Author: Ben

Preface
To understand DDoS defense theory, readers should be familiar with common protocols such as IP, TCP, UDP, HTTP and SMTP. Readers also have to understand the principles inside each protocol, e.g. the TCP Three-way Handshake, IP address calculation (for instance, identifying the broadcast address of 10.1.3.24/14) and the definition of each flag in the TCP header. If any of these topics is still unfamiliar, please refer to the related documents before reading this article.
In Part I, we analyzed various DDoS mitigation solutions, each with its own merits. Their common disadvantage, however, is that once DDoS defense is triggered, no packets reach the target server at all, whether or not they belong to a legitimate connection. The server is protected, but attackers whose aim is to shut down the server's service have, in a sense, still achieved their goal.
Therefore, starting from DDoS attack theory, the following sections explain some typical DDoS attacks.
Introduction to TCP DDoS
Some common TCP DDoS attacks are demonstrated as follows:
Readers will notice that many TCP flags appear in these attacks. This is why the TCP principle is briefly introduced in the following section.
Most people think of SYN Flood first when DDoS is mentioned. However, SYN Flood is not the sole ultimate objective of an attack. In practice, SYN Flood is usually the preparation for a follow-on attack that implants a backdoor for stealing confidential data.
TCP principle
Before explaining the TCP principle, readers have to understand the definition of each field in the TCP header. The fields are described in the following table:

| Field | Definition |
|---|---|
| Sequence Number | Separate different TCP connections |
| Acknowledgement Number | The next sequence number that the receiver is expecting |
| HLEN (Head Length) | Specify the size of the TCP header (bit) |
| Code (Flag) | Specify TCP packet content |
| Window | The size of the receive window |
| Options | Determine TCP packet size (default MTU is 536) |
Flag (Code) is highly related to DDoS attacks. The flags are defined as follows:

| Flag | Definition |
|---|---|
| URG | Indicates that the Urgent pointer field is significant. It is usually used for urgent interruption of a service. |
| ACK | Indicates that the Acknowledgment field is significant. |
| PSH | Asks to push the buffered data to the receiving application. |
| RST | Resets the connection. |
| SYN | Synchronizes sequence numbers. |
| FIN | No more data from the sender. |

TCP connection establishment can be divided into the following three parts: the client sends a SYN, the server replies with SYN+ACK, and the client completes the handshake with an ACK. See the following figure:

Accordingly, we have to understand the function of each TCP header field and the definition of each flag in depth, so that we can truly master the TCP principle and prevent attacks.
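As an added example that is not part of the original article, the following Python code decodes the header fields and flags from the two tables above out of a raw TCP segment, and labels which step of the Three-way Handshake a given flag combination corresponds to. The helper `build_tcp_header`, the sample segments and the port and sequence numbers are constructed for this illustration; the checksum is left as zero because computing it needs the IP pseudo-header, which is outside the scope of this example.

```python
import struct

# Flag bits in the low six bits of the TCP "code" (flags) field, per the flag table above.
TCP_FLAGS = {0x20: "URG", 0x10: "ACK", 0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}
FLAG_BITS = {name: bit for bit, name in TCP_FLAGS.items()}


def parse_options(raw: bytes) -> dict:
    """Walk the TCP options area (kind, length, data); decode MSS when present."""
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                 # End of option list
            break
        if kind == 1:                 # No-operation padding
            i += 1
            continue
        if i + 1 >= len(raw):
            break                     # truncated option: stop rather than read past the buffer
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            break                     # malformed length: stop
        data = raw[i + 2:i + length]
        if kind == 2 and len(data) == 2:
            opts["MSS"] = struct.unpack("!H", data)[0]
        else:
            opts[f"kind{kind}"] = data.hex()
        i += length
    return opts


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and its options from a raw segment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the 20-byte minimum TCP header")
    (src_port, dst_port, seq, ack, off_flags,
     window, checksum, urg_ptr) = struct.unpack("!HHIIHHHH", segment[:20])
    hlen_words = off_flags >> 12          # HLEN is counted in 32-bit words
    hlen_bytes = hlen_words * 4
    if hlen_bytes < 20 or hlen_bytes > len(segment):
        raise ValueError(f"invalid HLEN {hlen_words} words")
    flag_bits = off_flags & 0x3F
    flags = [TCP_FLAGS[b] for b in sorted(TCP_FLAGS, reverse=True) if flag_bits & b]
    return {
        "src_port": src_port, "dst_port": dst_port,
        "seq": seq, "ack": ack, "hlen_bytes": hlen_bytes,
        "flags": flags, "window": window, "urgent_pointer": urg_ptr,
        "options": parse_options(segment[20:hlen_bytes]),
        "payload": segment[hlen_bytes:],
    }


def handshake_step(flags):
    """Name the Three-way Handshake step a flag set corresponds to, or None if it is not one."""
    f = set(flags)
    if f == {"SYN"}:
        return "1: client SYN"
    if f == {"SYN", "ACK"}:
        return "2: server SYN+ACK"
    if f == {"ACK"}:
        return "3: client ACK"
    return None


def build_tcp_header(src_port, dst_port, seq, ack, flags, window=65535, options=b"") -> bytes:
    """Constructed helper that assembles a header for the samples below (checksum left as 0)."""
    options += b"\x00" * ((-len(options)) % 4)  # options area is padded to a 32-bit boundary
    hlen_words = (20 + len(options)) // 4
    flag_bits = sum(FLAG_BITS[name] for name in flags)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                       (hlen_words << 12) | flag_bits, window, 0, 0) + options


# Constructed sample segments: the three handshake messages between a client and port 80.
MSS_1460 = b"\x02\x04\x05\xb4"
SAMPLE_SYN = build_tcp_header(40000, 80, 1000, 0, ["SYN"], options=MSS_1460)
SAMPLE_SYNACK = build_tcp_header(80, 40000, 5000, 1001, ["SYN", "ACK"], options=MSS_1460)
SAMPLE_ACK = build_tcp_header(40000, 80, 1001, 5001, ["ACK"])

if __name__ == "__main__":
    for seg in (SAMPLE_SYN, SAMPLE_SYNACK, SAMPLE_ACK):
        h = parse_tcp_header(seg)
        print(handshake_step(h["flags"]), h["flags"], h["seq"], h["ack"], h["options"])
```

Note that HLEN is read in 32-bit words and multiplied by four before it is used as a byte offset; the parser refuses a header whose declared length is shorter than 20 bytes or longer than the segment, which is the check a decoder needs before trusting the options area.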
Introduction to SYN Flooding
Now that the TCP principle has been introduced, this section shows how SYN Flooding works. The following figure represents a normal TCP Three-way Handshake.

The question is what happens if, for some unknown reason, the TCP client cannot send the ACK in the last step of the Three-way Handshake.

The following figure shows that the TCP server will repeatedly resend SYN+ACK until it times out, and then send RST to reset the connection.

DoS and DDoS attack theory
DoS and DDoS attacks can target a wide range of services, including DNS, HTTP and SMTP. In this section, we discuss the TCP SYN Flood.
SYN Round Trip Time (RTT) is the time elapsed between sending SYN+ACK and receiving the ACK. When the server receives the first TCP SYN sent by the client, the TCP connection enters the SYN_RCVD state, i.e. SYN received. After the ACK is received, the server moves to the ESTABLISHED state, i.e. the TCP connection is established.

The point is that every TCP implementation has a limit on its queue of half-open connections. When the number of entries in SYN_RCVD state reaches that limit, the oldest SYN_RCVD entries are dropped to make room for new ones. If someone rapidly sends a large number of SYNs to the server, the SYN_RCVD entry for the first SYN is evicted by the flood of later entries. Even when the legitimate client sends the ACK for its SYN_RCVD entry, that entry no longer exists, so the connection fails.
As a result, a TCP DDoS attack achieves its purpose simply by rapidly consuming SYN_RCVD state.

SYN Flood comes in two basic types: Non-Spoofed (real source IP address) and Spoofed (forged source IP address). A Non-Spoofed attack does not disguise the IP address of the attacking source, so the attacker receives the server's SYN+ACK, which discloses the attacker's location. In a Spoofed attack, on the other hand, the server sends SYN+ACK to the forged IP address, so the real attacker's location is hard to discover. Additionally, the innocent host that owns the forged IP address is itself hit by a large volume of SYN+ACK, i.e. a secondary attack.
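The following Python model is an added example, not part of the original article, illustrating both the SYN_RCVD queue exhaustion described above and the difference a defender sees between a Non-Spoofed and a Spoofed flood. It keeps a server's half-open table with a fixed limit, evicting the oldest entry when full as the text describes, plays a legitimate SYN, a burst of flood SYNs and then the legitimate ACK, and summarizes the table the way a monitoring script would. The `HalfOpenQueue` class, `simulate` function, the limit of 128 and all addresses (taken from the RFC 5737 documentation ranges) are constructed assumptions; real TCP stacks differ in eviction policy and in the extra protections they apply.

```python
import random
from collections import Counter, OrderedDict


class HalfOpenQueue:
    """Simplified model of a server's SYN_RCVD (half-open) table with a fixed limit.

    When the table is full the oldest entry is evicted, as the text describes.
    Assumption: this is a teaching model, not the behaviour of any specific stack.
    """

    def __init__(self, limit):
        self.limit = limit
        self.entries = OrderedDict()   # (src_ip, src_port) -> server ISN sent in SYN+ACK
        self.evicted = 0
        self.established = 0

    def on_syn(self, src_ip, src_port, server_isn):
        key = (src_ip, src_port)
        if key in self.entries:
            return                                  # retransmitted SYN: entry already exists
        if len(self.entries) >= self.limit:
            self.entries.popitem(last=False)        # drop the oldest SYN_RCVD entry
            self.evicted += 1
        self.entries[key] = server_isn              # server answers with SYN+ACK carrying server_isn

    def on_ack(self, src_ip, src_port, ack_num):
        """Third handshake step: succeeds only if the SYN_RCVD entry still exists."""
        key = (src_ip, src_port)
        server_isn = self.entries.get(key)
        if server_isn is None or ack_num != (server_isn + 1) & 0xFFFFFFFF:
            return False                            # entry evicted (or wrong ACK): connection fails
        del self.entries[key]
        self.established += 1
        return True

    def source_summary(self):
        """Defender's view of the table: how full it is and whether one source dominates."""
        if not self.entries:
            return {"half_open": 0, "top_source": None, "top_share": 0.0}
        counts = Counter(ip for ip, _ in self.entries)
        ip, n = counts.most_common(1)[0]
        return {"half_open": len(self.entries), "top_source": ip,
                "top_share": n / len(self.entries)}


def simulate(flood_size, spoofed, limit=128, seed=1):
    """Legitimate SYN, then flood_size attacker SYNs, then the legitimate ACK.

    Returns (ack_succeeded, table_summary). Addresses are constructed sample values.
    """
    rng = random.Random(seed)
    q = HalfOpenQueue(limit)
    # 1. legitimate client's SYN: server allocates SYN_RCVD and sends SYN+ACK with ISN 5000
    q.on_syn("192.0.2.10", 40000, server_isn=5000)
    # 2. the flood arrives before the client's ACK
    for i in range(flood_size):
        if spoofed:
            src_ip = "{}.{}.{}.{}".format(rng.randrange(1, 224), rng.randrange(256),
                                          rng.randrange(256), rng.randrange(1, 255))
        else:
            src_ip = "203.0.113.7"                  # single real source: SYN+ACKs go back to it
        q.on_syn(src_ip, 1024 + i, server_isn=rng.randrange(1 << 32))
    # 3. the legitimate client's ACK (ISN + 1) finally arrives
    ok = q.on_ack("192.0.2.10", 40000, 5001)
    return ok, q.source_summary()


if __name__ == "__main__":
    for flood, spoofed in ((50, False), (200, False), (200, True)):
        ok, summary = simulate(flood, spoofed)
        print(f"flood={flood:<4} spoofed={spoofed!s:<5} legitimate ACK ok={ok!s:<5} {summary}")
```

With 50 flood SYNs the table never fills and the legitimate ACK still completes; with 200 it is evicted and the ACK finds no entry. In the Non-Spoofed run every remaining half-open entry shares one source address, which is exactly the disclosure the text mentions; in the Spoofed run no single source stands out, so the only reliable signal left to a defender is the total half-open count against the limit.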

Conclusion
DDoS attack is both cheap and effective; even 'ping' or 'ab' (Apache Benchmark) can be used to launch one. Apart from Cisco Guard and Detector, there is currently no dedicated defensive device against DDoS attacks. Moreover, a business customer cannot fully control bandwidth attacks on its own. Thus, we also have to rely on the preventive measures offered by the ISP in order to reach a complete DDoS solution.