In the face of increasingly complex network environments and a wide range of potential security problems and attacks, our networks are in danger at all times. In today's information age, keeping servers running stably and efficiently while preventing and controlling these malicious attacks has overwhelmed many network administrators. DDoS in particular, a simple and very fast-acting attack method, has overwhelmed countless webmasters and network administrators. Here we will focus on anti-DDoS protection.
DDoS, short for distributed denial of service, is one of the most popular and effective ways to take a server down over the network. Its prevention and control can be said to be purely passive: the fight begins only after the attack has started. So how can we establish an early warning mechanism?
First, build a mechanism to actively defend against DDoS attacks.
Guard and Detector were acquired by Cisco this year and are now offered as modules, among the most popular ones. Their anti-DDoS protection can be described as a highly efficient product. When no DDoS attack is in progress, the Guard module sits in a sleep or offline state. When the Detector sees traffic sent to a protected host, it determines through algorithmic analysis and policy matching whether an attack is under way. If so, the Detector establishes an SSH connection to Guard and activates it to protect that host. Guard in turn analyzes the traffic against its policies and algorithms, decides on the appropriate response, discards illegitimate packets, rate-limits the rest, and forwards the packets that pass its analysis on to their destination. That completes the defense process. The module also has a smart learning function that makes the defense more precise. Its configuration is very simple because it is done through a graphical interface, so I will not go into the details here.
Of course, it is still possible to defend against DDoS attacks on routers without the Guard module. For example, you can use the common interface command ip verify unicast reverse-path (unicast RPF) to discard packets with spoofed source addresses; its simplest criterion is whether the router has a route back to the packet's source address through the interface on which the packet arrived. In addition, all RFC1918 addresses are filtered with an ACL. RFC1918 is the set of private LAN addresses, that is, reserved ranges such as 10.*.*.*, 192.*.*.* and 172.*.*.*.
Second, clearing a DDoS attack alert.
Of course, when an attacker succeeds because of some negligence, the network administrator's first task is to cut the attacker off. To do that, you must make a correct judgment about which source IP addresses are forged and which are real, find the real ones, and block them. The advantage of this method is that it removes the offenders immediately; the drawback is that some innocent users may be identified as attack sources. You can also block the route the attacker comes in through. Although this also clearly stops the attack, the probability of collateral damage rises, since all access through that route is blocked; this is only worth doing in exchange for a more stable service environment. In addition, limiting the rate of ICMP and SYN packets can effectively control DDoS attacks.
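The router-side measures from both sections (uRPF and the RFC1918 ACL from the first section, plus the ICMP and SYN rate limits from this one) combined into one Cisco IOS configuration, as an added example that is not from the original article or from Cisco's own documentation. The interface name, the 198.51.100.0/30 uplink address, the protected host 203.0.113.10 and the rate-limit values are constructed placeholders, and the rate limits use the legacy CAR `rate-limit` command rather than MQC policing.

```cisco
! Drop inbound packets claiming an RFC1918 (private) source address.
! Such sources can never be legitimately reached from the Internet.
ip access-list extended BLOCK-RFC1918-IN
 remark constructed example policy
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
!
! ACL 150 matches TCP packets to the protected host that are NOT part of
! an established connection, i.e. connection attempts (SYNs).
access-list 150 deny   tcp any host 203.0.113.10 established
access-list 150 permit tcp any host 203.0.113.10
!
! ACL 160 matches ICMP echo and echo-reply (ping floods).
access-list 160 permit icmp any any echo
access-list 160 permit icmp any any echo-reply
!
interface GigabitEthernet0/0
 description Internet-facing uplink (placeholder name and address)
 ip address 198.51.100.2 255.255.255.252
 ! Unicast RPF: discard a packet if there is no route back to its
 ! source address via this interface (strict mode).
 ip verify unicast reverse-path
 ! Apply the RFC1918 filter to traffic entering from the Internet.
 ip access-group BLOCK-RFC1918-IN in
 ! Police SYNs to 64 kbps with 8000-byte bursts; excess is dropped.
 rate-limit input access-group 150 64000 8000 8000 conform-action transmit exceed-action drop
 ! Police ping traffic to 256 kbps; excess is dropped.
 rate-limit input access-group 160 256000 8000 8000 conform-action transmit exceed-action drop
!
end
```

Strict uRPF is only safe on interfaces with symmetric routing; on multihomed uplinks it will discard legitimate asymmetric traffic, so verify with `show ip interface` and `show ip traffic` (which counts uRPF drops) before leaving it enabled.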
Here we only offer an approach to prevention and control. Users of Cisco routers will find these configuration steps very simple. In reality, in the battle to prevent and control DDoS attacks, breakthroughs can only be made in reducing the level and effect of an attack, lessening the damage it does, and forcing attackers to change their methods. Cisco's Guard module may be the most effective way to find attackers at any time, and more research into policy formulation may lead to further breakthroughs.