Principles and Defense Measures of DDoS Attacks
1. Basic Concepts of DDoS Attacks
DDoS (Distributed Denial of Service) is an attack method in which a large number of "zombie hosts" (computers, servers, or IoT devices infected with malware) are controlled to send massive volumes of requests to a target system at the same time. This exhausts the target's resources (bandwidth, computing power, memory), making it inaccessible to legitimate users. Unlike an ordinary DoS attack, which comes from a single source, a DDoS attack originates from widely distributed sources, so it cannot be stopped by blocking a single IP.
2. Core Principles of DDoS Attacks
(1) The Three Key Roles in an Attack
- Controller (Attacker): The command center operated by the attacker.
- Botnet: The distributed group of controlled devices that receive instructions from the controller.
- Target: The server, network, or application being attacked.
(2) Attack Chain Process
- Infiltration and Control: The attacker gains control over a large number of devices by exploiting vulnerabilities, spreading malware, etc., forming a botnet.
- Command Issuance: The controller sends attack commands to the botnet via covert channels (such as encrypted IRC or HTTP protocols).
- Traffic Flooding: The zombie devices simultaneously send forged or high-frequency requests to the target, for example:
  - A large number of TCP connection requests (e.g., SYN Flood).
  - UDP packets with forged source IPs (e.g., Reflection Amplification Attacks).
  - High-frequency application-layer requests (e.g., HTTP Flood).
3. Common DDoS Attack Types and Mechanisms
(1) Network Layer Attacks (L3/L4)
- SYN Flood Attack:
  - Principle: Zombie hosts send a large number of TCP SYN packets but never complete the three-way handshake, exhausting the target's connection queue.
  - Key Point: Because the source IPs are forged, the target's SYN-ACK replies never reach a real host, so half-open connections build up continuously.
- UDP Flood Attack:
  - Principle: A large number of UDP packets are sent to random ports on the target, forcing it to reply repeatedly with "ICMP Destination Unreachable" messages and consuming bandwidth and CPU.
- Reflection Amplification Attack (e.g., NTP, DNS Reflection):
  - Principle: Zombie hosts forge the source IP as the target's IP and send small requests to public servers (e.g., NTP servers). The servers reply with large packets to the target, amplifying the traffic (by up to hundreds of times).
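As an added example (not part of the original article), the half-open build-up described under SYN Flood can be checked from the server's own connection table. The snippet parses a constructed snapshot in the column layout of `ss -tan` (addresses and thresholds are made up) and flags a backlog of SYN-RECV entries from scattered peers that never reach ESTAB:

```python
from collections import Counter

# Constructed snapshot in the column layout of `ss -tan` (added example).
# Two legitimate sessions, then half-open entries from many distinct peers
# that never progress to ESTAB, the spoofed-source pattern described above.
SNAPSHOT = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB    0      0      10.0.0.5:443       198.51.100.7:51322
ESTAB    0      0      10.0.0.5:443       198.51.100.9:40211
SYN-RECV 0      0      10.0.0.5:443       203.0.113.12:1025
SYN-RECV 0      0      10.0.0.5:443       203.0.113.77:1026
SYN-RECV 0      0      10.0.0.5:443       192.0.2.200:1027
SYN-RECV 0      0      10.0.0.5:443       192.0.2.13:1028
SYN-RECV 0      0      10.0.0.5:443       203.0.113.150:1029
SYN-RECV 0      0      10.0.0.5:443       192.0.2.99:1030
"""

def parse_ss(text):
    """Yield (state, local_port, peer_ip) for every connection row."""
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 5:
            continue
        local_port = int(fields[3].rsplit(":", 1)[1])
        peer_ip = fields[4].rsplit(":", 1)[0]
        yield fields[0], local_port, peer_ip

def half_open_report(text, port, max_half_open=4, max_ratio=1.0):
    """Summarise half-open load on one listening port.

    Alerts when SYN-RECV entries exceed an absolute cap or outnumber
    established sessions; the count of distinct SYN-RECV peers shows
    whether the backlog comes from one client or from scattered sources.
    """
    states, peers = Counter(), set()
    for state, local_port, peer_ip in parse_ss(text):
        if local_port != port:
            continue
        states[state] += 1
        if state == "SYN-RECV":
            peers.add(peer_ip)
    half_open, established = states["SYN-RECV"], states["ESTAB"]
    ratio = half_open / max(established, 1)     # no ESTAB at all still counts
    return {
        "half_open": half_open,
        "established": established,
        "distinct_half_open_peers": len(peers),
        "alert": half_open > max_half_open or ratio > max_ratio,
    }

if __name__ == "__main__":
    print(half_open_report(SNAPSHOT, 443))
```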
(2) Application Layer Attacks (L7)
- HTTP Flood:
  - Principle: Simulating normal users who repeatedly access resource-intensive pages (such as search interfaces), consuming server computing power.
  - Characteristic: The requests look legitimate, so simple rules filter them poorly.
- Slow Attack (e.g., Slowloris):
  - Principle: Opening a large number of HTTP connections and then sending incomplete request headers very slowly, occupying the server's concurrent connection slots.
4. DDoS Defense Measures
(1) Traffic Scrubbing and Diversion
- Principle: High-defense IPs or scrubbing centers redirect incoming traffic to scrubbing devices, which filter out malicious traffic before forwarding the remainder to the target.
- Technical Methods:
  - Rate Limiting: Setting thresholds for request frequency from a single IP.
  - Protocol Verification: Discarding packets that do not conform to TCP standards (e.g., asymmetric handshake packets).
  - Fingerprint Identification: Analyzing packet characteristics (such as abnormal TTL values or timestamps) to identify zombie hosts.
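An added example, not from the original article, of the per-IP rate limiting listed above: a sliding-window limiter replayed over a constructed request stream (IPs, paths and thresholds are made up). As section 1 notes, a per-IP threshold alone does little against traffic spread across many sources; it is one layer of the scrubbing logic, not the whole defence.

```python
from collections import defaultdict, deque

# Constructed request stream (added example): (timestamp_ms, client_ip, path).
# 198.51.100.7 browses normally; 203.0.113.9 hits the search page every 100 ms.
REQUESTS = sorted(
    [(0, "198.51.100.7", "/"), (500, "198.51.100.7", "/about"),
     (1500, "198.51.100.7", "/search?q=cats")]
    + [(100 * i, "203.0.113.9", "/search?q=%d" % i) for i in range(1, 12)]
)

class SlidingWindowLimiter:
    """Per-IP request limit over a sliding time window.

    Each client keeps a deque of the timestamps of its accepted requests.
    Before a decision, timestamps older than `window_ms` are dropped; the
    request is accepted only if fewer than `limit` remain. Denied requests
    are not recorded, so the window reflects served load, not attempts.
    """
    def __init__(self, limit, window_ms):
        self.limit, self.window_ms = limit, window_ms
        self.history = defaultdict(deque)

    def allow(self, ip, now_ms):
        hist = self.history[ip]
        while hist and now_ms - hist[0] >= self.window_ms:
            hist.popleft()
        if len(hist) >= self.limit:
            return False
        hist.append(now_ms)
        return True

def evaluate(requests, limit=5, window_ms=1000):
    """Replay the stream in time order; return {ip: (allowed, denied)}."""
    limiter = SlidingWindowLimiter(limit, window_ms)
    tally = defaultdict(lambda: [0, 0])
    for ts, ip, _path in requests:
        tally[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: tuple(counts) for ip, counts in tally.items()}

if __name__ == "__main__":
    for ip, (ok, denied) in evaluate(REQUESTS).items():
        print(f"{ip}: {ok} allowed, {denied} denied")
```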
(2) Resource Redundancy and Elastic Scaling
- Principle: Using cloud services for auto-scaling (e.g., AWS Auto Scaling) or load balancing to disperse pressure and avoid single points of failure.
(3) Application Layer Protection
- Challenge: Application-layer attacks require deep parsing of protocols like HTTP and cannot rely solely on IP blocking.
- Solutions:
  - Human-Machine Verification: Presenting CAPTCHAs to suspicious IPs.
  - Behavioral Analysis: Distinguishing real users from bots based on access patterns (e.g., mouse movements, click intervals).
(4) Collaborative Defense and Threat Intelligence
- BGP Blackhole Routing: Cooperating with ISPs to route attack traffic to a "black hole" for discarding.
- Shared Blacklists: Updating malicious IP lists in real-time via threat intelligence platforms.
5. Practical Case: DNS Reflection Amplification Attack
- Attack Preparation: The attacker controls a botnet and forges the source IP as the target IP.
- Amplification Request: Zombie hosts send small query packets (e.g., 60 bytes) to open DNS servers, requesting records whose answers are large.
- Amplification Effect: The DNS server replies with response packets containing large amounts of data (up to 3000 bytes), amplifying traffic by up to 50 times.
- Target Paralysis: The target server is flooded with massive DNS responses, exhausting its bandwidth.
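As an added example (not from the original article) serving both the reflection description in section 3 and this case, the following classifies inbound DNS responses seen at the victim as solicited or unsolicited, using constructed flow records (addresses and ports are made up; the 60-byte and 3000-byte sizes are taken from the case). A response from a resolver the protected host never queried is the reflected traffic:

```python
from collections import defaultdict

PROTECTED = "10.0.0.5"          # the victim-side host whose traffic we observe
# Constructed flow records (added example): (src_ip, src_port, dst_ip, dst_port, bytes).
# Entries 1-2 are a legitimate 60-byte lookup and its answer; the rest are large
# responses from open resolvers that the protected host never queried.
FLOWS = [
    (PROTECTED, 40001, "198.51.100.53", 53, 60),
    ("198.51.100.53", 53, PROTECTED, 40001, 120),
    ("203.0.113.10", 53, PROTECTED, 4444, 3000),
    ("203.0.113.11", 53, PROTECTED, 4444, 3000),
    ("203.0.113.12", 53, PROTECTED, 4444, 2900),
    ("192.0.2.53", 53, PROTECTED, 4444, 3000),
]

def classify_dns_responses(flows, protected):
    """Split inbound DNS responses into solicited and unsolicited bytes.

    A response counts as solicited only if the protected host earlier sent a
    query to that resolver from the same local port. Anything else is what
    reflection looks like from the victim's side: the spoofed request never
    left this network, yet the answer arrives and consumes inbound bandwidth.
    """
    outstanding = set()                     # (resolver_ip, local_port)
    solicited = unsolicited = 0
    reflectors = defaultdict(int)           # resolver_ip -> unsolicited bytes
    for src, sport, dst, dport, size in flows:
        if src == protected and dport == 53:
            outstanding.add((dst, sport))
        elif dst == protected and sport == 53:
            if (src, dport) in outstanding:
                outstanding.discard((src, dport))
                solicited += size
            else:
                unsolicited += size
                reflectors[src] += size
    return {
        "solicited_bytes": solicited,
        "unsolicited_bytes": unsolicited,
        "unsolicited_share": unsolicited / max(solicited + unsolicited, 1),
        "reflectors": dict(reflectors),
    }

def amplification_factor(request_bytes, response_bytes):
    """Response size over request size, e.g. 3000 / 60 = 50 for the case above."""
    return response_bytes / request_bytes

if __name__ == "__main__":
    print(classify_dns_responses(FLOWS, PROTECTED), amplification_factor(60, 3000))
```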
The steps above outline the logic of DDoS attacks, their classification, and the layers of defense. Practical defense requires adjusting strategies dynamically to the network architecture, the protocols in use, and real-time monitoring.