DDoS

1. Use high-performance network equipment

First of all, make sure that your network equipment does not become a bottleneck: choose routers, switches, hardware firewalls and similar devices from high-end, well-reputed product lines. It is even better if you have a special relationship or agreement with your network provider; when a large-scale attack occurs, asking them to rate-limit specific types of DDoS traffic at the network nodes is very effective.

This is the proverbial approach of making up with money for what technology alone cannot do.

2. Try to avoid the use of NAT

Whether on a router or on a hardware firewall device, avoid using Network Address Translation (NAT), because this technique greatly reduces network throughput. The reason is simple: NAT has to translate addresses in both directions and recompute the checksum of every packet during translation, which wastes a great deal of CPU time. Sometimes NAT cannot be avoided, and then there is no good way around it.

3. Adequate network bandwidth guarantee

Network bandwidth directly determines the ability to withstand an attack. With only 10M of bandwidth, no measure will hold up against a current SYN Flood attack; you need at least 100M of shared bandwidth, and the best option is of course to sit on a 1000M trunk line.

Note, however, that a 1000M NIC in the host does not mean its network bandwidth is gigabit: if it is connected to a 100M switch, its actual bandwidth will not exceed 100M. And even a 100M uplink does not guarantee 100M of bandwidth, because the service provider will very likely cap the actual bandwidth on the switch at 10M. Be clear about this.

4. Upgrade host server hardware

With the network bandwidth guaranteed, upgrade the hardware configuration as far as possible. To hold up against 100,000 SYN attack packets per second, the server should be at least a P4 2.4G/DDR512M/SCSI-HD. The CPU and memory play the key role: if you have a dual-CPU Xeon, use it; the memory must be high-speed DDR; the hard disk should be SCSI wherever possible. Do not be tempted by the low price of IDE, cheap as it is, or you will pay a high price in performance. The network card must be a brand-name part such as 3COM or Intel; something like a Realtek belongs in your own PC.

5. Make the site a static page or pseudo-static

Plenty of experience has proved that making a site as static as possible not only greatly improves its resistance to attacks but also gives the attacker a lot of trouble; at least so far, no HTML overflow has appeared. Look at Sina, Sohu, NetEase and the other portals: they are mostly static pages. If you do need to call dynamic scripts, put them on a separate host so that attacks do not reach the main server; scripts that make no database calls can, where appropriate, stay on it.

In addition, scripts that must query the database should refuse access through proxies, because experience shows that proxy access to your site is typically malicious.

6. Enhance the operating system's TCP/IP stack

Win2000 and Win2003, as server operating systems, have a certain degree of built-in resistance to DDoS attacks, but it is not enabled by default. Turned on, the stack can withstand roughly 10,000 SYN attack packets; turned off, only a few hundred.

7. Install a professional anti-DDOS firewall

8. HTTP request interception

If the malicious requests have identifiable characteristics, dealing with them is very simple: just block them.

HTTP requests usually have two such characteristics: the IP address and the User-Agent field. For example, if the malicious requests come from one IP segment, block that IP segment. Or, if their User-Agent field contains a specific word, intercept requests containing that word.
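The two checks described above, as an added example that is not part of the original post: a small filter that parses combined-format access-log lines, counts requests per /24 so the flooding IP segment stands out, and then blocks by IP segment or by a word in the User-Agent. The blocked range (203.0.113.0/24, a documentation range) and the User-Agent word "badbot" are constructed placeholders, as are the sample log lines; in practice both lists come from what you observe in your own logs.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed blocklist for this example. The IP range (TEST-NET-3) and the
# User-Agent word are placeholders, not values from any real incident.
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BLOCKED_UA_WORDS = ["badbot"]

# Combined (NCSA) access-log format as written by Apache and nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Request:
    ip: str
    method: str
    path: str
    user_agent: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Request(m["ip"], m["method"], m["path"], m["ua"])


def block_reason(req: Request) -> Optional[str]:
    """Return why the request should be blocked, or None if it is allowed."""
    try:
        addr = ipaddress.ip_address(req.ip)
    except ValueError:
        return "ip:unparseable"  # malformed source address: treat as hostile
    for net in BLOCKED_NETWORKS:
        if addr in net:
            return f"ip:{net}"
    ua = req.user_agent.lower()
    for word in BLOCKED_UA_WORDS:
        if word in ua:
            return f"ua:{word}"
    return None


def filter_log(lines: List[str]) -> Tuple[List[Request], List[Tuple[Request, str]]]:
    """Split parsed requests into (allowed, blocked-with-reason)."""
    allowed, blocked = [], []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        reason = block_reason(req)
        if reason is None:
            allowed.append(req)
        else:
            blocked.append((req, reason))
    return allowed, blocked


def requests_per_segment(lines: List[str], prefix: int = 24) -> Dict[str, int]:
    """Count requests per /prefix network: this is how the 'IP segment' a flood
    comes from shows up before you decide to block it."""
    counts: Counter = Counter()
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        try:
            net = ipaddress.ip_network(f"{req.ip}/{prefix}", strict=False)
        except ValueError:
            continue
        counts[str(net)] += 1
    return dict(counts)


# Constructed sample log lines (documentation address ranges only).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=a HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /forum/post.php HTTP/1.1" 200 2048 "-" "BadBot/1.0 (flood)"',
    '192.0.2.5 - - [10/Oct/2023:13:55:38 +0000] "GET /about.html HTTP/1.1" 200 300 "-" "Mozilla/5.0 (X11; Linux)"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    allowed, blocked = filter_log(SAMPLE_LOG)
    print("per-/24 request counts:", requests_per_segment(SAMPLE_LOG))
    for req, reason in blocked:
        print(f"BLOCK {req.ip} {req.method} {req.path} ({reason})")
    print(f"allowed {len(allowed)}, blocked {len(blocked)}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the per-segment counts are what you look at first, and the block lists are what you feed to the firewall or web server once a segment or User-Agent word clearly belongs to the flood and not to legitimate users.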

9. Backup sites

You should have a backup website, or at least a temporary homepage. In case the production server goes offline, you can switch to the backup site immediately and you won't be helpless.

The backup site does not have to be full-featured; if it can be viewed as a fully static site, that already meets the need. At a minimum it should be able to display an announcement telling users that something has gone wrong with the site and it is being fixed as fast as possible.

GitHub Pages or Netlify are recommended for such temporary homepages: they have the bandwidth to handle attacks, and both support custom domains and automatic builds from source code.

10. Deploying a CDN

A CDN distributes a website's static content to many servers so that users access a copy close to them, which increases speed. A CDN is therefore also a form of bandwidth expansion that can be used to defend against DDoS attacks.

The site's content lives on the source (origin) servers, and the CDN is a cache of that content. Users are only allowed to reach the CDN; if content is not on the CDN, the CDN requests it from the origin server. This way, as long as the CDN is large enough, it can absorb many attacks. The precondition, however, is that most of the site's content must be static and cacheable. For sites built on dynamic content (such as forums), other ways must be found to minimize user requests for dynamic data.

The high-defense IPs offered by the major cloud providers do the same thing behind the scenes: the site's domain points to the high-defense IP, which provides a buffer layer that scrubs the traffic and caches the content of the origin server.

There is one key point here: once you are behind a CDN, never let the origin server's IP address leak. Otherwise the attacker can bypass the CDN and attack the origin server directly, and all the previous effort is wasted. A search for how to bypass a CDN to obtain the real IP address shows how rampant the domestic extortion industry is.
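The CDN arrangement described in this section, as an added simulation that is not part of the original post or of any CDN product: an edge node that serves from its cache and forwards only misses to the origin, an origin that accepts connections only from the CDN's edge ranges (so a leaked origin IP still cannot be hit directly), and the forum-style caveat that uncacheable dynamic content passes straight through. The edge range 198.51.100.0/24, the edge IP, the direct client IP and the page contents are all constructed placeholders; a real deployment would use the CDN provider's published egress ranges in the origin's firewall.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed addresses (documentation ranges): the CDN's edge (egress)
# ranges, one edge node, and a client that has found the origin's real IP.
CDN_EDGE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
CDN_EDGE_IP = "198.51.100.7"
DIRECT_CLIENT_IP = "203.0.113.5"


class Origin:
    """The source server: holds the real content and, as the text requires,
    accepts connections only from the CDN's edge ranges."""

    def __init__(self, pages: Dict[str, str], dynamic_prefixes: Tuple[str, ...] = ("/forum/",)):
        self.pages = pages
        self.dynamic_prefixes = dynamic_prefixes
        self.served = 0    # requests the origin actually had to handle
        self.rejected = 0  # direct requests that tried to bypass the CDN

    def fetch(self, path: str, client_ip: str) -> Tuple[int, Optional[str], bool]:
        """Return (status, body, cacheable)."""
        if not any(ipaddress.ip_address(client_ip) in net for net in CDN_EDGE_RANGES):
            self.rejected += 1
            return 403, None, False
        self.served += 1
        parts = urlsplit(path)
        body = self.pages.get(parts.path)
        if body is None:
            return 404, None, False
        # Dynamic content (forum pages, anything with a query string) is marked
        # uncacheable, so every request for it reaches the origin.
        cacheable = not (parts.path.startswith(self.dynamic_prefixes) or parts.query)
        return 200, body, cacheable


class CdnEdge:
    """One CDN node: serves from its cache and forwards only misses to the origin."""

    def __init__(self, origin: Origin, edge_ip: str = CDN_EDGE_IP):
        self.origin = origin
        self.edge_ip = edge_ip
        self.cache: Dict[str, str] = {}
        self.hits = 0

    def get(self, path: str) -> Tuple[int, Optional[str]]:
        if path in self.cache:
            self.hits += 1
            return 200, self.cache[path]
        status, body, cacheable = self.origin.fetch(path, self.edge_ip)
        if status == 200 and cacheable:
            self.cache[path] = body
        return status, body


def simulate(request_paths: List[str]) -> Dict[str, int]:
    """Replay a burst of client requests through the CDN and report how much of
    it the origin saw, plus what a request sent straight to the origin gets."""
    origin = Origin({
        "/index.html": "<html>home</html>",
        "/about.html": "<html>about</html>",
        "/forum/post.php": "<html>thread</html>",
    })
    edge = CdnEdge(origin)
    for p in request_paths:
        edge.get(p)
    direct_status, _, _ = origin.fetch("/index.html", DIRECT_CLIENT_IP)
    return {
        "client_requests": len(request_paths),
        "edge_cache_hits": edge.hits,
        "origin_requests": origin.served,
        "direct_to_origin_status": direct_status,
        "direct_rejected": origin.rejected,
    }


if __name__ == "__main__":
    burst = ["/index.html"] * 1000 + ["/about.html"] * 500 + ["/forum/post.php"] * 50
    print(simulate(burst))
```

With the burst above the origin answers 52 of 1550 requests: one miss per static page and every one of the 50 forum requests. That last number is the point of the caveat in the text: the more of the site is dynamic, the less the CDN absorbs, and the direct request from outside the edge ranges gets a 403 regardless of whether the origin IP was discovered.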

11. Other Defense Measures

The above anti-DDoS suggestions are for the great majority of users who run their own hosts. If these measures still cannot solve the DDoS problem, things get harder and you may need to invest more: increase the number of servers, use DNS round robin or load balancing, or even buy a layer 7 switch. With deep enough investment, the ability to defend against DDoS attacks doubles.
