I. 【Crude | Effective】 Reduce exposed ports

Use the firewall or the cloud provider's security group feature to configure port access blacklists and whitelists.

Do not expose ports the service does not need on the public network, so that requests unrelated to the business never reach it. A firewall or security group can be configured to prevent the system from being scanned or accidentally exposed.

II. 【Cloud service | Costs money】 Increase bandwidth and servers

In the short term, if there is no better solution, we can temporarily increase the service configuration and spend money to improve short-term resilience:

  1. Spread attack traffic through load balancing

    Build more servers (most cloud servers offer image replication, so this is quick). Use Nginx to distribute user traffic evenly across the servers, reducing the pressure on any single server, raising the overall throughput, and effectively absorbing DDoS attacks up to a certain traffic volume.

  2. Scale up a single server

    Temporarily increase the configuration or bandwidth of a single server to keep the service available during a DDoS attack.

    In general, plan 1 saves more money!

III. 【Flexible | Free】 DDoS mitigation software

1. Use Nginx to defend against HTTP DDoS attacks

The following modules can be selected as required.

  • ngx_http_limit_req_module: limit the number of requests per second

The number of requests per unit of time is limited using the leaky bucket principle. If the number of requests in a unit of time exceeds the limit, a 503 error is returned.

```nginx
http {
    # Trigger condition: every client IP is limited to 10 requests per second
    limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
    ...
    server {
        ...
        location ~ \.php$ {
            # Apply the limit, referenced by zone name
            limit_req zone=one burst=5 nodelay;
        }
    }
}
```

Parameter description:

  • $binary_remote_addr: the client IP address in binary form
  • zone=one:10m: the zone is named "one" and 10m of memory is allocated to it to store sessions (binary remote addresses); 1m of memory can hold about 16000 sessions
  • rate=10r/s: the rate is limited to 10 requests per second
  • burst=5: allows at most 5 requests beyond the rate limit. Suppose seconds 1 to 4 each carry 9 requests; then 15 requests in second 5 are allowed. Conversely, if 15 requests arrive in the first second, 5 of them are pushed into the second second, and requests beyond 10 in that second get a 503 directly. This behaves like a rate limit averaged over several seconds.
  • nodelay: requests within the burst are processed immediately instead of being delayed. With it set, all 15 requests are processed within 1 second.
  • ngx_http_limit_conn_module: limit the number of connections per IP

```nginx
http {
    # Trigger condition: track connections per client IP in zone "addr"
    limit_conn_zone $binary_remote_addr zone=addr:10m;
    ...
    server {
        ...
        location /download/ {
            # Allow one connection per IP at a time; excess connections return 503
            limit_conn addr 1;
        }
    }
}
```
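As an added illustration (not code from the original post), this Python model reproduces the leaky-bucket accounting behind limit_req described above: the excess drains at the configured rate, each request adds one, a request gets a 503 once the excess exceeds burst, and otherwise it is delayed in proportion to the excess unless nodelay is set. It replays the 15-requests-in-one-second scenarios from the parameter description; the class and function names and the client IP are assumptions of this example.

```python
class LimitReq:
    """Model of nginx limit_req accounting (per-key leaky bucket, time in milliseconds).

    Excess is kept in thousandths of a request, as nginx does, so rate=10r/s
    means 10000 milli-requests per second drain from the bucket.
    """

    def __init__(self, rate, burst=0, nodelay=False):
        self.rate_milli = rate * 1000        # rate=10r/s -> 10000
        self.burst_milli = burst * 1000      # burst=5   -> 5000
        self.nodelay = nodelay
        self.state = {}                      # key -> (excess_milli, last_ms)

    def request(self, key, now_ms):
        """Return ("pass", delay_ms) or ("503", 0) for one request from key."""
        if key not in self.state:            # first request from this client
            self.state[key] = (0, now_ms)
            return "pass", 0
        excess, last = self.state[key]
        # drain what leaked since the last accepted request, then add this request
        excess = excess - self.rate_milli * (now_ms - last) // 1000 + 1000
        excess = max(excess, 0)
        if excess > self.burst_milli:        # bucket full: reject, state untouched
            return "503", 0
        self.state[key] = (excess, now_ms)
        delay_ms = 0 if self.nodelay else excess * 1000 // self.rate_milli
        return "pass", delay_ms


def simulate(rate, burst, nodelay, timestamps_ms, key="203.0.113.10"):
    """Replay requests from one client (constructed IP) and return the verdicts."""
    limiter = LimitReq(rate, burst, nodelay)
    return [limiter.request(key, t) for t in timestamps_ms]


if __name__ == "__main__":
    spread = [i * 1000 // 15 for i in range(15)]        # 15 requests spread over 1 s
    instant = [0] * 15                                  # 15 requests at the same instant
    for label, ts, nodelay in (("spread", spread, False),
                               ("burst", instant, False),
                               ("burst+nodelay", instant, True)):
        verdicts = simulate(10, 5, nodelay, ts)
        passed = sum(1 for v, _ in verdicts if v == "pass")
        print(f"{label:14s} passed={passed:2d} rejected={15 - passed:2d} "
              f"delays={[d for v, d in verdicts if v == 'pass']}")
```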
  • ngx_lua_waf module: application-level firewall (WAF)

For those who use the Pagoda (BT) panel regularly: its nginx configuration contains the line include luawaf.conf;, which is the ngx_lua_waf firewall.

Its common features include:

  • Prevents SQL injection, local file inclusion, some overflows, fuzzing, XSS, SSRF and other web attacks
  • Prevents leakage of files such as SVN metadata or backups
  • Protects against stress-testing tools such as ApacheBench
  • Blocks common hacker scanning tools and scanners
  • Blocks abnormal network requests
  • Denies PHP execution in image and attachment directories
  • Prevents WebShell uploads

It also has basic CC attack (HTTP flood) blocking: the number of accesses per IP address is recorded, and when that number reaches the configured count within the configured period, the IP is intercepted.

The author made some modifications to its Lua script so that the ban duration can be configured dynamically. Usage (Pagoda panel):

  1. Enable include luawaf.conf; in the Nginx configuration file.
  2. Overwrite /www/server/nginx/waf with the downloaded files (download link).
  3. Important configuration notes (in the downloaded config.lua, adjust at your discretion):

```lua
-- Whether to enable CC attack blocking
CCDeny="on"
-- a/b-c: if the same IP exceeds a requests within b seconds, the IP is banned
-- (c is the configurable ban duration; upstream ngx_lua_waf names this setting CCrate)
CCrate="100/50-60"
```
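The a/b-c setting above, modelled in Python as an added example: the author's modified Lua script is not reproduced on the page, so the counter logic here (a fixed window of b seconds per IP, a ban of c seconds once a requests are exceeded) is an assumption of this example, as are the class, function names and client IPs.

```python
import re


def parse_ccrate(spec):
    """Parse the a/b-c string: a requests within b seconds -> ban for c seconds."""
    m = re.fullmatch(r"(\d+)/(\d+)-(\d+)", spec)
    if not m:
        raise ValueError(f"bad CC rate spec: {spec!r}")
    max_req, window, ban_for = (int(x) for x in m.groups())
    return max_req, window, ban_for


class CCGuard:
    """Per-IP fixed-window request counter with a ban timer (assumed model)."""

    def __init__(self, spec, enabled=True):
        self.enabled = enabled                       # CCDeny="on"
        self.max_req, self.window, self.ban_for = parse_ccrate(spec)
        self.counters = {}                           # ip -> (window_start, count)
        self.banned_until = {}                       # ip -> time the ban expires

    def check(self, ip, now):
        """Return True if the request may pass, False if it must be blocked."""
        if not self.enabled:
            return True
        if self.banned_until.get(ip, 0) > now:       # still inside the ban period
            return False
        start, count = self.counters.get(ip, (now, 0))
        if now - start >= self.window:               # window expired: start a new one
            start, count = now, 0
        count += 1
        if count > self.max_req:                     # exceeded a requests in b seconds
            self.banned_until[ip] = now + self.ban_for
            self.counters.pop(ip, None)
            return False
        self.counters[ip] = (start, count)
        return True


if __name__ == "__main__":
    guard = CCGuard("100/50-60")
    client = "203.0.113.5"                           # constructed client IP
    verdicts = [guard.check(client, 0) for _ in range(101)]
    print("passed:", verdicts.count(True), "blocked:", verdicts.count(False))
    print("at t=59 still banned:", not guard.check(client, 59))
    print("at t=60 ban lifted:", guard.check(client, 60))
```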

2. Use iptables to defend against DDoS attacks

```shell
# Limit new SYN connections (SYN_RECV) to one per second
iptables -A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT

# Limit IP fragments to 100 per second to prevent DoS attacks
iptables -A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT

# Limit pings to one per second, after an initial burst of 10
iptables -A FORWARD -p icmp -m limit --limit 1/sec --limit-burst 10 -j ACCEPT

# Limit ICMP echo requests to one per second
iptables -A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
# Note: a "-m limit ... -j ACCEPT" rule only throttles if a later rule drops what exceeds the limit

# Drop new SYNs from any single IP (/32 mask) that already has more than 15 connections
iptables -A INPUT -i eth0 -p tcp --syn -m connlimit --connlimit-above 15 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

# Anti-DDoS: allow up to 24 initial connections from the outside, then 12 more per second; anything above is discarded.
# The second rule allows 1 initial connection per second to be forwarded
iptables -A INPUT  -p tcp --syn -m limit --limit 12/s --limit-burst 24 -j ACCEPT
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT

# Allow at most 20 concurrent connections to port 80 of the server
iptables -I INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 -j REJECT

# Limit access to port 3306: each IP may open at most 5 new connections per hour; the count restarts after 1 hour
iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -m recent --name SSHPOOL --rcheck --seconds 3600 --hitcount 5 -j DROP
iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -m recent --name SSHPOOL --set -j ACCEPT
```

3. Use Linux kernel parameters to weaken DDoS attacks

The following are Linux kernel parameters. They can be set by writing to the corresponding file under /proc/sys/net/ipv4/ with echo, for example echo 2 > /proc/sys/net/ipv4/<parameter>.

```ini
# Enable SYN cookies: when the SYN backlog queue overflows, cookies are used, which mitigates small SYN flood attacks
net.ipv4.tcp_syncookies = 1

# How many times the kernel retransmits a SYN (or SYN-ACK) before giving up on the connection.
# The default is 5; on a heavily loaded network with good connectivity, change it to 2
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2

# Reverse path filtering (rp_filter):
# 0: no source address verification
# 1: strict mode, the strict reverse path of RFC 3704. Each incoming packet's source is checked against the FIB;
#    if the best route back to the source does not leave through the interface the packet arrived on, the check
#    fails and the packet is dropped by default. In some special cases this packet loss can break services
# 2: loose mode, the loose reverse path of RFC 3704. The source address of each incoming packet is checked against
#    the FIB; the check fails only if the source is not reachable through any interface
# RFC 3704 recommends strict mode to prevent IP-spoofing DDoS attacks; with asymmetric or otherwise complex routing,
# loose mode is recommended
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# How long a socket closed by the local end stays in FIN_WAIT_2. The default is 60 seconds
net.ipv4.tcp_fin_timeout = 15

# ICMP: to avoid ICMP host discovery, ICMP floods and similar network problems, limit ICMP behaviour with kernel
# options and avoid amplification attacks (do not answer echo requests sent to broadcast addresses)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Maximum number of TCP sockets not attached to any process. Above this, orphaned connections are reset immediately
# with a warning. This limit exists purely to defend against simple DoS attacks; do not rely on it or lower it artificially
net.ipv4.tcp_max_orphans = 16384

# Disable ping entirely. This hides the host to some extent from batch scanning tools and lowers the chance of being
# targeted, at the cost of convenience
net.ipv4.icmp_echo_ignore_all = 1
```

4. Use professional software like DDoS Deflate

DDoS Deflate is a free shell script for defending against and mitigating DDoS attacks. It uses netstat to monitor and track the IP addresses that open a large number of network connections.

When it detects that a source exceeds a preset threshold, the script bans or blocks those IP addresses through APF or iptables.

DDoS deflate’s official website: http://deflate.medialayer.com/

IV. 【Customized | Complex】 Filtering in the business system

Based on ELK log analysis, filtering logic can be written at the business-system level to implement effective DDoS filtering.

ELK itself is not covered here; look it up on Baidu. Below are a few Kibana charts from a previous CC attack investigation.

[Figure 1] The X axis is every IP address (it looks dense, almost black, because there are so many); the Y axis is the total number of visits per IP, sorted with the highest count first.

As the chart shows, 90% of the IP addresses have fewer than 250 visits, and a few have more than 500.

[Figure 2] The X axis is the different IP addresses; the Y axis is the number of times each IP accessed different URLs (each point is one URL).

It can be seen that normal IPs access a page a fairly constant 1-5 times (this business makes access patterns fairly constant), while for abnormal IPs the number of pages is not fixed, sometimes more, sometimes less.

[Figure 3] Threat-intelligence lookup results for a sample of the abnormal IPs.

From the statistical analysis of the logs above, it is not hard to see:

  1. It is easy to derive thresholds for normal versus abnormal access counts, and use them with the WAF software above for reasonable blocking. For an average website, compared with the charts above, the distribution of normal and abnormal visits is usually even clearer and more obvious.
  2. By sampling some IPs and combining them with your own business scenario: there should be no overseas IP access, and because of business constraints there should be no IDC (cloud server), VPS, VPN, proxy or similar IPs either. So the Chunzhen IP database (qqwry.dat, which a program can integrate directly) can be used to look up IP attribution and filter intelligently.
  3. Imagine…
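As an added example (not from the original post), the Python script below does the per-IP counting that the Kibana charts above visualise, on constructed access-log lines: total hits per IP, distinct URLs per IP, and a flag for IPs over either threshold. The thresholds, IPs and log lines are assumptions for the tiny sample; in practice the thresholds come from the distribution of your own logs, as in the 250/500 observation above. IP attribution lookups (qqwry.dat) are not included.

```python
import re
from collections import defaultdict

# Nginx/Apache combined-log style line: ip - - [time] "METHOD url proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Constructed sample: two normal visitors (RFC 5737 addresses), one unparsable line,
# and one client that hammers 30 different pages within a minute.
NORMAL = [
    '203.0.113.10 - - [10/Oct/2020:13:55:36 +0800] "GET /index.php HTTP/1.1" 200 2326',
    '203.0.113.10 - - [10/Oct/2020:13:55:40 +0800] "GET /product.php?id=3 HTTP/1.1" 200 1843',
    '203.0.113.11 - - [10/Oct/2020:13:56:01 +0800] "GET /index.php HTTP/1.1" 200 2326',
    'this line is not an access-log record',
]
FLOOD = [
    f'198.51.100.7 - - [10/Oct/2020:13:57:{i % 60:02d} +0800] "GET /page{i}.php HTTP/1.1" 200 512'
    for i in range(30)
]
SAMPLE_LOG = NORMAL + FLOOD


def parse_line(line):
    """Return (ip, url_without_query, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("url").split("?", 1)[0], int(m.group("status"))


def per_ip_stats(lines):
    """Map each IP to (total hits, number of distinct URLs), like the two charts."""
    hits = defaultdict(int)
    urls = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip junk instead of crashing on it
            continue
        ip, url, _status = parsed
        hits[ip] += 1
        urls[ip].add(url)
    return {ip: (hits[ip], len(urls[ip])) for ip in hits}


def flag_ips(lines, hit_threshold, url_threshold):
    """IPs above either threshold: candidates for the WAF/iptables block lists."""
    return {ip: stats for ip, stats in per_ip_stats(lines).items()
            if stats[0] > hit_threshold or stats[1] > url_threshold}


if __name__ == "__main__":
    print(flag_ips(SAMPLE_LOG, hit_threshold=20, url_threshold=10))
```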

V. 【Expensive | Works well】 High-defense services

1. High-defense (anti-DDoS) servers and ISPs with traffic scrubbing: search Baidu or Google for "high-defense DDoS"; there are plenty of results, judge the pros and cons yourself.

2. Traffic scrubbing services, such as Akamai and NexusGuard, which are expensive.

3. CDNs, such as Lanxun, Webstar, CloudFlare and so on. A CDN counters the distributed nature of DDoS by diverting and dispersing the traffic, while also accelerating the website; the effect is good and the cost relatively low.


Well, that's all for today's sharing.

If you like this article, please follow the public account Open Ape Notes, where updates will continue!