There are many kinds of DDoS attacks, and remediation after the fact may be beyond reach!

As DDoS attack techniques continue to mature, how much do you know about the measures that protect against them? Only by clearly understanding what a DDoS attack is, how it works, and which kinds of attack you may or will face can you keep strengthening your defenses and avoid the losses an attack would cause.


A DDoS (Distributed Denial of Service) attack is a distributed DoS attack. Such attacks are usually launched through botnets scattered across the Internet, which is why they are called distributed. A DDoS attack is thus a special form of DoS attack: a large-scale attack that is both distributed and coordinated.

The most basic DoS attack uses seemingly reasonable service requests to tie up so many service resources that the server can no longer process requests from legitimate users. A DDoS attack uses a larger number of puppet (zombie) machines to launch the attack and strike the victim on a larger scale than before, which is why defending against DDoS is harder than defending against a single-source DoS attack.

A complete DDoS attack system consists of four parts: the attacker, the master, the agents and the target. The attacker issues the attack request, the master (control end) relays it as commands, and finally the agents actually send the attack packets. These packets are disguised so that their true source cannot be identified, and the services they request consume large amounts of the target's system resources, leaving the target host unable to serve normal users and possibly crashing it altogether.

DDoS attacks can be classified along seven dimensions: impact, attack characteristics, attack rate, attack route, intrusion target, the system or protocol weakness exploited, and degree of automation:

(1) By impact, attacks either bring network services down completely or degrade them.

(2) By attack characteristics, DDoS attacks divide into those whose attack behavior can be characterized (further subdivided into filterable and non-filterable types) and those whose behavior cannot be characterized.

(3) By attack rate, attacks are either continuous-rate or variable-rate.

(4) By attack route, attacks are either direct attacks or repeated attacks.

(5) By intrusion target, DDoS attacks divide into bandwidth attacks and connectivity attacks.

(6) By the system or protocol weakness exploited, attacks divide into flood attacks (UDP floods and ICMP floods), amplification attacks (Smurf and Fraggle), attacks that abuse a protocol (such as TCP SYN attacks) and malformed-packet attacks (IP address attacks and IP packet attribute attacks).

(7) By degree of automation, attacks fall into three categories: manual, semi-automatic and automated DDoS attacks.
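To make the taxonomy above concrete from the defender's side, here is an added example (not code from the original article) that applies three of its dimensions to traffic: it buckets constructed packet records per destination and per second, then labels the flood type by protocol (UDP, ICMP or TCP SYN), the intrusion target (bandwidth vs. connectivity) and the rate profile (continuous vs. variable). The thresholds, the addresses and the record layout are all assumptions chosen for the illustration.

```python
"""Heuristic classifier for DDoS traffic, as an added example.

Not code from the original article. It applies the article's taxonomy
(flood type by protocol, bandwidth vs. connectivity target, continuous vs.
variable rate) to a constructed sample of packet records. Thresholds are
illustrative assumptions and must be tuned to a real network's baseline.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Illustrative thresholds (assumptions, not values from the article).
PKTS_PER_SEC = 100        # per-destination packet rate that counts as a flood
BYTES_PER_SEC = 200_000   # per-destination byte rate that counts as a bandwidth attack
VARIABLE_CV = 0.5         # coefficient of variation above which the rate is "variable"


def constructed_records():
    """Constructed packet records: (second, src_ip, dst_ip, proto, tcp_flags, bytes).
    Addresses come from documentation ranges (RFC 5737), not real hosts."""
    recs = []
    for t in range(10):
        # Legitimate clients: each SYN is followed by an ACK (handshake completes).
        recs.append((t, f"203.0.113.{t + 1}", "192.0.2.10", "tcp", "S", 60))
        recs.append((t, f"203.0.113.{t + 1}", "192.0.2.10", "tcp", "A", 52))
        # SYN flood on 192.0.2.10: steady 200 SYN/s from many sources, never acknowledged.
        for i in range(200):
            recs.append((t, f"198.51.100.{i % 250 + 1}", "192.0.2.10", "tcp", "S", 60))
        # UDP flood on 192.0.2.20: large packets, bursty (alternating 400 and 50 pkt/s).
        for i in range(400 if t % 2 == 0 else 50):
            recs.append((t, f"198.51.100.{i % 250 + 1}", "192.0.2.20", "udp", "", 1400))
    return recs


def bucket_by_second(records):
    """Aggregate counters per destination and per one-second bucket."""
    empty = lambda: {"pkts": 0, "bytes": 0, "syn": 0, "ack": 0, "udp": 0, "icmp": 0}
    per_dst = defaultdict(lambda: defaultdict(empty))
    for sec, _src, dst, proto, flags, size in records:
        b = per_dst[dst][sec]
        b["pkts"] += 1
        b["bytes"] += size
        if proto == "tcp":
            if "S" in flags and "A" not in flags:
                b["syn"] += 1          # bare SYN: a new connection attempt
            elif "A" in flags:
                b["ack"] += 1          # handshake progressing or established flow
        elif proto == "udp":
            b["udp"] += 1
        elif proto == "icmp":
            b["icmp"] += 1
    return per_dst


def classify(records):
    """Return {dst: {"flood": ..., "target": ..., "rate": ...}} for attacked hosts."""
    findings = {}
    for dst, buckets in bucket_by_second(records).items():
        rows = list(buckets.values())
        avg = lambda key: mean(r[key] for r in rows)
        # SYN flood signature: high SYN rate and far more SYNs than ACKs (half-open).
        syn_flood = avg("syn") > PKTS_PER_SEC and avg("syn") > 3 * avg("ack")
        if avg("icmp") > PKTS_PER_SEC:
            flood = "icmp"
        elif avg("udp") > PKTS_PER_SEC:
            flood = "udp"
        elif syn_flood:
            flood = "syn"
        else:
            continue  # no flood signature for this destination
        if avg("bytes") > BYTES_PER_SEC:
            target = "bandwidth"      # the goal is to saturate the link
        else:
            target = "connectivity"   # the goal is to exhaust connection state
        pkts = [r["pkts"] for r in rows]
        cv = pstdev(pkts) / mean(pkts) if mean(pkts) else 0.0
        rate = "variable" if cv > VARIABLE_CV else "continuous"
        findings[dst] = {"flood": flood, "target": target, "rate": rate}
    return findings


if __name__ == "__main__":
    for dst, info in classify(constructed_records()).items():
        print(dst, info)
```

Running it prints one finding per attacked destination: the SYN flood on 192.0.2.10 comes out as a continuous-rate connectivity attack and the UDP flood on 192.0.2.20 as a variable-rate bandwidth attack, while the legitimate handshakes mixed into the first host's traffic do not by themselves trip the SYN rule because each of their SYNs is matched by an ACK.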

Remedying an attack after the fact is always less effective than preventing it. To make sure an enterprise can fully handle the many new kinds of DDoS traffic attacks, it is recommended to put anti-DDoS countermeasures in place in advance. The following are some examples of conventional DDoS countermeasures:

(1) Scan regularly

Regularly scan the main nodes of the existing network, identify possible security vulnerabilities, and remediate newly discovered vulnerabilities promptly.

(2) Check the source of the visitor

Use Unicast Reverse Path Forwarding (uRPF) to verify, by a reverse route lookup, whether a visitor's source IP address is genuine, and block it if it is not. Many attacks use spoofed IP addresses to confuse the defender and make it hard to tell where the traffic came from. Using uRPF therefore reduces the amount of spoofed-source traffic that gets through and helps improve network security.
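The reverse route lookup described above can be simulated to see exactly which packets it drops. The following is an added example, not the article's code or any router vendor's implementation: a longest-prefix-match table plus a uRPF check in both strict mode (the route back to the source must leave through the interface the packet arrived on) and loose mode (any route back to the source is enough). Whether a match on the default route alone counts is an explicit option, as it is on real routers. The forwarding table, interface names, bogon list and sample packets are all constructed.

```python
"""Unicast Reverse Path Forwarding (uRPF) check in strict and loose mode.

Added example; not code from the original article or from any vendor.
The forwarding table, interface names and packets are constructed and
hypothetical. The router accepts a packet only if it has a route back to
the packet's source (loose) or if that route points out the very interface
the packet arrived on (strict).
"""
import ipaddress

# Constructed forwarding table: prefix -> egress interface (longest prefix wins).
FIB = {
    "0.0.0.0/0": "uplink0",        # default route toward the Internet
    "192.0.2.0/24": "lan0",        # customer LAN behind this router
    "198.51.100.0/24": "lan1",     # second customer LAN
    "203.0.113.0/24": "uplink1",   # a peer network reachable only via uplink1
}
# Prefixes that are never legitimate sources on the public Internet (bogons).
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8"]


def lookup(ip, fib=FIB):
    """Longest-prefix match; returns (network, egress interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf_accept(src_ip, in_iface, mode="strict", allow_default=False,
                fib=FIB, bogons=BOGONS):
    """True if a packet with source src_ip arriving on in_iface passes uRPF."""
    addr = ipaddress.ip_address(src_ip)
    if any(addr in ipaddress.ip_network(b) for b in bogons):
        return False                    # bogon sources are dropped outright
    hit = lookup(src_ip, fib)
    if hit is None:
        return False                    # no return route at all
    net, out_iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False                    # only the default route matched
    if mode == "loose":
        return True                     # any return route suffices
    if mode == "strict":
        return out_iface == in_iface    # return route must point back at the ingress
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed sample packets: (source address, ingress interface).
PACKETS = [
    ("192.0.2.7", "lan0"),        # customer host on its own interface
    ("192.0.2.7", "uplink0"),     # customer address arriving from the Internet: spoofed
    ("203.0.113.9", "uplink0"),   # peer address, but on the wrong uplink
    ("10.1.1.1", "uplink0"),      # private (bogon) source from the Internet
    ("198.18.0.5", "uplink0"),    # Internet source that matches only the default route
]


def evaluate(packets=PACKETS, mode="strict", allow_default=False):
    """Apply the check to each packet; returns a list of (src, iface, accepted)."""
    return [(src, iface, urpf_accept(src, iface, mode, allow_default))
            for src, iface in packets]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(f"--- {mode} mode (default route not allowed) ---")
        for src, iface, ok in evaluate(mode=mode):
            print(f"{src:>14} via {iface:<8} {'accept' if ok else 'DROP'}")
```

Strict mode catches the customer address arriving from the uplink and the peer's address arriving on the wrong uplink, but it also drops legitimate traffic wherever routing is asymmetric, which is why loose mode is the usual choice on multi-homed edges. The same check exists in production equipment: Linux exposes it as the rp_filter sysctl (1 = strict, 2 = loose), and Cisco IOS as ip verify unicast source reachable-via rx (strict) or reachable-via any (loose).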

(3) Configure firewalls on backbone nodes

A firewall has some inherent ability to resist DDoS and other attacks. When an attack is discovered, the attack traffic can be diverted to sacrificial hosts so that the real host is protected from it.

(4) Adopt distributed cluster defense

Distributed cluster defense is regarded in the network security community as the most effective way to defend against large-scale DDoS attacks. Its principle is to have multiple nodes: when one node is attacked and can no longer provide service, the system automatically switches to another node and returns all of the attacker's packets to their sending point, paralyzing the attack source. This defense-in-depth perspective should shape the company's security decisions.


Choosing appropriate anti-DDoS countermeasures is a necessary part of website security. Dealing with DDoS is a systematic project; relying on a single system or product to prevent it is unrealistic. Where conditions permit, using a CDN for acceleration is also worth considering.

This article is from: https://www.zhuanqq.com/News/Industry/285.html

Origin: blog.csdn.net/blublu7080/article/details/111315607