15 methods against DDoS attacks
This article mainly introduces 15 methods against DDoS attacks. There are two main types of DDoS attacks: bandwidth depletion attacks and resource depletion attacks. In order to effectively curb these two types of attacks, you can follow the steps listed in this article. For more information, see
To defend against DDoS (Distributed Denial of Service) attacks, you must have a clear understanding of what happens during an attack. In short, DDoS attacks are carried out by exploiting server vulnerabilities or by consuming server resources (such as memory and hard disks). There are two main types of DDoS attacks: bandwidth depletion attacks and resource depletion attacks. To effectively curb these two types of attacks, you can follow the steps listed below:
1. If only a few computers are the source of the attack and you have identified their IP addresses, you can place an ACL (Access Control List) on the firewall to block access from these IP addresses. If possible, change the IP address of the web server for a period of time. However, once an attacker queries your DNS server and resolves your new IP address, this measure is no longer effective.
2. If you are sure that the attack comes from a specific country, you can block IP addresses from that country, at least for a period of time.
3. Monitor inbound network traffic. In this way, you can know who is accessing your network, monitor abnormal visitors, and analyze logs and source IP addresses afterwards. Before large-scale attacks, attackers may use a small number of attacks to test the robustness of your network.
4. For bandwidth-consuming attacks, the most effective (and expensive) solution is to buy more bandwidth.
5. You can also use high-performance load-balancing software, use multiple servers, and deploy them in different data centers.
6. Protect DNS with the same policy, using load balancing for DNS just as you do for web and other resources.
7. Optimize resource usage to improve the load capacity of the web server. For example, on Apache you can install the ApacheBooster plug-in. This plug-in integrates with Varnish and Nginx to cope with sudden increases in traffic and memory usage.
8. Use highly scalable DNS devices to protect against DNS DDoS attacks. You can purchase a commercial Cloudflare solution that provides protection against DDoS attacks at the DNS level or at TCP/IP Layer 3 to Layer 7.
9. Enable the anti-IP-spoofing function of the router or firewall. This function is easier to configure on Cisco's ASA firewall than on a router. To enable it in ASDM (Cisco Adaptive Security Device Manager), click Firewall under Configuration, find Anti-Spoofing, and click Enable. You can also use an access control list (ACL) on the router to prevent IP spoofing. First, create an ACL for the internal network, then apply the ACL to the Internet-facing interface.
10. Use third-party services to protect your website. Many companies have such services that provide high-performance infrastructure to help you defend against DoS attacks. You only need to pay several hundred dollars per month.
11. Pay attention to server security configurations to avoid resource depletion DDoS attacks.
12. Follow the advice of experts to prepare emergency solutions for attacks in advance.
13. Monitor network and web traffic. You can configure multiple analysis tools, such as Statcounter and Google Analytics, to learn more about how traffic patterns change.
14. Protect DNS to avoid DNS amplification attacks.
15. Disable ICMP on the router. Enable ICMP only when testing is required. When configuring a router, you should also consider the following policies: traffic control, packet filtering, half-open connection timeouts, junk packet discard, discarding packets with spoofed source addresses, SYN thresholds, and disabling ICMP and UDP broadcasts.
Finally, learn more about the types and methods of DDoS attacks and develop an emergency plan for each type of attack.
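As an added example (not part of the original article), the following Python script ties steps 1 and 3 together: it reads web server access-log lines, computes each source IP's peak request count in a sliding window, and lists the addresses that are candidates for a firewall ACL. The common log format, the 10-second window, the thresholds, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')  # common log format prefix
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def peak_rates(lines, window=timedelta(seconds=10)):
    """Return {source_ip: highest request count in any sliding window}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line
        try:
            ip = str(ip_address(m.group(1)))
            ts = datetime.strptime(m.group(2), TS_FMT)
        except ValueError:
            continue  # malformed address or timestamp
        hits[ip].append(ts)
    peaks = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= window:
                start += 1  # drop requests that fell out of the window
            best = max(best, end - start + 1)
        peaks[ip] = best
    return peaks

def block_candidates(lines, threshold=20, allowlist=()):
    """Sources whose peak rate reaches the threshold, minus allowlisted ones."""
    return sorted(ip for ip, n in peak_rates(lines).items()
                  if n >= threshold and ip not in allowlist)

def sample_log():
    """Constructed sample lines using documentation addresses (RFC 5737)."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    def line(ip, offset):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S")
        return f'{ip} - - [{ts} +0000] "GET / HTTP/1.1" 200 512'
    flood = [line("198.51.100.7", i // 4) for i in range(40)]  # 4 req/s for 10 s
    probe = [line("192.0.2.15", 300 + i) for i in range(8)]    # short test burst
    normal = [line("203.0.113.9", i * 30) for i in range(5)]   # 1 request per 30 s
    return flood + probe + normal + ["not a log line"]

if __name__ == "__main__":
    print(block_candidates(sample_log()))               # sustained flood only
    print(block_candidates(sample_log(), threshold=5))  # also surfaces the probe
```

Lowering the threshold surfaces the short test burst that step 3 warns may precede a larger attack; the allowlist keeps known-good sources such as your own monitoring hosts out of the ACL.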