A practical guide to defending against DDoS attacks hold your website _win server

One, why should DDoS?
With the increase of Internet network bandwidth and the continuous release of various DDoS hacker tools, DDoS attack is becoming more and more easy to implement. Out of commercial competition, retaliation and network blackmail and many other factors, resulting in a lot of IDC hosting rooms, business sites, game servers, chat networks and other network service providers have long been plagued by DDoS attacks, followed by customer complaints, with the virtual host users are implicated, legal disputes, business losses and a series of problems, Therefore, to solve the problem of DDoS attack is a network service provider must consider the first priority.
second, what is DDoS?
DDoS is the abbreviation of the English Distributed denial of service, meaning "distributed denial of service", then what is the denial of service (denial)? It can be understood that any behavior that causes legitimate users to not be able to access the normal network services is a denial of service attack. In other words, the purpose of the Denial-of-service attack is very clear, that is, to prevent legitimate users from accessing the normal network resources, so as to achieve the ulterior motives of the attackers. Although the same denial of service attack, however, DDoS and DOS are still different, DDoS attack strategy focused on many "zombie host" (by the attacker or indirect use of the host) to the victim host to send a large number of seemingly legitimate network packets, resulting in network congestion or server resources exhaustion caused by denial of service , once a distributed denial of service attack is implemented, attack network packets will flood into the victim host, so that the legitimate user's network packet sank, causing legitimate users can not normally access the server's network resources, therefore, denial of service attacks are called "flood attacks", the common means of DDoS attacks are SYN Flood, ACK Flood, UDP Flood, ICMP Flood, TCP Flood, Connections Flood, Script Flood, Proxy Flood, etc. While DOS focuses on the use of host-specific vulnerabilities caused by the network stack failure, system crashes, host crashes and can not provide normal network service functions, resulting in denial of service, common Dos attack means teardrop, land, Jolt, IGMP Nuker, Boink, Smurf, Bonk, OOB and so on. In terms of these two denial of service attacks, the main harm is mainly DDoS attacks, because it is difficult to prevent, as for Dos attacks, by patching the host server or install firewall software can be very good to prevent, after the text will specifically describe how to deal with DDoS attacks.
have you been DDoS?
There are two main types of DDoS manifestations, a kind of traffic attacks, mainly for network bandwidth attacks, that is, a large number of attack packets caused network bandwidth is blocked, the legitimate network packet was a false attack packet sank and could not reach the host, another for resource depletion attacks, mainly for server host attacks, This means that a large number of attack packets cause the memory of the host to be depleted or the CPU is occupied by the kernel and the application, which cannot provide network services.
How to determine if the site has suffered traffic attacks? Ping to test, if you find that ping timeout or packet loss is serious (assuming normal), you may suffer from traffic attacks, if found and your host on the same switch server can not access, the basic certainty is that the flow of attack. Of course, the premise of this test is that you go to the server host between the ICMP protocol is not blocked by routers and firewalls and other devices, otherwise you can take Telnet host server network service port to test, the effect is the same. But there is one thing to be sure, if you normally ping your host server and connected to the same switch on the host server is normal, all of a sudden ping did not pass or is a serious loss of packets, then if you can eliminate the network failure factors are certainly suffering from traffic attacks, and then a typical traffic attack is, Once a traffic attack occurs, it is found that connecting to the Web server with a remote terminal fails.
Relative to the traffic attack, resource depletion attacks to easily determine some, if peacetime ping site host and access to the site are normal, and found that suddenly the site visit is very slow or inaccessible, and ping can ping, it is likely to suffer from resource depletion attacks, at this time if the server with Netstat -na command observed a large number of syn_received, time_wait, fin_wait_1 and other states exist, and established very few, you can be determined to be a resource-exhausted attack. Another kind of resource exhaustion attack is that ping your own web site host ping or packet loss is serious, and Ping and its own host on the same switch on the server is normal, this is due to the site host after the attack caused the system kernel or some applications CPU utilization up to 100% Unable to respond to the ping command, in fact, there is still bandwidth, otherwise ping does not connect the host on the same switch.
There are currently three popular DDoS attacks:
1, Syn/ack flood attack: This attack method is the classic most effective DDoS method, can kill a variety of system network services, mainly by sending a large number of fake source IP and source port to the victim of the SYN or ACK packets, resulting in the host's cache resources are depleted or busy sending response packets caused by denial of service, Because the source is forged so it is difficult to track, the disadvantage is that the implementation of a certain degree of difficulty, the need for high bandwidth zombie host support. A small amount of this attack will cause the host server to be inaccessible, but can ping the pass, the Netstat-na command on the server will be observed a large number of syn_received state, a large number of such attacks will cause ping failure, TCP/IP stack failure, and will appear system solidification phenomenon , which does not respond to the keyboard and mouse. Most common firewalls cannot withstand this kind of attack.
2. TCP Full Connection Attack: This attack is to bypass the conventional firewall inspection and design, under normal circumstances, the conventional firewalls are mostly equipped with filtering teardrop, land and other Dos attacks, but for the normal TCP connection is spared, but many network services programs (such as: IIS, Apache and other Web servers can accept the number of TCP connections is limited, once a large number of TCP connections, even if it is normal, can lead to Web site access is very slow and even inaccessible, TCP full connection attack is through many zombie hosts constantly with the victim server to establish a large number of TCP connections, Until the server's memory and other resources are pulled across, resulting in denial of service, this attack is characterized by bypassing the general firewall protection to achieve the attack, the disadvantage is to find a lot of zombie hosts, and because the zombie host IP is exposed, so easy to be traced.
