How to prevent ddos ​​attacks?

​
 

Foreword

DDoS attack is a common attack, but it is indeed the most annoying problem that troubles operation and maintenance personnel. It can cause website downtime, server crashes, content tampered with, and even serious brand/property damage. In fact, in addition to the daily prevention awareness and operations of operation and maintenance personnel, the paid value-added services provided by IDC service providers are the best choice. After all, the service that costs money is the most effective. Of course, if someone pays the bill, it will be possible to pay. I hope the DDoS attack method obtained by the editor below can solve your worries!

Theoretical answer
 

First of all, the first method starts with us starting from our daily DDoS attack defense methods, which is particularly related to the security awareness and prevention awareness of operation and maintenance personnel. This method is the lowest cost for individuals and enterprises and is also an indispensable part of defense:

Independent defense methods and steps

• Regularly scan for vulnerabilities and patch them whenever

Ensure that the server software has no vulnerabilities to prevent attackers from invading. Make sure the server is up to date with the latest system and apply security patches.

• .Filter unnecessary services and ports

Filter unnecessary services and ports, i.e. filter fake IPs on routers...Opening only service ports has become a popular practice for many servers, such as WWW servers, which only opens 80 ports, closes all other ports, or blocks them on the firewall.

• Check the source of the visitor

Use unicast reverse path forwarding and other methods to check the reverse router to check whether the guest IP address is true, and if it is false, block it. Many hackers often use fake IP addresses to confuse users and it is difficult to find its source. Therefore, using unicast reverse path forwarding can reduce the occurrence of fake IP addresses and help improve network security.

Value-added services defend against DDOS attacks

Secondly, if funds allow, you can purchase from IDC service providers to

Value-added services to defend against DDOS attacks:

1. Use high defense servers to ensure the security of the server system

DDOS high defense server mainly refers to a server that independently deals with DDOS attacks and CC attacks above 100G. It can provide security maintenance for a single customer. According to the environment of each IDC computer room, some provide hard defense and some use soft defense. Simply put, it is a server that can help the website denial of service attacks and regularly scan existing network master nodes to find possible security vulnerabilities.

2. Use high-defense IP to hide the real IP address of the server

High-defense IP is a value-added service for Internet servers when services are unavailable after being attacked by high-traffic DDoS. The defense principle is that users can use high-defense IP to divert attack traffic to high-defense IP, thereby protecting the real IP from being exposed, ensuring the stability and reliability of the source site, ensuring the user's access quality and stickiness to content providers.

3. Use high-defense CDN to defend by separating data traffic through content

The full name of CDN defense is ContentDeliveryNetworkDefense, that is, content separation data traffic defense. The basic principle of high-defense CDN is to build content distribution Internet on the Internet. With the help of edge network servers deployed across the country, the program modules such as load balancing, content distribution, production scheduling of the management center service platform can enable customers to obtain the required content in the principle of proximity without browsing the website source network server immediately. The basic principle is simply to build several high-defense server CDN connection points. When there is a CDN connection point attack, each connection point bears each other. It is not easy to cause a website to be unable to open due to attack and hacking of a connection point. At the same time, using a CDN can also protect the website's source IP. There is a key link here. Once a high-defense CDN is connected (free CDN can generally prevent DDOS around 5G), do not leak the network IP of the source network server, otherwise the attacker can avoid the CDN and immediately attack the source network server.
 

Configure the Web Application Firewall
 

Web application firewall is a product that executes a series of security policies against HTTP/HTTPS. WAF (Web application firewall) based on cloud security big data capabilities. It is used to defend against common OWASP attacks such as SQL injection, XSS cross-site scripting, common Web server plug-in vulnerabilities, Trojan uploads, and unauthorized core resource access. It also filters massive malicious CC attacks to avoid leaks in your website asset data and ensure the security and availability of website business. 

Netizens share experience:

Technical solution

1. Non-home page, add a token test. This token is checked from the page before jumping. crsf

2. You can try the "first packet discard" method when being attacked, but the user experience will be slightly reduced.

3. Use iptables with Linux to live selinux and try to do some tcp handshake control.

Expose the ports to the public network as few as possible to reduce possible attack points. Configuring security groups, acl access control or iptables firewall rules, the purpose of these three operations is actually the same, all to restrict access to unknown clients, but the places where they take effect are different. Generally speaking, we definitely want to limit this traffic further away from the server. The purpose of placing the server behind CDN and load balancing is actually the same as the second point. cdn can cache server resources to each edge node, allowing users to access the nearest edge node nearby, thereby alleviating the pressure on the server. Load balancing can configure scheduling algorithms to allocate traffic to the backend server as needed, and conduct personalized health monitoring of the backend, kick out unhealthy servers, and not continue to process requests

Make the website into a static page or a pseudo-static to reduce database calls and dynamic script execution. Enhance the TCP/IP stack of the operating system and enable some defense functions. Install a professional anti-DDoS firewall and set some thresholds and rules to filter malicious requests. Intercepting HTTP requests is to identify and intercept malicious requests based on the IP address or User Agent field. The backup website, or at least a temporary homepage, can be switched to the backup website or displayed an announcement when the production server goes offline. Deploy CDNs and use multiple servers to distribute static content to relieve stress from the source server. Other defense measures, such as increasing the number of servers and using DNS round patrol or load balancing technology

CDN5 editor also shares several methods:

1. Enhanced network bandwidth: Enhanced network bandwidth can allow servers to better handle large amounts of requests, thereby better resisting DDoS attacks.
2. Install a firewall: Using a firewall can help filter out attack traffic and improve the security level of the server.
3. Use load balancer: The load balancer can distribute large traffic to different servers, so that the server will not be crushed, thereby effectively defending against DDoS attacks
4. IP blocking and blacklisting: prevent attackers from attacking again by forcibly blocking the IP address of the attack, adding to the blacklist, etc.
5. Cloud Firewall: Use cloud firewall to defend against large-scale DDoS attacks, intercept attack traffic at the source through cloud resources, and thus protect the server from attacks.
6. Source site survival: Establish a multi-replica and multi-live server environment to prevent a server from being attacked by DDoS, causing the service to be unavailable.
7. High-defense CDN: Using a CDN network can help reduce the load on the server and reduce the impact of DDoS attacks. High Defense CDN also optimizes its policies to handle specific types of DDoS attacks. For example, it can adopt a layered defense strategy and mitigate attacks by setting up stream limits, blacklists, and whitelists. Using a high-defense CDN to defend against DDoS attacks is very effective. Not only do they defend against attacks, they also optimize performance and improve website speed.