
How to defend a Cloud Virtual Machine against DDoS attacks?

Many large websites have been hit by DDoS attacks that leave the site inaccessible and are hard to resolve, and even personal blogs get "baptized" by DDoS from time to time; I have felt this myself. In this article we look at what a DDoS attack is and share some countermeasures that mitigate it to a certain extent.

About DDOS attacks

A Distributed Denial of Service (DDoS) attack uses client/server techniques to combine many computers into one attack platform and launch a denial-of-service attack against one or more targets, multiplying the power of the attack.

Usually the attacker installs attack programs, via agents, on many compromised hosts ("broilers", i.e. zombie machines) across the network, and the agents launch the attack when they receive instructions.


As network technology develops, DDoS attacks keep evolving: the cost of an attack keeps falling while its intensity keeps multiplying, which makes DDoS harder and harder to defend against. Reflection DDoS attacks, for example, are a relatively advanced form. The attacker does not send traffic to the target service IP directly; instead it sends request packets to special servers around the world with the source address forged as the target's IP, and those servers reply to the target service IP with packets several times larger than the request.

DDoS attacks are daunting. They can take a website offline and paralyse its servers outright, causing serious losses to websites and even enterprises, and they are hard to prevent: there is currently no cure. All we can do is improve our own "stress resistance" to mitigate attacks, for example by purchasing high-defense services.

Introduction to DDoS attacks

A distributed denial of service (DDoS) attack is a malicious network attack against a target system. It usually leaves the victim's business unable to be accessed normally, which is what "denial of service" means.

Common DDoS attacks include the following categories:

Network layer attacks: the typical type is a UDP reflection attack, such as an NTP Flood. These attacks mainly use large volumes of traffic to congest the victim's network bandwidth so that the business can no longer respond to customer access.

Transport layer attacks: typical types are SYN Flood and connection exhaustion attacks. They achieve denial of service by occupying the server's connection pool resources.

Session layer attacks: the typical type is an SSL connection attack, which exhausts the server's SSL session resources to achieve denial of service.

Application layer attacks: typical types are DNS Flood, HTTP Flood and game dummy-client attacks. They occupy the server's application processing resources and consume large amounts of processing capacity to achieve denial of service.

DDoS attack mitigation best practices

Alibaba Cloud users are advised to mitigate the threat of DDoS attacks from the following aspects:

Reduce exposure: isolate resources and unrelated business to lower the risk of being attacked.

Optimize the business architecture and use the characteristics of the public cloud to design systems that scale flexibly and fail over for disaster recovery.

Harden server security to raise the number of connections and other performance limits of the server itself.

Carry out business monitoring and have an incident response service in place.

DDOS attack response strategies

Here we share some strategies and methods that can deal with and mitigate DDOS attacks to a certain extent for everyone to learn from.

1. Regularly check server vulnerabilities

Regularly checking server software for security vulnerabilities is the most basic measure for keeping a server secure. Whether it is the operating system (Windows or Linux) or the application software commonly used by websites (MySQL, Apache, nginx, FTP, etc.), operations and maintenance staff should follow the latest vulnerability disclosures for this software closely and patch high-risk vulnerabilities as soon as they appear.

2. Hide the real IP of the server

Putting the site behind CDN nodes that forward and accelerate traffic effectively hides the web server's real IP address. Choose the CDN service according to the site's specific situation: ordinary small and medium-sized enterprise sites or personal sites can start with free CDN services such as Baidu Cloud Acceleration or Qiniu CDN, and consider a paid CDN once traffic and demand grow.

Secondly, prevent the server from leaking its IP address when it sends information to the outside world. The most common case is outbound email: the server should not send email itself, because the mail headers reveal the server's IP address. If you must send email, send it through a third-party relay (such as sendcloud), so that the IP shown externally is the relay's address.

3. Turn off unnecessary services or ports

This is also the most common practice among server operations and maintenance staff. In the server firewall, open only the ports actually used, such as port 80 for the website's web service, port 3306 for the database and port 22 for SSH. Shut down unnecessary services and ports, and filter spoofed IPs on the router.

4. Buy high-defense services to improve resilience

This measure improves one's ability to withstand attacks by purchasing high-defense (anti-DDoS) servers and increasing server bandwidth and other resources. Some well-known IDC providers offer such services, for example Alibaba Cloud, Tencent Cloud and 360 Panyun. However, this option has a high cost and is not suitable for ordinary small and medium-sized enterprises, let alone individual webmasters; when no attack is under way the resources sit idle, so I will not elaborate on it here.

5. Limit SYN/ICMP traffic

Configure a maximum SYN/ICMP traffic rate on the router to limit the bandwidth that SYN/ICMP packets may occupy. When SYN/ICMP traffic exceeds that limit, it is no longer normal network access but an attack. In the early days, limiting SYN/ICMP traffic was the best protection against DoS; today its effect on DDoS is less obvious, but it still plays a certain role.

6. Website request IP filtering

Besides the server, the security of the website program itself also needs improving. The filtering function in the system security mechanism restricts access operations such as POST requests and 404 pages per unit of time, filtering out clients with excessive abnormal behaviour. This does not significantly improve the situation against a DDoS attack, but it does reduce small-bandwidth malicious attacks to a certain extent.
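As an added example (not code from the original article), the filter described in this section can be implemented as a per-IP sliding window over the web server's access log. The log format (nginx/Apache combined format), the thresholds and the sample log lines are assumptions constructed for the demonstration:

```python
"""Per-IP sliding-window filter for abusive POST / 404 behaviour in web logs.

Added example, not code from the original article. The log format (nginx /
Apache combined format), thresholds and sample lines are all assumptions
constructed for this demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format as written by nginx or Apache (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Illustrative thresholds (assumptions): tune them to the site's real traffic.
WINDOW_SECONDS = 60
MAX_POST_PER_WINDOW = 20
MAX_404_PER_WINDOW = 30


def parse_line(line):
    """Return (ip, timestamp, method, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("method"), int(m.group("status"))


class SlidingWindowFilter:
    """Keeps, per IP and per category, the timestamps of recent events.

    Before each comparison, events older than the window are evicted, so a
    steady trickle is never blocked while a burst crosses the threshold.
    """

    def __init__(self, window=WINDOW_SECONDS,
                 max_post=MAX_POST_PER_WINDOW, max_404=MAX_404_PER_WINDOW):
        self.window = window
        self.limits = {"post": max_post, "404": max_404}
        self.events = defaultdict(lambda: {"post": deque(), "404": deque()})
        self.blocked = {}  # ip -> reason recorded at the first block decision

    def observe(self, ip, ts, method, status):
        """Record one request and return the block reason for this IP, if any."""
        categories = []
        if method == "POST":
            categories.append("post")
        if status == 404:
            categories.append("404")
        for cat in categories:
            q = self.events[ip][cat]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > self.window:
                q.popleft()
            if len(q) > self.limits[cat] and ip not in self.blocked:
                self.blocked[ip] = f"{cat} rate above {self.limits[cat]} per {self.window}s"
        return self.blocked.get(ip)


def flag_abusive_ips(lines, **limits):
    """Run the filter over log lines; return {ip: reason} for every blocked IP."""
    flt = SlidingWindowFilter(**limits)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            flt.observe(*parsed)
    return dict(flt.blocked)


def _line(ip, second, method, path, status):
    return (f'{ip} - - [04/Jun/2021:13:17:{second:02d} +0800] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "curl/7.68.0"')


# Constructed sample log: a login-form hammerer, a path scanner and a normal visitor.
SAMPLE_LOG = (
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(25)]
    + [_line("198.51.100.9", s, "GET", f"/backup{s}.zip", 404) for s in range(31)]
    + [_line("192.0.2.5", s, "GET", "/index.html", 200) for s in range(5)]
    + [_line("192.0.2.5", 10 + s, "GET", f"/old{s}.html", 404) for s in range(3)]
    + ["this line is not in combined log format"]
)

if __name__ == "__main__":
    for ip, reason in flag_abusive_ips(SAMPLE_LOG).items():
        print(f"block {ip}: {reason}")
```

Run it over a rotated access log or the tail of the live one; the returned map is the candidate deny list for the firewall or WAF, and every entry should carry an expiry so that a shared NAT address or a misbehaving crawler is not blocked forever.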

2.3 Deploy intelligent DNS resolution

Optimizing DNS resolution through intelligent (smart) resolution can effectively avoid the risks brought by DNS traffic attacks. It is also recommended that you host your business with multiple DNS service providers.

Block unsolicited DNS response messages.

Drop fast-retransmitted packets.

Enable TTL

Discard DNS queries and responses from unknown sources.

Drop unsolicited or burst DNS requests

Enable DNS client verification.

Cache response messages.

Use ACL permissions.

Leverage ACLs, BCP38 (source-address validation) and IP reputation functions.
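The first and fourth items of this list (blocking unsolicited responses, and discarding queries and responses from unknown sources) can be demonstrated with a small stateful gate in front of a resolver. This is an added example, not code from the article or from any DNS product; its DNS codec handles only a single uncompressed question, and all addresses, names, transaction IDs and the client allow-list are constructed assumptions:

```python
"""Drop unsolicited DNS responses and queries from unknown sources.

Added example, not code from the article or from any DNS product. It carries a
minimal DNS header/question codec and a stateful gate that accepts a response
only if it answers a query this resolver actually sent. Addresses, names,
transaction IDs and the client allow-list are constructed assumptions.
"""
import ipaddress
import struct

QR_FLAG = 0x8000           # header flag bit: set on responses, clear on queries
QTYPE_A, QCLASS_IN = 1, 1


def encode_qname(name):
    """Dotted name to wire-format labels, e.g. 'example.com.' -> 7example3com0."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_qname(data, offset):
    """Decode an uncompressed name starting at `offset`; return (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, QR clear
    return header + encode_qname(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(txid, name, addr):
    """One A record; the answer name is a pointer (0xC00C) to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR set, RD+RA
    question = encode_qname(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    rdata = ipaddress.IPv4Address(addr).packed
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, len(rdata)) + rdata
    return header + question + answer


def parse_message(data):
    """Return (txid, is_response, qname) from the header and the first question."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, _ = decode_qname(data, 12)
    return txid, bool(flags & QR_FLAG), qname.lower()


class DnsGate:
    """Queries are accepted only from allowed client networks. Responses are
    accepted only when (upstream, txid, qname) matches an outstanding query,
    are consumed on first use, and must arrive before the query's deadline,
    so forged, duplicate and late replies are all dropped."""

    def __init__(self, allowed_clients, timeout=2.0):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_clients]
        self.timeout = timeout
        self.outstanding = {}      # (upstream_ip, txid, qname) -> deadline

    def accept_query(self, src_ip, data):
        if not any(ipaddress.ip_address(src_ip) in net for net in self.allowed):
            return False, "query from unknown source"
        try:
            _, is_response, _ = parse_message(data)
        except (ValueError, IndexError):
            return False, "malformed"
        if is_response:
            return False, "response received on the query path"
        return True, "ok"

    def note_sent(self, upstream_ip, data, now):
        """Record a query forwarded upstream so that its answer can be recognised."""
        txid, _, qname = parse_message(data)
        self.outstanding[(upstream_ip, txid, qname)] = now + self.timeout

    def accept_response(self, src_ip, data, now):
        try:
            txid, is_response, qname = parse_message(data)
        except (ValueError, IndexError):
            return False, "malformed"
        if not is_response:
            return False, "not a response"
        deadline = self.outstanding.pop((src_ip, txid, qname), None)
        if deadline is None:
            return False, "unsolicited response"
        if now > deadline:
            return False, "stale response"
        return True, "ok"


if __name__ == "__main__":
    gate = DnsGate(["192.0.2.0/24"])          # assumed client network
    query = build_query(0x1234, "example.com.")
    gate.note_sent("203.0.113.53", query, now=0.0)   # assumed upstream resolver
    print(gate.accept_response("203.0.113.53", build_response(0x1234, "example.com.", "203.0.113.80"), 0.1))
    print(gate.accept_response("203.0.113.53", build_response(0x1235, "example.com.", "203.0.113.66"), 0.1))
```

Matching on the upstream address, transaction ID and question name together is what makes a blindly forged reply miss; a production resolver also randomises its source port and performs the client verification the list mentions, which this example leaves out.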

2.4 Provide margin bandwidth

Use server performance testing to evaluate the bandwidth and number of requests that can be sustained under normal business conditions, then keep a margin of bandwidth when purchasing, so that when attacked, traffic above normal usage does not immediately affect normal users.

3. Service security reinforcement

Harden the operating system and the software services on the server to reduce the points that can be attacked and raise the attacker's cost:

Ensure the server's system files are the latest version and apply system patches promptly.

Check all server hosts and make sure the source of every visitor can be identified.

Filter unnecessary services and ports. For example, on a WWW server open only port 80 and close all other ports, or set a blocking policy on the firewall.

Limit the number of SYN half-open connections that may be open at the same time, shorten the timeout for SYN half-open connections, and limit SYN/ICMP traffic.

Check the logs of network equipment and server systems carefully. Signs such as a vulnerability appearing or an unexplained change of system time mean the server may have been attacked.

Limit network file sharing outside the firewall to reduce the chance of attackers obtaining system files; if an attacker replaces them with a Trojan horse, the file transfer function is compromised.

Make full use of network equipment to protect network resources. When configuring the router, consider policies for flow control, packet filtering, half-open connection timeouts, dropping garbage packets and packets with forged source addresses, SYN thresholds, and disabling ICMP and UDP broadcasts.

Use a software firewall such as iptables to restrict new TCP connections from suspected malicious IPs, and limit their connection and transfer rates.
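The port-filtering advice of section 3 and the SYN-limit, forged-source and iptables items of this list can be made checkable. The following is an added example, not code from the article or from any cloud vendor: it audits a `sysctl -a` excerpt against an assumed hardened baseline for the kernel settings behind half-open connection limits and source validation, and generates an iptables-restore ruleset that opens only listed ports and rate-limits new connections per source. The baseline values, the port list, the admin network and the sample sysctl output are constructed assumptions:

```python
"""Audit kernel SYN/ICMP settings and generate a minimal host firewall ruleset.

Added example, not code from the article or any cloud vendor. The baseline
values, the allowed-port list and the `sysctl -a` output used as input are
assumptions constructed for a Linux web server.
"""

# Hardened baseline for the settings the article names (assumed values).
# key -> (target value, comparison, why it matters)
SYSCTL_BASELINE = {
    "net.ipv4.tcp_syncookies": ("1", "eq", "answer SYN floods without keeping half-open state"),
    "net.ipv4.tcp_max_syn_backlog": ("4096", "ge", "cap the number of half-open (SYN_RECV) connections"),
    "net.ipv4.tcp_synack_retries": ("2", "le", "shorten how long a half-open connection lingers"),
    "net.ipv4.icmp_echo_ignore_broadcasts": ("1", "eq", "ignore broadcast pings"),
    "net.ipv4.conf.all.rp_filter": ("1", "eq", "drop packets whose source address is not routable back"),
}


def parse_sysctl(text):
    """Parse `sysctl -a` style output ("key = value" per line) into a dict."""
    values = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            values[key.strip()] = value.strip()
    return values


def _meets(got, target, how):
    if how == "eq":
        return got == target
    if not got.isdigit():
        return False
    return int(got) >= int(target) if how == "ge" else int(got) <= int(target)


def audit_sysctl(text):
    """Return [(key, current, target, reason)] for every setting below baseline."""
    current = parse_sysctl(text)
    findings = []
    for key, (target, how, reason) in SYSCTL_BASELINE.items():
        got = current.get(key, "<unset>")
        if not _meets(got, target, how):
            findings.append((key, got, target, reason))
    return findings


def sysctl_remediation(findings):
    """Lines for a /etc/sysctl.d drop-in that fix the audited findings."""
    return [f"{key} = {target}" for key, _, target, _ in findings]


def build_firewall_rules(open_ports, restricted=None, syn_per_sec=50, conn_per_ip=30):
    """Emit an iptables-restore ruleset: default DROP, only the listed TCP ports,
    a per-source SYN rate limit (hashlimit) and a per-source connection cap
    (connlimit). `restricted` maps a port to the only source network allowed."""
    restricted = restricted or {}
    rules = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
        # new connections above the SYN rate are silently dropped per source IP
        "-A INPUT -p tcp --syn -m hashlimit --hashlimit-name syn --hashlimit-mode srcip "
        f"--hashlimit-above {syn_per_sec}/second --hashlimit-burst {2 * syn_per_sec} -j DROP",
        f"-A INPUT -p tcp --syn -m connlimit --connlimit-above {conn_per_ip} --connlimit-mask 32 -j DROP",
        # echo requests are rate-limited rather than blocked outright
        "-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT",
    ]
    for port in sorted(set(open_ports)):
        source = f"-s {restricted[port]} " if port in restricted else ""
        rules.append(f"-A INPUT -p tcp {source}--dport {port} -j ACCEPT")
    rules.append("COMMIT")
    return rules


# Constructed `sysctl -a` excerpt from a host still on weak default settings.
SAMPLE_SYSCTL = """\
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_synack_retries = 5
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 0
"""

if __name__ == "__main__":
    findings = audit_sysctl(SAMPLE_SYSCTL)
    for key, got, target, reason in findings:
        print(f"{key}: {got} -> {target}  ({reason})")
    print("\n".join(sysctl_remediation(findings)))
    # web ports public; SSH only from an assumed admin network; the database
    # port 3306 is deliberately not exposed to the Internet at all
    print("\n".join(build_firewall_rules([80, 443, 22], restricted={22: "203.0.113.0/24"})))
```

Run the audit against the real `sysctl -a` output before changing anything, and load the generated ruleset with `iptables-restore --test` first. Port 3306 is intentionally absent from the public rules: a database listener that only application servers need belongs behind a `-s <internal network>` rule or on a private interface, not on the Internet-facing one.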

4. Business Monitoring and Incident Response Service

4.1 Focus on Basic Anti-DDoS Monitoring

When your business suffers a DDoS attack, Basic Anti-DDoS protection sends alarm notifications by SMS and email by default, and for large-traffic attacks it also supports telephone alarms. It is recommended that you start emergency response as soon as you receive an alarm.

5.1 Web Application Firewall (WAF)

For website applications, for example the common HTTP Flood (CC attack), a WAF provides effective defense against connection-layer, session-layer and application-layer attacks.

5.2 Anti-DDoS Protection Package

Notes

DDoS attacks are recognized as a public enemy of the industry. They affect not only the victim but also the stability of the service provider's network, and so cause losses to the business of other users on the same network.

At present there is no best cure for DDoS attacks and no way to defend against them completely; we can only take various measures to mitigate the damage to a certain extent. Therefore, basic safeguards must be in place in everyday server operations and maintenance, and the solutions shared in this article can be used to minimize the losses a DDoS attack causes.
