What kind of DDOS protection scheme can maximize the defense against DDOS attacks?

DDOS attacks have become one of the most difficult network security problems because they are easy to launch, difficult to prevent, and difficult to trace. They are rapidly becoming the most common type of network threat. According to recent market research, the number of DDOS attacks in the past year And the number is growing rapidly. There are many approaches to DDOS protection. First, let's look at the DDOS attack methods, the symptoms of being attacked, and the methods of protecting against attacks.
A DDOS attack is a malicious network attack that makes online services unavailable by flooding them with traffic from multiple sources. These attacks are aimed at all kinds of important resources, from banks to news websites, and prevent website customers from accessing them normally. The trend is toward shorter attack durations but a higher number of packets per second. Dealing with DDOS is a big project, and it is unrealistic to expect DDOS protection to completely prevent attacks.
DDOS has the following two attack methods:
1. Traffic attacks mainly target network bandwidth: a large number of attack packets exhausts bandwidth resources, and legitimate network packets are drowned out by the bogus attack packets and cannot reach the host.
2. Resource exhaustion attacks mainly target the server host: a large number of attack packets exhausts the host's memory or keeps the CPU fully occupied by the kernel and applications, so that the host can no longer provide network services.
To determine whether you are suffering from a DDOS attack, you can check in several ways. The easiest is to check whether the website can be accessed normally. If it cannot, log in to the control panel and open the traffic statistics to view the recent history. If you see unusual traffic congestion, your website is very likely being attacked by DDOS.
The symptoms of a DDOS attack include: first, the network is flooded with a large number of useless data packets; second, there are a large number of waiting TCP connections on the attacked host; third, the source addresses are fake, and the high volume of useless traffic causes network congestion, leaving the victim host unable to communicate normally with the outside world; fourth, flaws in the transmission protocols of services offered by the victim host are used to issue specific service requests repeatedly at high speed, so that the host cannot process all normal requests and, in severe cases, the system crashes.
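The second symptom, a large number of waiting TCP connections, can be checked on a Linux host by counting half-open (SYN_RECV) sockets per listening port. The following is an added example, not part of the original article: the function names and the threshold are assumptions, and the sample table is constructed and trimmed to the first columns of `/proc/net/tcp`.

```python
import socket
import struct
from collections import Counter

# State codes as they appear in the "st" column of /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "03": "SYN_RECV", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample: one listener, three half-open connections to port 80
# from different remote addresses, and one established SSH session.
SAMPLE = """  sl  local_address rem_address   st
   0: 00000000:0050 00000000:0000 0A
   1: 0500000A:0050 016433C6:C001 03
   2: 0500000A:0050 026433C6:C002 03
   3: 0500000A:0050 036433C6:C003 03
   4: 0500000A:0016 097100CB:D431 01
"""

def decode_endpoint(field):
    """Turn '0100007F:0050' into ('127.0.0.1', 80); IPv4 is stored little-endian."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def summarize(proc_net_tcp_text):
    """Map local port -> (half-open count, distinct remote IPs) for SYN_RECV rows."""
    half_open = Counter()
    sources = {}
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or TCP_STATES.get(fields[3]) != "SYN_RECV":
            continue
        _, local_port = decode_endpoint(fields[1])
        remote_ip, _ = decode_endpoint(fields[2])
        half_open[local_port] += 1
        sources.setdefault(local_port, set()).add(remote_ip)
    return {port: (n, len(sources[port])) for port, n in half_open.items()}

def suspicious_ports(summary, threshold):
    """Ports whose half-open count reaches the (assumed, site-specific) threshold."""
    return sorted(port for port, (n, _) in summary.items() if n >= threshold)

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(result, suspicious_ports(result, threshold=3))
```

On a live host, pass the contents of `/proc/net/tcp` to `summarize` and set the threshold from the port's normal baseline. Because source addresses are usually forged, the count per port is a more reliable signal than the count per remote address.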
To be sure, it is impossible to completely eradicate DDOS at present, but it is possible to resist 90% of DDOS attacks through appropriate measures. Attack and defense both have a cost: strengthening DDOS protection by appropriate methods raises the attacker's cost, so the vast majority of attackers will be unable to continue and will give up, which is equivalent to successfully resisting the DDOS attack.
Attackers build networks of infected computers, called "botnets", by spreading malware through emails, websites, and social media. Without any DDoS protection measures, once infected, these machines can be remotely controlled without the owner's knowledge and, like an army, launch an attack on any target. Some botnets have millions of powerful computers, which generate a lot of traffic and overwhelm their targets. These floods can be generated in a variety of ways, such as sending more connection requests than the server can process, or having the computers send a large amount of random data to the victim to exhaust the target's bandwidth. Some attacks are so large that they can max out a country's international cable capacity.
High-defense CDN is an effective DDOS protection method that protects enterprises and administrators from the largest and most complex DDoS attacks. High-defense CDN blocks "bad" traffic before it even reaches the site, using visitor identification technology to distinguish legitimate website visitors (people, search engines, etc.) from automated or malicious clients. Only filtered traffic reaches your host, which keeps data transmission services stable and thereby mitigates such attacks.
This article is reproduced from: http://www.heikesz.com/ddos1/6723.html

Origin blog.csdn.net/weixin_51110871/article/details/112547271