How small websites defend against DDoS attacks

Source: Internet
Author: User
Tags control characters php database dedicated server high cpu usage

Ddos (Distributed Denial of Service), commonly known as flood attacks. It is a new and more destructive attack method based on traditional DoS attacks. Distributed Denial of Service (DoS) attacks refer to the combination of multiple or even hundreds of thousands of computers as attack platforms by means of the customer/server technology to launch DoS attacks against one or more targets, this improves the attack power exponentially. The damage caused by DDoS is huge. You cannot prevent hackers from launching DDoS attacks on your website unless you disconnect the Internet. If we cannot prevent such attacks, how can we protect our enterprise network to the maximum extent? 1. Understand that there are currently three popular DDoS attacks: 1.1SYN/ACKFlood attacks, which are the most effective and classic DDoS methods and can attack network services of various systems, A large number of SYN or ACK packets are sent to the affected host, causing a denial of service because the host's cache resources are exhausted or busy sending response packets, because the source IP address and source port are both forged, tracing is difficult. The disadvantage is that it is difficult to implement and requires support from high-bandwidth botnets. 1.2TCP full connection attack TCP full connection attack means that many zombie hosts continuously establish a large number of TCP connections with the affected server until the server's memory and other resources are exhausted and dragged across, this type of attack can bypass the protection of the general firewall to achieve the purpose of the attack. The disadvantage is that many zombie hosts need to be found, and the IP address of the zombie host is exposed, therefore, it is easy to be tracked. 1.3 Script scalping attacks these attacks are mainly designed for websites that have Script programs such as ASP, JSP, PHP, and CGI and call databases such as MSSQLServer, MySQLServer, and Oracle, it is characterized by establishing a normal TCP connection with the server, and constantly submitting queries, lists, and other calls that consume a large amount of database resources to the script program. A typical attack method is small-scale. Common phenomena are website slowness, such as snail ing, ASP program failure, PHP database connection failure, and high CPU usage of the database master program. This attack is characterized by completely bypassing common firewall protection and easily finding some Proxy agents to launch attacks. The disadvantage is that the effect of websites with only static pages is compromised, in addition, some proxies expose the attacker's IP address. 2. Rules are established in the network intrusion monitoring system based on the following abnormal phenomena to detect DDoS attacks more accurately. (1) According to the analysis, the attacker always needs to resolve the host name of the target before conducting a DDoS attack. The BIND Domain Name Server can record these requests. Because each attack server sends a PTR reverse query request before an attack, the domain name server receives a large number of PTR query requests for reverse resolution of the target IP host name before the DDoS attack. (2) When a DDoS attack is performed on a site, the maximum communication traffic will obviously exceed the normal operation of the network. The current technology can calculate the corresponding limit values for different source addresses respectively. When the limit value is significantly exceeded, it indicates that there is a DDoS attack communication. Therefore, you can establish ACL access control rules on the master router side to monitor and filter these communications. (3) Large ICP and UDP data packets. Normal UDP sessions generally use small UDP packets. Generally, the valid data content cannot exceed 10 bytes. Normal ICMP messages cannot exceed 64-128 bytes. Data packets of much larger sizes may be used to control information communication, mainly including the encrypted Destination Address and some command options. Once the control information communication is captured (not forged), the location of the DDoS server is exposed because the target address of the Control Information Communication packet is not forged. (4) TCP and UDP data packets that are not normally connected for communication. The most concealed DDoS tool randomly uses multiple communication protocols (including connection-based protocols) to send data through a connectionless channel. Excellent firewall and routing rules can discover these packets. In addition, packets that connect to ports higher than 1024 and are not the target ports of common network services are also very doubtful. (5) data segments contain only text and numeric characters (for example, data packets without spaces, punctuation marks, and control characters. This is often because the data is base64-encoded and only contains the characteristics of the BASE64 character set. The control information packet sent by TFN2K is of this type. The feature mode of TFN2K (and its variants) is A string of A character (AAA) in the data segment, which is the result of adjusting the Data Segment Size and encryption algorithm. If BASE64 encoding is not used, the continuous character "" is used for data packets using the encryption algorithm. (6) The data segment contains only binary and high-bit data packets. Although binary files may be transmitted at this time, if these packets are not normally valid for communication, it may be suspected that the data being transmitted is not BASE64 encoded but encrypted control information communication data packets (if such a rule is implemented, the data transmission on ports 20, 21, and 80 must be excluded ). 