With the growth of Internet bandwidth and the steady release of DDoS attack tools, mounting a distributed denial-of-service attack has become increasingly easy, and DDoS attacks are on the rise. Driven by commercial competition, retaliation, and online extortion, many network service providers, such as IDC hosting rooms, commercial sites, game servers, and chat networks, have long been plagued by DDoS attacks, with customer complaints, affected virtual-host users, legal disputes, and business losses following in their wake. Resolving the DDoS problem has therefore become a top priority for network service providers.

What is a DDoS attack? How to resist DDoS attacks

1. What is DDoS?

DDoS stands for Distributed Denial of Service. What, then, is a denial of service? Any behaviour that prevents legitimate users from accessing a normal network service can be regarded as a denial-of-service attack. In other words, the goal of a denial-of-service attack is plain: to stop legitimate users from reaching normal network resources, and so to achieve whatever hidden aim the attacker has. Although both are denial-of-service attacks, DDoS and DoS differ. A DDoS attack sends a large volume of seemingly legitimate network packets to the victim host through many “zombie hosts” (hosts the attacker has compromised or can otherwise exploit indirectly), causing network congestion or exhausting server resources and thereby denying service. Once a distributed denial-of-service attack is under way, attack packets flood the victim host and drown out the packets of legitimate users, who can no longer reach the server’s network resources normally; for this reason denial-of-service attacks are also called “flood attacks”. Common DDoS attack methods include SYN Flood, ACK Flood, UDP Flood, ICMP Flood, TCP Flood, Connections Flood, Script Flood, Proxy Flood, and so on. DoS, by contrast, exploits vulnerabilities specific to the host to cause network stack failures, system crashes, or host hangs, and so denies service. Common DoS attack methods include TearDrop, Land, Jolt, IGMP Nuker, Bonk, Smurf, and OOB. Of the two, DDoS is the main hazard and is difficult to prevent, whereas DoS attacks can be prevented well by patching the host server or installing firewall software. The rest of this article explains in detail how to deal with DDoS attacks.

2. How can I determine whether my website is under DDoS attack?

DDoS manifests itself in two main ways. One is the traffic attack, which targets network bandwidth: a large number of attack packets saturate the link, and legitimate packets are drowned out by forged attack packets and never reach the host. The other is the resource-exhaustion attack, which targets the server host: a large number of attack packets exhaust the host’s memory or keep the CPU busy in the kernel and applications, so that the host can no longer provide network services.

How do you tell whether a website is under a traffic attack? Use the ping command. If ping times out or shows severe packet loss (assuming the host is normally reachable), a traffic attack may be under way. If, at the same time, a server connected to the same switch as your host also becomes unreachable, you can be fairly sure it is a traffic attack. This test presumes that ICMP between you and the server host is not blocked by routers, firewalls, or other devices; otherwise, telnet to a network service port of the host server instead, which serves the same purpose. One thing is certain: if your host server and the host servers on the same switch are normally pingable and suddenly ping fails or packet loss is severe, then, once network faults have been ruled out, it must be a traffic attack. Another typical sign of a traffic attack is that connecting to the website server over a remote terminal fails.

Compared with traffic attacks, resource-exhaustion attacks are easier to identify. If you can ping the website host and the site is normally accessible, but the site suddenly becomes very slow or unreachable while ping still succeeds, a resource-exhaustion attack is likely. If, on running netstat -na on the server, you see large numbers of connections in states such as SYN_RECEIVED, TIME_WAIT, and FIN_WAIT_1 and very few in ESTABLISHED, you can conclude that a resource-exhaustion attack is under way. Another form of resource-exhaustion attack is one where pinging your own website host fails or suffers severe packet loss while pinging servers on the same switch as your host is normal. This happens because the attack on the website host drives the system kernel or some application to 100% CPU, so the host cannot answer ping; bandwidth is in fact still available, otherwise the other hosts on that switch would not be pingable either.

Three DDoS attack types are currently the most common:

SYN/ACK Flood attack

This is the classic and most effective DDoS method, able to bring down the network services of practically any system. It sends the victim host a large number of SYN or ACK packets with forged source IP addresses and source ports, so that the host either exhausts its cache resources or is kept busy sending response packets, and service is denied. Because the sources are all forged, the attack is relatively hard to trace. Its drawback is that it is hard to mount and needs zombie hosts with high bandwidth. A small volume of this attack makes the host server unreachable while it still answers ping, and netstat -na on the server shows a large number of connections in the SYN_RECEIVED state; a large volume causes ping to fail, the TCP/IP stack to fail, and the system to freeze, meaning even the keyboard and mouse stop responding. Most ordinary firewalls cannot resist this attack.

TCP full-connection attack

This attack is designed to bypass inspection by conventional firewalls. Conventional firewalls can generally filter DoS attacks such as TearDrop and Land, but they let normal TCP connections through. Yet many network service programs (IIS, Apache, and other web servers, for example) can accept only a limited number of TCP connections, and once there are a great many of them, even legitimate ones, the website becomes very slow or unreachable. In a TCP full-connection attack, many zombie hosts keep establishing large numbers of TCP connections to the victim server until the server’s memory and other resources are exhausted and it is dragged down, denying service. The strength of this attack is that it bypasses the protection of ordinary firewalls; its weakness is that it needs many zombie hosts, and because the zombie hosts’ IP addresses are exposed it is easy to trace.
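The netstat-based diagnosis from section 2 and the two connection-level attacks just described (SYN/ACK flood and TCP full-connection attack) can be triaged from a single `netstat -na` snapshot. The script below is an added example and is not part of the original article: it parses constructed netstat lines in the Windows layout, counts connections per state, and applies the two heuristics the text gives (many half-open SYN_RECEIVED entries with few ESTABLISHED ones; many ESTABLISHED connections concentrated on a few foreign addresses). The sample lines and the thresholds are assumptions chosen for illustration.

```python
"""Triage a `netstat -na` snapshot for the two resource-exhaustion patterns
the article describes: a SYN/ACK flood (many half-open SYN_RECEIVED entries
and few ESTABLISHED ones) and a TCP full-connection flood (many ESTABLISHED
connections concentrated on a handful of foreign addresses).
Added example, not from the original article. The netstat lines are
constructed, and the thresholds are illustrative assumptions."""
from collections import Counter

# Constructed sample in the Windows `netstat -na` layout (Proto, Local, Foreign, State)
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            198.51.100.23:40211    ESTABLISHED
  TCP    10.0.0.5:80            198.51.100.23:40212    ESTABLISHED
  TCP    10.0.0.5:80            198.51.100.23:40213    ESTABLISHED
  TCP    10.0.0.5:80            198.51.100.23:40214    ESTABLISHED
  TCP    10.0.0.5:80            203.0.113.9:51001      SYN_RECEIVED
  TCP    10.0.0.5:80            203.0.113.10:51002     SYN_RECEIVED
  TCP    10.0.0.5:80            203.0.113.11:51003     SYN_RECEIVED
  TCP    10.0.0.5:80            203.0.113.12:51004     SYN_RECEIVED
  TCP    10.0.0.5:80            203.0.113.13:51005     SYN_RECEIVED
  TCP    10.0.0.5:80            203.0.113.14:51006     SYN_RECEIVED
  TCP    10.0.0.5:80            192.0.2.77:33007       TIME_WAIT
  TCP    10.0.0.5:80            192.0.2.78:33008       FIN_WAIT_1
  UDP    0.0.0.0:53             *:*
"""

# Windows prints SYN_RECEIVED, Linux prints SYN_RECV; treat both as half-open
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV"}


def parse_netstat(text):
    """Return (foreign_host, state) for every TCP line that carries a state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue  # header, UDP and blank lines have a different shape
        foreign, state = parts[2], parts[3]
        host = foreign.rsplit(":", 1)[0]  # drop the port (IPv4 form)
        rows.append((host, state))
    return rows


def triage(text, max_half_open=5, max_conns_per_host=3):
    """Count states and apply the article's two heuristics (thresholds are assumptions)."""
    rows = parse_netstat(text)
    states = Counter(state for _, state in rows)
    half_open = sum(states[s] for s in HALF_OPEN_STATES)
    established = states["ESTABLISHED"]
    per_host = Counter(host for host, state in rows if state == "ESTABLISHED")
    heavy_hosts = {h: n for h, n in per_host.items() if n > max_conns_per_host}
    return {
        "states": dict(states),
        # many half-open entries and few completed handshakes: SYN/ACK flood pattern
        "syn_flood_suspected": half_open > max_half_open and half_open > established,
        # many completed connections from the same peers: full-connection pattern
        "full_connection_suspected": bool(heavy_hosts),
        "heavy_hosts": heavy_hosts,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_NETSTAT)
    for state, n in sorted(result["states"].items()):
        print(f"{state:14s} {n}")
    print("SYN flood suspected:", result["syn_flood_suspected"])
    print("Full-connection flood suspected:", result["full_connection_suspected"], result["heavy_hosts"])
```

On a live server the snapshot would come from `netstat -na` output piped into the script; the point of the per-host count is that a full-connection attack, unlike a SYN flood, cannot hide its sources, which is exactly the weakness the text attributes to it.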

Script Flood attack

This attack targets website systems that run script programs such as ASP, JSP, PHP, and CGI and call databases such as MSSQL Server, MySQL Server, and Oracle. It establishes a normal TCP connection to the server and keeps submitting queries, listings, and other calls that consume database resources to the script program. It is a typical small-cost, large-effect attack: submitting a GET or POST request costs the client almost nothing in resources or bandwidth, while the server may have to search tens of thousands of records to handle it, which is very resource intensive. Ordinary database servers rarely support hundreds of query instructions executing at the same time, which is trivial for the client, so an attacker need only submit a large number of query instructions to the host server through proxies to exhaust its resources within a few minutes and deny service. Typical symptoms are a website as slow as a snail, ASP programs failing, PHP failing to connect to the database, and the database main process consuming a high share of CPU. The strength of this attack is that it completely bypasses ordinary firewall protection and proxies to launch it from are easy to find; its weakness is that it is far less effective against websites with only static pages, and some proxies expose the attacker’s IP address.
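Because a script flood rides on normal TCP connections, it does not show up in netstat the way the previous two attacks do; it shows up in the web server's access log as clients hitting dynamic pages far faster than a person would. The following added example (not from the original article) parses constructed Apache-style log lines, keeps only requests for server-side scripts, and flags any client that exceeds a per-window request count using a sliding window. The log lines, the script suffix list, and the threshold are assumptions.

```python
"""Spot a script-flood pattern in a web access log: a client submitting
dynamic-page requests far faster than a human would, each cheap for the
client and costly for the database behind the script.
Added example, not part of the original article; the log lines are
constructed and the threshold and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Common/combined log format: client, identity, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Extensions of the script programs the article names (assumed list)
SCRIPT_SUFFIXES = (".asp", ".aspx", ".php", ".jsp", ".cgi")

# Constructed sample: one client fires 30 search queries in 30 s,
# two ordinary visitors make a handful of requests
SAMPLE_LOG = "\n".join(
    [f'203.0.113.50 - - [10/Oct/2023:13:55:{s:02d} +0800] '
     f'"GET /search.php?q=x{s} HTTP/1.1" 200 512' for s in range(30)]
    + ['198.51.100.7 - - [10/Oct/2023:13:55:10 +0800] "GET /index.html HTTP/1.1" 200 2048',
       '198.51.100.7 - - [10/Oct/2023:13:55:12 +0800] "GET /list.asp?page=2 HTTP/1.1" 200 4096',
       '198.51.100.8 - - [10/Oct/2023:13:55:14 +0800] "POST /login.php HTTP/1.1" 302 0']
)


def parse_log(text):
    """Return (ip, timestamp, path) for every line that matches the log format."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or foreign line: skip rather than crash
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits.append((m.group("ip"), ts, m.group("path")))
    return hits


def is_script_request(path):
    """True when the path (query string removed) targets a server-side script."""
    return path.split("?", 1)[0].lower().endswith(SCRIPT_SUFFIXES)


def flagged_clients(text, max_requests=20, window_seconds=60):
    """Map client IP -> peak number of script requests seen in any window.

    Only clients whose peak exceeds max_requests are returned; static-page
    requests are ignored, since they cost the server little."""
    per_ip = defaultdict(list)
    for ip, ts, path in parse_log(text):
        if is_script_request(path):
            per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it fits within window_seconds
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > max_requests:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, peak in flagged_clients(SAMPLE_LOG).items():
        print(f"{ip}: {peak} script requests within 60 s")
```

The threshold must be tuned per site, since a legitimate search-heavy page can exceed 20 requests a minute from one office NAT address; the per-path cost (which queries are expensive) is the better signal when the log records response times.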

3. How to resist DDoS attacks?

Dealing with DDoS is systems engineering; it is unrealistic to rely on any single system or product to prevent it. Eliminating DDoS completely is currently impossible, but with appropriate measures it is possible to resist 90% of DDoS attacks. Looking at the cost on both sides, strengthening DDoS resistance through appropriate measures raises the attacker’s cost; the vast majority of attackers will be unable to keep up and will give up, which amounts to successfully resisting the attack. The following measures help prevent DDoS attacks:

Use high-performance network devices

First, network devices must not become bottlenecks, so when choosing routers, switches, hardware firewalls, and similar equipment, pick products with high visibility and a good reputation. It is even better to have a special relationship or agreement with a network provider: when a large attack arrives, asking them to rate-limit traffic at the network nodes is very effective against certain kinds of DDoS attack.

Avoid NAT where possible

Whether on a router or a hardware firewall, avoid using network address translation (NAT) as far as possible, because it greatly reduces network throughput. The reason is simple: NAT must translate addresses in both directions and recompute the checksum of each network packet in the process, which wastes a lot of CPU time. Sometimes, however, NAT is unavoidable, and then there is no good way around it.

Guarantee adequate network bandwidth

Network bandwidth directly determines the ability to withstand an attack. With only 10M of bandwidth, no measure will hold up against today’s SYN Flood attacks. At present you need at least 100M of shared bandwidth, and the best option is to sit on a 1000M backbone. Note, however, that a 1000M network card in the host does not mean gigabit network bandwidth: connected to a 100M switch, its actual bandwidth will not exceed 100M, and even a 100M switch does not guarantee 100M of bandwidth, because the network service provider may well cap the actual bandwidth on the switch at 10M. This must be clarified with the provider.

Upgrade the host server hardware

With network bandwidth assured, improve the hardware configuration as far as possible. To cope effectively with 100,000 SYN attack packets per second, the server should be at least P4 2.4G/DDR512M/SCSI-HD. CPU and memory matter most: if dual Xeon CPUs are available, use them; memory should be high-speed DDR, and the hard disk should be SCSI wherever possible. Do not be tempted by IDE merely because it is cheap and roomy, or performance will suffer greatly. The network card should be from a well-known brand such as 3COM or Intel; a Realtek card is better left in your own PC.

Make the website static

Experience has shown many times over that making a website as static as possible not only greatly improves its resistance to attack but also creates a lot of trouble for hackers; to date, no HTML overflow has appeared. Look at the portals: Sina, Sohu, and NetEase are mostly static pages. If dynamic script calls are unavoidable, move them to a separate host so that the main server is not affected by an attack. It is still fine to keep some scripts that do not call the database. In addition, scripts that do call the database should deny access through proxies, because experience shows that 80% of the access to your website that comes through proxies is malicious.
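The last recommendation, refusing proxied requests only on the pages that hit the database, can be implemented as a small request check. The code below is an added example and not from the original article; the list of database-backed paths, the set of proxy-revealing headers, and the trusted front-end address are assumptions. It also handles the case a practitioner runs into first: if the site sits behind its own reverse proxy or CDN, every request carries X-Forwarded-For, so that front end must be exempted or the check blocks everyone. Only proxies that announce themselves in a Via, Forwarded or X-Forwarded-For header can be recognised this way.

```python
"""Refuse proxied requests to database-backed scripts, as the article advises,
while leaving static pages open to everyone.
Added example, not from the original article; the script list, header set
and trusted front-end address are assumptions."""

# Scripts that call the database (assumed for the example)
DB_BACKED_PATHS = {"/search.php", "/list.asp", "/login.php"}

# Headers that forwarding proxies commonly add: Via (RFC 7230),
# Forwarded (RFC 7239), and the de-facto X-Forwarded-For / Proxy-Connection
PROXY_HEADERS = {"via", "forwarded", "x-forwarded-for", "proxy-connection"}


def proxy_headers_present(headers):
    """Return the proxy-revealing header names found, lower-cased and sorted."""
    return sorted(k.lower() for k in headers if k.lower() in PROXY_HEADERS)


def decide(path, headers, peer_ip, trusted_front_ends=frozenset()):
    """Return (HTTP status, reason) for one request.

    peer_ip is the address of the TCP peer. When it is one of our own
    reverse proxies or CDN edges, forwarding headers are expected and must
    not trigger a denial."""
    base = path.split("?", 1)[0]
    if base not in DB_BACKED_PATHS:
        return 200, "static or non-database page: proxies allowed"
    if peer_ip in trusted_front_ends:
        return 200, "database script reached via our own front end"
    found = proxy_headers_present(headers)
    if found:
        return 403, "proxied request to database script (" + ", ".join(found) + ")"
    return 200, "direct request to database script"


if __name__ == "__main__":
    # constructed requests: proxied, direct, static page, and via a trusted front end
    print(decide("/search.php?q=test", {"Via": "1.1 proxy.example"}, "203.0.113.5"))
    print(decide("/search.php?q=test", {"User-Agent": "Mozilla/5.0"}, "203.0.113.5"))
    print(decide("/index.html", {"X-Forwarded-For": "203.0.113.5"}, "203.0.113.5"))
    print(decide("/list.asp", {"X-Forwarded-For": "203.0.113.5"}, "10.0.0.2", {"10.0.0.2"}))
```

In a real deployment the same decision is usually expressed as a web server rule on the script locations rather than inside each script, but the logic, including the exemption for trusted front ends, is identical.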

Harden the operating system’s TCP/IP stack

As server operating systems, Win2000 and Win2003 have a certain built-in ability to resist DDoS attacks, but it is not enabled by default. When enabled they can withstand roughly 10,000 SYN attack packets; when not, only a few hundred.

Install a professional anti-DDoS firewall, such as Fire Umbrella Cloud APP Shield

Fire Umbrella Cloud APP Shield is a highly customizable network security management solution for all kinds of apps facing DDoS and CC attacks. Besides defending effectively against large-scale (T-level) DDoS attacks, Fire Umbrella Cloud APP Shield can thoroughly solve the TCP-protocol CC attack problem peculiar to the gaming industry, at lower protection cost and with better results.

Other defensive measures
