Red Guest Alliance CEO and Tianjin Webmaster discuss DDoS attack and defense

Source: Internet
Author: User


At 20:00 on June 8, the fourth group meeting seminar of the Tianjin Software Industry Association Internet Application Branch officially began in its official QQ group (39241075). The topic was DDoS attack and defense, presented by the CEO of the China Red Guest Alliance. The following is the discussion record:

Date: June 8, 2007, 20:00
Official QQ group: 39241075
Guest: sharpwinner

Interconnection Liu Weijun (Old Wheat 296128095): Good evening, everyone. Recently some websites in Tianjin have suffered network attacks, resulting in losses of varying degrees. Today, with the support of the ADMIN5 Webmaster Network, we have invited sharpwinner to hold a web security research session. The format is as before: sharpwinner speaks first for 20 to 30 minutes, please do not interrupt in the middle, and afterwards we will ask questions and discuss. Brief introduction: sharpwinner is the CEO of the China Red Guest Alliance (www.redhacker.cn), author of "The Red Guest Cloud" and "Interpreting the Red Guest: Big Inside Exposure". He has been interviewed by the China Education Television satellite channel (CETV-SD) program "Digital e" and other media, and "The Ever-Changing Red Guest sharpwinner" is currently reproduced on all the major domestic forums.

sharpwinner: Today we will talk about DDoS attack and defense technology. With the continuous spread of broadband Internet, more and more people use broadband networks, and this has also brought hackers many opportunities. Over the past few years, DDoS tools of all kinds of technologies have become more and more numerous, and carrying out a DDoS attack has become easier and easier, so commercial competition, extortion and so on make more and more use of DDoS technology. Many IDC rooms, e-commerce sites and game servers have been plagued by DDoS attacks, resulting in more and more legal disputes and business losses, so solving the DDoS problem has become an important matter that many network service providers, personal webmasters and companies with websites must consider. I want to do a simple survey first: how many of you have been attacked by DDoS? ... It seems the problem of DDoS attacks is happening all around us. Let us now analyze the attack principle of DDoS.
First, DDoS is an abbreviation of the English "Distributed Denial of Service". What does denial of service mean? It means using junk packets to block the network channel of a site, so that the site cannot be accessed normally. A distributed denial of service attack uses one master server to control N zombie hosts ("chickens") to carry out denial of service attacks against the target server.

Now let us talk about the symptoms of a DDoS attack. First, if the site will not open, you can try connecting to the server over 3389, then run a ping test, and another way is to telnet to port 80 and see whether you get a black screen. If none of these tests can connect, then it is a DDoS attack. Then, if connections to ports other than 80 are normal and the ping test is normal, but port 80 is unreachable, check whether IIS is normal; you can change port 80 to another port and test, and if access is then normal it is very likely a CC attack.

Now let us talk about several popular DDoS attack modes.

SYN/ACK Flood attack. This attack method is the classic and most effective DDoS method; it can kill the network services of all kinds of systems. It works mainly by sending large numbers of SYN or ACK packets with forged source IPs and source ports to the victim host, so that the host's cache resources are exhausted or it is kept busy sending response packets, causing denial of service. Because the source is forged, it is difficult to trace; the disadvantage is that it is somewhat difficult to carry out and needs the support of zombie hosts with high bandwidth. A small amount of this attack will make the host server inaccessible but still able to be pinged, and the netstat -na command on the server will show a large number of connections in the SYN_RECEIVED state; a large amount of this attack will cause ping failure and TCP/IP stack failure, and the system will appear frozen, not responding to the keyboard and mouse. Most common firewalls cannot withstand this kind of attack.

