
On the recent wave of DDoS attacks against websites: a note for webmasters

2008-12-16 17:37
Source: http://hi.baidu.com/nick_jack

DDoS is the abbreviation of Distributed Denial of Service; its Chinese name is 分布式拒绝服务攻击 (distributed denial-of-service attack), commonly called a flood attack. There are many ways to carry out a DoS attack. The most basic one is to use reasonable-looking service requests to occupy a disproportionate share of the service's resources, so that legitimate users cannot get a response from the service.

Seven common DoS attack methods

1. SYN flood: The attacker sends SYN packets to the target host from many random source addresses and does not reply after receiving the target's SYN-ACK. The target therefore sets up a large number of connection queue entries for these sources, and because the final ACK never arrives it keeps holding these queues, which consumes a large amount of resources and leaves it unable to serve normal requests.

2. Smurf: The attacker sends a packet carrying a specific request (for example an ICMP echo request) to a subnet's broadcast address, with the source address forged as the address of the host to be attacked. Every host on that subnet then answers the request by sending packets to the attacked host, overwhelming it.

3. Land-based: The attacker sets both the source and destination addresses of a packet to the target host's address and sends this spoofed IP packet to the target. Because the packet is built this way, the target tries to establish a connection with itself and can get stuck in an endless loop, which greatly reduces system performance.

4. Ping of Death: According to the TCP/IP standard, a packet can be at most 65,536 bytes long. Although a single packet cannot exceed 65,536 bytes, a packet can be split into several fragments whose sizes add up when reassembled. When a host receives a packet longer than 65,536 bytes, it is under a Ping of Death attack, which causes the host to crash.

5. Teardrop: When IP packets travel across a network they may be split into smaller fragments. An attacker can carry out a Teardrop attack by sending two (or more) packets: the first with offset 0 and length N, and the second with an offset smaller than N. To merge these overlapping fragments, the TCP/IP stack allocates an abnormally large amount of resources, which leads to resource exhaustion or even a reboot of the machine.

6. Ping sweep: Uses ICMP Echo to poll many hosts.

7. Ping flood: Sends a large number of ping packets to the target host within a short time, congesting the network or exhausting the host's resources.

Based on these characteristics of DDoS, here are a few defense notes for everyone.
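As an added illustration (not code from the original post), here is a small Python checker that applies the packet-level signatures described above (Land, Ping of Death, Teardrop and SYN flood) to a constructed packet list; the record format, the `pkt`/`detect` helper names and the 20-source SYN threshold are my assumptions, and Smurf and the ping-based floods are left out because they are volume and broadcast patterns rather than single-packet ones.

```python
from collections import defaultdict

MAX_DATAGRAM = 65535    # the IP total-length field is 16 bits, so a reassembled datagram cannot exceed this
SYN_SOURCES_ALERT = 20  # constructed threshold: this many distinct sources with unanswered SYNs

def pkt(src, proto, flags="", off=0, length=40, ident=0, mf=0, dst="203.0.113.10"):
    """One constructed packet record; 'off' is the fragment offset already converted to bytes."""
    return {"src": src, "dst": dst, "proto": proto, "flags": flags,
            "off": off, "len": length, "id": ident, "mf": mf}

# Constructed sample traffic (not a real capture), one case per attack from the list above.
PACKETS = [
    pkt("10.0.0.5", "tcp", "S"), pkt("10.0.0.5", "tcp", "A"),       # normal handshake completes
    pkt("203.0.113.10", "tcp", "S"),                                  # Land: source == destination
    pkt("198.51.100.7", "icmp", off=65528, length=40, ident=9),       # Ping of Death: 65528+40 > 65535
    pkt("198.51.100.8", "udp", off=0, length=100, ident=11, mf=1),    # Teardrop: second fragment
    pkt("198.51.100.8", "udp", off=48, length=100, ident=11),         #   starts inside the first
] + [pkt(f"192.0.2.{i}", "tcp", "S") for i in range(50)]              # SYN flood: 50 sources, no ACKs

def detect(packets):
    """Return (kind, detail) alerts for the signatures the article describes."""
    alerts = []
    half_open = set()            # sources that sent a SYN and never followed with an ACK
    frags = defaultdict(list)    # (src, ip id) -> [(offset, length)] of fragments seen so far
    for p in packets:
        if p["src"] == p["dst"]:
            alerts.append(("land", p["src"]))
        if p["proto"] == "tcp":
            if p["flags"] == "S":
                half_open.add(p["src"])
            elif "A" in p["flags"]:
                half_open.discard(p["src"])
        if p["off"] or p["mf"]:  # this packet is a fragment
            key = (p["src"], p["id"])
            if p["off"] + p["len"] > MAX_DATAGRAM:
                alerts.append(("ping_of_death", p["src"]))
            for prev_off, prev_len in frags[key]:
                if p["off"] < prev_off + prev_len and prev_off < p["off"] + p["len"]:
                    alerts.append(("teardrop", p["src"]))  # overlapping fragment offsets
                    break
            frags[key].append((p["off"], p["len"]))
    if len(half_open) >= SYN_SOURCES_ALERT:
        alerts.append(("syn_flood", len(half_open)))
    return alerts

if __name__ == "__main__":
    for kind, detail in detect(PACKETS):
        print(kind, detail)
```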

First: Modify the registry to withstand light DoS attacks. I won't write this part out; everyone can look up the details on Google.

Second: Limit each IP address to 1-3 TCP connections to the server. If your site uses many frames, 6 is suggested; don't go higher. Block any IP that exceeds the limit. How long to block it matters; see the last item.

Third: Open only port 80 and your remote-management port on the firewall. Close every other port.

Fourth: TCP packet limits. Set the TCP connection window to 1 second and require at least 5 packets sent to the server within it; block the IP if fewer arrive. Most DDoS traffic sends only 1-4 packets in that second, just shaking hands with the server and immediately leaving. A normal page load, by contrast, sends 5 or more packets. There are exceptions, of course, but to hold off a DDoS, mistakenly blocking one or two users doesn't matter.

Fifth: Server resource usage: give each IP 100 KB per second of bandwidth. That is enough to open pages normally.

Sixth: Block access from proxy servers. Analysis of captured traffic shows that many of the DDoS IPs are proxy servers.

Seventh: Lower the TCP time_wait idle-connection threshold on port 80 a bit, to 10-15 seconds. If a browser cannot open your site within 10 seconds, block that visitor's IP.

Eighth: Very important: the block duration. 5-10 seconds is enough. If you block for too long, some legitimate users' IPs will happen to coincide with forged IPs and you will easily block real users. A 5-second block is effective against DDoS, and even if a real user is blocked, a refresh opens the site again. It works quite well against the forged IPs that a DDoS uses to just "shake hands" with the server's IP.

That's all for now; more next time...
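The connection-limit (second), first-second packet-count (fourth) and short-ban (eighth) rules above, implemented together as an added Python example rather than the author's own configuration; the `Guard` class, its method names and the simulated IPs are constructed assumptions, and in practice these rules would live in the firewall or the server's connection handling.

```python
from collections import defaultdict

MAX_CONN_PER_IP = 3     # second rule: 1-3 TCP connections per IP
MIN_PKTS_FIRST_SEC = 5  # fourth rule: a real page load sends 5+ packets in its first second
BAN_SECONDS = 5         # eighth rule: short ban, so a blocked real user just refreshes


class Guard:
    def __init__(self):
        self.conns = defaultdict(int)           # ip -> open connections
        self.first_seen = {}                    # ip -> time of first connection, until checked
        self.first_sec_pkts = defaultdict(int)  # ip -> packets seen in that first second
        self.banned_until = {}                  # ip -> time the ban expires

    def ban(self, ip, now):
        self.banned_until[ip] = now + BAN_SECONDS
        self.conns[ip] = self.first_sec_pkts[ip] = 0  # drop whatever state it had
        self.first_seen.pop(ip, None)

    def is_banned(self, ip, now):
        start = self.first_seen.get(ip)
        if start is not None and now - start >= 1.0:  # fourth rule, checked once per IP
            del self.first_seen[ip]
            if self.first_sec_pkts[ip] < MIN_PKTS_FIRST_SEC:
                self.ban(ip, now)
        return now < self.banned_until.get(ip, 0)     # expired entries simply stop matching

    def on_connect(self, ip, now):
        if self.is_banned(ip, now):
            return False
        if self.conns[ip] >= MAX_CONN_PER_IP:          # over the limit: block the IP
            self.ban(ip, now)
            return False
        self.conns[ip] += 1
        self.first_seen.setdefault(ip, now)
        return True                                    # connection accepted

    def on_packet(self, ip, now):
        start = self.first_seen.get(ip)
        if start is not None and now < start + 1.0:
            self.first_sec_pkts[ip] += 1

def simulate():
    g, real, flood, spoof = Guard(), "198.51.100.10", "203.0.113.9", "192.0.2.1"  # constructed IPs
    g.on_connect(real, 0.0)
    for t in (0.0, 0.1, 0.2, 0.3, 0.4, 0.5):  # a page load: 6 packets in the first second
        g.on_packet(real, t)
    fourth = [g.on_connect(flood, 0.0) for _ in range(4)][-1]   # 4th connection from one IP
    g.on_connect(spoof, 0.0)                                   # one handshake, then silence
    return (fourth, g.is_banned(real, 1.5), g.is_banned(spoof, 1.5),
            g.on_connect(flood, 3.0), g.on_connect(flood, 6.0))
```

`simulate()` returns whether the flooder's fourth connection was accepted, whether the real visitor and the handshake-only source are banned after 1.5 s, and whether the flooder gets back in at 3 s and at 6 s, once its 5-second ban has expired.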