To stop DDoS (distributed denial of service) attack, one needs to have a clear understanding of what happens when an attack takes place. In short, a DDoS attack can be accomplished by exploiting vulnerability in the server or by consuming server resources (for example, memory, hard disk, and so forth).There are two broad types of DDoS attacks: bandwidth depletion attacks and resources depletion attacks. In order to halt both types of attacks, you can follow the steps given below:

1. If only a few computers are the source of the attack and you have identified the source of those IP, you can put an ACL (access control list) in your firewall blocking those IPs. Change the IP address of the web server for a while, if possible, but it will not be affective when the attacker will start resolving your new IP by querying your DNS servers.

2. When you identify that attacks originating from a specific country, you think block that country’ IP block, at least for a while.

为了对抗 DDoS(分布式拒绝服务)攻击,你需要对攻击时发生了什么有一个清楚的理解. 简单来讲,DDoS 攻击可以通过利用服务器上的漏洞,或者消耗服务器上的资源(例如 内存、硬盘等等)来达到目的。DDoS 攻击主要要两大类: 带宽耗尽攻击和资源耗尽攻击. 为了有效遏制这两种类型的攻击,你可以按照下面列出的步骤来做:
1. 如果只有几台计算机是攻击的来源,并且你已经确定了这些来源的 IP 地址, 你就在防火墙服务器上放置一份 ACL(访问控制列表) 来阻断这些来自这些 IP 的访问。如果可能的话 将 web 服务器的 IP 地址变更一段时间,但是如果攻击者通过查询你的 DNS 服务器解析到你新设定的 IP,那这一措施及不再有效了。
2. 如果你确定攻击来自一个特定的国家,可以考虑将来自那个国家的 IP 阻断,至少要阻断一段时间.

3. Create an inbound traffic profile. This way you will know who is regularly visiting your site. In case you discover an unexpected number of new visitors, you can further investigate the logs and source IPs. Before large scale attacks, you might experience a small-scale DDOS attack that the attacker may use to estimate the strength of your network resilience.

4. The easiest, although a costly, way to defend your network from bandwidth consumption attack is to buy more bandwidth.

5. You may deploy more servers, spread around various datacenters, and you may use good load balancing software.

6. Make sure your DNS is protected behind the same type of load balancer that you used to protect your web and other resources.





7. Optimize your webserver to handle more visitors without exhausting all resources. If you are using Apache server, you can use Apachebooster plugin, which was designed by integration of varnish and nginx. Apachebooseter can cope with sudden spike with traffic and memory usages.

8. Fast DNS-Protect against DNS-based DDoS attacks with a highly scalable DNS infrastructure. You can think about buying CloudFlair business or enterprise plan, which provides protection to DNS and layer 3, 4 and 7 based DDoS attacks.

9. Enable anti IP spoofing features in your firewall and routers. It is much easier to implement anti-spoofing in Cisco ASA firewall than in the routers. To enable anti-spoof with ASDM, click on configuration from firewalls and then click on anti-spoofing. You can prevent spoofing in router using ACL. Create an access control list for your internal IP subnets, and apply that ACL in your Internet facing interface.

7、优化资源使用提高 web server 的负载能力。例如,使用 apache 可以安装 apachebooster 插件,该插件与 varnish 和 nginx 集成,可以应对突增的流量和内存占用。

8、使用高可扩展性的 DNS 设备来保护针对 DNS 的 DDOS 攻击。可以考虑购买 Cloudfair 的商业解决方案,它可以提供针对 DNS 或 TCP/IP3 到7层的 DDOS 攻击保护。

9、启用路由器或防火墙的反IP欺骗功能。在 CISCO 的 ASA 防火墙中配置该功能要比在路由器中更方便。在 ASDM(Cisco Adaptive Security Device Manager)中启用该功能只要点击“配置”中的“防火墙”,找到“anti-spoofing”然后点击启用即可。也可以在路由器中使用 ACL(access control list)来防止 IP 欺骗,先针对内网创建 ACL,然后应用到互联网的接口上。

10. Hire third party DDoS service to protect your site. There are a number of service providers with robust network who can help your website survive during denial of service attack. You can subscribe to such service for a monthly cost of few hundred dollars only.

11. Pay attention to your server’s security configuration in order to prevent resource depletion type of DDoS attack.

12. Consult a DDoS expert, and make an action plan to carry out when you actually face the attack.

13. Monitor your network and web traffic. If possible you can set up multiple analytics such as Statcounter and Google analytics in order to understand and gather more data of your traffic patterns.


11、注意服务器的安全配置,避免资源耗尽型的 DDOS 攻击。


13、监控网络和 web 的流量。如果有可能可以配置多个分析工具,例如:Statcounter 和 Google analytics,这样可以更直观了解到流量变化的模式,从中获取更多的信息。

14. Secure you DNS server against recursive DNS query attacks.

15. Block ICMP in your router. Enable it when you need it for troubleshooting purpose only. Also you can do the following things with your router: rate limit, filtering packets, timeout half-open connections, drop junk and spoofed packets, set low threshold for TCP SYN, ICMP and UDP flood drop.

Finally study more about DDoS attacks and be familiar with the types of DDoS attacks and make action plan to defend against each type of DDoS attack.

14、保护好 DNS 避免 DNS 放大攻击。

15、在路由器上禁用 ICMP。仅在需要测试时开放 ICMP。在配置路由器时也考虑下面的策略:流控,包过滤,半连接超时,垃圾包丢弃,来源伪造的数据包丢弃,SYN 阀值,禁用 ICMP 和 UDP 广播。

最后多了解一些 DDOS 攻击的类型和手段,并针对每一种攻击制定应急方案。