TCP full-connection attack. This is the second type of attack. This attack is designed to bypass the checks of conventional firewalls. In general, conventional firewalls have the ability to filter teardrop, land and other DoS attacks, but normal TCP connections are let through. However, the number of TCP connections that many web service programs can accept is limited; once there are a large number of TCP connections, even if they are normal, website access will become very slow or even impossible. A TCP full-connection attack continuously establishes large numbers of TCP connections with the victim server through many zombie hosts, until resources such as the server's memory are exhausted and it is dragged down, causing denial of service. The characteristic of this attack is that it bypasses general firewall protection to achieve its purpose; the disadvantage is that many zombie hosts must be found, and because the zombie hosts' IPs are exposed, it is easy to trace.

CC attack. Now for the third attack. This attack is essentially aimed at website systems designed with ASP, PHP, JSP and other scripting programs that call MSSQL Server, MySQL Server, Oracle and other databases. Its feature is to establish normal TCP connections with the server and continually submit queries, lists and other calls that consume large amounts of database resources to the script program; it is a typical attack method in which a small force beats a large one. In general, the cost to the client of submitting a GET or POST request is almost negligible, but to handle the request the server may have to search for a record among tens of thousands of records, a process that is expensive in resources. Common database servers rarely support hundreds of simultaneous query executions, which is easy for the client, so the attacker simply submits queries to the host server through proxies, exhausting server resources within minutes and causing denial of service. The common symptoms are that the site becomes slow as a snail, ASP programs fail, PHP fails to connect to the database, and the database main program's CPU usage is high. This attack is characterized by completely bypassing ordinary firewall protection and can be carried out simply by finding some proxies; the disadvantage is that against sites with only static pages its effect will be greatly reduced, and some proxies will expose the attacker's IP address.

We have just talked about several of the DDoS attacks in common use at present, so how do we defend against DDoS attacks? Dealing with DDoS is a systematic project; it is unrealistic to rely solely on some system or product to prevent DDoS, and it is certain that completely eliminating DDoS is impossible at present. But with appropriate measures it is possible to defend against 90% of DDoS attacks. Based on the costs of attack and defense, if the ability to resist DDoS is enhanced in an appropriate way, it also means raising the attacker's cost, so the vast majority of attackers will not continue and will give up, which is equivalent to successfully defending against the DDoS attack.

So the first way is to use high-performance network equipment, to ensure that the network equipment does not become a bottleneck, so when selecting routers, switches, hardware firewalls and other equipment you should try to choose products from well-known, highly reputable brands. Then, if there is a special relationship or agreement with the network provider, it is even better: when a large-scale attack occurs, ask them to apply flow restrictions at the network access point, which is very effective against certain types of DDoS attacks.

The second way is sufficient network bandwidth. Network bandwidth directly determines the ability to resist attacks; with only 10M of bandwidth, whatever measures are taken it is difficult to fight the current SYN flood attacks. At present at least 100M of shared bandwidth should be chosen, and the best of course is to hang on a 1000M backbone. But note that a 1000M network card on the host does not mean its bandwidth is gigabit; if it is connected to a 100M switch, its actual bandwidth will not exceed 100M. Likewise, a 100M connection does not mean you actually have 100M of bandwidth, because the network service provider may well limit the actual bandwidth on the switch to 10M; this must be made clear.

Then the best way of prevention is to use a professional anti-DDoS firewall. Current anti-DDoS firewalls go up to 10G, and 2G, 4G and 6G cluster firewalls are now fairly common; such firewalls are very expensive, from tens of thousands to hundreds of thousands, so for personal webmasters they are certainly hard to accept. But there is a workaround: we have now launched gigabit-firewall server space, and the more common approach of renting server space brings the price down.

Then there is one best anti-DDoS technology: load balancing. This is for some large IT enterprises. Increasing the number of servers and using load balancing technology, or even purchasing layer-7 switching devices, multiplies the ability to resist DDoS, so the cost of the hacker's attack becomes very high and the hacker will give up.

Well, today we have told you the concept and principle of DDoS, then the symptoms of an attack, and how to defend; with that we have finished, and any questions can now be raised.

Interconnection Liu Weijun (Old Wheat 296128095): sharpwinner has done a lot of preparation for today's session, thank you. Next time we will hold a discussion on intrusion.
