One day you may find that your website is no longer accessible and that you cannot connect to the server remotely, and the data center tells you that the server's traffic is very high. You have to be prepared for this. It may mean that someone has targeted the businesses running on your servers, such as large commercial websites and games: once you start earning a certain profit, the "hackers" may also want to collect a "protection fee" from you. In other words, your server may be under a DoS/DDoS attack.
Let's take a look at the basics of DoS and DDoS.
I. Introduction to DoS/DDoS
1. What is DoS?
DoS is short for Denial of Service, and attacks that cause it are called DoS attacks. The purpose of a DoS attack is to make a computer or network unable to provide its normal service. The most common DoS attacks are network bandwidth attacks and connectivity attacks. In a bandwidth attack, the network is hit with a great deal of traffic so that all available network resources are exhausted and, in the end, legitimate user requests cannot get through. In a connectivity attack, the computer is hit with a large number of connection requests so that all available operating system resources are exhausted and the computer cannot process legitimate user requests.
2. What is a Distributed Denial of Service (DDoS) attack?
A Distributed Denial of Service (DDoS) attack combines many slave machines (generally "zombies" controlled by the hacker) into one attack platform and launches DoS attacks from them against one or more targets, multiplying the power of a DoS attack many times over. Typically the attacker intrudes into a server and, after obtaining a certain level of permission on it, installs the DDoS master program there. At a specified time the master program communicates with a large number of agent programs that have been installed on many other machines under the hacker's control (including a large number of personal PCs obtained by other means). When an agent receives the command, it launches the attack. Using client/server techniques, the master program can activate hundreds of agent programs within a few seconds.
For example:
A hacker controls one of the slave machines (or his own computer, though for his own safety he generally chooses a slave machine to control the others) and uses it to direct the other slave machines to attack the target server. Of course, this is just the simple case. You can imagine something more complicated: 10 or 20 slave machines under the hacker's control, each in turn controlling thousands, tens of thousands, or even hundreds of thousands of machines that launch a devastating attack on the target.
A vivid, if not entirely appropriate, metaphor: two people are fighting, and one of them cannot beat the other, so he calls all his friends to deal with him. You cannot deal with so many people at once.
A Denial of Service (DoS) attack uses massive numbers of packets, beyond the processing capacity of the target, to consume its available system and bandwidth resources, paralyzing normal network service. A DoS attack is one-to-one: a single attacker against a single target. When the target's CPU is slow, its memory small, and its network bandwidth low, the effect of a DoS attack is obvious.
However, with the rapid development of Internet and hardware technology, bandwidth is now measured in Mbit/s and Gbit/s, most CPUs are dual-core or quad-core, and memory is as cheap as cabbage. In this environment, a DoS attack has become harder to carry out.
This is how distributed denial of service (DDoS) attacks came about. If you understand DoS attacks, DDoS attacks are not difficult to understand. If the capacity of computers and networks to withstand an attack has increased tenfold and a single slave machine can no longer bring a target down, can the attacker use 10 slave machines to attack at the same time? What about 100? DDoS uses many more bots to attack victims on a far larger scale than before.
II. Symptoms of a DoS/DDoS attack
What does a DoS/DDoS attack look like on the server?
1. A large number of TCP connections are waiting on the attacked host;
2. The network is filled with a large number of useless packets whose source addresses are forged, or are addresses that should only appear on a private network;
3. High volumes of useless traffic cause network congestion, so the affected host can no longer communicate normally with the outside world;
4. Defects in the services provided by the affected host, or in the transport protocol, are exploited to send specific service requests repeatedly and at high speed, so the affected host cannot process all legitimate requests in time;
5. In severe cases the system runs slowly or hangs, or even crashes.
III. DoS/DDoS attack types
1. SYN flood: the attacker sends SYN packets to the target host from many random source addresses but never answers the target's SYN-ACK. The target host creates a connection queue entry for each of these sources and, never receiving the final ACK, keeps them all, which consumes a large amount of resources and leaves it unable to serve normal requests.
2. Smurf: the attacker sends a packet carrying a specific request (such as an ICMP Echo Request) to the broadcast address of a subnet, with the source address forged as the address of the host to be attacked. All hosts on the subnet respond to the broadcast request by sending packets to the attacked host, which is overwhelmed.
3. Land: the attacker sets both the source address and the destination address of a packet to the address of the target host and sends it to the attacked host through IP spoofing. Such a packet can send the attacked host into an endless loop trying to establish a connection with itself, greatly reducing system performance.
4. Ping of Death: according to the TCP/IP specification, the maximum length of a packet is 65536 bytes. Although a single packet cannot exceed 65536 bytes, the fragments of one packet can be made to overlap so that the reassembled packet does. When a host receives a packet larger than 65536 bytes it is under a Ping of Death attack, which can cause the host to crash.
5. Teardrop: when an IP packet travels over the network it can be split into smaller fragments. An attacker performs a Teardrop attack by sending two (or more) fragments: the first has offset 0 and length N, and the second has an offset less than N. To merge these overlapping fragments the TCP/IP stack allocates an unusually large amount of resources, which exhausts system resources and may even cause the machine to restart.
6. Ping sweep: ICMP Echo is used to poll many hosts in turn.
7. Ping flood: the attacker sends a large number of ping packets to the target host in a short time, causing network congestion or exhausting the host's resources.
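The Land, Ping of Death and Teardrop entries above all describe packets a receiving stack should never have to honour, so they can be screened before reassembly. The following Python is an added example written for this page, not code from the original article: it takes constructed fragment records (the addresses, identification values and sizes are made up) and flags a datagram whose source equals its destination, whose fragments overlap, or whose reassembled length would exceed the 65535-byte maximum an IPv4 length field can express (the article rounds this to 65536).

```python
"""Added example (not from the article): offline sanity checks for the
malformed-packet DoS types described above (Land, Teardrop, Ping of Death)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Largest datagram the 16-bit IPv4 total-length field can describe.
MAX_IP_DATAGRAM = 65535


@dataclass
class Fragment:
    """One IPv4 fragment as a receiver would see it (constructed record, not a capture)."""
    src: str
    dst: str
    ident: int     # IP identification field, shared by all fragments of one datagram
    offset: int    # fragment offset in bytes (header value * 8)
    length: int    # payload bytes carried by this fragment
    more: bool     # More Fragments flag


def check_datagram(frags: List[Fragment]) -> List[str]:
    """Return the problems found in the fragments of one datagram, in a fixed order."""
    problems = []
    # Land: source and destination are the same host.
    if any(f.src == f.dst for f in frags):
        problems.append("land")
    # Walk fragments by offset, tracking how far the reassembly buffer is already covered.
    overlapping = False
    covered_to = 0
    for frag in sorted(frags, key=lambda f: f.offset):
        if frag.offset < covered_to:   # Teardrop: this fragment starts inside data we already hold
            overlapping = True
        covered_to = max(covered_to, frag.offset + frag.length)
    if overlapping:
        problems.append("teardrop")
    # Ping of Death: the reassembled datagram would be bigger than IPv4 allows.
    if covered_to > MAX_IP_DATAGRAM:
        problems.append("ping_of_death")
    return problems


def triage(frags: List[Fragment]) -> Dict[Tuple[str, str, int], List[str]]:
    """Group fragments into datagrams by (src, dst, ident) and check each group."""
    groups: Dict[Tuple[str, str, int], List[Fragment]] = defaultdict(list)
    for f in frags:
        groups[(f.src, f.dst, f.ident)].append(f)
    return {key: check_datagram(group) for key, group in groups.items()}


# Constructed sample traffic; the addresses are documentation ranges, not real hosts.
SAMPLE_FRAGMENTS = [
    # ident 1: an ordinary two-fragment datagram (should pass)
    Fragment("203.0.113.5", "198.51.100.10", 1, 0, 1480, True),
    Fragment("203.0.113.5", "198.51.100.10", 1, 1480, 520, False),
    # ident 2: second fragment starts at offset 1000, inside the first (Teardrop pattern)
    Fragment("203.0.113.5", "198.51.100.10", 2, 0, 1480, True),
    Fragment("203.0.113.5", "198.51.100.10", 2, 1000, 500, False),
    # ident 3: fragments that would reassemble to 66000 bytes (Ping of Death pattern)
    Fragment("203.0.113.5", "198.51.100.10", 3, 0, 65000, True),
    Fragment("203.0.113.5", "198.51.100.10", 3, 65000, 1000, False),
    # ident 4: source equals destination (Land pattern)
    Fragment("198.51.100.10", "198.51.100.10", 4, 0, 40, False),
]

if __name__ == "__main__":
    for key, problems in triage(SAMPLE_FRAGMENTS).items():
        print(key, problems or "ok")
```

The check deliberately runs on the fragment headers alone, before any payload is copied, which is the point of defending against these patterns: a stack that validates offsets and the projected total length first never allocates the oversized buffer that Teardrop and Ping of Death depend on.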
IV. How to defend against DoS/DDoS attacks
One day when you log on to the server you may feel that it is running slowly, or you may not be able to connect remotely at all, and the data center staff notify you that the server's traffic is very high. At this point you have to analyze whether it is really under a DoS/DDoS attack.
I have discussed a lot of theory above, and you may not be able to "digest" it all.
Here is a simple and easy-to-understand command for deciding whether the server is under a DoS/DDoS attack:
Run netstat -an at the command prompt to list all of the server's current external connections. If there are a large number of connections in the SYN_RECEIVED, TIME_WAIT and FIN_WAIT_1 states but only a few in ESTABLISHED, you can conclude that the server is under a resource-exhaustion attack.
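The netstat -an check above is easy to do by eye on a quiet box but tedious on a busy one. The Python below is an added example for this page, not the article's own code: it counts the TCP states in netstat output, applies the article's rule of thumb (suspect states dwarfing ESTABLISHED) with an assumed ratio threshold, and lists the remote hosts holding the most half-open connections. The sample output is constructed in Windows netstat layout using documentation addresses; the parser also accepts Linux netstat rows, whose state names (SYN_RECV, LISTEN) it folds into the Windows names the article uses.

```python
"""Added example (not from the article): tally the TCP states in `netstat -an`
output and apply the rule of thumb from the text (many SYN_RECEIVED / TIME_WAIT /
FIN_WAIT_1 entries, few ESTABLISHED) to decide whether a flood is under way."""
from collections import Counter
from typing import Iterable, Iterator, List, Tuple

# Linux netstat names some states differently; fold them into the Windows names used above.
STATE_ALIASES = {"SYN_RECV": "SYN_RECEIVED", "LISTEN": "LISTENING"}
SUSPECT_STATES = ("SYN_RECEIVED", "TIME_WAIT", "FIN_WAIT_1")


def parse_netstat(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (remote_host, state) for every TCP row; header and UDP rows are skipped."""
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0].upper() != "TCP":
            continue
        state = STATE_ALIASES.get(tokens[-1], tokens[-1])
        remote_host = tokens[-2].rsplit(":", 1)[0]   # strip the port from "host:port"
        yield remote_host, state


def count_states(lines: Iterable[str]) -> Counter:
    """How many connections sit in each TCP state."""
    return Counter(state for _, state in parse_netstat(lines))


def looks_like_flood(counts: Counter, ratio: int = 5) -> bool:
    """The article's heuristic: suspect states dwarf ESTABLISHED. `ratio` is an assumed threshold."""
    suspect = sum(counts[s] for s in SUSPECT_STATES)
    return suspect >= ratio * max(counts["ESTABLISHED"], 1)


def top_sources(lines: Iterable[str], state: str = "SYN_RECEIVED", n: int = 3) -> List[Tuple[str, int]]:
    """Remote hosts holding the most connections in `state`; candidate input for an upstream filter."""
    return Counter(host for host, s in parse_netstat(lines) if s == state).most_common(n)


# Constructed Windows-style netstat output (documentation addresses, not a real capture).
SAMPLE_FLOOD = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    203.0.113.5:80         198.51.100.77:51234    SYN_RECEIVED
  TCP    203.0.113.5:80         198.51.100.78:40111    SYN_RECEIVED
  TCP    203.0.113.5:80         198.51.100.79:40112    SYN_RECEIVED
  TCP    203.0.113.5:80         198.51.100.80:40113    SYN_RECEIVED
  TCP    203.0.113.5:80         198.51.100.77:51235    SYN_RECEIVED
  TCP    203.0.113.5:80         198.51.100.77:51236    SYN_RECEIVED
  TCP    203.0.113.5:80         192.0.2.33:60001       TIME_WAIT
  TCP    203.0.113.5:80         192.0.2.34:60002       TIME_WAIT
  TCP    203.0.113.5:80         192.0.2.35:60003       FIN_WAIT_1
  TCP    203.0.113.5:80         192.0.2.40:60010       ESTABLISHED
  UDP    0.0.0.0:53             *:*
""".splitlines()

# A constructed healthy snapshot for comparison: real sessions outnumber the suspect states.
SAMPLE_QUIET = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    203.0.113.5:80         192.0.2.40:60010       ESTABLISHED
  TCP    203.0.113.5:80         192.0.2.41:60011       ESTABLISHED
  TCP    203.0.113.5:80         192.0.2.42:60012       ESTABLISHED
  TCP    203.0.113.5:80         192.0.2.43:60013       ESTABLISHED
  TCP    203.0.113.5:80         192.0.2.44:60014       TIME_WAIT
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("flood", SAMPLE_FLOOD), ("quiet", SAMPLE_QUIET)):
        counts = count_states(sample)
        verdict = "possible flood" if looks_like_flood(counts) else "normal"
        print(name, dict(counts), verdict, top_sources(sample))
```

On a real host you would pipe the live command in (for example `netstat -an | python check_netstat.py` with a small stdin wrapper; the file name is illustrative). Keep in mind the article's own description of a SYN flood: source addresses are random and forged, so on a genuine flood the top_sources list will be flat and no single address is worth filtering, which is exactly why the article escalates to the data center and upstream ISP rather than to a local block list.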
If your server is hosted in a reasonably well-equipped data center, the company may have anti-DoS/DDoS devices; but as far as I know, the anti-DoS/DDoS devices in most data centers are not free of charge.
How to obtain an anti-DoS/DDoS device is not described in detail here. It may be a device belonging to the data center; if your circumstances allow, you can also purchase one yourself.
This method can only defend against a small fraction of attacks, because there are many types of DoS/DDoS attack, and new variants keep emerging.
When your anti-DoS/DDoS device cannot recognize these new attacks, or the device itself cannot function normally under the attack, or the attack bandwidth has far exceeded the total egress bandwidth of the data center, then no anti-attack device will help.
I believe that once you understand what DoS/DDoS attacks really are, you will understand what I mean by that sentence.
In this case you have to ask the data center to notify the upstream ISP to temporarily filter your server's IP address on their upstream routers. You also need to stay in real-time contact with the data center so that they can promptly get the latest information from the upstream ISP and have your server's IP address unblocked as soon as possible.
Finally, I would like to offer some good suggestions:
1. Use high-performance network devices
First, we must make sure that network devices do not become the bottleneck. When selecting routers, switches, hardware firewalls and other devices, we should choose well-known products with a good reputation. It is even better if you have a special relationship or agreement with your network provider: when a large attack occurs, asking them to limit traffic at the network edge is very effective against some types of DDoS attack.
2. Try to avoid using NAT
Whether on a router or a hardware firewall, try to avoid network address translation (NAT), because it greatly reduces network throughput. The reason is simple: NAT must translate addresses back and forth, and the packet checksum has to be recalculated during translation, which wastes a lot of CPU time. Sometimes, however, you must use NAT, and then there is no good way around it.
3. Ensure adequate network bandwidth
Network bandwidth directly determines the ability to withstand an attack. With only 10 Mbps of bandwidth, no matter what measures you take, it is difficult to defend against today's SYN flood attacks. At present you should choose at least Mbps of shared bandwidth, and the best option is to hang off a M trunk. However, a M NIC on the host does not mean that the network bandwidth is 1 Gigabit: if you connect it to a M switch, the actual bandwidth is no more than 100 M, and being connected at M is not the same as having M of bandwidth, because the network service provider may limit the actual bandwidth on the switch to 10 M. This must be clarified.
4. Upgrade the host server hardware
On the premise that network bandwidth is guaranteed, try to improve the hardware configuration. To effectively withstand 0.1 million SYN attack packets per second, the server configuration should be at least P4 2.4G/DDR512M/SCSI-HD; the CPU and memory play the key roles. If a powerful dual-CPU system is available, use it. The memory must be high-speed DDR, and the hard disk should be SCSI wherever possible: do not choose IDE just because it is cheap, or you will pay a high price in performance. The NIC must be a brand name such as 3COM or Intel; if you have a Realtek, use it in your own PC.
5. Make the website static pages
A large body of evidence shows that making a website as static as possible not only greatly improves its resistance to attack but also gives hackers a lot of trouble when trying to break into the site. At least so far, no "HTML overflow" has appeared. Just look: portal sites such as Sina, Sohu and NetEase are mainly static pages. If you do not need dynamic script calls, you can move them to another separate host, when the master server is not attacked