A DDoS attack uses a large group of compromised machines to attack a single target. Because the traffic arrives suddenly and from many sources at once, it is hard to defend against and far more damaging than a single-source DoS. Against an ordinary DoS an administrator could simply filter the offending IP address; against a DDoS, where most of the source addresses are forged, that no longer works. DDoS is therefore much harder to prevent, so what measures actually help? We look at the problem from two angles below.
First, look for opportunities to respond while under attack
Once an attack is under way there is little the target can do. An attack of this scale against an unprepared network is likely to have saturated it before the operators even realise what is happening. Even so, a few measures can buy time or reduce the damage.
(1) Check where the attack is coming from. Attackers typically send traffic from a large number of forged source IP addresses. If you can tell genuine sources from forged ones, work out which network segments the genuine ones belong to and get the administrators of those networks to shut the offending machines down, the attack can be cut off at the source. If the addresses turn out to be external rather than from the company's own address space, a temporary filter on the server or the border router can block them. Bear in mind that this only helps against sources that are real; forged addresses change constantly, so a filter built from them becomes stale almost immediately.
(2) Identify the path the attack traffic takes and block it there. If the attack arrives on particular ports, those ports can be closed to keep it out. This is of little use, however, when the company has a single Internet uplink and the DDoS comes from outside, since closing the ports on that uplink cuts every machine off from the Internet.
(3) A blunter, last-resort option is to filter ICMP at the router. This will not stop an attack that is already in progress, but it can keep an ICMP-based flood from growing and reduce its impact to some degree. Blanket ICMP filtering also breaks path MTU discovery and basic diagnostics such as ping, so treat it as a temporary measure rather than a permanent setting.
Second, prevent attacks in advance
DDoS is one of the most common attacks, and the usual countermeasures are listed below.
(1) Filter all RFC 1918 addresses
The RFC 1918 addresses are the private ranges reserved for internal networks: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. They are never routed on the public Internet, so any packet arriving from the Internet with one of these source addresses is forged (or leaked) and should be dropped at the border. The point is not to restrict internal employees but to discard the large volume of packets with forged private source addresses that attackers send during a flood, which also takes some load off the target.
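The following Python script is an added example and not code from the original article. It covers both the triage described in the first section (telling forged sources from real ones and finding which segments they come from) and the RFC 1918 filtering described here: it reads constructed flow records, drops sources in the three private ranges outright, aggregates the remaining sources by /24 so a flood from many forged hosts in one block shows up as a single segment, and renders temporary iptables-style drop rules. The record format, the packet threshold and the rule syntax are assumptions for the example.

```python
"""Added example, not code from the original article: triage of attack
sources from constructed flow records. Sources in the RFC 1918 ranges are
forged (or leaked) and are filtered outright; the remaining sources are
aggregated by /24 so the noisiest segments can be reported and filtered.
The record format and the thresholds are assumptions for this example."""
from collections import Counter
from ipaddress import ip_address, ip_network

# The three RFC 1918 private ranges. They are never routed on the Internet,
# so a packet arriving from outside with one of these as its source is forged.
RFC1918 = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_flows(lines):
    """Parse constructed 'src_ip dst_port packets' records into tuples."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dport, count = line.split()
        flows.append((src, int(dport), int(count)))
    return flows


def triage(flows, top_n=3, min_packets=100):
    """Split sources into forged-private hits and the busiest routable /24s.

    Aggregating by /24 makes a flood from many forged hosts in one block show
    up as a single segment an operator can act on; min_packets keeps small,
    probably legitimate segments off the block list.
    """
    bogon = Counter()
    segments = Counter()
    for src, _dport, count in flows:
        if is_rfc1918(src):
            bogon[src] += count
        else:
            net = ip_network(f"{src}/24", strict=False)
            segments[str(net)] += count
    noisy = [(seg, n) for seg, n in segments.most_common(top_n) if n >= min_packets]
    return bogon, noisy


def rules_for(noisy):
    """Render temporary iptables-style drop rules (illustrative, for a Linux host)."""
    rules = [f"iptables -I INPUT -s {net} -j DROP" for net in map(str, RFC1918)]
    rules += [f"iptables -I INPUT -s {seg} -j DROP" for seg, _ in noisy]
    return rules


# Constructed sample: one real client, two forged private sources and a
# flood from several hosts in one external /24.
SAMPLE = """
# src_ip        dst_port  packets
203.0.113.7     80        12
10.1.2.3        80        500
192.168.5.9     443       220
198.51.100.10   80        900
198.51.100.11   80        850
198.51.100.12   80        870
""".splitlines()

if __name__ == "__main__":
    bogon, noisy = triage(parse_flows(SAMPLE))
    print("forged private sources:", dict(bogon))
    print("noisy external segments:", noisy)
    for rule in rules_for(noisy):
        print(rule)
```

Note that a /24 rule is deliberately coarse: it also drops any legitimate client that happens to share the block, which is the trade-off the section above describes. The RFC 1918 rules, by contrast, can stay in place permanently on an Internet-facing interface.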
(2) Have enough capacity to absorb the attack
In principle this is the ideal strategy. If the target has enough capacity and resources, the attacker's traffic is simply absorbed; the attacker burns through their own resources before the target goes down and eventually gives up. In practice it requires a large investment in equipment that sits idle most of the time, which does not match how most small and medium-sized networks actually operate.
(3) Make full use of network equipment to protect network resources
Network equipment here means routers, firewalls and load-balancing devices, which can shield the network as a whole. When an attack hits, the router is usually the first device to be overwhelmed while the machines behind it stay up, and a router recovers as soon as it is restarted, which is quick and loses no data. If a server is overwhelmed instead, data can be lost and bringing it back takes much longer. With load-balancing equipment in place, when one router is knocked out another takes over immediately, which keeps the impact of a DDoS attack to a minimum.
(4) Deploy firewalls at backbone nodes
A firewall can itself absorb DDoS and other attacks. Once an attack is detected, it can be redirected onto sacrificial hosts so that the real servers are shielded. These sacrificial hosts should be unimportant machines, ideally running systems such as Linux or UNIX that expose few vulnerabilities and hold up well under attack.
(5) Filter unnecessary services and ports
Use the router's filtering features to drop traffic to unneeded services and ports and to discard packets with forged source addresses. On Cisco routers, for example, Cisco Express Forwarding (CEF) lets the router check a packet's source address against its forwarding table and drop packets whose source is inconsistent with the route. Opening only the ports a server actually needs has become standard practice: a web server, for instance, opens only port 80 and closes or firewalls everything else.
(6) Limit SYN/ICMP traffic
Configure a maximum rate for SYN and ICMP traffic on the router, capping the bandwidth such packets may occupy. When the volume of SYN or ICMP packets exceeds that limit it is no longer normal traffic but an attack, and the excess is dropped. Limiting SYN/ICMP traffic was once the best defence against DoS; against today's DDoS attacks its effect is limited, but it still helps.
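As an added example (not the article's own code), the Python replay below shows what a SYN/ICMP rate limit actually does to a packet stream. It runs a constructed timeline of normal traffic plus a SYN and ICMP flood through one token bucket per class and reports how much of the flood is cut and how many legitimate packets are dropped alongside it, which is the cost the paragraph above hints at when it says the limit cannot tell a burst of real traffic from an attack. The packet format, the rates and the burst sizes are assumptions for the example, not recommended values.

```python
"""Added example (not the article's own code): token-bucket limits for SYN and
ICMP packets, replayed over a constructed packet timeline to show both the
flood being cut and the collateral cost to legitimate traffic. The rates and
burst sizes are illustrative assumptions, not recommended values."""
from fractions import Fraction


class TokenBucket:
    """Classic token bucket; exact arithmetic so the replay is deterministic."""

    def __init__(self, rate_per_sec, burst):
        self.rate = Fraction(rate_per_sec)
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)   # start full
        self.last_ms = 0

    def allow(self, now_ms):
        # Refill in proportion to elapsed time, cap at burst, then spend one token.
        refill = self.rate * Fraction(now_ms - self.last_ms, 1000)
        self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def classify(pkt):
    """'syn' for a bare TCP SYN, 'icmp' for ICMP, else 'other'."""
    _ms, proto, flags, _label = pkt
    if proto == "tcp" and "S" in flags and "A" not in flags:
        return "syn"
    if proto == "icmp":
        return "icmp"
    return "other"


def apply_limits(packets, limits):
    """Replay packets in time order through per-class buckets.

    Returns per-class pass/drop counts and the number of legitimate packets
    dropped as collateral damage (the limiter cannot tell them apart).
    """
    stats = {cls: {"passed": 0, "dropped": 0} for cls in list(limits) + ["other"]}
    collateral = 0
    for pkt in sorted(packets):
        cls = classify(pkt)
        bucket = limits.get(cls)
        if bucket is None or bucket.allow(pkt[0]):
            stats[cls]["passed"] += 1
        else:
            stats[cls]["dropped"] += 1
            if pkt[3] == "legit":
                collateral += 1
    return stats, collateral


def build_sample():
    """Constructed timeline of (ms, proto, tcp flags, label): normal traffic
    plus a SYN/ICMP flood that starts at t=5000 ms."""
    legit = [(t, "tcp", "S", "legit") for t in (0, 1000, 2000, 3000, 4000, 5150)]
    legit += [(50, "tcp", "A", "legit"), (1050, "tcp", "A", "legit"),
              (2050, "tcp", "SA", "legit")]
    legit += [(500, "icmp", "", "legit"), (2500, "icmp", "", "legit")]
    flood = [(5000 + i, "tcp", "S", "flood") for i in range(200)]       # 200 SYN/s
    flood += [(5000 + 2 * i, "icmp", "", "flood") for i in range(50)]   # 500 ICMP/s
    return legit + flood


def run_demo():
    limits = {"syn": TokenBucket(rate_per_sec=10, burst=20),
              "icmp": TokenBucket(rate_per_sec=2, burst=5)}
    return apply_limits(build_sample(), limits)


if __name__ == "__main__":
    stats, collateral = run_demo()
    for cls, counts in stats.items():
        print(f"{cls:5s} passed={counts['passed']:4d} dropped={counts['dropped']:4d}")
    print("legitimate packets dropped:", collateral)
```

Of the 200 flood SYNs only the initial burst plus a trickle get through, but the one genuine SYN that arrives during the flood is dropped too: a rate limit caps the damage, it does not separate attacker from victim, which is why the section calls it a partial measure against DDoS.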
(7) Scan regularly
Scan the network's key hosts regularly, take stock of potential vulnerabilities and fix newly discovered ones promptly. Backbone hosts have high bandwidth, which makes them an attacker's preferred platform, so hardening those hosts themselves is essential. The machines at the network's core are server-class systems, which makes periodic vulnerability scanning all the more important.
(8) Verify the source of incoming traffic
Use unicast Reverse Path Forwarding (uRPF) to check, by means of a reverse lookup in the routing table, whether a packet's source address is plausible for the interface it arrived on, and discard it if it is not. Attackers routinely use forged source addresses to disguise where an attack comes from, which makes it hard to trace. uRPF cuts down the number of forged source addresses that get through and so improves network security.
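The Python simulation below is an added example, not code from the article or from any router vendor. It models the uRPF check over a constructed forwarding table in both strict mode (the best return route to the source must leave through the interface the packet arrived on) and loose mode (any non-null route to the source suffices), and shows which forged sources each mode catches. It also models the common vendor behaviour of ignoring the default route unless explicitly allowed. The interface names, prefixes and the sample packets are all made up for the example.

```python
"""Added example (not from the article): a simulation of unicast RPF in strict
and loose mode over a constructed forwarding table. Interface names, prefixes
and sample packets are made up for the example."""
from ipaddress import ip_address, ip_network

# Constructed FIB: prefix -> outbound interface. None marks a null route
# (blackhole), which uRPF treats as "no valid path to the source".
FIB = {
    ip_network("0.0.0.0/0"): "Gi0/0",        # default route toward the upstream
    ip_network("203.0.113.0/24"): "Gi0/1",   # first customer segment
    ip_network("198.51.100.0/24"): "Gi0/2",  # second customer segment
    ip_network("192.0.2.0/24"): None,        # null-routed (e.g. a bogon sink)
}


def lookup(src, allow_default=False):
    """Longest-prefix match for src; the default route only counts if allowed.

    Returns (prefix, interface), or (None, None) when there is no route.
    """
    ip = ip_address(src)
    best = None
    for prefix, iface in FIB.items():
        if prefix.prefixlen == 0 and not allow_default:
            continue
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best if best else (None, None)


def urpf_check(src, ingress, mode="strict", allow_default=False):
    """True if a packet from src arriving on ingress passes uRPF.

    strict: the return path to src must leave via the ingress interface.
    loose:  any non-null route to src suffices, so it only catches sources
            that are unroutable or blackholed.
    """
    prefix, iface = lookup(src, allow_default)
    if prefix is None or iface is None:
        return False                 # no route, or blackholed: always dropped
    if mode == "loose":
        return True
    return iface == ingress


def filter_packets(packets, mode, allow_default=False):
    """Apply uRPF to (src, ingress) pairs; return the sources that were dropped."""
    return [src for src, ingress in packets
            if not urpf_check(src, ingress, mode, allow_default)]


# Constructed sample packets as (source address, ingress interface).
SAMPLE = [
    ("203.0.113.5", "Gi0/1"),   # genuine packet from the first customer
    ("8.8.8.8", "Gi0/1"),       # customer forging a public Internet address
    ("203.0.113.5", "Gi0/0"),   # Internet host forging our customer's address
    ("192.0.2.1", "Gi0/0"),     # null-routed source
    ("198.51.100.9", "Gi0/2"),  # genuine packet from the second customer
]

if __name__ == "__main__":
    for mode, allow in (("strict", False), ("loose", False), ("loose", True)):
        dropped = filter_packets(SAMPLE, mode, allow)
        print(f"{mode:6s} allow_default={allow!s:5s} dropped: {dropped}")
```

Strict mode catches both the customer forging an outside address and the outsider forging the customer's address, which is why it belongs on customer-facing interfaces where routing is symmetric. On an upstream interface strict mode would drop legitimate traffic whenever the return path is asymmetric, so loose mode is used there, and the run shows its limit: it passes the packet that forges our own customer's address and catches only sources with no route or a null route.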