How to minimize DDoS attack hazards

Source: Internet
Author: User

There is no way to eradicate DDoS. Even a strong defense is really just a way to mitigate it.

Most networks are vulnerable to many types of attack, but by following a set of security practices we can prevent such attacks to the greatest extent possible.

Distributed denial of service (DDoS) attacks are completely different, however. You cannot stop attackers from launching a DDoS attack against your website unless you disconnect from the Internet.

If we cannot prevent such attacks, how can we protect the enterprise network as much as possible?

First, you should clearly understand the three stages of a DDoS attack, and then learn how to minimize the harm it causes.

Understanding DDoS attacks

A DDoS attack is generally divided into three stages. The first is target identification: the attacker picks out the IP addresses of an enterprise network on the Internet. The chosen addresses may belong to the enterprise's Web server, DNS server, or Internet gateway. Attacks against these targets may be launched for a variety of purposes, such as making money (someone pays the attacker to hit certain sites) or simply causing damage.

The second stage is preparation: the attacker compromises a large number of poorly protected computers on the Internet (mostly home computers on DSL or cable broadband connections) and implants in them the tools needed to attack the target.

The third stage is the actual attack: the attacker sends attack commands to all of the compromised computers (the botnet), instructing them to use the pre-installed tools to send packets to the target continuously, until the target can no longer process the volume of data or its bandwidth is saturated.

Sophisticated attackers also have the botnet forge the source IP address of the attack packets, inserting the target's IP address as the packets' source. This is called a reflection attack: every server or router that receives such a packet sends its response back to the forged source address, that is, to the target, which further increases the traffic reaching the target host.

We therefore cannot prevent such a DDoS attack, but by understanding how it works we can minimize its impact.

Reduce attack impact

Ingress filtering is a simple security policy that every network service provider should implement. At the edge of your network (for example, on each router directly connected to the Internet), create a routing rule that discards any packet arriving from the Internet whose source IP address belongs to your own network's address space. Although this does not prevent DDoS attacks in general, it does stop DDoS reflection attacks.

Mitigate DDoS attack hazards

However, many large ISPs refuse to implement ingress filtering for various reasons, so we need other methods to reduce the impact of DDoS attacks. Currently, the most effective one is the backscatter traceback method.

To use this method, first confirm that the current problem is caused by an external DDoS attack rather than by an internal network or routing problem. Next, configure the external interfaces of all edge routers, as quickly as possible, to reject all traffic destined for the DDoS attack target.

In addition, you must configure these edge router ports to discard all packets whose source IP addresses are invalid or cannot be routed back to, for example addresses in the following ranges:

10.0.0.0-10.20.255.255

172.16.0.0-172.31.255.255

192.168.0.0-192.168.255.255

Once a router is configured to reject these packets, every time it drops one it sends an Internet Control Message Protocol (ICMP) "destination unreachable" message, carrying a copy of the rejected packet, back to that packet's source IP address.
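The edge rule described above (drop Internet-side packets that claim your own address space, drop the private source ranges listed, and send ICMP destination-unreachable backscatter for each rejected packet), as an added Python simulation that is not part of the original article; the enterprise prefix 203.0.113.0/24, the interface names and the packet tuples are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed assumptions: the enterprise's own public prefix (TEST-NET-3) and
# an edge router whose Internet-facing interface is "eth0".
OWN_NETWORK = ipaddress.ip_network("203.0.113.0/24")
EXTERNAL_IFACE = "eth0"

# Private ranges from the article (RFC 1918): packets arriving from the
# Internet must never carry these as source addresses.
INVALID_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

Packet = namedtuple("Packet", "iface src dst")


def ingress_verdict(pkt):
    """Return ("accept", None) or ("drop", reason) for a packet at the edge."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == EXTERNAL_IFACE and src in OWN_NETWORK:
        # Spoofed: the Internet side can never legitimately present our own
        # addresses; this is the rule that stops the reflection attack.
        return ("drop", "spoofed-own-prefix")
    if pkt.iface == EXTERNAL_IFACE and any(src in n for n in INVALID_SOURCES):
        return ("drop", "invalid-source")
    return ("accept", None)


def icmp_unreachable(pkt):
    """Backscatter record: an ICMP destination-unreachable message addressed
    to the rejected packet's source, quoting the rejected packet."""
    return {"type": "destination-unreachable", "to": pkt.src,
            "original": (pkt.src, pkt.dst)}


def filter_packets(packets):
    """Apply the edge rule to each packet; return accepted packets and the
    (reason, ICMP message) pairs generated for rejected ones."""
    accepted, backscatter = [], []
    for pkt in packets:
        verdict, reason = ingress_verdict(pkt)
        if verdict == "accept":
            accepted.append(pkt)
        else:
            backscatter.append((reason, icmp_unreachable(pkt)))
    return accepted, backscatter
```

The backscatter messages are what the traceback step in the next section relies on: when sources are forged, the ICMP replies go to the forged addresses, so the router's own drop log, not the replies, is what identifies the heaviest source segment.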

Next, open the router logs and find which router is receiving the most attack packets. Then, from the logged source IP addresses, determine which network segment is sending the largest volume of data. On that router, route this IP address range to a "black hole", isolating the range by adjusting the subnet mask so that it covers the offending segment.
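The two traceback steps above (find the router that rejects the most packets, then the source segment on that router to blackhole), as an added Python example that is not from the original article; the log lines are constructed in a generic key=value style, not any particular router vendor's format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines, one per packet an edge router processed.
SAMPLE_LOG = """\
2024-01-01T10:00:01 router=edge-1 action=deny src=198.51.100.23 dst=203.0.113.5
2024-01-01T10:00:01 router=edge-1 action=deny src=198.51.100.77 dst=203.0.113.5
2024-01-01T10:00:02 router=edge-1 action=deny src=198.51.101.9 dst=203.0.113.5
2024-01-01T10:00:02 router=edge-2 action=deny src=192.0.2.44 dst=203.0.113.5
2024-01-01T10:00:03 router=edge-1 action=deny src=192.0.2.8 dst=203.0.113.5
2024-01-01T10:00:03 router=edge-1 action=deny src=198.51.100.120 dst=203.0.113.5
2024-01-01T10:00:04 router=edge-2 action=permit src=192.0.2.50 dst=203.0.113.80
"""

LINE_RE = re.compile(r"router=(\S+) action=(\S+) src=(\S+) dst=(\S+)")


def parse_denies(log_text):
    """Yield (router, src) for every rejected packet in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(2) == "deny":
            yield m.group(1), m.group(3)


def busiest_router(log_text):
    """Step 1: the router that rejected the most packets."""
    counts = Counter(r for r, _ in parse_denies(log_text))
    return counts.most_common(1)[0][0] if counts else None


def heaviest_source_segment(log_text, router, prefixlen=24):
    """Step 2: the source segment (aggregated to /prefixlen) with the most
    rejected packets on the given router; this is the range to blackhole."""
    segs = Counter()
    for r, src in parse_denies(log_text):
        if r == router:
            segs[ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)] += 1
    if not segs:
        return None, 0
    net, n = segs.most_common(1)[0]
    return str(net), n


def blackhole_plan(log_text, prefixlen=24):
    """Combine both steps: which router, which segment, how many packets."""
    router = busiest_router(log_text)
    seg, n = heaviest_source_segment(log_text, router, prefixlen)
    return {"router": router, "blackhole": seg, "packets": n}
```

Widening `prefixlen` (for example to 16) is the "adjust the subnet mask" step: it trades collateral blocking of neighbouring addresses for fewer routes to install.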

Then look up the owner of that CIDR block, contact your own ISP and the ISP through which the traffic from that block is transmitted, report the attack to them and ask for assistance. Whether or not they are willing to help, it costs nothing more than a phone call.

Next, so that services and legitimate traffic can pass, restore the routers that are under lighter attack to normal operation, keeping only the router that bears the heaviest attack rejecting the largest attack-source network segment. If your ISP and the other ISP are conscientious about blocking attack packets, your network will quickly return to normal.

Conclusion

DDoS attacks are tricky and difficult to prevent, but using the methods above you can reduce their impact on the network in a timely manner. When an attack comes, you only need to respond quickly and use the right method to promptly identify and block the attack traffic.


When I saw this article, I remembered that at the time of the hacking alliance, a company had to pay a very high price to attack a competitor at all costs. It would take six months for the DDoS service provider to pay a high price; if this cannot be found, the company must be a junk company?

This article is well written. I like this article. DDoS cannot be prevented for the time being, but you can minimize your losses. What we do is not just a simple defense, but there are a lot of DDoS attacks; once Baidu was attacked by a large-scale distributed denial-of-service attack, causing great losses?

We still have a long journey, which is more difficult than you think.
