There are two ways to implement DDoS attacks

Self-built DDoS platform

Open-source DDoS platform source code is now freely available. As long as there are enough machines and enough bandwidth, a highly damaging DDoS platform can be deployed at any time.
The following is a common DDoS client launcher. As you can see, the attack options are very rich: the target IP, port, TCP flags and packet size are all customizable.

def func():
    os.system("./txDDoS -a " + type + " -d " + ip + " -y " + port + " -f 0x10 -s 10.10.10.10 -l 1300")

if __name__ == "__main__":
    pool = multiprocessing.Pool(processes=int(nbproc))
    for i in xrange(int(nbproc)):
        pool.apply_async(func)
    pool.close()
    pool.join()
Having covered how DDoS attacks are implemented, the following describes how to defend against them from three perspectives: iptables, the application itself, and a high-performance proxy.
Iptables protection
sysctl -w net.ipv4.ip_forward=1 &>/dev/null
# Enable IP forwarding
sysctl -w net.ipv4.tcp_syncookies=1 &>/dev/null
# Enable SYN cookies (lightweight DoS prevention)
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=3800 &>/dev/null
# Set the conntrack timeout for established TCP connections to 3800 seconds (this option can greatly reduce the number of tracked connections)
sysctl -w net.ipv4.ip_conntrack_max=300000 &>/dev/null
# Set the maximum number of tracked connections to 300,000 (depending on your memory and iptables version; each tracked connection needs more than 300 bytes)
# On current kernels the two conntrack keys above are named net.netfilter.nf_conntrack_tcp_timeout_established and net.netfilter.nf_conntrack_max
iptables -N syn-flood
iptables -A INPUT -p tcp --syn -j syn-flood
iptables -I syn-flood -p tcp -m limit --limit 3/s --limit-burst 6 -j RETURN
iptables -A syn-flood -j REJECT
# Lightweight prevention against SYN floods: SYNs are accepted at 3 per second with a burst of 6 and the rest are rejected (the limit is global, not per source, so under a real flood legitimate SYNs are rejected as well)
iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
# To keep too many DoS connections out, allow at most 15 concurrent connections per source IP on the external network card and drop the excess, protecting the application behind it
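Both the `-m limit --limit 3/s --limit-burst 6` rule above and the nginx `limit_req zone=one burst=5 nodelay` directive in the application section that follows are token buckets: `burst` tokens are held, refilled at `rate` per second, and a packet or request that finds no token is rejected. The model below is an added illustration written for this page, not iptables or nginx source code; the traffic timelines are constructed, and nginx's leaky-bucket bookkeeping differs in detail while producing the same accept/reject pattern for these inputs.

```python
"""Token-bucket model of the two rate limits on this page (added illustration,
not iptables or nginx source code; the traffic timelines are constructed):
  - iptables: -m limit --limit 3/s --limit-burst 6 -j RETURN, otherwise REJECT
  - nginx:    limit_req zone=one burst=5 nodelay with rate=10r/s, otherwise 503
"""


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate = float(rate)     # tokens added per second
        self.burst = float(burst)   # capacity, and the initial fill
        self.tokens = float(burst)
        self.last = 0.0             # timestamp of the previous arrival

    def allow(self, now):
        """Refill for the time elapsed since the last arrival, then spend one token."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def apply_limit(arrivals, rate, burst):
    """Return (accepted, rejected) for a list of arrival timestamps in seconds."""
    bucket = TokenBucket(rate, burst)
    accepted = rejected = 0
    for t in sorted(arrivals):
        if bucket.allow(t):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


def iptables_scenarios():
    """3 SYN/s with a burst of 6, as in the syn-flood chain above."""
    # constructed flood: 20 SYNs at once, then 10 SYNs per second for 4 seconds
    flood = [0.0] * 20
    for second in range(1, 5):
        flood += [float(second)] * 10
    # constructed normal client: one SYN every half second for 10 seconds
    normal = [i * 0.5 for i in range(20)]
    return {"flood": apply_limit(flood, rate=3, burst=6),
            "normal": apply_limit(normal, rate=3, burst=6)}


def nginx_scenarios():
    """10 r/s with burst=5 nodelay, as in the limit_req directive below."""
    # constructed: a page that fires 30 requests at once, then one every 100 ms
    burst_of_assets = [0.0] * 30
    paced = [1.0 + i * 0.1 for i in range(10)]
    return {"burst": apply_limit(burst_of_assets, rate=10, burst=5),
            "paced": apply_limit(paced, rate=10, burst=5)}


if __name__ == "__main__":
    print(iptables_scenarios())   # flood passes 6 then 3 per second; normal client unaffected
    print(nginx_scenarios())      # 5 of the 30 simultaneous requests pass, paced requests all pass
```

The flood scenario shows the caveat in the comment above: once the bucket is empty, every SYN in that second beyond the 3 refilled tokens is rejected regardless of who sent it, which is why the per-source `connlimit` rule and the application-level limits matter as well.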
Protection by the application itself

Take nginx as an example: limit the request rate of a single IP.
http {
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;   # trigger condition: every IP is limited to 10 requests per second
    limit_conn_zone $binary_remote_addr zone=addr:10m;            # zone used by limit_conn below (added here; the original omitted this definition, without which limit_conn addr fails)
    server {
        location ~ \.php$ {
            limit_req zone=one burst=5 nodelay;   # the action taken, matched to the zone above by name
        }
        location /download/ {
            limit_conn addr 1;   # allow 1 concurrent connection per IP; 503 is returned for connections over the limit
        }
    }
}

High-performance proxy: haproxy + keepalived

1. haproxy frontend configuration:

frontend http
    bind 10.0.0.20:80
    acl anti_DDoS always_true
    # Whitelist
    acl whiteip src -f /usr/local/haproxy/etc/whiteip.lst
    # Mark illegal users: a per-source table holding the gpc0 abuse counter
    stick-table type ip size 20k expire 2m store gpc0
    tcp-request connection track-sc1 src
    tcp-request inspect-delay 5s
    # Reject connections from marked users
    tcp-request connection reject if anti_DDoS { src_get_gpc0 gt 0 }

backend xxx.xxx.cn
    mode http
    option forwardfor
    option httplog
    balance roundrobin
    cookie SERVERID insert indirect
    option httpchk GET /KeepAlive.ashx HTTP/1.1\r\nHost:\ server.1card1.cn
    # always_false keeps the reject rule at the end of this backend disarmed; switch it to always_true to arm it
    acl anti_DDoS always_false
    # Whitelist
    acl whiteip src -f /usr/local/haproxy/etc/whiteip.lst
    # Store each client's request rate over 10 seconds
    stick-table type ip size 20k expire 2m store http_req_rate(10s),bytes_out_rate(10s)
    tcp-request content track-sc2 src
    # More than 50 sessions in 10 seconds is suspicious
    acl conn_rate_limit src_http_req_rate(server.1card1.cn) gt 80
    # Check whether the SERVERID cookie is present in the HTTP request
    acl cookie_present cook(SERVERID) -m found
    # Mark as illegal user (increments gpc0 in the table tracked by sc1, i.e. the frontend's table)
    acl mark_as_abuser sc1_inc_gpc0 gt 0
    tcp-request content reject if anti_DDoS !whiteip conn_rate_limit mark_as_abuser

2. keepalived configuration:

global_defs {
    router_id {{ server_id }}
}
vrrp_script chk_haproxy {
    script "/home/proxy/keepalived/{{ project }}/check_haproxy_{{ server_id }}.sh"
    interval 2
    weight -10
}
vrrp_instance VI_1 {
    state {{ role }}
    interface {{ interface }}
    virtual_router_id 10{{ tag }}
    priority {{ value }}
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass keepalived_DDoS
    }
    track_script {
        chk_haproxy
    }
    virtual_ipaddress {
        {{ vip }}/24 dev {{ interface }} label {{ interface }}:{{ tag }}
    }
}
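The abuse-marking flow in the haproxy configuration above (request rate over 10 seconds in the backend table, `sc1_inc_gpc0` bumping the frontend table's gpc0 once the rate exceeds 80, connection rejection while gpc0 > 0, and the 2-minute table expiry) is modeled below. This is an added example written for this page, not haproxy code: the whitelist entry and the traffic are constructed, one entry per IP holds both the rate and gpc0 where haproxy uses two tables, and haproxy's `http_req_rate(10s)` period counter is approximated by a sliding window.

```python
"""Simplified model of the haproxy abuse-marking flow above (added example,
not haproxy code). Per source IP it keeps the request rate over a 10-second
window, a gpc0 counter bumped once the rate passes 80, rejects connections
while gpc0 > 0, and forgets an idle entry after 2 minutes (expire 2m).
The whitelist and the traffic below are constructed."""
from collections import deque

WINDOW_S = 10.0                 # http_req_rate(10s)
RATE_THRESHOLD = 80             # acl conn_rate_limit src_http_req_rate(...) gt 80
TABLE_EXPIRE_S = 120.0          # stick-table ... expire 2m
WHITELIST = {"198.51.100.10"}   # stand-in for whiteip.lst (constructed)


class StickTable:
    """One entry per source IP, dropped after TABLE_EXPIRE_S of inactivity.
    haproxy keeps gpc0 in the frontend table and the rates in the backend
    table; one entry holds both here for brevity."""

    def __init__(self):
        self.entries = {}

    def entry(self, ip, now):
        e = self.entries.get(ip)
        if e is None or now - e["last_seen"] > TABLE_EXPIRE_S:
            e = {"reqs": deque(), "gpc0": 0, "last_seen": now}
            self.entries[ip] = e
        e["last_seen"] = now
        return e

    def http_req_rate(self, ip, now):
        """Record a request and return the count within the last WINDOW_S seconds."""
        reqs = self.entry(ip, now)["reqs"]
        reqs.append(now)
        while now - reqs[0] > WINDOW_S:
            reqs.popleft()
        return len(reqs)


def frontend_connection(table, ip, now):
    """tcp-request connection reject if { src_get_gpc0 gt 0 }"""
    return "reject" if table.entry(ip, now)["gpc0"] > 0 else "accept"


def backend_request(table, ip, now):
    """tcp-request content reject if !whiteip conn_rate_limit mark_as_abuser
    (with anti_DDoS armed). ACL terms are evaluated left to right, so gpc0 is
    only incremented once the whitelist and rate checks have both matched."""
    rate = table.http_req_rate(ip, now)
    if ip in WHITELIST or rate <= RATE_THRESHOLD:
        return "accept"
    table.entry(ip, now)["gpc0"] += 1
    return "reject"


def handle(table, ip, now):
    """One request on a fresh connection: frontend check, then backend check."""
    if frontend_connection(table, ip, now) == "reject":
        return "frontend_reject"
    return "accept" if backend_request(table, ip, now) == "accept" else "backend_reject"


def simulate():
    table = StickTable()
    attacker, trusted, normal = "203.0.113.7", "198.51.100.10", "192.0.2.5"

    def run(ip, times):
        counts = {"accept": 0, "backend_reject": 0, "frontend_reject": 0}
        for t in times:
            counts[handle(table, ip, t)] += 1
        return counts

    flood = [i * 0.1 for i in range(100)]   # constructed: 100 requests in 10 seconds
    return {
        "attacker": run(attacker, flood),
        "trusted": run(trusted, flood),
        "normal": run(normal, [0.0, 1.0, 2.0, 3.0, 4.0]),
        "attacker_at_20s": handle(table, attacker, 20.0),     # still marked
        "attacker_at_145s": handle(table, attacker, 145.0),   # entry expired
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(name, result)
```

In the run, the attacker's 81st request is the only one the backend rule rejects; from then on the frontend rule turns connections away before they reach the backend, and the mark lasts until the source has been silent for the table's 2-minute expiry, which is the behaviour the two `expire 2m` tables above give you.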
Using a CDN advanced anti-DDoS IP or a public cloud intelligent DDoS defense system
Since the CDN advanced anti-DDoS IP and the public cloud intelligent DDoS defense system work on similar principles, both using proxying or DNS scheduling to carry out the "drainage → cleaning → reinjection" defense process, the two are introduced together.
The CDN advanced anti-DDoS IP is a paid value-added service for Internet servers whose service becomes unavailable under large-traffic DDoS attacks. Users configure the advanced anti-DDoS IP so that attack traffic is drained to it, keeping the origin server stable and reliable. It generally provides protection capacity of up to hundreds of Gbps, which is more than enough to resist ordinary DDoS attacks.
The public cloud intelligent DDoS Defense system is mainly composed of the following roles:
Scheduling system: it plays the role of intelligent domain name resolution, network monitoring and traffic scheduling in DDoS distributed defense system.
Source station: developer business server.
Attack protection point: the main function is to filter the attack traffic and forward the normal traffic to the source station.
Back end computer room: in the DDoS distributed defense system, it will cooperate with attack protection points to play a role in protecting large traffic and provide dual protection capability.
CDN and public cloud vendors generally provide the application and configuration procedure by e-mail, web console, WeChat official account and so on; the operation basically follows this sequence:
The main steps are as follows:
1. Apply to the public cloud or CDN vendor for access to the advanced anti-DDoS IP or DDoS cleaning system, and submit the original resolution record of the site domain name.
2. Change the site domain name's resolution record to the IP provided by the public cloud or CDN vendor.
3. The public cloud or CDN vendor cleans the DDoS attack traffic and sends the cleaned normal traffic back to the IP in the site domain name's original resolution record.
Introduction to public cloud DDoS protection services
At present, most public cloud vendors list DDoS protection among their services. However, because of differences in technology, resources and management, they differ in the following ways:
1. Different charging models: some treat DDoS protection as a complimentary service, others charge for it, and the price or the starting threshold for charging varies between vendors.
2. Different business scenarios: some public cloud vendors differentiate customer business scenarios, such as live streaming, finance or games, but most do not go into such detail.
3. Different functional richness: how much customization a public cloud DDoS protection service offers depends on the product's maturity.
4. Different cleaning capabilities: the scale of DDoS traffic a vendor can clean varies from dozens of Gbps to hundreds of Gbps, and the maturity and effectiveness of the defense technology used also differ.