To combat DDoS (distributed denial of service) attacks, you need a clear understanding of what happens during an attack. In short, a DDoS attack is carried out either by exploiting vulnerabilities on the server or by exhausting its resources, such as memory and disk. There are two main types of DDoS attacks: bandwidth exhaustion attacks and resource exhaustion attacks. To contain both types effectively, you can follow the steps listed below:
1. If only a few computers are the source of the attack and you have identified their IP addresses, place an ACL (access control list) on the firewall to block access from those IPs. If possible, change the IP address of the web server for a period of time; however, if the attacker resolves your new IP by querying your DNS server, that measure is no longer effective.
2. If you are certain that the attack comes from a particular country, consider blocking IP ranges from that country, at least for a period of time.
3. Monitor incoming network traffic. This way you know who is accessing your network, can watch for abnormal visitors, and can analyze logs and source IPs afterwards. Before a large-scale attack, an attacker may launch a few small attacks to test the robustness of your network.
4. The most effective (and most expensive) solution to bandwidth-consuming attacks is to buy more bandwidth.
5. You can also use high-performance load balancing software, use multiple servers, and deploy them in different data centers.
6. While using load balancing for the web and other resources, apply the same policy to protect DNS.
7. Optimize resource use to improve the load capacity of the web server. For example, with Apache you can install the ApacheBooster plug-in, which integrates Varnish and Nginx to handle bursts of traffic and memory consumption.
8. Use highly scalable DNS devices to protect against DNS-based DDoS attacks. Consider buying a commercial solution such as Cloudflare, which can protect against DNS attacks and against DDoS attacks from layer 3 (TCP/IP) to layer 7.
9. Enable the anti-IP-spoofing feature on the router or firewall. It is more convenient to configure this on a Cisco ASA firewall than on a router. To enable it in ASDM (Cisco Adaptive Security Device Manager), click "Firewall" under "Configuration", find "Anti-Spoofing" and click Enable. You can also use ACLs (access control lists) on your router to prevent IP spoofing: first create ACLs for your internal network, then apply them to the Internet-facing interface.
10. Use third-party services to protect your site. A number of companies offer services with high-performance infrastructure to help you defend against denial of service attacks, typically for a few hundred dollars per month.
11. Pay attention to the security configuration of the server to avoid resource-exhaustion DDoS attacks.
12. Follow expert advice and prepare a contingency plan in advance so you can respond when an attack happens.
13. Monitor network and web traffic. If you can configure multiple analysis tools, such as StatCounter and Google Analytics, you can understand traffic patterns more intuitively and get more information from them.
14. Protect your DNS to avoid DNS amplification attacks.
15. Disable ICMP on the router, opening it only when testing requires it. Also consider the following policies when configuring routers: flow control, packet filtering, half-open connection timeouts, garbage packet discarding, discarding of packets with forged source addresses, SYN thresholds, and disabling ICMP and UDP broadcasts.
Finally, learn more about the types and methods of DDoS attacks and develop contingency plans for each type of attack.
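Steps 1 and 3 together describe one workflow: analyze the access log for abnormal source IPs, then block them with a firewall ACL. The script below is an added example, not code from the original article: it parses Apache-style access-log lines, finds source addresses whose request rate in any 60-second window reaches a threshold, and renders the result as ACL deny entries. The log lines are constructed, the threshold and window size are assumed parameters, and the ACL output uses Cisco IOS-style syntax purely for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in Apache common log format (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 512
198.51.100.23 - - [10/Mar/2024:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2024:12:00:10 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:12:00:20 +0000] "GET / HTTP/1.1" 200 512
192.0.2.5 - - [10/Mar/2024:12:00:31 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:12:00:33 +0000] "GET / HTTP/1.1" 200 512
this line is not a valid log record and is skipped
203.0.113.7 - - [10/Mar/2024:12:00:47 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:12:00:58 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:12:01:05 +0000] "GET / HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def peak_rate_per_source(log_text, window_seconds=60):
    """Return {ip: highest request count seen in any fixed-size time window}."""
    buckets = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log record; skip rather than crash
        ip, ts = m.group(1), datetime.strptime(m.group(2), TS_FMT)
        buckets[(ip, int(ts.timestamp()) // window_seconds)] += 1
    peaks = {}
    for (ip, _), count in buckets.items():
        peaks[ip] = max(peaks.get(ip, 0), count)
    return peaks

def suspicious_sources(log_text, threshold=5, window_seconds=60):
    """IPs whose peak rate reaches the threshold (assumed value), busiest first."""
    peaks = peak_rate_per_source(log_text, window_seconds)
    hits = [(ip, n) for ip, n in peaks.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))

def deny_acl_lines(sources, acl_id=101):
    """Render the block list as Cisco IOS-style numbered ACL entries (illustrative)."""
    return [f"access-list {acl_id} deny ip host {ip} any" for ip, _ in sources]

if __name__ == "__main__":
    flagged = suspicious_sources(SAMPLE_LOG)
    print(flagged)                          # [('203.0.113.7', 6)]
    print("\n".join(deny_acl_lines(flagged)))
```

Tune the threshold against your own baseline traffic before acting on the output; a legitimate proxy or NAT gateway can also produce many requests from a single address.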
15 ways to protect against DDoS attacks