Website construction security DDOS attack and defense
Source: Shangpin China |
Type: website encyclopedia |
Date: 2013-02-13
Beijing website construction Shangpin China: A few days ago, a website we operate suffered a DDoS attack. Ours is a non-profit site, built as a platform through which vendors and white hats exchange security issues and related information, so we do not know why we would be the target of such a shameless attack. Since we do not engage in this type of attack ourselves, and the technique behind it is usually crude, we rarely discuss it. But now that it has happened, we want to share what we learned during and after the attack and our thoughts about it, so that the attack produces some real value instead of just wasting everyone's time.

We have also noticed that although large enterprises are attacked, very little is published about their response measures and the lessons they learned. As a result every company explores on its own, and each enterprise is still fighting alone against attacks coming from the whole Internet. From the attacker's side, this attack targets you and the next one targets someone else, and the attacker loses neither technology nor resources afterwards. That is why such attacks are so frequent and unrestrained. Let us try to change that :)

Common DDoS attacks and defenses

In keeping with 80sec's motto "Know it, then hack it", here is a brief overview of DDoS attack and defense. DDoS stands for distributed denial of service. A denial of service must stop the service for some reason, and the most important and common reason is exhaustion of the limited resources on the server side; those resources come in many forms.
A normal request can be broken down roughly as follows:

1. The user enters the requested address in the browser.
2. The browser parses the request, including resolving the DNS name to determine the address of the remote server.
3. With the address known, the browser and the server try to establish a connection. The connection packets travel through the local network and the intermediate routers until they reach the target network and then the target server.
4. Once the connection is established, the browser builds the request packets and sends them to a port on the server.
5. The port is mapped to a process, which parses the data after receiving it.
6. The request uses various resources inside the server, including back-end APIs, databases and files.
7. After the logic has been processed, the response travels back over the established channel to the browser, which parses it and completes the request.

Every one of these points can be used for a DDoS attack:

1. Client-side hijacking malware. Remember the virus that redirected visits to Baidu to Sogou? :)
2. DNS hijacking, as happened to a large Internet company, or flooding the DNS server directly with a large number of requests. A professional third-party DNS service such as DNSPod can mitigate this.
3. Attacking the network resources needed to establish a connection: saturating the server's bandwidth so that normal packets cannot arrive (UDP floods); consuming the CPU of front-end devices so that packets cannot be forwarded effectively (ICMP and fragmented packets); consuming the resources the server needs to set up a normal connection (SYN flood); or occupying a large number of connections so that normal connections cannot be initiated, as in the TCP flood we experienced this time.
4. Exploiting characteristics of the web server. Compared with nginx, Apache's handling of a request is cumbersome.
5. Exploiting internal characteristics of the application to attack its internal resources, such as MySQL and resource-heavy back-end interfaces. This is the traditional CC attack.

Attack and defense are two sides of one thing. If you understand the other side's attack points and methods, defense becomes a simple matter of allocating resources. Do not fight their strongest point with your weakest; start solving the problem at the most appropriate layer. Trying to stop application-layer attacks on routers and similar devices is not a good approach, and trying to solve network-layer problems in the application layer is equally hopeless. In short, the goal is to let only normal data and requests reach our service. A complete defense should consider the following:

1. Good DNS defense, since DNS is the entry point of every user request.
2. Bandwidth resources that match the value of your service, with the corresponding defense policy deployed on the core nodes so that only the packets your applications actually need can get in, for example by blocking everything except port 80.
3. Server clusters sized to your service's value to withstand application-layer pressure. If necessary, an HTTP request should be decomposed further: the pressure of connection establishment can be offloaded to other clusters (ordinary hardware firewalls seem able to do this), and even the parsing of normal HTTP requests can be split out so that only well-formed requests reach the back end, malformed ones are discarded, the request rate of normal clients is recorded and monitored, and application-layer blocking kicks in on anomalies.

Each company assesses its own value to decide how much to invest in security, and every attack likewise involves someone's interests. Defense has inherent weaknesses, such as insufficient investment and imperfect implementation, but so does attack: every attack involves several links, each link may be carried out by people of different skill levels, and their resources, tools and techniques are not perfect, so defense is possible. I also believe that the people who carry out DDoS attacks form a fixed industry with a fairly fixed set of people, technologies, tools, resources and interest chains. Enterprises, by contrast, lack the corresponding communication, and a single enterprise naturally struggles to fight an entire industry. If every enterprise shared its experience when attacked, including the size and IP distribution of the botnet, the characteristics of the attack tools, and even analysis of the interests and operators behind it, then every attack would raise everyone's overall defensive ability and erode the attacker's capability. We are willing to do this.
Emergency response

The first symptom of the attack was that our website became unavailable while the management interface was still reachable. We logged in and simply ran:

    netstat -antp

There were a large number of connections in the ESTABLISHED state. Under normal conditions our site never sees that many visitors; if it did, we would say China's information security had a bright future. Such a situation is relatively simple to deal with. It was a layer-4 attack, meaning all the IPs were real, and since so far only the web server's connection resources were being consumed, we only needed to block these IPs at the network layer. Very simply, with the following script:

    # every remote IP with more than 50 ESTABLISHED connections to local port 80
    for i in `netstat -an | grep -i ':80 ' | grep 'EST' | awk '{print $5}' | cut -d : -f 1 | sort | uniq -c | awk '{if($1 > 50) {print $2}}'`
    do
        echo $i
        echo $i >> /tmp/banip                        # keep a record of what was blocked
        /sbin/iptables -A INPUT -p tcp -j DROP -s $i
    done

Run as a scheduled task once a minute, it soon filled the iptables block list with a large number of IPs. A quick count showed that many of the IPs with the most connections came from South Korea. To keep the system performing, we raised the number of connections the system accepts and the per-connection request rate in nginx, and the service returned to normal.

The normal state lasted until the next day. After noon we found that access was slow again; with ping, about 70% of the packets were lost. After a difficult login we found few normal TCP connections on the system. To find the cause we captured packets:

    tcpdump -w tmp.pcap port not 22
    tcpdump -r tmp.pcap -nnA

The attack had shifted from the application layer to the network layer: a huge volume of UDP and ICMP packets aimed at port 80, each about 1 KB, was filling the network at an extremely high rate. This time the resource consumed was pure bandwidth, which no limit on the host can solve. That does not matter in principle: a network-layer problem can be handled at the network layer, simply by dropping all non-TCP packets to our IP, such as UDP and ICMP, upstream on the network. But we do not own our servers and have no control over the network equipment. Our hosting is currently supported by the CERT of the Ministry of Industry and Information Technology, and because the corresponding operation could not be coordinated in time, our service was, as you may have seen, extremely slow and essentially stopped. After a while the attacker stopped and the service recovered. Frustrating, isn't it? At the same time, though, many enthusiastic friends offered help and better network and server resources, which has greatly improved our capacity and alleviated this problem. We would like to thank them here.

Root cause and counterattack

It puzzled me that attacking us brings no actual benefit, yet people still attack us. I heard that other companies had been attacked too. One reason, I think, is that although the attacker gains nothing from attacking us, he loses nothing either, whether in resources or in legal risk; a single attack costs him very little, whereas the service provider loses a great deal. Economically this is unbalanced, and we are on the weak side. Usually there is no punishment for the perpetrator at all, but this time we thought we could do something: try to dig out the attacker behind it, or even clean up the botnet. First of all, the attack started at the application layer, so all the IPs were real.
After communicating with CERT we also found that these IPs were South Korean and that the control end was not in China; there had been no contact with China during the period. Interestingly, even when the attack later switched to a UDP+ICMP flood, the sources were still South Korean IPs. Normally UDP and ICMP packets can be spoofed, but here they were not, which we roughly confirmed later. These IPs are real, and after the attack they must still keep in touch with the attacker. The usual contact method is a DNS domain name, because it is convenient for control. So if we could dig out that domain name, we might indirectly find out where the real culprits are.

We first quickly identified the attacking IPs that had port 80 open. Because we are confident about security problems on port 80 (the origin of the 80sec name), we expected to learn the details behind these IPs soon. Most of them turned out to be routers and some web VPN devices. We guess the attack mainly relied on Korean home users: a home user's machine is usually Windows, and newer versions place fairly strict limits on sending raw packets, which also explains why even the UDP+ICMP attack we saw came mostly from real IPs. After discovering these routers we tried to go deeper, and quickly logged in to some of them with weak passwords such as admin/admin. Netizens all over the world really are the same; admin/admin is a natural doorway. Once logged in, we found that these routers let us set the DNS server, meaning all subsequent DNS requests from behind them could be directed to a DNS server of our own, which would be very useful for understanding what the internal network was doing. So we set up our own DNS server with query logging enabled, recording the details of every request.

We controlled the DNS setting of about 20 routers and successfully redirected them to our own servers. The rest was simple data analysis. We made the following guesses about the botnet's control domain:

1. The DNS record will be used to control the domain flexibly, so its TTL should not be very long.
2. The domain should be requested regularly, so it will make up a large share of DNS requests.
3. The domain exists for control, so it should have a low access index in search engines and elsewhere. Combined with rule 2 this is a natural contradiction that makes it easier to pick out.
4. The domain should be requested from behind every router.

Simple statistics gave the answer easily. We found some generic 3322 malware domains, but they were not what we wanted, since only a few machines visited them. After a while we finally found a domain queried by as many hosts as Naver (a South Korean portal): workgroup001.snow******.net. Their botnet seems to be very well managed. About 18 machines had visited this domain. Its host is located in Singapore, its TTL is 1800, that is, half an hour, it has no record in any search engine, and it was registered by a Korean with GoDaddy a year ago. We also visited port 3389 on the host it points to; pressing Shift five times at the login prompt showed that it carried a typical Windows back door. So it seems we had found it, right? After a period of follow-up observation the domain name was pointed to 127.0.0.1, and we were sure of our answer: workgroup001.snow******.net, which was apparently very good at botnet management :)

This is a typical DDoS attack. After it, we obtained the list of hosts that took part and the domain name and IP address of the control end.
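The four guesses above turned into a ranking over the query log. Here is that ranking as an added example (not the original post's tooling), run over a constructed log: the client addresses, TTLs and the control domain workgroup001.c2-example.invalid are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed DNS query log (not real data): "<iso time> <client> <qname> <ttl>".
# Five hosts sit behind the redirected routers. A hypothetical control domain is
# queried by every host every 30 min with a 1800 s TTL; the rest is normal traffic.
_T0 = datetime(2013, 2, 10, 12, 0, 0)
CLIENTS = ["10.0.%d.2" % i for i in range(1, 6)]
LOG_LINES = []
for i, c in enumerate(CLIENTS):
    for k in range(6):                # regular beacon, short TTL
        t = _T0 + timedelta(minutes=30 * k, seconds=7 * i)
        LOG_LINES.append("%s %s workgroup001.c2-example.invalid 1800" % (t.isoformat(), c))
    for k in range(4):                # regular, but long TTL
        t = _T0 + timedelta(minutes=37 * k + 11 * i)
        LOG_LINES.append("%s %s portal.example.com 86400" % (t.isoformat(), c))
    for m in (0, 3, 50, 52, 120):     # short TTL, but irregular
        t = _T0 + timedelta(minutes=m, seconds=i)
        LOG_LINES.append("%s %s cdn.example.net 300" % (t.isoformat(), c))
LOG_LINES.append("%s 10.0.1.2 only-one-host.invalid 300" % _T0.isoformat())

def parse_log(lines):
    """Return qname -> client -> [timestamps], and qname -> ttl."""
    seen = defaultdict(lambda: defaultdict(list))
    ttl = {}
    for line in lines:
        ts, client, qname, t = line.split()
        seen[qname][client].append(datetime.fromisoformat(ts))
        ttl[qname] = int(t)
    return seen, ttl

def regularity(times):
    """Coefficient of variation of query gaps (0 = periodic); None if too few."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return pstdev(gaps) / mean(gaps) if len(gaps) >= 2 else None

def rank_control_domains(lines, total_clients, max_ttl=1800, min_share=0.8, max_cv=0.25):
    """Guesses 1, 2 and 4: short TTL, periodic queries, seen behind most routers.
    Guess 3 (no search-engine footprint) needs an external lookup and is left
    to the analyst. Returns [(qname, distinct clients, ttl)] by client count."""
    seen, ttl = parse_log(lines)
    hits = []
    for qname, per_client in seen.items():
        cvs = [cv for cv in map(regularity, per_client.values()) if cv is not None]
        if (ttl[qname] <= max_ttl and len(per_client) / total_clients >= min_share
                and cvs and max(cvs) <= max_cv):
            hits.append((qname, len(per_client), ttl[qname]))
    return sorted(hits, key=lambda h: -h[1])
```

On a real log from a resolver with query logging, feed the log lines in the same four-field shape and pass the number of routers you redirected as total_clients.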
I believe the CERTs of China and South Korea will be very interested in cleaning up the attack source. We suffered some losses, but the attacker lost something too (probably a botnet and a control-end domain, and perhaps even a legal investigation at home). We are no longer so unequal, are we?

Summary

As a friend said, every defense is imperfect, just as every attack is imperfect. A good defender should be good at finding the attacker's imperfections while improving his own defense toward perfection, looking for the loopholes in an attack rather than fearing it. A DDoS attack has loopholes in how it is launched; if we are good at exploiting them and catching the attackers behind them, we believe future DDoS cases will be much reduced, and attackers will weigh loss, benefit and law more carefully before launching an attack against a target. This article was published on Beijing Website Construction Company Shangpin China //ihucc.com/
Source statement: This article was written or edited by Shangpin China's editors. If it is reproduced, please indicate that it comes from Shangpin China. The above content (including pictures and text) is from the Internet; if there is any infringement, please contact us promptly (010-60259772).