Introduction of several methods of preventing against DDoS

Keep your Web site Defensive DDoS attack guide, with the increase of Internet network bandwidth and the rapid development of multiple DDoS hacker tools, DDoS Denial-of-service attacks are becoming more and more easy, and DDoS attacks are on the rise. To solve the problem of DDoS attack, the network service provider must consider the top priority.

This paper mainly introduces several methods to prevent and defend against DDoS.

One, why should DDoS?

With the increase of Internet network bandwidth and the continuous release of multiple DDoS hacker tools, DDoS attack is becoming more and more easy to implement. Out of commercial competition, retaliation and network blackmail and many other factors, resulting in a lot of IDC hosting rooms, business sites, game servers, chat networks and other network service providers have long been plagued by DDoS attacks, followed by customer complaints, with the virtual host users are implicated, legal disputes, business losses and a series of problems, Therefore, to solve the problem of DDoS attack is a network service provider must consider the first priority.

Second, what is DDoS?

DDoS is the abbreviation of the English Distributed denial of service, meaning "distributed denial of service", then what is the denial of service (denial of services)? You can understand that. Any behavior that causes legitimate users to not be able to access normal network services is a denial of service attack. In other words, the purpose of the Denial-of-service attack is very clear, that is, to prevent legitimate users from accessing the normal network resources, so as to achieve the ulterior motives of the attackers.

Although the same denial of service attack, however, DDoS and DOS are still different, DDoS attack strategy focused on many "zombie host" (by the attacker or indirect use of the host) to the victim host to send a large number of seemingly legitimate network packets, resulting in network congestion or server resources exhaustion caused by denial of service , once the distributed denial of service attack is implemented, the attack network packet will flood to the victim host, which can drown the legitimate users ' network packets, and cause the legitimate users to not access the server's network resources normally, so the denial of service attack is called "flood attack".

The common methods of DDoS attack are SYN Flood, ACK Flood, UDP Flood, ICMP Flood, TCP Flood, Connections Flood, Script Flood, Proxy Flood, etc. While DOS focuses on the use of host-specific vulnerabilities caused by the network stack failure, system crashes, host crashes and can not provide normal network service functions, resulting in denial of service, common Dos attack means teardrop, land, Jolt, IGMP Nuker, Boink, Smurf, Bonk, OOB and so on. In terms of these two denial of service attacks, the main harm is mainly DDoS attacks, because it is difficult to prevent, as for Dos attacks, by patching the host server or install firewall software can be very good defense, the text will detail how to deal with DDoS attacks.

Have you been DDoS?

There are two main types of DDoS manifestations, a kind of traffic attacks, mainly for network bandwidth attacks, that is, a large number of attack packets caused network bandwidth is blocked, legitimate network packets are covered by a false attack packet can not reach the host, another for resource depletion attacks, mainly for server host attacks, This means that a large number of attack packets cause the memory of the host to be depleted or the CPU is occupied by the kernel and the application, which cannot provide network services.

How to determine if the site has suffered traffic attacks? Ping to test, if you find that ping timeout or packet loss is serious (assuming normal), you may suffer from traffic attacks, if found and your host on the same switch server can not access, the basic certainty is that the flow of attack.

Of course, the premise of this test is that you go to the server host between the ICMP protocol is not blocked by routers and firewalls and other devices, otherwise you can take Telnet host server network service port to test, the effect is the same. But there is one thing to be sure, if you normally ping your host server and connected to the same switch on the host server is normal, all of a sudden ping or is a serious loss of packets, then if you can eliminate the network failure factors are certainly suffering from traffic attacks, and then a typical traffic attack is, Once a traffic attack occurs, it is found that connecting to the Web server with a remote terminal fails.

Relative to the traffic attack, resource exhaustion attack to be easy to judge some, if peacetime ping the website host and visit the website are normal, found suddenly website visit is very slow or inaccessible, and ping can ping, it is likely to suffer from resource depletion attack, at this time if the server with Netstat -na command observed a large number of syn_received, time_wait, fin_wait_1 and other states exist, and established very few, you can be determined to be a resource-exhausted attack.

Another kind of resource exhaustion attack is that ping your own web site host ping or packet loss is serious, and Ping and its own host on the same switch on the server is normal, this is due to the site host after the attack caused the system kernel or some applications CPU utilization up to 100% Unable to respond to the ping command, in fact, there is still bandwidth, otherwise ping does not connect the host on the same switch.

There are currently three popular DDoS attacks:

1, Syn/ack flood attack: This attack method is the classic most effective DDoS method, can kill a variety of system network services, mainly by sending a large number of spoofed source IP and source port to the injured host SYN or ACK packets, resulting in the host's cache resources are depleted or busy sending response packets caused by denial of service , because the source is forged so it is difficult to track, the disadvantage is that the implementation of a certain degree of difficulty, the need for high bandwidth zombie host support.

A small amount of this attack will cause the host server to be inaccessible, but can ping the pass, the Netstat-na command on the server will be observed a large number of syn_received state, a large number of such attacks will cause ping failure, TCP/IP stack failure, and will appear system solidification phenomenon , which does not respond to the keyboard and mouse. Most common firewalls cannot withstand this kind of attack.

2, TCP full connection attack: This attack is to bypass the conventional firewall inspection and design, generally, the general firewall has a filter teardrop, land and other Dos attacks, but for the normal TCP connection is spared, but many network services programs (such as: IIS, The number of TCP connections that are acceptable to Apache and other Web servers is limited.

Once you have a large number of TCP connections, even if it is normal, it will cause Web site access is very slow or inaccessible, TCP full connection attack is through many zombie hosts constantly with the victim server to establish a large number of TCP connections, until the server's memory and other resources are being dragged across, resulting in denial of service, This attack is characterized by bypassing the general firewall protection to achieve the purpose of the attack, the disadvantage is to find a lot of zombie hosts, and because the zombie host IP is exposed, so easy to be traced.

3, Brush script scripts attack: This attack is mainly for the existence of ASP, JSP, PHP, CGI and other scripting programs, and call MSSQLServer, MySQLServer, Oracle and other databases of the Web site system design, characterized by the server to establish a normal TCP connection , and constantly to the script to submit queries, lists, and so a large number of resource-consuming database resources, typical of a small broad attack method.

In general, the cost of submitting a GET or post instruction to the client is almost negligible, and the server may have to trace a record from tens of thousands of records to handle the request, a process that is expensive for resources, A common database server can rarely support hundreds of of simultaneous query execution, which is easy for the client, so the attacker can simply send a large number of query instructions to the host server via proxy proxies and consume server resources in minutes to cause a denial of service.

Common phenomenon is that the site is slow, such as snail, ASP program invalidation, PHP connection database failure, database main program CPU high. This attack is characterized by a complete bypass of common firewall protection, easy to find some proxy proxy can be implemented to attack, the disadvantage is to deal with static pages only the effect of the site will be greatly compromised, and some proxies will expose the attacker's IP address.

The above is a description of the Defense DDoS attack guide and hopefully will give you some help in this regard.