Turn: How can I determine if the server has suffered DDoS attacks? What are the solutions to server attacks?

There are two main types of DDoS attacks: Traffic attacks, which are mainly attacks against network bandwidth, that is, a large number of Attack Packets Cause network bandwidth to be blocked, legitimate network packets are flooded with false attack packets and cannot reach the master. The other is resource depletion attacks, which are mainly attacks against server hosts, that is, the host memory is exhausted or the CPU is used up by the kernel and application through a large number of attack packets. Program Network services cannot be provided after the occupation.

How can I determine whether a website is under Traffic attack? You can use the ping command to test whether the ping times out or the packet loss is serious (assuming it is normal at ordinary times), the ping may be attacked by traffic, if you find that the server connected to the same vswitch with your host cannot be accessed, you can be sure that the server is under a traffic attack. Of course, the premise of this test is that the ICMP protocol between you and the server host is not blocked by routers, firewalls, and other devices. Otherwise, you can use the network service port of the Telnet host server to test, the results are the same. However, it is certain that, if the ping to your host server and the host server connected to the same switch are normal at ordinary times, the Ping will suddenly fail or cause serious packet loss, if we can eliminate the network fault, we will certainly have suffered a traffic attack. Another typical traffic attack phenomenon is that once we suffer a traffic attack, A remote connection to the website server may fail.

Compared with traffic attacks, resource depletion attacks are easy to judge. If you ping the website host and access the website normally, you may find that the website access is very slow or cannot be accessed, ping can also be pinged, which is likely to suffer from resource depletion attacks. At this time, if a large number of syn_received, time_wait, fin_wait_1, and other statuses are observed using the netstat-Na command on the server, if the number of established instances is small, it can be determined that the instance has suffered a resource depletion attack. Another attack is caused by resource depletion: ping your website host fails or packet loss is serious, while ping the server on the same switch as your host is normal, this is because the system kernel or some applications cannot respond to the ping command when the CPU usage reaches 100% after the website host is attacked. In fact, the bandwidth is still available, otherwise, the host on the same vswitch cannot be pinged.

There are currently three popular DDoS Attacks:

1. SYN/ack flood attack: This attack method is the most effective and classic DDoS method. It can kill network services of various systems, it is mainly through sending a large number of SYN or Ack spoofing source IP addresses and source ports to the affected host (correct command response ?) Package, causing denial of service because the host's cache resources are exhausted or busy sending response packets. Because the source is forged, tracing is difficult. The disadvantage is that implementation is difficult, high-bandwidth botnets are required. A small number of such attacks will cause the host server to be inaccessible, but can be pinged. Using the netstat-Na command on the server, we will see a large number of syn_received states, A large number of such attacks may cause Ping failure, TCP/IP stack failure, and system solidification, that is, the system does not respond to the keyboard or mouse. Most common firewalls cannot defend against such attacks.

2. TCP full-connection attacks: these attacks are designed to bypass the inspection of conventional firewalls. Generally, conventional firewalls are capable of filtering DoS attacks such as teardrop and land, however, for normal TCP connections, we do not know that many network service programs (such as IIS, Apache, and other Web servers) can accept a limited number of TCP connections, once a large number of TCP connections exist, even normal access to the website may be very slow or even inaccessible, TCP full-connection attacks are caused by a large number of zombie hosts constantly establishing a large number of TCP connections with the affected server, and the resources such as the memory directly to the server are exhausted and dragged across, resulting in DOS, this attack is characterized by bypassing the protection of the general firewall to achieve the purpose of the attack, the disadvantage is that you need to find a lot of zombie hosts, and because the zombie host's IP address is exposed, it is easy to track.

3. script-based attacks: these attacks are mainly designed for websites that have ASP, JSP, PHP, CGI, and other script programs and call databases such as MSSQLServer, mysqlserver, and Oracle, it is characterized by establishing a normal TCP connection with the server, and constantly submitting queries, lists, and other calls that consume a large amount of data library resources to the script program. A typical attack method is small-scale. Generally, submitting a get or POST command almost ignores the client consumption and bandwidth usage, the server may need to find a record from tens of thousands of records to process this request. This processing process consumes a lot of resources, common Database servers rarely support the simultaneous execution of hundreds of query commands, which is easy for clients. Therefore, attackers only need to submit a large number of query commands to the host server through the proxy, it takes only a few minutes to consume server resources and cause a denial of service. A common phenomenon is that the website is slow, such as snail ing, ASP program failure, PHP database connection failure, and the CPU usage of the database master program is high. This attack is characterized by completely bypassing common firewall protection and easily finding some proxy agents to launch attacks. The disadvantage is that the effect of websites with only static pages is compromised, in addition, some proxies expose the attacker's IP address.

currently, the most effective solution to server attacks is to use the hardware firewall, SK server room is the largest hardware anti-DDoS server room in the United States, with 50 GB hardware firewall. A single server provides 10 Gbit/s traffic attacks, unlimited server traffic, and 61 IP addresses.