Experience on website anti-DDOS protection for Old Boys

The old boy was busy recently because he wanted to train students and correct his homework. He had to write books and videos frequently. He had a bad idea. He was invited by a friend to participate in a forum, after a while, I would like to share some of my thoughts on DDOS attacks. If you are interested in in-depth discussions, contact me. Okay, enable the following:
 
1. To defend against DDOS attacks, you must understand DDOS technology. Such as: DDOS principles, attack types, attack software, attack characteristics, detection and protection software and solutions. As an O & M personnel, you should have some knowledge in this area before you begin to learn or participate in organizational training. If not, read this article carefully. Digress: When the apprentice is about to go down the hill, the master must at least tell the sinister things and rules of the rivers and lakes! This is what old boys must talk about before they start to work during linux training. --- The content in this article is called "know and know ".
 
2. Perform a DDOS stress test on the website. Perform appropriate common DDOS stress tests on your website like normal stress tests at work (during periods of low access), and then use detection tools to find vulnerabilities in the website architecture, optimize and make up for them, the old boy calls it a "military drill" (Database, storage, and other backups must actually be used for recovery simulation drills, as is the case for High Availability of Server Load balancer ). Only by taking precautions and simulating practical drills at ordinary times can the problem be solved calmly. As O & M personnel, we should fully consider these issues and solve the problems from various aspects. We do not rule out applying for funds from the company and purchasing the armed equipment O & M department.
 
3. if you choose a data center with good reputation, good service, and better security protection, your data center has its own high price. This must be instilled in the old idea, so don't stop buying cheap data centers, in fact, the general direction can be said to be the company's business considerations. A small aspect can be understood as your own exemption from problems in the future. In addition, when you select an IDC, you can talk about these things when you purchase the bandwidth of the IDC. Are there firewall and power redundancy equipment, can temporary emergency problems help us (for example, temporarily increasing the bandwidth from 1000 M to M ). There are also some related questions, which are tricky here. It is better to refer to the experience of the veteran.
 
4. The website architecture should be deployed without a single point of time for High Availability of clusters, and multiple caches should be set up at the front and back ends. Internet cache is everywhere (either in the website architecture or on hardware devices ). --- The content in this article is called "to make cache everywhere ".
 
5. the system (including web and db) has its own optimization and Security Configuration. If you do not need to change the configuration to, the 10-ton car must be marked with goods capable of loading 20 tons. If the 20-ton car comes, the car will change to scrap iron directly. There must be a limit on the number of server service connections, so that the server will not be overwhelmed by large attack traffic and it will not be too slow. You can check the problem on the connection. --- In this article, old boys call it "quantitative ".
 
6. at ordinary times, we reserve resources that can support sudden increases of more than 30% of traffic, including bandwidth, servers, and architecture concurrency capacity. To speak through data. Everyone can observe that the sharing of portal friends is based on data and can be analyzed in a qualitative and quantitative manner. In fact, this is the basic knowledge of project management. Risk Control is not only reflected here, but also involves risk control in all aspects of human affairs, such as dating with beautiful women, from to, we have to calculate the time of traffic jams and so on. --- In this article, old boys call it "Confidant ".
 
7. website architecture optimization (the old boy posted a 7-layer architecture optimization idea and used cache, such as WEB and DB cache content). For details, refer to the old boy's blog post (illustrated ): how can we achieve high concurrent Website access? Http://oldboy.blog.51cto.com/2561410/615721
 
8. Put more content or content on CDN. Ask "tiger" for help! For example, you can add the www.etiantian.org homepage, second-level navigation page, and other static pages to cdn, JS, CSS, images, and videos. Of course, this requires a good website architecture similar to the seven points. --- The content of this article is called by the old boy "!
 
9. Companies with funds for traffic can use DNS to implement cross-IDC policies. If they cannot beat them, they can run. CDN companies often suffer from dozens of Gbit/s of traffic attacks, and the entire data center may crash. What should I do? Switch and distribute services and schedule resources. Digress: when a senior website architect maintains a website, it feels like the Chairman was strategizing thousands of miles away. It is really a sense of accomplishment! Switch services internally, switch data centers, and divert large-sized enemies to break through small-sized shares, and then divert them again! --- In this article, the old boy calls it the plan, which is the best strategy "!
 
10. Hardware and Software Protection. Apache and nginx have corresponding anti-DDOS modules, iptables, and limits the concurrency, traffic, syn, and some attacks of a single IP address. Hardware anti-DDOS firewall black hole and yundun can be used. (here, we should be careful not to cheat or offend security vendors. For example, if you try a device and then have no reason not to buy it, the negative effects of many problems are inadvertently buried ). Digress: It is not what the company sees, nor what we expect, to save money and maintain websites without spending money. It is perfect to spend money to do a good job.
 
11. Keep all kinds of attack evidence and logs. If possible, 110 alarms will be triggered, and large-scale attacks will not be useless. Industry Competition, malicious competition, and extortion all have cases. These auxiliary means can not wait to die after the alarm, or rely on 110 to solve the problem. At present, many attacks are still difficult to solve by law. We hope they will be better in the future.
 
12. Do not post aggressive and conspicuous comments in groups, forums, and blogs. In particular, the company's address and other information cannot be exposed.
 
13. In the event of a DDOS attack, do not take the initiative to report to the leadership immediately, and seek more resource assistance. Many O & M personnel have this problem.
 
14. there are many suspected DDOS attacks, such as server poisoning outbound traffic. CDN switches to the data center and data center to catch data and steal the content chain (once a day, 1-2 images ran 20 TB of traffic, A judgment method is required. For example, if a patient has caught a cold and is not treated with SARS, it is estimated that a good patient may be cured. Many suspected DDOS attacks can be solved in a short time. The key is how to quickly determine the attack source and type, this is what O & M personnel need to improve (in terms of their own capabilities and O & M awareness ).
 
15. I usually interact with some O & M experts and cool people around you. When a problem occurs, a single phone call may solve the problem that you cannot solve for half a day. Old Boys often receive various help calls from IT friends! These include the help of DDOS attacks and suspected DDOS attacks. Do not block yourself as a king. You should build your own cars with closed doors and isolate yourself! Low-handed, medium-handed, Master are all the same, old boys are no exception! Threesome!
 
16. Learn about "yourself" and learn how to develop strengths and circumvent weaknesses. A website with a good architecture is actually vulnerable. We need to hide vulnerabilities, such as bbs search pages for common websites and dynamically and directly calling database and stored program addresses. If vulnerabilities are discovered, hackers can make the website fatal at a low cost. There are many examples in the animal world.
 
17. In ancient times, we talked about changing the color of cancer. In our Internet world, we talked about changing the color of DDOS. Many of my friends have said, "If DDOS attacks cannot be prevented, it will be discouraged "! The old boy wants to say that there is only something unexpected and there is nothing that can't be done! As O & M personnel, we must first do our best to ourselves. The protection is well optimized, and the reminder is sent to the boss. Think about problems in advance, make solutions suitable for your company, and select equipment from the data center. Let the boss pick up their ideas. In this way, the problem is not your problem. You should do it, And the reminder (not verbal) appears in the form of a solution. It is best to send professional solutions to the boss and related core technologies. Otherwise, the boss will not recognize the account.
 
In fact, although DDOS is common, there are not many real threats. Therefore, we ask readers not to be vulnerable to DDOS attacks. You can do it yourself.