servicepipe — knowledge base

Terms used on the site

IP TRANSIT

IP transit is the transfer of data between two points of connection of a customer to an IP backbone network, supporting the customer's chosen class of service. In simpler terms, IP transit is “wholesale traffic”, and it is interesting, first of all, to telecom operators.

GRE ТУННЕЛЬ

GRE (Generic Routing Encapsulation) is a network packet tunneling protocol developed by Cisco Systems. Its main purpose is to encapsulate network layer packets of the OSI network model into IP packets. The protocol number in IP is 47. Tunneling implies three protocols: passenger - encapsulated protocol (IP, CLNP, IPX, AppleTalk, DECnet Phase IV, XNS, VINES and Apollo) encapsulation protocol (GRE) transport protocol (UDP)

SYN FLOODS

SYN flood is one of the types of network denial-of-service attacks, which consists in sending a large number of SYN requests (TCP connection requests) in a fairly short time (RFC 4987). According to the TCP "three-time handshake" process, the client sends a package with the SYN (synchronize) flag set. In response, the server MUST respond with a SYN + ACK (acknowledges) flag combination.

After that, the client must respond with a packet with the ACK flag, after which the connection is considered established. The principle of the attack is that the attacker, by sending SYN requests, overflows the server (attack target) the connection queue. At the same time, it ignores the SYN + ACK packets of the target, not sending response packets, or forges the packet header in such a way that the response SYN + ACK is sent to a non-existent address. The so-called half-open connections appear in the connection queue, waiting for confirmation from the client. After a certain timeout, these connections are dropped.

The attacker's task is to keep the queue full in such a way as to prevent new connections. Because of this, non-malicious clients are unable to establish communications or have significant delays in establishing communications. The attack is based on the operating system resource limitation vulnerability for half-open connections, described in 1996 by the CERT group, according to which the queue for such connections was very short. (for example, Solaris allowed no more than eight connections), and the connection timeout was long enough (according to RFC 1122 - 3 minutes).

DNS QUERY FLOODS

A type of UDP flood aimed at a DNS service. During the DNS Flood process, a huge number of DNS requests from a wide range of IP addresses are sent to the attacked DNS server. The victim server is unable to determine which of the packets came from a real client and which did not, and responds to all requests. Thus, DNS Flood takes up all the network resources and bandwidth of the DNS server, causing it to fail. DNS Flood is a very sophisticated type of DDoS attack: the contents of the packets are organized exactly like in real DNS requests. Such an attack cannot be traced through deep analysis: every request will appear legitimate. With a large range of attacking IP addresses, a fraudster can easily bypass most traffic anomaly detection algorithms.

UDP FLOODS

The attacker sends a large number of UDP packets to the victim to different ports on the host system. The victim's system tries unsuccessfully to check the applications listening on the port and eventually sends an ICMP Destination Unreachable packet. Since the attacker transmits numerous UDP packets, the web service becomes unavailable to real clients.

SSL FLOODS

Forged SSL requests: checking SSL encrypted packets is very resource-intensive, attackers use SSL for HTTP attacks on the victim's server.

SSL RENEGOTIATION

The SSL / TLS renegotiation allows parties to stop communication in order to re-initiate it for security. There are some cases in which renegotiation must be initiated by the server, but there is no known need to allow the client to initiate renegotiation. In addition, it can make it easier to organize a DDoS attack on your servers.

ICMP/PING FLOODS

Ping-flood (from the English ping-flood, literally: flood requests) - a type of attack on network equipment, aiming at denial of service. A key feature (compared to other types of flood attacks) is the ability to carry out an attack with “household tools” (programs and utilities included in home / office versions of operating systems).

ICMP FRAGMENTATION ATTACKS

A variation of ICMP Flood. The attacker sends a stream of fragmented ICMP packets of the maximum size to the victim server. As a result, in addition to the occupation of the band by "garbage" traffic, there is a danger of exhaustion of the server's computing resources during the accumulation and processing of fake fragments. Recommended control methods are the same as for regular ICMP Flood.

TEARDROP TCP FRAGMENTATION ATTACKS

This type of attack has a lot in common with fragmented packet attacks. Fragmented packets are sent to the victim server, which it cannot parse due to a vulnerability in TCP / IP. Packages overlap each other, overloading the victim server. One of the fields in the IP header "Fragment offset" indicates the starting position or offset of the data in the fragmented packet relative to the real packet. If the sum of the offsets and the size of one fragmented packet differs from the next fragmented packet, the packets are superimposed. When this happens, the server is unable to parse the incoming packets and crashes. These actions place the server in a denial-of-service state. Most of the time this happens on legacy operating systems such as Windows 3.1x, Windows NT, Windows 95 and Linux with a kernel version below 2.1.63.

SIP ТРАФИК

Session Initiation Protocol (SIP) is a data transfer protocol that describes a method for establishing and terminating a user's Internet session, including the exchange of multimedia content (IP telephony, video and audio conferences, instant messages, online games) The protocol describes how a client application (for example, a softphone) can request the start of a connection from another, possibly physically remote client, located on the same network, using its unique name.

The protocol defines a way of negotiating between clients about the opening of exchange channels based on other protocols that can be used to directly transfer information (for example, RTP). It is allowed to add or remove such channels during an established session, as well as connect and disconnect additional clients (that is, more than two parties can participate in the exchange - conference calls). The protocol also determines the order in which the session ends.

