DDoS attacks: SYN flood attack principles and prevention strategies

DDoS attacks evolved from DoS attacks. The idea of a DoS (Denial of Service) attack is to "overload" the system so that it refuses to provide normal service. Such attacks are simple: the attacker only needs to exploit a protocol vulnerability, or to send traffic that is normally allowed into the network. Because DoS attacks exploit protocol flaws, the traffic looks like ordinary traffic on its face, which makes them difficult to eliminate completely.
Whereas a DoS attack uses a single device or a few devices to attack the target, a DDoS (Distributed Denial of Service) attack uses a large number of zombie hosts under the attacker's control to attack the target. With the increase in Internet bandwidth, a DDoS attack can easily generate several Gb/s of network traffic, resulting in partial or complete network congestion.
A DoS attack exhausts the server's and the network's resources so that normal service cannot be provided and the system may even crash, but it is easy to detect.
A DDoS attack causes partial or complete congestion of the network in front of the server, and is not easy to detect.
There are many types of DDoS attacks; here we introduce one of the most common network attacks, the SYN flood attack.
SYN flood attacks
1. Attack principle
SYN flood attacks belong to the DDoS family. They exploit a flaw in the TCP protocol by sending a large number of half-open connection requests that consume the server's CPU and memory. The attacking host (or zombie) forges a large number of non-existent IP addresses and, within a short time, continuously sends SYN packets to the server. The server replies with an acknowledgement packet and waits for the client's confirmation; because the source address does not exist, the server has to keep retransmitting until the retransmission times out. The forged SYN packets therefore occupy the connection queue for a long period, normal SYN requests are discarded, the target system runs slowly, and in severe cases the network becomes congested or the system fails, as shown in the figure below.
[Figure: SYN flood attack principle]
After the server sends its SYN+ACK packet, if it does not receive the client's ACK (so the third step of the handshake cannot be completed), it generally retries by sending SYN+ACK to the client again, and discards the incomplete connection after some time. This waiting period is called the SYN Timeout and is generally on the order of minutes (roughly 30 seconds to 2 minutes). One abnormal user tying up a server thread for a minute is not a big problem, but if a malicious attacker simulates this situation in large numbers, the server consumes a great deal of resources just to maintain a very large list of half-open connections: with millions of half-open connections, even simply storing and traversing the list costs a lot of CPU time and memory, not to mention continuously retransmitting SYN+ACK to every IP in that list.
2. Prevention strategies: Sangfor WAF firewall
At the Internet gateway of our company's IDC room, a Sangfor WAF firewall is deployed to detect, intercept and prevent DDoS attacks.
(1) Network level: enable SYN flood attack protection under the firewall's DoS/DDoS protection. A threshold is set for the number of packets sent to the server; once the threshold is reached the traffic is treated as a SYN flood attack, and according to the rules the attack source IP is intercepted or automatically blacklisted.

(2) System level
Keep the Windows operating system updated with the latest Service Pack and system patches. The Windows hosts in our IDC room all have 360 Tianqing (天擎) endpoint security software installed, which automatically applies system patches to fix vulnerabilities.
Finally, network attacks themselves are not frightening; what is frightening is a lack of network security awareness. With growing emphasis on network security at the national level and the publication of related regulations and guidelines, the whole network security industry has been promoted as never before.


Source: blog.51cto.com/12651443/2425709