A Free Trial That Lets You Build Big!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
Second, what is DDoS.
DDoS is the abbreviation of the English Distributed denial of service, meaning "distributed denial of service", then what is the denial of service (denial)? It can be understood that any behavior that causes legitimate users to not be able to access the normal network services is a denial of service attack. In other words, the purpose of the Denial-of-service attack is very clear, that is, to prevent legitimate users from accessing the normal network resources, so as to achieve the ulterior motives of the attackers. Although the same denial of service attack, however, DDoS and DOS are still different, DDoS attack strategy focused on many "zombie host" (by the attacker or indirect use of the host) to the victim host to send a large number of seemingly legitimate network packets, resulting in network congestion or server resources exhaustion caused by denial of service , once a distributed denial of service attack is implemented, attack network packets will be like flooding to the victim host, so that the legitimate user's network package submerged, resulting in legitimate users can not normally access the server's network resources, therefore, denial of service attacks are called "flood attacks", the common means of DDoS attacks have SYN Flood, ACK Flood, UDP Flood, ICMP Flood, TCP Flood, Connections Flood, Script Flood, Proxy Flood, etc. While DOS focuses on the use of host-specific vulnerabilities resulting in network stack failure, system crashes, host crashes and can not provide normal network service functions, resulting in denial of service, common Dos attack means teardrop, land, Jolt, IGMP Nuker, Boink, Smurf, Bonk, OOB and so on. In terms of these two denial of service attacks, the main harm is mainly DDoS attacks, because it is difficult to prevent, as for Dos attacks, by patching the host server or install firewall software can be very good defense, the text will detail how to deal with DDoS attacks.
Three, was the DDoS?
There are two main types of DDoS manifestations, a kind of traffic attacks, mainly for network bandwidth attacks, that is, a large number of attack packets caused network bandwidth is blocked, legitimate network packets are covered by a false attack packet can not reach the host, another for resource depletion attacks, mainly for server host attacks, This means that a large number of attack packets cause the memory of the host to be depleted or the CPU is occupied by the kernel and the application, which cannot provide network services.
How to determine if the site has suffered traffic attacks. Ping to test, if you find that ping timeout or packet loss is serious (assuming normal), you may suffer from traffic attacks, if found and your host on the same switch server can not access, the basic certainty is that the flow of attack. Of course, the premise of this test is that you go to the server host between the ICMP protocol is not blocked by routers and firewalls and other devices, otherwise you can take Telnet host server network service port to test, the effect is the same. But there is one thing to be sure, if you normally ping your host server and connected to the same switch on the host server is normal, all of a sudden ping or is a serious loss of packets, then if you can eliminate the network failure factors are certainly suffering from traffic attacks, and then a typical traffic attack is, Once a traffic attack occurs, it is found that connecting to the Web server with a remote terminal fails.
Relative to the traffic attack, resource exhaustion attack to be easy to judge some, if peacetime ping the website host and visit the website are normal, found suddenly website visit is very slow or inaccessible, and ping can ping, it is likely to suffer from resource depletion attack, at this time if the server with Netstat -na command observed a large number of syn_received, time_wait, fin_wait_1 and other states exist, and established very few, you can be determined to be a resource-exhausted attack. Another kind of resource exhaustion attack is that ping your own web site host ping or packet loss is serious, and Ping and its own host on the same switch on the server is normal, this is due to the site host after the attack caused the system kernel or some applications CPU utilization up to 100% Unable to respond to the ping command, in fact, there is still bandwidth, otherwise ping does not connect the host on the same switch.
There are currently three popular DDoS attacks:
1, Syn/ack flood attack: This attack method is the classic most effective DDoS method, can kill a variety of system network services, mainly by sending a large number of spoofed source IP and source port to the injured host SYN or ACK packets, resulting in the host's cache resources are depleted or busy sending response packets caused by denial of service , because the source is forged so it is difficult to track, the disadvantage is that the implementation of a certain degree of difficulty, the need for high bandwidth zombie host support. A small amount of this attack will cause the host server to be inaccessible, but can ping the pass, the Netstat-na command on the server will be observed a large number of syn_received state, a large number of such attacks will cause ping failure, TCP/IP stack failure, and will appear system solidification phenomenon , which does not respond to the keyboard and mouse. Most common firewalls cannot withstand this kind of attack.
2, TCP full connection attack: This attack is to bypass the conventional firewall inspection and design, generally, the general firewall has a filter teardrop, land and other Dos attacks, but for the normal TCP connection is spared, but many network services programs (such as: IIS, Apache and other Web servers can accept the number of TCP connections is limited, once a large number of TCP connections, even if it is normal, can lead to Web site access is very slow and even inaccessible, TCP full connection attack is through many zombie hosts constantly with the victim server to establish a large number of TCP connections, Until the server's memory and other resources are pulled across, resulting in denial of service, this attack is characterized by bypassing the general firewall protection to achieve the attack, the disadvantage is to find a lot of zombie hosts, and because the zombie host IP is exposed, so easy to be traced.