3, Brush script attack: This attack is mainly for the existence of ASP, JSP, PHP, CGI and other scripting programs, and call MSSQLServer, MySQLServer, Oracle and other databases of the Web site system design, characterized by a normal TCP connection with the server, and constantly to the script to submit queries, lists, such as a large number of resource-consuming database resources, typical of a small broad attack method. In general, the cost of submitting a GET or post instruction to the client is almost negligible, and the server may have to trace a record from tens of thousands of records to handle the request, a process that is expensive for resources, Common database servers rarely support hundreds of of simultaneous query execution, which is easy for the client, so the attacker can simply submit a query to the host server via proxy proxies, consuming server resources in minutes and causing a denial of service. Common phenomenon is that the site is slow, such as snail, ASP program invalidation, PHP connection database failure, database main program CPU high. This attack is characterized by a complete bypass of common firewall protection, easy to find some proxy proxy can be implemented to attack, the disadvantage is to deal with static pages only the effect of the site will be greatly compromised, and some proxies will expose the attacker's IP address.
four, how to resist DDoS?
Dealing with DDoS is a systematic project, it is not realistic to rely solely on a system or product to prevent DDoS, and it is certain that it is not possible to completely eliminate DDoS at present, but it is possible to protect against 90% of DDoS attacks by appropriate measures, based on cost overhead for both attack and defense, If the ability to defend against DDoS is increased by appropriate means, the cost of attacking an attacker is increased, so the vast majority of attackers will not be able to go on and give up, which is equivalent to successfully defending against DDoS attacks. The following is the author for many years to resist DDoS experience and suggestions, and you share!
1, the use of high-performance network equipment
First of all to ensure that network equipment can not become a bottleneck, so select routers, switches, hardware firewalls and other equipment when you should try to choose the well-known high reputation, good products. Then if there is a special relationship or agreement with the network provider is better, when a large number of attacks to ask them to do at the network point of traffic restrictions to combat certain types of DDoS attacks is very effective.
2, try to avoid the use of NAT
Whether it is a router or a hardware wall device, try to avoid using Network address translation NAT, because this technology will greatly reduce network communication capabilities, the reason is very simple, because NAT needs to return to the address, the conversion process needs to the network packet checksum calculation, so wasted a lot of CPU time , but there are times when you have to use NAT, there is no good way.
3, sufficient network bandwidth to ensure
Network bandwidth directly determines the ability to resist attacks, if only 10M bandwidth, no matter what measures are difficult to combat the current Synflood attack, at least to choose 100M of shared bandwidth, the best of course is hanging on the 1000M trunk. But what needs to be stressed is that the NIC on the host is 1000M does not mean that its network bandwidth is gigabit, if it is connected to the 100M switch, its actual bandwidth will not be more than 100M, and then the bandwidth of the 100M is not equal to the bandwidth of hundreds of megabytes, Because ISPs are likely to limit the actual bandwidth to 10M on the switch, this must be clear.
4, upgrade the host server hardware
In the context of the network bandwidth guarantee, please try to upgrade the hardware configuration, to effectively combat 100,000 SYN attack packets per second, the server configuration should be at least: P4 2.4G/DDR512M/SCSI-HD, the key role is the main CPU and memory, if there is a strong dual-CPU, then use it, Memory must select the high speed memory of the DDR hard drive to choose SCSI, do not only greedy IDE price is still enough cheap, otherwise it will pay high performance costs, and then the network card must choose 3COM or Intel and other brands, if Realtek or used in their own PC it.
5, the site into a static page
A lot of facts confirmed that the site as far as possible to make static pages, not only can greatly improve the ability to attack, but also to the hacker to bring a lot of trouble, at least up to now the overflow of HTML has not appeared, look at it! Sina, Sohu, NetEase and other portals are mainly static pages, if you do not need dynamic script calls, then put it to another separate host to go, free from the attack when the main server, of course, put some do not do database call script is still possible, in addition, It is best to deny the use of proxy access in scripts that need to invoke the database, as experience shows that 80% of your site's use of proxies is a malicious act.
6, enhance the operating system of the TCP/IP stack
Win2000 and Win2003 as the server operating system, itself has a certain ability to resist DDoS attacks, but the default state is not open, if opened can resist about 10,000 SYN attack packets, if not open then only can resist hundreds of, specifically how to open, Go to see Microsoft's article yourself!
Guidance/secmod109.mspx
Maybe some people will ask, then I use Linux and FreeBSD how to do? Very simple, follow this article to do it!
7, the installation of professional anti-DDoS firewall
8. Other defensive measures
The above seven countermeasures against DDoS recommendations, suitable for the vast majority of users with their own host, but if the above measures can still not solve the DDoS problem, there are some trouble, may need more investment, increase the number of servers and the use of DNS round patrol or load balancing technology, even need to buy seven-tier switch equipment So that the ability to attack DDoS attacks multiplied, as long as the investment depth enough, there will always be attackers to give up, then you succeed! ：）