How can Internet Startups defend against DDoS attacks?

How can Internet Startups defend against DDoS attacks?

Attackers control a large enough distributed cluster to launch attacks. All sorts of packages are available. You don't care what services you provide, and you don't have the patience to analyze what services you have. For example, even if you didn't activate any UDP Service at all, he just sent a bunch of UDP packets and occupied your bandwidth. What else can I do.

More than a decade ago, the OS could not cope with a large number of TCP concurrent connections, so there was a SYN flood attack in that era, that is, a lot of SYN packets tried to shake hands. In the modern era, the effect is not as good as before, but the communication capability of victims can still be blocked under heavy traffic. The more practical problem is that the total bandwidth of the data center is limited. When the IP address segment of your server is under attack, he will directly seek the superior access provider to discard the packets sent to you on the backbone network. At this time, although you know that you are being attacked by DDoS, the attack package is not in the data center, let alone the server, so you can only guard the server, no traffic, wait. Most of the upper-level access providers are monopolized by state-owned enterprises and have no patience to cooperate with you at any level. Direct packet loss is the simplest and most convenient method. At the same time, even if the attacker stops the attack, you do not know. If you want the upper-level access provider to re-enable packet forwarding to you, it will be a one-day process. Once an attack is detected, packet loss occurs immediately. When I was attacked in those years, I was also eager to find a solution. Try to deploy the website on the cloud computing platform and rely on the bandwidth redundancy provided by the other party. It may even be the cost of short-term bandwidth. At that time, cloud computing providers in China tried several and eventually refused us because they didn't have enough bandwidth to cope with the attack. They are all out of love for the fruit shell network and free help, it is not easy to achieve this step. Some people mentioned attack vulnerabilities. I feel that there are few attackers who really spend the effort to analyze them. However, most attacks will indeed avoid some obvious defensive advantages. For example, the homepage of many websites will be static, so it is not cost-effective to attack the homepage. Similarly, the CPU consumption is too small. Several common vulnerabilities: 1. logon authentication 2. Comment 3. User Dynamics 4. ajax api In short, it is suspected that database writing, Table query, and caching are good targets. So the answer is: there is no good way. Please wait. I read the solutions provided by several other answers and analyzed them separately: 1. Fight bandwidth: or fight soft sister coins, this is not a little money to deal with, the fruit shell network at that time only bought less than m of bandwidth, the total bandwidth of the early IDC is less than 40G, the attack bandwidth is less than 10 Gbit/s ). Assume that a cheap data center (definitely not in Beijing, Shanghai, Guangzhou, and Shenzhen) is billed at a bandwidth price of 100 RMB/M * months. You need to buy 10 Gbit/s of bandwidth, and the monthly fee is 1 million, 1 million ...... 2. Traffic cleaning and IP address blocking: As mentioned above, the premise is that the attack package must be at least in your IDC. The data center's self-protection measures cause the data packets to be unable to reach the data center without any solution.

3. CDN service: Modern CDN providers do not yet have a sound dynamic web page acceleration technology, so the result is that you can use CDN to keep the static homepage accessible at best, any other dynamic website functions can only be used.