High anti-server rental users relatively easy to resist ddos attack, defense and server room because of their defense, as well as technical escort. Normal dedicated server users do not have to be discouraged in the face DDOS attacks are likely to occur, do the following preventive preparation, it also can be easier to deal with.
(1) periodically scan
to scan the existing network master node on a regular basis, check the security vulnerabilities that may exist on emerging vulnerabilities in a timely manner to clean up. Because the computer backbone nodes with higher bandwidth, is the best place to hackers use, so these server itself to strengthen host security is very important. And all server-level computer connected to the network master node, so regular vulnerability scanning becomes more important.
(2) Configuration in the backbone node firewall
firewall itself can withstand DdoS attacks and other attacks. The discovery of attack, it can be directed to attack some of the expense of the host, so you can protect the real host will not be attacked. Of course, these sacrifices less oriented host can choose not important, or linux and unix and other vulnerabilities and prevent attacks outstanding natural systems.
(3) with enough machines to withstand hacker attacks
This is an ideal coping strategies. If the user has sufficient capacity and sufficient resources to hacker attacks, when it continued access to the user, to win user resources, the own consumption of energy is gradually lost, and so the user may not be dead attack, hackers have been unable Weapon children of . However, this method requires more capital investment, usually most of the equipment is idle, and the actual operation of the current network of SMEs do not match.
(4) make full use of network equipment to protect network resources
The so-called network device refers to a router, firewall load balancing equipment, they can be effectively protected network. When the network is dead is the first to attack the router, but the other machines did not die. Dead router will return to normal after the restart, but also start up quickly, there is no loss. If the other server died, one of the data will be lost, and restart the server is a long process. In particular, a company using load balancing device, so that when a router crashes is attacked, another will work immediately. Thus the greatest degree of reduced DdoS attacks.
(5) filtering unnecessary services and ports
filtering unnecessary services and ports that fake IP filtering on the router ...... only open port services become popular practice of many servers, such as WWW server then only 80 and will be open to all other the port is closed or do block policy on the firewall.
Source (6) Check the visitor
whether to use a router to check a visitor via a reverse query Unicast Reverse Path Forwarding such as the IP address is true, if it is false, it will be shielded. Many hackers often use fake IP addresses ways to confuse users, it is difficult to find out where it came from. Therefore, the use of Unicast Reverse Path Forwarding can reduce the appearance of fake IP address to help improve network security.
(7) all the RFC1918 IP address filtering
RFC1918 IP address is the IP address of the internal network, like 10.0.0.0,192.168.0.0 and 172.16.0.0, they are not fixed IP address of a network segment, Internet inside the area but reserved of IP addresses, they should be filtered out. This method does not filter access to internal staff, but the large number of false forged internal IP filtering attack, this can also reduce DdoS attacks.
(8) limiting SYN / ICMP traffic
when the user should set the maximum flow rate of SYN / ICMP on the router to limit the maximum bandwidth SYN / ICMP packets can occupy, so that, over a large number of defined SYN / ICMP traffic when there is described not a normal network access, but there hacking. Early by limiting SYN / ICMP traffic is the best way to prevent the DdoS, although the method for DdoS was not as effective, but still be able to play a role.
