Defending against denial-of-service attacks caused by additional traffic

Source: Internet
Author: User

A method currently circulating on the Internet uses additional access traffic to mount a denial-of-service attack. The attack needs only a file containing a few lines of code: every user who opens that file unknowingly generates dozens or even hundreds of requests to the target. Once the number of visitors to that file reaches a certain level, the load on the target becomes severe. Moreover, because the requests come from ordinary users, they cannot simply be blocked at the firewall. Such attacks are difficult to guard against, but they are by no means impossible to defend against. The defence methods are described below.
1. Use parameter transformation to protect the database update rate. Parameter transformation can be applied to dynamic pages that use a database or other file resources. For example, define a function Encrypt(id) that converts a numeric id into a string parameter, so that the page is requested as news.asp?Id=acehj; on the server, Decrypt(string) converts the string back to the id. It is then difficult for a client to forge a valid parameter for the page: when the page decodes the parameter, a verification code embedded in the string lets the server reject illegal requests, which prevents malicious access to the database and protects database access at the cost of a little CPU time. Look at the following examples and see whether you can guess the transformation: 139 <=> adkl, 110 <=> abba, 80 <=> hag, 201734567890 <=> abdfhjlnprjs.
See it? The code for Encrypt and Decrypt is as follows:
The following is a code snippet:
<%
' Encrypt: turn a numeric id into a string parameter.
' The digit d at position x becomes Chr(95 + x + d); a checksum
' character Chr(95 + (sum of digits Mod 26)) is appended at the end.
Function Encrypt(id)
    Dim StrR, Chk, x
    StrR = ""
    Chk = 0
    For x = 1 To Len(id)
        StrR = StrR & Chr(95 + x + CInt(Mid(id, x, 1)))
        Chk = Chk + CInt(Mid(id, x, 1))
    Next
    Chk = Chk Mod 26
    StrR = StrR & Chr(95 + Chk)
    Encrypt = StrR
End Function

' Decrypt: reverse the transformation and verify the checksum character.
' A parameter whose checksum does not match is rejected with an error.
Function Decrypt(str)
    Dim StrR, Chk, x, u
    StrR = ""
    Chk = 0
    For x = 1 To Len(str) - 1
        u = Asc(Mid(str, x, 1)) - x - 95
        StrR = StrR & u
        Chk = Chk + u
    Next
    Chk = Chk Mod 26
    If Right(str, 1) <> Chr(95 + Chk) Then
        Response.Write "verification error"
        Response.End
    End If
    Decrypt = StrR
End Function
%>


Calling Encrypt(1235) yields acehj. When Decrypt is given "aceh?", the correct result 1235 is returned only if ? is j; any other character produces the "verification error" response.
With this protection in place, the client requests news.asp?Id=acehj and cannot see that the actual id is 1235, and a randomly generated id cannot pass the verification step. An attacker therefore cannot use a tool to generate valid multi-threaded requests, which avoids a DoS caused by unauthorized requests exhausting database resources. In addition, SQL injection through this parameter is well protected against under such a scheme.
This is only demonstration code; the function can be improved in many ways:
1) Increase the strength of the transformation so that the function is less likely to be guessed from its outputs.
2) Apply the function to cookies as well, with corresponding changes to the cookie values, to make the defence harder to notice.
3) Include the client's IP address in the function. This not only strengthens the function but also prevents hotlinking: as soon as the IP address changes or the cookie and id are forged, the mismatch is detected immediately.
4) Include a timestamp in the function. This saves storage space on the server, because the server can recover the client information simply by decoding the string the client sends.
There are many ways to improve the program. Although it can protect the server in many respects, you must also pay attention to how it is used; the space saving mentioned in point 4, for example, has to be weighed against the extra computing time.
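As an added example (not the article's own code), the following Python sketch implements improvements 1, 3 and 4 together: a keyed HMAC replaces the guessable digit shift, the client IP is mixed into the tag, and a timestamp lets the server reject stale parameters. SECRET and TOKEN_TTL are assumed values chosen for the example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed server-side secret; in production load it from configuration.
SECRET = b"example-secret-key"
TOKEN_TTL = 300  # seconds a parameter stays valid


def _tag(payload: bytes, client_ip: str) -> bytes:
    """Keyed tag over id|timestamp plus the client IP (truncated to 16 bytes)."""
    return hmac.new(SECRET, payload + b"|" + client_ip.encode(), hashlib.sha256).digest()[:16]


def encrypt(article_id: int, client_ip: str, now: Optional[int] = None) -> str:
    """Build an opaque Id parameter bound to the client IP and a timestamp."""
    now = int(time.time()) if now is None else now
    payload = f"{article_id}|{now}".encode()
    # URL-safe base64 keeps the value usable directly in a query string.
    return base64.urlsafe_b64encode(payload + b"|" + _tag(payload, client_ip)).decode().rstrip("=")


def decrypt(token: str, client_ip: str, now: Optional[int] = None) -> Optional[int]:
    """Return the article id, or None if the token is forged, presented from
    another IP, or older than TOKEN_TTL (the page would then answer with
    its "verification error")."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        # id and timestamp are digit-only, so the tag keeps any '|' it contains.
        id_bytes, ts_bytes, tag = raw.split(b"|", 2)
        article_id, ts = int(id_bytes), int(ts_bytes)
    except (ValueError, TypeError):
        return None
    payload = f"{article_id}|{ts}".encode()
    if not hmac.compare_digest(tag, _tag(payload, client_ip)):
        return None  # forged, tampered, or issued to a different IP
    if not 0 <= now - ts <= TOKEN_TTL:
        return None  # expired (or clock skew into the future)
    return article_id
```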
2. Improve program efficiency at the code level to increase the server's capacity and reduce the chance of a successful DoS. Program code is critical: code that implements the same function can differ greatly in quality and efficiency. Here are two pieces of code that insert a record, for comparison:
Code 1
The following is a code snippet:
<%
Set Rs = Server.CreateObject("ADODB.Recordset")
SQL = "select * from users"
Rs.Open SQL, conn, 1, 3      ' loads the whole users table into a recordset
Rs.AddNew
Rs("username") = "TEST"
Rs("password") = "123456"
Rs.Update
Rs.Close
Set Rs = Nothing
%>
Code 2
<%
SQL = "insert into users (username, password) values ('test', '123456')"
conn.Execute SQL             ' a single INSERT statement; no recordset is needed
%>
The efficiency of Code 2 is far higher than that of Code 1, especially when the table is large or the operation is repeated many times. Code quality determines program quality, the number of clients the server can support, and the server's ability to withstand DDoS.
3. Restrict access from proxy users. Restricting proxy access can effectively prevent attackers from using tools such as CC to attack: it limits their use of proxies and increases the chance that they are exposed, so disabling proxy access reduces the likelihood of attack. The code for this can identify most proxy access; it can be modified as required and placed in conn.asp so that it takes effect on every page. Of course, proxies are a double-edged sword, and so is restricting them: disabling proxy access will also break normal access for some users, so consider carefully before using it.
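As an added example (not the article's conn.asp code), the following Python function applies the same check to the values an ASP page would read from Request.ServerVariables: it reports the proxy-related headers present and whether the forwarded client address disagrees with the socket peer, with an allow-list so that a trusted CDN or reverse proxy is not blocked. The header list is a constructed starting point, not an exhaustive one.

```python
# Header names that forwarding proxies commonly add, as they appear in
# ServerVariables after the HTTP_ prefix. Constructed list for this example.
PROXY_HEADERS = (
    "VIA",
    "X_FORWARDED_FOR",
    "X_FORWARDED",
    "FORWARDED_FOR",
    "FORWARDED",
    "PROXY_CONNECTION",
    "CLIENT_IP",
)


def proxy_indicators(server_vars: dict) -> list:
    """Return the reasons a request looks proxied, or [] if none.

    server_vars mimics the ASP Request.ServerVariables collection: keys are
    HTTP_<HEADER_NAME_WITH_UNDERSCORES> plus REMOTE_ADDR (the socket peer).
    """
    reasons = []
    for name in PROXY_HEADERS:
        value = server_vars.get("HTTP_" + name, "").strip()
        if value:
            reasons.append(f"{name}={value}")
    # A forwarded client address that differs from the peer means the request
    # was relayed; record it separately so logs show both addresses.
    peer = server_vars.get("REMOTE_ADDR", "")
    first_hop = server_vars.get("HTTP_X_FORWARDED_FOR", "").split(",")[0].strip()
    if first_hop and first_hop != peer:
        reasons.append(f"client {first_hop} differs from peer {peer}")
    return reasons


def should_block(server_vars: dict, allowed_peers: frozenset = frozenset()) -> bool:
    """Block proxied requests unless the peer is a trusted reverse proxy or CDN."""
    if server_vars.get("REMOTE_ADDR", "") in allowed_peers:
        return False
    return bool(proxy_indicators(server_vars))
```

Log the returned reasons rather than silently dropping the request, so that legitimate users behind corporate proxies can be identified and allow-listed.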
4. Use the HTTPS protocol. It brings many benefits, and the security of data transmission can be fully guaranteed. Because of the complexity of the HTTPS protocol, there are also few attacks against it. If HTTPS is run on a non-standard port, it can prevent essentially all proxy attacks and avoid multi-threaded downloads, reducing the server's load. However, because of that same complexity, server performance under HTTPS is lower than without it, and more is demanded of the client's computer.
5. Reduce the use of dynamic files and increase the use of static files. Dynamic pages offer rich content, implement many functions and save development time, but they also increase the consumption of server resources. Many large forums therefore generate static copies of popular posts, and many article systems also use static pages (for example, www.cnhacks.com) to increase the server's resistance to attacks.
6. Configure the firewall properly. A firewall can detect attacks effectively and defend against them actively, but if its anti-attack settings are unreasonable, the firewall may give out before the server does, and the root cause of the denial of service may then be the firewall itself.
7. Servers with the resources can use port redirection: port 80 is responsible only for redirecting the page, while the actual service port is chosen dynamically by the system and reached through the redirect on port 80.
8. For servers already under attack, the above methods can be used to defend against the attack while the service capacity of the server cluster is increased.
This article is written from the server's perspective; of course there are other aspects. Please point out any shortcomings, and you are welcome to visit http://www.cnhacks.com (Bounty Hunters) for technical exchange.
