DDoS is a household word in security circles. Since the birth of DDoS, countless network security engineers have been deeply disgusted with it, and giant companies with strong technical strength such as Google and Amazon can not avoid DDoS attacks.

It is safe to say that DDoS is one of the most powerful and most difficult attacks to defend against today, a world-class problem that has no solution, only mitigation.

We can't help but wonder why DDoS attacks are unsolvable. Is it a lack of skill, or something else?

DDoS without solution

The principle of DDoS is not complex, is to use a large number of chickens, imitate the real user behavior, so that the target server resources are exhausted, and ultimately can not provide services for users.

Just like a hot pot restaurant came to a group of thugs, light seats do not call meals, resulting in normal customers have no seats, can not order meals, hot pot restaurant can not open a normal shop.

Let's take an example to see why DDoS can't be solved.

CC attacks are a type of DDoS in which the attacker uses a proxy server to generate legitimate requests from the victim host.

I believe that everyone has had such an experience, when a website or app is doing a second kill, limited time activities, buying activities, the number of visits increases suddenly, resulting in the page opening speed is slow, if the number of people exceeds the server load, the page may not open completely.

The result of an attacker launching a CC attack is exactly the same as in the example above. For defenders, it can be difficult to tell who is the real user and who is the attacker's chicken, and the enemy does not know who is, let alone launch an attack.

Cost is hard damage

While DDoS attacks cannot be solved, there are technical measures that can be adopted to mitigate or raise the threshold for attacks.

The cost of the defense side mainly comes from the purchase of cloud protection products such as DDoS cloud cleaning, high-defense CDN, the labor cost of the technical means used, the cost of purchasing hardware equipment, and so on.

Similarly, there is a cost to an attacker to launch a DDoS attack, such as the cost of time, the cost of buying chickens, the cost of buying 0day and other vulnerabilities, the cost of writing or buying DDoS programs, and perhaps even the cost of commissioning a DDoS to a third party.

The better the defender's defense, the higher the cost. By the same token, the larger the attack the attacker wants to launch, the higher the cost.

If the attacker wants the cost of launching an attack to be higher than the benefit of the attack, then DDoS will not be launched. On the other hand, if the cost is right, the attacker will launch the attack and enjoy the benefits of the attack.

DDoS mitigation

Although there is no solution to DDoS attacks, a variety of means can be used to mitigate and prevent, or to dispel the intention of the attacker to launch DDoS, or to make the attacker's expected revenue decline "beyond the means."

Commonly used means are the following:

(1) Use high-performance network equipment

Ensure the performance of network devices such as routers, switches, and hardware firewalls, and have sufficient performance and capacity to counter DDoS when it occurs.

(2) Check the server system vulnerabilities regularly

Use the latest system, install security patches in time, and delete unused services and close unused ports to reduce the risk of hackers using vulnerabilities to launch DDoS.

(3) Sufficient network bandwidth assurance

The size of the network bandwidth directly determines the ability to resist DDoS, but in general, other technical means and methods are more effective and less costly than increasing bandwidth.

(4) Deploy the CDN

A CDN can distribute the content of a website to multiple servers for users to access nearby, which can not only improve the user experience, but also serve as a supplementary means to defend against DDoS.

(5) Use professional safety protection products

Professional anti-D products can help websites filter abnormal traffic, even if DDoS is in progress, the company's business can be carried out normally without being affected.

postscript

Again, it's a matter of cost, DDoS doesn't happen the same way, and if hackers have a better way to reach their targets, they will use a better way.

Many websites may have performance bugs, and the database system will crash after a few simple requests;

Many systems will have network planning, configuration bugs, may be a few simple packets can crash the entire network;

Even if the protection measures of the computer room are not strict, or there are loopholes, the attacker directly sneaked into the computer room to shut down the power supply, but also the overall business of the company will be paralyzed;

How much water can be held depends not on the highest board of the barrel, but on the lowest board. Website, app security, is the same, in addition to using some means to defend against DDoS attacks, we should also pay attention to other aspects of security, to achieve comprehensive defense.