DDoS is a method that makes a machine or a network resource unavailable to its users by overloading its resources. Take, for example, a parking lot with 100 spaces that is full: no car can park unless another leaves. If the parked cars never move out, the entrance of the parking lot will be lined with cars waiting to park. The lot is overloaded and can no longer do its job; this is what is called a denial of service.
Our system is like the parking lot, and a system resource is like a parking space. Resources are limited, but the service must always go on. So once all the resources have been occupied, the service is overloaded and the system stops responding to new requests.
A DDoS attack amplifies ordinary requests many times over by sending them through a large number of network nodes at the same time. These nodes are usually controlled by hackers, and when their number reaches a certain size they form a botnet. Large botnets can reach tens of thousands or even hundreds of thousands of machines. DDoS attacks on that scale are almost unstoppable.
The SYN flood, UDP flood, and ICMP flood are common DDoS attacks, of which the SYN flood is the most classic. It was discovered in 1996 but remains effective today. The SYN flood takes advantage of flaws in the design of the TCP protocol, which is the basis of the entire Internet; these flaws cannot simply be repaired, since doing so would affect every Internet service.
Under normal circumstances, the TCP three-way handshake proceeds as follows:
- The client sends a SYN packet to the server, carrying the port number used by the client and the client's initial sequence number x.
- When the server receives the client's SYN packet, it replies with a TCP packet that has both the SYN and ACK bits set, carrying the acknowledgement number x + 1 and the server's initial sequence number y.
- When the client receives the server's SYN + ACK packet, it replies with an ACK packet whose acknowledgement number is y + 1 and whose sequence number is x + 1, which completes a standard TCP connection.
A SYN flood attack forges a large number of source IP addresses and sends a large number of SYN packets to the server. Because the source addresses are forged, no host ever replies to the server's SYN + ACK. When the server receives no response from the false IP address, it retransmits and waits three to five times for a SYN timeout (generally 30 s–2 min) before giving up. Meanwhile, normal connection requests are discarded, because the server is busy all the time.
The SYN cookie/SYN proxy and the safe reset algorithm are the main methods used to fight the SYN flood. The principal idea of the SYN cookie is to assign a cookie and track the call frequency of each IP address: if a large number of packets arrive from the same IP address in a short period of time, it is treated as an attack, and packets from that IP address are discarded.
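To make the three handshake steps, the cost of an unanswered SYN, and the per-address frequency check concrete, here is an added example that is not part of the original text. It models a listener's half-open (SYN_RECEIVED) table in plain Python, with no sockets and nothing on the wire. The names Listener, Segment and SourceRateLimit, the addresses 192.0.2.10 and 203.0.113.7, the backlog size of 16, the retransmission budget of 5 and the server initial sequence number 1000 are all constructed for the demonstration.

```python
"""Added example (not from the original text): an in-memory model of a TCP
listener's half-open table. Every address, port, size and timer value below
is constructed for the demonstration; no real packets are involved."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Segment:
    src: str      # source IP address (constructed)
    sport: int    # source port
    flags: int
    seq: int      # sequence number
    ack: int = 0  # acknowledgement number (meaningful when ACK is set)


@dataclass
class Listener:
    backlog: int = 16      # half-open entries the listener holds (constructed)
    syn_retries: int = 5   # SYN+ACK retransmissions before the entry is dropped
    next_isn: int = 1000   # server initial sequence number y (constructed)
    half_open: dict = field(default_factory=dict)  # (src, sport) -> [y, retries_left]
    established: set = field(default_factory=set)
    dropped: int = 0       # SYNs refused because the backlog was full

    def on_segment(self, seg):
        """Process one client segment; return the server's reply or None."""
        key = (seg.src, seg.sport)
        if seg.flags == SYN:
            if len(self.half_open) >= self.backlog:
                self.dropped += 1          # backlog full: this SYN is discarded
                return None
            y, self.next_isn = self.next_isn, self.next_isn + 1
            self.half_open[key] = [y, self.syn_retries]
            # Handshake step 2: SYN+ACK carrying y and x + 1.
            return Segment("server", 80, SYN | ACK, seq=y, ack=seg.seq + 1)
        if seg.flags == ACK and key in self.half_open:
            y, _ = self.half_open[key]
            if seg.ack == y + 1:           # step 3: client acknowledges y
                del self.half_open[key]
                self.established.add(key)
                return "ESTABLISHED"
        return None

    def tick(self):
        """One SYN timeout elapses: retransmit SYN+ACK, or give up on the entry."""
        for key, entry in list(self.half_open.items()):
            if entry[1] == 0:
                del self.half_open[key]    # retransmission budget spent
            else:
                entry[1] -= 1


class SourceRateLimit:
    """Per-source frequency check: at most `limit` SYNs from one address
    within the last `window` ticks; further SYNs from it are discarded."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)     # src -> ticks of accepted SYNs

    def allow(self, src, now):
        q = self.seen[src]
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def three_way_handshake(x=500):
    """Full handshake for one client with initial sequence number x.
    Returns (y from SYN+ACK, acknowledgement in SYN+ACK, final state)."""
    srv = Listener()
    syn_ack = srv.on_segment(Segment("192.0.2.10", 40000, SYN, seq=x))
    state = srv.on_segment(Segment("192.0.2.10", 40000, ACK, seq=x + 1, ack=syn_ack.seq + 1))
    return syn_ack.seq, syn_ack.ack, state


def unanswered_syns_then_client(n_syns, limiter=None):
    """n_syns SYNs from one source that never answers its SYN+ACKs, then a
    legitimate client. Returns (half-open entries, SYNs dropped, client state)."""
    srv = Listener()

    def admit(src, sport, seq, now):
        if limiter is None or limiter.allow(src, now):
            return srv.on_segment(Segment(src, sport, SYN, seq=seq))
        return None

    for i in range(n_syns):
        admit("203.0.113.7", 1024 + i, i, now=0)
    syn_ack = admit("192.0.2.10", 40000, 500, now=1)
    state = None
    if syn_ack is not None:
        state = srv.on_segment(Segment("192.0.2.10", 40000, ACK, seq=501, ack=syn_ack.seq + 1))
    return len(srv.half_open), srv.dropped, state


def timeouts_until_drained(n_syns):
    """SYN timeouts that elapse before unanswered entries free the backlog."""
    srv = Listener()
    for i in range(n_syns):
        srv.on_segment(Segment("203.0.113.7", 1024 + i, SYN, seq=i))
    ticks = 0
    while srv.half_open:
        srv.tick()
        ticks += 1
    return ticks
```

Without the limiter, 40 unanswered SYNs fill the 16-slot backlog and the legitimate client's SYN is dropped; each entry is only released after the whole retransmission budget (here six timeouts) is spent. With SourceRateLimit(limit=8, window=1) in front, only eight entries are occupied and the client connects. Note that this per-source check only helps when SYNs repeat from one address; it is not by itself an answer to forged, never-repeating source addresses.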
Many anti-DDoS products use various algorithms to clean the traffic based on characteristic features of DDoS attacks. Anti-DDoS network devices can be connected in series (inline) or in parallel at the exit of the network.
DDoS is still a problem because when the attack traffic exceeds the maximum load of the network equipment or the bandwidth, the network is paralyzed. In general, large sites are better able to withstand DDoS attacks because their bandwidth is abundant and the number of servers in the cluster is large. However, cluster resources are still limited in an actual attack; DDoS traffic can sometimes reach several Gs or tens of Gs, so network operators should cooperate with the server side to respond to DDoS attacks.