To combat a DDoS (distributed denial of service) attack, you need a clear understanding of what happens during one. In simple terms, a DDoS attack either exploits vulnerabilities in a server or consumes the server's resources (memory, disk, and so on). DDoS attacks fall into two categories: bandwidth-depletion attacks and resource-depletion attacks. To mitigate both types effectively, follow the steps below:
1. If only a few computers are the source of the attack and you have identified their IP addresses, place an ACL (access control list) on the firewall to block access from those addresses. If possible, change the web server's IP address for a period of time, but this stops working once the attacker re-queries your DNS server and resolves the new IP.
2. If you are certain that the attack is coming from a particular country, consider blocking IP traffic from that country, at least for a while.
3. Monitor incoming network traffic. This tells you who is connecting to your network, lets you spot unusual visitors, and lets you analyze logs and source IPs after the fact. An attacker may launch a few small attacks to test the robustness of your network before launching a larger one.
4. The most effective (and most expensive) solution to a bandwidth-consuming attack is to buy more bandwidth.
5. You can also use high-performance load-balancing software across multiple servers deployed in different data centers.
6. Apply the same policy to DNS: load-balance it just as you do the web and other resources.
7. Optimize resource usage to increase the load capacity of the web server. For example, with Apache you can install the ApacheBooster plug-in, which integrates Varnish and Nginx to handle surges in traffic and memory usage.
8. Use highly scalable DNS infrastructure to protect against DDoS attacks on DNS. Consider purchasing Cloudflare's commercial solution, which provides DDoS protection for DNS and for TCP/IP layers 3 through 7.
9. Enable anti-IP-spoofing on the router or firewall. This is easier to configure on Cisco's ASA firewall than on a router: in Cisco Adaptive Security Device Manager (ASDM), click Firewall under Configuration, find Anti-Spoofing, and click Enable. You can also use access control lists (ACLs) on routers to prevent IP spoofing: create ACLs describing the intranet's address space and apply them to the Internet-facing interfaces.
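The following is an added illustration of the ACL-based anti-spoofing in step 9, not code from the original article or from Cisco. It models the two filters the step describes: on the Internet-facing interface, drop any packet whose source claims to be one of your own addresses or a non-routable range; on the intranet interface, let only your own prefix leave. The prefix 203.0.113.0/24 and the `Packet`/`verdict`/`render_ios_acl` names are assumptions made for the example; the rendering uses the standard IOS extended-ACL syntax with wildcard masks.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example values: the site's own public block (an RFC 5737
# documentation range) and the ranges that must never appear as the SOURCE
# of a packet arriving from the Internet.
OWN_PUBLIC_PREFIX = ipaddress.ip_network("203.0.113.0/24")
NEVER_VALID_FROM_INTERNET = [
    OWN_PUBLIC_PREFIX,                       # nobody outside may claim to be us
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918 private
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918 private
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918 private
    ipaddress.ip_network("127.0.0.0/8"),     # loopback
    ipaddress.ip_network("169.254.0.0/16"),  # link-local
    ipaddress.ip_network("0.0.0.0/8"),       # "this" network
    ipaddress.ip_network("224.0.0.0/4"),     # multicast is never a unicast source
]


@dataclass(frozen=True)
class Packet:
    ingress_iface: str  # "outside" = Internet-facing, "inside" = intranet
    src: str
    dst: str


def verdict(pkt: Packet) -> str:
    """Return 'permit' or 'deny', mirroring the two ACLs described in the text:
    inbound on the Internet interface, reject sources that cannot legitimately
    come from outside; outbound from the intranet, allow only our own prefix."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.ingress_iface == "outside":
        return "deny" if any(src in net for net in NEVER_VALID_FROM_INTERNET) else "permit"
    if pkt.ingress_iface == "inside":
        return "permit" if src in OWN_PUBLIC_PREFIX else "deny"
    return "deny"  # unknown interface: fail closed


def render_ios_acl(name: str = "ANTI-SPOOF-IN") -> list:
    """Render the inbound rule set as Cisco IOS extended-ACL lines.
    IOS uses wildcard masks (the inverse of the netmask), which the
    ipaddress module exposes as .hostmask."""
    lines = [f"ip access-list extended {name}"]
    for net in NEVER_VALID_FROM_INTERNET:
        lines.append(f" deny ip {net.network_address} {net.hostmask} any")
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    samples = [
        Packet("outside", "10.1.2.3", "203.0.113.10"),      # private source from Internet
        Packet("outside", "203.0.113.5", "203.0.113.10"),   # pretends to be us
        Packet("outside", "198.51.100.7", "203.0.113.10"),  # ordinary visitor
        Packet("inside", "203.0.113.20", "198.51.100.7"),   # our host going out
        Packet("inside", "198.51.100.7", "203.0.113.10"),   # our host spoofing someone else
    ]
    for p in samples:
        print(f"{p.ingress_iface:7} {p.src:>15} -> {p.dst:<15} {verdict(p)}")
    print("\n".join(render_ios_acl()))
```

The rendered ACL is what you would bind to the Internet-facing interface with `ip access-group ANTI-SPOOF-IN in`; the outbound half (permit only your own prefix leaving the intranet) is the part that stops your own hosts from being used to spoof third parties.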
10. Use third-party services to protect your site. A number of companies offer high-performance infrastructure that helps you defend against denial-of-service attacks, for a few hundred dollars a month.
11. Pay attention to the server's security configuration to avoid resource-exhaustion DDoS attacks.
12. Consult experts and prepare emergency plans for attacks in advance.
13. Monitor network and web traffic. If possible, configure several analysis tools, such as StatCounter and Google Analytics, so that you can see traffic patterns more clearly and extract more information from them.
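Steps 1, 3 and 13 all rest on the same task: reading traffic logs, spotting sources that behave abnormally, and deciding whether a firewall ACL is still a sensible response. This is an added example, not code from the original article; it parses constructed Apache/Nginx combined-format access-log lines, computes each source's peak request count in a sliding time window, flags sources above a threshold, and returns whether the set of offenders is small enough for a per-IP block. The log lines, the threshold of 10 requests per 10 seconds and the function names are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format prefix: client IP, ident, user, [timestamp]
_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')


def _line(ip, ts, path="/"):
    """Build one constructed access-log line in the combined format."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 612 "-" "Mozilla/5.0"'


# Constructed sample: one normal visitor, one address hammering /login at
# about one request per second, one visitor that double-clicked, and one
# malformed line that the parser must skip.
SAMPLE_LOG = (
    [_line("198.51.100.7", "10/Oct/2023:13:55:36 +0000"),
     _line("198.51.100.7", "10/Oct/2023:13:56:10 +0000", "/about"),
     _line("198.51.100.7", "10/Oct/2023:13:57:00 +0000", "/contact")]
    + [_line("203.0.113.66", f"10/Oct/2023:13:55:{40 + i:02d} +0000", "/login")
       for i in range(12)]
    + [_line("192.0.2.9", "10/Oct/2023:13:55:45 +0000")] * 2
    + ["this line is not a valid log entry"]
)


def parse_line(line):
    """Return (ip, aware datetime) or None for lines that do not parse."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m.group("ip"), ts


def peak_requests_in_window(times, window):
    """Largest number of requests from one source inside any span of `window`
    (two-pointer sweep over the sorted timestamps)."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_flooders(lines, window=timedelta(seconds=10), threshold=10):
    """Map each source IP whose peak rate exceeds `threshold` requests per
    `window` to that peak count."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            per_ip[ip].append(ts)
    peaks = {ip: peak_requests_in_window(ts, window) for ip, ts in per_ip.items()}
    return {ip: n for ip, n in peaks.items() if n > threshold}


def suggest_response(flooders, max_acl_sources=5):
    """Per-IP blocking on the firewall (step 1) only scales to a handful of
    sources; a large distributed set needs upstream or provider mitigation."""
    if not flooders:
        return "none"
    return "firewall-acl" if len(flooders) <= max_acl_sources else "upstream-mitigation"


if __name__ == "__main__":
    offenders = find_flooders(SAMPLE_LOG)
    for ip, peak in offenders.items():
        print(f"{ip}: peak {peak} requests in 10s")
    print("suggested response:", suggest_response(offenders))
```

In practice the threshold is tuned against a baseline of the site's normal traffic, and the same sweep run over historical logs is how you notice the small probing attacks mentioned in step 3 before a larger one follows.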
14. Protect DNS against DNS amplification attacks.
15. Disable ICMP on the router, and enable it only when testing requires it. Consider the following policies when configuring the router: flow control, packet filtering, half-open connection timeouts, discarding junk packets, discarding packets from forged sources, SYN thresholds, and disabling ICMP and UDP broadcasts.
Finally, learn more about the types and methods of DDoS attacks, and prepare an emergency plan for each.