How to protect against DDoS attacks from the root cause

As DDoS attacks become more frequent, how to combat DDoS attacks becomes a challenge for many enterprises. Live platforms, video sites, e-commerce, financial websites and other competitive websites are struggling to cope.

650) this.width=650; "style=" border:medium none; src= https://cbu01.alicdn.com/img/ibank/2016/781/917/3445719187_ 102768608.jpg "alt=" 3445719187_102768608.jpg "/>

x86 and a number of industry customers [these customer business is basically due to development or outbreak] exchange found that most users suffer from DDoS attacks often found that their DDoS attack protection service providers can clean 3-4 layer volume (traffic type) DDoS attacks, However, there is no particularly effective solution to protect against targeted volume or application DDoS attacks.

The reason for this is that DDoS attack protection providers are unable to understand the user's business characteristics or use extensive protection methods for targeted DDoS attacks (extensive protection algorithms have a high rate of manslaughter for normal business traffic).

For example, most DDoS attack protection service providers use threshold triggering to intercept the traffic of this kind of triggering threshold for the UDP protocol or the ICMP protocol or the private protocol DDoS attack protection.

There is also a DDoS attack protection algorithm for UDP or ICMP protocol or private protocol, which is TCP reverse source authentication.

650) this.width=650; "style=" border:medium none; src= https://cbu01.alicdn.com/img/ibank/2016/137/366/3445663731_ 102768608.jpg "alt=" 3445663731_102768608.jpg "/>

UDP protection algorithm using TCP reverse source authentication

DDoS protection algorithm using TCP reverse source authentication The attack on the UDP protocol may cause some clients that do not support TCP to be killed, and will lead to a high rate of bounce authentication, usually up to 8 times times, which will make most DDoS attack protection providers unable to support large upstream bandwidth charges! (10Gbps pure 64-byte packet attack, will cause the firewall to bounce 80Gbps TCP packets)

Here Shanshan (SEEDMSSP) uses the more advanced machine learning (ml) method to learn and protect UDP and ICMP or private protocol traffic, which can effectively protect UDP and ICMP and private protocol DDoS attacks. and to ensure that the normal flow of users to the manslaughter rate is always at the lowest level (manslaughter rate averaged around 5%).

Back to the topic, grabbing packet analysis messages to protect against DDoS attacks is very effective for large IT companies (such as the size of bat), because large IT companies tend to be equipped with ultra-high-performance routers and ultra-high-performance firewalls.

What if my business is a start-up IT company? I can't afford a hundreds of thousands of millions of-dollar router and a high-performance firewall, so how do I protect against such targeted DDoS attacks?

Very simple, first you have to have a grab kit, you can use tcpdump or Wireshark to crawl the current device's network messages when you suffer from such DDoS attacks.

The captured messages are then analyzed using a message analysis tool, such as using Wireshark.

Below x86 a brief introduction, if an attacker uses a large number of chickens to attack a website, attack using a fixed URI parameter, and this URI parameter is not useful for normal visitors in the case of DDoS attack protection method.

First, the hacker attacked Http://123.1.1.2/test.php?mynameis=ddos.

650) this.width=650; "style=" border:medium none; src= https://cbu01.alicdn.com/img/ibank/2016/364/917/3445719463_ 102768608.jpg "alt=" 3445719463_102768608.jpg "/>

Then we use the grab tool to crawl a certain number of messages within the attacked server and then use Wireshark to analyze the packet.

650) this.width=650; "style=" border:medium none; src= https://cbu01.alicdn.com/img/ibank/2016/692/827/3445728296_ 102768608.jpg "alt=" 3445728296_102768608.jpg "/>

We can see that there is a set of Get/test.php?mynameis=ddos characters in the message. Then we just need to extract the Mynameis=ddos set of URI parameters as a feature.

If you use Nginx as a Web Server, you can protect it by adding the following parameters to the Nginx configuration file:

if ($args ~* "Mynameis=ddos") {

return 444;

}

However, if the attack request is up to tens of thousands of or tens of millions of times per second, Nginx may not be able to keep up, perhaps you need to intercept the DDoS attack traffic before entering your server.

At this time x86 June suggested Sir try Seedmssp unique v-ads fine-grained cleaning model.

650) this.width=650; "style=" border:medium none; src= https://cbu01.alicdn.com/img/ibank/2016/492/437/3445734294_ 102768608.jpg "alt=" 3445734294_102768608.jpg "/>

V-ads Virtual Firewall (fine-grained cleaning section)

The V-ads virtual firewall can provide Sir with a message level DDoS attack protection, Sir can define the protection feature model of DDoS attack, and V-ads will intercept, release, speed limit according to the characteristics of the message fingerprint and the frequency or related model behavior of the customer.

Just now the DDoS attack hacker uses the Mynameis=ddos URI parameter to launch a DDoS attack against the Web server, where the user can turn on the V-ads HTTP flood protection module for one-click protection, if Sir is a geek, Then Sir can use the V-ads cleaning granularity model to clean up such DDoS attacks.

The hexadecimal of Mynameis=ddos is: 6d796e616d6569733d64646f73

650) this.width=650; "style=" border:medium none; src= https://cbu01.alicdn.com/img/ibank/2016/763/437/3445734367_ 102768608.jpg "alt=" 3445734367_102768608.jpg "/>

Flag bit information for TCP messages

The flags in the TCP message are 0x18, which means that the flags for TCP can be checked for PSH and ACK (only packets containing PSH and ACK flags will be matched), and V-ads will match all messages if Sir unchecked.

Then Sir can fill in the V-ads cleaning granularity model with the following content:

650) this.width=650; "style=" border:medium none; src= https://cbu01.alicdn.com/img/ibank/2016/216/527/3445725612_ 102768608.jpg "alt=" 3445725612_102768608.jpg "/>

Once you click Save, once again access Http://123.1.1.2/test.php?mynameis=ddos, V-ads will immediately intercept the message containing this feature.

650) this.width=650; "style=" border:medium none; src= https://cbu01.alicdn.com/img/ibank/2016/492/737/3445737294_ 102768608.jpg "alt=" 3445737294_102768608.jpg "/>

The visit was intercepted.

The access was intercepted. If Sir your brain, you can also use this v-ads fine-grained cleaning model to fully fit your business features, reducing the manslaughter rate to a minimum or even 0 manslaughter!

For example, "national husband" Panda TV, if the DDoS attack, in order to ensure the rate of manslaughter second-level cleaning, so even if the attack on the smoothness of the broadcast, the user experience is no negative impact.

Finally x86 June to say is, v-ads cleaning is the line speed yo ~ ~ ~

PS: Shanshan is a cloud security service provider focused on DDoS attack protection, and the company has been working to develop the tracking and protection of DDoS attacks over the years. With the vision of "focus on business, safety and security", Shanshan is continuously innovating to provide customers with leading cloud security products and solutions. In the good and bad DDoS protection market, Shanshan is worthy of your favor!www.seedmssp.com

How to protect against DDoS attacks from the root cause