UDP ТРАФИК

UDP (User Datagram Protocol) is one of the key elements of the set of network protocols for the Internet. With UDP, computer applications can send messages (in this case, called datagrams) to other hosts over an IP network without the need for prior communication to establish special transmission channels or data paths. The protocol was developed by David P. Read in 1980 and formally defined in RFC 768. The UDP uses a simple transmission model, without implicit handshakes, to ensure data reliability, ordering, or integrity. Thus, UDP provides an unreliable service, and datagrams may arrive out of order, duplicate, or disappear altogether without a trace. UDP implies that error checking and fixing is either unnecessary or must be performed in the application. Time-sensitive applications often use UDP because dropping packets is preferable to waiting for delayed packets, which may not be possible in real-time systems. If it needs to fix errors at the network layer of the interface, the application can use TCP or SCTP designed for this purpose.

The nature of UDP as a stateless protocol is also useful for servers responding to small requests from a large number of clients, such as DNS and streaming media applications such as IPTV. Voice over IP, IP tunneling protocols and many online games.

TCP ТРАФИК

Transmission Control Protocol (TCP) is one of the main data transmission protocols of the Internet, designed to control data transmission. In the TCP / IP protocol stack, it performs the functions of the transport layer of the OSI model. The TCP mechanism provides a data stream with a pre-connection, performs re- request data in case of data loss and eliminates duplication when two copies of the same packet are received, thereby guaranteeing, unlike UDP, the integrity of the transmitted data and notifying the sender of the transfer results. TCP implementations are usually built into the operating system kernels. There are user-space implementations of TCP. When there is computer-to-computer transmission over the Internet, TCP runs at the top level between two end systems, such as a browser and a web server. TCP reliably transfers a stream of bytes from one process to another. TCP implements flow control, congestion control, handshake, reliable transmission.

SMURF ATTACKS

Smurf attacks are somewhat similar to ping floods in that they are both performed by sending multiple ICMP echo request packets. However, unlike a normal ping stream, Smurf is a boosted vector attack whose destructive potential is amplified by the use of In a typical attack scenario, host A sends an ICMP echo request (ping) to host B, causing an automatic response. The time it takes to receive a response is used as a measure of the virtual distance between two nodes. In an IP broadcast network, a ping request is sent to each node, requesting a response from each of the recipients. Attackers use this feature to amplify attack traffic.

WAF

A web application firewall (WAF) is a collection of monitors and filters designed to detect and block network attacks on a web application. WAFs refer to the application layer of the OSI model. A web application can be protected by the developers of the application itself without using WAF. This requires additional development costs. For example, the content of the information security department. WAF has incorporated the ability to protect against all known information attacks, which allows it to delegate the protection function. This allows developers to focus on implementing the business logic of the application without worrying about security.

LOW-AND-SLOW ATTACKS

Low-volume slow DDoS attacks.

HTTP FLOODS

HTTP GETHTTP (S) GET request is a method that requests information from the server. This request can ask the server to send a file, image, page or script to display in the browser. HTTP (S) GET flood - an application layer DDoS attack method (7) of the OSI model, in which the attacker sends a powerful stream of requests to the server in order to overflow its resources. As a result, the server cannot respond not only to hacker requests, but also to requests from real clients. An HTTP POSTHTTP (S) POST request is a method in which data is placed in the body of a request for further processing on the server. The HTTP POST request encodes the submitted information and places it on the form, and then submits this content to the server. This method is used when it is necessary to transfer large amounts of information or files. HTTP (S) POST flood is a type of DDoS attack in which the number of POST requests overwhelms the server so that the server is unable to respond to all requests. This can lead to an extremely high use of system resources, and, as a result, to an emergency stop of the server. Each of the above HTTP requests can be transmitted over the secure HTTPS protocol. In this case, all data sent between the client (the attacker) and the server is encrypted. It turns out that "security" here plays into the hands of cybercriminals: in order to identify a malicious request, the server must first decrypt it. Those. the entire stream of requests has to be decrypted, of which a lot is received during a DDoS attack. This puts additional load on the victim server.

WORDPRESS XMLRPC FLOODS

DDoS attack through the interface for remote platform control via Post requests using the XML-RPC protocol, which is enabled by default and is used to publish materials on a WP site when it is impossible to enter the admin panel.

ARBOR PEAKFLOW

Arbor Peakflow. A solution designed for telecom operators and deployed by more than 70% of the world's leading operators, it ensures the integrity and availability of data transmission networks and protects them from the most dangerous modern threats - distributed denial of service attacks.

МОДЕЛЬ OSI

The Open Systems Interconnection (OSI) model is the skeleton, foundation, and base of all networked entities. The model defines network protocols by distributing them into 7 logical layers. It is important to note that in any process, network transmission control moves from layer to layer, sequentially connecting protocols at each of the layers.

FLOWSPEC

One of the most common types of prefirewall filters is BGP Flowspec, which is widely used both within the same domain and at the inter-domain level, and allows using BGP protocol signaling (AFI flow) to transmit the described rules to remote nodes in the network, where they are executed by the Firewall ... More detailed in RFC5575, with additions to RFC7674, and an accompanying number of documents with Internet-Draft status.

Is your business under attack?

Fill out the form, we will restore the availability of your web resources within 15 minutes

Enable protection

Thinking about cyber defense, but it seems that nothing threatens you?

Get a free expert consultation or download a detailed presentation of our solutions for free

Download presentation
Get a free consultation