
DDoS Quick Guide - Part 1

IRCAR201404207
Date: 2014-04-01

The core concepts of cyber security are availability, integrity, and confidentiality. Denial of Service (DoS) attacks impact the availability of information resources. The DoS is successful if it renders information resources unavailable. Success and impact differ in that impact is relative to the victim.

Possible DDoS Traffic Types

HTTP Header

HTTP headers are fields which describe which resources are requested, such as a URL, a form, a JPEG, etc. HTTP headers also inform the web server what kind of web browser is being used. Common HTTP headers are GET, POST, ACCEPT, LANGUAGE, and USER AGENT. The requester can insert as many headers as they want and can make them communication specific. DDoS attackers can change these and many other HTTP headers to make it more difficult to identify the attack origin. In addition, HTTP headers can be designed to manipulate caching and proxy services. For example, it is possible to ask a caching proxy not to cache the information.

HTTP POST Flood

An HTTP POST Flood is a type of DDoS attack in which the volume of POST requests overwhelms the server so that the server cannot respond to them all. This can result in exceptionally high utilization of system resources and consequently crash the server.

HTTP POST Request

An HTTP POST Request is a method that submits data in the body of the request to be processed by the server. For example, a POST request takes the information in a form and encodes it, then posts the content of the form to the server.

HTTPS POST Flood

An HTTPS POST Flood is an HTTP POST flood sent over an SSL session. Due to the use of SSL it is necessary to decrypt this request in order to inspect it.

HTTPS POST Request

An HTTPS POST Request is an encrypted version of an HTTP POST request. The actual data transferred back and forth is encrypted.

HTTPS GET Flood

An HTTPS GET Flood is an HTTP GET flood sent over an SSL session. Due to the SSL, it is necessary to decrypt the requests in order to mitigate the flood.

HTTPS GET Request

An HTTPS GET Request is an HTTP GET Request sent over an SSL session. Due to the use of SSL, it is necessary to decrypt the requests in order to inspect them.

HTTP GET Flood

An HTTP GET Flood is a layer 7 (application layer) DDoS attack method in which attackers send a huge flood of requests to the server to overwhelm its resources. As a result, the server cannot respond to legitimate requests.

HTTP GET Request

An HTTP GET Request is a method that requests information from the server. A GET request asks the server to give you something such as an image or script so that it may be rendered by your browser.
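The HTTP GET and POST flood descriptions above are easiest to understand from the server's side: a flood is visible in the access log as one source issuing far more requests in a short window than a browser ever would, often with rotating User-Agent headers as the header section describes. The following example is added here and is not part of the original guide or of US-CERT material. It parses Common Log Format lines, keeps a sliding per-IP window, and reports sources that exceed a threshold. The log lines, addresses, window size and threshold are all constructed for illustration.

```python
"""HTTP GET/POST flood detection over access-log lines (added example, not from the guide)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format, e.g.
# 203.0.113.7 - - [01/Apr/2014:10:00:00 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_floods(lines, window_s=10, max_requests=20, methods=("GET", "POST")):
    """Return {ip: peak request count seen within any window_s seconds}
    for every source whose peak exceeds max_requests.

    Lines are assumed to be in chronological order per source IP, as a
    server log normally is; the per-IP deque holds timestamps still inside
    the window and is trimmed from the left as time moves on."""
    windows = defaultdict(deque)
    peaks = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in methods:
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        peaks[rec["ip"]] = max(peaks[rec["ip"]], len(q))
    return {ip: n for ip, n in peaks.items() if n > max_requests}


def build_sample_log():
    """Constructed sample: 203.0.113.7 sends 50 POSTs in 5 seconds while
    rotating its User-Agent; 198.51.100.4 browses normally (5 GETs in 48 s)."""
    base = datetime(2014, 4, 1, 10, 0, 0)
    fmt = "%d/%b/%Y:%H:%M:%S"
    agents = ["Mozilla/5.0", "curl/7.35", "Opera/9.80"]
    lines = []
    for i in range(50):
        t = base + timedelta(milliseconds=100 * i)
        lines.append(f'203.0.113.7 - - [{t.strftime(fmt)} +0000] '
                     f'"POST /login HTTP/1.1" 200 512 "-" "{agents[i % 3]}"')
    for i in range(5):
        t = base + timedelta(seconds=12 * i)
        lines.append(f'198.51.100.4 - - [{t.strftime(fmt)} +0000] '
                     f'"GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    print(detect_floods(build_sample_log()))  # {'203.0.113.7': 50}
```

The detector keys on the source address only, which is why the changing User-Agent in the sample does not hide the flood; conversely, a flood spread across many sources stays under a per-IP threshold and needs a per-URL or aggregate counter instead.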

SYN Flood (TCP/SYN)

SYN Flood works by establishing half-open connections to a node. When the target receives a SYN packet to an open port, the target will respond with a SYN-ACK and try to establish a connection. However, during a SYN flood, the three-way handshake never completes because the client never responds to the server's SYN-ACK. As a result, these "connections" remain in the half-open state until they time out.

UDP Flood

UDP floods are used frequently for larger bandwidth DDoS attacks because they are connectionless and it is easy to generate protocol 17 (UDP) messages from many different scripting and compiled languages.

ICMP Flood

Internet Control Message Protocol (ICMP) is primarily used for error messaging and typically does not exchange data between systems. ICMP packets may accompany TCP packets when connecting to a server. An ICMP flood is a layer 3 infrastructure DDoS attack method that uses ICMP messages to overload the targeted network's bandwidth.

MAC Flood

A rare attack, in which the attacker sends multiple dummy Ethernet frames, each with a different MAC address. Network switches treat MAC addresses separately, and hence reserve some resources for each request. When all the memory in a switch is used up, it either shuts down or becomes unresponsive. In a few types of routers, a MAC flood attack may cause them to drop their entire routing table, thus disrupting the whole network under their routing domain.
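The MAC flood paragraph describes a resource-exhaustion problem in the switch's forwarding (CAM) table. The model below is an added example, not taken from the guide, and shows both the exhaustion and the usual countermeasure, a per-port limit on learned MAC addresses (port security). The table capacity, frame counts and MAC addresses are constructed values.

```python
"""Switch CAM-table exhaustion and a per-port MAC limit (added example, not from the guide)."""
from collections import Counter


class CamTable:
    """Toy switch forwarding table with a fixed number of entries and an
    optional per-port limit on learned source MACs."""

    def __init__(self, capacity, max_macs_per_port=None):
        self.capacity = capacity
        self.max_per_port = max_macs_per_port
        self.table = {}              # src_mac -> ingress port
        self.violations = Counter()  # port -> frames refused by the per-port limit
        self.full = 0                # frames whose source could not be learned: table full

    def learn(self, port, src_mac):
        """Learn src_mac on port; return what happened to the frame."""
        if src_mac in self.table:
            return "known"
        if self.max_per_port is not None:
            on_port = sum(1 for p in self.table.values() if p == port)
            if on_port >= self.max_per_port:
                self.violations[port] += 1
                return "violation"
        if len(self.table) >= self.capacity:
            self.full += 1
            return "full"
        self.table[src_mac] = port
        return "learned"


def simulate(capacity=1024, max_macs_per_port=None, attack_frames=5000):
    """One legitimate host on port 2, then attack_frames frames on port 1,
    each with a different (constructed) source MAC."""
    cam = CamTable(capacity, max_macs_per_port)
    cam.learn(port=2, src_mac="00:11:22:33:44:55")
    for i in range(attack_frames):
        cam.learn(port=1, src_mac=f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
    attacker_entries = sum(1 for p in cam.table.values() if p == 1)
    return {
        "entries": len(cam.table),
        "attacker_entries": attacker_entries,
        "violations": cam.violations[1],
        "full": cam.full,
    }


if __name__ == "__main__":
    print(simulate())                      # table full, attacker holds 1023 of 1024 entries
    print(simulate(max_macs_per_port=2))   # attacker capped at 2 entries, 4998 violations
```

Without the limit the attacker's spoofed sources occupy almost the whole table and every later unknown source is refused, which on a real switch also means frames start being flooded to all ports. With a per-port cap of two MACs, the table stays nearly empty and the violation counter on port 1 is the signal a defender watches.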

Some DDoS Mitigation Actions and Hardware

· Stateful inspection firewalls

· Stateful SYN Proxy Mechanisms

· Limiting the number of SYNs per second per IP

· Limiting the number of SYNs per second per destination IP

· Set ICMP flood SCREEN settings (thresholds) in the firewall

· Set UDP flood SCREEN settings (thresholds) in the firewall

· Rate limit routers adjacent to the firewall and network
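The SYN Flood section explains the half-open connection problem, and the list above names two of the countermeasures: limiting SYNs per second per source IP and per destination IP. The example below is added here and is not code from the guide or from US-CERT. It replays a constructed packet trace, counts half-open connections per source (SYNs to the server that never received the client's final ACK), and then applies a sliding-window SYN rate limit keyed first by source and then by destination. All addresses, packet timings and limits are constructed.

```python
"""Half-open SYN accounting and per-IP SYN rate limits (added example, not from the guide)."""
from collections import defaultdict, deque

SERVER = "192.0.2.10"  # constructed target address


def build_trace():
    """Constructed trace of (time_s, src_ip, dst_ip, flags); flags are
    "S" = SYN, "SA" = SYN-ACK, "A" = final ACK of the handshake."""
    trace = []
    for i in range(3):  # legitimate client: three complete handshakes, one per second
        t = float(i)
        trace += [(t, "198.51.100.4", SERVER, "S"),
                  (t + 0.01, SERVER, "198.51.100.4", "SA"),
                  (t + 0.02, "198.51.100.4", SERVER, "A")]
    for i in range(200):  # flood source: 200 SYNs in one second, never answers the SYN-ACK
        t = 1.0 + i / 200.0
        trace += [(t, "203.0.113.7", SERVER, "S"),
                  (t + 0.001, SERVER, "203.0.113.7", "SA")]
    trace.sort(key=lambda p: p[0])  # stable sort keeps per-source order
    return trace


def half_open_by_source(trace, server_ip):
    """Count SYNs to server_ip per source that were never completed by an ACK."""
    pending = defaultdict(int)
    for _, src, dst, flags in trace:
        if dst != server_ip:
            continue
        if flags == "S":
            pending[src] += 1
        elif flags == "A" and pending[src] > 0:
            pending[src] -= 1
    return {src: n for src, n in pending.items() if n > 0}


class SynRateLimiter:
    """Allow at most `limit` SYNs per `window_s` seconds for each key."""

    def __init__(self, limit, window_s=1.0):
        self.limit, self.window_s = limit, window_s
        self.seen = defaultdict(deque)

    def allow(self, key, now):
        q = self.seen[key]
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def apply_limits(trace, server_ip, per_src=20, per_dst=100):
    """Return (accepted, dropped) SYN counts per source after applying the
    per-source limit and then the per-destination limit. A SYN that passes
    the source check still counts against that source even if the
    destination limit drops it."""
    src_lim, dst_lim = SynRateLimiter(per_src), SynRateLimiter(per_dst)
    accepted, dropped = defaultdict(int), defaultdict(int)
    for t, src, dst, flags in trace:
        if dst != server_ip or flags != "S":
            continue
        if src_lim.allow(src, t) and dst_lim.allow(dst, t):
            accepted[src] += 1
        else:
            dropped[src] += 1
    return dict(accepted), dict(dropped)


if __name__ == "__main__":
    trace = build_trace()
    print(half_open_by_source(trace, SERVER))          # {'203.0.113.7': 200}
    print(apply_limits(trace, SERVER))                 # flood cut to 20 SYN/s, client untouched
    print(apply_limits(trace, SERVER, per_src=1000, per_dst=50))  # destination cap takes over
```

With the default limits the per-source rule does all the work: the legitimate client's one SYN per second passes, and the flood source is cut from 200 to 20 SYNs. The second call turns the source limit off, and the per-destination cap of 50 protects the server anyway, which is the case that matters when a flood is spread across many spoofed sources, at the cost of also dropping legitimate SYNs once the aggregate is exceeded.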

Resource:

http://www.us-cert.gov/


Created: 18 Mordad 1393
