
DDoS Network Attack Simulation

1. Experiment

1.1 Knowledge points

This experiment mainly uses 2 Alibaba Cloud ECS servers to simulate the server side suffering from a DDoS network attack. In the experiment, the attacker uses DoS software to simulate a hacker’s attack requests, while the packet capture tool Wireshark is deployed on the server side to capture the requests.

This lab only demonstrates a DDoS attack; it does not involve the Anti-DDoS product itself. Please note this in advance.

1.2 Experiment process

  • Use Wireshark to monitor data packets
  • Use DoS software to send data packets

1.3 Cloud resources required

  • ECS

1.4 Prerequisites

  • Understand ECS and SLB concepts

2. Start the experiment environment

Click Start Lab in the upper right corner of the page to start the experiment.

image desc

After the experiment environment is successfully started, the system has deployed resources required by this experiment in the background, including the ECS instance, RDS instance, Server Load Balancer instance, and OSS bucket. An account consisting of the username and password for logging on to the Web console of Alibaba Cloud is also provided.

image desc

After the experiment environment is started and related resources are properly deployed, the experiment starts a countdown. You have two hours to perform experimental operations. After the countdown ends, the experiment stops, and related resources are released. During the experiment, pay attention to the remaining time and arrange your time wisely. Next, use the username and password provided by the system to log on to the Web console of Alibaba Cloud and view related resources:


Go to the logon page of Alibaba Cloud console.

image desc

Fill in the sub-user account and click Next.

image desc

Fill in the sub-user password and click Log on.

image desc

After you successfully log on to the console, the following page is displayed.

image desc

3. DDoS attack principles

DDoS is short for Distributed Denial of Service.

To understand the basic principles of this network attack, it is necessary to start from the establishment of a TCP connection.

Step 1, the requesting side (client) sends a TCP message containing the SYN (synchronize) flag, and the message indicates the port used by the client and the initial sequence number of the TCP connection.

Step 2, after receiving the SYN message from the client, the server returns a “SYN + ACK (acknowledgment)” message indicating that the client’s request has been accepted, with the TCP sequence number incremented by one.

Step 3, the client returns an ACK message to the server. Again the TCP sequence number is incremented by one, and the TCP connection is established.

The problem lies in the third step of the TCP handshake. If a client crashes or goes offline after sending a SYN message to the server, the server sends the “SYN + ACK” response to the client, but the client cannot return the final ACK (the third step of the handshake fails). In this case the server generally retries (sends “SYN + ACK” to the client again) and eventually drops the incomplete connection after a period of time, the duration of which is called the SYN Timeout. If a malicious attacker repeatedly simulates this situation, the server consumes significant CPU time and memory to maintain a very large list of half-open connections. As a result the server lacks the resources to process normal users’ requests, and those clients may conclude that the server is unresponsive.
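To make the half-open-connection mechanism above concrete, the following Python script is an added example (not part of the original lab) that replays a constructed packet log as the server would see it, keeps the half-open table the text describes, expires entries after an assumed SYN Timeout of 30 seconds, and reports which sources leave handshakes unfinished. All IP addresses, ports and timings are constructed.

```python
from collections import defaultdict

SYN_TIMEOUT = 30.0  # assumed: seconds the server keeps a half-open entry before dropping it

# Constructed packet log, as a capture filtered on traffic to the server might
# look: (time_in_seconds, source_ip, source_port, tcp_flag).
PACKETS = [
    (0.0, "10.0.0.5", 40001, "SYN"),
    (0.1, "10.0.0.5", 40001, "ACK"),       # honest client finishes the third step
    *[(1.0 + i * 0.01, "10.0.0.7", 50000 + i, "SYN") for i in range(200)],  # never ACKs
    (2.0, "10.0.0.6", 40002, "SYN"),
    (2.2, "10.0.0.6", 40002, "ACK"),
    (40.0, "10.0.0.8", 40003, "SYN"),      # still pending when the capture ends
]

def track_half_open(packets, timeout=SYN_TIMEOUT):
    """Replay packets as the server sees them.

    Returns (peak number of half-open connections, dict of source -> number of
    handshakes that never completed)."""
    pending = {}                    # (src, sport) -> time the SYN arrived
    unfinished = defaultdict(int)
    peak = 0
    for t, src, sport, flag in sorted(packets):
        # Drop entries whose SYN Timeout has expired; the client never answered.
        for key, t0 in list(pending.items()):
            if t - t0 >= timeout:
                unfinished[key[0]] += 1
                del pending[key]
        key = (src, sport)
        if flag == "SYN":
            pending[key] = t        # server has sent SYN+ACK and now waits
        elif flag == "ACK" and key in pending:
            del pending[key]        # third step done: connection established
        peak = max(peak, len(pending))
    for src, _ in pending:          # still waiting when the capture ended
        unfinished[src] += 1
    return peak, dict(unfinished)

def suspicious_sources(packets, threshold=50):
    """Sources with at least `threshold` unfinished handshakes: a SYN flood indicator."""
    _, unfinished = track_half_open(packets)
    return sorted(src for src, n in unfinished.items() if n >= threshold)

if __name__ == "__main__":
    peak, unfinished = track_half_open(PACKETS)
    print(f"peak half-open connections: {peak}")
    print(f"unfinished handshakes per source: {unfinished}")
    print(f"suspicious sources: {suspicious_sources(PACKETS)}")
```

The two honest clients never appear in the unfinished count, while the source that sends 200 SYNs without a final ACK holds 200 half-open entries until the timeout, which is the resource drain the text describes.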

4. Use Wireshark to monitor data packets

Select Elastic Compute Service.

image desc

Referring to the figure below, it can be seen that two ECS instances have been created automatically.

image desc

Both ECS instances are using Windows, but different versions. One is version 2008 and the other is version 2012. In order to facilitate the subsequent experiment, change the name of the version 2008 ECS instance to “attack-ecs” as shown in the following figure.

image desc

Then change the name of the version 2012 ECS instance to “server-ecs”.

image desc

Select the instance “server-ecs”, and click Connect.

image desc

The first time you log on, a remote connection password is displayed. Ignore it and click Close.

image desc

Then a dialog box asking for the VNC password appears. Click Cancel.

image desc

Click Modify VNC Password in the top right corner.

image desc

Reset the password to “123456” as shown below, and click OK.

image desc

Click Connect VNC as follows.

image desc

Enter your password, and click OK.

image desc

The screen is in Sleep status upon first logon. Send the command request as shown below.

image desc

Enter the administrator account and password.

Account name: Administrator

Password: nkYHG890..

image desc

After successful remote connection, you can see the Wireshark software on the desktop. It is a common network capture tool.

image desc

Double-click the icon to open the Wireshark client.

image desc

Enter the capture filter shown below into the filter box. Note: replace YOUR-ATTACK-ECS-PRIVATE-IP with the private IP address of your own attack-ecs instance.

The following figure shows how to obtain YOUR-ATTACK-ECS-PRIVATE-IP.

image desc

ip src YOUR-ATTACK-ECS-PRIVATE-IP

image desc

After entering the filter, click the small icon in the upper left corner of the image above to start capturing packets.

When the red icon is lit, capturing has started.

image desc

5. Use DoS software to send data packets

Then go back to the ECS console, select the instance attack-ecs, and click Connect.

image desc

The logon process is the same as for server-ecs. Likewise, reset the logon password to “123456” and log on.

After successful logon, as shown below, you can see the DoS software on the desktop.

image desc

Double-click the icon; the client opens as follows. Because of the screen resolution, the right part of the client window is not shown, which does not affect the experiment.

image desc

Use the settings shown in the following screenshot. The IP address is the private IP address of server-ecs.

image desc

image desc

Once set, click the button indicated by the arrow in the image above to send the request.

Go back to the server-ecs remote connection page. The remote connection may have been disconnected in the meantime; if so, enter the remote password again to log on.

image desc

After successful logon, you can see that Wireshark has captured the sent request packet.

image desc

Take a screenshot of the result above while doing the experiment and send it to the teacher to indicate that the experiment has been completed.

Reminder:
Before you leave this lab, remember to log out of your Alibaba Cloud RAM account before you click the ‘stop’ button of the lab. Otherwise you will encounter issues when opening a new lab session in the same browser:

image desc

6. Experiment summary

As the experiment shows, a DDoS attack generates a large number of packets, which may cause the application or server to crash. You may also notice that these attack packets are generated by a tool and share several similar characteristics. In practice, servers can be protected effectively based on these characteristics.