DoS/DDoS attacks, especially DDoS TCP SYN flood attacks, are a persistent threat to the network systems and service servers of agencies and organizations. This type of attack often exhausts system resources or floods the transmission line, interrupting service to legitimate users or even bringing the system down.
DDoS attacks are difficult to detect and to prevent effectively because the number of controlled hosts taking part in the attack is very large and they are scattered across many locations. An effective DDoS prevention solution therefore requires researching the various types of DDoS attacks first.
In this article, VNETWORK shares with businesses how to secure a website and prevent DoS/DDoS TCP SYN flood attacks effectively. It also covers the background knowledge of network security and digital information security needed today to understand DDoS attacks and, on that basis, to choose effective prevention measures for each specific system.
This article focuses mainly on preventing the DDoS TCP SYN Flood attack, so the underlying concepts are only briefly introduced here; each concept will be detailed in other articles.
DoS & DDoS Attack
DoS (Denial of Service) attack: a denial-of-service attack carried out one-on-one, from a single source. DDoS (Distributed Denial of Service) attack: a distributed denial-of-service attack, carried out by many sources acting together.
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks differ only in the scope of the attack. While DoS attack traffic usually comes from one or a handful of sources, DDoS attack traffic often arises from a variety of sources scattered across the Internet.
In short, in a DoS attack a hacker exploits a server’s weaknesses and overwhelms it until it can no longer respond to other requests. If the server is powerful enough that a single-source DoS cannot bring it down, the attacker switches to a DDoS and attacks from many sources at once. The hacker acts as the master controller of a system of thousands of compromised computers (zombies), directing them through handlers such as IRC (Internet Relay Chat) or a C&C (Command and Control) server so that they all attack at the same time. No matter how strong the server is, if the attack is not detected it will soon crash.
How hackers spread malicious code to build a DDoS botnet
Where do hackers find thousands of zombies to carry out massive DDoS attacks on large businesses? To prepare for a large sweep, hackers first have to spread some kind of malicious code across the Internet. Vietnamese youth often like to use free or cracked products, which are easy to download, and in doing so their computers unknowingly become zombies under a remote hacker’s control.
The remote control here is nothing sophisticated: it is simply an instruction to send HTTP requests to a certain IP address. In today’s booming IoT era even a rice cooker is a component of the IoT network, so it too can be infected with malware and become a zombie that obeys the hacker’s remote control.
Hackers use DoS attacks for the sole purpose of paralyzing a website: making it slow to respond to user requests or taking it offline altogether. There are three main types of DoS/DDoS attack:
- Attack on network bandwidth
The tactic is basic: whoever has more resources wins. Not only is the victim’s network bandwidth saturated, but neighboring networks are affected as well.
- Attack on protocol
The Internet works by using protocols, which are simply the means of moving an object from point A to point B on the network. These attacks include Ping of Death, SYN Flood, packet modification, and others.
- Attack on the application layer
Web server applications (Windows IIS, Apache, …) are frequently attacked, and the newer trend among hackers is to target application platforms such as WordPress and Joomla.
DDoS TCP SYN Flood attack
At the transport layer there is the concept of the “three-way handshake”. A successful three-step handshake opens with a SYN packet and ends with an ACK packet (Seq + 1). During a DoS/DDoS attack the zombie only sends SYN packets and never sends the ACK (Seq + 1) that completes the three-step handshake, because the hacker does not own the zombie, only controls it. Any server that receives a SYN must create a thread/buffer to serve that SYN, so even the fake SYNs sent by zombies get a thread/buffer allocated while they wait for service. This leads to server overload.
DDoS prevention at the TCP layer (Filter Attack Syn Flood)
- Use packet filtering techniques based on IP address.
- Increase the backlog size to raise the target system’s capacity to accept new connections.
- Reduce the TCP SYN connection-request acknowledgment wait time, so the server cancels unconfirmed connection requests sooner and frees the resources that pending connections hold.
- Use a SYN cache, which maintains a common backlog for the whole server instead of a backlog per application. This can increase the number of connections that can wait for confirmation.
- Use SYN cookies, which allocate resources for a connection only once it has been confirmed. SYN requests that are not confirmed are discarded before being forwarded to the target server. This method can prevent SYN flood attacks effectively.
- Use firewalls or proxies to filter packets or enforce predefined security policies.
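The following Python model is an added example, not code from the original article or from VNETWORK, illustrating both the handshake mechanics described above and three of the listed countermeasures (a bounded backlog, a shorter SYN wait time, and SYN cookies). It keeps a half-open table of SYNs awaiting their ACK (Seq + 1) and shows how SYN-only traffic from sources that never reply fills that table, how a shorter timeout reclaims the slots, and how SYN cookies avoid storing any state until the ACK arrives. The listener class, the `simulate` helper, the 64-second cookie counter, the cookie layout and the secret are all assumptions of this model; the addresses are constructed from the documentation ranges.

```python
import hashlib
import hmac
import secrets

# Constructed secret for the SYN-cookie MAC; a real kernel rotates it regularly.
SECRET = b"constructed-example-secret"
COOKIE_WINDOW = 64  # seconds per cookie time-counter tick (assumed for this model)


def syn_cookie(src, client_isn, counter):
    """Stateless server ISN: 8-bit time counter in the top byte, 24-bit MAC over the
    client's address, port and ISN in the rest. Real SYN cookies also encode the
    negotiated MSS; this simplified model leaves that out."""
    msg = f"{src[0]}:{src[1]}:{client_isn}:{counter}".encode()
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return ((counter & 0xFF) << 24) | mac


def cookie_valid(src, client_isn, cookie, counter):
    """Accept a cookie minted in the current or the previous counter tick."""
    tick = cookie >> 24
    for candidate in (counter, counter - 1):
        if (candidate & 0xFF) == tick:
            return syn_cookie(src, client_isn, candidate) == cookie
    return False


class Listener:
    """Model of a TCP listener: a bounded SYN backlog of half-open entries with a
    timeout, or a stateless SYN-cookie mode that stores nothing until the ACK."""

    def __init__(self, backlog, syn_timeout, syncookies=False):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.syncookies = syncookies
        self.half_open = {}  # (ip, port) -> (server_isn, expiry time)
        self.established = 0

    def _expire(self, now):
        # Pending entries whose ACK never arrived are reclaimed after the timeout
        self.half_open = {k: v for k, v in self.half_open.items() if v[1] > now}

    def on_syn(self, src, client_isn, now):
        """Return the server ISN carried in the SYN-ACK, or None if the SYN is dropped."""
        if self.syncookies:
            return syn_cookie(src, client_isn, now // COOKIE_WINDOW)  # no state kept
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return None  # backlog full: this SYN is dropped
        isn = secrets.randbits(32)
        self.half_open[src] = (isn, now + self.syn_timeout)
        return isn

    def on_ack(self, src, client_isn, ack, now):
        """Third handshake step: return True if a connection is established."""
        if self.syncookies:
            cookie = (ack - 1) & 0xFFFFFFFF
            if cookie_valid(src, client_isn, cookie, now // COOKIE_WINDOW):
                self.established += 1  # resources are allocated only now
                return True
            return False
        self._expire(now)
        entry = self.half_open.pop(src, None)
        if entry is not None and ack == (entry[0] + 1) & 0xFFFFFFFF:
            self.established += 1
            return True
        return False


def simulate(backlog, syn_timeout, syncookies, n_spoofed, n_legit, legit_delay, now=1000):
    """A burst of SYN-only packets from sources that never answer, followed by
    legitimate clients completing the handshake legit_delay seconds later.
    Returns (connections established, half-open entries still held)."""
    srv = Listener(backlog, syn_timeout, syncookies)
    for i in range(n_spoofed):
        # Constructed spoofed sources (TEST-NET-3 range) that never send the final ACK
        srv.on_syn((f"203.0.113.{i % 254 + 1}", 1024 + i), client_isn=1, now=now)
    for i in range(n_legit):
        src = ("198.51.100.7", 50000 + i)  # constructed legitimate client
        t = now + legit_delay
        isn = srv.on_syn(src, client_isn=7, now=t)
        if isn is not None:
            srv.on_ack(src, client_isn=7, ack=(isn + 1) & 0xFFFFFFFF, now=t)
    return srv.established, len(srv.half_open)


if __name__ == "__main__":
    print("stateful, 60s wait :", simulate(128, 60, False, 256, 10, 1))  # (0, 128)
    print("stateful, 3s wait  :", simulate(128, 3, False, 256, 10, 5))   # (10, 0)
    print("SYN cookies        :", simulate(128, 60, True, 256, 10, 1))   # (10, 0)
```

In the first run the 128-entry backlog is filled entirely by SYNs that will never be acknowledged, so every legitimate client is turned away; shortening the wait time lets the server reclaim those entries before the real clients arrive, and SYN cookies remove the table altogether, since a forged ACK without a valid cookie is simply rejected. On Linux the equivalent knobs are the `net.ipv4.tcp_syncookies`, `net.ipv4.tcp_max_syn_backlog` and `net.ipv4.tcp_synack_retries` sysctl settings.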
VNIS integrates a Cloud WAF firewall and CDN Power-ups for comprehensive website security and effective protection against TCP SYN Flood attacks for businesses
Register for a free 7-day trial of VNIS at Hotline: (028) 7306 8789
Summary
Distributed Denial of Service (DDoS) attacks are a constant threat to the networks of government agencies and businesses. Many large-scale DDoS attacks have been carried out, paralyzing government networks and disrupting the operation of popular online services such as Yahoo.
DDoS attacks are difficult to defend against effectively because of their enormous size and distributed nature. Many sophisticated DDoS attack techniques and tools have been developed, and the strongest enabler of DDoS attacks is the rapid development of malware-infection techniques and the building of ghost-computer networks (zombies, botnets). Hackers can take control of computers connected to the Internet and command botnets of hundreds of thousands of machines to perform DDoS attacks. To build an effective anti-DDoS solution, researching the types of DDoS attacks should be done first.