More than a month ago, my personal website suffered a DDoS attack and went offline for more than 50 hours. This article talks about how to deal with such attacks.
It should be noted that I am not proficient in DDoS and never thought that I would be a target of attack. After the attack, many friends I had never met before offered all kinds of help and suggestions, which helped me learn a lot. Recorded here are some of the solutions that were most helpful to me.
1. What is DDoS?
First of all, let me explain what DDoS is.
For example, suppose I open a restaurant that can seat up to 30 people at a time under normal circumstances. You walk straight in, find a table, sit down and order, and you can eat immediately.
Unfortunately, I have offended a hooligan. He sends 300 people into the restaurant at the same time. They look like normal customers, and each of them says "Hurry up and serve." But the restaurant only holds 30 people, so it is impossible to serve so many orders at once. On top of that, they block the door, crowding three deep inside and three deep outside, so genuine diners cannot get in at all. In effect, the restaurant is paralyzed.
This is a DDoS attack: it launches a large number of requests in a short period of time, exhausts the server's resources so that it cannot respond to normal access, and takes the website offline.
The DoS in DDoS stands for denial of service, which means the purpose of the attack is to interrupt the service. The first D stands for distributed, which means the attack does not come from one place but from all directions, so it is harder to prevent. You close the front door and he comes in through the back door; you close the back door and he climbs in through the window.
2. Types of DDoS
DDoS is not a single attack but a general term for a large class of attacks. There are dozens of types, and new attack methods are still being invented. Every aspect of a website's operation can be a target: as long as one link is broken and the whole process stops running, the goal of paralyzing the service is achieved.
One of the more common types is the CC attack. It simply and crudely sends a large number of normal-looking requests, which exceed the server's maximum capacity and cause it to go down. What I encountered was a CC attack. At most, there were about 20 IP addresses around the world sending requests in turn, and each address sent 200 to 300 requests per second. When I looked at the access log, I felt as if those requests came in like a flood, with a huge number arriving in the blink of an eye. Within a few minutes, the log file had grown by 100MB. To be honest, this can only be regarded as a small attack, but my personal website had no protection, the server was still shared with other people, and this kind of traffic took it offline immediately.
The rest of this article deals with CC attacks.
3. Backup website
The first step in preparing for DDoS is to have a backup website, or at least a temporary homepage. If the production server goes offline, you can switch to the backup immediately, so you are not left without options.
The backup website does not need to be fully functional. A fully static site that can simply be browsed is enough to meet the need. At the very least it should be able to display an announcement telling users that there is a problem with the website and that it is being repaired. When my personal website went offline, I made a temporary homepage with a few simple lines of HTML.
It is recommended to host this kind of temporary homepage on GitHub Pages or Netlify. They have large bandwidth and can cope with attacks; they also support custom domain names and can build the site automatically from source code.
4. HTTP request interception
If the malicious requests have identifiable characteristics, handling them is simple: just block them directly.
Two characteristics of HTTP requests are generally used: the IP address and the User-Agent header. For example, if the malicious requests come from a certain IP range, it is enough to block that range. Or, if their User-Agent header has a distinguishing feature (it contains a specific word), block requests containing that word.
Interception can be done at three levels.
(1) Dedicated hardware
A hardware firewall can be placed in front of the web server specifically to filter requests. This is the most effective option, but also the most expensive.
(2) Local firewall
All operating systems have software firewalls; Linux servers generally use iptables. For example, to block requests from IP address 1.2.3.4, run the following command.
$ iptables -A INPUT -s 1.2.3.4 -j DROP
iptables is more complicated, and I don't know how to use it. It has a certain impact on server performance and cannot stop large-scale attacks.
(3) Web server
The web server can also filter requests. To block IP address 1.2.3.4, the nginx configuration is written as follows.
location / {
    deny 1.2.3.4;
}
For Apache, add the following to the .htaccess file.
<RequireAll>
Require all granted
Require not ip 1.2.3.4
</RequireAll>
If you want finer control (such as automatically identifying and blocking IP addresses that request too frequently), you need a WAF. I won't introduce it in detail here; you can refer to here and here for the nginx settings.
Interception at the web server is very performance-intensive, especially with Apache. Against a slightly larger attack, this method is useless.
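As an added example (not code from the original article), the following Python script implements the "automatically identify frequently requesting IPs" idea from this section: it parses combined-format access log lines, finds each client's peak requests per second, and renders the nginx deny block shown above for the offenders. The log lines, IP addresses and the 100-requests-per-second threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# nginx/Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line):
    """Return (client_ip, timestamp truncated to the second, user_agent), or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.replace(microsecond=0), m.group("ua")

def peak_rate_per_ip(lines):
    """Map each client IP to the most requests it sent within any single second."""
    per_second = defaultdict(Counter)  # ip -> Counter(second -> hits)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, second, _ua = parsed
            per_second[ip][second] += 1
    return {ip: max(c.values()) for ip, c in per_second.items()}

def flag_abusive(lines, threshold=100):
    """IPs whose peak per-second rate reaches the threshold, most aggressive first."""
    peaks = peak_rate_per_ip(lines)
    hits = [(ip, r) for ip, r in peaks.items() if r >= threshold]
    return sorted(hits, key=lambda t: -t[1])

def nginx_deny_block(ips):
    """Render the 'location / { deny ...; }' block from this section for the flagged IPs."""
    body = "".join(f"    deny {ip};\n" for ip in ips)
    return "location / {\n" + body + "}\n"

# ---- constructed sample traffic (not a real log); the date is arbitrary ----
def make_lines(ip, n, ua="Mozilla/5.0", second=0):
    ts = f"10/Jun/2018:08:00:{second:02d} +0800"
    return [f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512 "-" "{ua}"' for _ in range(n)]

SAMPLE = (make_lines("203.0.113.7", 250)            # flood: 250 requests in one second
          + make_lines("198.51.100.9", 220, second=1)
          + make_lines("192.0.2.5", 3)              # an ordinary visitor
          + ["garbage line that should be skipped"])
```

Run `flag_abusive(SAMPLE)` on the constructed sample to get the two flooding addresses, and pass them to `nginx_deny_block` to produce the block to paste into the nginx configuration.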
5. Bandwidth expansion
The HTTP interception in the previous section has a premise: the requests must have identifiable characteristics. A real DDoS attack, however, has none. Its requests look the same as normal requests and come from different IP addresses, so they cannot be filtered out. This is why DDoS is particularly hard to defend against.
Of course, such a DDoS attack is not cheap, and ordinary websites will not receive this treatment. But what if you really do encounter one? Is there a fundamental way to defend against it?
The answer is simple: try to absorb the requests. If 300 people show up at the 30-seat restaurant, find a way to expand the restaurant (for example, temporarily rent a storefront and hire some chefs) so that all 300 can sit down and normal customers are not affected. For a website, this means rapidly expanding capacity in a short period of time, providing several times or tens of times the bandwidth to withstand the flood of requests. This is why cloud service providers can offer protection products: they have a lot of redundant bandwidth that can be used to absorb DDoS attacks.
A friend taught me a method that left a deep impression on me. A cloud service provider promised that each host would withstand attacks below 5G of traffic, so they bought five in one go. The website is set up on one of the hosts, but that host is not exposed to users. The other hosts are mirrors. To face users, DNS distributes the traffic evenly across these four mirror servers. Once an attack occurs, this architecture can withstand 20G of traffic. If there is a larger attack, buy more temporary hosts and keep adding mirrors.
6. CDN
A CDN distributes a website's static content to multiple servers so that users access the one nearest to them, which improves speed. A CDN is therefore also a form of bandwidth expansion and can be used to defend against DDoS attacks.
The website's content lives on the origin server, and the CDN is a cache of that content. Users are only allowed to access the CDN; if the content is not on the CDN, the CDN requests it from the origin server. As long as the CDN is large enough, it can withstand large attacks. However, this method has a premise: most of the website's content must be statically cacheable. Websites with dynamic content (such as forums) must find other ways to minimize user requests for dynamic data.
The mirror servers in the previous section are essentially a small CDN built by hand. The high-defense IP products offered by major cloud service providers do the same thing behind the scenes: the website's domain name points to the high-defense IP, which provides a buffer layer, scrubs traffic, and caches the origin server's content.
There is a key point here. Once you are behind a CDN, never reveal the IP address of the origin server; otherwise an attacker can bypass the CDN and attack the origin directly, and all the previous effort is wasted. Search for "bypass CDN to obtain real IP address" and you will see how rampant the domestic black market is.
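As an added example (not the article's own code), the following Python script shows the origin-side counterpart of this point: the origin accepts web traffic only from the CDN's address ranges, and its access log is checked for requests that arrived from anywhere else, which is the signature of a CDN bypass. The CDN ranges, log lines and port are constructed placeholders; a real deployment would use the ranges the CDN provider publishes.

```python
import ipaddress
import re

# Constructed placeholder ranges standing in for the CDN's published edge addresses (not a real provider list).
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]

def from_cdn(ip_str, ranges=CDN_RANGES):
    """True if the peer address belongs to one of the CDN's ranges (a cross-version check is simply False)."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ranges)

# On the origin, the first log field is the TCP peer: a CDN edge when the request came through the CDN.
PEER_RE = re.compile(r"^(\S+) ")

def direct_hits(lines, ranges=CDN_RANGES):
    """Requests per source IP that reached the origin without passing through the CDN."""
    counts = {}
    for line in lines:
        m = PEER_RE.match(line)
        if m and not from_cdn(m.group(1), ranges):
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def nginx_origin_allowlist(ranges=CDN_RANGES):
    """nginx snippet for the origin: accept the CDN's ranges only and deny everyone else."""
    allows = "".join(f"    allow {net};\n" for net in ranges)
    return "location / {\n" + allows + "    deny all;\n}\n"

def iptables_origin_allowlist(ranges=CDN_RANGES, port=80):
    """Equivalent host-firewall rules: accept the CDN ranges on the web port, drop everything else."""
    rules = []
    for net in ranges:
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(f"{tool} -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    rules.append(f"ip6tables -A INPUT -p tcp --dport {port} -j DROP")
    return rules

# Constructed origin-server log lines (not real traffic).
SAMPLE_ORIGIN_LOG = [
    '203.0.113.10 - - [11/Jun/2018:09:00:00 +0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',   # via CDN edge
    '198.51.100.23 - - [11/Jun/2018:09:00:00 +0800] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',  # hit origin directly
    '198.51.100.23 - - [11/Jun/2018:09:00:00 +0800] "GET /a HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '2001:db8::7 - - [11/Jun/2018:09:00:01 +0800] "GET / HTTP/1.1" 200 512 "-" "curl/7.58"',       # via CDN edge (IPv6)
]
```

Any address reported by `direct_hits` is either a leaked origin IP being probed or a misconfigured CDN edge, and with the allowlist in place such requests are refused before they cost the origin any work.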
The attacker seems to be following my Weibo. Not long after this article was published yesterday, I was attacked again. He bypassed the CDN and attacked the origin server directly (I don't know how the IP address leaked), and the traffic was larger than last time.