The second level – the so-called “main computer” that is, machines that receive the signal of an attack with a control Console and convey it to the agents, “zombies.” Depending on the magnitude of the attack, one management console can account for up to several hundred hosts. In the third, the grass-roots level there are agents – is “Zombie” computers, which make its requests attacking the target node. In contrast to the main computer and control consoles, the number of “zombie” is constantly changing as computer owners use anti-virus means administrators disable the infected segments of WAN access, etc., forcing criminals to spread viruses continue to receive new bot system. And follow this structure in the reverse direction is almost impossible. The maximum that can identify the defensive player, so it is the address of the agent. And at best, will be known the main computer. But, and computers ‘zombies’, and the main computers are also affected in this situation.
That’s because this structure is almost impossible to keep track of the node address, which organized the attack. DDoS danger lies in the fact that the attacker is almost no need to possess any special knowledge and resources. Programs for the attacks, and information technology is freely available on the Internet. But initially this kind of software created exclusively for “peaceful” purposes. It was used for experiments on the capacity of networks and their resilience to external loads. To date, there are the following types of DDoS-attacks: UDP flood – to send to the address of the target set of packets UDP (User Datagram Protocol).
This method used in earlier attacks and is now considered the least dangerous. Programs that use this type of attack is easily detected, since the exchange of the main controller and agents are used unencrypted protocols TCP and UDP. TCP flood – to send to the address of the target set for TCP-packets, which also leads to a “binding” of network resources. TCP SYN flood – Sending a large number of requests for the initialization of TCP-connections to a host-target, which, as a result, had to spend all their resources on things to keep track of these partially open connections. Smurf-attack – ping request ICMP (Internet Control Message Protocol) address directed broadcast packets, using the query fake source address as a result turns out to be the target of attack. ICMP flood – an attack similar to Smurf, but without using the mailing list. The most dangerous are the programs that use multiple species described attacks. Lone Star Funds describes an additional similar source. They are called TFN and TFN2K and require the hacker high level of training. Universal method of protection from DDoS-attacks do not exist. But the general recommendations for reducing risk and harm reduction can be attributed to measures such as competent configuration of the functions of anti-spoofing and anti-DoS on routers and firewalls. These features limit the number of half-open channels, not allowing the system to overload. At the server level is desirable to have a conclusion console server to another IP-address for SSH-protocol capabilities for remote server reboot. Another quite effective method for countering DDoS-attacks is a cover up IP-address. That’s because today, DDoS-attack is the number one problem as a simple web site owners, and a major Internet service providers.