MGC TOKEN technical explanation —— DDOS defense principle
MGC Token defense DDOS principle
To ensure system security and the security of user data, MGC Token defends against hacking attacks in various ways as part of its server protection technology. Only part of this is shown here.
DDOS (Distributed Denial of Service) is a distributed denial-of-service attack. By controlling a botnet made up of many compromised hosts (zombies) or servers, the attacker sends a large number of seemingly legitimate requests to the target, consuming network resources and saturating the link, so that normal users can no longer reach the network resources.
0X02 DDOS hazards
Egress bandwidth is saturated
Game sessions drop, causing customer churn
The server holds a huge number of connections and its connection resources are exhausted
The server freezes, slows down, hangs, or cannot be reached
0X03 Attack sources
High-performance servers running packet-generation software
Network-connected devices (printers, cameras, TVs, and so on)
Mobile devices (numerous, fast-growing and powerful, which makes them well suited to forming botnets)
Personal PCs (a vulnerable PC, or hacker sympathizers who volunteer their machines as DDOS members)
Hacker-controlled botnets (botnets are divided into IRC, HTTP, and P2P types)
0X04 Traffic characteristics
Source IP addresses are random or fixed; some vary randomly within an IP range
The TCP three-way handshake is not completed
Most source addresses are forged
Requests are numerous and arrive quickly
0X05 Causes of DDOS
Human factors
Financial gain
Political conflict
Religious conflict
Seeking notoriety
Non-human factors
Bandwidth limits
Protocol defects
Device performance ceilings
Application performance limits
System performance limits
0X06 Attack types and defenses
Smurf attack
The attacker sends an ICMP echo request to the gateway with the source address spoofed as the victim host's IP and the destination set to the broadcast address. When the router receives the packet and sees a broadcast destination, it broadcasts it, so every live host on the LAN receives an ICMP echo request whose source address is the victim's IP. The victim host then receives ICMP echo replies from every host on the network; this flood of replies congests the network and eventually crashes the victim. The following is a schematic diagram of the Smurf attack.
MGC Token protection program:
Prevent the router from forwarding ICMP echo requests to the broadcast address;
Prevent the operating system from responding to ICMP echo requests sent to the broadcast address;
Configure the firewall to drop ping (ICMP echo request) packets arriving from outside your network.
TearDrop attack
Before looking at this attack you need to know what IP fragmentation is. Packets sent across a network may have to be fragmented, because each network has a different maximum single-packet size, commonly called the MTU (Maximum Transmission Unit). When the data to be sent exceeds the MTU of a network on the path to the host you are communicating with, the packet is split into fragments and reassembled into the original packet at the destination. The following shows the fragmentation and reassembly process.
A TearDrop attack sets incorrect fragment offsets, so that when the fragments reach the destination the server cannot reassemble the packet, because reassembly is driven by the fragment offset; the malformed set eventually causes a crash. Compare a normal IP packet with a malformed one.
This type of attack is mainly effective against old Windows and Linux versions. To protect against it, check whether the offset of each received fragment is legal: if it is, reassemble; if it is not, discard the fragment. For example: a fragment reassembly check algorithm.
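The check described above, written out as an added example (this is not code from the original article or from MGC Token). Fragments are modelled the way the IPv4 header carries them: a 13-bit offset in 8-byte units, the payload, and the More-Fragments flag. The reassembler refuses any set whose offsets overlap (the TearDrop pattern), run past the maximum datagram size, or leave a gap, rather than trying to combine them; the fragment sets used as input are constructed for illustration.

```python
"""IP fragment reassembly with an offset sanity check (added example)."""
from dataclasses import dataclass

MAX_PAYLOAD = 65535 - 20        # largest IPv4 datagram minus a minimal header


@dataclass(frozen=True)
class Fragment:
    offset_units: int           # 13-bit fragment offset field (units of 8 bytes)
    payload: bytes
    more_fragments: bool        # MF flag; False only on the last fragment


class BadFragmentError(ValueError):
    """Raised when a fragment set cannot be reassembled safely."""


def check_fragments(frags):
    """Validate offsets and return the fragments sorted by byte offset.

    Rejects a non-final fragment whose payload is not a multiple of 8,
    any overlap between fragments, any fragment extending past the
    maximum datagram size, and gaps that leave the datagram incomplete.
    """
    if not frags:
        raise BadFragmentError("empty fragment set")
    ordered = sorted(frags, key=lambda f: f.offset_units)
    expected = 0                # byte offset where the next fragment must start
    for f in ordered:
        start = f.offset_units * 8
        end = start + len(f.payload)
        if f.more_fragments and len(f.payload) % 8:
            raise BadFragmentError("non-final fragment length is not a multiple of 8")
        if end > MAX_PAYLOAD:
            raise BadFragmentError("fragment extends beyond the maximum datagram size")
        if start < expected:
            raise BadFragmentError(f"overlap: fragment at {start} starts before {expected}")
        if start > expected:
            raise BadFragmentError(f"gap: expected data at {expected}, got {start}")
        expected = end
    if ordered[-1].more_fragments:
        raise BadFragmentError("last fragment still has MF set; datagram incomplete")
    return ordered


def reassemble(frags):
    """Concatenate the payloads of a validated fragment set."""
    return b"".join(f.payload for f in check_fragments(frags))


def is_safe(frags):
    """True if the fragment set passes the check, False if it should be discarded."""
    try:
        check_fragments(frags)
        return True
    except BadFragmentError:
        return False


# Constructed inputs: a well-formed set and a TearDrop-style overlapping set.
NORMAL = [Fragment(0, b"A" * 16, True), Fragment(2, b"B" * 8, True), Fragment(3, b"C" * 5, False)]
TEARDROP = [Fragment(0, b"A" * 32, True), Fragment(2, b"B" * 8, False)]   # second starts at byte 16, inside the first

if __name__ == "__main__":
    print(reassemble(NORMAL))
    print("teardrop set safe:", is_safe(TEARDROP))
```

A real stack also has to bound how long incomplete fragment sets are held and how much memory they may occupy, otherwise the reassembly buffer itself becomes a resource-exhaustion target.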
Land Attack
To launch a Land Attack, the attacker sends a SYN packet whose source IP address and destination IP address are both set to the target IP. On receiving the SYN, the target replies to the source IP with a SYN+ACK packet, establishing an empty connection with itself, which is only released when the idle timeout expires. The attacker sends a large number of such packets, exhausting the target's TCP connection pool and eventually causing a denial of service. The attack process is as follows.
MGC Token defense solution: this attack is effective against early systems. Firewall and routing rules detect packets whose source and destination IP addresses are identical, and those packets are discarded and filtered.
SYN FLOOD attack
The SYN FLOOD attack targets the TCP three-way handshake. The attacker sends a large number of forged TCP packets with the SYN flag set to create many false half-open connections with the target host. After the server returns a SYN+ACK packet, the attacker never answers it, that is, never returns the ACK to the server, so the server waits until the connection times out. This type of attack can exhaust the target server's resources and block the link, achieving a denial of service. The SYN FLOOD attack is illustrated as follows.
Defense:
SYN Check: a protection device is deployed in front of the server, turning the 3-way handshake into a 6-way one. The protection device checks whether the SYN request is legitimate; once it passes, the device forwards the packets to the server, and subsequent packets are still relayed by the protection device.
Micro blocks: administrators can keep a small index (less than 16 bytes) in memory for each SYN request instead of storing the whole connection object in memory.
RST cookies: after the client sends its first SYN, the server deliberately replies with an incorrect SYN+ACK. A legitimate client that receives it answers with a RST; when the server receives that RST it records the host's IP address in a list of legitimate IPs, and the next SYN from that host is allowed straight through.
Stack tweaking: administrators can tune the TCP stack to mitigate SYN floods, for example by shortening the timeout and selectively dropping half-open connections when the backlog fills, otherwise dropping incoming connections at random.
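The RST cookie exchange above, simulated end to end as an added example (not code from the article or from MGC Token). Both sides are modelled: a protection device that answers every first SYN with a deliberately wrong SYN+ACK, and a client that behaves as RFC 793 requires when it receives an unacceptable ACK in the SYN-SENT state, namely it sends a RST whose sequence number is the bad ACK value. That lets the device bind the bogus ACK to the source with an HMAC (the keying is my assumption, chosen so the device keeps no per-SYN state and a forged RST cannot guess the value), while a SYN with a spoofed source never sees the SYN+ACK and so never earns a place on the allowed list.

```python
"""RST-cookie handshake simulation (added example)."""
import hashlib
import hmac
import os


class ProtectionDevice:
    """Stateless RST-cookie front end in front of a protected server."""

    def __init__(self, secret=None):
        self._secret = secret or os.urandom(16)
        self.allowed = set()          # source IPs that proved they receive our replies

    def _cookie(self, ip, port):
        # Bogus acknowledgement number bound to the source. Only the device can
        # compute it, so a RST with a guessed sequence number does not validate.
        mac = hmac.new(self._secret, f"{ip}:{port}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src_ip, src_port, client_isn):
        """First SYN: reply with a wrong SYN+ACK. Known-good source: pass it on."""
        if src_ip in self.allowed:
            return {"action": "forward", "to": "server"}
        # Deliberately wrong: a correct SYN+ACK would acknowledge client_isn + 1.
        return {"action": "reply", "flags": "SYN+ACK", "ack": self._cookie(src_ip, src_port)}

    def on_rst(self, src_ip, src_port, seq):
        """Accept the RST only if its sequence number equals the cookie we sent."""
        expected = self._cookie(src_ip, src_port).to_bytes(4, "big")
        if hmac.compare_digest((seq & 0xFFFFFFFF).to_bytes(4, "big"), expected):
            self.allowed.add(src_ip)
            return True
        return False


class Client:
    """A normal TCP client whose reply to the SYN+ACK follows RFC 793."""

    def __init__(self, ip, port, isn):
        self.ip, self.port, self.isn = ip, port, isn

    def syn(self):
        return (self.ip, self.port, self.isn)

    def on_syn_ack(self, pkt):
        # An unacceptable ACK while in SYN-SENT is answered with <SEQ=SEG.ACK><CTL=RST>.
        if pkt["ack"] != self.isn + 1:
            return {"flags": "RST", "seq": pkt["ack"]}
        return {"flags": "ACK", "ack": pkt.get("seq", 0) + 1}


def legitimate_exchange(device, client):
    """Reachable client: SYN, bad SYN+ACK, RST, then the next SYN is forwarded."""
    reply = device.on_syn(*client.syn())
    if reply["action"] == "forward":
        return True
    answer = client.on_syn_ack(reply)
    if answer["flags"] != "RST":
        return False
    device.on_rst(client.ip, client.port, answer["seq"])
    return device.on_syn(*client.syn())["action"] == "forward"


def spoofed_exchange(device, spoofed_ip, port, isn):
    """SYN with a forged source: the SYN+ACK is routed to spoofed_ip and is lost
    to the sender, so no valid RST ever arrives and the source stays unlisted."""
    device.on_syn(spoofed_ip, port, isn)
    return spoofed_ip in device.allowed


def forged_rst(device, ip, port, guessed_seq):
    """A RST carrying a guessed sequence number is rejected."""
    return device.on_rst(ip, port, guessed_seq)


if __name__ == "__main__":
    dev = ProtectionDevice()
    print("legitimate client allowed:", legitimate_exchange(dev, Client("198.51.100.7", 40001, 1000)))
    print("spoofed source allowed:", spoofed_exchange(dev, "203.0.113.5", 5555, 42))
```

The allowed list is keyed by source IP only, as the text describes, so in practice it needs an expiry and should be combined with rate limiting: an address that has passed once can still be used to send a high volume of real SYNs afterwards.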
ACK FLOOD attack
The ACK FLOOD attack exploits the TCP three-way handshake. There are two types.
The first type: the attacker forges a large number of SYN+ACK packets and sends them to the target host. Each time the target receives a SYN+ACK it looks up its TCP connection table to check whether it has a connection with the sender; if so it sends an ACK to complete the connection, otherwise it sends ACK+RST to tear it down. This lookup costs CPU time. If a large number of SYN+ACK packets arrive at once, the server's CPU is consumed, normal connections fail to establish or suffer increased delay, and the server may even crash.
The second type: exploiting the SYN+ACK reply of the three-way handshake, the attacker sends a large number of SYN requests to different servers with the source IP set to the victim host's IP, so that a large number of SYN+ACK reply packets are sent to the victim, saturating the target's network bandwidth and causing a denial of service.
DDOS attacks usually combine ACK floods with SYN floods to increase their power. The following defenses can be used: dilute traffic with a CDN; avoid exposing the server's IP on the public network; apply rate limiting or dynamic fingerprinting; use traffic symmetry analysis to judge whether an attack is under way; and when ACK packets from a user stop arriving for a period, force it to reconnect.
UDP FLOOD attack
UDP (User Datagram Protocol) is a connectionless, stateless protocol. It needs no three-way handshake like TCP, has low overhead, and does not confirm whether a packet reached its destination. This makes a UDP flood not only efficient but also cheap to run. A UDP FLOOD can use small packets (64 bytes) or large packets (more than 1500 bytes, the Ethernet MTU). A large number of small packets increases the load on network devices that must process each packet; large packets must be fragmented and reassembled by network devices. The end result is that the bandwidth of the transmission interface is consumed, the network is congested, the server responds slowly, and so on.
MGC Token defense scheme: limit the traffic accepted per second (may cause false positives); add attacking sources to a blacklist through dynamic fingerprint learning (this takes some time while the attack is in progress).
NTP amplification attack
NTP (Network Time Protocol) is the protocol used to synchronize computer clocks over a network. It synchronizes a computer with a clock source and provides high-precision time correction, communicating over UDP. NTP servers usually expose some debugging interfaces, and the monlist request among them can trigger an amplification attack: when a host sends a monlist query to an NTP server, the server returns the last 600 IP addresses that synchronized time with it. The attacker therefore only needs to forge the source address as the victim's IP and send monlist queries to NTP servers, and the victim receives a large number of UDP response packets. Among amplification attacks this one is relatively harmful. The following is a schematic diagram of the NTP amplification attack.
To summarize the causes of this attack: request and response packets are not of equal size; UDP communication is unverified (there is no delivery confirmation mechanism); and the NTP server has no authentication mechanism. MGC Token defense solution: use anti-DDoS devices for traffic cleaning; harden and upgrade the NTP server; block UDP port 123 at the network egress; apply ACLs at the network layer or through the carrier; and disable the monlist function of the NTP service by adding the disable monitor option to the ntp.conf configuration file.
DNS amplification attack
DNS (Domain Name System): because it is hard to remember every website by IP address, a host name stands for the corresponding server, and the host name is converted into an IP address by domain name resolution. Let us look at the DNS message format to see where the attack occurs.
Message header format
The fields of the message header are described as follows; the green-highlighted field is one of the attack points and is analyzed later.
The following are the values the query type can take in the question record. Note that the last one, the ANY type, requests all records, which is the other attack point.
DNS queries are divided into recursive and iterative queries. The following is a diagram of a DNS iterative query.
Now look at the DNS recursive query diagram.
From the DNS packet structure and the recursive query process we can outline the attack principle. First, the attacker instructs the botnet, and each host in it sends DNS query packets with a forged source address. The query type of these requests is set to ANY, because this type requests all records; all of them are included in the response, so this response is the largest of any query type. The query is also marked as recursive rather than iterative. Look carefully at the two query diagrams: in an iterative query, if the first DNS server does not have the result, it returns the IP of another DNS server and the requesting host must query that server itself; but the attacker's source address is forged, so that second query would never be sent, because the first one was not really sent by the victim. In a recursive query the result is returned to the original requester once it has been resolved. With these two properties an attacker can mount a DNS amplification attack. An ordinary query of this kind amplifies the attack traffic 2 to 10 times. To raise the multiplier, the DNS extension mechanism EDNS0 defined in RFC 2671 can be used. Without EDNS0, a response smaller than 512 bytes is carried in UDP; a response larger than 512 bytes is either sent over a TCP connection or truncated by the server, which discards the part beyond 512 bytes and sets the TC bit to 1. Neither case helps a DNS amplification attack. Once EDNS0 is enabled, however, an OPT RR is added whose fields carry the maximum UDP packet size the sender can handle. The attacker sets this value very large, and the server generates its response packet according to it.
Finally, take a look at the DNS amplification attack demonstration
For defense, refer to the following points: contact the ISP to clean upstream traffic; have the DNS server serve only trusted domains and restrict resolution service for users outside the domain; limit the query rate per source IP; have enough bandwidth to withstand small-scale attacks; disable recursive queries on the DNS server; and use the firewall to filter ANY requests.
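To "filter ANY requests" a filter first has to read the query, so here is a minimal DNS query parser as an added example (not code from the article or from MGC Token). It decodes the 12-byte header, the question section (name, QTYPE, QCLASS) and any EDNS0 OPT pseudo-record in the additional section, then reports the two attack points discussed above: QTYPE ANY (255) and an oversized EDNS0 UDP payload size. The query packets it runs on are constructed by `build_query`, and the 1232-byte ceiling on the advertised EDNS0 size is an assumed policy value, not something from the article.

```python
"""Minimal DNS query parser for an ANY / EDNS0-size filter (added example)."""
import struct

QTYPE_ANY = 255
TYPE_OPT = 41
SAFE_EDNS_UDP_SIZE = 1232          # assumed policy ceiling for advertised UDP payload size


def _read_name(buf, pos, depth=0):
    """Decode a DNS name at pos; return (dotted name, position after it)."""
    if depth > 5:
        raise ValueError("too many compression pointers")
    labels = []
    while True:
        if pos >= len(buf):
            raise ValueError("truncated name")
        length = buf[pos]
        if length & 0xC0 == 0xC0:                          # compression pointer
            ptr = struct.unpack_from("!H", buf, pos)[0] & 0x3FFF
            tail, _ = _read_name(buf, ptr, depth + 1)
            labels.append(tail)
            return ".".join(labels), pos + 2
        pos += 1
        if length == 0:                                    # root label ends the name
            return ".".join(labels), pos
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length


def parse_query(buf):
    """Return header flags, the questions and the EDNS0 UDP size (None if absent)."""
    if len(buf) < 12:
        raise ValueError("short packet")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack_from("!6H", buf, 0)
    pos = 12
    questions = []
    for _ in range(qdcount):
        name, pos = _read_name(buf, pos)
        qtype, qclass = struct.unpack_from("!HH", buf, pos)
        pos += 4
        questions.append((name, qtype, qclass))
    edns_udp_size = None
    for _ in range(ancount + nscount + arcount):          # resource records share one layout
        _, pos = _read_name(buf, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", buf, pos)
        pos += 10
        if rtype == TYPE_OPT:
            edns_udp_size = rclass                        # OPT reuses CLASS for the UDP payload size
        pos += rdlen
    return {"id": txid, "rd": bool(flags & 0x0100), "questions": questions,
            "edns_udp_size": edns_udp_size}


def classify(buf):
    """List the reasons a query should be dropped; empty list means allow."""
    q = parse_query(buf)
    reasons = []
    if any(qtype == QTYPE_ANY for _, qtype, _ in q["questions"]):
        reasons.append("qtype ANY")
    if q["edns_udp_size"] and q["edns_udp_size"] > SAFE_EDNS_UDP_SIZE:
        reasons.append(f"EDNS0 udp size {q['edns_udp_size']}")
    return reasons


def build_query(name, qtype, rd=True, edns_udp_size=None, txid=0x1234):
    """Construct a query packet for testing (not captured traffic)."""
    flags = 0x0100 if rd else 0
    pkt = struct.pack("!6H", txid, flags, 1, 0, 0, 1 if edns_udp_size else 0)
    for label in name.rstrip(".").split("."):
        pkt += bytes([len(label)]) + label.encode("ascii")
    pkt += b"\x00" + struct.pack("!HH", qtype, 1)
    if edns_udp_size:                                     # OPT RR: root name, type 41, class = size
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return pkt


if __name__ == "__main__":
    print(classify(build_query("example.com", QTYPE_ANY, edns_udp_size=4096)))
    print(classify(build_query("example.com", 1)))
```

Dropping ANY outright is the blunt option the article lists; a resolver can instead answer ANY minimally as modern resolvers do, and the EDNS0 check is better applied by clamping the size the server honours than by rejecting the query.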
SNMP amplification attack
SNMP (Simple Network Management Protocol) is the most widely used network management protocol. It provides a management framework for monitoring and maintaining Internet devices and communicates over UDP port 161. The attacker sends a GetBulk request to Internet-facing devices with SNMP enabled, using a default community string as the authentication credential; common defaults are public, private, and various vendor-specific strings. GetBulk was added in SNMPv2 and makes the SNMP device return as much data as possible, which is what the SNMP amplification attack exploits. Let us look at the SNMP PDU format.
The attacker first sets the source address to the target IP and then sends GetBulk requests with the default community string to a large number of SNMP devices. After receiving the GetBulk request, each device returns a large block of device information to the target host, which is eventually overwhelmed by the packets returned by all these SNMP devices, resulting in a denial of service. See the SNMP attack diagram.
The following measures can be taken: prevent SNMP-enabled devices from responding to GetBulk requests so they cannot be abused; change the default community string; change the default port 161; and hide the public IP address of SNMP devices.
TFTP amplification attack
TFTP (Trivial File Transfer Protocol) communicates over UDP port 69. Since TFTP runs over the unreliable UDP protocol, it cannot guarantee that any message sent actually reaches its destination, so it must use a timer to detect loss and retransmit packets. The following is the TFTP file transfer process diagram.
Timeout retransmission mechanism
As can be seen, TFTP divides the data into blocks of at most 512 bytes for transmission. When the client receives a data block it must return an ACK to the server before the next block is transmitted. If the server does not receive the client's ACK before the timeout expires, the retransmission mechanism kicks in, and that is the exploitable point. The attacker exploits this property of TFTP by forging the source address and sending a request to the server. After the server sends the first data block it never receives an ACK from the apparent client, so TFTP periodically retransmits that first block. When the attacker sends a large number of such requests, a TFTP amplification attack results. See the TFTP amplification attack diagram.
The following defenses can be used: do not expose the TFTP server to the public network; perform intrusion detection on traffic flowing to the TFTP service; set the retransmission (packet) rate to 1; and provide service only to hosts in the trusted domain.
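The NTP, DNS, SNMP and TFTP sections above share one root cause, a small request that produces a much larger (or repeatedly retransmitted) response, and on the victim's side they look alike in flow data. The following added example (not code from the article or from MGC Token) is one detection rule over flow records: it groups traffic by reflector port and destination host and flags destinations whose inbound bytes from a known reflector port dwarf the bytes they sent to it. The flow records are constructed to stand in for NetFlow/IPFIX export, and the 10x ratio and 50 kB floor are assumed tuning values.

```python
"""Reflection/amplification victim detector over flow records (added example)."""
from collections import defaultdict

REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 161: "SNMP", 69: "TFTP"}
RATIO_THRESHOLD = 10.0     # assumed: flag when responses exceed 10x the requests
MIN_BYTES = 50_000         # assumed: ignore flows too small to matter

# Constructed flow records: (src, sport, dst, dport, bytes).
FLOWS = [
    # 203.0.113.10 "asked" (spoofed on its behalf) and is flooded from an NTP and a DNS reflector
    ("203.0.113.10", 40000, "198.51.100.1", 123, 1_200),
    ("198.51.100.1", 123, "203.0.113.10", 40000, 480_000),
    ("203.0.113.10", 40001, "198.51.100.2", 53, 2_000),
    ("198.51.100.2", 53, "203.0.113.10", 40001, 90_000),
    # a TFTP server keeps retransmitting its first block toward the same victim
    ("203.0.113.10", 40002, "198.51.100.3", 69, 40),
    ("198.51.100.3", 69, "203.0.113.10", 40002, 60_000),
    # a normal client syncing time and resolving names
    ("192.0.2.5", 50000, "198.51.100.1", 123, 960),
    ("198.51.100.1", 123, "192.0.2.5", 50000, 960),
    ("192.0.2.5", 50001, "198.51.100.2", 53, 800),
    ("198.51.100.2", 53, "192.0.2.5", 50001, 3_200),
]
NORMAL_FLOWS = FLOWS[6:]


def amplification_by_host(flows):
    """Map (host, reflector port) to (bytes received from that port, received/sent ratio)."""
    sent = defaultdict(int)
    received = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dport in REFLECTOR_PORTS:
            sent[(src, dport)] += nbytes          # what the host apparently asked for
        if sport in REFLECTOR_PORTS:
            received[(dst, sport)] += nbytes      # what came back from the service port
    result = {}
    for key, rbytes in received.items():
        sbytes = sent.get(key, 0)
        ratio = rbytes / sbytes if sbytes else float("inf")   # replies with no request at all
        result[key] = (rbytes, ratio)
    return result


def suspected_victims(flows, ratio_threshold=RATIO_THRESHOLD, min_bytes=MIN_BYTES):
    """Sorted (host, service, ratio) tuples for hosts that look like reflection targets."""
    hits = []
    for (host, port), (rbytes, ratio) in amplification_by_host(flows).items():
        if rbytes >= min_bytes and ratio >= ratio_threshold:
            hits.append((host, REFLECTOR_PORTS[port], round(ratio, 1)))
    return sorted(hits)


if __name__ == "__main__":
    for host, service, ratio in suspected_victims(FLOWS):
        print(f"{host} receives {ratio}x more {service} traffic than it sends")
```

Because the victim never sent the requests, the "sent" side is often zero or tiny in real data; the `inf` ratio handles that case so the rule still fires when there is no matching outbound flow at all. Run on the reflector's own exports, the same grouping (by client instead of by destination) shows which of your NTP, DNS or SNMP servers are being used as amplifiers.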
CC attack
The CC attack (Challenge Collapsar) is also known as an HTTP flood. The attacker controls zombie hosts, a botnet or proxy servers and continuously sends a large number of legitimate-looking requests to the target web service, so that normal users' web requests are processed slowly or not at all. The requests trigger a large number of back-end database queries, consuming the target's CPU resources and eventually crashing the server. This type of attack does not need much bandwidth and cannot use forged IP addresses: the real machine has to establish a connection with the web server, because HTTP runs on top of TCP and the three-way handshake must complete before HTTP communication can start. If the target web server supports HTTPS, an HTTPS flood can also penetrate some protection devices.
MGC Token defense scheme: serve static pages where possible and reduce database use; limit the number of connections; adjust the maximum timeout; require users to enter a verification code; add special fields to the response packet to verify the validity of the IP; and restrict which host IPs may access the server.
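Because a CC attack cannot hide behind forged source addresses, the "limit the number of connections" measure above can be expressed as a per-source rate rule over the web server's own access log. The following added example (not code from the article or from MGC Token) parses constructed lines in the common combined log format, keeps a sliding window of request times per client IP, and reports any source that exceeds LIMIT requests within WINDOW seconds; the limit of 5 requests per 10 seconds is an assumed value chosen to keep the sample short.

```python
"""Per-source request-rate check over web access log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

LIMIT = 5            # assumed: maximum requests per WINDOW for one client IP
WINDOW = 10.0        # seconds

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed access log: one source hammering a search page, one normal visitor, one junk line.
LOG = [
    '198.51.100.200 - - [10/Oct/2020:13:55:36 +0000] "GET /search?q=a HTTP/1.1" 200 512',
    '192.0.2.5 - - [10/Oct/2020:13:55:36 +0000] "GET / HTTP/1.1" 200 2048',
    '198.51.100.200 - - [10/Oct/2020:13:55:36 +0000] "GET /search?q=b HTTP/1.1" 200 512',
    '198.51.100.200 - - [10/Oct/2020:13:55:37 +0000] "GET /search?q=c HTTP/1.1" 200 512',
    'garbage line that does not parse',
    '198.51.100.200 - - [10/Oct/2020:13:55:37 +0000] "GET /search?q=d HTTP/1.1" 200 512',
    '192.0.2.5 - - [10/Oct/2020:13:55:38 +0000] "GET /style.css HTTP/1.1" 200 900',
    '198.51.100.200 - - [10/Oct/2020:13:55:38 +0000] "GET /search?q=e HTTP/1.1" 200 512',
    '198.51.100.200 - - [10/Oct/2020:13:55:39 +0000] "GET /search?q=f HTTP/1.1" 200 512',
    '192.0.2.5 - - [10/Oct/2020:13:55:40 +0000] "GET /logo.png HTTP/1.1" 200 4096',
    '198.51.100.200 - - [10/Oct/2020:13:55:39 +0000] "GET /search?q=g HTTP/1.1" 200 512',
]


def parse_line(line):
    """Return (ip, unix timestamp, request line) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m.group("ip"), ts, m.group("req")


def offending_sources(lines, limit=LIMIT, window=WINDOW):
    """Map each IP that exceeded the limit to the timestamp at which it first did so."""
    recent = defaultdict(deque)          # ip -> timestamps inside the current window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                     # skip junk rather than crash the monitor
        ip, ts, _ = parsed
        times = recent[ip]
        times.append(ts)
        while times and ts - times[0] > window:
            times.popleft()              # expire requests older than the window
        if len(times) > limit and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, ts in offending_sources(LOG).items():
        print(f"{ip} exceeded {LIMIT} requests / {WINDOW:.0f}s at {ts:.0f}")
```

Log lines are assumed to be in time order, as a server writes them; when merging logs from several front ends, sort by timestamp first. The flagged address is the candidate for a temporary block or for the verification-code challenge the article mentions, which is preferable to a hard block when clients share a NAT address.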
HTTP slow attack
In a Slow HTTP DoS attack, the attacker imitates normal users by sending HTTP requests to the web server very slowly. Because the transfer is slow, the server has to keep the connection resources until the data transfer or the request ends. When the server has built up a large number of such slow connections, it refuses service. This type of attack falls into two categories: in one the client sends data slowly, in the other the client reads the data sent by the server slowly. Slow HTTP attacks have a significant impact on thread-based web servers such as Apache and dhttpd, but little effect on event-based web servers such as nginx and lighttpd. Slow HTTP attacks can be further subdivided into the following types.
Slowloris attack mode
The HTTP protocol specifies that the request header ends with a blank line, so a complete HTTP request header ends with \r\n\r\n. Ending it with an abnormal \r\n instead makes the server believe the request header is not finished yet, and it waits for the client to send more data until the timeout expires. The difference between the two request headers is shown below; CRLF (Carriage Return Line Feed) is the line ending.
Slow post attack mode
In the HTTP header, Content-Length declares the length of the HTTP message body, and the server takes the Content-Length value as the length of the HTTP body. Exploiting this, the attacker sets Content-Length very large and then sends the body slowly, for example one byte at a time, so the server keeps the connection open until the client has delivered all the data.
Slow read attack mode
The attacker sends a complete HTTP request, to which the server responds, but sets its own TCP window size very small. The server transfers data according to the client's TCP window size, so with a tiny window it can only send data to the client very slowly. When a large number of such connections are established, the web application's concurrent connection pool is exhausted, eventually leading to a denial of service.
Apache range header attack
This attack method only affects Apache. When a client requests a large file, it can send a Range field asking for the file to be split into several small segments. An attacker, for example, splits the file into one-byte segments, which makes the data transfer very slow, occupies connections for a long time, and consumes server CPU and memory.
For the above four attack methods you can also refer to this article: CC attack. Understanding the attack principle lets us defend against it. Here is the protection strategy for Apache: set up and use the following modules.
The mod_reqtimeout module controls the timeout and minimum rate for receiving request data. The protection configuration is as follows:
The mod_qos module, an Apache quality-of-service control module, lets users configure various thresholds. The protection configuration is as follows:
The mod_security module, an open-source WAF module, has rules specifically for slow-attack protection. The protection configuration is as follows:
The above are some protection strategies for Apache.
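The Slowloris and Slow POST variants above both show up as a connection that makes progress far too slowly, which is exactly what a request-read watchdog measures. The following added example (not code from the article, from MGC Token or from Apache) models such a watchdog: it tracks each connection's bytes and timestamps and applies two limits in the spirit of a header timeout and a minimum body rate, reporting a connection whose header is not complete within HEADER_TIMEOUT seconds or whose body, once Content-Length is known, arrives below MIN_BODY_RATE bytes per second. The connection events are constructed, and the limit values are assumptions. The slow-read variant is a send-side problem and is not covered by this receive-side check.

```python
"""Slow-request watchdog over per-connection receive events (added example)."""

HEADER_TIMEOUT = 20.0            # assumed: seconds allowed to finish the request header
MIN_BODY_RATE = 500.0            # assumed: bytes per second required once the body starts
MAX_HEADER_BYTES = 8192          # assumed: cap on buffered header bytes


class Connection:
    """Receive-side state for one client connection."""

    def __init__(self, conn_id, opened_at):
        self.id = conn_id
        self.opened_at = opened_at
        self.buf = b""
        self.header_done_at = None
        self.content_length = None
        self.body_received = 0

    def feed(self, now, data):
        """Record bytes received at time `now`; detect the end of the header."""
        if self.header_done_at is not None:
            self.body_received += len(data)
            return
        self.buf += data
        end = self.buf.find(b"\r\n\r\n")          # a complete header ends with a blank line
        if end < 0:
            return
        self.header_done_at = now
        header, rest = self.buf[:end].decode("latin-1"), self.buf[end + 4:]
        for line in header.split("\r\n")[1:]:    # skip the request line
            key, _, value = line.partition(":")
            if key.strip().lower() == "content-length" and value.strip().isdigit():
                self.content_length = int(value.strip())
        self.body_received = len(rest)
        self.buf = b""

    def verdict(self, now):
        """None if the connection is healthy, otherwise the reason to close it."""
        if self.header_done_at is None:
            if len(self.buf) > MAX_HEADER_BYTES:
                return "header_too_large"
            if now - self.opened_at > HEADER_TIMEOUT:
                return "header_timeout"          # Slowloris pattern: header never ends
            return None
        if self.content_length and self.body_received < self.content_length:
            elapsed = now - self.header_done_at
            if elapsed > 1.0 and self.body_received / elapsed < MIN_BODY_RATE:
                return "slow_body"               # Slow POST pattern: body trickles in
        return None


def replay(events, check_at):
    """Feed (time, connection id, bytes) events and judge every connection at check_at."""
    conns = {}
    for t, cid, data in events:
        conns.setdefault(cid, Connection(cid, t)).feed(t, data)
    return {cid: c.verdict(check_at) for cid, c in conns.items()}


# Constructed events: c1 is a normal request, c2 never finishes its header,
# c3 declares a 1 MB body and sends one byte per second.
EVENTS = [
    (0.0, "c1", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (0.0, "c2", b"GET / HTTP/1.1\r\nHost: example.test\r\n"),
    (10.0, "c2", b"X-a: b\r\n"),
    (20.0, "c2", b"X-c: d\r\n"),
    (0.0, "c3", b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 1000000\r\n\r\n"),
    (1.0, "c3", b"a"),
    (2.0, "c3", b"a"),
    (3.0, "c3", b"a"),
]

if __name__ == "__main__":
    print(replay(EVENTS, 30.0))
```

The header timeout alone is what defeats Slowloris; the rate check is what the Slow POST variant needs, because its header is complete and only the body stalls. The same two numbers map directly onto the mod_reqtimeout settings discussed next.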
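The configuration fragments the three paragraphs above refer to are not present on this page, so the following is an added example of what such a configuration can look like, not the article's or MGC Token's own settings. The mod_reqtimeout directive is the module's standard one; the mod_qos and ModSecurity directives are taken from those modules' documentation as I know it (ModSecurity 2.8 and later use the SecConn* names), and every number is an assumed starting value to be tuned for the site.

```apache
# mod_reqtimeout: the header must finish within 20 s (extended up to 40 s while
# data keeps arriving at 500 B/s or more); the body must arrive at 500 B/s or more
# after an initial 20 s. Connections that fall below the limits are dropped.
<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>

# mod_qos: cap concurrent connections per client IP and require a minimum data
# rate per connection once the server holds more than 1200 connections.
<IfModule mod_qos.c>
    QS_SrvMaxConnPerIP 50
    QS_SrvMinDataRate 150 1200
</IfModule>

# ModSecurity 2.x: limit how many connections per IP may sit in the read (request
# still arriving) or write (response still being sent) state.
<IfModule mod_security2.c>
    SecConnReadStateLimit 50
    SecConnWriteStateLimit 50
</IfModule>
```

Per-IP limits must be set with shared addresses in mind: a corporate NAT or a CDN edge legitimately opens many connections from one IP, so pair the limit with an allow list for such sources or raise it for them.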
XSS-DOS
A stored XSS vulnerability in the website is used to insert malicious JavaScript code into its pages. The code continuously sends a large number of requests to the web server, so that the server crashes and can no longer respond to normal users. After a client visits the page with the injected JavaScript, the packet capture looks as follows.
Since this type of attack is caused by stored XSS, MGC Token's defense focuses on defending against stored XSS. The defense strategy is as follows: filter special characters in user input and URL parameters; encode and convert output content; and combine this with a blacklist and whitelist mechanism.
Time lens attack
By controlling packets with the same source and destination IP, packets sent along different paths are made to arrive at the target server at the same time, concentrating the traffic into a burst.
MGC Token defense scheme: introduce jitter to interfere with the attack paths so the packets cannot be timed to arrive together; and have the operator prohibit source routing.
Other defense measures:
Use high-performance network equipment; ensure sufficient network bandwidth; upgrade host server hardware; avoid exposing the server's real IP to the public network; use a CDN to dilute the traffic: once the large volume of traffic is spread over the CDN nodes it is cleaned there, protecting the origin server. This defense only works against DDOS attacks aimed at a domain name, however; if the attacker attacks the IP address directly, anycast technology is needed for defense.