DoS Prevention
Categories:
DDoS Prevention
Two broad effects of a DoS attack:
- Crash the service (a crafted packet or request triggers a bug or exhausts a resource)
- Congest the network (volume alone saturates links or devices)
Attack Types
| Attack Type | Attack Method | Response Method |
|---|---|---|
| Distributed DoS | Many machines with independent source IPs attack at once, so no single address carries enough traffic to stand out | 1. Degrade service (shed load) 2. Blacklist 3. Shut down network devices (last resort) |
| Yo-yo attack | Target a service with auto-scaling: send a burst so it scales up, stop so it scales down, then hit it again during the under-provisioned scale-down interval; the victim also pays for the extra capacity | Blacklist |
| Application layer attacks | Target specific functions or features (expensive endpoints such as search or login) with requests that look legitimate | Blacklist |
| LAND attack | A crafted TCP SYN packet whose source and destination address and port are both the victim's own, so the target answers itself and keeps the connection cycling until resources are exhausted and it crashes. It is a single-packet, network-layer attack, not an application-layer one, and differs from a SYN flood in that it needs no volume. | Drop packets whose source address equals the destination (ingress filtering); blacklisting does not help because the source is forged |
| Advanced persistent DoS (APDoS) | Anti-reconnaissance, targeted, evades countermeasures, long-running, large computing power, multi-vector and multi-threaded | Degrade service |
| HTTP slow POST | Open legitimate connections, declare a large Content-Length, then send the body a few bytes at a time so every connection stays open until the server's worker pool is exhausted | Degrade service; enforce a minimum body transfer rate and per-connection timeout |
| Challenge Collapsar (CC) attack | Frequently send standard, legitimate-looking requests that are expensive to serve, e.g. search queries that consume large amounts of memory | Degrade service, content identification |
| ICMP flood | Large numbers of ping or ICMP error packets; Ping of death is a malformed ping whose reassembled size exceeds the 65,535-byte IP maximum and crashes vulnerable stacks | Degrade service (rate-limit ICMP) |
| Permanent denial-of-service (PDoS) | Attack the hardware itself, e.g. overwrite firmware so the device no longer boots | Content identification |
| Reflected attack | Send requests to third parties with the source address forged to the victim's, so their responses go to the victim | Handled as DDoS |
| Amplification | Use services whose responses are much larger than the request as reflectors to multiply traffic | Handled as DDoS |
| Mirai botnet | Compromised IoT devices used as attack sources | Handled as DDoS |
| SACK Panic | Send crafted TCP selective acknowledgments on a connection with a very small maximum segment size, triggering a bug in the Linux TCP stack (CVE-2019-11477) that panics the kernel | Content identification; patch the kernel, or drop segments advertising a tiny MSS |
| Shrew attack | Exploit the TCP retransmission timeout: short bursts synchronized with the RTO repeatedly force timeouts on TCP flows sharing the link while the average traffic rate stays low | Timeout discard |
| Slow Read | Like slow POST, but the client sends a legitimate request and then reads the response very slowly by advertising a tiny TCP receive window, tying up the connection pool | Timeout disconnect, degrade service, blacklist |
| SYN flood | Send large numbers of TCP SYN packets, usually from spoofed sources, so the server fills its half-open connection table | Timeout mechanism, SYN cookies |
| Teardrop | Send IP fragments with overlapping, oversized payloads that crash vulnerable reassembly code | Content identification |
| TTL expiration attack | A packet discarded because its TTL reached zero makes the router CPU generate an ICMP Time Exceeded reply; a stream of such packets overloads the router's CPU | Discard traffic (rate-limit ICMP generation) |
| UPnP attack | A DNS amplification variant in which a UPnP router forwards requests from one external source to another, ignoring the UPnP rule that only local hosts may create port mappings | Degrade service |
| SSDP reflection | Many devices, including residential routers, answer SSDP queries (UDP port 1900) from the Internet; the attacker spoofs the victim's address and the devices send their responses to it | Degrade service, block port 1900 |
| ARP spoofing | Send forged ARP replies that bind the attacker's MAC address to the IP of another host or gateway (such as the router), so traffic meant for the real host is redirected to the attacker and never delivered | Handled as DDoS (local network only) |
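Several rows in the table (LAND, Ping of death, Teardrop) are single crafted packets rather than floods, so the defence is a content check on each packet rather than counting traffic. The following is an added example, not code from the page or any of the tools it lists; it models packets as plain dataclasses and the sample packets are constructed inline, with no real capture involved.

```python
"""Packet-level sanity checks for the crafted-packet attacks in the table:
LAND (src == dst), Teardrop (overlapping fragments) and Ping of death
(reassembly past the IP maximum). Added example; packets are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_MAX_LEN = 65535   # maximum IPv4 datagram length, header included
IP_MIN_HDR = 20      # minimal IPv4 header, used to size the reassembled datagram


@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    frag_id: int = 0        # IP identification field shared by all fragments
    frag_off: int = 0       # fragment offset in bytes from the start of payload
    payload_len: int = 0    # payload bytes carried by this fragment
    more_frags: bool = False


def is_land(p: Packet) -> bool:
    """LAND: a SYN whose source and destination address and port are the victim
    itself. A blacklist cannot stop it because the source is forged."""
    return p.proto == "tcp" and p.syn and p.src == p.dst and p.sport == p.dport


class FragmentTracker:
    """Tracks fragments per (src, dst, id) and flags overlapping or oversized
    reassembly before a vulnerable stack would attempt it."""

    def __init__(self) -> None:
        self._frags = defaultdict(list)   # key -> list of (start, end) intervals

    def check(self, p: Packet) -> Optional[str]:
        """Return the anomaly this fragment introduces, or None if it is fine."""
        if not p.more_frags and p.frag_off == 0:
            return None                   # unfragmented datagram, nothing to do
        key = (p.src, p.dst, p.frag_id)
        start, end = p.frag_off, p.frag_off + p.payload_len
        if end + IP_MIN_HDR > IP_MAX_LEN:
            return "oversized_reassembly"  # Ping of death style
        for s, e in self._frags[key]:
            if start < e and s < end:      # intervals intersect
                return "overlapping_fragment"  # Teardrop style
        self._frags[key].append((start, end))
        if not p.more_frags:
            del self._frags[key]          # last fragment seen, datagram complete
        return None


def classify(packets: List[Packet]) -> List[Tuple[int, str]]:
    """Run every check over a packet list; returns (index, anomaly) pairs."""
    tracker = FragmentTracker()
    findings = []
    for i, p in enumerate(packets):
        if is_land(p):
            findings.append((i, "land"))
            continue
        anomaly = tracker.check(p)
        if anomaly:
            findings.append((i, anomaly))
    return findings


# Constructed sample traffic (addresses from documentation ranges).
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.5", "tcp", 80, 80, syn=True),          # 0: LAND
    Packet("198.51.100.7", "10.0.0.5", "tcp", 51000, 80, syn=True),   # 1: ordinary SYN
    Packet("198.51.100.9", "10.0.0.5", "udp", frag_id=7,
           frag_off=0, payload_len=1000, more_frags=True),            # 2: first fragment
    Packet("198.51.100.9", "10.0.0.5", "udp", frag_id=7,
           frag_off=500, payload_len=1000, more_frags=False),         # 3: overlaps #2
    Packet("203.0.113.4", "10.0.0.5", "icmp", frag_id=9,
           frag_off=0, payload_len=1480, more_frags=True),            # 4: start of a big ping
    Packet("203.0.113.4", "10.0.0.5", "icmp", frag_id=9,
           frag_off=65120, payload_len=500, more_frags=False),        # 5: reassembles past 65535
]

if __name__ == "__main__":
    for idx, name in classify(SAMPLE):
        print(f"packet {idx}: {name}")
```

The overlap test is the standard half-open interval intersection; a production filter would additionally bound how many fragment sets it tracks per source so the tracker itself cannot be exhausted.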
Prevention Measures
- Identify attack traffic, using these indicators:
  - Service interruption
  - Traffic content (malformed packets, abnormal request patterns)
  - Service congestion
  - Access counts per source (record how often each client hits the service)
- Process attack traffic
  - Discard attack traffic
  - Block attack IPs
    - The IPv4 address space is small, so per-address blacklists are easy to build
    - The IPv6 address space is huge, so per-address blacklists are impractical; block address ranges (e.g. a /64 prefix) instead, accepting the risk of also blocking legitimate hosts in that range
  - Control access frequency (rate-limit each source)
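The last three measures (discard, block IPs, control access frequency) are usually one mechanism: a sliding-window counter per source that drops traffic and bans the source once it exceeds a rate. The example below is added here and is not code from the page; it parses constructed access-log lines (not from any real server), keys IPv4 clients by address and IPv6 clients by /64 prefix as the list above suggests, and bans a key once it exceeds the limit inside the window.

```python
"""Sliding-window rate limiting with blacklisting over access-log lines.
IPv4 sources are keyed per address, IPv6 sources per /64 prefix (an attacker
holding one /64 can rotate through 2**64 addresses, so per-address limits
never trigger). Added example; log lines are constructed."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Tuple

# Matches the common "client ident user [time] \"request\"" log prefix.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def bucket_key(ip_str: str) -> str:
    """IPv4: the address itself. IPv6: its /64 network (page caveat: legitimate
    hosts in the same /64 are blocked along with the attacker)."""
    addr = ipaddress.ip_address(ip_str)
    if addr.version == 4:
        return str(addr)
    return str(ipaddress.ip_network(f"{addr}/64", strict=False))


class SlidingWindowLimiter:
    def __init__(self, limit: int, window_s: float, ban_s: float) -> None:
        self.limit, self.window_s, self.ban_s = limit, window_s, ban_s
        self._hits = defaultdict(deque)   # key -> timestamps inside the window
        self.banned: Dict[str, float] = {}  # key -> time the ban expires

    def allow(self, key: str, now: float) -> bool:
        until = self.banned.get(key)
        if until is not None:
            if now < until:
                return False              # still banned: discard
            del self.banned[key]          # ban expired
        q = self._hits[key]
        q.append(now)
        while q and q[0] <= now - self.window_s:
            q.popleft()                   # forget hits older than the window
        if len(q) > self.limit:
            self.banned[key] = now + self.ban_s   # blacklist the source
            q.clear()
            return False
        return True


def process_log(text: str, limit: int = 5, window_s: float = 10.0,
                ban_s: float = 60.0) -> Tuple[Dict[str, Tuple[int, int]], List[str]]:
    """Replay log lines in order; returns {key: (allowed, dropped)} and the
    sorted list of keys that ended up banned."""
    limiter = SlidingWindowLimiter(limit, window_s, ban_s)
    counts: Dict[str, List[int]] = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line, skip
        now = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        key = bucket_key(m["ip"])
        counts[key][0 if limiter.allow(key, now) else 1] += 1
    return ({k: (a, d) for k, (a, d) in counts.items()},
            sorted(limiter.banned))


def _line(ip: str, sec: int, path: str = "/search?q=x") -> str:
    """Build one constructed log line at 12:00:<sec>."""
    return f'{ip} - - [10/May/2024:12:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: an IPv4 source sends 8 requests in 4 s, a legitimate
# client sends 2, and an IPv6 source rotates through 6 addresses in one /64.
SAMPLE_LOG = "\n".join(_line(ip, s) for ip, s in [
    ("203.0.113.9", 0), ("198.51.100.7", 0), ("2001:db8:1:2::a", 0),
    ("203.0.113.9", 0), ("203.0.113.9", 1), ("2001:db8:1:2::b", 1),
    ("203.0.113.9", 1), ("203.0.113.9", 2), ("2001:db8:1:2::c", 2),
    ("203.0.113.9", 2), ("203.0.113.9", 3), ("2001:db8:1:2::d", 3),
    ("203.0.113.9", 3), ("2001:db8:1:2::e", 4), ("198.51.100.7", 5),
    ("2001:db8:1:2::f", 5),
])

if __name__ == "__main__":
    counts, banned = process_log(SAMPLE_LOG)
    for key, (allowed, dropped) in counts.items():
        print(f"{key:<22} allowed={allowed} dropped={dropped}")
    print("banned:", banned)
```

With the defaults (5 requests per 10 s, 60 s ban) the IPv4 attacker gets 5 requests through and 3 dropped, the legitimate client is untouched, and the six IPv6 addresses collapse into the single key 2001:db8:1:2::/64, which is banned on its sixth request even though no individual address sent more than one.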
Open Source Tools
Attack Tools
- https://github.com/palahsu/DDoS-Ripper
- 162 forks, 755 stars
- https://github.com/MHProDev/MHDDoS
- 539 forks, 2.2k stars
- MHDDoS - DDoS Attack Script With 40 Methods
- https://github.com/NewEraCracker/LOIC
- 539 forks, 1.9k stars
- C#
- network stress tool
- https://github.com/PraneethKarnena/DDoS-Scripts
- 165 forks, 192 stars
- C, Python
- https://github.com/theodorecooper/awesome-ddos-tools
- 46 stars
- collection of ddos tools
Defense Tools
- https://github.com/AltraMayor/gatekeeper
- GPL-3.0 License
- 159 forks, 737 stars
- C, Lua
- Gatekeeper is the first open source DoS protection system.
- https://github.com/Exa-Networks/exabgp
- Apache-like license
- 415 forks, 1.8k stars
- Python
- The BGP swiss army knife of networking
- https://github.com/curiefense/curiefense
- Apache 2.0 License
- 60 forks, 386 stars
- Application-layer protection
- protects sites, services, and APIs
- https://github.com/qssec/Hades-lite
- GPL-3.0 License
- 24 forks, 72 stars
- C
- Kernel-level Anti-ddos driver
- https://github.com/snort3/snort3
- GPL-2.0 License
- 372 forks, 1.4k stars
- next generation Snort IPS (Intrusion Prevention System)
- C++
Traffic Monitoring
- https://github.com/netdata/netdata
- GPL-3.0 License
- 5.2k forks, 58.3k stars
- C
- https://github.com/giampaolo/psutil
- BSD-3-Clause License
- 1.2k forks, 8.2k stars
- Python, C
- Cross-platform lib for process and system monitoring in Python, also network monitoring
- https://github.com/iptraf-ng/iptraf-ng
- GPL-2.0 License
- 22 forks, 119 stars
- C
- IPTraf-ng is a console-based network monitoring program for Linux that displays information about IP traffic.