DoS representative attack methods include PingofDeath, TearDrop, UDPflood, SYNflood, LandAttack, IPSpoofingDoS, etc. DoS is Denial of Service, whose purpose is to prevent a computer or network from providing normal services.
The operating environment of this tutorial: Windows 7 system, Dell G3 computer.
DoS is the abbreviation of Denial of Service, that is, denial of service. The attack behavior that causes DoS is called a DoS attack. Its purpose is to prevent the computer or network from providing normal services. The most common DoS attacks include computer network broadband attacks and connectivity attacks.
DoS attack refers to deliberately attacking the flaws in the implementation of network protocols or directly and brutally exhausting the resources of the attacked object through brutal means, with the purpose of making the target computer or network unable to provide normal services or resource access, causing the target computer or network to be unable to provide normal services or resource access. The target system service system stops responding or even crashes, and this attack does not include invading the target server or target network device. These service resources include network bandwidth, file system space capacity, open processes or allowed connections. This kind of attack will lead to a shortage of resources. No matter how fast the computer's processing speed is, how large the memory capacity is, or how fast the network bandwidth is, the consequences of this attack cannot be avoided.
Denial of service attack is a malicious attack that causes great harm to the network. Today, representative DoS attack methods include PingofDeath, TearDrop, UDPflood, SYNflood, LandAttack, IPSpoofingDoS, etc. See how they are implemented.
ping of death (ping of death)DengKelen
ICMP (InternetControlMessageProtocol, Internet Control Message Protocol) is used on the Internet for error handling and delivery of control information. The most common ping program has this function. In the RFC document of TCP/IP, there are strict restrictions on the maximum size of the packet. The TCP/IP protocol stack of many operating systems stipulates that the ICMP packet size is 64KB, and after reading the header of the packet, it must Generate a buffer for the payload based on the information contained in this header. "PingofDeath" is a deliberately malformed test Ping (PacketInternetGroper) packet, claiming that its size exceeds the ICMP upper limit, that is, the loaded size exceeds the 64KB upper limit, causing memory allocation errors in network systems that have not taken protective measures, causing TCP/IP protocol The stack crashes and eventually the receiver crashes.
Teardrop
Teardrop attack uses the information contained in the header of the packet in the IP fragment to trust the TCP/IP protocol stack implementation to implement its own attack . IP fragments contain information indicating which part of the original packet the fragment contains. Some TCP/IP protocol stacks (such as NT before servicepack 4) will crash when receiving forged fragments with overlapping offsets.
UDP Flood(UDPflood)
UDPflood attack: Nowadays, UDP (User Data Packet Protocol) is widely used on the Internet, and many provide services such as WWW and Mail. Devices are usually servers using Unix, and they open some UDP services by default that are maliciously exploited by hackers. For example, the echo service will display each data packet received, and the chargen service, originally a test function, will randomly feedback some characters when receiving each data packet. The UDPflood impersonation attack uses the vulnerabilities of these two simple TCP/IP services to conduct malicious attacks. By forging a UDP connection with the Chargen service of a certain host, the reply address points to a host with the Echo service enabled. By referring the Chargen and Echo services to each other, sending useless junk data that takes up bandwidth back and forth, and generating enough useless data flows between the two hosts, this denial of service attack quickly causes the available bandwidth of the network to be exhausted.
SYN Flood(SYNflood)
SYNflood attack: We know that when a user makes a standard TCP (TransmissionControlProtocol) connection, there will be a 3-way handshake process. First, the server is requested to send a SYN (SynchronizeSequenceNumber) message. After receiving the SYN, the server will send back a SYN-ACK to the requester to confirm. When the requester receives the SYN-ACK, it will send an ACK message to the server again. , so that the TCP connection is successfully established. "SYNFlooding" specifically targets the process of TCP protocol stack initializing the connection handshake between two hosts to carry out DoS attacks. It only performs the first two steps in the implementation process: when the server receives the SYN-ACK confirmation message from the requester, The requester uses source address spoofing and other means to prevent the server from receiving an ACK response, so the server will be in a state of waiting to receive the requester's ACK message for a certain period of time. For a certain server, the available TCP connections are limited because they only have a limited memory buffer for creating connections. If this buffer is filled with initial information for false connections, the server will block the next connection. Stop responding until the connection attempt in the buffer times out. If a malicious attacker sends such connection requests in rapid succession, the server's available TCP connection queue will soon be blocked, the system's available resources will be sharply reduced, and the network's available bandwidth will shrink rapidly. If this continues, only a few lucky users' requests can be inserted. In addition to getting responses among a large number of false requests, the server will not be able to provide normal legitimate services to users.
Land (LandAttack) attack
In the Land attack, the hacker uses a specially crafted SYN packet-its original address and target address are both set to a certain A server address to attack. This will cause the receiving server to send a SYN-ACK message to its own address, which in turn will send an ACK message back and create an empty connection. Each such connection will be retained until timeout. Under a Land attack, many UNIX will Crash, NT becomes extremely slow (lasts about five minutes).
IP Spoofing
This attack is implemented by using the RST bit of the TCP protocol stack. It uses IP spoofing to force the server to reset the legitimate user's connection, affecting the legitimate user's connection. connect. Assume that a legitimate user (100.100.100.100) has established a normal connection with the server. The attacker constructs attack TCP data, disguises his IP as 100.100.100.100, and sends a TCP data segment with the RST bit to the server. After receiving such data, the server thinks that the connection sent from 100.100.100.100 has an error, and will clear the established connection in the buffer. At this time, if the legitimate user 100.100.100.100 sends legitimate data again, the server will no longer have such a connection. The user will be denied service and can only start over to establish a new connection.
For more computer-related knowledge, please visit the FAQ column!
The above is the detailed content of What is a dos attack. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
