当前位置:网站首页>The method of server defense against DDoS, Hangzhou advanced anti DDoS IP section 103.219.39 x
The method of server defense against DDoS, Hangzhou advanced anti DDoS IP section 103.219.39 x
2022-07-08 00:22:00 【IDC02_ FEIYA】
deal with DDoS It's a systems engineering , Or just want to defend against a product DDoS It's unrealistic , One thing is for sure , Completely put an end to DDoS It's impossible at the moment , But through appropriate measures to resist 90% Of DDoS Attack can be done , Because of the cost of both attack and defense , If the resistance is enhanced by appropriate means DDoS The ability of , This means that it increases the attack cost of the attacker , Then the vast majority of attackers will not be able to continue and give up , It's equivalent to a successful defense DDoS attack . The following is what I have resisted for many years DDoS My experience and suggestions , Share with you !
1、 Using high performance network equipment
First of all, we must ensure that network equipment can not become a bottleneck , So choose the router 、 Switch 、 Hardware firewall and other equipment should try to choose high visibility 、 Products with good reputation . And then it's better if you have a special relationship or agreement with the network provider , When a large number of attacks occur, ask them to make traffic restrictions at the network nodes to counter some kinds of DDoS The attack is very effective .
2、 Try to avoid NAT Use
No matter router or hardware protective wall equipment, network address translation should be avoided as far as possible NAT Use , Because using this technology will greatly reduce the network communication capacity , The reason is simple , because NAT You need to translate the address back and forth , In the process of conversion, we need to calculate the check sum of network packets , So a lot of waste CPU Time for , But sometimes you have to use NAT, Then there's no good way .
3、 Sufficient network bandwidth guarantees
Network bandwidth directly determines the ability to resist attacks , If only there were 10M In terms of bandwidth , No matter what measures are taken, it will be difficult to confront the present SYNFlood attack , Currently, at least 100M Shared bandwidth of , The best, of course, is to hang on 1000M It's on the trunk of . But it should be noted that , The network card on the host is 1000M It doesn't mean that its network bandwidth is Gigabit , If you connect it to 100M On the switch , Its actual bandwidth will not exceed 100M, And then it's connected to 100M The bandwidth of 100 MB is not equal to that of 100 MB , Because the network service provider is likely to limit the actual bandwidth on the switch to 10M, This must be made clear .
4、 Upgrade the host server hardware
Under the premise of network bandwidth guarantee , Please try to improve the hardware configuration , It's going to be effective against every second 10 m SYN Attack Pack , The configuration of the server should be at least :P4 2.4G/DDR512M/SCSI-HD, The main thing that plays a key role is CPU And memory , If you have a pair of high aspirations CPU Use it if you want , Memory must be selected DDR High speed memory , Try to choose the hard disk SCSI Of , Don't just be greedy IDE The price is not expensive, and the quantity is cheap , Otherwise, there will be a high performance cost , And then the network card must be selected 3COM or Intel And so on , if Realtek It's still for your own use PC Come on. .
5、 Make the website a static page
A lot of facts prove that , Make the website as static as possible , Not only can greatly improve the ability to resist attack , And it also brings a lot of trouble to hackers , At least so far about HTML There's no overflow yet , Have a look ! Sina 、 sohu 、 Netease and other portal websites are mainly static pages , If you don't need dynamic script calls , Then take it to a separate host , The main server will be involved in the attack , Of course , It's OK to put some scripts that don't make database calls properly , Besides , It's best to deny access using a proxy in a script that calls the database , Because experience has shown that using a proxy to visit your website 80% It's a malicious act .
6、 Enhanced operating system TCP/IP Stack
Win2000 and Win2003 As a server operating system , It has a certain resistance in itself DDoS Ability to attack , It's just not on by default , If opened, it can resist about 10000 individual SYN Attack Pack , If it is not turned on, it can only resist hundreds of , How to turn it on , Please refer to Microsoft's post , Maybe some people will ask , Then I use Linux and FreeBSD What do I do ? It's simple , You can refer to this article to do 《SYN cookies》- http://cr.yp.to/syncookies.html
7、 Installation of professional anti DDOS A firewall
For example, Golden Shield firewall is the most used , The most professional anti DDOS A firewall .
