Denial of Service Attacks

DDoS attacks, so far without a particularly perfect solution

DDOS distributed denial of service, full name distributed denial of service.

Simply speaking is an attack of exhaustion of resources, the system as long as the "limited" resources, can be unlimited abuse, resulting in normal users can not be used.

Network layer:

TCP three handshake, when a forged request does not make the last ACK acknowledgement, the server retries and waits for a SYN time to discard the request after a timeout.

A large number of such requests would deplete the server resources, resulting in a normal request being unresponsive.

Anti-Syn flood method, 1syn cookies 2syn Proxy 3 can set the SYN time to shorter

1, syn cookies, for each IP assigned a cookie, and statistics of each IP address access frequency, if a short period of time received a large number of packets from the same IP address, it is considered to receive the attack, the packet of this IP is discarded

But there will be a lot of "broiler" or "Puppet machine", the above method is compromised

3. Set the time-out period of SYN to be shorter and may affect some actions of normal users

Application layer:

CC attacks, for some of the resource-intensive application pages continue to initiate normal requests to meet the consumption of server resources of the parent.

For querying the database, read/write hard disk files and other operations, relatively consumption of resources. Or use some hack technology to direct most traffic to a site that could lead to a denial of service to the target site

Solutions with high frequency data in memcache;

Or some configuration changes to Apache can also mitigate the application layer of DDoS attacks, such as Mod_qos configuration, mod_evasive configuration

Denial of Service Attacks