Three secrets of CC protection, have you learned it after reading it?

What should you pay attention to when setting up CC protection? CC attacks seriously disrupt the operation of a website, so they must be guarded against actively. Some websites, however, fall into misunderstandings when trying to prevent them. CC (Challenge Collapsar) is a type of DDoS attack: the attacker uses proxy servers to send legitimate-looking requests to the victim host, achieving denial of service while disguising the real source. It targets pages that trigger expensive back-end work, such as database queries, and generates a large number of such requests to exhaust the target's resources.


For example, such attacks are usually concentrated in a limited period of time, so some sites, when they encounter one, simply take the website offline, hoping that this counts as CC protection and keeps the attack from damaging the site. But taking the site down is exactly what the attacker wants: users now have no way to reach it. Nor do you know how long the attack will last; when the site is brought back up, the attack may well continue. In reality you have not escaped the attack at all, you have just done the attacker's work for them.

The difference between an application-layer attack such as CC and a volumetric DDoS is that a volumetric DDoS targets the IP address and its bandwidth, while a CC attack targets server resources. Here we focus on the CC attack. A CC attack relies on the HTTP protocol: it constructs special HTTP requests that cause the server to keep connections open in a waiting state until CPU, memory, connection slots and other resources are exhausted, resulting in denial of service. It is a typical application-layer DDoS attack.

The biggest difference between a CC attack and a volumetric DDoS is that it does not need a large amount of traffic to be effective. In extreme cases there may be no obvious change in traffic volume at all; what shows up instead is slow access and timeouts at the business level, with a large share of the requests pointing at the same page or a small set of pages.

Because the source IPs in a CC attack are real and widely scattered, and each request is a syntactically valid request that the server cannot simply refuse, the basic algorithms of DDoS scrubbing equipment may not have much effect against it. The characteristics of the attack have to be captured in real time while it is under way, and the countermeasure tailored to them.

Since CC attacks are typical application-layer DDoS attacks, traditional security equipment such as firewalls and carrier-side traffic scrubbing does not provide good CC protection. Current industry practice is to deploy a proxy device with security functions in front of the application servers, such as a WAF or a load balancer, so that the server is never directly exposed to the CC attack. The proxy terminates the client connection and performs the security checks itself. For example, it can be required to establish a TCP connection to the back-end server and forward the request only after it has received a complete HTTP request from the client. An attacker's half-finished or slow request is then held or terminated at the proxy and is never sent to the server.
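The following is an added example (not code from the original article or from any WAF vendor) of the "forward only complete requests" behaviour just described. A small front proxy buffers each client connection, classifies the buffered bytes as complete, incomplete or oversized, forwards only complete requests to the origin, and drops connections whose request has not finished within a deadline. The header and body size caps, the deadline, the fake clock and the client byte streams are all assumptions constructed for the demonstration, not captured traffic.

```python
"""Added example: buffer a full HTTP request at the proxy before touching the origin.

Slow-header / slow-body requests (a typical CC pattern) stay in the proxy's
buffer and are closed at the deadline; the origin server never sees them.
"""
import re
import time

HEADER_END = b"\r\n\r\n"
MAX_HEADER_BYTES = 8 * 1024     # assumption: cap on header bytes without a terminator
MAX_BODY_BYTES = 1024 * 1024    # assumption: cap on the declared body size


def request_state(buf: bytes) -> str:
    """Classify buffered client bytes as 'incomplete', 'complete' or 'reject'."""
    idx = buf.find(HEADER_END)
    if idx < 0:
        # No end of headers yet: keep waiting, unless the headers are already huge.
        return "reject" if len(buf) > MAX_HEADER_BYTES else "incomplete"
    head = buf[:idx]
    body = buf[idx + len(HEADER_END):]
    if re.search(rb"(?im)^transfer-encoding:\s*chunked\s*$", head):
        # A chunked body is complete once the zero-length terminating chunk arrived.
        return "complete" if body.endswith(b"0\r\n\r\n") else "incomplete"
    m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", head)
    length = int(m.group(1)) if m else 0
    if length > MAX_BODY_BYTES:
        return "reject"
    return "complete" if len(body) >= length else "incomplete"


class FrontProxy:
    """Per-connection buffering with a deadline; only complete requests are forwarded."""

    def __init__(self, deadline_s: float = 5.0, clock=time.monotonic):
        self.deadline_s = deadline_s
        self.clock = clock          # injectable so the example runs without sleeping
        self.conns = {}             # conn_id -> (buffer, time of first byte)
        self.forwarded = []         # complete requests that would go to the origin
        self.dropped = []           # (conn_id, reason) for connections closed here

    def on_data(self, conn_id: str, chunk: bytes) -> str:
        buf, started = self.conns.get(conn_id, (b"", self.clock()))
        buf += chunk
        state = request_state(buf)
        if state == "complete":
            self.forwarded.append(buf)      # this is the only path to the origin
            self.conns.pop(conn_id, None)
        elif state == "reject":
            self.dropped.append((conn_id, "oversized"))
            self.conns.pop(conn_id, None)
        else:
            self.conns[conn_id] = (buf, started)
        return state

    def sweep(self) -> int:
        """Close connections whose request is still incomplete after the deadline."""
        now = self.clock()
        for conn_id, (_buf, started) in list(self.conns.items()):
            if now - started > self.deadline_s:
                self.dropped.append((conn_id, "slow-request timeout"))
                del self.conns[conn_id]
        return len(self.dropped)


class FakeClock:
    """Assumption for the demo: a manually advanced monotonic clock."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate() -> dict:
    """One legitimate client and one slow-header attacker (constructed streams)."""
    clock = FakeClock()
    proxy = FrontProxy(deadline_s=5.0, clock=clock)
    # Legitimate client: a complete request arrives in one piece and is forwarded.
    proxy.on_data("good", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n")
    # Attacker: drips one header line every 2 s and never sends the blank line.
    proxy.on_data("slow", b"POST /search HTTP/1.1\r\nHost: example.test\r\n")
    for i in range(3):
        clock.advance(2.0)
        proxy.on_data("slow", b"X-Pad-%d: a\r\n" % i)
    proxy.sweep()   # 6 s have passed, the slow connection is closed at the proxy
    return {"forwarded": len(proxy.forwarded), "dropped": proxy.dropped}


if __name__ == "__main__":
    print(simulate())
```

In a real deployment the same idea is what `proxy_request_buffering` plus the client header/body timeouts give you in a reverse proxy; the point of the example is that the origin's connection slots are only consumed by requests that have already fully arrived.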

1. Server vertical expansion and horizontal expansion

This is the simplest method when budget allows. Strictly speaking it is not a CC-specific countermeasure but a way of raising the service's concurrency capacity; it nonetheless raises the bar a CC attack has to clear.

2. Cancel domain name binding

Generally, CC attacks target the website's domain name: the attacker sets the domain name as the target in the attack tool and launches the attack. The countermeasure here is to unbind that domain name from the server, so that the CC attack loses its target. Note that while the domain is unbound, legitimate users cannot reach the site by that name either, and an attacker who has already resolved the server's IP address can still hit it directly.

3. Deploy high-defense CDN defense

The simplest and most convenient way to defend against CC attacks is to put the server behind a high-defense (anti-DDoS) CDN, which hides the origin server's IP address. The high-defense CDN automatically identifies malicious attack traffic, scrubs that bogus traffic, and passes only legitimate visitor traffic back to the origin IP, keeping the origin server running normally and stably. This only works if the origin IP cannot be discovered by other means, so the origin should accept traffic from the CDN's address ranges only.


Targeted CC protection rules can be configured from the attack's own characteristics: when a CC attack is under way, a packet capture clearly shows a large number of requests concentrated on one or a few pages, whereas normal customers visiting the business are scattered across many pages rather than concentrated on a few.
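As an added example (not code from the original article), the detection logic below turns that observation into a check that runs over access-log lines: within a time window it finds pages that receive an abnormal share of all requests from several distinct IPs, and then lists the IPs that hammer those pages beyond a per-IP limit, which is the list a targeted rule would block or challenge. The log lines are constructed for the demonstration, and the window, share, distinct-IP and per-IP thresholds are assumptions to tune per site.

```python
"""Added example: flag the 'many requests concentrated on a few pages' CC pattern.

Input is common-log-format lines; output is the hot pages and the IPs that
drive them, i.e. the material for a targeted protection rule.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line: str):
    """Parse one common-log-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    # Drop the query string so cache-busting parameters collapse onto one page.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def analyse(lines, window_s=60, page_share=0.5, min_ips=3, per_ip_limit=30):
    """Find pages that absorb >= page_share of requests in the last window_s seconds
    (from at least min_ips distinct IPs) and the IPs sending >= per_ip_limit
    requests to those pages. All four thresholds are assumptions."""
    recs = [r for r in (parse(l) for l in lines) if r]
    if not recs:
        return {"window_requests": 0, "hot_pages": [], "suspect_ips": []}
    end = max(r["ts"] for r in recs)
    window = [r for r in recs if (end - r["ts"]).total_seconds() <= window_s]
    total = len(window)
    by_page = Counter(r["path"] for r in window)
    ips_by_page = defaultdict(set)
    for r in window:
        ips_by_page[r["path"]].add(r["ip"])
    # Normal traffic is spread out; a page taking most requests from several IPs is hot.
    hot = [p for p, n in by_page.most_common()
           if n / total >= page_share and len(ips_by_page[p]) >= min_ips]
    per_ip = Counter(r["ip"] for r in window if r["path"] in hot)
    suspects = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)
    return {"window_requests": total, "hot_pages": hot, "suspect_ips": suspects}


def sample_log():
    """Constructed log lines (not real traffic): 5 attacker IPs hammering /search
    with varying query strings, 20 ordinary visitors spread across the site,
    all within one minute."""
    base = datetime(2021, 1, 6, 10, 0, 0, tzinfo=timezone(timedelta(hours=8)))
    lines = []

    def add(ip, offset, path, status="200"):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512')

    for a in range(5):
        for i in range(40):
            add(f"203.0.113.{10 + a}", i % 60, f"/search?q=x{i}")
    pages = ["/", "/about", "/products/1", "/products/2", "/news"]
    for u in range(20):
        add(f"198.51.100.{u + 1}", u, pages[u % 5])
        add(f"198.51.100.{u + 1}", u + 20, pages[(u + 1) % 5])
    return lines


if __name__ == "__main__":
    print(analyse(sample_log()))
```

The query string is stripped before counting because CC tools usually vary it to defeat caching, so the concentration is only visible at the page level; in production the same check would run continuously over a sliding window rather than once over a file.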

This article is from: https://www.zhuanqq.com/News/Industry/303.html


Origin blog.csdn.net/blublu7080/article/details/112268446