8、 Other defenses
The above seven confrontations DDoS Suggest , Suitable for the vast majority of users with their own hosts , But if the above measures still can not be solved DDoS problem , There's some trouble , More investment may be needed , Increase the number of servers and adopt DNS Round robin or load balancing technology , Even need to buy seven layer switch equipment , So that the resistance to DDoS Attack power doubled , As long as the investment goes deep enough , There is always a time when the attacker will give up , Then you will succeed !
Now you know how the server defends DDOS Did you attack ?
High protection section (TCP_SYN,ACK,RST) Exhibition :
103.219.39.1
103.219.39.2
103.219.39.3
103.219.39.4
103.219.39.5
103.219.39.6
103.219.39.7
103.219.39.8
103.219.39.9
103.219.39.10
边栏推荐
- 赞!idea 如何单窗口打开多个项目?
- An error is reported during the process of setting up ADG. Rman-03009 ora-03113
- 深潜Kotlin协程(二十三 完结篇):SharedFlow 和 StateFlow
- new和delete的底层原理以及模板
- How to put recyclerview in nestedscrollview- How to put RecyclerView inside NestedScrollView?
- 攻防世界Web进阶区unserialize3题解
- 35岁真就成了职业危机?不,我的技术在积累,我还越吃越香了
- 关于组织2021-2022全国青少年电子信息智能创新大赛西南赛区(四川)复赛的通知
- 手写一个模拟的ReentrantLock
- 【编程题】【Scratch二级】2019.09 绘制雪花图案
猜你喜欢
ReentrantLock 公平锁源码 第0篇
"An excellent programmer is worth five ordinary programmers", and the gap lies in these seven key points
Using Google test in QT
2022-07-07:原本数组中都是大于0、小于等于k的数字,是一个单调不减的数组, 其中可能有相等的数字,总体趋势是递增的。 但是其中有些位置的数被替换成了0,我们需要求出所有的把0替换的方案数量:
大数据开源项目,一站式全自动化全生命周期运维管家ChengYing(承影)走向何方?
QT creator add JSON based Wizard
他们齐聚 2022 ECUG Con,只为「中国技术力量」
ROS从入门到精通(九) 可视化仿真初体验之TurtleBot3
测试流程不完善,又遇到不积极的开发怎么办?
[the most detailed in history] statistical description of overdue days in credit
随机推荐
[C language] objective questions - knowledge points
玩轉Sonar
Stm32f1 and stm32cubeide programming example - rotary encoder drive
C language 001: download, install, create the first C project and execute the first C language program of CodeBlocks
华为交换机S5735S-L24T4S-QA2无法telnet远程访问
“一个优秀程序员可抵五个普通程序员”,差距就在这7个关键点
What if the testing process is not perfect and the development is not active?
C# 泛型及性能比较
35岁真就成了职业危机?不,我的技术在积累,我还越吃越香了
STM32F1与STM32CubeIDE编程实例-旋转编码器驱动
在网页中打开展示pdf文件
Binder核心API
大数据开源项目,一站式全自动化全生命周期运维管家ChengYing(承影)走向何方?
2022-07-07:原本数组中都是大于0、小于等于k的数字,是一个单调不减的数组, 其中可能有相等的数字,总体趋势是递增的。 但是其中有些位置的数被替换成了0,我们需要求出所有的把0替换的方案数量:
How does starfish OS enable the value of SFO in the fourth phase of SFO destruction?
Is Zhou Hongyi, 52, still young?
Jouer sonar
An error is reported during the process of setting up ADG. Rman-03009 ora-03113
[programming problem] [scratch Level 2] draw ten squares in December 2019
[question de programmation] [scratch niveau 2] oiseaux volants en décembre 2019