扫
11万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
