Resolving DNS attack problems using Dnscrypt

Source: Internet
Author: User

Large websites are attacked constantly and are often pushed to the limit of their capacity, yet the companies and networks behind them keep working to absorb or divert those attacks, because the one thing that matters is keeping the site reachable for normal visitors. Even if you run only a small site, such as a small company's web presence, you never know when someone will decide to target you. So let us look at some of the details and attack patterns behind DDoS, so that we can make our own networks more secure.

Multiple approaches to DDoS attacks

Denial of service was once a very simple way of attacking. Someone would run the ping command on their own computer against the target address, as fast as it would go, flooding the other end with ICMP echo requests. Of course, for this to work the attacker needed more bandwidth than the target, so attackers first moved to places with large hosts and plenty of bandwidth, such as university or research-institute servers, and attacked from there. Modern botnets, by contrast, are available almost anywhere and are relatively simple to operate, which makes the attack fully distributed and much harder to trace.

In fact, thanks to malware authors, operating botnets has become an industry of its own. Botnet operators rent out their compromised machines ("zombies") and charge by the hour. If someone wants to take a website down, they only have to pay enough, and thousands of zombie computers will attack the site. A single infected computer may not be able to bring a site down, but if more than 10,000 computers send requests at the same time, they will saturate an unprotected server.

Multiple attack types

The ping command shows how easily ICMP requests can congest a network, but ICMP is only one option. DDoS attacks can be carried out in many different ways.

There is also the SYN attack. The attacker simply opens TCP connections to the website, as any client would, but never completes the initial three-way handshake, so the half-open connections sit on the server and consume its resources.

Another clever approach uses DNS. Many network providers run their own DNS servers and allow anyone to query them, including people who are not their customers. DNS normally runs over UDP, which is a connectionless transport-layer protocol. With these two conditions in place, it is very easy for attackers to launch a denial-of-service attack. All they have to do is find an open DNS resolver, build a UDP packet with a forged source address (the address of the target site), and send it to that server. The server believes the request and sends its response to the spoofed address. As a result, the target site receives responses from a group of open resolvers all over the Internet, and those resolvers take the place of a botnet. This kind of attack also scales very well: a small UDP packet can ask the DNS server for a large dump of records, which produces a much larger response than the request.
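The two sides of the DNS reflection problem described above can both be spotted from ordinary flow records: a host on your prefix that receives large DNS responses from many resolvers without ever having sent queries is being used as the target, and a host on your prefix that answers port-53 queries from the outside world is an open resolver that others can reflect off. The following detector is an added example, not code from the original article; the flow records, the protected prefix (`198.51.100.0/24`, a documentation range) and the thresholds are all constructed for illustration.

```python
"""Detect DNS reflection toward, and open resolvers inside, a protected prefix.

Added example, not part of the original article. Flow records are constructed
inline; in practice they would come from NetFlow/sFlow or a firewall log.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: this is "our" address space (RFC 5737 documentation range).
PROTECTED = ip_network("198.51.100.0/24")


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    proto: str     # "udp" or "tcp"
    nbytes: int


def _ours(addr: str) -> bool:
    return ip_address(addr) in PROTECTED


def is_dns_query(f: Flow) -> bool:
    return f.proto == "udp" and f.dport == 53


def is_dns_response(f: Flow) -> bool:
    return f.proto == "udp" and f.sport == 53


def find_reflection_targets(flows, amp_threshold=10.0, min_resolvers=3):
    """Hosts on our prefix receiving far more DNS response bytes than they
    sent as queries, from several distinct resolvers. Returns {host: details}."""
    query_bytes = defaultdict(int)      # our host -> bytes of queries it sent
    response_bytes = defaultdict(int)   # our host -> bytes of responses it got
    resolvers = defaultdict(set)        # our host -> resolver IPs answering it
    for f in flows:
        if is_dns_query(f) and _ours(f.src):
            query_bytes[f.src] += f.nbytes
        elif is_dns_response(f) and _ours(f.dst):
            response_bytes[f.dst] += f.nbytes
            resolvers[f.dst].add(f.src)
    alerts = {}
    for host, rbytes in response_bytes.items():
        qbytes = query_bytes.get(host, 0)
        # No queries at all means every byte is unsolicited: treat ratio as infinite.
        ratio = rbytes / qbytes if qbytes else float("inf")
        if ratio >= amp_threshold and len(resolvers[host]) >= min_resolvers:
            alerts[host] = {"response_bytes": rbytes, "query_bytes": qbytes,
                            "ratio": ratio, "resolvers": len(resolvers[host])}
    return alerts


def find_open_resolvers(flows):
    """Hosts on our prefix that send DNS responses to addresses outside it:
    these answer the whole Internet and can be used as reflectors."""
    return sorted({f.src for f in flows
                   if is_dns_response(f) and _ours(f.src) and not _ours(f.dst)})


# Constructed sample: one legitimate client, one reflection victim, one open resolver.
SAMPLE_FLOWS = [
    # 198.51.100.10 queries its normal resolver and gets modest answers (ratio 2).
    Flow(0.0, "198.51.100.10", 50001, "203.0.113.53", 53, "udp", 60),
    Flow(0.1, "203.0.113.53", 53, "198.51.100.10", 50001, "udp", 120),
    Flow(0.5, "198.51.100.10", 50002, "203.0.113.53", 53, "udp", 60),
    Flow(0.6, "203.0.113.53", 53, "198.51.100.10", 50002, "udp", 120),
    # 198.51.100.20 never sent a query but receives large answers from 5 resolvers.
    *[Flow(1.0 + i, f"192.0.2.{i + 1}", 53, "198.51.100.20", 4444, "udp", 3000)
      for i in range(5)],
    # 198.51.100.53 answers a query from an outside address: an open resolver.
    Flow(2.0, "203.0.113.99", 40000, "198.51.100.53", 53, "udp", 60),
    Flow(2.1, "198.51.100.53", 53, "203.0.113.99", 40000, "udp", 512),
]

if __name__ == "__main__":
    print("reflection targets:", find_reflection_targets(SAMPLE_FLOWS))
    print("open resolvers:", find_open_resolvers(SAMPLE_FLOWS))
```

On the constructed sample the legitimate client is not flagged (its response/query ratio is 2 and it talks to a single resolver), the victim is flagged with an infinite ratio and five resolvers, and the host answering outside queries is listed as an open resolver that should be locked down.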

How to Protect your network

As you can see, DDoS attacks come in many forms, and when you build a defence against DDoS you need to understand the ways these attacks vary.

The most simple-minded defence is to spend a great deal of money on more bandwidth. Denial of service is a numbers game: if 10,000 systems each send 1 Mbps of traffic, your server is receiving 10 Gbps, which is enough to cause congestion. The usual rules of redundancy apply here. You need more servers, data centres around the globe, and better load balancing. Spreading traffic across multiple servers balances the load, and more bandwidth helps you cope with all kinds of large traffic volumes. But modern DDoS attacks keep growing, ever more bandwidth is needed, and your budget simply cannot keep up. Also, much of the time your site is not the real target of the traffic, a point many administrators forget.

The most critical piece of the network is the DNS server. Leaving a DNS resolver open is never acceptable; lock it down to remove one whole category of attack. But after doing this, are our servers secure? The answer is no. Even if your site itself is fine, if nobody can reach your DNS server to resolve your domain name, that is just as bad. Most domain registrations require two DNS servers, but that is far from enough. You want your DNS servers, your web site and your other resources to all be load-balanced and protected. You can also use the redundant DNS offered by some companies. For example, many people use content distribution networks (distributed hosting) to deliver files to customers, which is a good way to defend against DDoS attacks. Many companies offer this kind of enhanced DNS protection if you need it.

If you manage your own network and data, then you need to focus on protecting the network layer and configuring it carefully. First make sure all of your routers drop junk packets and that unused protocols, such as ICMP, are blocked. Then set up the firewall. Since your site will never need arbitrary DNS servers to reach it, there is no reason to let UDP port 53 packets through to your server. You can also ask your provider to help with settings at the network boundary, filtering useless traffic so that you keep as much unobstructed bandwidth as possible. Many network providers offer this service to enterprises: contact their network operations centre and have them help you shape traffic and monitor whether you are under attack.

SYN attacks can likewise be blocked in many ways, for example by increasing the TCP backlog, shortening the SYN-RECEIVED timer, or using a SYN cache.
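To make the backlog-and-timer idea concrete, here is an added simulation (not code from the original article, and a simplification of what a real TCP stack does) of a bounded half-open connection table: a flood of SYNs that never complete the handshake fills the backlog, a legitimate client is refused while the table is full, and a short SYN-RECEIVED timer frees the slots again. A minimal SYN-cookie function is included as the stateless alternative, in which the server keeps no table at all and instead verifies an HMAC-derived value echoed back in the client's final ACK. The addresses, ports, secret and timeouts are constructed.

```python
"""Bounded half-open (SYN_RECV) table with expiry, plus a simplified SYN cookie.

Added example, not from the original article. This models the idea, not the
exact data structures or cookie encoding of any real kernel.
"""
import hashlib
import hmac
from collections import OrderedDict


class HalfOpenTable:
    """Tracks connections that have received a SYN but not the final ACK."""

    def __init__(self, max_backlog: int = 4, timeout: float = 3.0):
        self.max_backlog = max_backlog   # the TCP backlog size
        self.timeout = timeout           # the SYN-RECEIVED timer, in seconds
        self.pending = OrderedDict()     # (src, sport) -> time the SYN arrived
        self.dropped = 0
        self.established = []

    def expire(self, now: float) -> None:
        # Evict entries whose timer has run out; a short timer limits how long
        # a spoofed SYN can occupy a slot.
        for key, ts in list(self.pending.items()):
            if now - ts > self.timeout:
                del self.pending[key]

    def on_syn(self, now: float, src: str, sport: int) -> str:
        self.expire(now)
        key = (src, sport)
        if key in self.pending:
            return "retransmit"
        if len(self.pending) >= self.max_backlog:
            self.dropped += 1
            return "dropped"             # backlog full: this is the failure mode a flood aims for
        self.pending[key] = now
        return "syn_recv"

    def on_ack(self, now: float, src: str, sport: int) -> str:
        self.expire(now)
        key = (src, sport)
        if key not in self.pending:
            return "no_state"
        del self.pending[key]
        self.established.append(key)
        return "established"


def make_cookie(secret: bytes, src: str, sport: int, dst: str, dport: int, slot: int) -> int:
    """Stateless alternative: a 32-bit value derived from the 4-tuple and a
    coarse time slot. The server sends it as its initial sequence number and
    only allocates state when a valid ACK comes back. Simplified illustration."""
    msg = f"{src}:{sport}>{dst}:{dport}@{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def check_cookie(secret: bytes, src: str, sport: int, dst: str, dport: int,
                 slot: int, cookie: int) -> bool:
    expected = make_cookie(secret, src, sport, dst, dport, slot)
    return hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big"))


def simulate() -> dict:
    """Constructed scenario: 10 spoofed SYNs at t=0, then one real client."""
    table = HalfOpenTable(max_backlog=4, timeout=3.0)
    for i in range(10):
        table.on_syn(0.0, f"192.0.2.{i}", 40000 + i)      # spoofed sources never ACK
    flooded = len(table.pending)                          # backlog is full (4)
    first_try = table.on_syn(1.0, "203.0.113.7", 51000)   # real client is refused
    second_try = table.on_syn(3.5, "203.0.113.7", 51000)  # timer expired, slot free
    done = table.on_ack(3.6, "203.0.113.7", 51000)        # handshake completes
    return {"flooded": flooded, "first_try": first_try, "second_try": second_try,
            "done": done, "dropped": table.dropped}


if __name__ == "__main__":
    print(simulate())
    secret = b"constructed-demo-secret"
    c = make_cookie(secret, "203.0.113.7", 51000, "198.51.100.80", 443, slot=17)
    print("cookie valid:", check_cookie(secret, "203.0.113.7", 51000, "198.51.100.80", 443, 17, c))
```

The simulation shows why the article's three knobs matter together: a larger backlog raises the number of spoofed SYNs needed to fill the table, a shorter timer shrinks the window in which each one occupies a slot, and a cookie-based approach removes the per-connection state entirely so there is nothing left to fill.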

Finally, you have to work out how to intercept these attacks before they reach your site. Modern websites rely heavily on dynamic resources. Bandwidth is the easier thing to control during an attack; what usually gives way is the database or the scripts you run. Consider using a caching server to serve as much static content as possible, be ready to swap dynamic resources for static ones quickly, and make sure your detection systems are working properly.

The worst case is that your network or site is completely paralysed, so you should be prepared before an attack starts, because once it is under way it is very difficult to stop a DDoS at its source. In the end, you must work out how to make your infrastructure sound and secure, and pay close attention to your network configuration. All of this is very important.
