The Ultimate DDoS Defense Guide
Brief description: Prompted by a recent DDoS attack on this site, we invited our technical consultant, a security specialist with years of hands-on experience fending off DDoS attacks, to write this article. It explains the concept of distributed denial of service (DDoS), the most common DDoS attack methods, how to judge whether you are under a DDoS attack, and a comprehensive set of practical defense recommendations. We hope it helps webmasters get out from under DDoS attacks as quickly as possible, and we sincerely welcome discussion of DDoS-related topics.

First, why DDoS?

As Internet bandwidth has grown and DDoS tools of every kind have been released, DDoS attacks and DDoS incidents have both become more frequent. Driven by commercial competition, retaliation, network extortion and similar motives, many network service providers, including IDC hosting rooms, commercial sites, game servers and chat networks, have been plagued by DDoS attacks, followed by customer complaints, losses for virtual-host users, legal disputes and commercial damage. Solving the DDoS problem has therefore become something every network service provider must take seriously.

Second, what is DDoS?

DDoS is short for Distributed Denial of Service. So what is denial of service? Broadly, any behaviour that prevents legitimate users from accessing a normal network service is a denial-of-service attack. The purpose of such an attack is very clear: to stop legitimate users from reaching normal network resources, so that the attacker achieves some ulterior goal.
Although both are denial-of-service attacks, DDoS and DoS differ. The DDoS strategy is to have a large number of "zombie hosts" (hosts the attacker has compromised directly or indirectly) send a flood of packets at the victim, so that the network is congested or the server's resources are exhausted and service is denied. Once a distributed attack is launched, the packets pour onto the victim like a flood, drowning out legitimate users' traffic so that they cannot reach the server's network resources; for this reason DDoS attacks are also called "flood attacks". Common DDoS methods include SYN Flood, ACK Flood, UDP Flood, ICMP Flood, TCP Flood, Connections Flood, Script Flood and Proxy Flood. A DoS attack, by contrast, exploits a specific vulnerability in the host to crash the operating system or the host itself so that it can no longer provide network service; common DoS attacks include Teardrop, LAND, Jolt, IGMP Nuker, Boink, Smurf, Bonk and OOB. Of the two, DDoS is by far the more harmful because it is hard to defend against; a DoS attack can be dealt with by patching the host server or installing firewall software. The rest of this article therefore concentrates on how to handle DDoS attacks.

Third, how does DDoS attack?

There are two kinds of DDoS attack. The first is a bandwidth (traffic) attack, aimed at the network link: a large volume of attack packets saturates the bandwidth, so legitimate packets are swamped by bogus ones and never reach the host. The second is a resource-exhaustion attack, aimed at the server host itself: the host's memory is used up, or its CPU is monopolised by the kernel or an application, so that it can no longer provide network service.
How do you determine whether the site is under attack? You can test with the ping command. If ping times out or shows heavy packet loss (assuming it is normally clean), the site may be under a bandwidth attack. If, at the same time, another server on the same switch cannot be pinged either, you can be fairly sure it is a bandwidth attack. The premise of this test is that ICMP between you and the server host is not blocked by a router, firewall or similar device; if it is, telnet to one of the host's network service ports instead, with the same effect. One thing is certain: if pinging your host and the hosts on the same switch is normally fine, and suddenly ping fails or loses many packets, then, once ordinary network faults are ruled out, the segment is under a bandwidth attack. Another typical sign of a bandwidth attack is that your remote terminal session to the web server drops.

Compared with bandwidth attacks, resource-exhaustion attacks are easier to judge. If pinging the web host and accessing the site are normally fine, and suddenly the site becomes very slow or unreachable while ping still works, the site is probably under a resource-exhaustion attack. If netstat on the server then shows a large number of connections in states such as SYN_RECEIVED, TIME_WAIT and FIN_WAIT_1 and very few in ESTABLISHED, it is definitely a resource-exhaustion attack. There is one more phenomenon that belongs to this category.
Pinging your own web host fails or loses heavily, but pinging a server on the same switch is normal. The cause is that the attack has driven the kernel or some application to 100% CPU, so the host cannot answer ping; the bandwidth itself is still there, otherwise the neighbouring host on the same switch would be unreachable too.

There are currently three popular DDoS attack methods:

1. SYN/ACK flood: This is the classic and most effective DDoS method, capable of taking down most kinds of network service. The attacker sends the victim host a large number of SYN or ACK packets with forged source IP addresses and ports, so that the host's connection cache is exhausted or it is kept busy sending replies, and service is denied. Because the sources are forged, tracing is difficult; the drawback for the attacker is that it takes some skill and needs zombie hosts with high bandwidth. A modest flood of this kind leaves the server unreachable while ping still works, and netstat -na on the server shows a large number of SYN_RECEIVED states; a heavy flood causes ping to fail, the TCP/IP stack to break down, and the system to freeze with no response to keyboard or mouse. Most ordinary firewalls cannot withstand this attack.

2. TCP full-connection attack: This attack is designed to bypass the inspection of conventional firewalls. Most conventional firewalls can filter DoS attacks such as Teardrop and LAND, but they let normal TCP connections through, and few people realise that web servers (IIS, Apache and the like) can only accept a limited number of TCP connections; once there are many, even legitimate ones, the site becomes very slow or unreachable. A TCP full-connection attack uses many zombie hosts to establish large numbers of real TCP connections with the victim server until resources such as its connection table are exhausted and service is denied. Its strength is that it bypasses general firewall protection; its weaknesses are that it needs many zombie hosts and, because the zombies' IP addresses are exposed, it is easy to trace.
3. Script flood attack: This attack targets script programs such as ASP, JSP, PHP and CGI that query databases such as MSSQL Server, MySQL and Oracle. Its characteristic is that it establishes normal TCP connections with the server and keeps submitting queries, listings and other calls that consume a great deal of database resources; it is a typical asymmetric attack. For the client, submitting a GET or POST request costs almost nothing, while the server may have to search tens of thousands of records to handle it, at great cost in resources. A typical database server can only serve a few hundred queries at once, which is trivial for a client to generate, so the attacker merely has to push a large number of queries at the host through proxies and the server's resources are consumed within minutes. The usual symptoms are that the site is slow, ASP programs fail, PHP cannot connect to the database, and the database process takes up a lot of CPU. This attack completely bypasses ordinary firewall protection, and a handful of proxies is enough to mount it. Its drawbacks are that against a site consisting only of static pages it is far less effective, and some proxies reveal the attacker's IP address.

Fourth, how to defend against DDoS?

Dealing with DDoS is a systems engineering problem; relying on a single system or product to stop DDoS is unrealistic. It is certain that DDoS cannot be eliminated entirely, but with appropriate measures 90% of DDoS attacks can be resisted. Both attack and defense have costs. If you raise your ability to withstand DDoS by appropriate means, you raise the attacker's cost, and the vast majority of attackers will then give up rather than continue, which amounts to defeating the attack.
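To make the netstat-based judgment from the sections above concrete, here is a small Python triage script. It is an added example, not code from the original article or its author: it parses netstat -na output (Linux or Windows layout), counts connection states, and maps the counts to the symptom patterns described above for a SYN/ACK flood (many SYN_RECEIVED, few ESTABLISHED), for general resource exhaustion (many TIME_WAIT / FIN_WAIT_1, few ESTABLISHED) and for a TCP full-connection attack (many ESTABLISHED from many distinct, real source addresses). The thresholds, the make_snapshot helper and the SCENARIOS sample data (using RFC 5737 test-net addresses) are assumptions constructed for illustration.

```python
"""Triage a 'netstat -na' snapshot for the connection-state patterns the
article ties to DDoS.  Added example, not the article author's tooling;
every threshold below is an assumption to be tuned against the host's
normal baseline."""
import ipaddress
import sys
from collections import Counter

# Aliases fold Linux/Windows spellings into the article's (SYN_RECEIVED, FIN_WAIT_1).
STATE_ALIASES = {"SYN_RECV": "SYN_RECEIVED", "FIN_WAIT1": "FIN_WAIT_1",
                 "FIN_WAIT2": "FIN_WAIT_2", "LISTENING": "LISTEN"}
TCP_STATES = {"LISTEN", "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED", "FIN_WAIT_1",
              "FIN_WAIT_2", "CLOSE_WAIT", "CLOSING", "LAST_ACK", "TIME_WAIT",
              "CLOSED"}


def parse_netstat(text):
    """Return (local, remote_ip, state) for every TCP line of netstat -na.

    Handles both layouts, Linux ("tcp 0 0 LOCAL REMOTE STATE") and Windows
    ("TCP LOCAL REMOTE STATE"): the state is the last column and the two
    columns before it are the local and remote endpoints.  Header lines and
    UDP lines carry no recognised state and are skipped.
    """
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].lower() not in ("tcp", "tcp6"):
            continue
        state = parts[-1].upper()
        state = STATE_ALIASES.get(state, state)
        if state not in TCP_STATES:
            continue
        local, remote = parts[-3], parts[-2]
        remote_ip = remote.rsplit(":", 1)[0]  # drop the port, keep the v4/v6 address
        conns.append((local, remote_ip, state))
    return conns


def classify(conns, min_backlog=200, backlog_ratio=5, min_established=500,
             min_sources=100, top_n=5):
    """Map a parsed snapshot to one of the symptom patterns in the article.

    syn_ack_flood        many SYN_RECEIVED and few ESTABLISHED
    resource_exhaustion  many TIME_WAIT / FIN_WAIT_* and few ESTABLISHED
    tcp_full_connect     many ESTABLISHED from many distinct remote IPs
    normal               none of the above (thresholds are assumptions)
    """
    states = Counter(state for _, _, state in conns)
    established = states["ESTABLISHED"]
    half_open = states["SYN_RECEIVED"]
    teardown = states["TIME_WAIT"] + states["FIN_WAIT_1"] + states["FIN_WAIT_2"]
    # Full-connect zombies complete the handshake, so their addresses are real
    # and worth tallying; SYN-flood sources are forged and are not counted.
    sources = Counter(ip for _, ip, state in conns if state == "ESTABLISHED")
    floor = backlog_ratio * max(established, 1)

    if half_open >= min_backlog and half_open >= floor:
        verdict = "syn_ack_flood"
    elif teardown >= min_backlog and teardown >= floor:
        verdict = "resource_exhaustion"
    elif established >= min_established and len(sources) >= min_sources:
        verdict = "tcp_full_connect"
    else:
        verdict = "normal"
    return {"verdict": verdict, "states": dict(states),
            "distinct_sources": len(sources),
            "top_sources": sources.most_common(top_n)}


def make_snapshot(spec, local="10.0.0.5:80"):
    """Constructed Linux-style netstat -na output for demonstration only.

    spec: iterable of (state, count, first_remote_ip, distinct_sources);
    remote addresses cycle through `distinct_sources` consecutive IPs.
    """
    lines = ["Active Internet connections (servers and established)",
             "Proto Recv-Q Send-Q Local Address      Foreign Address    State"]
    for state, count, first_ip, distinct in spec:
        base = ipaddress.ip_address(first_ip)
        for i in range(count):
            lines.append(f"tcp    0  0 {local}  {base + (i % distinct)}:{40000 + i}  {state}")
    return "\n".join(lines)


SCENARIOS = {  # constructed samples, one per pattern; RFC 5737 test-net addresses
    "spoofed SYN flood":   [("SYN_RECV", 300, "198.51.100.0", 300),
                            ("ESTABLISHED", 20, "203.0.113.0", 20)],
    "full-connect botnet": [("ESTABLISHED", 600, "203.0.113.0", 150),
                            ("TIME_WAIT", 50, "192.0.2.0", 50)],
    "quiet evening":       [("ESTABLISHED", 40, "203.0.113.0", 40),
                            ("TIME_WAIT", 120, "192.0.2.0", 120)],
}

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    if text:  # e.g.  netstat -na | python3 triage.py
        report = classify(parse_netstat(text))
        print("live host:", report["verdict"], report["states"], report["top_sources"])
    for name, spec in SCENARIOS.items():
        report = classify(parse_netstat(make_snapshot(spec)))
        print(f"{name:20s} -> {report['verdict']:20s} {report['states']}")
```

Two caveats when using this on a real host. A busy HTTP server normally carries thousands of TIME_WAIT entries, so the resource_exhaustion branch is only meaningful against the host's own baseline; raise min_backlog and backlog_ratio until a quiet day classifies as normal. And a script flood looks like ordinary ESTABLISHED connections in netstat, so for that pattern the signal is database CPU and slow-query counts, not connection states; what this script does give you in that case is the top_sources list, which is exactly the exposed proxy or zombie addresses the article says make such attacks traceable.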
The following are the author's experience and recommendations from many years of defending against DDoS, shared here for everyone.

1. Use high-performance network equipment. First make sure the network equipment is not the bottleneck: when choosing routers, switches and hardware firewalls, pick well-known products with a good reputation. It also helps a great deal to have a special relationship or agreement with your network provider, so that when a large attack arrives they can rate-limit the traffic at the network edge; this is very effective against certain kinds of DDoS attack.

2. Avoid NAT where possible. Whether on a router or a hardware firewall, try to avoid network address translation, because it reduces the device's forwarding capacity: NAT has to rewrite addresses in both directions and recompute packet checksums during the translation, which wastes a lot of CPU. Sometimes NAT is unavoidable, and then there is no good alternative.

3. Ensure adequate bandwidth. Network bandwidth directly determines how well you can withstand an attack. With only 10 Mbit/s it is hard to resist today's SYN floods; you need at least 100 Mbit/s of shared bandwidth, and the best case is to sit on a 1000 Mbit/s trunk. Note, however, that a gigabit network card in the host does not mean you have gigabit bandwidth: if it is plugged into a 100 Mbit/s switch, its actual bandwidth will not exceed 100 Mbit/s, and being connected at 100 Mbit/s does not mean you have 100 Mbit/s either, because the network service provider may well limit the actual bandwidth on that switch port to 10 Mbit/s. You must be clear about this.