Government websites are also hit by DDoS attacks. How should DDoS protection be carried out today?

DDoS protection has become more and more important. Recently, the National Internet Emergency Response Center (CNCERT) released the report "Review of China's Internet Network Security Situation", which summarized the state of China's Internet network security in terms of DDoS attacks, APT attacks and security vulnerabilities, analysed the network security situation, and put forward countermeasures and suggestions.
DDoS attacks are among the common network attacks that are hardest to defend against. The report shows that DDoS attacks still occur frequently, and that attacks are increasingly organized and purposeful.
The information systems of China's party and government agencies and of key information infrastructure operators are frequent targets of DDoS attacks. CNCERT tracking found that one hacker organization launched more than 1,000 DDoS attacks on more than 300 Chinese government websites in 2019. Early on, its attacks could affect more than 80.0% of the target websites to varying degrees. After most units strengthened their protection by deploying protective equipment or purchasing cloud protection services, its later attacks were unable to cause substantial damage to the target websites, indicating that the protection capabilities of the attacked units had been greatly improved.
It can be said that the reason DDoS has "flourished" for so many years lies in its precision: within a short time, access to the target website is congested or the site goes down entirely, normal operations are immediately affected, and no one can withstand it. However, provisioning a large amount of bandwidth for DDoS protection makes the cost hard to bear. Painful historical cases also show that connecting to a reliable third-party DDoS protection service is the most effective means of defending against DDoS attacks.
In 2019, CNCERT continued to analyse the attack resources used to launch DDoS attacks each month, and the stability of the usable resources declined. Compared with 2018, the number of domestic active control-end IP addresses usable each month decreased by 15.0% year-on-year, and the number of active reflection servers decreased by 34.0% year-on-year.
At the same time, sample monitoring found that high-traffic DDoS attacks in China with peaks above 10 Gbps averaged 220 per day, an increase of 40% year-on-year.
The reason is that, under the continued pressure of governance actions in recent years, a large number of DDoS attack resources have migrated abroad. Data show that both the number of DDoS control terminals and the proportion of reflection attack traffic coming from overseas exceeded 90.0%. In large-scale DDoS incidents targeting China, traffic from outside China accounted for more than 50.0%.
DDoS protection methods:
(1) Regular scanning
It is necessary to scan the main nodes of the existing network regularly, check for possible security vulnerabilities, and fix new vulnerabilities promptly. The computers at backbone nodes are attractive for hackers to use because they have high bandwidth, so it is very important to harden these hosts. Moreover, all the computers connected to the main nodes of the network are server-class machines, so regular vulnerability scanning becomes even more important.
(2) Configure a firewall on the backbone node
The firewall itself can resist DDoS attacks and other attacks. When an attack is discovered, it can be directed to sacrificial hosts, which protects the real host from being attacked. Of course, the sacrificial hosts can be unimportant ones, or systems with fewer vulnerabilities and good natural defenses against attack, such as Linux and Unix.
(3) Use enough machines to withstand hacker attacks
This is an ideal response strategy. If the user has enough capacity and resources for the hacker to attack, then as the attacker keeps accessing the user and seizing user resources, the attacker's own resources are gradually drained; perhaps the hacker will give up before the user is attacked to death. However, this method requires a large investment, most of the equipment is usually idle, and it does not match the actual operation of today's small and medium-sized enterprise networks.
(4) Make full use of network equipment to protect network resources
The so-called network equipment refers to load-balancing equipment such as routers and firewalls, which can effectively protect the network. When the network is attacked, the router is the first to go down, but the other machines do not. A router that has gone down returns to normal after a restart, boots quickly and loses nothing. If other servers go down, the data in them may be lost, and restarting a server is a long process. In particular, if a company uses load-balancing equipment, then when one router is attacked and crashes, the other takes over immediately, reducing the impact of DDoS attacks to the greatest extent.
(5) Filter unnecessary services and ports
Filter unnecessary services and ports, that is, filter fake IPs on the router... Opening only the service ports actually needed has become a common practice for many servers. For example, a WWW server opens only port 80 and closes all other ports, or implements a blocking policy on the firewall.
(6) Check the source of the visitor
Use Unicast Reverse Path Forwarding to check, through a reverse route lookup, whether the visitor's IP address is genuine; if it is false, it is blocked. Many hacker attacks use fake IP addresses to confuse users, making it hard to find out where the attack came from. Therefore, using Unicast Reverse Path Forwarding can reduce the appearance of fake IP addresses and help improve network security.
(7) Filter all RFC1918 IP addresses
RFC1918 IP addresses are the addresses of internal networks, such as 10.0.0.0, 192.168.0.0 and 172.16.0.0. They are not the fixed IP addresses of any particular network segment on the Internet but reserved internal address ranges, so they should be filtered out. This is not meant to filter the access of internal employees, but to filter the large number of forged internal IPs used during an attack, which also mitigates DDoS attacks.
(8) Limit SYN/ICMP traffic
The user should configure the maximum SYN/ICMP traffic on the router to limit the maximum bandwidth that SYN/ICMP packets can occupy. In this way, when a large volume of SYN/ICMP traffic exceeds the limit, it indicates that this is not normal network access but an attack. In the early days, restricting SYN/ICMP traffic was the best way to prevent DoS. Although the effect of this method on DDoS is not obvious today, it can still play a certain role.
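Methods (5) to (8) together describe an ingress policy on an edge router: accept only the ports actually served, drop packets whose source is an RFC1918 or other reserved range, verify the source with a reverse path lookup (strict uRPF), and rate-limit SYN and ICMP. The following Python simulation is an added example, not code from the article or from CNCERT; the forwarding table, address ranges, rate limits and the packet mix are constructed for illustration, and the verdict order (bogon filter before uRPF before port and rate checks) is one reasonable ordering, not a standard.

```python
"""Simulated edge-router ingress policy for methods (5)-(8).
Added example; the FIB, limits and traffic below are constructed."""
import ipaddress
from dataclasses import dataclass

# (7) RFC1918 plus other source ranges that should never arrive from the Internet.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC1918
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",      # loopback, "this net", link-local
)]

# (5) Only the ports the web server actually serves are opened (assumed: HTTP/HTTPS).
ALLOWED_TCP_PORTS = {80, 443}

# (6) Strict uRPF needs a forwarding table: prefix -> interface that reaches it.
# Constructed toy FIB: two Internet prefixes behind wan0, protected servers on lan0.
FIB = {
    ipaddress.ip_network("203.0.113.0/24"): "wan0",
    ipaddress.ip_network("198.51.100.0/24"): "wan0",
    ipaddress.ip_network("192.0.2.0/24"): "lan0",
}


@dataclass
class Packet:
    src: str
    dst_port: int
    proto: str        # "tcp" or "icmp"
    iface: str        # interface the packet arrived on
    syn: bool = False


class TokenBucket:
    """(8) Rate limiter: `rate` tokens per second, burst of `burst` packets."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now: float) -> bool:
        if self.last is None:
            self.last = now
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def reverse_path_ok(src, iface: str) -> bool:
    """Strict uRPF: longest-prefix lookup of the *source* address; the route
    back to it must leave through the interface the packet came in on."""
    src = ipaddress.ip_address(src)
    matches = [(net, out) for net, out in FIB.items() if src in net]
    if not matches:
        return False          # no route back to the source: spoofed or unroutable
    _, out_iface = max(matches, key=lambda m: m[0].prefixlen)
    return out_iface == iface


class IngressPolicy:
    def __init__(self):
        self.syn_bucket = TokenBucket(rate=100.0, burst=10)   # constructed limits
        self.icmp_bucket = TokenBucket(rate=10.0, burst=5)
        self.counters = {"accept": 0, "bogon": 0, "urpf": 0, "port": 0, "rate": 0}

    def decide(self, pkt: Packet, now: float) -> str:
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in BOGON_SOURCES):
            verdict = "bogon"                                  # method (7)
        elif not reverse_path_ok(src, pkt.iface):
            verdict = "urpf"                                   # method (6)
        elif pkt.proto == "tcp" and pkt.dst_port not in ALLOWED_TCP_PORTS:
            verdict = "port"                                   # method (5)
        elif pkt.proto == "tcp" and pkt.syn and not self.syn_bucket.allow(now):
            verdict = "rate"                                   # method (8)
        elif pkt.proto == "icmp" and not self.icmp_bucket.allow(now):
            verdict = "rate"
        else:
            verdict = "accept"
        self.counters[verdict] += 1
        return verdict


def run_sample() -> dict:
    """Constructed traffic arriving on wan0 at the same instant: legitimate hits,
    a forged RFC1918 source, our own prefix seen from outside, an unroutable
    source, a closed port, and a 30-packet SYN burst from one legitimate host."""
    policy = IngressPolicy()
    traffic = [
        Packet("203.0.113.10", 443, "tcp", "wan0", syn=True),   # accept (1st SYN)
        Packet("203.0.113.11", 80, "tcp", "wan0"),              # accept
        Packet("203.0.113.12", 0, "icmp", "wan0"),              # accept
        Packet("10.1.2.3", 80, "tcp", "wan0"),                  # bogon
        Packet("192.0.2.5", 80, "tcp", "wan0"),                 # urpf: lan0 prefix on wan0
        Packet("100.64.0.1", 80, "tcp", "wan0"),                # urpf: no route in toy FIB
        Packet("198.51.100.7", 22, "tcp", "wan0"),              # port: SSH not exposed
    ]
    traffic += [Packet("198.51.100.9", 443, "tcp", "wan0", syn=True) for _ in range(30)]
    for pkt in traffic:
        policy.decide(pkt, now=0.0)
    return policy.counters


if __name__ == "__main__":
    print(run_sample())   # 9 of the 30 burst SYNs fit the remaining burst budget
```

On a real Linux edge the same three controls exist natively: strict uRPF is `net.ipv4.conf.all.rp_filter=1` (or the nftables rule `fib saddr . iif oif missing drop`), the bogon filter and port allowlist are ordinary drop/accept rules in a default-drop input chain, and SYN/ICMP limiting is nftables `limit rate`. The caveat practitioners hit most is that strict uRPF drops legitimate traffic on multi-homed links with asymmetric routing, which is why loose mode (`rp_filter=2`, only "some route to the source exists") is the usual compromise there; and, as the article itself notes, rate-limiting SYN/ICMP on one router does nothing against volumetric floods that saturate the upstream link before the router sees them.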
In the face of endless network attacks, the importance of DDoS protection is self-evident. Security incidents caused by network attacks may lead to business interruption, leakage of key data, loss of digital assets and other consequences. These are pains that no unit or enterprise can bear, so DDoS protection is already a part that cannot be ignored.
This article is reproduced from: https://www.zhuanqq.com/News/Industry/357.html

Origin blog.csdn.net/weixin_51110871/article/details/113700862