DoS (Denial of Service) is a network attack that uses ostensibly legitimate service requests to tie up an excessive share of a service's resources, so that legitimate users cannot get a response from the service.
DoS attacks may occur in the following ways:
* The attacked host has a large number of TCP connections left waiting (half-open);
* The system resources of the attacked host are heavily occupied, causing the system to stall;
* The network is filled with a large number of useless data packets whose source addresses are spoofed;
* Heavy traffic made up of useless data congests the network, so the affected host can no longer communicate normally with the outside world;
* By exploiting defects in the service or transport protocol offered by the victim host, the attacker repeatedly sends specific service requests at high speed, so that the victim cannot process all normal requests in time;
* In severe cases, the system crashes.
So far it is still difficult to prevent DoS attacks, especially DDoS attacks, but some measures can be taken to reduce their impact. Small and medium websites can defend themselves in the following areas:
Host settings:
That is, harden the operating system and set various operating system parameters to improve the stability of the system. Recompiling the kernel or tuning certain parameters in Linux, the various BSDs, Solaris and Windows can improve the system's resistance to attack to a certain extent.
For example, a typical DoS attack type, the SYN flood, exploits a weakness in the TCP/IP handshake by sending a large number of forged TCP connection requests, so that the network can no longer serve users or the operating system is paralyzed. This attack depends on a few system parameters: how many connection requests may wait in the queue, and how long a request is kept before it times out. You can therefore apply the following settings:
* Disable unnecessary services;
* Raise the connection backlog from the default 128 or 512 to 2048 or more, so that the queue processed in each pass is longer and more pending connections can be absorbed;
* Set the connection timeout to a short value, so that normal connections still complete while the attack packets are discarded;
* Promptly update the system and install patches.
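The host settings above map onto Linux kernel parameters. The following audit script is an added example (not from the article): it parses `sysctl -a` style output, flags the backlog, timeout and SYN-cookie parameters that are still at weak defaults, and emits the `sysctl -w` commands to fix them. The thresholds in `RULES` and the sample output are assumptions; tune them for your own hosts.

```python
import re

# Assumed hardening thresholds for the parameters the article names (backlog
# length, connection timeout) plus SYN cookies; adjust for your own hosts.
RULES = {
    # key: (comparison, recommended value)
    "net.ipv4.tcp_max_syn_backlog": (">=", 2048),  # half-open queue: 128/512 -> 2048+
    "net.core.somaxconn": (">=", 2048),            # accept queue, raised alongside
    "net.ipv4.tcp_synack_retries": ("<=", 2),      # fewer SYN-ACK retries = shorter timeout
    "net.ipv4.tcp_syncookies": ("==", 1),          # stateless fallback when backlog fills
}

def parse_sysctl(text):
    """Parse 'key = value' lines as printed by `sysctl -a`; ignore anything else."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.]+)\s*=\s*(-?\d+)\s*$", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values

def audit(values):
    """Return (key, current, recommended) for every parameter that is missing or weak."""
    findings = []
    for key, (op, want) in RULES.items():
        cur = values.get(key)
        ok = cur is not None and {
            ">=": cur >= want, "<=": cur <= want, "==": cur == want}[op]
        if not ok:
            findings.append((key, cur, want))
    return findings

def fix_commands(findings):
    """Emit the sysctl -w commands that would apply the recommended values."""
    return [f"sysctl -w {key}={want}" for key, _cur, want in findings]

# Constructed sample resembling a stock host's output (not captured from a real system).
SAMPLE_WEAK = """\
net.ipv4.tcp_max_syn_backlog = 128
net.core.somaxconn = 128
net.ipv4.tcp_synack_retries = 5
net.ipv4.tcp_syncookies = 0
net.ipv4.ip_forward = 0
"""

if __name__ == "__main__":
    for cmd in fix_commands(audit(parse_sysctl(SAMPLE_WEAK))):
        print(cmd)
```

To check a live host, feed it the real output (`sysctl -a 2>/dev/null`) instead of `SAMPLE_WEAK`; put the accepted values in `/etc/sysctl.conf` so they survive a reboot.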
Firewall settings:
Taking SYN flood as an example, you can perform the following settings on the firewall:
* Prohibit access to services on the host that are not meant to be public;
* Limit the maximum number of connections that may be open at the same time;
* Restrict access from specific IP addresses;
* Enable the firewall's anti-DDoS feature;
* Strictly restrict your servers' outbound access to external hosts, so that they cannot be turned into tools for attacking others.
You can also use the following methods:
* Random drop algorithm. When traffic reaches a threshold, subsequent packets are discarded according to the algorithm's rules in order to preserve the host's processing capacity. The disadvantage is that normal packets are dropped by mistake; in a high-volume flood the normal packets are a drop in the bucket and are easily rejected at the network edge as attack packets;
* SYN Cookie algorithm. It uses a six-step handshake to reduce the attack rate. The disadvantage is that its lookups are list-based: as traffic grows, the list expands sharply and the computation increases, which can cause response latency or even bring the system down.
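To make the SYN Cookie mechanism concrete, here is a simplified version of the classic stateless SYN cookie scheme as an added example (not code from the article): the server encodes a time counter, the client's MSS and a keyed hash of the connection 4-tuple into its initial sequence number, keeps nothing in the half-open queue, and validates the returning ACK by recomputing the hash. The secret key, the 3-entry MSS table and the addresses are assumptions for the demonstration.

```python
import hashlib
import hmac

# Hypothetical per-boot secret; a real kernel draws this from its random pool.
SECRET = b"constructed-demo-secret"
# Small MSS table so the client's MSS survives in 3 bits of the cookie.
MSS_TABLE = (536, 1220, 1460)

def _mac(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit keyed hash over the 4-tuple and the 5-bit time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")

def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, counter):
    """Build the server ISN: 5-bit counter | 3-bit MSS index | 24-bit MAC.
    Nothing is stored: the half-open entry is encoded in the number itself."""
    counter &= 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (counter << 27) | (mss_idx << 24) | _mac(src_ip, src_port, dst_ip, dst_port, counter)

def check_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now_counter, max_age=2):
    """Validate the final ACK of the handshake. Returns the MSS to use, or None
    if the cookie is stale, forged, or belongs to a different 4-tuple."""
    cookie = (ack_num - 1) & 0xFFFFFFFF      # the client acknowledges ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = (now_counter - counter) & 0x1F     # the counter wraps modulo 32
    if age > max_age or mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac(src_ip, src_port, dst_ip, dst_port, counter).to_bytes(3, "big")
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if not hmac.compare_digest(expected, got):  # constant-time comparison
        return None
    return MSS_TABLE[mss_idx]

if __name__ == "__main__":
    # Constructed handshake: SYN arrives in time slot 9, the ACK comes back in slot 10.
    isn = make_cookie("198.51.100.7", 40000, "203.0.113.5", 80, 1460, 9)
    print(check_cookie("198.51.100.7", 40000, "203.0.113.5", 80, isn + 1, 10))
```

Because the cookie's validity is bounded by `max_age` counter ticks, forged SYNs cost the server only a hash computation and no queue slot; the price is that TCP options not encoded in the cookie are lost, which is why real stacks enable cookies only once the backlog overflows.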
Because DoS attacks come in so many varieties, a firewall can only defend against a limited number of them.
Router settings:
Taking a Cisco router as an example, the following methods can be used:
* Cisco Express Forwarding (CEF);
* Unicast reverse-path forwarding (uRPF) verification;
* Access control list (ACL) filtering;
* Packet rate limiting;
* Upgrading IOS if the version is too old;
* Setting up a log server for the router.
When applying CEF and unicast reverse-path settings, pay close attention to your actual situation: improper use can seriously reduce the efficiency of the router. Exercise caution when upgrading IOS.
The router is the core device of the network and must be configured carefully. It is recommended not to save changes immediately, so that you can first observe their effect. A Cisco router has two configurations: the startup config and the running config. After modifying the running config, let it run for a period of time and then save it to the startup config. If you are not satisfied with the result, restore the saved configuration with copy start run.
Whether the firewall or the router is the externally facing device, when configuring anti-DDoS settings you must weigh the cost of the normal services that may be sacrificed as a result, and proceed with caution.
Using load balancing technology:
This means distributing the application service across several different servers, or even different locations, and using round-robin DNS or hardware routing technology to spread the requests reaching the system over multiple servers. The method requires a large investment and high maintenance costs; medium-sized websites can consider it if necessary.
The methods above are effective against DoS attacks with low traffic, a narrow target and a simple structure. Against DDoS attacks, measures and technologies that can cope with large traffic volumes are needed, integrating multiple algorithms with the functions of the network devices.
In recent years some products using such integrated technology have appeared, such as the Captus IPS 4000, Mazu Enforcer, Top Layer Attack Mitigator, and the domestic Green Alliance Black Hole and Eastern Dragon Horse Terminator. They can effectively resist SYN flood, UDP flood, ICMP flood, stream flood and other large-volume DDoS attacks, and also provide routing and switching functions. For websites that can afford them, using these products directly is a more convenient way to prevent DDoS attacks. However, the reliability and availability of their technology still need to be improved, for example the high availability, processing speed and efficiency of the equipment and the integration of its functions.
Finally, two emergency methods for quickly restoring service when the website is under a DoS attack and the system no longer responds:
* If spare IP resources are available, switch to a new IP address and point the website's domain name at it;
* Disable port 80 and provide the HTTP service on port 81 or another port, pointing the website's domain name at the IP address on port 81.