Over a month ago, my personal website suffered a DDoS attack that took it offline for over 50 hours. This article is about how to deal with such attacks.
To be clear, I'm not a DDoS expert and never thought I'd be a target. After the attack, I learned a lot from the help and advice offered by many people I had never met. Here are some of the solutions that helped me the most.
1. What is DDoS?
Let me first explain what a DDoS attack is.
Suppose I run a restaurant that seats 30 people at a time. Normally you walk in, take a table, order, and your food arrives promptly.
Unfortunately, I have crossed a troublemaker. He sends 300 people into the restaurant at once. They look like ordinary customers, and each of them demands, "Hurry up." But the restaurant only holds 30 people; it cannot possibly fill that many orders at once. On top of that, the crowd blocks the entrance, packed several deep inside and outside the door, so genuine diners cannot get in. In effect, the restaurant is paralyzed.
This is what a DDoS attack looks like: a large number of requests arrive in a short period of time, exhaust the server's resources, and leave it unable to respond to normal visitors, so the website is effectively offline.
"DoS" stands for "Denial of Service": the purpose of the attack is to make the service unavailable. The first D stands for "distributed", meaning the attack does not come from one place but from all directions, which makes it much harder to defend against. You close the front door and he comes in through the back; you shut the back door and he jumps in through the window.
2. Types of DDoS
DDoS is not a single attack but a whole category of attacks, with dozens of variants and new ones being invented all the time. Every link in the chain that keeps a website running can be a target; break any one link so that the whole process stops, and the service is paralyzed.
One of the most common variants is the CC attack (Challenge Collapsar), which does nothing more than send so many ordinary-looking requests that the server collapses under them. At the peak of the attack on my site, more than 20 IP addresses around the world were taking turns sending requests, and each address sent about 200 requests per second. Looking at the access log, the requests were pouring in like a flood; in a few minutes the log file grew by 100 MB.
The rest of this article deals with CC attacks.
3. HTTP request interception
If the malicious requests have an identifiable signature, they are easy to deal with: just block them.
An HTTP request generally offers two attributes useful for this: the source IP address and the User-Agent header. If the malicious requests come from one IP range, blocking that range is enough. If their User-Agent has a distinctive feature (it contains a particular word), block every request whose User-Agent contains that word.
Interception can be done at three levels.
(1) Dedicated hardware
A hardware firewall can be placed in front of the Web server to filter requests. It works best, but it’s also the most expensive.
(2) The local firewall
Operating systems come with a software firewall; on Linux servers this is generally iptables. For example, to drop all traffic from IP address 1.2.3.4, run the following command.
$ iptables -A INPUT -s 1.2.3.4 -j DROP
iptables is complicated and I am not very good at it. It also costs server performance and does not hold up against a large attack.
(3) Web server
The Web server can also filter requests. To block IP address 1.2.3.4 in nginx:
location / { deny 1.2.3.4; }
In Apache, put the following in the .htaccess file:
<RequireAll>
    Require all granted
    Require not ip 1.2.3.4
</RequireAll>
For finer control (for example, automatically identifying and blocking IP addresses that request too frequently), use a WAF. I will not go into the details here; see the nginx documentation for the relevant settings.
Filtering at the Web server costs a great deal of performance, especially on Apache. Once the attack grows a little larger, this approach no longer works.
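As an added example (not code from the original post), here is a small shell script that performs the automatic identification mentioned above: it reads an access log in the "combined" format that both nginx and Apache write, finds source IPs that reached a threshold of requests within a single second (the pattern seen in the author's log, where a couple of dozen addresses each sent about 200 requests per second), and turns the result into iptables or nginx deny rules of the kind shown in this section. The log lines, the addresses (RFC 5737 test networks) and the thresholds are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Finds CC-attack sources in
# an access log and emits block rules. All log data below is constructed.

# cc_offenders THRESHOLD  (reads an nginx/Apache "combined" log on stdin)
# Prints "ip peak_per_second total" for each IP that sent at least THRESHOLD
# requests inside any single second, busiest first.
cc_offenders() {
  threshold="${1:-50}"
  awk -v th="$threshold" '
    {
      ip = $1
      ts = substr($4, 2)            # $4 is "[10/Oct/2024:13:55:36"; drop the "["
      key = ip SUBSEP ts
      persec[key]++
      total[ip]++
      if (!(ip in peak) || persec[key] > peak[ip]) peak[ip] = persec[key]
    }
    END {
      for (ip in peak)
        if (peak[ip] >= th) printf "%s %d %d\n", ip, peak[ip], total[ip]
    }' | sort -k2,2nr -k1,1
}

# block_rules iptables|nginx  (reads cc_offenders output on stdin)
# Prints one rule per offending IP in the chosen syntax.
block_rules() {
  fmt="$1"
  while read -r ip _; do
    case "$fmt" in
      iptables) printf 'iptables -I INPUT -s %s -j DROP\n' "$ip" ;;
      nginx)    printf 'deny %s;\n' "$ip" ;;
      *)        echo "block_rules: unknown format '$fmt'" >&2; return 1 ;;
    esac
  done
}

# flood_lines IP TIMESTAMP COUNT: COUNT identical log lines (constructed data).
flood_lines() {
  i=0
  while [ "$i" -lt "$3" ]; do
    printf '%s - - [%s +0000] "GET / HTTP/1.1" 200 612 "-" "python-requests/2.31"\n' "$1" "$2"
    i=$((i + 1))
  done
}

# sample_log: one ordinary visitor plus two flood sources (constructed data).
sample_log() {
  printf '203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "GET /blog HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n'
  flood_lines 198.51.100.7 10/Oct/2024:13:55:36 60   # 60 requests in one second
  flood_lines 198.51.100.8 10/Oct/2024:13:55:36 40   # 40 per second for two seconds
  flood_lines 198.51.100.8 10/Oct/2024:13:55:37 40
  printf '203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "GET /blog/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"\n'
}

# Demo: "sh cc_block.sh demo" prints nginx deny lines for the sample log.
if [ "${1:-}" = "demo" ]; then
  sample_log | cc_offenders 30 | block_rules nginx
fi
```

On a real server you would pipe `tail -n 100000 /var/log/nginx/access.log | cc_offenders 100 | block_rules nginx` into a file that the nginx configuration includes, then reload nginx. nginx also has this logic built in: the `limit_req_zone` and `limit_req` directives rate-limit each client address without any scripting, and tools such as fail2ban automate the log-scan-then-firewall loop. Note that per-IP blocking only works while the number of sources stays small; with hundreds of addresses sending a handful of requests each, there is nothing for a threshold to catch, which is the point the next section makes.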
4. Bandwidth expansion
The HTTP interception of the previous section has one prerequisite: the requests must have a signature. A real DDoS attack, however, has no such signature. The requests look exactly like normal requests and come from many different IP addresses, so there is nothing to match on. That is why DDoS is so hard to defend against.
Of course, such attacks are not cheap, and an ordinary website rarely gets this treatment. But if you do run into one, is there any fundamental defense?
The simple answer is to try to absorb it all. If 300 people show up at a 30-seat restaurant, try to expand the restaurant (rent the shop next door for a while and bring in some extra cooks) so that all 300 can be seated and regular customers are not affected. For a website, this means scaling up dramatically in a short time, providing several or even dozens of times the usual bandwidth, enough to soak up the flood of requests. This is why cloud providers can sell protection products: they have plenty of spare bandwidth with which to absorb a DDoS attack.
A friend taught me a method that impressed me. A cloud provider promised that each host could absorb up to 5 Gbps of attack traffic without trouble, so he bought five hosts at once. The site itself lives on one of them, which is not exposed to users. The other four are mirrors that face users, and DNS spreads traffic evenly across them. Under attack, this architecture can withstand 20 Gbps of traffic; if a bigger attack comes, buy more temporary hosts and keep adding mirrors.
5. CDN
A CDN distributes a website's static content across many servers so that users fetch it from the nearest one, which speeds up access. For that reason, a CDN is also a form of bandwidth expansion and can be used to defend against DDoS attacks.
The site's content lives on the origin server; the CDN holds a cache of it. Users are only allowed to reach the CDN, and when the CDN does not have a piece of content it fetches it from the origin. As long as the CDN is large enough, it can absorb a great deal of attack traffic. This approach assumes, however, that most of the site is static and cacheable. A site with a lot of dynamic content (a forum, say) has to find other ways to minimize requests for dynamic data.
The mirror servers in the previous section are essentially a small self-built CDN. The "high-defense IP" (高防 IP) products of the major cloud providers work the same way: the site's domain name points at the high-defense IP, which acts as a buffer layer, scrubs the traffic, and caches the origin server's content.
A key point here: once you are behind a CDN, never reveal the origin server's IP address. Otherwise an attacker can bypass the CDN and hit the origin directly, and all the previous effort is wasted. Search for "bypass CDN to obtain real IP address" and you will see how rampant the underground industry in China is.
Cloudflare is a free CDN service that also provides a firewall, and I highly recommend it. I would also like to thank @Livid of v2ex.com for their kind help. I am now using their CDN product.