Author: lonely swordsman
Yijian Xilai's note: I don't know how much money Alibaba Cloud Ice Shield has given the author. Haha.
Summary: With DDoS attacks becoming ever more widespread, this site invited our honorary technical consultant and network security expert, Mr. Lonely Swordsman, to write this article exclusively, drawing on his years of experience defending against DDoS. It explains what a Distributed Denial of Service (DDoS) attack is, describes the DDoS methods currently in use and how to tell whether you are under attack, and gives a comprehensive set of anti-DDoS measures grounded in real deployments. We hope it helps webmasters get out from under DDoS attacks as quickly as possible, and we welcome discussion of DDoS-related topics.
Keywords: DDoS, SYN flood, firewall
1. Why are there DDoS attacks?
With the growth of Internet bandwidth and the steady release of new DDoS tools, distributed denial-of-service attacks have become easier to mount and are on the rise. Driven by business competition, revenge, online extortion and similar motives, many network service providers, including IDC hosting rooms, commercial sites, game servers and chat networks, have long been plagued by DDoS, which brings customer complaints, disputes with virtual-hosting customers, legal conflicts and business losses in its wake. Dealing with DDoS attacks has therefore become a top priority for service providers.
2. What is DDoS?
DDoS stands for Distributed Denial of Service. What is denial of service? Any behaviour that prevents legitimate users from accessing a normal network service can be understood as a denial-of-service attack; the attacker's aim is to keep legitimate users from reaching the network resource they need and thereby achieve some ulterior goal. DDoS and DoS are both denial-of-service attacks, but they differ. A DDoS attack relies on a large number of "zombie hosts" (machines the attacker has compromised or can otherwise use indirectly) to send the victim a flood of seemingly valid network packets, congesting its network or exhausting its server resources until it can no longer serve. Once a DDoS attack is launched, attack packets pour onto the victim like a flood and drown out the packets of legitimate users, so that those users can no longer reach the server; for this reason DDoS attacks are also called "flood attacks". Common DDoS attacks include SYN Flood, ACK Flood, UDP Flood, ICMP Flood, TCP Flood, Connection Flood, Script Flood and Proxy Flood. A DoS attack, by contrast, targets a specific vulnerability in the host itself so that the network stack fails, the system crashes or the host hangs; common DoS attacks include TearDrop, Land, Jolt, IGMP Nuker, Boink, Smurf, Bonk and OOB. Of the two, DDoS is the more harmful and the harder to prevent; plain DoS attacks can largely be stopped by patching the host or installing firewall software.
3. Have you been hit by DDoS?
DDoS attacks fall into two main categories. The first is the traffic (bandwidth) attack, aimed at the network link: a huge number of attack packets saturate the bandwidth, so that legitimate packets are drowned in bogus ones and never reach the host. The second is the resource-depletion attack, aimed at the server itself: the flood of packets exhausts the host's memory or pins its CPU in the kernel and applications, so the host can no longer provide network service.
How do you tell whether a site is under a traffic attack? Ping the server: if pings that normally succeed start timing out or losing packets heavily, a traffic attack is possible, and if the servers that sit on the same switch as your host also cannot be reached, you can be fairly sure the bandwidth is being flooded. This test assumes that ICMP between you and the host is not blocked by routers, firewalls or other devices; if it is, telnet to the host's service port instead and the result is the same. What is certain is that if pings to your host and to the other hosts on the same switch normally succeed and suddenly fail or lose packets badly, and a network fault can be ruled out, you are under a traffic attack. Another typical symptom is that remote administration connections to the server fail once the attack starts.
Resource-depletion attacks are easier to diagnose than traffic attacks. If pinging the host still works but the site is very slow or cannot be accessed at all, a resource-depletion attack is likely. Run netstat -na on the server: a large number of sockets in SYN_RECEIVED, TIME_WAIT, FIN_WAIT_1 and similar states alongside very few in ESTABLISHED confirms it. A second form of resource depletion looks different: pings to your host fail or lose packets heavily while pings to a server on the same switch are normal. This happens because once the host is under attack and its CPU is at 100%, the kernel or some application can no longer answer ICMP; bandwidth is in fact still available, otherwise the neighbouring host would be unreachable too.
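The netstat -na check above is easy to automate. The following is an added example, not code from the article: it parses netstat output, counts TCP states, and applies the rule of thumb given here (many half-open or tear-down sockets and few ESTABLISHED ones). The netstat text it runs on is constructed for the example, the addresses are from documentation ranges, and the threshold of five suspicious sockets is an assumption chosen for the sample; on a real server you would tune it to your normal connection counts.

```python
"""Classify a host's TCP state table from `netstat -na` output.
Added example; the sample below is constructed, not captured from a real host."""
import re
from collections import Counter

# Constructed sample in the column layout of Windows `netstat -na`.
# The addresses are made up (documentation ranges), as is the state mix.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:40211     ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.4:1025       SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.77:1026      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.9:1027       SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.12:1028      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.13:1029      SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.21:5530     TIME_WAIT
  TCP    192.0.2.10:80          198.51.100.22:5531     TIME_WAIT
  UDP    0.0.0.0:53             *:*
"""

# Half-open sockets (SYN_RECEIVED on Windows, SYN_RECV on Linux) and the
# tear-down states the article names as symptoms of resource depletion.
HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV"}
TEARDOWN = {"TIME_WAIT", "FIN_WAIT_1", "FIN_WAIT1", "FIN_WAIT_2", "FIN_WAIT2",
            "CLOSE_WAIT", "LAST_ACK"}

# One TCP row: local address, foreign address, state.  UDP rows and the
# header lines do not match and are skipped.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_0-9]+)\s*$")


def parse_states(netstat_text):
    """Return (Counter of TCP states, Counter of foreign IPs holding half-open sockets)."""
    states = Counter()
    half_open_sources = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _local, foreign, state = m.groups()
        states[state] += 1
        if state in HALF_OPEN:
            # rsplit on the last colon keeps IPv6 forms such as [::1]:80 intact.
            half_open_sources[foreign.rsplit(":", 1)[0]] += 1
    return states, half_open_sources


def classify(netstat_text, min_suspicious=5):
    """Apply the article's rule of thumb to one netstat snapshot.

    min_suspicious (assumed threshold) is how many half-open or tear-down
    sockets must be present before the snapshot is treated as abnormal."""
    states, sources = parse_states(netstat_text)
    half_open = sum(states[s] for s in HALF_OPEN)
    teardown = sum(states[s] for s in TEARDOWN)
    established = states["ESTABLISHED"]
    if half_open >= min_suspicious and half_open > established:
        # One half-open socket per distinct source, none of which completes
        # the handshake, is the signature of forged-source SYNs rather than
        # of a single slow client.
        spoofed = len(sources) == half_open
        return "syn_flood_suspected" + ("_spoofed_sources" if spoofed else "")
    if teardown >= min_suspicious and teardown > established:
        return "connection_exhaustion_suspected"
    return "normal"


if __name__ == "__main__":
    counts, _ = parse_states(SAMPLE_NETSTAT)
    print(dict(counts))
    print(classify(SAMPLE_NETSTAT))
```

Feed it the real output of netstat -na (for example netstat -na > snapshot.txt, then classify(open("snapshot.txt").read())), and compare against a snapshot taken when the server was healthy; the absolute counts matter less than the ratio of half-open and tear-down sockets to ESTABLISHED ones.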
Three DDoS attack methods are currently popular:
1. SYN/ACK flood: the most effective and classic DDoS method, capable of taking down network services on almost any system. A large number of SYN or ACK packets with forged source addresses are sent to the victim, which exhausts its connection cache (the table of half-open connections) or keeps it busy sending responses, resulting in denial of service; because the sources are forged, tracing them is hard. The drawback is that it is harder to carry out and needs a botnet with substantial bandwidth. A moderate flood makes the server's services unreachable while the host can still be pinged, and netstat -na on the server shows a large number of SYN_RECEIVED sockets; a heavy flood makes ping fail, breaks the TCP/IP stack and freezes the system so that it no longer responds to keyboard or mouse. Most ordinary firewalls cannot defend against this attack.
2. TCP full-connection attack: designed to bypass the inspection of conventional firewalls. Ordinary firewalls can usually filter DoS attacks such as TearDrop and Land, but they pass normal TCP connections through, and many network service programs (IIS, Apache and other web servers) can accept only a limited number of TCP connections. Once a large number of connections exist, even normal visits to the site become very slow or impossible. In a full-connection attack, many zombie hosts keep establishing large numbers of complete TCP connections with the victim server until its memory and other resources are exhausted and it is dragged down, producing a DoS. Its strength is that it bypasses ordinary firewall protection; its weakness is that it needs many zombie hosts, and because each zombie's real IP address is exposed, it is easy to track.
3. Script-based attack: aimed at sites that run ASP, JSP, PHP, CGI or other scripts and call databases such as MS SQL Server, MySQL or Oracle. The attacker establishes normal TCP connections with the server and keeps submitting queries, listings and other calls that consume large amounts of database resources. The attack is asymmetric: submitting a GET or POST costs the client almost nothing in CPU or bandwidth, while the server may have to search tens of thousands of records to answer it, and ordinary database servers cannot run hundreds of such queries at once. An attacker therefore only needs to push a large volume of queries at the host through proxies, and within minutes the server's resources are consumed and service is denied. Common symptoms are a site that crawls, ASP program failures, PHP database connection failures and high CPU usage by the database process. This attack completely bypasses ordinary firewall protection and can be launched through proxies that are easy to find; its drawbacks are that it is far less effective against sites made of static pages, and that some proxies reveal the attacker's IP address.
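The SYN flood in item 1 works because a conventional stack allocates a half-open connection entry for every SYN it answers, and forged sources never complete the handshake to free those entries. The following added example (not code from the article, and not a description of any particular operating system's implementation) shows the stateless alternative, a simplified SYN-cookie scheme modelled on Bernstein's SYN cookies: the server encodes everything it needs into the sequence number of its SYN-ACK and only allocates state when a valid final ACK comes back. The 32-bit layout (5-bit time counter, 3-bit MSS index, 24-bit keyed MAC), the MSS table and the secret are assumptions of this example.

```python
"""Simplified SYN cookies: answer SYNs without keeping per-SYN state.
Added example; layout, MSS table and secret are assumptions."""
import hashlib
import hmac
import struct

SECRET = b"per-host secret, rotated periodically"   # assumed value
# Only a 3-bit index fits in the cookie, so the client's MSS is rounded
# down to one of these values (assumed table).
MSS_TABLE = (536, 1300, 1440, 1460)
TICK = 64  # seconds per step of the 5-bit time counter


def _mac(src_ip, src_port, dst_ip, dst_port, counter, mss_idx):
    """24-bit keyed MAC over the 4-tuple, time counter and MSS index."""
    msg = struct.pack("!4sH4sHIB", src_ip, src_port, dst_ip, dst_port, counter, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Server ISN to put in the SYN-ACK.  Nothing is stored for this SYN:
    the cookie itself is the only record that it was ever seen."""
    counter = (now // TICK) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    cookie = ((counter << 27) | (mss_idx << 24)
              | _mac(src_ip, src_port, dst_ip, dst_port, counter, mss_idx))
    # Adding the client ISN makes the server ISN look like an ordinary one.
    return (client_isn + cookie) & 0xFFFFFFFF


def check_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack, now,
                 max_age_ticks=2):
    """Validate the handshake's final ACK (ack == server ISN + 1).

    Returns the negotiated MSS if the cookie was minted by us, for this
    4-tuple, within max_age_ticks; otherwise None and the ACK is dropped.
    Only on success does the server create a connection entry."""
    cookie = (ack - 1 - client_isn) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    age = (((now // TICK) & 0x1F) - counter) & 0x1F
    if age > max_age_ticks or mss_idx >= len(MSS_TABLE):
        return None
    if mac != _mac(src_ip, src_port, dst_ip, dst_port, counter, mss_idx):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    client, server = bytes([203, 0, 113, 4]), bytes([192, 0, 2, 10])
    isn = 0x12345678
    server_isn = make_cookie(client, 1025, server, 80, isn, 1460, now=1_000_000)
    ack = (server_isn + 1) & 0xFFFFFFFF
    print("legitimate ACK ->", check_cookie(client, 1025, server, 80, isn, ack, now=1_000_010))
    print("stale ACK      ->", check_cookie(client, 1025, server, 80, isn, ack, now=1_000_000 + 3 * TICK))
```

A forged-source flood of a million SYNs costs this server a million SYN-ACKs of outbound bandwidth and CPU for the MACs, but no memory, which is why cookies address the "cache exhausted" failure and not the bandwidth-saturation one. The price is that TCP options sent only in the SYN (window scaling, SACK) are not remembered, so stacks that implement cookies normally switch them on only once the half-open table is full.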
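Items 2 and 3 both succeed because the server lets any single source open as many connections and fire as many expensive queries as it likes. The following is an added example, not code from the article: a per-source limiter that caps concurrent TCP connections per client IP and puts a token-bucket budget on requests to expensive script URLs, so that a few hundred zombies or proxies have to be many times more numerous to exhaust the server. The limits, the list of "expensive" path prefixes and the sample traffic are assumptions of the example; a real deployment would tune them from its own traffic.

```python
"""Per-source limits against full-connection and script-based attacks.
Added example; thresholds and path prefixes are assumed values."""
from collections import defaultdict


class SourceLimiter:
    """Two independent budgets keyed on the client IP the server sees.

    - max_conns_per_ip: concurrent TCP connections one source may hold.
    - expensive_rate / expensive_burst: token bucket for requests whose
      path starts with one of expensive_prefixes (the scripts that hit
      the database); cheap/static paths are not budgeted at all."""

    def __init__(self, max_conns_per_ip=20, expensive_rate=2.0,
                 expensive_burst=5, expensive_prefixes=("/search", "/list")):
        self.max_conns = max_conns_per_ip
        self.rate = float(expensive_rate)       # tokens added per second
        self.burst = float(expensive_burst)     # bucket capacity
        self.expensive = tuple(expensive_prefixes)
        self.conns = defaultdict(int)           # ip -> open connection count
        self.buckets = {}                       # ip -> (tokens, last_refill_time)

    def connection_opened(self, ip):
        """Call on accept(). False means: close this connection at once,
        the source already holds its quota (full-connection defence)."""
        if self.conns[ip] >= self.max_conns:
            return False
        self.conns[ip] += 1
        return True

    def connection_closed(self, ip):
        if self.conns[ip] > 0:
            self.conns[ip] -= 1

    def request_allowed(self, ip, path, now):
        """Call before dispatching a request to a script.  False means:
        answer with an error page without touching the database."""
        if not path.startswith(self.expensive):
            return True
        tokens, last = self.buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self.buckets[ip] = (tokens, now)
            return False
        self.buckets[ip] = (tokens - 1.0, now)
        return True


def replay(limiter, events):
    """Run a constructed event trace through the limiter and return the
    list of decisions.  Events: ("open", ip), ("close", ip) or
    ("req", ip, path, time)."""
    decisions = []
    for ev in events:
        if ev[0] == "open":
            decisions.append(limiter.connection_opened(ev[1]))
        elif ev[0] == "close":
            limiter.connection_closed(ev[1])
            decisions.append(True)
        else:
            decisions.append(limiter.request_allowed(ev[1], ev[2], ev[3]))
    return decisions


if __name__ == "__main__":
    lim = SourceLimiter(max_conns_per_ip=3, expensive_rate=1.0, expensive_burst=2)
    # Constructed trace: one zombie opening four connections, then one
    # proxy hammering the search script.
    trace = [("open", "203.0.113.5")] * 4 + [
        ("req", "198.51.100.9", "/index.html", 0.0),
        ("req", "198.51.100.9", "/search?q=a", 0.0),
        ("req", "198.51.100.9", "/search?q=b", 0.0),
        ("req", "198.51.100.9", "/search?q=c", 0.0),
        ("req", "198.51.100.9", "/search?q=d", 1.0),
    ]
    print(replay(lim, trace))
```

Key the limiter on the peer address of the TCP connection, not on an X-Forwarded-For header, since the proxies the article mentions will happily let an attacker set that header to anything. Caps like these do not stop a determined botnet, but they turn "a few hundred zombies" into "a few hundred zombies times the per-source quota", which is exactly the cost increase section 4 argues for.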
4. How to defend against DDoS attacks?
Anti-DDoS is systems engineering: no single system or product can stop DDoS on its own, and preventing it completely is impossible, but sensible measures can defend against roughly 90% of attacks. Attack and defence both have a cost, so every measure that strengthens your DDoS resistance raises the attacker's cost, and most attackers will not be able to keep it up and will give up, which amounts to a successful defence. The following are my experience and suggestions from years of defending against DDoS.
1. Use high-performance network devices
First, make sure that the network devices do not become the bottleneck: when choosing routers, switches, hardware firewalls and similar equipment, pick reputable, well-regarded products. It also helps greatly to have a special relationship or agreement with your network provider: when a large attack arrives, asking them to rate-limit the traffic at their network edge is very effective against some kinds of DDoS.
2. Avoid NAT where possible
On routers and hardware firewalls alike, avoid network address translation (NAT) where you can, because it significantly reduces throughput. The reason is simple: NAT must rewrite addresses in both directions and recompute packet checksums during the rewrite, which costs a great deal of CPU time. If NAT is unavoidable, there is no good way around this.
3. Ensure adequate network bandwidth
Network bandwidth directly determines how much attack you can absorb. With only 10 Mbps, no measure will hold off a current SYN flood; you should buy considerably more shared bandwidth than that, and ideally sit on a high-capacity trunk. Be aware, though, that a Gigabit NIC in the host does not mean Gigabit bandwidth: plugged into a 100 Mbps switch it gets no more than 100 Mbps, and being connected at 100 Mbps does not guarantee 100 Mbps either, because the service provider may well cap the actual bandwidth at 10 Mbps on the switch. Clarify this with the provider.
4. Upgrade the server hardware
With bandwidth assured, raise the hardware configuration as far as you can. To handle 100,000 SYN attack packets per second effectively, the server should be at least a P4 2.4 GHz with 512 MB DDR and a SCSI disk; CPU and memory matter most. If you can get a strong dual-CPU machine, use it. Memory must be high-speed DDR, and the disk should be SCSI if at all possible: do not pick IDE just because it is cheap, or you will pay for it in performance. The NIC should be a brand-name part such as 3Com or Intel; a Realtek NIC belongs in your own PC.
5. Make the website static
Experience has shown many times over that making a website consist of static pages as far as possible not only greatly improves its resistance to attack but also makes it much harder for hackers to break in; at least so far, no overflow vulnerability in serving plain HTML has surfaced. Look at the portals: Sina, Sohu and Netease are mostly static pages.