At present, the attack that gives network administrators the biggest headache is the denial-of-service (DoS) attack and its distributed form (DDoS). It is an abuse of resources: the attacker uses its own resources, amplified or otherwise asymmetric, to consume the resources of the other party. Many different IP addresses access the server at the same time, causing the server's service to fail or even crash.
Today I will introduce some simple and effective methods of defending against denial-of-service attacks, based on my company's experience in server management. They cannot provide complete protection, but in the battle against DDoS they can keep the loss to a minimum.
1. How to discover attacks
On the server, you can simply and effectively view the current load through CPU usage and memory usage. If the server suddenly becomes overloaded and its performance drops sharply, this may be a sign of an attack. However, it may also simply be an increase in the number of normal website visitors. How can we tell these two situations apart? Using the following two principles, you can determine whether the server is under attack.
(1) The data traffic of the website suddenly rises to dozens or even hundreds of times its normal level, and the packets arriving at the website at the same time come from a large number of different IP addresses.
(2) A large number of the arriving packets (both TCP and UDP) do not belong to the website's service connections and are usually aimed at arbitrary ports on your machine. For example, if your server is a web server, packets are sent to your FTP port or any other port.
2. The ban-IP method
After you confirm that you are under attack, you can use a simple method, shielding IP addresses, to deal with DoS attacks. This method is very effective against DoS, because a DoS attack often comes from a small number of IP addresses, even though those addresses are usually spoofed. Shield the attacker's IP addresses on the server or router to block the DoS attack effectively. DDoS attacks, however, are more troublesome: we need to analyze the IP addresses in order to shield the ones that are actually attacking.
Whether dealing with DoS or DDoS, we need to install a suitable firewall on the server and then analyze visitors' IP addresses from the firewall logs. When an abnormal IP segment with a large traffic volume is found, add corresponding rules to the firewall to filter it.
Of course, filtering directly on the server consumes some of the server's own resources. Therefore it is more effective to locate the illegal IP segments on the server through the firewall logs and then add the filter entries on the router. For example, suppose we found that the illegal IP segment for the DDoS attack is 211.153.0.0 255.255.0.0 and the server address is 61.153.5.1. Log on to the company's core router and add the following statement to the access control list for filtering.
access-list 108 deny tcp 211.153.0.0 0.0.255.255 61.135.5.1 0.0.0.0
In this way, the illegal IP segment 211.153.0.0 255.255.0.0 is filtered out.
Tip: in an access control list, the subnet mask must be written as a wildcard (inverse) mask; that is, 0.0.255.255 corresponds to the subnet mask 255.255.0.0.
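The log analysis and ACL step above, as an added example that is not part of the original article: it applies the two attack signs from section 1 to Windows Firewall log lines, groups sources by /16, and prints a router ACL entry of the form used above. The log lines are constructed, the pfirewall.log field order is assumed, and the served ports and host threshold are placeholders to tune per site.

```powershell
# Added example, not from the original article. Assumed W3C pfirewall.log field order:
#   date time action protocol src-ip dst-ip src-port dst-port ...
# The log lines below are constructed for the demonstration and reuse the article's addresses.
$LogLines = @'
2024-01-01 10:00:01 DROP TCP 211.153.4.7 61.153.5.1 40001 21 48 S 0 0 0 - - - RECEIVE
2024-01-01 10:00:01 DROP TCP 211.153.9.12 61.153.5.1 40002 21 48 S 0 0 0 - - - RECEIVE
2024-01-01 10:00:01 DROP UDP 211.153.77.3 61.153.5.1 53 1434 29 - - - - - - - RECEIVE
2024-01-01 10:00:02 ALLOW TCP 211.153.200.9 61.153.5.1 40003 80 48 S 0 0 0 - - - RECEIVE
2024-01-01 10:00:02 ALLOW TCP 202.96.1.5 61.153.5.1 51000 80 48 S 0 0 0 - - - RECEIVE
2024-01-01 10:00:03 DROP TCP 211.153.31.2 61.153.5.1 40004 23 48 S 0 0 0 - - - RECEIVE
'@ -split "`n"

$ServedPorts = @(80, 443)   # ports this web server really serves (assumption)
$ServerIp    = '61.153.5.1'
$MinHosts    = 3            # distinct source hosts per /16 before the segment is flagged; tune per site

# Dotted subnet mask -> wildcard (inverse) mask, e.g. 255.255.0.0 -> 0.0.255.255
function ConvertTo-WildcardMask {
    param([string]$SubnetMask)
    (($SubnetMask -split '\.') | ForEach-Object { 255 - [int]$_ }) -join '.'
}

function Get-SuspiciousSegments {
    param([string[]]$Lines, [int[]]$Served, [int]$MinHosts)
    $bySegment = @{}
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 8 -or $f[7] -notmatch '^\d+$') { continue }   # also skips header lines
        $srcIp = $f[4]; $dstPort = [int]$f[7]
        $segment = ($srcIp -split '\.')[0..1] -join '.'                  # first two octets = /16
        if (-not $bySegment.ContainsKey($segment)) {
            $bySegment[$segment] = @{ Hosts = @{}; OffService = 0 }
        }
        $bySegment[$segment].Hosts[$srcIp] = $true
        if ($Served -notcontains $dstPort) { $bySegment[$segment].OffService++ }
    }
    # Sign (1): many distinct hosts in one segment. Sign (2): packets to ports the site does not serve.
    foreach ($seg in $bySegment.Keys) {
        $e = $bySegment[$seg]
        if ($e.Hosts.Count -ge $MinHosts -and $e.OffService -gt 0) {
            [pscustomobject]@{ Segment = "${seg}.0.0"; Hosts = $e.Hosts.Count; OffService = $e.OffService }
        }
    }
}

$wild = ConvertTo-WildcardMask '255.255.0.0'
Get-SuspiciousSegments -Lines $LogLines -Served $ServedPorts -MinHosts $MinHosts | ForEach-Object {
    "$($_.Segment): $($_.Hosts) hosts, $($_.OffService) packets to unserved ports"
    "access-list 108 deny tcp $($_.Segment) $wild $ServerIp 0.0.0.0"   # same form as the article's ACL
}
```

With the constructed lines, only 211.153.0.0 is reported (5 distinct hosts, 4 packets to unserved ports); the single legitimate visitor from 202.96.1.5 is left alone, which is the point of filtering by segment only after both signs are present.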
3. The SYN cache method
Although the ban-IP method above can effectively block DoS and DDoS attacks, shielding IP addresses naturally filters out some legitimate addresses as well. Therefore we do not recommend the ban-IP method for small attacks. Small DoS and DDoS attacks can instead be defended against by modifying the SYN cache settings; this method has achieved remarkable results in the author's company.
The SYN cache size is modified through key values in the registry. We will introduce the modification methods for Windows 2003 and Windows 2000.
(1) Defense against denial-of-service attacks in Windows 2003
Step 1: Start -> Run -> enter regedit to open the Registry Editor.
Step 2: Find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. There is a SynAttackProtect key value under it. The default value is 0; change it to 1 to defend against SYN attacks more effectively.
Tip: this parameter controls how TCP adjusts the retransmission of SYN-ACKs. When SynAttackProtect is set to 1 and the system detects a SYN attack, the connection response times out sooner.
Step 3: Find the EnableDeadGWDetect key value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and change it to 0. This prevents a SYN attack from forcing the server to switch to another gateway, which would interrupt the service.
Step 4: Find the EnablePMTUDiscovery key value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and change it to 0. This way an attacker cannot force the server onto a small MTU and thereby increase the overall load on the server.
Step 5: Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, set KeepAliveTime to 300000 and NoNameReleaseOnDemand to 1.
(2) Defense against denial-of-service attacks in Windows 2000
The methods for preventing denial-of-service attacks in Windows 2000 are similar to those in Windows 2003, but some of the values differ. Here is a brief summary.
Step 1: Set SynAttackProtect to 2.
Step 2: Set EnableDeadGWDetect to 0.
Step 3: Set EnablePMTUDiscovery to 0.
Step 4: Set KeepAliveTime to 300000.
Step 5: Set NoNameReleaseOnDemand to 1.
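The registry procedure for both Windows versions, as an added PowerShell example that is not from the original article: it reads each current value before writing the new one, so the change can be reviewed and reverted. It assumes the TCP/IP values live under Tcpip\Parameters and NoNameReleaseOnDemand under NetBT\Parameters (the article names only ...\Services), that it runs from an elevated prompt, and that the server is rebooted afterwards so the TCP/IP stack re-reads the values.

```powershell
# Added example, not from the original article. Key paths below are assumptions, not quoted from it.
$PreviewOnly         = $true    # set to $false to actually write the values
$TargetIsWindows2000 = $false   # article: SynAttackProtect = 2 on Windows 2000, 1 on Windows 2003
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$NetBtParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$SynProtect  = if ($TargetIsWindows2000) { 2 } else { 1 }

$Settings = @(
    @{ Path = $TcpipParams; Name = 'SynAttackProtect';      Value = $SynProtect }
    @{ Path = $TcpipParams; Name = 'EnableDeadGWDetect';    Value = 0 }       # no gateway switch under SYN flood
    @{ Path = $TcpipParams; Name = 'EnablePMTUDiscovery';   Value = 0 }       # attacker cannot force a tiny MTU
    @{ Path = $TcpipParams; Name = 'KeepAliveTime';         Value = 300000 }  # milliseconds (5 minutes)
    @{ Path = $NetBtParams; Name = 'NoNameReleaseOnDemand'; Value = 1 }
)

function Set-SynProtectionValue {
    param([string]$Path, [string]$Name, [int]$Value, [switch]$Preview)
    # Read the current value first so the change is visible and reversible
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current) { $current = '(absent: stack default applies)' }
    '{0}\{1}: {2} -> {3}' -f $Path, $Name, $current, $Value
    if (-not $Preview) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord   # creates the value if missing
    }
}

foreach ($s in $Settings) {
    Set-SynProtectionValue -Path $s.Path -Name $s.Name -Value $s.Value -Preview:$PreviewOnly
}
```

Run it once with $PreviewOnly left at $true to record the existing values, then flip it to $false to apply the article's settings.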
Summary
With the attack-detection method described above, the ban-IP method, and finally the registry modification method, DoS and DDoS attacks can be defended against effectively. However, because of the nature of DDoS attacks, no server can prevent them completely; even with a professional anti-DDoS hardware firewall installed, the loss cannot be entirely avoided. The methods described today cost nothing and can be applied in practice.