3. How should we survive and continue to provide normal services when dealing with DDoS attacks? As we can see from the previous introduction, if the hacker attack scale is much higher than your network bandwidth, device or host capability, it is actually difficult to resist the attack, however, there are still some ways to mitigate the impact of attacks. The first is to investigate the attack source. As hackers are attacked by botnets, they may not be able to directly find out where the hackers are launching the attack. They must push back from the target step by step, first, investigate which vbrs are responsible for the attack. In the previous step, check which vrouters are responsible for the attack and contact the managers of these vrouters (maybe an ISP or telecommunications company) and ask them to help block or find out the source of the attack. If the target of an attack is only a single IP address, attempting to change the IP address and change its DNSmapping may be the fastest and most effective way to avoid the attack. However, the purpose of the attack is to make normal users unable to use the service. Although the IP address change method avoids the attack, the hacker has also achieved his goal from another perspective. In addition, if the attack method is simple and the rule can be identified by the Generated Traffic, the ACLs (AccessControlLists) or firewall rules of the router may be blocked, if you can find that the traffic is from the same source or core router, You can temporarily block the traffic over there. Of course, this may block both normal and abnormal traffic, but at least other sources can get normal services, which is also a last resort. In addition, you can also consider adding machines or bandwidths as the buffer for attacks, but this is only a temporary solution. The most important thing is to immediately initiate an investigation and coordinate with relevant units to resolve the issue. 4. Prevention of DDoS attacks the prevention of DDoS attacks must be addressed through the joint cooperation of various groups and users on the network to develop stricter network standards. Each network device or host must update its system vulnerabilities, disable unnecessary services, install necessary anti-virus and firewall software, and pay attention to system security at any time, avoid being attacked by hackers and automated DDoS programs. Network administrators can take the following measures to prevent such attacks. 4.1 node scanning network administrators should regularly scan network nodes, analyze and discover possible security vulnerabilities, and promptly fix new vulnerabilities. In particular, the computers at the Backbone Node need to occupy a high bandwidth. Therefore, it is very important for these hosts to enhance host security. Moreover, server-level computers connect to the master node of the network. Therefore, regular vulnerability scanning becomes more important. 4.2 configure the firewall itself to defend against some DDoS attacks. When an attack behavior is detected, you can sacrifice the backup device to guide the attack data stream, which can reduce or avoid the smooth operation of normal services. Of course, if enterprises or users have high network requirements, I suggest setting up a dedicated server to prevent DDoS attacks. 4.3 fully utilize network equipment to protect network resources. Reasonably configure and use vrouters, firewalls, and other network devices to effectively protect the network. Compared with server restart, it is much easier to restart network devices such as network routers, and server data will not cause too much loss. The use of Server Load balancer technology can automatically balance the use of devices when an attack occurs to minimize DDoS attacks. 4.4 filtering services and ports by default, many ports on the server are open. Users can use firewalls or some management software to filter unnecessary services and ports. Opening only the service port is a popular practice to ensure network security. For example, you may often see that only port 80 is open for one server. 4.5 check the visitor's source by querying the reverse router to check whether the visitor's IP address is true. If a false IP address is found, immediately block it. Hackers often use fake IP addresses to hide themselves in attacks. Therefore, it is necessary for the network administrator to know the user access information on the network. 4.6 filter all reserved IP addresses. We know that IP addresses like,, and are not fixed IP addresses of a specific CIDR block, but regional IP addresses retained within the Internet, the network administrator should filter out the reserved IP addresses. 4.7 to limit SYN/ICMP traffic, you should configure the maximum SYN/ICMP traffic on the firewall to limit the maximum bandwidth that SYN/ICMP can occupy. When a large number of SYN/ICMP traffic exceeds the limit, the administrator needs to immediately identify whether illegal attacks exist. Limiting SYN/ICMP is also the most commonly used method in the past to defend against DDoS attacks. According to relevant reports, telecom-level operators have begun to work actively and are preparing to launch a series of value-added security services. IDC server providers have also taken active actions to prevent users from DDoS attacks, security vendors are actively studying the principles and defense measures of DDoS attacks, and strive to minimize DDoS attacks. I believe that it is difficult for any individual to defend against massive data stream attacks. Only when operators, enterprises, and security vendors work together can we better overcome the harm that DDoS brings to users.

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.