DDoS Network Attack Simulation
1. Experiment
1.1 Knowledge points
This experiment uses two Alibaba Cloud ECS servers to simulate a server under a DDoS network attack. The attacker uses DoS software to simulate a hacker's attack requests, while the packet capture tool Wireshark is deployed on the server side to capture those requests.
This lab only demonstrates a DDoS attack; it does not involve the Anti-DDoS product itself. Please note this in advance.
1.2 Experiment process
- Use Wireshark to monitor data packets
- Use DoS software to send data packets
1.3 Cloud resources required
1.4 Prerequisites
- Understand ECS and SLB concepts
2. Start the experiment environment
Click Start Lab in the upper right corner of the page to start the experiment.
After the experiment environment is successfully started, the system has deployed resources required by this experiment in the background, including the ECS instance, RDS instance, Server Load Balancer instance, and OSS bucket. An account consisting of the username and password for logging on to the Web console of Alibaba Cloud is also provided.
![image desc](https://labex.io/upload/D/V/E/lDoB6W2UJegC.png)
After the experiment environment is started and related resources are properly deployed, the experiment starts a countdown. You have two hours to perform experimental operations. After the countdown ends, the experiment stops, and related resources are released. During the experiment, pay attention to the remaining time and arrange your time wisely. Next, use the username and password provided by the system to log on to the Web console of Alibaba Cloud and view related resources:
![openCole](https://labex.io/upload/H/U/J/4cqqVcc2DZXh.png)
Go to the logon page of Alibaba Cloud console.
![image desc](https://labex.io/upload/W/W/D/r1FGF1dU4Hmp.png)
Fill in the sub-user account and click Next.
![image desc](https://labex.io/upload/U/H/M/FWna8Tewo7ua.png)
Fill in the sub-user password and click Log on.
![image desc](https://labex.io/upload/N/J/J/CZpKoFKJnCQL.png)
After you successfully log on to the console, the following page is displayed.
![image desc](https://labex.io/upload/Y/K/F/e4vf4XHIHn8n.jpg)
3. DDoS attack principles
DDoS is short for Distributed Denial of Service.
To understand the basic principles of this network attack, it is necessary to start from the establishment of a TCP connection.
Step 1: the requesting side (client) sends a TCP segment with the SYN (synchronize) flag set. The segment carries the port used by the client and the initial sequence number of the TCP connection.
Step 2: after receiving the client's SYN, the server returns a "SYN + ACK (acknowledgment)" segment indicating that the client's request has been accepted, with the TCP sequence number incremented by one.
Step 3: the client returns an ACK segment to the server. Again the TCP sequence number increments by one, and the TCP connection is established.
The problem lies in the third step of the handshake. If a client crashes or disconnects after sending its SYN, the server sends the "SYN + ACK" response, but the client never returns the final ACK (the third handshake fails). In this case the server generally retries (retransmits "SYN + ACK" to the client) and eventually drops the incomplete connection after a period of time known as the SYN Timeout. If a malicious attacker repeatedly simulates this situation, the server consumes significant CPU time and memory to maintain a very large partial-connection (half-open) list. The server then lacks the resources to process normal users' requests, and those clients see it as unresponsive.
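As an added example (not part of the lab material), the following Python models the server-side partial-connection list described above over a few constructed packet records: a lone SYN opens a half-open entry, the client's final ACK frees it, and entries older than SYN Timeout are dropped. Sources holding many half-open entries are flagged. The timeout and threshold values are assumed.

```python
from collections import defaultdict

SYN_TIMEOUT = 30.0        # seconds a half-open entry is kept (assumed value)
HALF_OPEN_THRESHOLD = 5   # half-open entries per source that raise an alert (assumed)

def handshake_state(packets, now):
    """Return {client_ip: half-open connections} still pending at time `now`.

    A lone SYN opens a partial-connection entry, the client's final ACK clears
    it, and an entry older than SYN_TIMEOUT is treated as dropped by the server.
    """
    pending = {}  # (client_ip, client_port, server_ip, server_port) -> SYN timestamp
    for p in sorted(packets, key=lambda p: p["ts"]):
        if p["ts"] > now:
            break  # snapshot: packets after `now` have not arrived yet
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == {"SYN"}:
            pending[key] = p["ts"]   # step 1: server allocates a half-open entry
        elif p["flags"] == {"ACK"}:
            pending.pop(key, None)   # step 3: handshake completes, entry freed
        # the server's SYN+ACK (step 2) does not change the table
    counts = defaultdict(int)
    for (client, _, _, _), ts in pending.items():
        if now - ts < SYN_TIMEOUT:   # not yet expired by SYN Timeout
            counts[client] += 1
    return dict(counts)

def suspicious_sources(packets, now):
    """Client IPs holding at least HALF_OPEN_THRESHOLD half-open connections."""
    state = handshake_state(packets, now)
    return sorted(ip for ip, n in state.items() if n >= HALF_OPEN_THRESHOLD)

def _pkt(ts, src, sport, dst, dport, *flags):
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": set(flags)}

# Constructed sample (not a real capture): 10.0.0.5 completes a normal handshake
# with server 10.0.0.1; 10.0.0.9 sends six SYNs and never answers the SYN+ACKs.
SAMPLE = [
    _pkt(0.0, "10.0.0.5", 40000, "10.0.0.1", 80, "SYN"),
    _pkt(0.1, "10.0.0.1", 80, "10.0.0.5", 40000, "SYN", "ACK"),
    _pkt(0.2, "10.0.0.5", 40000, "10.0.0.1", 80, "ACK"),
]
for i in range(6):
    SAMPLE.append(_pkt(1.0 + i, "10.0.0.9", 50000 + i, "10.0.0.1", 80, "SYN"))
    SAMPLE.append(_pkt(1.1 + i, "10.0.0.1", 80, "10.0.0.9", 50000 + i, "SYN", "ACK"))

if __name__ == "__main__":
    print(handshake_state(SAMPLE, now=10.0))    # {'10.0.0.9': 6}
    print(suspicious_sources(SAMPLE, now=10.0))  # ['10.0.0.9']
```

The same logic applied to a real capture would read the TCP flags from each packet instead of the constructed records.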
4. Use Wireshark to monitor data packets
Select Elastic Compute Service.
![image desc](https://labex.io/upload/Q/C/E/vWl7sSgr7lBx.jpg)
Referring to the figure below, it can be seen that two ECS instances have been created automatically.
![image desc](https://labex.io/upload/A/B/O/LJDP5b2Oe3Us.jpg)
Both ECS instances run Windows, but different versions: one is Windows 2008 and the other is Windows 2012. To make the rest of the experiment easier to follow, rename the Windows 2008 ECS instance to "attack-ecs" as shown in the following figure.
![image desc](https://labex.io/upload/V/A/Q/Bpeg3L3BfNQN.jpg)
Then change the name of the version 2012 ECS instance to “server-ecs”.
![image desc](https://labex.io/upload/U/N/I/3EdNjNvkADiv.jpg)
Select the instance “server-ecs”, and click Connect.
![image desc](https://labex.io/upload/Q/F/N/KIQ5vFuM3Wtx.jpg)
The first time you connect, a remote connection password is displayed. Ignore it and click Close.
![image desc](https://labex.io/upload/K/A/E/aeMj7XoHGJAo.png)
Then a dialog box asking for the VNC password appears. Click Cancel.
![image desc](https://labex.io/upload/C/X/Y/q0Jv9312NbvL.png)
Click Modify VNC Password in the top right corner.
![image desc](https://labex.io/upload/M/C/W/XfUJ3qdIWyhk.png)
Reset the password to “123456” as shown below, and click OK.
![image desc](https://labex.io/upload/V/C/G/UzcJFQiY1Ivj.png)
Click Connect VNC as follows.
![image desc](https://labex.io/upload/A/L/K/ktRE4uh0UBpz.png)
Enter your password, and click OK.
![image desc](https://labex.io/upload/U/D/O/0SxYiX3Sk6j8.png)
On first logon the instance is in the Sleep status. Send the remote command as shown below.
![image desc](https://labex.io/upload/X/M/D/spIN0UNXBZe4.png)
Enter the administrator account and password:
- Account name: Administrator
- Password: nkYHG890..
![image desc](https://labex.io/upload/S/U/T/50LCwLzFqWp0.png)
After successful remote connection, you can see the Wireshark software on the desktop. It is a common network capture tool.
![image desc](https://labex.io/upload/D/A/T/NMdrLcEVqeFV.png)
Double-click the icon to open the Wireshark client.
![image desc](https://labex.io/upload/G/M/P/Ldfr9t9w5Pt2.png)
Enter the capture filter shown below into the filter box. Note: replace YOUR-ATTACK-ECS-PRIVATE-IP with the private IP address of your own attack-ecs instance.
How to obtain YOUR-ATTACK-ECS-PRIVATE-IP:
![image desc](https://labex.io/upload/D/X/O/xLEfKQpc1vrO.jpg)
```
ip src YOUR-ATTACK-ECS-PRIVATE-IP
```
![image desc](https://labex.io/upload/I/U/I/8n7kk46fS1mJ.png)
After entering the filter, click the small icon in the upper left corner of the image above to start capturing on the network interface.
When the red icon lights up, capturing has started.
![image desc](https://labex.io/upload/G/P/B/5yNqMQcnX64H.png)
5. Use DoS software to send data packets
Then go back to the ECS console, select the instance attack-ecs, and click Connect.
![image desc](https://labex.io/upload/I/M/Q/ro8gKBmftsAi.jpg)
The logon process is the same as for server-ecs. Similarly, reset the logon password to "123456" and log on.
After successful logon, as shown below, you can see the DoS software on the desktop.
![image desc](https://labex.io/upload/V/O/O/r3w0Y5tbMCg6.png)
Double-click the icon and the client opens as follows. Because of the screen resolution, the right part of the client window is not shown; this does not affect the experiment.
![image desc](https://labex.io/upload/L/A/M/KpwzySKOVBJh.png)
Use the settings shown in the following screenshot. The IP address is the private IP address of server-ecs.
![image desc](https://labex.io/upload/B/M/U/zyGwvrhHYbDX.jpg)
![image desc](https://labex.io/upload/N/F/W/0zeq3RBuYvlW.png)
Once set, click the button indicated by the arrow in the image above to send the request.
Go back to the server-ecs remote connection page. The remote connection may have been disconnected in the meantime; if so, enter the remote password again to log on.
![image desc](https://labex.io/upload/G/T/E/H6Rx4Nbqqaoy.png)
After successful logon, you can see that Wireshark has captured the sent request packet.
![image desc](https://labex.io/upload/F/S/C/4F7YZUlpjiFQ.png)
<font color='red'>While doing the experiment, take a screenshot of the result shown above and send it to the teacher to indicate that the experiment has been completed.</font>
Reminder:
Before you leave this lab, remember to log out of your Alibaba RAM account before you click the "stop" button of your lab. Otherwise you will run into problems when opening a new lab session in the same browser:
![image desc](https://labex.io/upload/L/O/A/wNqHv3R4rO6f.png)
![image desc](https://labex.io/upload/G/Q/S/nohwU5ZhENyN.png)
6. Experiment summary
As the experiment shows, a DDoS attack generates a large number of packets, which may cause the application or server to crash. You may also notice that these attack packets are generated by a tool and share several characteristics. In practice, servers can be protected effectively by identifying and filtering traffic based on such characteristics.