High-defense servers ensure the safe and stable operation of your online services

15 Mar, 2026 zhangwuji

Last winter I helped a friend in online education deal with an emergency: his online class platform was knocked offline by a wave of DDoS attacks during the promotion season. Users couldn't log in, live broadcasts froze like a PPT slide, and refund requests poured in like snowflakes. On the phone his voice was shaking: “My server configuration isn't bad, and the firewall is on, so how did it fold like papier-mâché?” I've seen this too many times. Many people think that renting a cloud host and installing some security software lets them sleep easy; then the attack arrives and the setup is immediately exposed for what it is.

Today's network environment is not the small-time scene it was ten years ago. Attacks have become an industry chain: from botnet rental to attack-for-hire, everything has a clearly marked price. Run an e-commerce site, and a competitor may spend a few thousand dollars to paralyze you for a day; run game servers, and an extortion gang can send you a “gift package” of a few hundred G of traffic within minutes. Against a real flood attack, an ordinary server's bandwidth and computing resources don't even get the chance to put up a fight.

I found that a standard cloud server, even with top-end CPU and memory, collapses within three minutes when it meets a UDP Flood of hundreds of thousands of packets per second. The system log fills with “connection refused”, and then the console turns gray. More frustrating still, some cloud service providers, so as not to affect other users, simply “black-hole” you: traffic is dropped at the entrance, so normal visitors can't get in either. You paid for a service, and when something goes wrong the provider's first reaction is to isolate you; the experience is more disgusting than swallowing a fly.

So don't be naive, folks: you can't rely on luck for protection. Attacks come in all kinds, so I'll just list a few common ones:

  • Traffic-type attacks, such as UDP Flood and ICMP Flood, which are purely a contest of bandwidth. Your server has a 100M uplink and the attacker sends 10G; how do you absorb that?
  • Connection-based attacks, typically SYN Flood, which send handshake packets at a furious rate and exhaust the TCP connection pool. If you don't adjust the kernel parameters, five thousand SYNs per second can flatten an ordinary Linux server.
  • Application-layer attacks, such as CC attacks and slow HTTP connections. These are the most insidious: they simulate real user behavior, so the firewall often misjudges them. I once had a customer whose forum site was hit by a CC attack: the number of database connections soared to the upper limit, pages took more than 30 seconds to load, and the users all left.

These days you even have to guard against your “teammates” on a CDN. To save costs, some small vendors share IP pools and cleaning resources, so when one site is hit the entire pool is affected and the other customers suffer with it. I have since learned my lesson: important business must use a service with independent protection resources.

A high-defense server, to put it bluntly, is built specifically to handle these tough cases. It is not black technology but a complete solution from hardware to software. The core comes down to three points: a large-bandwidth entrance, intelligent traffic cleaning, and redundant load balancing. Without enough bandwidth, everything else is for nothing. I've seen some reliable high-defense nodes, such as the 08Host package, that come standard with 500Gbps or more of cleaning capacity and connect directly to the backbone network with T-level resources. When attack traffic arrives, it is first led to the cleaning center, the dirty data is filtered out, and the clean traffic is sent back to your origin server. The process adds only milliseconds of delay, and users barely notice it.

But relying on the vendor is not enough; you have to know your own way around. On a Linux server, for example, if you don't optimize the kernel parameters, the benefit of high defense is discounted. I usually adjust a few key values before going online, like the following:

These parameters have to be fine-tuned to the type of business; bigger is not always better. Game servers and web servers are set up differently, and I usually monitor the traffic pattern for a few days before making changes. Don't trust the “universal configurations” found online; copy-and-paste easily gets you into trouble.
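As an added example (not the author's own values, and not code from the original post), the Python script below audits sysctl.conf-style text against a small SYN-flood baseline instead of pasting in a fixed configuration. The sysctl keys are real Linux settings; the reference numbers and the sample file are assumptions to be replaced with values derived from your own traffic.

```python
# Added example: audit sysctl.conf-style text against an illustrative
# SYN-flood baseline. Baseline numbers are assumptions, not the author's.
import operator

# key -> (comparison, reference value, why the setting matters)
BASELINE = {
    "net.ipv4.tcp_syncookies": (operator.eq, 1, "answer SYNs statelessly when the backlog is full"),
    "net.ipv4.tcp_max_syn_backlog": (operator.ge, 4096, "room for half-open connections"),
    "net.ipv4.tcp_synack_retries": (operator.le, 3, "give up on unanswered handshakes sooner"),
    "net.core.somaxconn": (operator.ge, 1024, "ceiling for the listen() accept queue"),
}

def parse_sysctl(text):
    """Parse 'key = value' lines; '#' and ';' start comment lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings

def audit(text, baseline=BASELINE):
    """Return sorted (key, current value or None, reason) findings.

    None means the key is not pinned in this text, so the kernel default applies.
    """
    settings = parse_sysctl(text)
    findings = []
    for key, (compare, wanted, reason) in baseline.items():
        current = settings.get(key)
        try:
            ok = current is not None and compare(int(current), wanted)
        except ValueError:
            ok = False  # non-numeric value where a number is expected
        if not ok:
            findings.append((key, current, reason))
    return sorted(findings)

# Constructed sample, not taken from a real host.
SAMPLE_CONF = """
# /etc/sysctl.d/99-example.conf (constructed)
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.core.somaxconn = 4096
"""

if __name__ == "__main__":
    for key, current, reason in audit(SAMPLE_CONF):
        print(f"{key}: current={current!r} -> review ({reason})")
```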

The water runs deep when it comes to intelligent cleaning. Vendors with good algorithms identify attack packets accurately, with a very low false-kill rate; with poor algorithms, normal user requests may be thrown away as well. I tested a few: some go blind when they meet a slow HTTP attack, with a cleaning rate of less than 70%. The 08Host cleaning cluster, by contrast, is based on behavioral analysis and machine learning and is especially effective against application-layer attacks. Once I simulated a CC attack; their system recognized it within 5 seconds and automatically blacklisted the abnormal IPs, and normal users were not affected at all. Behind this is a model trained on a large amount of data, which simple rule matching cannot do.

High-defense servers usually offer console configuration, such as attack thresholds, blacklists and whitelists, protocol filtering, and so on. But the underlying architecture must also be sound. I suggest a layered design for the business: push static resources to the CDN, and send dynamic requests back to the origin on the high-defense server. That way, even if the origin comes under pressure, the CDN can still carry most of the traffic. As for the CDN, choosing the right one is a blessing and choosing the wrong one is a pit. I used to use a cheap CDN; as soon as it was hit, traffic went straight back to the origin, which amounted to leading the attack to my home base. Later I changed to CDN07: each of their edge nodes has independent high defense, the caching strategy is flexible, and dynamic acceleration is supported. I have used their services for more than two years; during the promotion period, the traffic doubled ten times, and there has not been a paralyzing accident.

Don't believe the “free high defense” or “unlimited protection” propaganda. I have tested one: at about 300G it began to lose packets, and the response to work orders was as slow as a snail. In security, you get what you pay for. A reliable high-defense server may be several times more expensive than ordinary cloud hosting, but think about the losses an attack causes: brand reputation, user loss, income falling off a cliff. Against that, this investment is really nothing.

As for configuration, in addition to system tuning, the application layer must also add protection. For example, limit the request frequency in Nginx to counter CC attacks:

I run this code in my production environment, and it blocks most scripts that hammer the interface. But be careful not to set it too strictly, or it will hurt real users. I usually pair it with monitoring alarms and adjust dynamically when I find an anomaly.
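The trade-off just described, as an added example that is not code from the original post: a simplified Python model of how nginx's `limit_req` accounts for requests from one client key, run against two constructed traffic patterns. The zone name, rate, burst values and traffic shapes are assumptions; the model counts accept/reject decisions only and ignores request delaying.

```python
# Added example: simplified model of nginx limit_req accounting for a
# single client key. All values below are illustrative assumptions.
# Modelled configuration (real nginx directives, assumed values):
#   limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
#   limit_req zone=api burst=20 nodelay;

def simulate(arrivals_ms, rate_rps, burst):
    """Return (accepted, rejected) for request arrival times in milliseconds."""
    excess = 0      # bucket level, in thousandths of a request
    last = None     # arrival time of the last accepted request
    accepted = rejected = 0
    for now in sorted(arrivals_ms):
        if last is None:
            # First request seen for this key is always accepted.
            accepted, last = accepted + 1, now
            continue
        # Drain the bucket for the elapsed time, then add this request.
        level = max(excess - rate_rps * (now - last) + 1000, 0)
        if level > burst * 1000:
            rejected += 1   # over the limit: state is left unchanged
            continue
        excess, last = level, now
        accepted += 1
    return accepted, rejected

# Constructed traffic patterns (milliseconds since the first request).
BROWSER_PAGE_LOAD = [i * 5 for i in range(12)]     # 12 assets within 60 ms
SCRIPT_HAMMERING = [i * 20 for i in range(250)]    # 50 r/s for 5 seconds

if __name__ == "__main__":
    for burst in (0, 20):
        print(f"rate=10r/s burst={burst}:",
              "browser", simulate(BROWSER_PAGE_LOAD, 10, burst),
              "script", simulate(SCRIPT_HAMMERING, 10, burst))
```

With no burst allowance the rate limit rejects almost every request of a normal page load, while a burst of 20 lets the page load through and still holds the script to the configured rate plus the burst.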

Redundancy is also part of high defense. A single point of failure is the deadliest problem, so a good high-defense service provider offers multiple nodes that back each other up. 08Host's global Anycast network is an example: attack traffic is routed to the nearest cleaning center to spread the pressure. Even if one data center goes wrong, other nodes switch over in seconds. This technology used to be used only by large manufacturers, and it is now slowly becoming mainstream.

For a data comparison, I ran a test last year: an ordinary server and a high-defense server with the same configuration, under a simulated 100Gbps mixed attack. The ordinary server went down in 30 seconds and took more than 2 hours to recover; on the high-defense server, with cleaning, business delay increased by only 20 milliseconds and the service was never interrupted. It is like the difference between a bicycle and an armored car.

In the end, for anyone running online services, security and stability are the bottom line. High-defense servers are not optional accessories but core infrastructure. I've been doing network security for more than ten years, and I've seen too many cases of big losses caused by saving a little money. An e-commerce site that is paralyzed by an attack for a day may lose hundreds of thousands of dollars directly, and the indirect brand damage cannot be estimated. The money spent on protection is much cheaper than remediation after the fact.

My advice is straightforward: if your business involves transactions, user data or real-time interactions, don't hesitate to go straight to a high-defense server. When choosing a vendor, look at a few hard indicators: cleaning capacity, whether there is measured data, whether the node distribution is wide enough, and whether technical support responds 24 hours a day. A veteran vendor like 08Host has full documentation, fast work-order handling, and customized solutions, and is suitable for medium and large projects. Combine it with CDN07 global acceleration and static/dynamic separation, and the stability of the whole architecture improves by more than one grade.

Finally, a word of caution: security is a systems project, and high-defense servers are only one of the links. Regular penetration testing, code audits, and staff training all have to keep up. Nothing in this line of work is done once and for all, but if you are prepared, at least you won't panic when the attack comes. After all, our goal is not never to be attacked, but to be able to smile and drink tea while under attack, because the system holds and the users don't feel a thing. That is real strength.