防范 DDoS 攻击的 15 个方法 已翻译 100%

oschina 投递于 2015/05/12 07:36 (共 5 段, 翻译完成于 05-12)
阅读 11461
收藏 182
8
加载中

To stop DDoS (distributed denial of service) attack, one needs to have a clear understanding of what happens when an attack takes place. In short, a DDoS attack can be accomplished by exploiting vulnerability in the server or by consuming server resources (for example, memory, hard disk, and so forth).There are two broad types of DDoS attacks: bandwidth depletion attacks and resources depletion attacks. In order to halt both types of attacks, you can follow the steps given below:

1. If only a few computers are the source of the attack and you have identified the source of those IP, you can put an ACL (access control list) in your firewall blocking those IPs. Change the IP address of the web server for a while, if possible, but it will not be affective when the attacker will start resolving your new IP by querying your DNS servers.

2. When you identify that attacks originating from a specific country, you think block that country’ IP block, at least for a while.

已有 1 人翻译此段
我来翻译

3. Create an inbound traffic profile. This way you will know who is regularly visiting your site. In case you discover an unexpected number of new visitors, you can further investigate the logs and source IPs. Before large scale attacks, you might experience a small-scale DDOS attack that the attacker may use to estimate the strength of your network resilience.

4. The easiest, although a costly, way to defend your network from bandwidth consumption attack is to buy more bandwidth.

5. You may deploy more servers, spread around various datacenters, and you may use good load balancing software.

6. Make sure your DNS is protected behind the same type of load balancer that you used to protect your web and other resources.

已有 2 人翻译此段
我来翻译

7. Optimize your webserver to handle more visitors without exhausting all resources. If you are using Apache server, you can use Apachebooster plugin, which was designed by integration of varnish and nginx. Apachebooseter can cope with sudden spike with traffic and memory usages.

8. Fast DNS-Protect against DNS-based DDoS attacks with a highly scalable DNS infrastructure. You can think about buying CloudFlair business or enterprise plan, which provides protection to DNS and layer 3, 4 and 7 based DDoS attacks.

9. Enable anti IP spoofing features in your firewall and routers. It is much easier to implement anti-spoofing in Cisco ASA firewall than in the routers. To enable anti-spoof with ASDM, click on configuration from firewalls and then click on anti-spoofing. You can prevent spoofing in router using ACL. Create an access control list for your internal IP subnets, and apply that ACL in your Internet facing interface.

已有 2 人翻译此段
我来翻译

10. Hire third party DDoS service to protect your site. There are a number of service providers with robust network who can help your website survive during denial of service attack. You can subscribe to such service for a monthly cost of few hundred dollars only.

11. Pay attention to your server’s security configuration in order to prevent resource depletion type of DDoS attack.

12. Consult a DDoS expert, and make an action plan to carry out when you actually face the attack.

13. Monitor your network and web traffic. If possible you can set up multiple analytics such as Statcounter and Google analytics in order to understand and gather more data of your traffic patterns.

已有 2 人翻译此段
我来翻译

14. Secure you DNS server against recursive DNS query attacks.

15. Block ICMP in your router. Enable it when you need it for troubleshooting purpose only. Also you can do the following things with your router: rate limit, filtering packets, timeout half-open connections, drop junk and spoofed packets, set low threshold for TCP SYN, ICMP and UDP flood drop.

Finally study more about DDoS attacks and be familiar with the types of DDoS attacks and make action plan to defend against each type of DDoS attack.

已有 2 人翻译此段
我来翻译
本文中的所有译文仅用于学习和交流目的,转载请务必注明文章译者、出处、和本文链接。
我们的翻译工作遵照 CC 协议,如果我们的工作有侵犯到您的权益,请及时联系我们。
加载中

评论(24)

帖子列表
帖子列表

引用来自“huigeer”的评论

大公司: 硬防+海量带宽资源
小公司:云防 or 等死

引用来自“布洛克斯”的评论

小公司不会有人搞

引用来自“savior”的评论

同级别的竞争对手会搞 比如最简单的siege扫描你网站的搜索页面 不仅吃带宽而且会把你的mysql拖垮
那也得很多台机器搞才行呀
单车骚年
单车骚年

引用来自“huigeer”的评论

大公司: 硬防+海量带宽资源
小公司:云防 or 等死

引用来自“布洛克斯”的评论

小公司不会有人搞
同级别的竞争对手会搞 比如最简单的siege扫描你网站的搜索页面 不仅吃带宽而且会把你的mysql拖垮
fffonion
fffonion
cloudflare 不是 cloudfair…
华为赵广
华为赵广
阿里云宣称可以为用户防ddos,到底是怎么防法?
一只囧蟹
一只囧蟹

引用来自“huigeer”的评论

大公司: 硬防+海量带宽资源
小公司:云防 or 等死

引用来自“布洛克斯”的评论

小公司不会有人搞
没有带宽都扯淡
Peng_JK
Peng_JK
怎么一堆废话
厦门萝卜
厦门萝卜

引用来自“huigeer”的评论

大公司: 硬防+海量带宽资源
小公司:云防 or 等死
小公司 可以用安全狗软件试试!还是有点效果的!
_
_Tench_

引用来自“huigeer”的评论

大公司: 硬防+海量带宽资源
小公司:云防 or 等死

引用来自“布洛克斯”的评论

小公司不会有人搞
有的。。。收保护费那种。。你懂的==
purple_grape
purple_grape

引用来自“sadsamly”的评论

沒硬防都是死
只要流量足够大,硬防也是死。
purple_grape
purple_grape
DDOS攻击理论上已经超越了防守理论,类似的还有穷举法,根本没办法。
返回顶部
顶部