DDoS attack (traffic attack) Defense steps

Source: Internet
Author: User

The DDoS full name is distributed denial of service (distributed denial-of-service attack), and many Dos attack sources attack a single server to form a DDoS attack, which dates back to 1996 initially and began to occur frequently in China in 2002, 2003 has begun to take shape.

Introduction to DDoS Attacks:

There are many types of DDoS attacks, and the most basic Dos attack is to use reasonable service requests to consume too many service resources, so that the server cannot handle the instructions of legitimate users.

A single Dos attack is usually one-to-many, when the target CPU speed is low, the memory is small or the network bandwidth is small, and so on, the performance is not high, its effect is obvious. With the development of computer and network technology, the computer's processing ability grows rapidly, the memory is greatly increased, and there are gigabit-level networks, which makes the Dos attack more difficult-the target has enhanced the "digestion ability" of the malicious attack package, for example, your attacking software can send 3,000 attack packets per second. , but my host and network bandwidth can handle 10,000 attack packets per second, so the attack will not have any effect.

This is when distributed denial of service (DDoS) attacks have emerged. If you understand a Dos attack, the principle is simple. If the computer and network processing power increased 10 times times, with a strike attack can no longer play a role, the attackers use 10 attack attacks at the same time? With 100 units? DDoS is the use of more puppet machines to launch attacks, in order to attack victims on a larger scale than before.

The high-speed, widely connected network has brought convenience to everyone, and has created extremely favourable conditions for DDoS attacks. In the low-speed network era, hackers occupy the attack with the puppet machine, will always give priority to the distance from the target network near the machine, because the number of hops through the router, the effect is good. And now the backbone of the telecommunications between the link between the G-level, larger cities can reach a 2.5G connection, which makes the attack can be launched from a farther place or other cities, the attacker's puppet machine location can be distributed in a larger range, the choice is more flexible.

DDoS attack principle:

interfere with or even block normal network traffic by overloading the network. Overload the server by submitting a large number of requests to the server. Block a user access server from blocking a service from communicating with a particular system or individual.

DDoS attack (traffic attack) Defense steps:

In fact, when it comes to webmaster headaches, there's nothing like ddos[distributed denial-of-service attacks. Unable to access the site but when an attacker makes a DDoS attack, many webmasters will say, "play with him, and when it's enough, it won't attack." That's the right idea. But it's deadly. No remedy is to be done. It's the biggest taboo.

But for real DDoS attacks. The number is huge. The processing method is as follows:

1, the use of tools: DDoS deflate. Automatic seizure of IP.

2, resolve the domain name to let the attackers themselves attack themselves [the price. The site is not accessible].

3. Close the site's Nginx or IIS Apache. Wait for the attack to open again.

4, high-speed anti-server (home use static page to improve processor speeds).

5, play with him, and so play enough will not attack.

6, conditional friends, you can consider doing CDN acceleration.

Understanding of DDoS Defense
To deal with DDoS is a systematic project, it is unrealistic to want to rely on a system or product to protect against DDoS, it is certain that it is impossible to completely eliminate DDoS, but it is possible to protect against 90% DDoS attacks with appropriate measures, based on the cost of attack and defense, If the ability to defend against DDoS is increased by the appropriate means, the attack cost of the attacker is increased, and the vast majority of attackers will not be able to continue to give up, which is tantamount to successfully defending against DDoS attacks.

Methods of DDoS Defense:

1, the use of high-performance network equipment

First of all to ensure that network equipment can not become a bottleneck, so choose routers, switches, hardware firewalls and other equipment should try to choose high-profile, good reputation products. And then, if there is a special relationship or agreement with the network provider, it is better, when a large number of attacks occur, it is very effective to ask them to make a traffic limit at the network point to fight against certain kinds of DDoS attacks.

2, try to avoid the use of NAT

Whether it is a router or a hardware protection wall device to avoid the use of Network address translation NAT, because this technology will greatly reduce network communication capability, in fact, the reason is very simple, because NAT needs to convert the address back and forth, the network packet checksum needs to be computed during the conversion, so a lot of wasted CPU time , but there are times when you have to use NAT, there is no good way.

3. Sufficient network bandwidth Guarantee

Network bandwidth directly determines the ability to resist attack, if only 10M bandwidth, no matter what measures are difficult to fight against the current Synflood attack, at least to choose 100M of shared bandwidth, the best of course is hung on the 1000M trunk. However, it is important to note that the network card on the host is 1000M does not mean that its bandwidth is gigabit, if it is connected to the 100M switch, its actual bandwidth will not exceed 100M, and then the bandwidth on the 100M also does not mean that there is a hundred trillion bandwidth, Because network service providers are likely to limit the actual bandwidth to 10M on the switch, this must be clear.

