One, why care about DDoS?
As Internet bandwidth has grown and one DDoS toolkit after another has been released, DDoS attacks have become easier and easier to carry out. Driven by commercial rivalry, revenge, online extortion and many other motives, they have long plagued IDC hosting facilities, commercial websites, game servers, chat networks and other network service providers, bringing with them customer complaints, collateral damage to the virtual-hosting customers who share the affected machine, legal disputes, business losses and a string of other problems. Solving the DDoS problem is therefore the first thing a network service provider has to consider.
Second, what is DDoS?
DDoS is the abbreviation of Distributed Denial of Service. So what is a denial of service? It can be understood as any behaviour that prevents legitimate users from accessing normal network services. In other words, the purpose of a denial-of-service attack is very clear: to stop legitimate users from reaching normal network resources and thereby serve the attacker's ulterior motives.

Although both are denial-of-service attacks, DDoS and DoS differ. A DDoS attack relies on many "zombie hosts" (machines the attacker controls directly or uses indirectly) sending the victim host a huge number of seemingly legitimate network packets, which congests the network or exhausts server resources and so denies service. Once a distributed denial-of-service attack is under way, attack packets pour into the victim host like a flood and drown out the legitimate users' packets, so that legitimate users can no longer reach the server's network resources; this is why denial-of-service attacks are also called "flood attacks". Common DDoS methods include SYN Flood, ACK Flood, UDP Flood, ICMP Flood, TCP Flood, Connections Flood, Script Flood, Proxy Flood and so on. DoS, by contrast, exploits specific vulnerabilities in a host to make its network stack fail, crash the system or hang the host so that it can no longer provide normal network services; common DoS methods include teardrop, land, Jolt, IGMP Nuker, Boink, Smurf, Bonk, OOB and so on. Of the two, DDoS attacks do the most damage because they are hard to prevent, whereas DoS attacks can be defended against quite well by patching the host server or installing firewall software. This article therefore concentrates on how to deal with DDoS attacks.
Third, have you been DDoSed?
DDoS shows itself in two main forms. One is the traffic attack, aimed mainly at network bandwidth: a huge number of attack packets saturate the bandwidth, and legitimate packets are swamped by the bogus ones and never reach the host. The other is the resource-exhaustion attack, aimed mainly at the server host: a huge number of attack packets exhaust the host's memory or keep its CPU fully occupied in the kernel and applications, so that it can no longer provide network service.
How can you tell whether a site is under a traffic attack? Test with ping. If pings time out or lose packets heavily (assuming they are normally fine), you may be under a traffic attack; if servers on the same switch as your host also become unreachable, you can be fairly sure it is a traffic attack. This test assumes that ICMP between you and the server host is not blocked by routers, firewalls or other devices; if it is, you can Telnet to a network service port on the server host instead, with the same effect. One thing is certain: if pinging your host server and the hosts connected to the same switch is normally fine, and suddenly pings fail or lose packets heavily, then, once you have ruled out network faults, you are definitely under a traffic attack. Another typical sign of a traffic attack is that, once it starts, connecting to the web server with a remote terminal fails.
Compared with a traffic attack, a resource-exhaustion attack is somewhat easier to diagnose. If pinging the website host and visiting the website are normally fine, and suddenly the site becomes very slow or unreachable while the host still answers pings, it is most likely a resource-exhaustion attack. If at that point netstat -na on the server shows a large number of connections in the SYN_RECEIVED, TIME_WAIT, FIN_WAIT_1 and similar states and very few in ESTABLISHED, you can be certain it is a resource-exhaustion attack. Another form of resource-exhaustion attack is one where pinging your own website host fails or loses packets heavily while pinging the servers on the same switch as your host is normal. This happens because the attack has driven the system kernel or some application on the site host to 100% CPU utilisation, so it cannot respond to pings; bandwidth is in fact still available, otherwise the hosts on the same switch would be unreachable as well.
Three kinds of DDoS attack are currently popular:
1. SYN/ACK flood attack: this is the classic and most effective DDoS method and can bring down all kinds of system network services. It works by sending the victim host large numbers of SYN or ACK packets with spoofed source IPs and source ports, exhausting the host's cache resources or keeping it busy sending replies, which results in denial of service. Because the sources are forged it is hard to trace; its drawback is that it is somewhat difficult to carry out and needs the support of high-bandwidth zombie hosts. A small dose of this attack makes the host server unreachable while it still answers pings, and netstat -na on the server shows a large number of connections in the SYN_RECEIVED state; a large dose makes pings fail, breaks the TCP/IP stack and can freeze the system so that it stops responding to keyboard and mouse. Most ordinary firewalls cannot withstand this kind of attack.
2. TCP full-connection attack: this attack is designed to get past the checks of a conventional firewall. Ordinary firewalls can generally filter DoS attacks such as teardrop and land, but they let normal TCP connections through, and many network service programs (web servers such as IIS and Apache, for instance) can only accept a limited number of TCP connections. Once there are a great many TCP connections, even perfectly normal ones, website access becomes very slow or the site becomes unreachable altogether. A TCP full-connection attack uses many zombie hosts to keep establishing large numbers of TCP connections with the victim server until its memory and other resources are exhausted, resulting in denial of service. Its distinguishing feature is that it slips past ordinary firewall protection; its drawback is that it needs a lot of zombie hosts, and because the zombie hosts' IP addresses are exposed it is easy to trace.
3. Script flood attack: this attack targets website systems built on ASP, JSP, PHP, CGI and other scripting programs that call databases such as MSSQL Server, MySQL Server or Oracle. It is characterised by establishing normal TCP connections with the server and then continuously submitting queries, listings and other requests to the scripts that consume large amounts of database resources; it is a typical case of a small effort producing a large effect. In general, the cost to the client of submitting a GET or POST request is almost negligible, while the server may have to search through tens of thousands of records to handle it, which is expensive in resources. Ordinary database servers rarely support hundreds of simultaneous queries, whereas that is easy for the client, so an attacker can simply submit queries to the host server through proxies and exhaust its resources in minutes, causing denial of service. The common symptoms are a site as slow as a snail, ASP programs failing, PHP failing to connect to the database and high CPU usage by the main database process. This attack is characterised by completely bypassing ordinary firewall protection and needing only a few proxies to carry out; its drawbacks are that its effect is greatly reduced against sites that serve only static pages, and that some proxies expose the attacker's IP address.
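As an added example that is not part of the original article, the netstat -na rule of thumb from the diagnosis section and the SYN/ACK-flood and full-connection descriptions above, turned into a small parser and classifier. The sample netstat output, the state aliases, the thresholds and the function names are my own constructed assumptions, not measurements from any real host.

```python
import re
from collections import Counter, defaultdict

# Constructed `netstat -na` output (not from a real host): one live session, a
# few closing sessions and a burst of half-open SYN_RECEIVED entries whose peer
# addresses vary, which is the picture the article gives for a SYN/ACK flood.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    203.0.113.10:80        198.51.100.7:51012     ESTABLISHED
  TCP    203.0.113.10:80        198.51.100.8:40022     TIME_WAIT
  TCP    203.0.113.10:80        192.0.2.14:1025        SYN_RECEIVED
  TCP    203.0.113.10:80        192.0.2.77:3311        SYN_RECEIVED
  TCP    203.0.113.10:80        192.0.2.201:1040       SYN_RECEIVED
  TCP    203.0.113.10:80        192.0.2.5:2200         SYN_RECEIVED
  TCP    203.0.113.10:80        192.0.2.90:1999        SYN_RECEIVED
  TCP    203.0.113.10:80        198.51.100.9:50001     FIN_WAIT_1
  UDP    0.0.0.0:53             *:*
"""

# Windows and Linux netstat spell the states differently; normalise to Windows names.
ALIASES = {"SYN_RECV": "SYN_RECEIVED", "LISTEN": "LISTENING"}
# Windows: "TCP local foreign state"; Linux adds Recv-Q/Send-Q columns after the proto.
TCP_LINE = re.compile(r"^\s*tcp6?\s+(?:\d+\s+\d+\s+)?(\S+)\s+(\S+)\s+(\S+)\s*$", re.I)

def parse_netstat(text):
    """Return (count per TCP state, per-state Counter of foreign IPs)."""
    states, peers = Counter(), defaultdict(Counter)
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if not m:
            continue  # headers, UDP sockets, blank lines
        _local, foreign, state = m.groups()
        state = ALIASES.get(state.upper(), state.upper())
        states[state] += 1
        peers[state][foreign.rsplit(":", 1)[0]] += 1  # drop the port, keep the host
    return states, peers

def assess(text, min_suspect=5):
    """Apply the article's rule of thumb. Many SYN_RECEIVED/TIME_WAIT/FIN_WAIT_1 with
    few ESTABLISHED suggests a SYN/ACK flood; many ESTABLISHED concentrated on a
    few peers suggests a TCP full-connection attack. Thresholds are illustrative."""
    states, peers = parse_netstat(text)
    established = states["ESTABLISHED"]
    half_open = states["SYN_RECEIVED"] + states["TIME_WAIT"] + states["FIN_WAIT_1"]
    if half_open >= min_suspect and half_open > 3 * max(established, 1):
        return "syn_ack_flood_pattern"
    distinct_peers = len(peers["ESTABLISHED"])
    if established >= min_suspect and established >= 10 * distinct_peers:
        return "full_connection_pattern"
    return "normal"
```

On a live host, feed the captured output of netstat -na (Windows or Linux) to assess(); the per-state peer counters from parse_netstat() show whether the load comes from many spoofed sources or a handful of zombie hosts.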