With the development of the Internet and information technology, everyone is enjoying the comfort and convenience brought by the Internet. Nowadays, both personal social behavior and business activities have long been inseparable from the Internet.
But as well as creating opportunities, cyberspace also poses threats. With the increase of enterprise value and popularity, the official website, online trading platform and user login page are all the preferred targets of attackers, and the most common attack method is DDoS. DDoS attacks make many manufacturers and enterprises feel helpless at the same time, but also suffered huge losses. Over the years, DDoS attacks have become increasingly diversified and difficult to defend against. It has become a form of attack used by different organizations and individuals for extortion, revenge, and even cyber warfare.
This article takes you through common DDoS attacks and how to defend against them.
What is a DDoS attack?
Distributed denial-of-service (DDoS) attacks are also called Distributed denial-of-service (DoS) attacks. Its purpose is to use a variety of attacks, so that the function of the network system paralysis or resource exhaustion, forcing the web page or server interruption of service, resulting in normal users can not use web page functions and use services.
In the early days of computers, which were not as sophisticated as they are today, one-to-one DoS attacks were easy to achieve as long as the attacker’s machine was superior to the victim’s. Many large enterprises today have strong service offering capabilities, so it is no longer a problem to deal with attacks on a single request.
If fighting isn’t going to work, we’ll fight. An attacker will organize many associates to request services at the same time until the service becomes inaccessible, hence the word “distributed” in the name. In reality, however, the average attacker cannot organize local partners to “fight”, so he uses a “botnet” to control many computers to attack.
Botnets computers infected with malware, and other internet-connected resources, such as IoT devices. These zombie hosts receive the attacker’s control command, thus building a large number of zombie host (Bot) army, launching a specific type of attack on the same target at the same time, will be exhausted by the attacker’s network resources and system resources, resulting in the inability to provide services for real users. This is where the name “block service” comes from.
Because the number of zombie hosts is large and widely distributed, and they are all legitimate network devices, it is difficult to separate the attack traffic from the normal traffic, and the harm degree and defense difficulty are very great.
The picture above shows the news that Taobao’s servers are down on Singles’ Day every year. The surge of traffic caused by many users using the service is, in some ways, equivalent to a large DDoS attack.
How do I identify DDoS attacks
The most obvious feature of a DDoS attack is when a site or service suddenly becomes slow or unavailable. However, in real business, similar performance issues can occur for a variety of reasons, such as a reasonable surge in business traffic, such as game file updates, so further confirmation is often required. Here are some telltale signs of a DDoS attack:
-
Suspicious access from a single IP address or IP range;
-
The number of requests to a single page or interface spikes;
-
Unusual traffic patterns, such as sudden spikes in traffic in the early hours of the day, or some kind of traffic spike that is not consistent with business (for example, every 10 minutes)
There are other, more specific signs of DDoS attacks, depending on the type of attack.
DDoS attack mode
Bandwidth consumption attack
Through the transmission of a large number of invalid, or malicious amplification of the flow of data requests, blocking the bandwidth of the attacked server, so that it reached saturation, so that normal users can not enter, and even cause web page breakdown, to achieve the purpose of denial of service.
Common UDP flood attacks (sending large or small packets of user datagram protocol) and ICMP flood attacks (sending a large number of ICMP-related packets). Fatal pings that generate more than the maximum data length specified in the IP protocol and cause system downtime fall into this category.
Resource-consuming attack
Different from bandwidth-consuming DDoS attacks, resource-consuming attacks cause the attacked server to repeatedly run ineffectively, depleting web resources and failing to respond to normal users’ requests, thus achieving the purpose of denial of service.
This type of DDoS attack is typical, such as SYN flood attack. We all know that creating a TCP connection requires three interactions between the client and the server, often referred to as the “three-way handshake.” This information is usually stored in the server connection table structure, but the size of the table is limited and the server cannot create new TCP connections when the storage capacity is exceeded.
In a SYN flood attack, the server initiates a TCP handshake request and then disconnects the network. The server continues to send requests and wait for a reply. As a result, the server resources are constantly consumed. Furthermore, if the IP address source of SYN flood attacks is set to the IP address of the attacked server, the server will continue to respond until resources are exhausted. This is a common LAND attack.
In addition, there are a large number of servers to be attacked to simulate the normal HTTP request CC attack, network zombie attack and so on, are exhausted server resources as the target of the attack means.
Application of attack
In recent years, The Development of Web technology has been very rapid, so application attacks have also been born. That is, the attacker continues to maliciously send a large number of HTTP requests to the Web server, and uses some interfaces provided by Web applications to add, delete, modify, and check the background database of the website. Because the operation is done by computers, the enormous computing power of computers is often accompanied by terrifying destructive power. Once a Web service is subjected to such an attack, it can have a fatal impact on the business it hosts.
DDoS defense mode
DDoS attacks are difficult to defend against because they are packaged with seemingly normal requirements and are difficult to trace.
However, we can still use the following three processing directions to strengthen the system against DDoS:
– Enforce firewall traffic rules
A high-performance firewall can be configured to limit requests from abnormal IP addresses, reduce the bandwidth consumption or resource consumption of a large number of invalid data, and strengthen the filtering mechanism to block DDoS attacks.
– Improves server performance and specifications
Improve the performance of the server. When the server is attacked by DDoS, it can obtain more buffer time. In the condition of not paralyzing the service, it can formulate anti-ddos defense measures according to the attack mode in time to minimize the damage.
– Use a system that supports DDoS defense
For example, the DDoS traffic cleaning mechanism can import traffic to the cleaning system to filter and eliminate abnormal traffic sources, or the server itself can defend against a certain number of invalid packets, and set a reasonable number of concurrent connections, so that DDoS attacks fail.
– Looking for a professional defense service team
As traditional devices cannot defend against DDoS attacks with heavy traffic, cloud defense systems are increasingly favored by customers. Youpaiyun anti-DDOS IP service is a high-level anti-DDOS service that protects Internet services against DDoS attacks. Deploy the high IP defense service in front of the source server to defend the service server against internal and external traffic attacks.
After a customer connects services to a high defense IP address, all public network traffic from the source server is diverted to the high defense equipment room. The abnormal traffic detection system of the high defense IP address platform intelligently identifies and analyzes the traffic in real time, diverts attack traffic to the high defense node, and hides the source station to ensure the stable and reliable operation of the source station.
High defense IP addresses can defend against the following attacks, including but not limited to SYN Flood, UDP Flood, ICMP Flood, IGMP Flood, ACK Flood, and Ping Sweep.
Youpai Cloud high defense IP service provides online SaaS service access mode, remote multi-node and multi-line protection, single point defense 1T, total network defense capacity nearly 3T, supporting BGP, telecom, China Unicom, mobile and other lines. The SVN effectively defends against SYN Flood, ACK Flood, UDP Flood, HTTP Flood, and CC attacks, providing customers with stable and secure access experience.
Recommended reading
High anti-ddos IP address: anti-ddos system
Everyone is talking about cloud security, what is going on?