First, why care about DDoS? With the growth of Internet bandwidth and the steady release of all kinds of DDoS attack tools, distributed denial-of-service attacks are becoming easier to launch and more frequent. Driven by commercial competition, retaliation, network extortion and similar motives, many IDC hosting facilities, commercial websites, game servers, chat networks and other network service providers have long been troubled by DDoS attacks, followed by a string of problems: customer complaints, loss of virtual-hosting users, legal disputes and commercial losses. Solving the DDoS problem has therefore become something every network service provider must take seriously.
Second, what is DDoS? DDoS is short for Distributed Denial of Service. What, then, is denial of service? Broadly, any behaviour that prevents legitimate users from accessing normal network services is a denial-of-service attack. The purpose of such an attack is clear: stop legitimate users from reaching normal network resources so that the attacker achieves some ulterior goal. Although both are denial-of-service attacks, DDoS and DoS differ. A DDoS attack strategy concentrates on using many "zombie hosts" (hosts the attacker has compromised or otherwise controls, directly or indirectly) to send large numbers of network packets at the victim host, congesting the network or exhausting server resources so that service is denied. Once a distributed denial-of-service attack is under way, the attack packets pour onto the victim like a flood, drowning the traffic of legitimate users so that they can no longer reach the server's network resources; for this reason distributed denial-of-service attacks are also called "flood attacks". Common DDoS methods include SYN Flood, ACK Flood, UDP Flood, ICMP Flood, TCP Flood, Connections Flood, Script Flood and Proxy Flood. A DoS attack, by contrast, focuses on exploiting a specific vulnerability of the host to crash the system or the host so that it can no longer provide normal network service; common DoS methods include TEARDROP, LAND, Jolt, IGMP Nuker, Boink, Smurf, Bonk and OOB. Of the two, DDoS is the greater threat because it is hard to prevent; a DoS attack can usually be dealt with by patching the host or installing firewall software. The rest of this article discusses how to deal with DDoS attacks.
Third, how does DDoS work? There are two kinds of DDoS attack. The first is the traffic attack, aimed mainly at network bandwidth: a large volume of attack packets saturates the link, and legitimate packets are drowned by the bogus ones and never reach the host. The second is the resource-exhaustion attack, aimed mainly at the server host: the host's memory is used up, or the kernel and applications keep the CPU fully occupied, so it can no longer provide network service.
How do you determine whether a website is under attack? You can test with the ping command. If ping times out or shows serious packet loss (assuming it is normally fine), the site may be under a traffic attack. If you then find that a server on the same switch cannot be reached either, the traffic attack is essentially confirmed. The premise of this test is that ICMP between you and the server host is not blocked by routers, firewalls or similar devices; otherwise, connect with telnet to a network service port of the host server, which gives the same result. One thing is certain: if ping to your host server and to the hosts on the same switch is normally fine, and suddenly ping fails or loses many packets, then once you have ruled out network faults you are under a traffic attack. Another typical sign of a traffic attack is that the remote terminal connection to the website server fails as soon as the attack starts.
Compared with traffic attacks, resource-exhaustion attacks are easier to judge. If ping to the website host and access to the website are normally fine, and suddenly the website becomes very slow or unreachable while ping still succeeds, a resource-exhaustion attack is likely. If at that moment the server shows a large number of connections in SYN_RECEIVED, TIME_WAIT, FIN_WAIT_1 and similar states while ESTABLISHED is very small, it is definitely a resource-exhaustion attack. There is one more phenomenon that also counts as resource exhaustion: ping to your own website host fails or loses many packets, while ping to a server on the same switch is normal. The reason is that the attack has driven the system kernel or some application to 100% CPU, so the host cannot respond to ping; the bandwidth is in fact still there, otherwise you could not ping the host on the same switch either.
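The netstat check described above (many SYN_RECEIVED / TIME_WAIT / FIN_WAIT_1 entries while ESTABLISHED stays tiny) can be turned into a small parser that runs over saved netstat output. This is an added example, not from the original article; the netstat lines, addresses and the 5:1 ratio are constructed, and the ratio is a placeholder to be tuned against the host's normal baseline.

```python
"""Count TCP states in saved 'netstat -na' output and flag the pattern the
article describes: many half-open/teardown states, very few ESTABLISHED."""
from collections import Counter

TCP_STATES = {"ESTABLISHED", "SYN_SENT", "SYN_RECEIVED", "SYN_RECV",
              "FIN_WAIT_1", "FIN_WAIT_2", "TIME_WAIT", "CLOSE_WAIT",
              "LAST_ACK", "CLOSING", "LISTEN", "LISTENING", "CLOSED"}
# Windows and Linux spell two states differently; fold them together.
NORMALIZE = {"SYN_RECV": "SYN_RECEIVED", "LISTENING": "LISTEN"}
PRESSURE_STATES = ("SYN_RECEIVED", "TIME_WAIT", "FIN_WAIT_1")

def count_states(netstat_output):
    """Return a Counter of normalized TCP states; headers and UDP are skipped."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Windows: 'TCP local foreign STATE'; Linux: 'tcp rq sq local foreign STATE'
        if len(fields) < 4 or fields[0].lower() not in ("tcp", "tcp6"):
            continue
        state = fields[-1].upper()
        if state in TCP_STATES:
            counts[NORMALIZE.get(state, state)] += 1
    return counts

def assess(counts, ratio=5):
    """Flag when pressure states outnumber ESTABLISHED by `ratio` (placeholder
    threshold). Returns (suspicious, pressure_count, established_count)."""
    pressure = sum(counts[s] for s in PRESSURE_STATES)
    established = counts["ESTABLISHED"]
    return pressure >= ratio * max(established, 1), pressure, established

# Constructed sample: Windows 'netstat -na' layout plus one Linux-style line.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          203.0.113.5:51234      ESTABLISHED
  TCP    192.0.2.10:80          198.51.100.17:1025     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.18:1026     SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.19:1027     SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.77:40211     TIME_WAIT
  TCP    192.0.2.10:80          203.0.113.79:40213     FIN_WAIT_1
  UDP    0.0.0.0:161            *:*
tcp        0      0 192.0.2.10:80      198.51.100.99:2048   SYN_RECV
"""

if __name__ == "__main__":
    flagged, pressure, est = assess(count_states(SAMPLE))
    print("suspected resource exhaustion" if flagged else "looks normal",
          f"(pressure={pressure}, established={est})")
```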
There are currently three popular DDoS attack methods:
1. SYN/ACK Flood attack: This is the most effective DDoS method and can take down the network services of almost any system. It works by sending large numbers of SYN or ACK packets with forged source IPs and source ports to the victim host, so that the host's cache resources are exhausted or it is kept busy sending replies. Because the sources are forged it is hard to trace. The drawback is that it is harder to carry out, since it requires zombie hosts with high bandwidth. A small amount of this attack makes the host server unreachable while ping still works; running netstat -na on the server shows large numbers of SYN_RECEIVED states. A large amount causes ping to fail and the TCP/IP stack to fail, and the system locks up, no longer responding to keyboard or mouse. Most ordinary firewalls cannot withstand this attack.
2. TCP full-connection attack: This attack is designed to bypass the checks of conventional firewalls. Most conventional firewalls can filter DoS attacks such as TEARDROP and LAND, but they let normal TCP connections through. Many web servers (IIS, Apache and other web servers) can accept only a limited number of TCP connections; once a large number of TCP connections exist, even legitimate ones, website access becomes very slow or impossible. The TCP full-connection attack uses many zombie hosts to establish large numbers of TCP connections with the victim server until its resources are exhausted and service is denied. Its characteristic is that it bypasses general firewall protection; its drawbacks are that it needs many zombie hosts and, because the zombie hosts' IPs are exposed, it is easy to trace.
3. Script flood attack: This attack mainly targets web applications written in ASP, JSP, PHP, CGI and similar scripting languages that call MSSQL Server, MySQL Server, Oracle or other databases. Its characteristic is that it establishes normal TCP connections with the server and continuously submits queries, list requests and other calls that consume large amounts of database resources; it is a typical case of a small input producing a large effect. In general, the cost to the client of submitting a GET or POST request is almost negligible, whereas the server may have to search tens of thousands of records to handle it, at a very high cost in resources. Ordinary database servers can handle at most a few hundred query requests at the same time, which is trivial for the client, so an attacker only needs to submit large numbers of queries to the host server through proxies, and within a few minutes the server's resources are consumed. The usual symptoms are that the website is slow, ASP programs fail, PHP fails to connect to the database, and the main database process uses a lot of CPU. This attack completely bypasses ordinary firewall protection, and it is easy to find proxies to carry it out; its drawbacks are that against a purely static site its effect is greatly reduced, and some proxies expose the attacker's IP address.
Fourth, how to resist DDoS?
Dealing with DDoS is a systems-engineering problem; relying on a single system or product to prevent DDoS is unrealistic. It is certain that DDoS cannot be eliminated completely, but with appropriate measures about 90% of DDoS attacks can be resisted. Attack and defence both have costs. If you raise your ability to resist DDoS by appropriate means, you raise the attacker's cost, and the vast majority of attackers will not persist and will give up, which amounts to defeating the DDoS attack. What follows is the author's experience and advice from many years of defending against DDoS, shared with you!
1. High-performance network equipment
First, make sure the network equipment is not the bottleneck, so when choosing routers, switches and hardware firewalls, pick well-known brands with a good reputation. Then, if you have a special relationship or agreement with your network provider, it is very effective to have them apply traffic limits at the network points of presence when you are under a large attack; this can counter certain kinds of DDoS attacks.
2. Avoid NAT where possible
Whether on routers or hardware firewall devices, try to avoid using network address translation (NAT), because it reduces network throughput. The reason is simple: NAT has to translate addresses back and forth and recompute the checksum of every packet during translation, which wastes a great deal of CPU time. Sometimes NAT is unavoidable, and then there is no good way around it.
3. Adequate network bandwidth
Network bandwidth directly determines the ability to withstand attack. With only 10M of bandwidth it is hard to withstand today's SYN flood attacks; at least 100M shared bandwidth is needed today, and the best is of course to sit on a 1000M trunk. Note, however, that a gigabit network card on the host does not mean the host has gigabit bandwidth: if it is connected to a 100M switch, its actual bandwidth will not exceed 100M, and being connected at 100M does not mean you have 100M of bandwidth either, because the network service provider may well limit the actual bandwidth to 10M on the switch. Be clear about this.
4. Upgrade the host server hardware
With network bandwidth assured, try to improve the hardware configuration as much as possible. To effectively handle 100,000 SYN attack packets per second, the server configuration should be at least P4 2.4G / DDR 512M / SCSI-HD. The key components are the CPU and memory: if a dual Xeon CPU is available, use it; the memory must be high-speed DDR; the hard disk should be SCSI if at all possible. Do not skimp here, it is not expensive, otherwise you will pay a high price in performance. The network card must be a brand name such as 3COM or Intel; leave the Realtek for your own PC.
5. Make the site static pages
Many facts have proved that making the website static not only greatly improves its resistance to attack but also gives intruders a lot of trouble; at least so far there has been no such thing as an HTML overflow. Look at Sina, Sohu, Netease and the other portals: they are mainly static pages. If you need dynamic script calls, put them on a separate host so that the main server is spared when you are attacked. Of course, you can still place some appropriate database-calling scripts on the main server. In addition, it is best to refuse proxy access in scripts that need to call the database, because experience shows that 80% of proxied accesses to your website are malicious.
6. Harden the operating system's TCP/IP stack
Win2000 and Win2003, used as server operating systems, have a certain ability to resist DDoS attacks, but it is not enabled by default. When enabled they can withstand about 10,000 SYN attack packets; when not, only a few hundred. For how to enable it, see Microsoft's article "Strengthen TCP/IP Stack Security": http://www.microsoft.com/china/technet/security/guidance/secmod109.mspx. You may ask, what about Linux and FreeBSD? Very simple: follow this article on "SYN cookies": http://cr.yp.to/syncookies.html
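To show why SYN cookies blunt a SYN flood, here is a toy server-side implementation following the cookie layout described at the cr.yp.to page above (top 5 bits: slow time counter; next 3 bits: MSS index; bottom 24 bits: keyed hash of the connection 4-tuple and counter). This is an added example, not code from the article or from any real TCP stack; the secret key, MSS table, addresses and ports are constructed.

```python
"""Toy SYN cookies: the server answers every SYN with a SYN-ACK whose sequence
number encodes what it needs, stores nothing for the half-open connection, and
recovers the connection only when a valid final ACK arrives."""
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-demo-key-rotate-per-boot"   # real stacks pick this at random
COUNTER_STEP = 64                                  # counter ticks every 64 s
MSS_TABLE = (536, 1220, 1400, 1460)                # 3-bit index -> MSS sent back

def _counter(now):
    return int(now // COUNTER_STEP) & 0x1F          # 5-bit slow counter

def _tag(src, sport, dst, dport, counter):
    """24-bit keyed hash binding the cookie to one client/server 4-tuple."""
    msg = (socket.inet_aton(src) + socket.inet_aton(dst)
           + struct.pack("!HHB", sport, dport, counter))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src, sport, dst, dport, now, mss_idx):
    """ISN for the SYN-ACK. Nothing about this half-open connection is stored."""
    counter = _counter(now)
    return (counter << 27) | ((mss_idx & 0x7) << 24) | _tag(src, sport, dst, dport, counter)

def check_cookie(src, sport, dst, dport, now, ack):
    """Validate the client's final ACK (= cookie + 1) and return the MSS the
    server chose, or None if the cookie is stale, forged or for another tuple."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter, mss_idx, tag = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if (_counter(now) - counter) & 0x1F > 1:          # more than one 64 s tick old
        return None
    if tag != _tag(src, sport, dst, dport, counter):  # wrong key, tuple or counter
        return None
    return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None

if __name__ == "__main__":
    server = ("192.0.2.10", 80)
    # SYNs from sources that never finish the handshake: each is answered,
    # but the server keeps no half-open entry for any of them.
    for i in range(5):
        make_cookie(f"198.51.100.{i + 1}", 1025 + i, *server, 1000.0, 3)
    isn = make_cookie("203.0.113.5", 51234, *server, 1000.0, 3)
    mss = check_cookie("203.0.113.5", 51234, *server, 1010.0, (isn + 1) & 0xFFFFFFFF)
    print("legitimate client completed handshake, MSS:", mss)
```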
7. Install a professional anti-DDoS firewall
8. Other defensive measures
The seven anti-DDoS suggestions above suit users who run their own hosts. If the DDoS problem still cannot be solved after taking these measures, more investment may be needed: increase the number of servers and use DNS round-robin or load-balancing technology, or even buy layer-7 switching equipment, so that anti-DDoS capacity is multiplied. As long as the investment is deep enough, the attacker will eventually give up, and you will have won! :)