Application-layer DDoS attacks, and how they can be mitigated
DDoS (distributed denial of service) and DoS (denial of service) attacks can be broadly classified into three categories based on the layer of the OSI model they target: the network layer (Layer 3), the transport layer (Layer 4), and the application layer (Layer 7).
Layer 3 and Layer 4 attacks are usually less complex, although they can still be very challenging to mitigate. They flood the network and transport layers with traffic, exhausting the target's resources (link bandwidth, packet-processing capacity, connection-table state) and making it unavailable to legitimate users. Such attacks can be launched using techniques such as ICMP floods, TCP SYN floods, or UDP floods.
An ICMP flood, for example, is a Layer 3 attack in which a large volume of ICMP packets is sent at the target system, leaving it unresponsive. A TCP SYN flood, on the other hand, is a Layer 4 attack that exploits the way TCP connections are established.
In a SYN flood the attacker sends many SYN packets to the target system but never completes the three-way handshake with the final ACK. The target allocates state for every half-open connection, which eventually exhausts its resources and makes it unavailable to legitimate users. A UDP flood sends a large number of UDP packets to the target, consuming its resources and making it unresponsive.
Application-layer DDoS attacks
Application-layer attacks are more complex and harder to mitigate than Layer 3 and Layer 4 attacks. They target the application layer (Layer 7) of the target system and abuse weaknesses in the application itself: expensive endpoints, generous timeouts, small worker pools. Every request is a well-formed HTTP request that the server must parse, route and often process against a database, so a comparatively small volume of traffic can do more damage because it directly burdens the application and the infrastructure behind it. You cannot mitigate a Layer 7 DDoS attack with Layer 3 or Layer 4 tools such as a network firewall, which only sees valid TCP connections carrying valid HTTP.
HTTP floods and Slowloris attacks are Layer 7 denial-of-service attacks. DNS amplification, which is often listed alongside them, is a different case: it abuses open DNS resolvers to reflect large UDP responses at the victim, and is a volumetric Layer 3/4 attack on the victim's bandwidth rather than an attack on its application. Layer 7 attacks require more sophisticated defences such as application-layer firewalls (WAFs), intrusion prevention systems, and CDNs (content delivery networks) that absorb and filter traffic before it reaches the origin.
HTTP floods
HTTP flood attacks are carried out with GET or POST requests to overwhelm the target server. Floods using GET requests are usually simpler and cheaper for the attacker, since they only retrieve content from the server; they are most effective against dynamic pages that are expensive to render. POST floods typically submit larger bodies to endpoints that trigger back-end work (form handling, searches, database writes), so each request costs the server more than it costs the attacker.
One reason HTTP floods are hard to mitigate is that they are often launched from a large number of sources (botnets, open proxies, VPN exit nodes), which makes it difficult to identify and block all of the malicious traffic: no single source needs to exceed a per-IP threshold. Note that source-IP spoofing, common in Layer 3/4 floods, does not apply here. An HTTP request can only be delivered over a completed TCP handshake, so the source addresses are real; the attacker hides behind compromised hosts and proxies rather than behind forged packets, which is what makes tracing the true origin difficult.
Defending against HTTP floods can be complicated, and different variants call for different mitigation strategies. Common defences include rate limiting, blocklisting, and web application firewalls. These techniques can be resource-intensive and may not be sufficient against more sophisticated attacks, such as floods that mimic browser behaviour or rotate through many source addresses.
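The point about distributed sources is easy to see in an access log. The following Python script is an added example written for this article, not code from the original post: it parses constructed Combined Log Format lines, first counts requests per source IP, then groups them by a request fingerprint of method, path and User-Agent. The log lines, the addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the thresholds are all constructed for the demonstration.

```python
"""Added example (not from the original post): spotting a distributed HTTP
flood that stays under a per-IP threshold by grouping requests on a shared
fingerprint instead of on source address. The log lines are constructed in
Combined Log Format; addresses come from the documentation ranges."""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one Combined Log Format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def per_ip_offenders(records, threshold):
    """Classic per-IP view: sources with more than `threshold` requests."""
    counts = Counter(r["ip"] for r in records)
    return {ip for ip, n in counts.items() if n > threshold}


def fingerprint_offenders(records, threshold):
    """Group by (method, path, user agent) and return the groups whose total
    exceeds `threshold`, mapped to the set of source IPs behind each group."""
    totals = Counter()
    sources = defaultdict(set)
    for r in records:
        fp = (r["method"], r["path"], r["ua"])
        totals[fp] += 1
        sources[fp].add(r["ip"])
    return {fp: sources[fp] for fp, n in totals.items() if n > threshold}


def build_sample_log():
    """Constructed traffic for one minute: 20 bot sources at 3 requests each
    (under a per-IP limit of 5) hammering one search URL with a scripting
    client's User-Agent, plus a few ordinary browser requests."""
    ts = "10/Oct/2023:13:55:36 +0000"
    bot_ua = "python-requests/2.28.1"
    browser_ua = "Mozilla/5.0 (X11; Linux x86_64; rv:118.0) Gecko/20100101 Firefox/118.0"
    lines = []
    for i in range(1, 21):
        for _ in range(3):
            lines.append(f'203.0.113.{i} - - [{ts}] "GET /search?q=report HTTP/1.1" 200 5120 "-" "{bot_ua}"')
    for ip, path in [("198.51.100.7", "/"), ("198.51.100.7", "/about"), ("198.51.100.9", "/blog/1")]:
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 2048 "-" "{browser_ua}"')
    return lines


def analyse(lines, per_ip_threshold=5, fingerprint_threshold=30):
    """Run both views over raw log lines; unparseable lines are skipped."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    return {
        "parsed": len(records),
        "per_ip": per_ip_offenders(records, per_ip_threshold),
        "by_fingerprint": fingerprint_offenders(records, fingerprint_threshold),
    }


if __name__ == "__main__":
    result = analyse(build_sample_log())
    print("per-IP offenders:", result["per_ip"] or "none")
    for fp, ips in result["by_fingerprint"].items():
        print(f"fingerprint {fp}: {len(ips)} distinct sources")
```

With the constructed log, the per-IP view finds nothing because every bot stays at 3 requests, while the fingerprint view isolates one (method, path, User-Agent) group of 60 requests from 20 addresses. In production the fingerprint would also include the TLS client hello (JA3/JA4) and header ordering, and a match is a signal to rate-limit the whole group rather than an automatic block, since a shared User-Agent can also be a legitimate client library.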
Slowloris attacks
Slowloris targets the way web servers handle client connections rather than flooding them with traffic. The attack opens a large number of connections to the server and keeps each one open as long as possible by sending request data at a very slow rate. Because every held connection occupies a worker thread, process or connection slot, the attack can exhaust the server's connection pool while using almost no bandwidth, without triggering the rate-limiting and traffic-filtering mechanisms commonly used to detect and block volumetric DDoS attacks.
To carry out a Slowloris attack, attackers use scripts or tools that open HTTP connections to the server and deliberately drip-feed the request. Each request looks legitimate, but its header block is never completed: the client periodically sends another header line, just before the server's idle timeout would expire, so the connection stays open indefinitely. Over time the server accumulates many open connections waiting for more data from the client and stops responding to legitimate traffic.
Slowloris attacks can be hard to detect because of their stealthy design and their very low bandwidth. This makes them an effective tool for attackers who want to disable a server without triggering alerts or raising suspicion. To defend against Slowloris, web servers can implement several countermeasures: limiting the number of connections that can be established from a single IP address, and setting a timeout (and a minimum data rate) for requests whose headers have not completed. Some web application firewalls and DDoS mitigation services have built-in Slowloris protection, using algorithms that detect and block such traffic in real time. Note that a per-IP connection cap only helps against a single-source attack; a Slowloris spread across many sources needs the header timeout.
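To show why the per-IP connection cap and the header timeout work, and what each one does not cover, here is a small simulation added for this article, not code from the original post. It models a server with a fixed pool of 50 worker slots, a single-source Slowloris client that holds as many slots as it can and sends one header line per connection every 10 seconds, and a legitimate client that tries to connect once per step. No sockets are involved; the timeline, addresses and counts are constructed.

```python
"""Added example (not from the original post): a model of a threaded web
server under a single-source Slowloris, used to show what a per-IP
connection cap and a header-completion timeout each buy you.
All addresses, timings and counts are constructed for the demonstration."""
from dataclasses import dataclass


@dataclass
class Conn:
    ip: str
    opened_at: float


class ServerModel:
    """max_workers: connection slots; header_timeout: seconds allowed to finish
    the request headers (None = wait forever, the Slowloris-friendly setting);
    per_ip_limit: concurrent connections allowed per client IP (None = no cap)."""

    def __init__(self, max_workers, header_timeout=None, per_ip_limit=None):
        self.max_workers = max_workers
        self.header_timeout = header_timeout
        self.per_ip_limit = per_ip_limit
        self.conns = {}          # connection id -> Conn, all still awaiting headers
        self.timed_out = 0

    def _reap(self, now):
        """Drop connections whose headers are still incomplete after the timeout."""
        if self.header_timeout is None:
            return
        for cid, c in list(self.conns.items()):
            if now - c.opened_at >= self.header_timeout:
                del self.conns[cid]
                self.timed_out += 1

    def open(self, cid, ip, now):
        """Accept a new connection unless the per-IP cap or the pool is full."""
        self._reap(now)
        held_by_ip = sum(1 for c in self.conns.values() if c.ip == ip)
        if self.per_ip_limit is not None and held_by_ip >= self.per_ip_limit:
            return False
        if len(self.conns) >= self.max_workers:
            return False
        self.conns[cid] = Conn(ip, now)
        return True

    def send_header_line(self, cid, now):
        """One more partial header line: resets an idle timer on a real server
        but never completes the request, so the slot stays occupied."""
        self._reap(now)
        return cid in self.conns

    def finish_request(self, cid, now):
        """Headers complete, request served, slot released."""
        self._reap(now)
        return self.conns.pop(cid, None) is not None


def simulate(max_workers=50, header_timeout=None, per_ip_limit=None,
             attacker_ip="203.0.113.5", attacker_conns=50,
             legit_ip="198.51.100.7", steps=12, step_seconds=10.0):
    srv = ServerModel(max_workers, header_timeout, per_ip_limit)
    legit_served = legit_refused = 0
    # t=0: the attacker grabs as many slots as the server will give it
    for i in range(attacker_conns):
        srv.open(f"atk{i}", attacker_ip, 0.0)
    for step in range(1, steps + 1):
        t = step * step_seconds
        # a legitimate client arrives and, if admitted, completes at once
        if srv.open(f"user{step}", legit_ip, t):
            srv.finish_request(f"user{step}", t)
            legit_served += 1
        else:
            legit_refused += 1
        # the attacker re-opens whatever the server dropped, then dribbles one
        # header line per connection to keep each one looking alive
        for i in range(attacker_conns):
            cid = f"atk{i}"
            if cid not in srv.conns:
                srv.open(cid, attacker_ip, t)
            srv.send_header_line(cid, t)
    return {"legit_served": legit_served, "legit_refused": legit_refused,
            "timed_out": srv.timed_out}


if __name__ == "__main__":
    print("no defences:      ", simulate())
    print("per-IP cap of 10: ", simulate(per_ip_limit=10))
    print("20 s header limit:", simulate(header_timeout=20.0))
    print("both:             ", simulate(header_timeout=20.0, per_ip_limit=10))
```

With no defences the legitimate client is refused at every step. The per-IP cap alone lets every legitimate request through, because the attacker can hold only 10 of the 50 slots. The 20-second header timeout alone frees the whole pool every other step, so half of the legitimate requests succeed and the attacker is forced to reconnect 300 times in two minutes, a reconnection rate that a detection rule can key on. Combined, every legitimate request is served. A Slowloris spread over many source addresses defeats the per-IP cap, which is why the header timeout (Apache mod_reqtimeout, Nginx client_header_timeout, IIS headerWaitTimeout) is the essential control.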
Layer 7 DDoS mitigation
Rate limiting
Rate limiting sets a threshold on the number of requests that may be made from a specific IP address or user agent within a given period. The concept is similar to rate limiting at Layers 3 and 4, but it has to be implemented at Layer 7, where the limiter sees individual HTTP requests rather than packets or connections.
The purpose of rate limiting is to prevent an attacker from overloading the web application with a large number of requests and disrupting the server. It can be implemented at various points in the architecture: on the web server, the load balancer, or an application firewall. Implementations typically track the number of requests made by each IP address or user agent and block (or delay) further requests once a predefined threshold is reached. When the limiter sits behind a reverse proxy or CDN it must key on the real client address, for example from an X-Forwarded-For header that only the trusted proxy is allowed to set; otherwise every client appears to share the proxy's IP and one threshold applies to all of them.
A common approach in web applications is middleware or a plugin that tracks the number of requests made by each client and blocks further requests when the threshold is exceeded. Such plugins can be configured to apply different rate-limiting policies based on factors such as request type, user agent, or client IP address.
For example, a simple policy might limit requests from a single IP address to a maximum of 10 per minute. If a client exceeds this threshold, subsequent requests are blocked until the period expires.
Application-layer rate-limiting products are available for popular web servers and cloud services, including:
Apache
Apache can be extended with several third-party modules for rate limiting, such as mod_limitipconn, which limits the number of simultaneous connections from a given IP address, and mod_qos, which provides various quality-of-service controls including per-client request rate limits.
The ModSecurity web application firewall can also rate-limit, using its rules and persistent collections to count requests per client and block those that exceed a defined threshold. Another third-party module, mod_evasive, detects clients that request the same page (DOSPageCount within DOSPageInterval) or the site as a whole (DOSSiteCount within DOSSiteInterval) more often than configured, keyed on client IP and URI, and answers their further requests with 403 for a blocking period.
Nginx
Nginx provides the ngx_http_limit_req module, which limits the request rate per key; the key is usually the client IP address, but any variable such as a session cookie can be used. It implements a leaky bucket: requests above the configured rate are queued up to a burst size and either delayed to match the rate or, with nodelay, served immediately while the excess is still counted, and requests beyond the burst are rejected (503 by default). Nginx also provides the ngx_http_limit_conn module, which caps the number of concurrent connections per key; it is a plain counter of open connections, not a token or leaky bucket.
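The following Python class is an added example written for this article, not nginx code: it reproduces the leaky-bucket decision rule that the limit_req documentation describes, and is used here to show what the "10 requests per minute" policy from the rate-limiting section means under that algorithm, since nginx's rate=10r/m admits one request every 6 seconds rather than any 10 within a minute. The timestamps, the client key and the configurations are constructed for the demonstration.

```python
"""Added example (not nginx source): the leaky-bucket decision rule that
nginx's limit_req module documents, written out so the effect of rate,
burst and nodelay on a short burst of requests can be seen directly.
Timestamps, the client key and the configurations are constructed."""


class LeakyBucketLimiter:
    """rate: sustained requests per second (nginx 'rate=10r/m' is 10/60, i.e.
    one request every 6 s); burst: excess requests that may queue before
    rejection (nginx 'burst='); nodelay: forward queued requests at once
    instead of pacing them (nginx 'nodelay')."""

    def __init__(self, rate, burst=0, nodelay=False):
        self.rate = rate
        self.burst = burst
        self.nodelay = nodelay
        self._state = {}  # key -> (excess, time of last accepted request)

    def check(self, key, now):
        """Return (accepted, delay_seconds) for one request from `key` at `now`.
        delay is how long a paced request waits before being forwarded."""
        if key not in self._state:
            # a client seen for the first time starts with an empty bucket
            self._state[key] = (0.0, now)
            return True, 0.0
        excess, last = self._state[key]
        # the bucket leaks at `rate`; this request adds one unit; never below zero
        excess = max(0.0, excess - (now - last) * self.rate + 1.0)
        if excess > self.burst:
            # rejected: state is left untouched, as in nginx, so the bucket
            # keeps draining from the last accepted request
            return False, 0.0
        self._state[key] = (excess, now)
        return True, (0.0 if self.nodelay else excess / self.rate)


def replay(limiter, key, arrivals):
    """Feed arrival timestamps through the limiter; returns [(accepted, delay), ...]."""
    return [limiter.check(key, t) for t in arrivals]


def summarize(decisions):
    """(accepted, rejected) counts for a list of decisions."""
    accepted = sum(1 for ok, _ in decisions if ok)
    return accepted, len(decisions) - accepted


TEN_PER_MINUTE = 10 / 60                      # the article's "10 requests per minute"
BURST_OF_TEN = [i / 10 for i in range(10)]    # ten requests within the first second

if __name__ == "__main__":
    for cfg in ({}, {"burst": 9}, {"burst": 9, "nodelay": True}):
        lim = LeakyBucketLimiter(TEN_PER_MINUTE, **cfg)
        d = replay(lim, "203.0.113.7", BURST_OF_TEN)
        print(cfg or "strict", summarize(d), "longest delay %.1fs" % max(dl for _, dl in d))
```

With rate=10r/m and no burst, only the first of ten back-to-back requests is accepted and the next one is not admitted until 6 seconds have passed, which is fine for a script and very unfriendly to a browser fetching a page and its assets. burst=9 accepts all ten but paces them, the tenth waiting 53.1 seconds; burst=9 with nodelay forwards all ten immediately and then rejects further requests until the bucket has drained. The practical rule is to set burst to the size of a legitimate page load and use nodelay, so real users see no delay and a flood hits the 503 wall as soon as the burst is spent.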
IIS
Microsoft's Internet Information Services (IIS) includes the Dynamic IP Restrictions module, which denies requests from IP addresses that exceed a configurable number of concurrent requests, or a configurable number of requests within a time window, and logs the blocked addresses for monitoring. IIS also provides the Request Filtering module; it does not rate-limit, but it constrains what a request may look like (maximum URL and query-string length, maximum content length, allowed HTTP verbs, denied file extensions and URL segments), which rejects oversized or malformed requests before they reach the application.
AWS
Amazon Web Services (AWS) offers several services that can be used for rate limiting, including AWS WAF, whose rate-based rules block requests from a source IP that exceeds a configured threshold within a sliding time window.
AWS Shield provides DDoS protection: Shield Standard defends against common Layer 3/4 floods automatically, and Shield Advanced adds application-layer detection and response for protected resources, using AWS WAF for the Layer 7 rules. Elastic Load Balancing (the Application Load Balancer in particular) does not rate-limit on its own; it is the attachment point for an AWS WAF web ACL, which applies the rate-based rules to traffic passing through the load balancer.
Azure
Microsoft Azure offers several services that can be used for rate limiting, including Azure Application Gateway, whose web application firewall (WAF v2) supports custom rate-limit rules on incoming requests. Azure Front Door's WAF likewise offers rate-limit rules that block requests from clients exceeding a predefined threshold. Azure Firewall, by contrast, is a network-layer firewall and does not provide application-layer request rate limiting; it complements the WAF services rather than replacing them.
GCP
Google Cloud Platform (GCP) offers Cloud Armor, a web application firewall whose rate-limiting rules (throttle, and rate-based ban) block or throttle clients that exceed a defined threshold; it is attached to the external Application Load Balancer.
These application-layer rate-limiting products can effectively mitigate HTTP flood attacks by limiting the number of requests from rogue clients. It is important, however, that they are configured so as not to block legitimate traffic (shared NAT addresses and corporate proxies put many users behind one IP), and that they are used in conjunction with other security measures such as network firewalls and DDoS mitigation services to provide comprehensive protection against DDoS attacks.
Timeouts for incomplete requests
Below are application-layer Slowloris mitigations for the Apache, Nginx and IIS web servers, and the corresponding load-balancer and connection-timeout features of AWS, Azure and GCP:
Apache
In addition to the modules above, Apache provides mod_reqtimeout, a standard module that sets a time limit and a minimum data rate for receiving the request headers and body. Configured as, for example, RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500, the server gives the client 20 seconds to complete the headers, extends that allowance by 1 second for every 500 bytes received up to a maximum of 40 seconds, and closes the connection when the limit is exceeded. This defeats Slowloris, which relies on the server waiting indefinitely for the header block to finish.
Nginx
Besides ngx_http_limit_conn and ngx_http_limit_req, the Nginx core HTTP module provides client_header_timeout and client_body_timeout, which bound how long Nginx waits for the client to send the complete request header and for successive reads of the request body (60 seconds each by default); when the timeout expires the request is answered with 408 and the connection closed. These are the settings that matter for Slowloris. The upstream timeouts (proxy_connect_timeout, proxy_read_timeout, proxy_send_timeout) are a different control: they limit how long Nginx waits on the back-end server, so a slow application cannot tie up Nginx's own connections.
IIS
In addition to Dynamic IP Restrictions and Request Filtering, IIS relies on the kernel-mode driver HTTP.sys, which enforces connection timeouts before a request ever reaches a worker process. The relevant limits live in the webLimits section of applicationHost.config: connectionTimeout (idle time allowed on a connection, 2 minutes by default), headerWaitTimeout (time allowed to receive the complete request headers) and minBytesPerSecond (a connection transferring more slowly than this rate is closed, 240 bytes per second by default). When a client fails to complete its request within these limits, HTTP.sys closes the connection.
AWS
In addition to AWS WAF and AWS Shield, Elastic Load Balancing provides an idle connection timeout (60 seconds by default on the Application Load Balancer) that closes connections over which no data has been exchanged for that period. Because the load balancer terminates the client connection itself, a Slowloris connection is dropped at the edge and never occupies a worker in the back-end target's pool.
Azure
In addition to Azure Application Gateway and Azure Front Door, Azure Load Balancer has a configurable TCP idle timeout (4 minutes by default) that closes connections idle for that period. Being a Layer 4 service it cannot see whether request headers are complete, so the request-level timeouts belong to Application Gateway and to the web server behind it.
GCP
Google Cloud Platform (GCP) provides connection timeout options on Cloud Load Balancing, including a configurable backend service timeout (30 seconds by default for the HTTP(S) load balancers) after which a request that has not completed is terminated, so slow or stalled requests are cut off before they exhaust the back end.
Conclusion
In conclusion, DDoS and DoS attacks can be classified by the OSI layer they target: the network layer (Layer 3), the transport layer (Layer 4), and the application layer (Layer 7).
While Layer 3 and Layer 4 attacks flood the network and transport layers with traffic, Layer 7 attacks are more complex and abuse the applications themselves. HTTP floods and Slowloris are examples of Layer 7 denial-of-service attacks. Countermeasures include rate limiting, blocklisting, request timeouts, and web application firewalls.
Additionally, attackers adapt their techniques and tailor their attacks to evade detection and bypass security measures. It is therefore important that organisations implement a comprehensive, multi-layered defence strategy with monitoring, detection, and response capabilities that can identify and contain attacks quickly, in real time. This may include the use of machine learning and behavioural analysis to detect and block malicious traffic patterns.
Post disclaimer
The views, information, or opinions expressed are solely those of the author and do not necessarily represent his employer or the organisations he is affiliated with.
The information contained in this post is for general information purposes only. It is provided by Farhad Mofidi and, while he strives to keep the information up to date and accurate, he makes no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability of the website, or of any information, products or related graphics contained in any post, for any purpose.
Also, AI may be used as a tool to suggest and improve some content or sentences. The ideas, thoughts, opinions, and the final product are original and human-made by the author.