Keep the Channels Clear: Denial of Service Is Not So Terrible

Source: Internet
Author: User

The "Yellow Emperor's Internal Classic" says of the meridians that they are "that by which a person lives, by which disease forms, by which a person is cured, and by which disease arises", and that they "decide life and death, treat the hundred diseases, and regulate deficiency and excess". The meridians are thus the most important channels of the human body: once they are blocked, all kinds of disease follow. Judged by its effect, a denial-of-service or distributed denial-of-service (DoS/DDoS) attack does the same thing to a website: it cuts off the external service of the whole system, and the site is as good as "dead".

The following is an example:

Mr. D, head of the information technology department of a provincial mobile operator, recently ran into the trouble of DoS attacks: users complained that access to the website was far too slow, and that connections timed out and were dropped. How can this problem be solved?

When it comes to denial-of-service attacks, everyone is familiar with them. Among all hacker attacks they stand out as something of a maverick: the attacker gains nothing directly and simply harms the victim.

A DoS attack typically shows up as normal service requests going unmet: access is slow or gets no response at all, and in severe cases the server crashes.

Besides the commonly mentioned denial of service (DoS), there is a harder-to-prevent variant, distributed denial of service (DDoS). A DDoS attack uses client/server techniques to combine many computers, often tens of thousands of them, into an attack platform from which a denial-of-service attack is launched against the target. Because the number of controlled attacking machines (what we usually call zombies) is so large, in the extreme case each slave machine need only send perfectly normal service requests and the target will still be unable to serve, simply because its resources are overloaded.

Some people believe denial of service is completely unavoidable. In fact, some denial-of-service conditions can be avoided once you look at what triggers them. One class is caused by incorrect configuration or by system bugs: a DoS caused by misconfiguration is avoided by fixing the configuration, and a DoS caused by a system bug is avoided by patching the bug.

Note:

1. Incorrect configuration: a server is sized to support 1000 simultaneous users, but the system software on it places no limit on the maximum number of connections. Too many users connect at once, and the server becomes slow to respond.

2. System bug: the "system" here may be software or a protocol. The best-known system weakness that leads to DoS is in TCP's three-way handshake. An attacker forges a large number of source addresses and sends a continuous stream of TCP SYN requests, but never answers the server's SYN-ACK replies. The server has to keep a half-open connection for every one of them until a timeout expires, its listen queue fills up, and the result is a DoS (the SYN flood).
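The following simulation is an added example, not part of the original article, and models the half-open (SYN_RECV) table described above as a fixed-size queue in discrete time. Every spoofed SYN occupies a slot for the full timeout, while a genuine client completes its handshake within one tick. The capacities, rates and timeouts are constructed, but the model shows why the two server-side settings discussed later on this page (limiting the number of half-open connections and shortening their timeout) matter: the table holds roughly (flood rate x timeout) entries, and genuine clients are turned away once that exceeds the capacity.

```python
from collections import deque


def expected_half_open(flood_per_tick, timeout):
    """Steady-state size of the half-open table under a spoofed SYN flood.

    Every spoofed SYN holds one slot for the whole timeout, so after the
    flood has run for one timeout period the table holds about
    (arrival rate x timeout) entries.
    """
    return flood_per_tick * timeout


def simulate_syn_backlog(capacity, timeout, flood_per_tick, legit_per_tick, ticks):
    """Simulate a TCP listen queue under a SYN flood (constructed model).

    capacity       - maximum number of half-open (SYN_RECV) entries
    timeout        - ticks a half-open entry is kept before the server drops it
    flood_per_tick - spoofed SYNs per tick; their SYN-ACK is never answered
    legit_per_tick - genuine SYNs per tick; their ACK arrives within the same
                     tick, so a genuine client needs a free slot only briefly
    Returns (accepted, dropped) counts for the genuine clients.
    """
    half_open = deque()  # expiry ticks of spoofed entries, oldest first
    accepted = dropped = 0
    for t in range(ticks):
        # The server reaps half-open entries whose timeout has elapsed.
        while half_open and half_open[0] <= t:
            half_open.popleft()
        # Worst case for the victim: the spoofed SYNs of this tick are
        # processed before the genuine ones and take any free slots.
        for _ in range(flood_per_tick):
            if len(half_open) < capacity:
                half_open.append(t + timeout)
        # A genuine SYN is served only if a slot is still free.
        for _ in range(legit_per_tick):
            if len(half_open) < capacity:
                accepted += 1
            else:
                dropped += 1
    return accepted, dropped


def acceptance_rate(capacity, timeout, flood_per_tick, legit_per_tick=10, ticks=200):
    """Fraction of genuine connection attempts that succeed."""
    accepted, dropped = simulate_syn_backlog(
        capacity, timeout, flood_per_tick, legit_per_tick, ticks)
    return accepted / (accepted + dropped)


if __name__ == "__main__":
    # Baseline: small queue, long timeout -> 100 x 60 = 6000 > 1024, table fills.
    print("default queue/timeout :", acceptance_rate(1024, 60, 100))
    # Shorter timeout: 100 x 5 = 500 entries fit in the queue.
    print("shorter SYN timeout   :", acceptance_rate(1024, 5, 100))
    # Larger queue: 6000 entries fit in 8192 slots.
    print("larger half-open queue:", acceptance_rate(8192, 60, 100))
```

Read the three printed rates together: the flood itself is identical in all three runs, and only the server's own limits change. Either knob works as long as (flood rate x timeout) stays below the queue size; an attacker who simply sends faster defeats both, which is why the page later falls back on filtering at the gateway and the carrier.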

Classified by how the service is denied, the common types are as follows:

Network bandwidth consumption attacks: the DoS is caused by a flood of network service requests that occupy and exhaust bandwidth. A packet capture shows a huge number of packets on the wire, at or near the upper limit of what the link can carry. Generally you can reduce the risk of this kind of attack by adjusting the server configuration or by using QoS devices.

Generally, configurations on the server include:

· Disable unnecessary services

· Limit the number of simultaneous SYN half-open connections

· Shorten the timeout for SYN half-open connections

Configurations on the gateway device include:

Firewall

· Block access to services on hosts that are not meant to be public

· Limit the maximum number of simultaneously open SYN half-open connections

· Restrict access from specific IP addresses

· Enable the firewall's anti-DDoS features

· Strictly restrict external access to the servers that are exposed

Router

· Enable Cisco Express Forwarding (CEF)

· Use unicast reverse-path forwarding (uRPF)

· Access Control List (ACL) filtering

· Rate-limit SYN packet traffic

· Upgrade IOS images that are too old

· Set up a log server for the router

Generally the best place to defend against bandwidth-consuming DoS/DDoS is at the carrier. There the router verifies the source IP address of each packet against its routing table and discards the packet if no matching route is found, which goes a long way toward ensuring that forged packets never cross the Internet into the user's network. However, this check costs the router a great deal of forwarding performance, so it has not been widely deployed.
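The source-address check described in the paragraph above (the unicast reverse-path forwarding, or uRPF, listed among the router measures) is worked through here as an added example; it is not code from the original article. The routing table is a constructed one for a provider edge router with two customer ports and a default route towards the upstream. Strict mode requires that the best route back to the source points out the interface the packet arrived on; loose mode only requires that some route exists, which still catches unroutable sources. The model deliberately does not let the default route satisfy the check unless `allow_default` is set, since a default route would otherwise make every source "reachable".

```python
import ipaddress

# Constructed routing table of a provider edge router: (prefix, egress interface).
ROUTES = [
    ("192.0.2.0/24", "ge0/1"),     # customer A is connected on ge0/1
    ("198.51.100.0/24", "ge0/2"),  # customer B is connected on ge0/2
    ("0.0.0.0/0", "ge0/0"),        # default route towards the upstream
]


def best_route(addr, routes):
    """Longest-prefix match for addr. Returns (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        # 'in' is False for a different IP version, so v6 sources do not match v4 routes.
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_accept(src, ingress, routes=ROUTES, mode="strict", allow_default=False):
    """Reverse-path check on the *source* address of a packet.

    strict: the route back to src must leave via the ingress interface.
    loose : any route back to src is enough (drops only unroutable sources).
    A default route (/0) counts only when allow_default is True.
    """
    match = best_route(src, routes)
    if match is None:
        return False                      # no route back to the source at all
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route "knows" this source
    if mode == "strict":
        return iface == ingress
    if mode == "loose":
        return True
    raise ValueError("mode must be 'strict' or 'loose'")


def filter_packets(packets, **kw):
    """packets: iterable of (src, ingress). Returns [(src, ingress, verdict), ...]."""
    return [(s, i, "forward" if urpf_accept(s, i, **kw) else "drop")
            for s, i in packets]


# Constructed sample traffic: (source address, interface it arrived on).
SAMPLE = [
    ("192.0.2.10", "ge0/1"),      # customer A sending with its own address
    ("192.0.2.10", "ge0/2"),      # customer B spoofing customer A's address
    ("10.0.0.5", "ge0/2"),        # customer B spoofing an unrouted address
    ("203.0.113.7", "ge0/0"),     # traffic from the upstream, default route only
    ("2001:db8::1", "ge0/1"),     # IPv6 source with no v6 routes configured
]

if __name__ == "__main__":
    for row in filter_packets(SAMPLE, mode="strict"):
        print("strict", row)
    for row in filter_packets(SAMPLE, mode="loose"):
        print("loose ", row)
```

Note how the two modes differ on the spoofed packet from customer B: strict mode drops it because the route to 192.0.2.0/24 leaves via ge0/1, while loose mode forwards it because the prefix is routable. That is why the paragraph places this check at the carrier's customer-facing edge, where strict mode is meaningful; on the upstream-facing ge0/0 only the default route applies, and strict checking there would need `allow_default=True`.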

Resource depletion attacks: these exploit defects in packet processing so that the packets sent consume CPU time and other processing resources until the service fails. Network traffic is not large, but resource usage on the server is extremely high, for example 100% CPU. Jolt2.c is an attack of this kind.

Resource depletion attacks are comparatively easy to defend against: any device on the network path can stop them as long as it can recognise and discard malformed packets. Intrusion prevention products and even firewalls have this capability.
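As an added example of the "recognise and discard malformed packets" capability described above (not code from the original article, and not a reproduction of Jolt2 traffic), the validator below parses a raw IPv4 header and applies the fragment sanity checks a firewall or IPS typically performs: the fragment must not reassemble past the 65535-byte maximum datagram size, a non-final fragment's payload must be a multiple of 8 bytes, and the header and total length fields must be consistent with each other and with the captured bytes. The sample packets are constructed in the code with `build_ipv4`, a helper written for this example.

```python
import struct

IPV4_MAX_DATAGRAM = 65535
MF = 0x2000          # "More Fragments" flag in the flags/fragment-offset field
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in units of 8 bytes


def parse_ipv4(pkt):
    """Parse the fixed 20-byte IPv4 header into a dict (options are ignored)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": (ver_ihl & 0x0F) * 4,          # header length in bytes
        "total_len": total_len,
        "id": ident,
        "mf": bool(flags_off & MF),
        "offset": (flags_off & OFFSET_MASK) * 8,  # byte offset within datagram
        "proto": proto,
        "src": src,
        "dst": dst,
    }


def check_fragment(pkt):
    """Return None if the packet passes the sanity checks, else a reason to drop it."""
    try:
        h = parse_ipv4(pkt)
    except ValueError as err:
        return str(err)
    if h["version"] != 4:
        return "not IPv4"
    if h["ihl"] < 20 or h["total_len"] < h["ihl"]:
        return "bogus header/total length"
    if h["total_len"] > len(pkt):
        return "total length exceeds captured bytes"
    payload = h["total_len"] - h["ihl"]
    if h["offset"] + payload > IPV4_MAX_DATAGRAM:
        return "fragment would reassemble beyond 65535 bytes"
    if h["mf"] and payload % 8 != 0:
        return "non-final fragment payload not a multiple of 8"
    return None


def build_ipv4(payload_len, offset=0, more_fragments=False, ident=1):
    """Construct a minimal IPv4 packet with a zero payload (sample input, not a capture)."""
    total = 20 + payload_len
    flags_off = (MF if more_fragments else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident, flags_off,
                      64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + bytes(payload_len)


def filter_stream(packets):
    """Apply check_fragment to each packet; return (forwarded, dropped_reasons)."""
    forwarded, dropped = 0, []
    for pkt in packets:
        reason = check_fragment(pkt)
        if reason is None:
            forwarded += 1
        else:
            dropped.append(reason)
    return forwarded, dropped


# Constructed sample stream: one sane unfragmented packet, one sane fragment,
# then the malformed ones a filter should discard.
SAMPLE_STREAM = [
    build_ipv4(64),
    build_ipv4(64, offset=1480, more_fragments=True),
    build_ipv4(64, offset=65520),                      # reassembles past 65535
    build_ipv4(9, more_fragments=True),                # 9-byte non-final fragment
    b"\x45\x00",                                       # truncated header
]

if __name__ == "__main__":
    ok, reasons = filter_stream(SAMPLE_STREAM)
    print("forwarded:", ok)
    for r in reasons:
        print("dropped  :", r)
```

The oversize-offset case is the classic one: a 13-bit offset field allows a fragment to claim a position as far as 65528 bytes into the datagram, so a small fragment placed there forces the receiver to prepare a reassembly buffer larger than any legal IP datagram. The stateless checks here are cheap enough to run on every packet, which is what lets a firewall absorb this class of attack without itself becoming the resource that is exhausted.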

For some important websites, or during major events, failure of website access has very serious consequences. Bandwidth-consuming DoS attacks, especially those launched from large botnets, cannot be stopped outright. In that case the better countermeasure is to increase the capacity to serve: add bandwidth, raise computing performance, keep redundant backups and use load balancing. This is how the large portal sites commonly respond to the DoS threat.

Keeping the meridians clear is a matter of cultivation: regular exercise, a calm mood, qigong practice, food that promotes circulation and sustains qi, and prompt treatment of anything abnormal. Keeping a website from being denied service likewise takes work from several directions at once: more bandwidth, tuned network device policies, and timely handling of exceptions.
