Users are probably no longer unfamiliar with this topic. On today's network such incidents are heard about often, for example the Tangshan hacker incident two months ago, in which the technique used was a DDOS attack. What makes this attack method so damaging is that the victim can no longer provide services to the outside world; if it lasts a long time it disrupts network traffic and causes serious economic losses. The main motives behind this type of attack are business competition, retaliation, network extortion and similar factors. In reality, DDOS cannot be completely prevented; however, users must take measures to defend against DDOS attacks as far as possible, so that the loss suffered when a DDOS attack does occur is kept to a minimum.
DOS stands for "Denial of Service" and DDOS stands for "Distributed Denial of Service". So what is DOS? It can be understood as any behavior that causes legitimate users to be unable to access normal network services. In other words, the purpose of a denial-of-service attack is to prevent legitimate users from accessing normal network resources and thereby achieve the attacker's ulterior motives. DOS can be said to be the predecessor of DDOS: to make the attack more effective, the distributed denial-of-service attack was created, which is what is usually called a DDOS attack. DDOS and DOS differ, however. A DDOS attack strategy relies on many "zombie hosts" (hosts that the attacker has compromised or can otherwise use indirectly) sending large numbers of seemingly valid network packets to the victim host, causing network congestion or exhausting server resources and so resulting in denial of service. Once a distributed denial-of-service attack is under way, attack packets flood the victim host, the packets of legitimate users are drowned out, and legitimate users cannot reach the server's network resources.
There are two main types of DDOS attack. The first is the traffic attack, aimed mainly at network bandwidth: a large number of attack packets saturate the bandwidth, so that legitimate packets are swamped by bogus ones and cannot reach the host. The second is the resource-depletion attack, aimed mainly at the server host: a large number of attack packets exhaust the host's memory or keep the CPU busy in the kernel and applications, so that the host can no longer provide network services.
How can you tell whether a website is under a traffic attack? Use the ping command to test: if ping times out or packet loss is severe (assuming it is normal at ordinary times), the site may be under a traffic attack, and if you also find that a server connected to the same switch as your host cannot be reached, you can be sure a traffic attack is under way. Of course, this test assumes that ICMP between you and the server host is not blocked by routers, firewalls or other devices; otherwise you can telnet to a network service port of the host server, and the conclusion is the same. What is certain is that if ping to your host server and to a host server on the same switch is normal at ordinary times, and then ping suddenly fails or suffers severe packet loss, and a network fault can be ruled out, then you are definitely under a traffic attack. Another typical sign of a traffic attack is that, once it is under way, remote connections to the website server may fail.
Compared with traffic attacks, resource-depletion attacks are easier to judge. If you normally ping the website host and access the website without trouble, and then find that the website is very slow or unreachable while ping still gets replies, it is most likely a resource-depletion attack. At this point, run netstat -an on the server: if you find a large number of connections in SYN_RECEIVED, TIME_WAIT, FIN_WAIT_1 and similar states and only a small number in ESTABLISHED, you can conclude that the host is suffering a resource-depletion attack. Another symptom caused by resource depletion: ping to your website host fails or loses many packets, while ping to a server on the same switch is normal. This is because, once the website host is attacked and CPU usage reaches 100%, the system kernel or some applications cannot respond to ping; the bandwidth is in fact still available, otherwise the host on the same switch could not be pinged either.
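The netstat -an check above can be automated so that an operator does not have to eyeball hundreds of lines. The following is an added example, not code from the original article: it parses the output of netstat -an (both the Windows layout the article has in mind and the Linux layout, whose state names differ slightly), counts connections per state, records which foreign hosts hold the half-open entries, and applies the article's heuristic that many SYN_RECEIVED/TIME_WAIT/FIN_WAIT_1 entries alongside few ESTABLISHED ones indicate resource depletion. The sample output and the thresholds (ratio and minimum count) are constructed assumptions and should be tuned to the host's normal baseline.

```python
"""Count TCP connection states in `netstat -an` output (added example).

Implements the article's resource-depletion heuristic: many half-open or
closing connections and few ESTABLISHED ones.  Sample data is constructed.
"""
import re
from collections import Counter

# States the article singles out as suspicious when they dominate.
# Windows reports SYN_RECEIVED / FIN_WAIT_1, Linux reports SYN_RECV / FIN_WAIT1.
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV", "TIME_WAIT", "FIN_WAIT_1", "FIN_WAIT1"}

# Constructed sample: mostly Windows-style lines, plus one Linux-style line
# (which carries Recv-Q/Send-Q columns before the addresses).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          203.0.113.5:40001      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.6:40002      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.7:40003      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.8:40004      SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.9:40005     TIME_WAIT
  TCP    192.0.2.10:80          198.51.100.10:40006    FIN_WAIT_1
  TCP    192.0.2.10:80          198.51.100.20:52000    ESTABLISHED
tcp        0      0 192.0.2.10:80          203.0.113.11:40007     SYN_RECV
  UDP    0.0.0.0:53             *:*
"""

# Proto, optional Recv-Q/Send-Q (Linux), local address, foreign address, state.
LINE_RE = re.compile(
    r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?(\S+)\s+(\S+)\s+([A-Z_0-9]+)\s*$", re.IGNORECASE
)


def parse_states(netstat_text):
    """Return (Counter of TCP states, Counter of foreign hosts in half-open states)."""
    states = Counter()
    half_open_peers = Counter()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, blank lines and UDP lines (no state column)
        _local, foreign, state = m.groups()
        state = state.upper()
        states[state] += 1
        if state in HALF_OPEN_STATES:
            host = foreign.rsplit(":", 1)[0]  # strip the port, keep IPv4 or [IPv6]
            half_open_peers[host] += 1
    return states, half_open_peers


def looks_like_resource_exhaustion(states, ratio=3.0, min_half_open=50):
    """Article's heuristic: half-open/closing entries dwarf ESTABLISHED ones.

    `ratio` and `min_half_open` are assumed thresholds; the minimum count keeps
    a quiet server with one or two stale TIME_WAITs from raising an alarm.
    """
    half_open = sum(states[s] for s in HALF_OPEN_STATES)
    established = states.get("ESTABLISHED", 0)
    return half_open >= min_half_open and half_open > ratio * max(established, 1)


if __name__ == "__main__":
    st, peers = parse_states(SAMPLE_NETSTAT)
    print("states:", dict(st))
    print("top half-open peers:", peers.most_common(3))
    print("resource exhaustion (low threshold):",
          looks_like_resource_exhaustion(st, min_half_open=5))
```

On a live host, pipe the real output in (for example `netstat -an | python netstat_states.py` after replacing SAMPLE_NETSTAT with sys.stdin.read()); the per-peer counter is what lets you tell a single misbehaving client from a distributed flood, where no one source dominates.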
The following is a typical DDOS attack:
Figure 1
The attack software xdos is used to simulate a DDOS attack:
◆ Application platform ◆
Windows2000 pro and IIS5.0.
◆ Practical process ◆
1. Determine the target
2. Attack the target
3. Defense methods
◆ Application tools ◆
Xdos: a typical DDOS attack tool running under DOS.
◆ Implementation steps ◆
1. Determine the target
A local environment is used here, as shown in:
Figure 2
You can use the ping command in cmd to obtain the IP address of the target site and so determine the target. The method is as follows:
1. Click Start > Run and press Enter to open the cmd window.
2. In cmd, enter ping www.****.com.cn to get the IP address of the *** website, as shown in:
Figure 3
Pinging antares. ***** .com.cn [218.30.66.65] with 32 bytes of data:
218.30.66.65 is the IP address of the *** website.
2. Attack the target
Xdos is used to attack this website. The command format is xdos ip port -t times -s *. Here ip is the IP address to be attacked and port is the port to be attacked; since this is an attack on the web service, port 80 is used. -t is followed by the number of attack rounds, generally 5 to 10, and -s * means a random forged source IP address. The complete command is as follows:
xdos 127.0.0.1 80 -t 5 -s *
As shown in the following figure, the attack is in progress:
Figure 4
Then look at the attacked website, as shown in:
Figure 5
The site reports that too many users are connected and access is refused, which means the attack has succeeded.
TIPS: Currently there are three main DDOS attack techniques:
1. SYN/ACK flood attack
2. TCP full-connection attack
3. Script flooding attack
3. Defense methods
A lot has been said above about DDOS attack techniques. How can users defend against DDOS attacks and keep their losses from a DDOS attack to a minimum? First, users should be clear about one thing: DDOS attacks cannot be completely eliminated, only reduced in intensity, and they cannot be stopped by some security product alone; users need to take preventive measures on several fronts to defend against DDOS attacks to the greatest extent possible. The following are the most effective measures, distilled from the experience of those who have been resisting DDOS attacks for many years:
1. Use high-performance network devices: first, make sure the network devices do not become the bottleneck. When selecting routers, switches, hardware firewalls and other devices, choose well-specified products with a good reputation. It is better still to have a special relationship or agreement with the network provider: when a large-scale attack occurs, asking them to rate-limit the traffic at the network point is very effective against some types of DDOS attack.
2. Try to avoid NAT: whether on a router or a hardware firewall, try to avoid using network address translation (NAT), because it greatly reduces network throughput. The reason is simple: NAT has to translate addresses in both directions, and during translation the packet checksum must be recomputed, which wastes a lot of CPU time. Sometimes, however, NAT is unavoidable, and then there is no good way around it.
3. Sufficient network bandwidth: network bandwidth directly determines the ability to withstand an attack. With only 10 Mbps of bandwidth it is hard to defend against current SYN flood attacks no matter what measures are taken; at present you must choose at least Mbps of shared bandwidth, and the best choice is of course to sit on a Mbps trunk. Note, however, that if the NIC on the host is m, that does not mean the network bandwidth is 1 Gigabit: if it is connected to a m switch, the actual bandwidth is no more than 100 M, and being connected at M does not equal M of bandwidth either, because the network service provider may cap the actual bandwidth at 10 M on the switch. This must be clarified with the provider.
4. Upgrade the host server hardware: once network bandwidth is guaranteed, upgrade the hardware configuration as far as possible. To effectively withstand 100,000 SYN attack packets per second, the server configuration should be at least P4 2.4G/DDR512M/SCSI-HD. The key components are the CPU and memory: if a strong dual CPU is available, use it; the memory must be high-speed DDR; and for hard disks choose SCSI wherever possible rather than cheap IDE, or you will pay a high price in performance. By the same token, choose a brand such as 3COM or Intel for the NIC; Realtek is fine for your own PC.
5. Make the website static: a great deal of evidence shows that making a website as static as possible not only greatly improves its resistance to attack but also makes hacker intrusion much harder; at least so far, no "HTML overflow" has appeared. Look at Sina, Sohu, Netease and the other portal sites, which are mainly static pages. If dynamic scripts are needed, put them on a separate host so that the primary server is not affected by attacks; scripts that do not call the database are of course fine to leave in place. In addition, scripts that do call the database should preferably refuse access through proxies, since experience shows that 80% of accesses to your website through a proxy are malicious.
6. Harden the operating system's TCP/IP stack: as server operating systems, Win2000 and Win2003 have some ability to withstand DDOS attacks, but it is not enabled by default. When enabled it can withstand roughly 10,000 SYN attack packets; when not enabled, only a few hundred. How to enable it? See Microsoft's article:
http://www.microsoft.com/china/technet/security/guidance/secmod109.mspx
Some may ask what to do on Linux and FreeBSD. That is easy; follow this article:
http://cr.yp.to/syncookies.html
7. Install a professional anti-DDOS firewall.
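The SYN cookie technique referenced above is what lets a TCP stack survive a SYN flood without keeping per-connection state for every half-open connection: the server encodes what it needs into the initial sequence number of its SYN-ACK and only allocates state when a valid ACK comes back. The following is an added, illustrative implementation, not the article's code and not the Linux or FreeBSD kernel code. It follows the layout described on the cr.yp.to page (top 5 bits: a slow counter t mod 32; next 3 bits: an index into a small MSS table; bottom 24 bits: a keyed function of the client and server addresses and ports and t). The MSS table, the HMAC-SHA256 choice for the keyed function, the secret and the 4-tick freshness window are assumptions of this example.

```python
"""Toy SYN cookie encoder/validator (added example, layout per cr.yp.to/syncookies.html).

Cookie (32 bits) = [t mod 32 : 5][MSS index : 3][MAC24(src, sport, dst, dport, t) : 24]
The server puts the cookie in its SYN-ACK sequence number; the client's ACK
carries cookie + 1, and the server recomputes everything from the ACK alone.
"""
import hashlib
import hmac
import ipaddress
import struct

# Assumed MSS table (8 entries so the index fits in 3 bits); real stacks use their own.
MSS_TABLE = (536, 1024, 1220, 1440, 1460, 4312, 8960, 9000)


def _mac24(src, sport, dst, dport, t, secret):
    """Keyed 24-bit tag over the 4-tuple and the counter value t."""
    msg = (ipaddress.ip_address(src).packed + struct.pack("!H", sport)
           + ipaddress.ip_address(dst).packed + struct.pack("!HI", dport, t))
    return hmac.new(secret, msg, hashlib.sha256).digest()[:3]


def _mss_index(mss):
    """Largest table entry not exceeding the client's MSS (index 0 if none)."""
    candidates = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    return max(candidates) if candidates else 0


def make_syn_cookie(src, sport, dst, dport, mss, t, secret):
    """Build the SYN-ACK initial sequence number for a SYN from (src, sport)."""
    idx = _mss_index(mss)
    mac = int.from_bytes(_mac24(src, sport, dst, dport, t, secret), "big")
    return ((t & 0x1F) << 27) | (idx << 24) | mac


def check_syn_cookie(cookie, src, sport, dst, dport, t_now, secret, max_age=4):
    """Validate an ACK's (ack_number - 1). Returns the agreed MSS, or None if invalid.

    t is reconstructed as the most recent counter value whose low 5 bits match
    the cookie; a cookie older than max_age ticks is rejected, so a replayed or
    guessed cookie has only a short window and a 2^-24 chance per attempt.
    """
    top = (cookie >> 27) & 0x1F
    idx = (cookie >> 24) & 0x7
    t = t_now - ((t_now - top) & 0x1F)
    if t_now - t > max_age:
        return None
    expected = _mac24(src, sport, dst, dport, t, secret)
    actual = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if not hmac.compare_digest(expected, actual):
        return None
    return MSS_TABLE[idx]


if __name__ == "__main__":
    secret = b"constructed-example-secret"            # assumed; rotate in practice
    c = make_syn_cookie("203.0.113.5", 40001, "192.0.2.10", 80, 1460, 100, secret)
    print(hex(c), check_syn_cookie(c, "203.0.113.5", 40001, "192.0.2.10", 80, 102, secret))
```

The point to notice is what the validator needs: only the ACK's header fields, the current counter and the secret. Nothing was stored when the SYN arrived, so a flood of SYNs from forged addresses (the -s * behaviour shown earlier) costs the server one HMAC per SYN-ACK rather than a backlog entry, which is exactly the resource the attack tries to exhaust.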
The seven anti-DDOS suggestions above suit the great majority of users who run their own hosts. If these measures still fail to solve the DDOS problem, things get a little more troublesome and more investment may be needed: increase the number of servers and adopt DNS round-robin or server load balancing, or even purchase layer-7 switch devices, to multiply the anti-DDOS capacity.