How do Internet startups defend against DDoS attacks?

Wen/gashero

In the Shell Network Service has experienced multiple DDoS attacks. The despair of the mood, still vividly. The problem is not what you can do, but the computer room decides that you can't do anything.

Attackers are controlling a large enough distributed cluster to launch an attack, and all kinds of assorted packages will be available. Don't care what service you open, nor the patience to analyze what service you have. For example, even if you do not open any UDP services, but he is a large pile of UDP packets, to fill your bandwidth. What else can we do?

More than 10 years ago the OS was still unable to handle a large number of TCP concurrent connections, so there was a SYN flood attack in that era, a bunch of SYN packets trying to shake hands. Modern also has, the effect is not as good as before, but still can block the communication ability of the victim under the big flow.

The more realistic problem is that the total bandwidth of the machine room is limited. When your server IP segment is under attack, he will directly find the upper access provider will send you the package on the backbone of the lost. At this time although know oneself is being DDoS attack, but the attack packet did not go to the engine room, let alone server, so can only be guarding the server, no flow, wait.

Most of the upper-level access providers are monopoly state-owned enterprises, do not have the patience to do any deep cooperation with you, the direct loss of the package is the most simple and convenient method. At the same time, even if an attacker stops attacking at this point, you don't know. It is a day's process to want a higher-level access provider to restart the packet forwarding to you. Once the attack is discovered, it is lost.

When they were attacked in those years, they huoshaohuoliao to find a way. Try to deploy the Web site to the cloud computing platform, relying on the bandwidth redundancy provided by the other side to the top. It may even be just a fee for short-term bandwidth. At that time, the domestic cloud computing provider tried several, and ultimately refused us because there was not enough bandwidth to respond to the attack. They are all out of love for the shell network and free help, can do this step is also very difficult.

Some people mention attack weaknesses, and I feel that the attackers who really spend their energy trying to analyze them are rare. But most attacks do avoid some of the obvious attacks, such as a good point, such as the home page of many sites will be static, so the attack on the home page is not cost-effective. Images are too small for CPU consumption.

Several common weaknesses:

1, Login Certification

2. Comments

3, User dynamic

4, Ajax API

In short, suspected of writing database, linked table query, caching is a good target.

So, the answer is: there is no good way, wait patiently.

Read a few other answers to provide the program, analyzed separately:

1, spell bandwidth: or spell soft sister coins, this is not a little money can be done, the shell net when only bought less than 100M bandwidth, the early room of the total bandwidth is less than 40G, attack bandwidth has not seen less than 10G (computer room People later told me). Suppose a cheap computer room (certainly not northward wide deep), the bandwidth price is 100 yuan/m* month, the monthly peak billing. To buy 10G bandwidth to the top, the required monthly fee is 1 million, 1 million ...

2, Flow cleaning & IP: As mentioned above, to do so is the premise of the attack package to at least to your room. and the machine room self-protection measures led to the data packet can not get to the room, no solution

3, CDN Service: The modern CDN provider has not completed the Dynamic Web page acceleration technology, so the result is that you at best use CDN to keep the static homepage can be accessed, any other Dynamic Web site function can only hehe.