DDoS attacks and prevention

Attack methods and principles:

1 by forging IP addresses

2 vulnerability via TCP connection I'm connected.

3 Large requests for ICMP

Prevention

1) Regular scan
Periodically scan existing network master nodes to inventory possible security vulnerabilities and clean up new vulnerabilities in a timely manner. Because of the high bandwidth, the computer of the backbone node is the best place for hackers to take advantage of, so it is very important for these hosts to strengthen the host security. and connecting to the network master node is a server-level computer, so it becomes more important to periodically scan for vulnerabilities.

(2) Configure the firewall at the backbone node.
The firewall itself protects against DDoS attacks and other attacks. When the attack is discovered, the attack can be directed to some sacrificial hosts, which will protect the real host from attack. Of course, these sacrificial hosts can choose unimportant, or Linux and UNIX and other vulnerabilities and inherently prevent attacks excellent system.

(3) use enough machines to withstand hacking attacks
This is a more ideal coping strategy. If the user has sufficient capacity and sufficient resources to the hacker attack, in its constant access to users, seize the user resources, their own energy is gradually lost, perhaps not waiting for users to be attacked, hackers have been unable to give a weapon. However, this method needs to invest more money, usually most of the equipment in the idle state, and the current small and medium-sized enterprises network actual operation of the situation does not match.

(4) Make full use of network equipment to protect network resources ( do a fake let others attack )
The so-called network equipment refers to routers, firewalls and other load balancing devices, they can effectively protect the network. When the network is attacked, the first to die is the router, but the other machines are not dead. The dead router will return to normal after the reboot, and start up quickly, there is no loss. If other servers die, the data is lost, and restarting the server is a lengthy process. In particular, a company uses a load-balancing device so that when one router crashes, the other one will work immediately. This minimizes DDoS attacks.

(5) filtering unnecessary services and ports
You can use tools such as Inexpress, Express, forwarding, and so on to filter out unnecessary services and ports, that is, filtering fake IPs on routers. For example, Cisco's CEF (Cisco Express Forwarding) can be compared and filtered for packet source IP and routing table. Opening a service port only becomes a popular practice for many servers today, such as the WWW server opening only 80 and shutting down all other ports or blocking policies on the firewall.

(6) Check the source of your visitors
Use the unicast Reverse Path forwarding to check if the IP address of the visitor is true and, if it is false, it will be masked by a reverse router query method. Many hacking attacks often confuse users with fake IP addresses, and it's hard to find out where it comes from. Therefore, the use of unicast Reverse Path forwarding can reduce the emergence of fake IP addresses and help improve network security.

(7) filter all RFC1918 IP addresses
The RFC1918 IP address is the IP address of the intranet, such as 10.0.0.0, 192.168.0.0, and 172.16.0.0, which are not fixed IP addresses for a network segment, but are reserved regional IP addresses within the Internet and should be filtered out. This approach does not filter the access of internal employees, but it will also reduce the number of fake internal IP filters that are forged during the attack, which can mitigate DDoS attacks.

(8) Limit syn/icmp traffic (keep it up for a long time)
The user should configure SYN/ICMP maximum traffic on the router to limit the maximum bandwidth that the SYN/ICMP packet can occupy, so that when a large number of SYN/ICMP traffic exceeds the limit, the description is not normal network access, but a hacker intrusion. Early by restricting syn/icmp traffic is the best way to prevent DOS, although the current method for DDoS effect is not obvious, but still can play a role.

DDoS attacks and prevention