Denial-of-Service Attacks

What are DoS attacks, the various types of DoS attacks, and how to prevent them


What is a denial-of-service (DoS) attack?

A denial-of-service (DoS) attack aims to obstruct a network or resource by flooding a target with artificial traffic, which restricts user access to the respective service being attacked. 

Denial-of-service (DoS) attacks focus on disrupting or preventing legitimate users from accessing websites, applications, or other resources. These attacks have been used by criminal organizations to extort money, by activist groups to ‘make a statement’, and by nation-state actors to punish their adversaries.

The impact and costs associated with DoS attacks can be wide-ranging; sending a text bomb to trigger an unexpected reboot of a target’s smartphone might be considered a minor inconvenience, while a large-scale attack that prevents an online business from serving its customers may cost millions of dollars. And with today’s hyperconnectivity of networked systems, DoS attacks, like other common security attacks, are a threat to many businesses, organizations, and governments around the world.

Types of DoS attacks

Over the years, denial-of-service attacks have evolved to encompass a number of attack vectors and mechanisms.

Distributed denial-of-service (DDoS)

Originally, DoS attacks involved one single system attacking another. While a DoS attack can still be carried out that way, the majority of present-day DoS attacks involve a number of systems (even into the hundreds of thousands) under the attacker’s control, all attacking the target simultaneously.

This coordination of attacking systems is referred to as a “distributed denial-of-service” (DDoS) and is often the mechanism of choice when carrying out the other attack types listed below. There are even “stresser” (a.k.a. “booter”) services, ostensibly for hire to test one’s own systems, that can easily be used to attack unsuspecting targets.

Network-targeted denial-of-service

Known as a “bandwidth consumption attack,” the attacker attempts to use up all available network bandwidth (“flooding”) so that legitimate traffic can no longer pass to/from the targeted systems. Additionally, attackers may use “distributed reflection denial-of-service” (DRDoS) to trick other, unwitting systems into aiding the attack by flooding the target with network traffic.

In this attack, legitimate users and systems are denied the access they normally have to other systems on the attacked network. A variant of this attack, with similar results, involves altering (or bringing down) the network itself by targeting network infrastructure devices (e.g. switches, routers, wireless access points, etc.) so that they no longer allow network traffic to flow to/from the targeted systems as usual, leading to similar denial-of-service results without the need for flooding.

System-targeted denial-of-service

These attacks focus on undermining the usability of targeted systems. Resource depletion is a common attack vector, where limited system resources (e.g. memory, CPU, disk space) are intentionally “used up” by the attacker in order to cripple the target’s normal operations. For example, SYN flooding is a system-targeted attack which will use up all available incoming network connections on a target, preventing legitimate users and systems from making new network connections. Outcomes from a system-targeted attack can range from a minor disruption or slowdown to outright system crashes. While not common, a permanent denial-of-service (PDoS) attack can even damage a target to the point that it must be physically repaired or replaced.

Application-targeted denial-of-service

Targeting applications is a common vector for DoS attacks. Some of these attacks use the existing, usual behavior of the application to create a denial-of-service situation. Examples of this include locking out user accounts, or making requests that stress an integral component of the application (such as a central database) to the point where other users cannot access or use the application as intended or expected. Other application-targeted attacks rely on vulnerabilities in the application, such as triggering an error condition that causes the application to crash, or using an exploit that facilitates direct system access to bolster the DoS attack further.

How to prevent DoS attacks

The following suggestions may help reduce the attack surface of an organization and temper the potential havoc of a DoS attack:

Review application architecture and implementation: do not allow user operations to exhaust system resources, do not allow user operations to overuse application components, and be sure to seek out resources available on the internet that have best-practice suggestions.
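As an added example (not code from the original article), the snippet below contrasts a request handler that lets the caller decide how much work the server does with a hardened version that budgets each client and bounds the work per request. The handler, the `build_report` component, and the policy values (1000 items per request, 5 requests per 60-second window) are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Policy values: assumed for this example, not taken from the article.
MAX_ITEMS_PER_REQUEST = 1000   # upper bound on work one request may ask for
MAX_REQUESTS_PER_WINDOW = 5    # per-client request budget within one window
WINDOW_SECONDS = 60.0


def build_report(count):
    """Simulates an application component whose cost grows with a
    caller-supplied size (e.g. rows pulled from a central database)."""
    return [i * i for i in range(count)]


def handle_request_unbounded(client, count):
    """Vulnerable pattern: the caller chooses how much memory and CPU the
    server spends, so a single request with a huge count starves everyone else."""
    return 200, build_report(count)


class SlidingWindowLimiter:
    """Per-client request budget over a sliding time window."""

    def __init__(self, limit=MAX_REQUESTS_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # client -> timestamps of recent requests

    def allow(self, client, now):
        q = self.hits[client]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_request_hardened(client, count, limiter, now=None):
    """Hardened pattern: budget the client first, then bound the work.
    Returns (status, body): 429 = over the request budget, 400 = request too large."""
    now = time.monotonic() if now is None else now
    if not limiter.allow(client, now):
        return 429, None
    if not isinstance(count, int) or count < 0 or count > MAX_ITEMS_PER_REQUEST:
        return 400, None
    return 200, build_report(count)


if __name__ == "__main__":
    limiter = SlidingWindowLimiter()
    print(handle_request_hardened("client-a", 10, limiter)[0])       # 200
    print(handle_request_hardened("client-a", 10 ** 9, limiter)[0])  # 400, no allocation storm
```

The order of the checks matters: the rate limiter runs before any input validation so that even malformed or oversized requests count against a client's budget, and the size bound is enforced before the expensive component is touched.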

Monitor and alert:

  • Network traffic for alerting on unexpected increases in network traffic/load can raise awareness of network-targeted DoS attacks. Analysis of traffic origin and type can provide additional insight.
  • System health and responsiveness, with frequent health checks of each system and its responsiveness, to help identify system-targeted DoS attacks.
  • Application health and responsiveness, with frequent health checks of application components and their ability to perform their designed “task” within an expected timeframe. This helps catch application-targeted DoS attacks.

Many providers (both cloud and datacenter) already have monitoring solutions they can offer. Check with your provider and consider if their monitoring+alerting solutions may be a good fit for your needs.
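As an added example (not from the original article or any provider's monitoring product), the script below shows the kind of detection logic behind the "network traffic" bullet above: it buckets access-log lines by minute, alerts when a minute exceeds a multiple of a baseline request rate, and reports the heaviest source addresses so an analyst can see where the traffic originates. The log format, regex, baseline, multiplier, and the sample log lines are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common-log-style access lines; the pattern is an assumption for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "minute": ts.replace(second=0),
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


def bucket_by_minute(lines):
    """Group parsed records by the minute they arrived; unparseable lines are skipped."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            buckets[rec["minute"]].append(rec)
    return buckets


def detect_spikes(lines, baseline_rpm, factor=5, top_n=3):
    """Alert on any minute whose request count reaches factor x baseline_rpm.
    A real deployment would learn baseline_rpm from historical traffic; here
    it is supplied. Each alert lists the top source addresses for that minute."""
    alerts = []
    for minute, recs in sorted(bucket_by_minute(lines).items()):
        if len(recs) >= baseline_rpm * factor:
            sources = Counter(r["ip"] for r in recs)
            alerts.append({
                "minute": minute.isoformat(),
                "requests": len(recs),
                "top_sources": sources.most_common(top_n),
            })
    return alerts


def _line(ip, ts, path="/"):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: a quiet minute, then a minute dominated by one address.
SAMPLE_LOG = [
    _line("198.51.100.10", "10/Jan/2023:10:00:01 +0000"),
    _line("198.51.100.11", "10/Jan/2023:10:00:20 +0000", "/login"),
    _line("198.51.100.12", "10/Jan/2023:10:00:45 +0000"),
] + [
    _line("203.0.113.7", f"10/Jan/2023:10:01:{s:02d} +0000", "/search?q=x")
    for s in range(10)
] + [
    _line("198.51.100.13", "10/Jan/2023:10:01:30 +0000"),
    _line("198.51.100.14", "10/Jan/2023:10:01:50 +0000"),
]

if __name__ == "__main__":
    for alert in detect_spikes(SAMPLE_LOG, baseline_rpm=2):
        print(alert)
```

With a baseline of 2 requests per minute the first minute (3 requests) stays quiet, while the second minute (12 requests, 10 from one address) trips the alert. A single dominant source points toward a simple flood; an alert whose top sources are spread across many addresses is the signature of a distributed attack and calls for provider-level mitigation rather than blocking individual addresses.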

Have appropriate mitigation plans (and capabilities) in place: Different attack types require different capabilities and strategies to mitigate. Denial-of-service attacks are a large enough issue that many providers now offer mitigation mechanisms and strategies. Consider whether those offered by your provider may be a good fit for your needs.

Denial-of-service attacks remain a persistent threat, but their impact can be reduced through thoughtful review, planning, and monitoring.