How to deal with denial-of-service attacks in small and medium Web sites

DoS (Denial of service) is the use of a reasonable service request to occupy too much service resources, so that legitimate users can not get the service echoes of the network attacks.

The appearance of being invaded by DOS is roughly:

* There are many waiting TCP connections on the attacked host; * Invaded the host system resources are a lot of occupation, the formation of the system suspension; * The network is full of a lot of useless packets, the source address is a false address; * High flow of useless data makes the network congestion, the victim host can not normal communication with the outside; * Use the service provided by the victim host or the shortcomings of the transport protocol, repeat the high speed to announce a specific service request,

So that the injured host can not promptly dispose of all normal supplications; * When the severity of the system will form a panic.

So far, the prevention of DOS, especially DDoS attacks is still relatively difficult, but can still adopt some methods to reduce its damage. For small and medium sized websites, there are several aspects to be guarded against:

Host settings:

The reinforcement operation system is used to set up various operating system parameters to strengthen the stability of the system. Compiling or setting up some parameters in Linux and the kernel of operating systems such as the various BSD systems, Solaris, and Windows can, to a certain extent, improve the system's ability to resist aggression.

For example, what are the typical types of DOS incursions? SYN Flood, which uses TCP/IP protocol slots to send a lot of bogus TCP connection requests to form a network that is unable to connect users to service or disable the operating system. The invasion process involves some parameters of the system: the number of links that can be queued and the length of time to wait for packets. As a result, you can set the following:

* Closure of unnecessary service; * Modify the number of data packets from the default value of 128 or 512 to 2048 or greater to increase the length of each packet to reduce and digest more packets; * The connection timeout is set to a shorter time to ensure that the normal data packet interface, shielding illegal offensive packets; * Timely update system, installation patches.

This paper comes from http://www.mgddos.com (DDoS attack software)