How to deploy defense measures against DDos attacks

Source: Internet
Author: User

Author: Ion wing. sun Source: SCID

DDoS (Distributed Denial-of-Service) attacks are mainly used to flood the pipeline by means of traffic that exceeds the pipeline's processing capability or by means of tasks that exceed the processing capability to paralyze the system, therefore, in theory, as long as attackers can gain more powerful "power" than the target, the target will be attacked.

There are no 100% effective defense measures for DDoS attacks. However, the attacker must make more resources and efforts than the defender to have such "power". Therefore, as long as we have a better understanding of DDoS attacks and actively deploy defense measures, it can also mitigate and defend against such security threats to a large extent.

Enhance defense capability

An important element in defending against DDoS attacks is to enhance its defense capabilities. Using larger bandwidth and improving the performance of related devices is the most direct way to deal with DDoS attacks. Although this requires a certain amount of resources, it is enough for enterprises that place their survival on these online systems. We only need to grasp the appropriate principles when implementing such "Hard growth.

Because our resources are limited. If we increase the investment by 100%, we can only improve the correlation performance and anti-DDoS capability by 10%, which is obviously a way to handle the loss, after all, this is not our only choice. In addition, the attacker's resources are also limited. When we increase the defense intensity, it means that the attacker must collect a large number of attacks on the slave machine to carry out attacks, it also increases the risk exposed by attackers. However, it should be noted that the effective anti-DDoS protection is not in a vicious circle with the attacker, but should combine various methods to set enough obstacles for the attacker.

Target System Processing

The attacker's final target may be a host or a network device. In addition to enhancing the hardware capabilities of the target system, we should also make full use of the system's potential. Through targeted processing of the target system, we can effectively enlarge the energy of existing resources. The most basic task is to update patches. In particular, the communication protocol stack of some operating systems has problems, and it is easy to become the exploitation object of DoS attacks. The vulnerability-based DoS attacks are much easier than pure facility capabilities. If you cannot eliminate vulnerabilities that can be exploited by a Denial-of-Service attack, other defense work can only be performed.

Fortunately, the patch update speed of various systems is satisfactory. You only need to follow up the patch release status of the related systems based on your environment. Some frequently used methods also include limiting the length of the connection queue and reducing processing latency. The former can alleviate the depletion of system resources. Although it cannot completely avoid the occurrence of "denial of service", it at least reduces the possibility of system crash to a certain extent. The latter can enhance the processing capability of the system. By reducing latency, We can discard the waiting connections in the queue at a faster speed, instead of leaving them full of queues; however, this method is not always effective in all circumstances, because many DDoS attack mechanisms are not built on a method similar to SYN Flood that uses malformed connections to Flood queues.

Defense in depth

Attackers and the target are not directly connected. Therefore, they must pass through many network nodes to communicate with each other. Therefore, we can deploy effective barrier as much as possible before the protected system to relieve the pressure on the system. The most important tool to set the barrier is _ blank "> firewall, advanced _ blank"> Firewall Products can effectively identify and process the deep content of data packets, which helps us set more detailed filtering.

Many Firewall Products now integrate the anti-DDoS function to further improve the recognition of common DDoS attack packets. Such a product can greatly enhance the DDoS defense capability, and can detect "malicious behavior" without fully checking the data packets ". This is very helpful because the less DDoS attacks are processed, the less likely they are to be used up, which greatly increases the costs of attackers. Network devices, including many router products, have some _ blank "> firewall functions. We should make full use of them as much as possible.

In particular, the vro itself is responsible for guiding the data stream and should be placed in the "frontend" position as much as possible. In this way, the attacker can not only protect the enemy against attacks that are thousands of miles away, but also flexibly direct the attack packets to other harmless locations and even attack the nothingness. Of course, the attacker will also have a very shallow or deep understanding of these defense layers and will not blindly take the target system as the only attack point, they are likely to turn to the organization of attacks against these facilities after being blocked by these facilities, which requires us to dynamically adjust the defense facilities to adapt to the situation.

In addition to these basic methods and tools, there are also some more advanced techniques that can be used, for example, we can design redundancy, it can enable the emergency mechanism at any time when the system is paralyzed from an attack. It can also deploy some trap components, which can be used to attract attack traffic or confuse attackers.

Win by yourself

In fact, one of the most important factors in our security defense is our thorough understanding of the system. For example, we must clearly know which services are open to the system and which access is forbidden. At the same time, when there are signs of a DDoS attack, we should also determine which processing mechanisms the attack uses. Although we have heard of countless people repeatedly "shutting down unnecessary services", it is clear that its importance is not fully recognized.

Sometimes, when a port is not opened, we think it is in a safe state. In fact, this is not the case. In many cases, some closed ports still respond to certain queries due to design reasons, which is often used by DDoS attacks. Attackers can consume resources of the target system by sending massive queries to these seemingly sleeping ports. We often use one called Shields UP !! The Web interface-based tool checks the real status of the port. We can find the tool's access interface at http://www.grc.com.

We log on to the page of a networked workstation and perform the All Service Ports check. The returned results page lists the status of Ports 0 to 1055, A small green block indicates that the port is in the Stealth State and will not respond to the outside world. If a small block represents a dangerous red color, the port is open. If the small block is blue, the port is closed. Although most programs cannot use these ports, they do not represent absolute security. Using similar tools, we can better understand what we expose to the network, so that we can handle the problems effectively without ignoring the hidden risks.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.