Methods of defending servers against DDoS; Hangzhou high-protection anti-DDoS IP segment 103.219.39.x
2022-07-08 00:22:00 【IDC02_ FEIYA】
Dealing with DDoS is a systems engineering problem; expecting a single product to defend against DDoS is unrealistic. One thing is certain: eliminating DDoS completely is impossible at the moment, but resisting 90% of DDoS attacks with appropriate measures is achievable. Both attack and defense have costs, so strengthening your ability to resist DDoS by appropriate means raises the attacker's cost. The vast majority of attackers will then be unable to continue and will give up, which amounts to successfully defending against the DDoS attack. The following are my experience and suggestions from many years of resisting DDoS, shared with you.
1. Use high-performance network equipment
First of all, make sure the network equipment cannot become a bottleneck. When choosing routers, switches, hardware firewalls and other equipment, pick well-known products with a good reputation. It is even better if you have a special relationship or agreement with your network provider: when a large attack occurs, asking them to rate-limit traffic at their network nodes is very effective against some kinds of DDoS attack.
2. Avoid NAT where possible
Whether on a router or on a hardware firewall, avoid network address translation (NAT) as far as possible, because it greatly reduces network throughput. The reason is simple: NAT has to translate addresses back and forth, and the checksum of each network packet must be recalculated during translation, which wastes a lot of CPU time. Sometimes, though, you have to use NAT, and then there is no good alternative.
3. Guarantee sufficient network bandwidth
Network bandwidth directly determines the ability to resist attacks. With only 10M of bandwidth, no measure will hold up against today's SYN flood attacks. At present you should choose at least 100M of shared bandwidth; best of all, of course, is to sit on a 1000M backbone. Note, however, that a 1000M network card on the host does not mean its network bandwidth is gigabit: if it is connected to a 100M switch, its actual bandwidth will not exceed 100M. Likewise, being connected to 100M of bandwidth does not mean you actually have 100M, because the network service provider may well limit the actual bandwidth to 10M on the switch. This must be made clear.
4. Upgrade the host server hardware
Once network bandwidth is guaranteed, improve the hardware configuration as far as you can. To cope effectively with 10 m SYN attack packets per second, the server configuration should be at least P4 2.4G/DDR512M/SCSI-HD. CPU and memory play the key role: if you have a dual-CPU server, use it, and the memory must be high-speed DDR. Choose SCSI hard disks where possible; do not pick IDE just because it is cheap and plentiful, or you will pay a high price in performance. The network card should be from 3COM, Intel or a similar brand; Realtek cards are better left for your own PC.
5. Make the website static pages
A great deal of experience shows that making the website as static as possible not only greatly improves its ability to resist attack but also causes hackers a lot of trouble; at least so far, no overflow in HTML has appeared. Look at Sina, Sohu, Netease and other portal sites: they are mainly static pages. If you do need dynamic script calls, move them to a separate host so that an attack does not drag down the main server. Of course, keeping a moderate number of scripts that make no database calls is fine. In addition, it is best to deny access through proxies in any script that calls the database, because experience shows that 80% of visits to your website through a proxy are malicious.
6. Harden the operating system's TCP/IP stack
Win2000 and Win2003, as server operating systems, have some built-in ability to resist DDoS attacks; it is just not turned on by default. When enabled, it can withstand about 10000 SYN attack packets; when not enabled, only a few hundred. For how to turn it on, please refer to Microsoft's article. Some people may ask: what if I use Linux or FreeBSD? That is simple: follow the article "SYN cookies" - http://cr.yp.to/syncookies.html
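The Linux side of this advice can be checked mechanically. The script below is an added example, not code from this article or from the linked SYN cookies page: it audits three Linux sysctls that govern SYN-flood handling. The function name, the thresholds and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Linux SYN-flood settings given sysctl-style text.
# Thresholds are illustrative assumptions, not values from the article.
MIN_SYN_BACKLOG=4096     # assumed floor for net.ipv4.tcp_max_syn_backlog
MAX_SYNACK_RETRIES=3     # assumed ceiling for net.ipv4.tcp_synack_retries

# Reads "key = value" lines on stdin (sysctl output or sysctl.conf),
# prints one line per finding, and returns the number of findings.
audit_syn_settings() {
    awk -F'[ \t]*=[ \t]*' -v minb="$MIN_SYN_BACKLOG" -v maxr="$MAX_SYNACK_RETRIES" '
    function check(key, kind, limit, why) {
        if (!(key in val)) { print "MISSING " key; return 1 }
        if ((kind == "min" && val[key] + 0 < limit) ||
            (kind == "max" && val[key] + 0 > limit)) {
            print "WEAK " key "=" val[key] " (" why ")"; return 1
        }
        return 0
    }
    /^[ \t]*([#;]|$)/ { next }                  # skip comments and blank lines
    { sub(/^[ \t]+/, "", $1); val[$1] = $2 }    # last assignment wins
    END {
        n  = check("net.ipv4.tcp_syncookies", "min", 1, "SYN cookies disabled")
        n += check("net.ipv4.tcp_max_syn_backlog", "min", minb, "half-open queue below " minb)
        n += check("net.ipv4.tcp_synack_retries", "max", maxr, "more than " maxr " SYN-ACK retries")
        exit n
    }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_WEAK='net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_synack_retries = 5'
SAMPLE_HARDENED='# constructed sysctl.conf fragment
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 8192
net.ipv4.tcp_synack_retries = 2'

# Demo on the weak sample: prints three WEAK lines, then the finding count.
printf '%s\n' "$SAMPLE_WEAK" | audit_syn_settings || echo "findings: $?"
```

On a live Linux host, pipe `sysctl net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog net.ipv4.tcp_synack_retries` into `audit_syn_settings`.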
7. Install a professional anti-DDoS firewall
For example, the Golden Shield firewall is the most widely used and most professional anti-DDoS firewall.
8. Other defenses
The seven anti-DDoS suggestions above suit the vast majority of users who run their own hosts. If those measures still do not solve the DDoS problem, things get more troublesome and more investment may be needed: increase the number of servers and adopt DNS round robin or load balancing, or even buy layer-7 switching equipment, so that the capacity to withstand DDoS attacks is multiplied. As long as the investment goes deep enough, there will come a time when the attacker gives up, and then you have succeeded!
Now do you know how a server defends against DDoS attacks?
High-protection IP segment (TCP_SYN, ACK, RST) on display: