At present, the most common way to solve DDOS attacks on servers is to use hardware firewalls, which is often referred to as high defense servers, high defense servers will have a certain amount of hard defense, or large or small.

1. Scan regularly

Periodically scan the existing network master nodes to identify possible security vulnerabilities and clean up new vulnerabilities in a timely manner. Because of their high bandwidth, backbone nodes are the best places for hackers to use, so it is very important to strengthen the security of these hosts themselves. And it’s server-level computers that are connected to the network’s main nodes, so it’s even more important to scan for vulnerabilities regularly.

2. Configure firewalls on backbone nodes

The firewall itself can resist DdoS attacks and other attacks. When an attack is detected, the attack can be directed to some sacrificial hosts, which can protect the real hosts from being attacked. Of course, these sacrificial hosts can choose to be less important, or Linux and Unix systems with fewer vulnerabilities and inherently better defense against attacks.

3. Have enough machines to withstand hacking attacks

This is an ideal coping strategy. If the user has enough capacity and enough resources to the hacker attack, it is constantly visiting users, seize user resources, their energy is also gradually lost, perhaps not such a user is attacked to death, the hacker has been unable to support. However, this method requires a lot of investment, and most of the devices are idle at ordinary times, which is inconsistent with the actual operation of the current sme network.

4. Make full use of network devices to protect network resources

Network devices refer to load balancing devices such as routers and firewalls, which can effectively protect the network. Routers are the first to die when a network is attacked, but other machines do not. Dead routers can be rebooted and come back to normal quickly with no damage. If another server dies, its data is lost, and restarting the server takes a long time. In particular, one company uses load balancing devices so that if one router crashes under attack, the other one will come to work immediately. This minimizes DdoS attacks.

5. Filter unnecessary services and ports

Filtering unnecessary services and ports, that is, filtering fake IP addresses on routers…… It has become a popular practice for many servers to open only service ports, such as WWW servers that open only 80 ports and close all other ports or do blocking policies on the firewall.

6. Check the source of your visitors

Use methods such as Unicast Reverse Path Forwarding to check whether the visitor’s IP address is true, and if it is false, it will be blocked. Many hacker attacks use fake IP addresses to confuse users, making it difficult to trace where they are coming from. Therefore, Unicast Reverse Path Forwarding can reduce the occurrence of false IP addresses and improve network security.

7. Filter all RFC1918 IP addresses

RFC1918 IP addresses are Intranet IP addresses, such as 10.0.0.0, 192.168.0.0, and 172.16.0.0. They are not fixed IP addresses of a network segment, but reserved regional IP addresses of the Internet. They should be filtered out. This method does not filter the access of internal employees, but filters a large number of fake internal IP addresses that are forged during the attack, which also mitigates DdoS attacks.

8. Limit SYN/ICMP traffic

Users should configure the maximum SYN/ICMP traffic on the router to limit the maximum bandwidth that SYN/ICMP packets can occupy. In this way, when a large amount of SYN/ICMP traffic exceeds the limit, it indicates that the network is not normal, but hackers. Restricting SYN/ICMP traffic was the best defense against DOS in the early days. Although it is not so effective against DdoS, it still works.