How to resist DDoS attacks
First, why DDoS?
As Internet bandwidth has grown and DDoS tools have proliferated, DDoS (distributed denial-of-service) attacks have become easy to carry out and are on the rise. Driven by commercial competition, retaliation and online extortion, many IDC hosting rooms, commercial websites, game servers and chat networks run by Internet service providers have been under DDoS attack for a long time, bringing customer complaints, collateral damage to virtual-host users on the same machines, legal disputes and business losses. Solving the DDoS problem has therefore become a priority that every network provider must consider.
Second, what is DDoS?
DDoS is the English abbreviation of Distributed Denial of Service. What, then, is a denial of service (DoS)? Any behaviour that prevents legitimate users from accessing a network service normally is a denial-of-service attack. Its purpose is plain: to stop legitimate users from reaching network resources, and so to achieve whatever the attacker is after.

Both DoS and DDoS are denial-of-service attacks, but they differ in tactics and focus. DDoS sends the victim legitimate-looking network packets from a large number of "bots" (hosts the attacker has compromised, or can otherwise control indirectly), congesting the network or exhausting the server's resources. Once a DDoS attack is launched, attack packets pour onto the victim host like a flood and drown the packets of legitimate users, who can no longer reach the server's resources; for this reason distributed denial of service is also called a "flood attack". Common DDoS methods are SYN Flood, ACK Flood, UDP Flood, ICMP Flood, TCP Flood, Connections Flood, Script Flood and Proxy Flood. DoS, by contrast, exploits specific flaws in the host's network stack to make the stack fail, the system collapse or the host crash so that it can no longer provide normal network services; common DoS methods are TearDrop, Land, Jolt, IGMP Nuker, Boink, Smurf, Bonk and OOB. The main difference between the two is how hard they are to defend against: a DoS attack can usually be handled well enough by patching the host or installing firewall software, whereas DDoS is much harder. How to handle DDoS is what the rest of this article discusses in detail.
Third, what does a DDoS attack look like?
DDoS attacks basically take two forms. The first is a traffic (bandwidth) attack, aimed at the network bandwidth: a huge volume of attack packets saturates the link, and legitimate packets are drowned by the bogus ones and never reach the host. The second is a resource-exhaustion attack, aimed at the server host itself: a large number of attack packets exhaust the host's CPU, memory, kernel or application resources until it can no longer provide network services.
How do you tell whether a site is under a traffic attack? Test with the Ping command. If Ping times out or loses many packets (assuming it normally does not), the host is probably suffering a traffic attack; if other hosts on the same switch as your server also become unreachable, it is essentially certain. This test presumes that ICMP is not filtered by routers, other equipment or firewalls between you and the host; otherwise use Telnet to a service port on the host, which has the same effect. One thing is certain: if Ping to your server and to the other hosts on the same switch is normally fine and suddenly shows serious packet loss, and network faults can be ruled out, you are under a traffic attack. Another typical symptom of a traffic attack is that a remote terminal (remote desktop) connection to the web server fails.
Compared with traffic attacks, resource-exhaustion attacks are judged differently. If Ping to the web host is normal but the site suddenly becomes very slow or cannot be visited at all, and the host is still reachable by Ping, a resource-exhaustion attack is likely. If netstat -na on the server shows large numbers of connections in states such as SYN_RECEIVED, TIME_WAIT and FIN_WAIT_1, and this condition persists for a long time, a resource-exhaustion attack is certain. A second symptom is that Ping to your own web host times out or loses packets while Ping to other hosts on the same switch is normal. The reason is that the attack drives the kernel or some application to 100% CPU, so the host cannot answer Ping even though bandwidth on the switch is still available.
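The netstat check described above, as an added example that is not part of the original article: a small Python script that parses netstat -na output (it understands both the Windows row layout and the Linux one with Recv-Q/Send-Q columns) and applies this section's rules of thumb. It also separates the two cases a practitioner needs to tell apart: many half-open sockets spread over many source addresses (a spoofed SYN flood) versus many established connections held by a few addresses (a TCP connection flood). The sample output, the address ranges and the thresholds are constructed assumptions; tune the thresholds to the host's quiet-time baseline.

```python
import re
from collections import Counter

# Connection states the article treats as symptoms (Windows and Linux spellings).
HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV"}
TEARDOWN = {"TIME_WAIT", "FIN_WAIT_1", "FIN_WAIT_2", "CLOSE_WAIT", "LAST_ACK"}

# One row of `netstat -na`: Windows ("TCP local remote STATE") or
# Linux ("tcp Recv-Q Send-Q local remote STATE").
_ROW = re.compile(r"^\s*(tcp|udp)6?\s+(?:\d+\s+\d+\s+)?(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)


def _endpoint(addr):
    """Split 'host:port' (host may be IPv4, '*' or bracketed IPv6) into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        lhost, lport = _endpoint(local)
        rhost, rport = _endpoint(remote)
        rows.append({"proto": proto.upper(), "local_ip": lhost, "local_port": lport,
                     "remote_ip": rhost, "remote_port": rport, "state": (state or "").upper()})
    return rows


def summarize(rows):
    tcp = [r for r in rows if r["proto"] == "TCP"]
    half_open = [r for r in tcp if r["state"] in HALF_OPEN]
    established = [r for r in tcp if r["state"] == "ESTABLISHED"]
    states = Counter(r["state"] for r in tcp)
    return {
        "states": states,
        "half_open": len(half_open),
        "half_open_sources": len({r["remote_ip"] for r in half_open}),
        "established_by_ip": Counter(r["remote_ip"] for r in established),
        "teardown": sum(states[s] for s in TEARDOWN),
    }


def diagnose(rows, half_open_max=20, per_ip_max=10, teardown_max=50):
    """Apply the article's rules of thumb. The thresholds are assumptions."""
    s = summarize(rows)
    findings = []
    if s["half_open"] > half_open_max:
        # A spoofed SYN flood leaves one half-open socket per (random) source address;
        # a few real hosts hammering the port cluster on a handful of addresses.
        spread = s["half_open_sources"] / s["half_open"]
        kind = "SYN flood, scattered (likely spoofed) sources" if spread > 0.8 else "SYN flood, few sources"
        findings.append(f"{kind}: {s['half_open']} half-open sockets from {s['half_open_sources']} IPs")
    hogs = [(ip, n) for ip, n in s["established_by_ip"].most_common() if n > per_ip_max]
    if hogs:
        findings.append("TCP connection flood: " + ", ".join(f"{ip} holds {n}" for ip, n in hogs))
    if s["teardown"] > teardown_max:
        findings.append(f"{s['teardown']} sockets stuck in teardown states")
    return findings


def sample_netstat():
    """Constructed `netstat -na` output: a spoofed SYN flood plus three bots
    holding many established connections, mixed with a little normal traffic."""
    lines = ["Proto  Local Address          Foreign Address        State"]
    lines += [f"TCP    10.0.0.5:80            198.51.100.{i}:{40000 + i}    SYN_RECEIVED" for i in range(1, 41)]
    lines += [f"TCP    10.0.0.5:80            203.0.113.{b}:{50000 + j}    ESTABLISHED" for b in (7, 8, 9) for j in range(15)]
    lines += ["tcp        0      0 10.0.0.5:80            198.51.100.99:4431     SYN_RECV",  # Linux-style row
              "TCP    10.0.0.5:80            192.0.2.10:61000       ESTABLISHED",
              "TCP    10.0.0.5:80            192.0.2.11:61001       TIME_WAIT",
              "UDP    10.0.0.5:53            *:*"]
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in diagnose(parse_netstat(sample_netstat())):
        print(finding)
```

On a real host, pipe the live table in instead of the constructed sample (for example netstat -na on Windows, or netstat -nat on Linux) and run diagnose on it at intervals; a sudden jump in half-open sockets relative to the baseline is the signal, not any single absolute number.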
Currently three kinds of DDoS attack are most prevalent:
1. SYN/ACK Flood: the classic and most effective method; it can take down the network services of almost any system. The attacker sends the victim host large numbers of SYN or ACK packets with forged source IP addresses and source ports, exhausting the host's connection cache or keeping it busy sending responses, so that it denies service. Because the sources are forged, tracing the attack is quite difficult; the drawback for the attacker is that carrying it out requires bots with high bandwidth. A small-scale attack leaves the host reachable by Ping but its services failing, and netstat -na on the server shows large numbers of connections in the SYN_RECEIVED state. A large-scale attack makes Ping fail and the TCP/IP stack collapse, and the system appears to freeze, no longer responding to keyboard or mouse. Most ordinary firewalls cannot withstand this attack.
2. TCP connection flood: designed to bypass the conventional inspection a firewall performs. Under normal circumstances most firewalls can filter DoS attacks such as TearDrop and Land, but they pass normal TCP connections. Many network services (IIS, Apache and other web servers) accept only a limited number of TCP connections, and once that many are held, even by perfectly normal clients, the site becomes very slow or unreachable. A TCP connection flood uses many bots to keep establishing TCP connections to the victim server until its memory and other resources are exhausted and it is dragged down, achieving denial of service. Its advantage is that it bypasses ordinary firewall protection; its drawbacks are that it needs many bots and, because the bots use their real IP addresses, they are exposed and easily traced.
3. Script Flood: aimed mainly at web systems that run ASP, PHP, JSP or CGI scripts and call a database such as MSSQL Server, MySQL Server or Oracle. The attacker establishes normal TCP connections to the server and keeps submitting queries, list and search requests that consume database resources; the attack is typically small on the client side but very costly on the server side. Submitting a GET or POST request costs the client almost nothing in processing and bandwidth, whereas to answer it the server may have to search tens of thousands of records for the one requested, which is expensive; ordinary database servers can seldom sustain hundreds of query commands per second, while issuing them is trivial for the client. So an attacker who submits query commands through a number of proxy hosts can exhaust the server's resources within minutes and deny service. Common symptoms are the website slowing to a crawl, ASP pages failing, PHP failing to connect to the database, and the database daemon hogging the CPU. The attack's strengths are that it bypasses firewall protection completely and that suitable proxies are easy to find; its weaknesses are that it has little effect on purely static sites, and some proxies reveal the attacker's IP address.
Fourth, how to resist DDoS?
Dealing with DDoS is a systems-engineering problem; relying on a single system or product is unrealistic. What can be stated with certainty is that eliminating DDoS completely is unlikely, but with appropriate measures it is possible to defend against 90% of attacks. DDoS attack and defence are both a matter of cost: if appropriate measures strengthen your resistance, the attacker's cost rises, and most attackers will not keep going, which amounts to a successful defence. The following are ways to defend against DDoS attacks:
1. Use high-performance network equipment
First make sure the network equipment does not become the bottleneck: routers, switches and hardware firewalls should be products with a good reputation. It is better still if you have a special relationship or agreement with your network provider, so that when a large attack occurs you can ask them to limit the traffic at their network edge; this is very effective against some kinds of DDoS attack.
2. Avoid using NAT
Whether on routers or on hardware firewall devices, avoid network address translation (NAT) wherever possible, because it greatly reduces the throughput of the network path. The reason is simple: NAT has to rewrite the addresses of every network packet and recompute its checksums, which costs a lot of CPU time. When NAT is unavoidable, use it, but know the cost.
3. Provide plenty of network bandwidth
Network bandwidth directly determines the ability to withstand attack. With only 10M of bandwidth no measure will stand up to today's SYN Floods; choose at least 100M of shared bandwidth, and best of all hang the host off a 1000M trunk. Be aware, though, that a host with a gigabit network card does not have gigabit bandwidth: if it is plugged into a 100M port of a gigabit switch its actual bandwidth is at most 100M, and even a 100M port need not deliver 100M, because the network provider may rate-limit the switch port to 10M. This must be made clear.
4. Upgrade the host server hardware
With network bandwidth assured, upgrade the hardware configuration as far as you can. To resist 100,000 SYN packets per second effectively the server should at least have a P4 2.4 GHz CPU, 512 MB of DDR memory and a SCSI hard disk. CPU and memory play the key role: use dual Xeon CPUs if you can, memory must be high-speed DDR, and for disks prefer SCSI; do not be tempted by cheap, large IDE disks, or you will pay for it in performance. The network card must be a 3COM, Intel or similarly reputable brand; Realtek cards belong in your own PC.
5. Make the pages static
Making the site's pages static not only greatly increases resistance to attack but also makes trouble for hackers: so far no HTML overflow has appeared. Look at Sina, Sohu and Netease: the portals are mainly static pages. Where dynamic scripts are genuinely needed, move them to a separate host so that an attack on them does not trouble the main server. Also, where appropriate, refuse proxy access to scripts that call the database, because experience shows that 80% of visits to your site through a proxy are malicious.
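An added example, not code from the original article, of the advice in this section and of a defence against the Script Flood described under attack type 3: a request gate that serves static files unconditionally, refuses proxied requests to database-backed scripts, and gives each client IP a token bucket so that one address cannot submit hundreds of queries per second. The proxy-detection headers, the script extensions, the bucket parameters and the traffic in simulate() are assumptions constructed for the demo.

```python
import time

# Request headers that forward proxies normally add (assumption: a proxy that
# strips them will not be caught by this check).
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded")
# Extensions of the database-backed scripts the article is worried about.
DYNAMIC_SUFFIXES = (".asp", ".php", ".jsp", ".cgi")


class ScriptGate:
    """Decides whether a request may reach a dynamic script: static files always pass,
    proxied requests to scripts are refused, and each client IP gets a token bucket."""

    def __init__(self, rate_per_sec=2.0, burst=5, clock=time.monotonic):
        self.rate, self.burst, self._clock = rate_per_sec, burst, clock
        self._buckets = {}          # ip -> (tokens, time of last refill)

    def _take_token(self, ip):
        now = self._clock()
        tokens, last = self._buckets.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill since last visit
        allowed = tokens >= 1
        self._buckets[ip] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def decide(self, ip, path, headers):
        """Return 'serve', 'deny-proxy' or 'throttle' for one request."""
        if not path.lower().endswith(DYNAMIC_SUFFIXES):
            return "serve"                      # static page: cheap, no database behind it
        names = {name.lower() for name in headers}
        if names & set(PROXY_HEADERS):
            return "deny-proxy"
        return "serve" if self._take_token(ip) else "throttle"


def simulate():
    """Constructed traffic: one client hammering search.php, a proxied script request
    and static page hits within the same second, then the same client a second later."""
    now = [1000.0]
    gate = ScriptGate(rate_per_sec=2.0, burst=5, clock=lambda: now[0])
    burst = [gate.decide("203.0.113.7", "/search.php", {}) for _ in range(20)]
    proxied = gate.decide("198.51.100.2", "/list.asp", {"X-Forwarded-For": "10.1.2.3"})
    static = [gate.decide("203.0.113.7", p, {}) for p in ("/index.html", "/logo.gif")]
    now[0] += 1.0                                # two tokens refilled at 2/s
    later = [gate.decide("203.0.113.7", "/search.php", {}) for _ in range(3)]
    return {"served_in_burst": burst.count("serve"), "throttled": burst.count("throttle"),
            "proxied": proxied, "static": static, "later": later}
```

The bucket is keyed by the TCP peer address, so a Script Flood spread over many proxies still gets one bucket per proxy; that is why the proxy refusal comes first, and why both checks together are cheaper than letting the request reach the database.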
6. Harden the operating system's TCP/IP stack
Server operating systems such as Windows 2000 and Windows 2003 have some inherent resistance to DDoS, but it is not enabled by default. With the hardening enabled they can withstand roughly 10,000 attack SYN packets; without it, only a few hundred. For the specifics see the Microsoft article "Strengthening TCP/IP stack security" (the SynAttackProtect value and its companions under the Tcpip\Parameters registry key).
Some people will ask: what if I use Linux or FreeBSD? Very simple: enable SYN cookies, as described in the article on SYN Cookies (the net.ipv4.tcp_syncookies sysctl on Linux, net.inet.tcp.syncookies on FreeBSD).
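Why SYN cookies help against the SYN/ACK Flood described earlier, as an added example that is not part of the original article: a toy listener in Python that can run either as a classic stateful listener (half-open queue of fixed size) or in SYN-cookie mode, where the server ISN it sends in the SYN-ACK is a keyed hash of the connection 4-tuple, the client's ISN and a coarse time counter, plus an encoded MSS index, and nothing is stored until a valid ACK returns. The layout is modelled on the Linux scheme (time counter in the high bits, hash plus MSS index in the low 24 bits) but simplified; the MSS table, counter period, cookie lifetime, backlog size and the secret are assumptions.

```python
import hashlib
import hmac
import time

# Toy MSS table; the Linux kernel encodes an index into a small fixed table like
# this in the cookie's low bits (the values here are an assumption for the demo).
MSS_TABLE = (536, 1300, 1440, 1460)
COOKIE_BITS = 24                 # low 24 bits: MAC + MSS index; high 8 bits: time counter
COOKIE_MASK = (1 << COOKIE_BITS) - 1
COUNTER_PERIOD = 60              # seconds per counter tick (assumption)
MAX_COOKIE_AGE = 2               # ticks after which a cookie is rejected (assumption)
BACKLOG = 128                    # half-open queue size of the stateful listener (assumption)


class SynCookieListener:
    """Listening socket that either keeps a half-open queue (classic) or, with
    syncookies=True, encodes all handshake state in the server ISN it sends back."""

    def __init__(self, secret, port, clock=time.time, syncookies=True):
        self._secret, self.port, self._clock = secret, port, clock
        self.syncookies = syncookies
        self.half_open = {}       # (src, sport) -> (client_isn, server_isn, mss); classic mode only
        self.established = {}     # (src, sport) -> negotiated mss

    def _counter(self):
        return int(self._clock()) // COUNTER_PERIOD

    def _mac(self, src, sport, client_isn, counter):
        """Keyed hash binding the cookie to the 4-tuple, the client's ISN and a time tick."""
        msg = f"{src}|{sport}|{self.port}|{client_isn}|{counter}".encode()
        return int.from_bytes(hmac.new(self._secret, msg, hashlib.sha256).digest()[:4], "big")

    def make_cookie(self, src, sport, client_isn, mss):
        counter = self._counter()
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        low = (self._mac(src, sport, client_isn, counter) + mss_idx) & COOKIE_MASK
        return ((counter & 0xFF) << COOKIE_BITS) | low

    def check_cookie(self, src, sport, client_isn, cookie):
        """Return the MSS the cookie encodes, or None if it is forged, stale or for another tuple."""
        now = self._counter()
        age = (now - (cookie >> COOKIE_BITS)) & 0xFF
        if age > MAX_COOKIE_AGE:
            return None
        mss_idx = (cookie - self._mac(src, sport, client_isn, now - age)) & COOKIE_MASK
        return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None

    def on_syn(self, src, sport, client_isn, mss=1460):
        """Handle a SYN. Returns the server ISN for the SYN-ACK, or None if the SYN was dropped."""
        if self.syncookies:
            return self.make_cookie(src, sport, client_isn, mss)   # nothing is stored
        if len(self.half_open) >= BACKLOG:
            return None                                             # queue full: SYN dropped
        server_isn = self._mac(src, sport, client_isn, 0)           # any unpredictable value will do
        self.half_open[(src, sport)] = (client_isn, server_isn, mss)
        return server_isn

    def on_ack(self, src, sport, client_isn, ack):
        """Handle the handshake's final ACK. Returns True if a connection was established."""
        if self.syncookies:
            mss = self.check_cookie(src, sport, client_isn, (ack - 1) & 0xFFFFFFFF)
            if mss is None:
                return False
        else:
            entry = self.half_open.pop((src, sport), None)
            if entry is None or ((entry[1] + 1) & 0xFFFFFFFF) != ack:
                return False
            mss = entry[2]
        self.established[(src, sport)] = mss
        return True


def flood_then_connect(syncookies):
    """10,000 spoofed SYNs (nobody will answer the SYN-ACKs), then one real client."""
    now = [1_700_000_000.0]
    srv = SynCookieListener(b"per-boot secret", 80, clock=lambda: now[0], syncookies=syncookies)
    for i in range(10_000):
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, client_isn=i)
    isn = srv.on_syn("192.0.2.10", 40000, client_isn=12345, mss=1400)
    ok = isn is not None and srv.on_ack("192.0.2.10", 40000, 12345, (isn + 1) & 0xFFFFFFFF)
    return {"half_open": len(srv.half_open), "connected": ok,
            "mss": srv.established.get(("192.0.2.10", 40000))}


def cookie_edge_cases():
    """ACKs a cookie listener must reject: guessed, from another address, and expired."""
    now = [1_700_000_000.0]
    srv = SynCookieListener(b"per-boot secret", 80, clock=lambda: now[0])
    isn = srv.on_syn("192.0.2.10", 40000, client_isn=1)
    guessed = srv.on_ack("192.0.2.10", 40000, 1, ((isn ^ 0x5A5A5A5A) + 1) & 0xFFFFFFFF)
    other_src = srv.on_ack("192.0.2.11", 40000, 1, (isn + 1) & 0xFFFFFFFF)
    now[0] += COUNTER_PERIOD * (MAX_COOKIE_AGE + 2)
    stale = srv.on_ack("192.0.2.10", 40000, 1, (isn + 1) & 0xFFFFFFFF)
    return {"guessed": guessed, "other_src": other_src, "stale": stale}
```

With syncookies=False the flood fills the 128-entry backlog and the legitimate client's SYN is dropped; with syncookies=True the backlog stays empty and the client connects, because the only thing the server has to "remember" is its secret and the clock. The price, as in real kernels, is that TCP options not encoded in the cookie are lost for connections accepted this way, which is why the stack only uses cookies once the queue overflows.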
7. Install a professional anti-DDoS firewall
8. Other defensive measures
The suggestions above suit the majority of users who run their own hosts against DDoS. If you have taken all of them and DDoS is still causing trouble, more investment may be needed: increase the number of servers and use DNS round robin or load balancing, or even buy layer-7 switching equipment, which multiplies the resistance to DDoS; it just takes further investment.
I want to quote your post in my blog. Is that OK?
Have you got an account on Twitter?
…An interesting Post I want to reply to later on over at …