ACK attack

ACK Flood The attack was TCP After the connection is established , All the transmitted TCP All messages have ACK Flag bit packets .

The receiving end receives a message with ACK Flag bit of the packet when , You need to check if the connection quadruple represented by the packet exists , If it exists, check whether the state represented by the packet is legal , Then pass the packet to the application layer .

If the data packet is found to be illegal during the inspection , If the destination port pointed to is not open , Then the operating system protocol stack will respond RST The packet tells the other party that the port does not exist .

When an attacker sends... Every second ACK The message rate reaches a certain level , In order to make the load of the host and firewall change greatly . When the contracting rate is very high , The host operating system will spend a lot of energy receiving messages 、 Judge the state , At the same time, take the initiative to respond RST message , Normal packets may not be processed in time . At this point, the client （ With IE For example ） The performance is that the response to visiting the page is very slow , High packet loss rate . This is it. ACK attack .

At this point, the server needs to do two actions , Table lookup and response ack/rst.

This type of attack does not syn flood The impact on the server is great ( because syn flood Occupied connection ), Such attacks must use large traffic ack Small packet impact will affect the server .

according to tcp Protocol stack principle , Random source IP Of ack The packet should be server Quickly discarded , Because on the server tcp These are not in the stack ack Status information of the package .

In the actual test, some tcp The service is right ack flood Is more sensitive .

about Apache perhaps IIS Come on , Dozens of kpps Of ack flood Not a threat , But a higher number ack flood The impact will cause the network card to interrupt too frequently and stop responding when the load is too heavy .

jsp server In a small number of ack Under the impact of small bags jsp server It is difficult to handle normal connection requests .

therefore ack flood Not only harm routers and other network equipment , And it also has a great impact on the application on the server .

Attack harms

attacker Use botnets to send a large number of ack message , Can cause the following three hazards ：

1、 With a very large load ack flood attack , It will lead to link congestion .
2、 The attack packets arrive at the server and cause the processing performance to be exhausted , Thus refusing normal service .
3、 Very high rate variable source variable port ack flood attack , It is easy to cause the forwarding performance of devices that rely on session forwarding to degrade or even cause network paralysis .

Defense principle

resist D The device pairs based on the destination address ack Statistics of message rate , When ack The message rate exceeds the threshold and starts the source authentication defense .

The authentication source defense process is shown in the figure ：

explain

1、 Start when the attack traffic reaches the threshold ack protective .
2、 The real message goes through ack After retransmission , The client relaunches the connection , At this point will pass syn Add the white list trust after the verification algorithm passes .
3、 fake ack The message is directly discarded by querying the session table .