4. Upgrading the host server hardware

In the premise of network bandwidth guarantee, please try to improve the hardware configuration, to effectively counter 100,000 SYN attack packets per second, the server configuration should be at least: P4 2.4G/DDR512M/SCSI-HD, the key role is mainly CPU and memory, if you have strong dual CPU, then use it, Memory must choose the DDR of high-speed memory, hard disk to choose SCSI, do not just greedy IDE price is not expensive enough to be cheap, otherwise it will pay high performance cost, and then must choose 3COM or Intel and other brands, if Realtek or use on their own PC bar.

5, the site into a static page

A large number of facts proved that the site as far as possible to make static pages, not only can greatly improve the anti-attack ability, but also bring a lot of trouble to hackers, at least until now, the overflow of HTML has not appeared, see it! Sina, Sohu, NetEase and other portals are mainly static pages, if you do not need dynamic script calls, it will get to another separate host to go, free from the attack when the main server, of course, appropriate put some do not do database call script is still possible, in addition, It is a good idea to deny access to proxies in scripts that need to invoke the database, because experience shows that using proxies to access 80% of your site is a malicious act.

6, enhance the TCP/IP stack of the operating system

Win2000 and Win2003 as the server operating system, itself has a certain ability to resist DDoS attacks, but the default state is not open only, if the open can withstand about 10,000 SYN attack packets, if not opened can only withstand hundreds of, how to open, Go and see Microsoft articles yourself! "Hardening TCP/IP stack security".

Perhaps some people will ask, then I use Linux and FreeBSD how to do? Very simple, follow this article to do it! "SYN-Cookies".

7, installation of professional anti-DDoS firewall

Green Union black Hole: X86 architecture, Linux kernel and proprietary anti-Syn-flood algorithm. Fighting against a single type of syn,udp,icmp dos works fine, but the effect is slightly worse when mixed with multiple mixes. The advantage is the update is fast, the technical support is better, in 100M environment has the absolute superiority to the syn-flood. The disadvantage is the lack of documentation and information, while the work (both hardware and software) is not very stable.

Golden Shield anti-denial service system: Golden Shield anti-Denial Service series, application of self-developed anti-denial of service attack algorithm, to SYN flood,udp flood,icmp flood,igmp flood,fragment flood,http Proxy flood,cc Proxy Flood,connection exhausted and other common attack behavior can be effectively identified, and through the integrated mechanism of these attacks in real-time processing and blocking, to protect the service host from the damage caused by the attack. Built-in web protection mode and game protection mode, to completely solve the two applications of the DOS attack mode. Golden Shield anti-Denial Service series products, in addition to provide professional dos/ddos attack detection and protection, but also provides a general rule-oriented message matching function, can be set up the domain including address, port, flag, keywords, etc., greatly improve the versatility and protection efforts. At the same time, a number of pre-defined rules, including LAN protection, vulnerability detection and many other functions, easy to use.

Skynet Firewall: The first based on the OpenBSD kernel, X86 architecture, now should also be the Linux kernel. The anti-Syn-flood feature was added early, and should actually be an improved or enhanced version of Syn-cache/syn-cookie. The actual test SYN Flow 64B packet resistance limit is probably about 25M. When it is less than 20M, you can still see the effect. At the same time, the combination of good firewall policy should also be targeted at udp/icmp and other types of restrictions.

A humble opinion: Firewall generally or let it as their professional use (access control) is better, of course, the network business is not very important production enterprises, buy a firewall at the same time have a simple anti-SYN function is also good.

8. Other defensive measures

Several of the above DDoS recommendations are suitable for the vast majority of users with their own hosts, but if you do not resolve the DDoS problem after taking these steps, you may need to invest more, increase the number of servers, use DNS round-patrol or load-balancing technology, or even purchase a seven-tier switch device. This makes the ability to resist DDoS attacks multiply, as long as the investment is deep enough.

Ensure safety by prevention
DDoS Coping methods
DDoS attacks are the most common means of attack by hackers, and the following are some common ways to deal with them.

(1) Regular scan

Periodically scan existing network master nodes to inventory possible security vulnerabilities and clean up new vulnerabilities in a timely manner. Because of the high bandwidth, the computer of the backbone node is the best place for hackers to take advantage of, so it is very important for these hosts to strengthen the host security. and connecting to the network master node is a server-level computer, so it becomes more important to periodically scan for vulnerabilities.

(2) Configuring the firewall on the backbone node

The firewall itself protects against DDoS attacks and other attacks. When the attack is discovered, the attack can be directed to some sacrificial hosts, which will protect the real host from attack. Of course, these sacrificial hosts can choose unimportant, or Linux and UNIX and other vulnerabilities and inherently prevent attacks excellent system.

(3) Use enough machines to withstand hacker attacks

This is a more ideal coping strategy. If the user has sufficient capacity and sufficient resources to the hacker attack, in its constant access to users, seize the user resources, their own energy is gradually lost, perhaps not waiting for users to be attacked, hackers have been unable to give a weapon. However, this method needs to invest more money, usually most of the equipment in the idle state, and the current small and medium-sized enterprises network actual operation of the situation does not match.

