The surge of traffic that every promotional event brings is a severe test for the engineers behind it. If a malicious DDoS attack from underground criminal groups lands in the middle of the event, it only makes things worse. E-commerce businesses are characteristic in that they usually do not face large-traffic DDoS attacks during normal operations, yet they are sensitive to latency, so they only need DDoS protection on demand during the event itself. In this article, a professional security team shares how to adjust the protection strategy in real time according to the observed DDoS attack situation and business health, so as to keep the business stable while saving a large amount of security protection and operating cost.
If your website or application suddenly sees a large amount of suspicious traffic and normal users can no longer access or connect to the server, it has most likely suffered a DDoS attack. DDoS is a mature and common attack method in the Internet's underground criminal economy. The attack is simple and crude but effective; it is difficult to trace back to its source, and the cost to the attacker is low.
1. How exactly does a DDoS attack work?
An example will make it easier to picture:
Xiao Wang opened a restaurant. It is not large and can seat at most 50 guests at a time, but thanks to the delicious food and generous portions there is an endless stream of customers every day. The booming business aroused the jealousy of a local hooligan, who sent more than 100 people to Xiao Wang's shop to make trouble. These people look no different from ordinary customers, so Xiao Wang and the waiters can only serve them normally, but they just keep asking about the dishes and prices without ever ordering, occupying every seat and every waiter and leaving other guests unable to dine, which eventually led to the closure of the restaurant.
This is the typical DDoS attack pattern: a large number of requests are launched in a short period of time, exceeding what the system can handle and exhausting the target's network or system resources, so that the service is temporarily interrupted or stopped and normal users cannot access it.
The full name of DDoS is Distributed Denial-of-Service. Denial-of-Service means that the purpose of the attack is to make the service inaccessible; Distributed means that the attack does not come from a single source but may come from thousands of devices.
With the growth of the IoT industry, the number of IoT devices keeps increasing, they stay online for long periods, and their vulnerability patch cycles are long, which has made them a hotbed for attackers exploiting vulnerabilities. IoT devices have gradually become the main force behind DDoS attacks. According to statistics, mixed (multi-vector) DDoS attacks increased significantly in 2021, up 80.8% compared with 2020. In 2022 the threat from DDoS attacks is hitting an all-time high, and the continued growth of ultra-large-scale attacks has become the norm.
2. The main DDoS attack methods
Generally speaking, DDoS attacks take two main forms:
Traffic (volumetric) attacks mainly target network bandwidth: a large number of attack packets saturate the bandwidth, so legitimate packets are drowned out by the bogus attack packets and cannot reach the host. Examples include UDP flood, ICMP flood, Ping of Death and teardrop attacks.
Resource exhaustion attacks mainly target the server host: a large number of attack packets exhaust the host's memory or keep the CPU busy in the kernel and applications, so that it can no longer provide network services. Examples include SYN flood, LAND attack, CC (Challenge Collapsar) attacks, botnet attacks and application-layer flood attacks.
According to authoritative industry reports, botnets are no longer limited to a single DDoS attack method; they combine DDoS with ransomware and mining Trojans, and some have turned to distributed brute-force attacks. The gray-market ecosystem further reduces the cost of DDoS attacks and improves their effectiveness.
3. How to prevent DDoS attacks?
Although we cannot stop malicious attackers from sending a large volume of bogus requests to the server, we can prepare in advance and improve the load-handling capacity. For example, bandwidth can be expanded: scale the website's capacity up rapidly for a short period, provide several times or dozens of times the usual bandwidth, and absorb the large-traffic requests. You can also purchase the IP Anti-DDoS Pro (IP high-defense) service. You only need to point the domain name to be protected, via a CNAME record at your DNS provider, to the secure domain name configured by JD Cloud to complete onboarding, which effectively defends against SYN Flood, UDP Flood, ICMP Flood and other high-traffic attacks. The total protection capacity of IP Anti-DDoS Pro reaches the TB level, easily resisting large-traffic attacks.
However, some enterprise users do not suffer large-traffic DDoS attacks under normal business conditions and are sensitive to latency, so they prefer not to use DDoS protection products and services in normal times. They are extremely vulnerable to malicious DDoS attacks by competitors and underground criminal groups only during important events such as corporate promotions, exhibitions, product launches and new business launches, as well as major milestones in the company's development such as financing, mergers and acquisitions, and listings. During such events they use DDoS protection products and services as needed. A professional security team provides 7*24-hour protection assurance, monitors DDoS attacks and business health, and adjusts the protection strategy in real time to keep the business stable and save a large amount of security protection and operating cost.
4. DDoS customized protection services emerge in response to the trend
An e-commerce customer on JD Cloud received threat intelligence ahead of a big promotion that a large number of DDoS attacks from overseas would occur during the event. According to the observations of the JD Cloud security team, nearly 40% of the attack traffic came from overseas, and there were many CC attacks. Because the customer had already onboarded to IP Anti-DDoS Pro, the CC attacks were effectively blocked. After the attacker found that the CC attacks failed to cause a denial of service at the customer's origin site, they began attempting a Layer 4 high-traffic attack. The attack peak exceeded the base protection bandwidth of the customer's IP Anti-DDoS Pro instance; once elastic protection took effect, charges began to accrue on a daily basis.
To reduce customers' overall investment in DDoS protection, JD Cloud launched a customized DDoS protection service (Anti-DDoS Premium Service) that provides professional DDoS protection solutions for users who need proactive protection assurance, with solutions tailored to the user's application scenario. It provides services such as near-source cleaning, traffic suppression and DNS refresh to ensure continuous and stable operation of user services.
In the case above, the JD Cloud security team helped the customer turn on the traffic suppression function and block overseas traffic, which effectively reduced the attack traffic entering the IP Anti-DDoS Pro node, lowered the customer's protection pressure, and successfully completed the protection assurance task for the customer's promotion.
The JD Cloud security team provides 7*24-hour remote support, monitors attack trends and business health in real time, and ensures continuous and stable business operations. It comprehensively analyzes the security threats a customer faces and provides a dedicated DDoS protection solution for the customer's major business activities, with service content customized to the customer's scenario and flexible billing to help the customer save costs.
5. Architecture principles of the DDoS customized protection service
The DDoS customized protection service includes near-source cleaning, traffic suppression, DNS refresh and other services, and can be tailored to a customer's specific scenario:
Near-source cleaning
Near-source cleaning provides large-traffic DDoS cleaning on the operator's backbone network, close to the attack source. This effectively relieves the protection pressure on the user's IP Anti-DDoS Pro instances and on JD Cloud origin servers, and reduces the probability of the attacked service being black-holed.
Traffic suppression
Traffic suppression blocks traffic on the operator-side backbone network. The blocking region can be chosen independently according to the geographical distribution of the traffic actually attacking the business. For example, when a user finds that overseas traffic accounts for a high proportion of the DDoS attack and the business itself does not serve overseas users, the user can choose to block overseas traffic, and can unblock it at any time.
DNS refresh
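The decision rule described above (block a region only when it carries a large share of the attack and the business would lose little legitimate traffic there), as an added example that is not JD Cloud's code; the flow records, country codes and thresholds are constructed sample values:

```python
"""Decide whether region-based traffic suppression is worthwhile.

Added example, not JD Cloud's own code. Flow records are assumed to come from
the scrubbing layer already labelled as attack or legitimate; the volumes,
country codes and thresholds below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    country: str   # ISO 3166 code of the source, e.g. "CN", "US"
    volume: int    # bytes carried by this flow
    attack: bool   # True if the scrubbing layer flagged it as attack traffic


# Constructed sample flows (hypothetical volumes, not from a real incident).
SAMPLE_FLOWS = [
    Flow("CN", 9_000, False), Flow("CN", 1_500, True),
    Flow("US", 12_000, True), Flow("BR", 8_000, True),
    Flow("RU", 6_000, True), Flow("US", 300, False),
]


def traffic_by_region(flows, served):
    """Sum bytes into {"served"/"other": {"attack": n, "legit": n}}."""
    totals = defaultdict(lambda: {"attack": 0, "legit": 0})
    for f in flows:
        region = "served" if f.country in served else "other"
        totals[region]["attack" if f.attack else "legit"] += f.volume
    return dict(totals)


def should_block_other_regions(flows, served, min_attack_share=0.5,
                               max_legit_loss=0.05):
    """Return (decision, attack_share, legit_loss) for blocking non-served regions.

    Block only when non-served regions carry at least min_attack_share of the
    attack bytes and at most max_legit_loss of the legitimate bytes.
    Both thresholds are assumed values a defender would tune per business.
    """
    t = traffic_by_region(flows, served)
    other = t.get("other", {"attack": 0, "legit": 0})
    total_attack = sum(v["attack"] for v in t.values())
    total_legit = sum(v["legit"] for v in t.values())
    attack_share = other["attack"] / total_attack if total_attack else 0.0
    legit_loss = other["legit"] / total_legit if total_legit else 0.0
    decision = attack_share >= min_attack_share and legit_loss <= max_legit_loss
    return decision, attack_share, legit_loss
```

Running it with `served={"CN"}` recommends blocking, while `served={"US"}` refuses because most legitimate traffic would be lost.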
The Domain Name System (DNS) is one of the foundational systems of the entire Internet. It is responsible for converting the domain names people use into IP addresses. This conversion is called "domain name resolution", so DNS is also known as the "domain name resolution system".
Each node of the Domain Name System consists of several DNS servers. Among them, the servers that have authority over a domain's resolution configuration are called authoritative DNS servers. Servers that have no authority over the resolution configuration but synchronize data from the authoritative DNS servers and answer queries from that synchronized cache are called caching DNS servers. Authoritative DNS servers hold data only for some domain names and are not directly related to one another, so recursive DNS servers were introduced to provide a more complete resolution service; on the Internet, recursive DNS servers are usually operated by the network operators.
DNS refresh is a synchronization process initiated by the operator's recursive DNS servers toward the authoritative DNS server. The synchronization takes effect within seconds, ensuring that user service access and switch-over stay smooth.