
How do computers guard against DDoS attacks

2025-02-14 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to protect computers against DDoS attacks. The methods described are straightforward and practical, so read on if the topic interests you.

What is a volumetric (capacity) DDoS attack?

Volumetric DDoS attacks are designed to saturate the victim's bandwidth; the UDP reflection attack is the typical example.

In a UDP reflection attack the attacker sends packets whose source IP address is forged to be the victim's. The reflecting server's reply to each spoofed packet is therefore delivered to the target, not back to the attacker.

Going through an intermediate server rather than hitting the target directly gives the attacker amplification: the reply is usually much larger than the request that triggered it. A DNS answer, for example, can be 28 to 54 times larger than the original query.

The attacker can therefore send many small packets and let the much larger replies exhaust the target's resources.

What is a protocol DDoS attack?

Protocol DDoS attacks exploit weaknesses in the way a protocol operates; the SYN flood is the classic example, and it abuses the TCP three-way handshake.

When an attacker sends a large number of SYN packets to a machine, the server allocates resources for each one and replies with a SYN-ACK, assuming each is the start of a legitimate connection.

Normally the client then answers with an ACK and the connection is established. In a SYN flood the attacker never completes the handshake and keeps sending new SYNs until the server's resources are exhausted and it can no longer accept legitimate traffic.

What is an application DDoS attack?

Application DDoS attacks target weaknesses in the way an application works; Slowloris is the standard example.

A Slowloris attack resembles a SYN flood but is aimed at web servers. The attacker opens HTTP requests without ever completing them and keeps sending additional headers slowly to hold each connection open.

Because the requests are never completed, these connections tie up all of the server's available connection slots and legitimate clients cannot be served.
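The three attack categories above each leave a distinctive footprint in flow or proxy logs: reflected UDP replies converging on one destination, handshakes that never complete, and established connections whose request never finishes. The following is an added example, not code from the original article; it applies simple threshold rules to constructed flow records (documentation IP ranges), and the thresholds themselves are assumptions to be tuned against a real traffic baseline.

```python
"""Indicator-based triage for the three DDoS categories described above.

This is an added example, not code from the original article. All thresholds are
assumptions for illustration, and the flow records are constructed (documentation
IP ranges), not captured from a real network.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# UDP source ports of services commonly abused as reflectors (DNS, NTP, SSDP, memcached).
REFLECTOR_PORTS = {53, 123, 1900, 11211}

# Detection thresholds (assumed; tune against your own traffic baseline).
REFLECTION_MIN_SOURCES = 20      # distinct reflectors answering toward one destination
REFLECTION_MIN_BYTES = 100_000   # bytes of reflected traffic toward that destination
SYN_MIN_HALF_OPEN = 50           # half-open connections to one destination
SYN_MIN_HALF_OPEN_RATIO = 0.9    # share of handshakes that never complete
SLOW_MIN_CONNS = 25              # long-lived connections with unfinished requests
SLOW_MIN_DURATION_S = 30.0       # how long a request may stay unfinished before it counts


@dataclass(frozen=True)
class Flow:
    """One client-to-server flow summary, as a flow collector or proxy log might export it."""
    src: str
    dst: str
    proto: str                               # "tcp" or "udp"
    sport: int
    dport: int
    nbytes: int
    duration_s: float
    syn: bool = False                        # client sent a SYN
    ack: bool = False                        # client also sent the final ACK (handshake completed)
    request_complete: Optional[bool] = None  # HTTP request fully received; None if unknown


def classify(flows: List[Flow]) -> Dict[str, List[str]]:
    """Return, per destination IP, the attack categories whose indicators fire."""
    reflector_srcs = defaultdict(set)
    reflected_bytes = defaultdict(int)
    half_open = defaultdict(int)
    completed = defaultdict(int)
    slow_conns = defaultdict(int)

    for f in flows:
        # Volumetric: replies from reflector ports converging on one destination.
        if f.proto == "udp" and f.sport in REFLECTOR_PORTS:
            reflector_srcs[f.dst].add(f.src)
            reflected_bytes[f.dst] += f.nbytes
        # Protocol: SYNs that never turn into established connections.
        elif f.proto == "tcp" and f.syn:
            if f.ack:
                completed[f.dst] += 1
            else:
                half_open[f.dst] += 1
        # Application: established connections whose request never finishes.
        if (f.proto == "tcp" and f.dport in (80, 443)
                and f.request_complete is False and f.duration_s >= SLOW_MIN_DURATION_S):
            slow_conns[f.dst] += 1

    verdicts = defaultdict(list)
    for dst, srcs in reflector_srcs.items():
        if len(srcs) >= REFLECTION_MIN_SOURCES and reflected_bytes[dst] >= REFLECTION_MIN_BYTES:
            verdicts[dst].append("volumetric:udp-reflection")
    for dst, n_half in half_open.items():
        ratio = n_half / (n_half + completed[dst])
        if n_half >= SYN_MIN_HALF_OPEN and ratio >= SYN_MIN_HALF_OPEN_RATIO:
            verdicts[dst].append("protocol:syn-flood")
    for dst, n_slow in slow_conns.items():
        if n_slow >= SLOW_MIN_CONNS:
            verdicts[dst].append("application:slowloris")
    return dict(verdicts)


def constructed_flows() -> List[Flow]:
    """Constructed sample: one victim per attack type plus ordinary traffic."""
    flows = []
    # SYN flood: 120 half-open connections from spoofed sources, only 3 real handshakes.
    for i in range(120):
        flows.append(Flow(f"192.0.2.{i % 250 + 1}", "198.51.100.10", "tcp", 40000 + i, 443, 60, 0.0, syn=True))
    for i in range(3):
        flows.append(Flow(f"192.0.2.{i + 1}", "198.51.100.10", "tcp", 50000 + i, 443, 4200, 1.2,
                          syn=True, ack=True, request_complete=True))
    # DNS reflection: 30 open resolvers each sending a ~4 KB answer toward the victim.
    for i in range(30):
        flows.append(Flow(f"203.0.113.{i + 1}", "198.51.100.20", "udp", 53, 33000 + i, 4096, 0.1))
    # Slowloris: 40 connections held open for minutes with headers never completed.
    for i in range(40):
        flows.append(Flow(f"192.0.2.{100 + i}", "198.51.100.30", "tcp", 45000 + i, 80, 300, 240.0,
                          syn=True, ack=True, request_complete=False))
    # Benign: completed handshakes with finished requests, and one ordinary DNS reply.
    for i in range(10):
        flows.append(Flow(f"192.0.2.{200 + i}", "198.51.100.40", "tcp", 52000 + i, 443, 8000, 0.8,
                          syn=True, ack=True, request_complete=True))
    flows.append(Flow("203.0.113.250", "198.51.100.40", "udp", 53, 55555, 120, 0.01))
    return flows


if __name__ == "__main__":
    for dst, tags in sorted(classify(constructed_flows()).items()):
        print(dst, tags)
```

Running the sample tags 198.51.100.10 as a SYN flood, 198.51.100.20 as UDP reflection and 198.51.100.30 as Slowloris, while the benign host 198.51.100.40 (one small DNS reply, completed requests) stays untagged. The SYN rule uses the ratio of half-open to completed handshakes rather than a raw count so that a busy but healthy server with many genuine connections does not trip it.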

Other types of DDoS attacks

DDoS attacks can alternatively be grouped by the OSI layer they affect. They are then usually classified as infrastructure attacks (such as UDP reflection and SYN flooding) or application attacks (such as HTTP flooding and cache-busting).

An HTTP flood occurs when an attacker sends a flood of seemingly legitimate HTTP requests to a server or application, exhausting its resources.

A cache-busting attack is a subset of HTTP flooding that evades CDN caching by varying the query string on every request, so the CDN must forward each request to the origin server and overloads it.
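Cache-busting works because a naive cache keys on the full URL, so every invented query parameter is a miss that reaches the origin. The usual defence on the CDN or reverse proxy is to build the cache key only from the parameters that genuinely change the response. The following is an added example, not code from the original article or any CDN product; the per-path allow-list and the request log are constructed for illustration.

```python
"""Cache-key normalization that blunts cache-busting HTTP floods.

Added example, not code from the original article. The allow-list of query
parameters and the request samples are constructed for illustration.
"""
from typing import Callable, Dict, Iterable, List, Set
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Per-path allow-list of the query parameters that actually change the response.
# Anything else (cache-busters, tracking tags) is ignored when building the cache key.
CACHE_KEY_PARAMS: Dict[str, Set[str]] = {
    "/products": {"page", "sort"},
    "/search": {"q", "page"},
}


def cache_key(url: str) -> str:
    """Reduce a request URL to its path plus the allow-listed parameters, in sorted order."""
    parts = urlsplit(url)
    allowed = CACHE_KEY_PARAMS.get(parts.path, set())
    kept = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k in allowed)
    return urlunsplit(("", "", parts.path, urlencode(kept), ""))


def origin_fetches(urls: Iterable[str], key_fn: Callable[[str], str]) -> int:
    """Simulate a cache: count how many requests miss and therefore reach the origin."""
    cached: Set[str] = set()
    misses = 0
    for url in urls:
        key = key_fn(url)
        if key not in cached:
            cached.add(key)
            misses += 1
    return misses


def constructed_requests() -> List[str]:
    """Constructed request log: a cache-busting flood plus some tracking-tagged hits."""
    reqs = [f"/products?page={1 + i % 2}&cb={i}" for i in range(100)]  # unique cb= per request
    reqs += [f"/about?utm_source=campaign{i}" for i in range(10)]         # no cacheable params at all
    return reqs


if __name__ == "__main__":
    reqs = constructed_requests()
    print("origin fetches, full URL as key:", origin_fetches(reqs, lambda u: u))  # 110
    print("origin fetches, normalized key: ", origin_fetches(reqs, cache_key))    # 3
```

With the full URL as key, all 110 constructed requests miss and hit the origin; with the normalized key only three distinct responses are ever fetched (two product pages and the about page). Sorting the kept parameters also collapses reorderings such as `?sort=a&page=1` and `?page=1&sort=a` into one entry, and unknown paths fall back to caching on the path alone, which is the safer default when a parameter has not been explicitly declared as significant.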

Mitigation measures for DDoS attacks

The most important part of defending against DDoS is preparation. DDoS attempts are difficult to deal with once they have already started.

Expand bandwidth

One way to deal with volumetric attacks is to add bandwidth in response. Unfortunately this can be very difficult, depending on the size of the attack and the attacker's ability to scale it up in turn.

Unless the organization under attack is a service provider or a very large enterprise, this is not realistic.

Outsourcing response

Smaller organizations can outsource their response to a specialist mitigation company, to their ISP, or to both.

These relationships need to be in place before an attack occurs, so that when one does, mitigation is as simple as contacting the ISP or provider to activate protection (or protection is simply left enabled continuously).

What DDoS protection providers usually do is redirect traffic into their own environment (if it does not already pass through it). This can be done via DNS, by updating the A record to point to an IP address the provider has assigned (the record needs a low TTL for the change to take effect quickly), or via BGP, by having the provider advertise routes more specific than the ones currently being advertised for your prefix.

Develop a DDoS-specific incident response plan

Even if an organization has outsourced its DDoS protection, it is critical to develop a DDoS-specific incident response plan.

Once it is written and agreed by the various stakeholders, it should be reviewed at least once a year (preferably through tabletop exercises) to ensure everyone understands their role in the plan.

The DDoS-specific response plan should include the following:

Before the event:

Circuit diagrams: create as accurate a diagram of your circuits as possible, including telecommunications contacts.

Also map your own network and the relevant contacts (including the people who can, and are authorized to, make local changes, and who can contact the telecommunications company for updates).

Escalation: determine when (and how) to involve your ISP or DDoS mitigation provider (keep up-to-date contacts and copies of the contract).

Communication: develop a list of whom to notify and when (contact information for the security team, the appropriate network team contacts, etc.).

This should be divided into two groups: technical responders (who can and will implement the technical changes needed to resolve the attack) and everyone else (communications, legal, etc.). The second group should include anyone who might need to be involved, but they should communicate with the technicians making the changes separately, so that the technical response stays as effective as possible.

Ideally this should be printed and distributed so people can access it even if systems are unavailable.

Make sure your communications team has a plan for how and when to communicate if an incident takes customer-facing assets offline.

Review: these documents and contact lists should be reviewed regularly (at least quarterly).

During the event:

Classify the event as a DDoS attack: confirm that this is a DDoS attack and not just a brief traffic spike or a mistake by someone on the network. Ideally, this also includes determining the type and volume of the attack taking place.

Escalation: loop in the incident commander so they can start notifying the necessary personnel.

Take initial steps: if possible, divert the traffic. If the traffic exceeds the bandwidth of your link, contact your service provider (they may be able to drop it on their side). If you have a DDoS mitigation service, contact them at the same time.

Communication: establish a channel for technical and non-technical staff to stay informed about the incident.

This is especially important if public services are interrupted for a long time, as your communications team needs current information to communicate with shareholders, media and customers.

Afterwards:

Return to normal: when will you remove the mitigation measures? Who signs off on it?

Source of the attack: what information can you collect about the attack to explain it and identify the attacker behind it? Was this a targeted attack?

Lessons learned: what are they? How can they be used to improve the incident response plan?

Build a resilient architecture

Building resilient systems requires a comprehensive business continuity plan, and DDoS is an integral part of that plan.

Essentially the same principles apply to data centers and networks whether you architect for DDoS or for business continuity: avoid any single point of failure or bottleneck, and use a diversity of geographically separate networks and vendors.

Content delivery networks (CDNs) are one way to improve your DDoS resilience, because they provide a geographically distributed network of proxy servers that can absorb a great deal of traffic.

Cloud architecture is a significant improvement on the old model. It lets organizations of any size build fully redundant systems that can be spun up and down at the push of a button, provides geographically diverse infrastructure at very low cost, and offers a cheap and simple way to scale load capacity up and down as needed.

A cloud-native architecture lets organizations take advantage of these models and significantly improve their DDoS response.

Upgrade your hardware

Some types of DDoS attacks are very old and can be mitigated with newer hardware. For example, suitable network firewalls and load balancers can resist many protocol attacks (such as SYN flooding) and application attacks (such as Slowloris).

These devices can usually monitor for signs of such attacks and close connections when they reach an unsustainable level. Installing the right hardware limits the damage an attack can cause.
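The "close connections when they reach an unsustainable level" behaviour described above comes down to a few budgets and timeouts enforced in front of the server: a cap on half-open connections, a short handshake timeout, and a deadline for a request's headers to arrive. The following is an added example, not code from the original article or from any firewall or load-balancer vendor; it models those limits on a constructed event sequence, and the specific limits and timeouts are assumptions.

```python
"""Model of the connection limits a firewall or load balancer applies against
SYN floods and Slowloris-style slow requests.

Added example, not code from the original article or any vendor. The limits and
timeouts are assumptions; the event sequence in simulate() is constructed.
"""
from collections import Counter
from typing import Dict, Tuple


class ConnectionGuard:
    def __init__(self, max_half_open_per_src: int = 10, max_half_open_total: int = 1000,
                 handshake_timeout_s: float = 5.0, header_timeout_s: float = 10.0):
        self.max_per_src = max_half_open_per_src
        self.max_total = max_half_open_total
        self.handshake_timeout = handshake_timeout_s
        self.header_timeout = header_timeout_s
        self.half_open: Dict[str, Tuple[str, float]] = {}          # conn_id -> (src, t_syn)
        self.established: Dict[str, Tuple[str, float, bool]] = {}  # conn_id -> (src, t_last_data, headers_done)
        self.stats: Counter = Counter()

    def _half_open_for(self, src: str) -> int:
        return sum(1 for s, _ in self.half_open.values() if s == src)

    def expire(self, now: float) -> None:
        """Reclaim handshakes that never completed and connections whose headers stalled."""
        for cid, (_, t_syn) in list(self.half_open.items()):
            if now - t_syn > self.handshake_timeout:
                del self.half_open[cid]
                self.stats["half_open_expired"] += 1
        for cid, (_, t_last, done) in list(self.established.items()):
            if not done and now - t_last > self.header_timeout:
                del self.established[cid]
                self.stats["slow_closed"] += 1

    def on_syn(self, cid: str, src: str, now: float) -> bool:
        """Admit a SYN only while the per-source and global half-open budgets allow."""
        self.expire(now)
        if self._half_open_for(src) >= self.max_per_src or len(self.half_open) >= self.max_total:
            self.stats["syn_dropped"] += 1
            return False
        self.half_open[cid] = (src, now)
        self.stats["syn_accepted"] += 1
        return True

    def on_ack(self, cid: str, now: float) -> bool:
        """Final ACK of the handshake: promote the connection to established."""
        self.expire(now)
        entry = self.half_open.pop(cid, None)
        if entry is None:
            return False  # SYN was dropped or already expired
        self.established[cid] = (entry[0], now, False)
        return True

    def on_header_data(self, cid: str, now: float, complete: bool = False) -> bool:
        """Header bytes arrived; a connection that stalled past header_timeout is already gone."""
        self.expire(now)
        entry = self.established.get(cid)
        if entry is None:
            return False
        self.established[cid] = (entry[0], now, entry[2] or complete)
        if complete:
            self.stats["requests_served"] += 1
        return True


def simulate() -> Dict[str, int]:
    """Constructed sequence: a SYN flood, five Slowloris clients and one legitimate client."""
    guard = ConnectionGuard()
    # SYN flood: three spoofed sources send 100 SYNs each within 0.3 s and never ACK.
    for i in range(300):
        guard.on_syn(f"flood-{i}", f"192.0.2.{i % 3 + 1}", 0.001 * i)
    # Slowloris: five clients complete the handshake, then send one header byte every 15 s.
    for c in range(5):
        guard.on_syn(f"slow-{c}", f"203.0.113.{c + 1}", 2.0)
        guard.on_ack(f"slow-{c}", 2.1)
    for step in range(1, 5):
        for c in range(5):
            guard.on_header_data(f"slow-{c}", 2.1 + 15.0 * step)
    # Legitimate client: handshake and a complete request header within half a second.
    guard.on_syn("good", "198.51.100.77", 70.0)
    guard.on_ack("good", 70.1)
    guard.on_header_data("good", 70.5, complete=True)
    guard.expire(90.0)
    return dict(guard.stats)


if __name__ == "__main__":
    print(simulate())
```

In the constructed run the per-source cap admits only 30 of the 300 flood SYNs and drops 270, the 30 admitted half-open entries are reclaimed once the handshake timeout passes, the five Slowloris connections are closed the moment their 15-second gap exceeds the 10-second header deadline, and the legitimate client's request is served untouched. One caveat worth keeping in mind: a flood that spoofs a fresh source address per packet never trips the per-source cap, so in that case the global half-open budget and the short handshake timeout carry the load (real devices additionally use SYN cookies, which this model does not include).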

At this point you should have a deeper understanding of how to protect computers against DDoS attacks; the next step is to put it into practice.
