Preventing DDoS denial of service attacks from strengthening itself

DoS (Denial of service), the abbreviation for Denial-of-service, refers to the intentional attack on the network protocol implementation of the flaw or directly through brute means to deplete the object of the target resources, the purpose is to make the destination computer or network can not provide normal services, so that the target system stop responding to even crash. These service resources include network bandwidth, file system space capacity, open processes, or allowed connections. This attack will lead to a lack of resources, no matter how fast the processing speed of the computer, the amount of memory, the speed of network bandwidth can not avoid the impact of this attack.

Most Dos attacks require considerable bandwidth, while individual hackers do not have high-bandwidth resources available. To overcome this shortcoming, a DOS attacker developed a distributed attack. Attackers use the tool to assemble a number of network bandwidth to simultaneously launch a large number of attack requests for the same target, which is the DDoS (distributed denial of Service) attack. It can be said that a DDoS attack is a set of Dos attacks launched by the hacker's centralized control, which is considered the most effective form of attack and very difficult to resist.

Recently, some sites in China have been attacked by a larger scale of Denial-of-service (D.O.S) (including DDoS attacks on large international websites such as Yahoo)--distributed denial-of-service attacks. The sites affected include well-known news websites, commercial websites, securities websites, and even some of the network security sites. The symptoms are: the site can not be accessed, the response speed is very slow, affecting the surrounding network segment of other hosts, and so far there are many sites have not returned to normal, still not normal access.

As a network security site, our main station isbase.com also received a very fierce denial of service attacks. The company's technicians responded immediately: A practical and complete solution was proposed for the attack and possible attacks, minimizing the damage. Now the site is all right, although the attack is still continuing, but the impact on the server has been minimized, will not affect the normal operation of the server. At the same time, we have actively contacted other attacked peer sites, indicating that the attack came from the same modus operandi that may have been deliberately done by someone (group). In addition, for our recent emergency response to other sites, the scale of the attack, the intensity of the great heinous. After taking the solution of our company, the website receiving emergency response has returned to normal.

We made a preliminary analysis of this massive denial-of-service attack based on attacks on our site:

From the symptoms of the attack, this attack is roughly the following: Distributed denial of service attacks, Syn-flood attacks, ICMP bombs (ping of death) and so on. This is the preliminary result of the review of the records that were left after the attack on our site.

To guard against denial of service attacks, start by hardening yourself.

In response to the current D.O.s attack implementation, we have taken the following measures in advance:

1. In order to prevent the Syn-flood attack (the specific principle of the Syn-flood attack see the technical article of this site), we have strengthened the system by default installation, mainly by recompiling the kernel, setting the corresponding kernel parameters so that the system forces the Syn request of the timeout to connect the packet reset, At the same time, the system can quickly process invalid SYN request packets by shortening the timeout constant and the lengthened waiting queue. If these invalid packets are not forced to be cleaned and reset, the load on the system will be greatly increased and the system will eventually lose its response.

2. In order to prevent the attack of ICMP bombs, the traffic of ICMP packets in the system kernel is limited to allow. and adjusts this limit in the system parameters. To prevent the system from causing loss of response.

3. Install the firewall system in the system, use the firewall system to filter all access packets.

4. Carefully adjust the parameters of the server. According to our site access to the characteristics of large, the Web server and mail server for a modest up-front processing, that is, by the advance of the server to achieve a certain load, so that the entire system load changes in the amount of traffic will not change greatly, if there is a significant change, it is likely to cause the server crashes. This is consistent with the principle of prestressed technology widely used in buildings.

After hardening the server, you must also use some effective methods and rules to detect and discover denial of service attacks, and to take appropriate countermeasures after the denial of service attack is detected.

Detection means a lot, you can see the router records and system records and the current state of the site to achieve.

Typically, some special types of IP packets are filtered in advance (no records are required) when designing a firewall. These special IPs are not available on the Internet (cannot be routed). For denial of service attacks, it is often most necessary to have such a return packet to conceal the attacker's real address and identity. Once such addresses appear, they often mark the beginning of some kind of denial-of-service attack.

The address of this large class is the address of these four segments of the 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16. For the rules of our firewall, the three address segments are completely rejecting any packets: Denyall. Then, by detecting the count of these rules, we determine whether there are certain attacks. If we find the following in our counter:

0 0 deny IP from "to 127.0.0.0/8 4552 553302 deny IP from 10.0.0.0/8 to" 0 0 deny IP from "to" 10.0.0.0/8 0 0 deny IP from 1 72.16.0.0/12 to all 0 0 deny IP from the to 172.16.0.0/12 97601 11024404 deny IP from 192.168.0.0/16 to any 0 0 deny IP 192.168.0.0/16 we can infer that there is a denial of service attack, and when we use Netstat–an to detect the number of network connections we have, we find a large number of SYN_RCVD types of connections:

TCP4 0 0 202.109.114.50.80 203.93.217.52.2317 syn_rcvd tcp4 0 0 202.109.114.50.80 61.136.54.73.1854 syn_ Rcvd This indicates that the server is suffering a syn-flood attack at this time. It is meaningless to record the IP address of such an attack (since these IP addresses are forged by changing the header of the packet in the program).

How to prevent Dos/ddos attacks

All kinds of Dos attacks are easily accessible from the Internet, and Dos attacks pose a significant threat to the security of fast-growing internet networks. In some ways, however, Dos attacks never go away and there is no technical solution at the moment.

In the face of the dangerous DOS rapids, how can we handle it? Let's start with a summary of the technical issues that pose a threat to Dos attacks. Dos attacks can be said to be caused by the following reasons.

1. Vulnerabilities caused by software vulnerabilities. This includes security-related system flaws in the operating system or application, most of which are due to faulty programming, careless source audits, inadvertent secondary effects, or inappropriate bindings. Because the software used is almost entirely dependent on the developer, the bugs caused by the software can only be remedied by patching.

2. Incorrect configuration can also become a security risk for the system. These error configurations typically occur in hardware devices, server systems, or applications, mostly due to inexperienced, irresponsible employees, or erroneous theories. Therefore, we must make sure that the network connectivity devices and server systems in the network are properly configured to reduce the likelihood of these errors occurring.

3. Repeated requests cause overload denial of service attacks. A denial-of-service attack occurs when a duplicate request for a resource greatly exceeds the support capability of the resource.

To avoid a Dos attack on the system, from the previous two point of view, the network administrator to actively and carefully maintain the entire system, to ensure that no security risks and vulnerabilities, and the 3rd malicious attack on the need to install a firewall and other security devices to filter Dos attacks, and strongly recommend that the network administrator regularly review the security Timely detection of security threats to the system behavior.

3Com is a comprehensive enterprise network solution provider, designed to provide enterprise users with "simple and rich, safe and reliable and cost-effective" network solutions. Internet Support Tools are one of the main solutions, including Superstack 3 Firewall, Web cache, and server Load balancer. The 3Com Superstack 3 firewall, as a security gateway device, can detect and prevent hackers such as "denial of service" and "distributed denial of service" in a default configuration, powerfully protecting users ' networks from unauthorized access and other external threats and attacks from the Internet. And the 3Com superstack 3 server load balancer protects all servers from denial of service attacks while providing a hardware-wire-speed 4~7 layer load balancing for multiple servers. The same 3Com Superstack 3 Web cache provides an efficient local cache for the enterprise and protects itself from denial of service attacks.