(4) Make full use of network equipment to protect network resources

The so-called network equipment refers to routers, firewalls and other load balancing devices, they can effectively protect the network. When the network is attacked, the first to die is the router, but the other machines are not dead. The dead router will return to normal after the reboot, and start up quickly, there is no loss. If other servers die, the data is lost, and restarting the server is a lengthy process. In particular, a company uses a load-balancing device so that when one router crashes, the other one will work immediately. This minimizes DDoS attacks.

(5) Filtering unnecessary services and ports

Filtering unnecessary services and ports, i.e. filtering fake IPs on routers ... Opening a service port only becomes a popular practice for many servers today, such as the WWW server opening only 80 and shutting down all other ports or blocking policies on the firewall.

(6) Check the source of the visitor

Use the unicast Reverse Path forwarding to check if the IP address of the visitor is true and, if it is false, it will be masked by a reverse router query method. Many hacking attacks often confuse users with fake IP addresses, and it's hard to find out where it comes from. Therefore, the use of unicast Reverse Path forwarding can reduce the emergence of fake IP addresses and help improve network security.

(7) Filter all RFC1918 IP addresses

The RFC1918 IP address is the IP address of the intranet, such as,, and, which are not fixed IP addresses for a network segment, but are reserved regional IP addresses within the Internet and should be filtered out. This approach does not filter the access of internal employees, but it will also reduce the number of fake internal IP filters that are forged during the attack, which can mitigate DDoS attacks.

(8) Limit SYN/ICMP traffic

The user should configure SYN/ICMP maximum traffic on the router to limit the maximum bandwidth that the SYN/ICMP packet can occupy, so that when a large number of SYN/ICMP traffic exceeds the limit, the description is not normal network access, but a hacker intrusion. Early by restricting syn/icmp traffic is the best way to prevent DOS, although the current method for DDoS effect is not obvious, but still can play a role.

Anti-DDoS products major manufacturers
Green Alliance Technology
Green Alliance Technology began in May 2001 for DOS attack product development, the following year, the company completed the anti-denial of service attack buster-"black hole Collapasar" all the research and development work, and applied for national invention patents.

Zhong Xin Golden Shield
Anhui New Software Co., Ltd. was founded in 2002, is a network security products, hardware and software development of high-tech companies. Company for DDoS attack products independent research and development, production of Golden Shield series security products include shield firewall, Golden Shield anti-denial service system, flow traction equipment, information filtering system. Since its inception has been in the market to obtain a good, solid reputation.

Proud Shield
Proud Shield Safety net of the well-known brand "proud Shield Firewall" is a comprehensive, innovative, high security and high-performance network security system. Proud Shield DDoS Firewall with DDoS, DOS attack defense, Nat address translation function, unique TCP flag bit detection function, the proud Shield DDoS firewall has the world's leading data flow fingerprint detection technology, independent development of high efficiency system core features, is a domestic one can completely resist ACK, DOS, DDOS, SYN, FLOOD, Fatboy and various variants such as land,teardrop,smurf,ping of the Death,fatboy and other attacks of security defense security products, committed to a large enterprise, Business organizations and network service providers to provide complete information security solutions and comprehensive technical support services.

Ice Shield

Ice Shield anti-DDOS firewall (Bing ton anti-ddos Firewall) from IT technology world-class Silicon Valley in the United States, by the Chinese students Mr.binglewang and Mr.buick Zhang Design and development, Using the international leading bio-genetic identification technology to identify various DDoS attacks and hacking behavior, firewalls using Mircrokernel micro-core and activedefeense Active Defense engine technology, work at the lowest level of the system, give full play to the CPU's performance, Get amazing processing performance with just a little memory. The high-strength attack test shows that: in anti-DDoS attack, work on 100M network card Ice Shield can withstand 250,000 SYN packet attacks per second, work on 1000M network card Ice Shield can withstand 1.6 million SYN attack packets; in anti-hacker intrusion, the ice shield can intelligently identify the port scan, Unicode malicious encoding, SQL injection attacks, Trojan Trojan uploads, exploit exploits and more than 2000 kinds of hacking and automatic blocking, is by far the most powerful anti-DDoS firewall products.

Sky Eagle

Eagle DDoS Firewall "anti-DDoS Firewall": is currently the most defensive attack type, the most efficient professional anti-DDoS firewall. Unique "Eagle Network behavior Analysis" Patented technology makes the Eagle anti-DDoS firewall completely different from other similar products: not only can accurately defend the known network attacks, but also have the ability to defend against unknown attacks, outstanding defense capability and operational efficiency, so that the Eagle anti-DDoS firewall to become the world's largest Chinese website " Sina, the domestic top anti-hacker technology website "Hacker Defense", the internationally renowned community chat site "CamFrog World" and many influential, visionary well-known sites of the unanimous choice.

DDoS attack (traffic attack) Defense steps

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.