Analysis and countermeasure of security precaution for DDoS attack

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

Recently, some sites in China have been attacked by a larger scale of Denial-of-service (D.O.S) (including DDoS attacks on large international websites such as Yahoo)--distributed denial-of-service attacks. The sites affected include well-known news websites, commercial websites, securities websites, and even some of the network security sites. The symptoms are: the site can not be accessed, the response speed is very slow, affecting the surrounding network segment of other hosts, and so far there are many sites have not returned to normal, still not normal access.

As a network security site, our main station isbase.com also received a very fierce denial of service attacks. The company's technicians responded immediately: A practical and complete solution was proposed for the attack and possible attacks, minimizing the damage. Now the site is all right, although the attack is still continuing, but the impact on the server has been minimized, will not affect the normal operation of the server. At the same time, we have actively contacted other attacked peer sites, indicating that the attack came from the same modus operandi that may have been deliberately done by someone (group). In addition, for our recent emergency response to other sites, the scale of the attack, the intensity of the great heinous. After taking the solution of our company, the website receiving emergency response has returned to normal.

We made a preliminary analysis of this massive denial-of-service attack based on attacks on our site:

From the symptoms of the attack, this attack is roughly the following: Distributed denial of service attacks, Syn-flood attacks, ICMP bombs (ping of death) and so on. This is the preliminary result of the review of the records that were left after the attack on our site.

To guard against denial of service attacks, start by hardening yourself.

In response to the current D.O.s attack implementation, we have taken the following measures in advance:

1. In order to prevent the Syn-flood attack (the specific principle of the Syn-flood attack see the technical article of this site), we have strengthened the system by default installation, mainly by recompiling the kernel, setting the corresponding kernel parameters so that the system forces the Syn request of the timeout to connect the packet reset, At the same time, the system can quickly process invalid SYN request packets by shortening the timeout constant and the lengthened waiting queue. If these invalid packets are not forced to be cleaned and reset, the load on the system will be greatly increased and the system will eventually lose its response.

2. In order to prevent the attack of ICMP bombs, the traffic of ICMP packets in the system kernel is limited to allow. and adjusts this limit in the system parameters. To prevent the system from causing loss of response.

3. Install the firewall system in the system, use the firewall system to filter all access packets.

4. Carefully adjust the parameters of the server. According to our site access to the characteristics of large, the Web server and mail server for a modest up-front processing, that is, by the advance of the server to achieve a certain load, so that the entire system load changes in the amount of traffic will not change greatly, if there is a significant change, it is likely to cause the server crashes. This is consistent with the principle of prestressed technology widely used in buildings.

After hardening the server, you must also use some effective methods and rules to detect and discover denial of service attacks, and to take appropriate countermeasures after the denial of service attack is detected.

Detection means a lot, you can see the router records and system records and the current state of the site to achieve.

Typically, some special types of IP packets are filtered in advance (no records are required) when designing a firewall. These special IPs are not available on the Internet (cannot be routed). For denial of service attacks, it is often most necessary to have such a return packet to conceal the attacker's real address and identity. Once such addresses appear, they often mark the beginning of some kind of denial-of-service attack.

The address of this large class is the address of these four segments of the 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16. For the rules of our firewall, the three address segments are completely rejecting any packets: Denyall. Then, by detecting the count of these rules, we determine whether there are certain attacks. If we find the following in our counter:

0 0 deny IP from "to" 127.0.0.0/8 4552 553302 deny IP from 10.0.0.0/8 to "any 0 0 deny IPs from" to 10.0.0.0/8 0 0 deny IP from 172.16.0.0/12 to no 0 0 deny IP from No to 172.16.0.0/12 97601 11024404 deny IP from 192.168.0.0/16 to any 0 0 Deny IP from No to 192.168.0.0/16 we can infer that someone is in denial of service attack, when we use Netstat–an to detect the number of network connections at that time, we will find a large number of SYN_RCVD types of connections:

TCP4 0 0 202.109.114.50.80 203.93.217.52.2317 syn_rcvd tcp4 0 0 202.109.114.50.80 61.136.54.73.1854 SYN_RCVD This indicates that the server is now being Attacked by Syn-flood. It is meaningless to record the IP address of such an attack (since these IP addresses are forged by changing the header of the packet in the program).