3, Brush script scripts attack: This attack is mainly for the existence of ASP, JSP, PHP, CGI and other scripting programs, and call MSSQLServer, MySQLServer, Oracle and other databases of the Web site system design, characterized by the server to establish a normal TCP connection , and constantly to the script to submit queries, lists, and so a large number of resource-consuming database resources, typical of a small broad attack method. In general, the cost of submitting a GET or post instruction to the client is almost negligible, and the server may have to trace a record from tens of thousands of records to handle the request, a process that is expensive for resources, Common database servers rarely support hundreds of of simultaneous query execution, which is easy for the client, so the attacker can simply submit a query to the host server via proxy proxies, consuming server resources in minutes and causing a denial of service. Common phenomenon is that the site is slow, such as snail, ASP program invalidation, PHP connection database failure, database main program CPU high. This attack is characterized by a complete bypass of common firewall protection, easy to find some proxy proxy can be implemented to attack, the disadvantage is to deal with static pages only the effect of the site will be greatly compromised, and some proxies will expose the attacker's IP address.
four, how to resist DDoS.
Dealing with DDoS is a systematic project, it is not realistic to rely solely on a system or product to prevent DDoS, and it is certain that it is not possible to completely eliminate DDoS at present, but it is possible to protect against 90% of DDoS attacks by appropriate measures, based on cost overhead for both attack and defense, If the ability to defend against DDoS is increased by appropriate means, the cost of attacking an attacker is increased, so the vast majority of attackers will not be able to go on and give up, which is equivalent to successfully defending against DDoS attacks. The following is the author for many years to resist DDoS experience and suggestions, and you share.
1, the use of high-performance network equipment
First of all to ensure that network equipment can not become a bottleneck, so select routers, switches, hardware firewalls and other equipment when you should try to choose the well-known high reputation, good products. Then it would be better if there was a special relationship or agreement with the network provider, and it would be very effective to ask them to do some sort of DDoS attack at the network point when a large number of attacks occurred.
2, try to avoid the use of NAT
Whether it is a router or a hardware wall device, try to avoid using Network address translation NAT, because this technology will greatly reduce network communication capabilities, the reason is very simple, because NAT needs to convert the address back and forth, the conversion process requires the network packet checksum calculation, so wasted a lot of CPU time , but there are times when you have to use NAT, there is no good way.
3, sufficient network bandwidth to ensure
Network bandwidth directly determines the ability to resist attacks, if only 10M bandwidth, no matter what measures are difficult to combat the current Synflood attack, at least to choose 100M of shared bandwidth, the best of course is hanging on the 1000M trunk. But it should be noted that the NIC on the host is 1000M does not mean that its network bandwidth is gigabit, if it is connected to the 100M switch, its actual bandwidth will not be more than 100M, and then the bandwidth of the 100M is not equal to the bandwidth of hundreds of megabytes, Because ISPs are likely to limit the actual bandwidth to 10M on the switch, this must be clear.
4, upgrade the host server hardware
In the context of network bandwidth guarantee, please try to upgrade the hardware configuration, to effectively combat 100,000 SYN attack packets per second, the server configuration should be at least: P4 2.4G/DDR512M/SCSI-HD, the key role of the main CPU and memory, if there is a strong dual-CPU, then use it, Memory must select the high speed memory of the DDR hard drive to choose SCSI, do not only greedy IDE price is still enough cheap, otherwise it will pay high performance costs, and then the network card must choose 3COM or Intel and other brands, if Realtek or used in their own PC it.
5, the site into a static page
A large number of facts prove that the site as far as possible to make static pages, not only can greatly improve the ability to attack, but also to the hacker to bring a lot of trouble, at least up to now the overflow of HTML has not appeared, look at it. Sina, Sohu, NetEase and other portals are mainly static pages, if you do not need dynamic script calls, then put it to another separate host to go, free from the attack when the main server, of course, put some do not do database call script is still possible, in addition, It is best to deny the use of proxy access in scripts that need to invoke the database, as experience shows that 80% of your site's use of proxies is a malicious act.
6, enhance the operating system of the TCP/IP stack
Win2000 and Win2003 as the server operating system, itself has a certain ability to resist DDoS attacks, but the default state does not open it, if the open words can withstand about 10,000 SYN attack packets, if not open then only can resist hundreds of, how to open, Go to see Microsoft's article yourself. "Hardening TCP/IP Stack security"-http://www.microsoft.com/china/technet/security/guidance/secmod109.mspx
Maybe some people will ask, then I use Linux and FreeBSD how to do. Very simply, follow this article to do it. "SYN Cookies"-http://cr.yp.to/syncookies.html
7, the installation of professional anti-DDoS firewall
8. Other defensive measures
The above seven countermeasures against DDoS recommendations, suitable for the vast majority of users with their own host, but if the above measures can still not solve the DDoS problem, there are some trouble, may need more investment, increase the number of servers and the use of DNS round patrol or load balancing technology, even need to buy seven-tier switch equipment This makes the ability to resist DDoS attacks multiply, as long as the investment is deep enough, there will always be an attacker to give up, then you will succeed. ：）
Start building with 50+ products and up to 12 months usage for Elastic Compute Service