Category: Operation / Design
One of the most difficult to prevent attacks. The bottom line is that the server is the request stream (flood), why is banal run out of resources, and the server can not handle the load.
Usually DOS attack is a distributed and performed by a botnet: network of infected computers.
It should be understood that an attack carried out by special software which optionally can be modified for specific tasks, ie most of the tricks to protect the attacker can bypass if you wish.
DDOS attack is the object of sale, ie, An attacker could be anyone who can afford the owner of a botnet
Rent a botnet rather vague, if earlier it was estimated at several thousand USD, but now prices fell dramatically and there is a proposal in the $ 100-150 per day attack (though it implies deposit, that in such a high moral business means that the odds just to spend the money are quite high). DDOS attacks are separated by the degree of coarseness:
- overflow channel, the number of requests is so great that exhausted the resources of network connection.
Solutions:
- buying a wider channel (speed 10GBps be quite sufficient), in addition, you must have a backup channel.
- Directly to the server resources safeguarded by filtering on the port with hardware solutions.
- SYN-flooding.
The idea is that at a special TCP packet c SYN flag the server must reply packet SYN + ACK, and then wait for a response. In the case of DOS attack response is not received, meanwhile, the server is busy waiting.
In this case, can be used and the 'SYS-reflection `attack, when a SYN packet is sent to the third server with an indication of a fake IP address: actually it does not change, but will come SYN / ACK packet and at intervals of several minutes, should be considered when blocking on IP.
Solutions:
- Using the SYN-COOKIE
- Installation is quick (preferably hardware) frontend, which will be engaged in the processing of such requests, not "distracting" the application server
- Limiting the time waiting for a response and an increase in the number of simultaneous connections (within reason)
- Calculation of the prohibition of problem IP addresses.
- HTTP-flood.
In this case, the main burden accepts service applications, as a consequence, we have a big load.
Solutions:
- Branch of real users of "bots": set COOKIE, setting flags means of javascript or flash, captcha. The latter is not very pleasant for the user, even though Google and Yandex it does not disdain.
Using their own tricks, please note that:
a) In addition to DOS robots come to the site search engine spiders, which just do not cut off
b) the bots can be software-driven so as to circumvent the protections (cookie protects from the most simple and most complex can execute javascript), so these solutions are designed to quickly raise the cost of the attack
a) load of the remedies must be less than if the robot overcame it (in the first place refers to optimization captcha)
- Specialized software and hardware tools for tracking traffic anomalies
- Services to clean up the traffic-party resources (http://ddef.ru/defence/, http://highloadlab.ru/ services/service_8.html), which filter out harmful requests. Some of them (highloadlab) are free.
It should be noted that all of these services are strictly monitoring the reputation ohranyamyh sites, and may decline if the project is suspect.
About DDOS already written a lot and mostly sad bots umneyut them more, not Gondor will stand, etc. In fact, with a serious approach, he is not so terrible (here lib.rus.ec dosyat nonstop and though henna), but always be prepared for the worst, and make the splash page: "we were attacked and DDOSyat, while we are fighting in the blood, look on youtube video about our new services. "
|