Joke Collection Website - Public benefit messages - Briefly describe the difference between DOS and DDOS.

Briefly describe the difference between DOS and DDOS.

How to do DNS protection?

1. Authoritative DNS servers should restrict (or disable) the recursive query function of the name server, and a recursive DNS server should restrict which clients may query it recursively (enable a whitelist of IP ranges).

2. Restrict zone transfers: enable a whitelist covering only the master and slave DNS servers that synchronise with each other, so that DNS servers not on the list cannot pull the zone files.

allow-transfer { none; };   // or list the secondary servers (or an acl) that may pull the zone
allow-update { none; };

3. Enable blacklists and whitelists

Blacklist known attacking IPs in BIND, or block their access on the firewall;

Use an acl to define the IP network segments that are allowed access;


4. Hide the version information of BIND;

5. Chroot BIND and run it with non-superuser privileges;


6. Remove other, unnecessary services from the DNS server. Services such as Web, POP, gopher and NNTP news should not be installed when building the DNS server system.

Installing the following software packages is not recommended:

1) X Window and related packages; 2) multimedia application packages; 3) any unnecessary compilers and script interpreters; 4) any unused text editors; 5) harmful client programs; 6) other unnecessary network services. To keep the domain name resolution service independent, the server running it must not open other service ports at the same time, and the authoritative and recursive resolution services should be provided separately on different servers;

7. use dnstop to monitor DNS traffic

# yum install libpcap-devel ncurses-devel

Download the source tarball (/tools/dnstop/src/dnstop-20140915.tar.gz).


9. Strengthen the DNS server's defences against DoS/DDoS.

Use SYN cookies.

Increasing the backlog can, to some extent, relieve the TCP connection blocking caused by a large number of SYN requests.

Reduce the number of retransmissions: the Linux default for tcp_synack_retries is 5.

Limit the SYN rate.

Guard against SYN attacks: # echo 1 > /proc/sys/net/ipv4/tcp_syncookies, and add this command to /etc/rc.d/rc.local so that it is applied at boot;

10. Monitor whether the domain name service protocol is working normally: use the corresponding service protocol or test tool to send simulated requests to the service port, analyse the results the server returns, and judge whether the service is currently normal and whether the resolution data has changed. If possible, deploy multiple probe points in different networks for distributed monitoring;

11. Provide no fewer than 2 servers for the domain name service; 5 independent name servers are recommended, deployed in different physical network environments. Use an intrusion detection system to detect man-in-the-middle attacks as far as possible; deploy anti-attack equipment around the domain name service system to deal with such attacks; use tools such as traffic analysis to detect DDoS attacks so that emergency measures can be taken in time;

12. Restrict the scope of the recursive service: only allow users from specific network segments to use recursion;

13. Monitor the resolution results of important domain names closely and raise an alarm as soon as the resolution data is found to have changed; deploy DNSSEC;

14. Establish a sound data backup mechanism and log management system. Keep all resolution logs from the last three months; for important domain name systems a 7×24 maintenance regime is recommended, with an emergency response time of no more than 30 minutes.
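The following Python script is an added example, not part of the original answer, that verifies items 1/12, 2 and 4 above from outside the server. It builds raw DNS queries with the standard library only: a query for a name the server is not authoritative for with RD set (open recursion), a version.bind TXT query in the CHAOS class (version disclosure), and an AXFR over TCP (zone transfer whitelist), and reports whether each was refused. The check_* names, the result strings and the probe name example.com are my own choices; nothing here is BIND's own tooling.

```python
import socket
import struct

CLASS_IN, CLASS_CH = 1, 3                  # version.bind lives in the CHAOS class
TYPE_A, TYPE_TXT, TYPE_AXFR = 1, 16, 252
RCODE_REFUSED = 5
FLAG_RD, FLAG_RA = 0x0100, 0x0080          # recursion desired / recursion available

def encode_name(name):
    """Dotted name -> DNS labels: "version.bind" -> b"\\x07version\\x04bind\\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(qname, qtype, qclass=CLASS_IN, rd=True, txid=0x1234):
    """One-question query; RD is set only when probing for open recursion."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)

def skip_name(msg, off):
    """Return the offset just past a name; a 0xC0xx compression pointer ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Header flags plus the answer section as (type, class, rdata) tuples."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                    # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:                            # TXT rdata: <len><chars>...
            strings, p = [], 0
            while p < len(rdata):
                strings.append(rdata[p + 1:p + 1 + rdata[p]].decode("latin-1"))
                p += 1 + rdata[p]
            rdata = "".join(strings)
        answers.append((rtype, rclass, rdata))
    return {"id": txid, "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x0F, "answers": answers}

def check_recursion(resp):
    """Items 1/12: an authoritative-only server should REFUSE a foreign name."""
    if resp["rcode"] == RCODE_REFUSED:
        return "recursion refused"
    if resp["ra"] and resp["answers"]:
        return "OPEN RECURSION: server resolved a foreign name for us"
    return "recursion not available"

def check_version(resp):
    """Item 4: version.bind CH TXT should be refused or return a neutral string."""
    txt = [r for t, c, r in resp["answers"] if t == TYPE_TXT and c == CLASS_CH]
    if resp["rcode"] == RCODE_REFUSED or not txt:
        return "version hidden"
    return "VERSION DISCLOSED: " + txt[0]

def check_axfr(resp):
    """Item 2: an AXFR from a host outside allow-transfer must be REFUSED."""
    if resp["rcode"] == RCODE_REFUSED:
        return "zone transfer refused"
    if resp["answers"]:
        return "ZONE TRANSFER ALLOWED: %d records in first message" % len(resp["answers"])
    return "zone transfer not answered"

def query_udp(server, qname, qtype, qclass=CLASS_IN, rd=True, timeout=3.0):
    """Send one UDP query to server:53 and parse the reply (needs the network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype, qclass, rd), (server, 53))
        return parse_response(s.recv(4096))

def query_tcp(server, qname, qtype, qclass=CLASS_IN, timeout=5.0):
    """AXFR runs over TCP with a 2-byte length prefix; only the first message is parsed."""
    q = build_query(qname, qtype, qclass, rd=False)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)
        buf = b""
        while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
            chunk = s.recv(65535)
            if not chunk:
                break
            buf += chunk
        return parse_response(buf[2:])
```

Against a live server, call check_recursion(query_udp(server, "example.com.", TYPE_A)), check_version(query_udp(server, "version.bind", TYPE_TXT, CLASS_CH, rd=False)) and check_axfr(query_tcp(server, "yourzone.example", TYPE_AXFR)) from a host that is not on the whitelists; after items 1, 2 and 4 are applied all three should come back refused or hidden. Run the AXFR probe a second time from a listed secondary: it should still succeed there, which confirms the allow-transfer whitelist rather than a broken transfer.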

What is the difference between a DDoS attack and a PDoS attack?

A: The difference between DDoS and PDoS attacks: DDoS is distributed denial of service, while PDoS is permanent denial of service.

The full name of DDoS is Distributed Denial of Service, which in Chinese means "分布式拒绝服务"; it refers to using a large number of legitimate distributed servers to send requests to the target so that normal, legitimate users cannot obtain service. Generally speaking, it uses network node resources such as IDC servers, personal PCs, mobile phones, smart devices, printers and cameras to send a large number of attack requests to the target, which congests the server so that it can no longer provide normal service to the outside world, and all that is left is to declare game over.

Permanent denial of service (PDoS), also known as phlashing, is an attack that damages a system so badly that hardware must be replaced or reinstalled. Unlike a distributed denial of service attack, PDoS exploits security vulnerabilities that allow remote management of network hardware, such as routers, printers or other network devices, through the victim's hardware management interface. The attacker uses these vulnerabilities to replace the device firmware with a modified, corrupt or defective firmware image, a process that is called flashing when done legitimately. This therefore "bricks" the device, so it cannot be used for its original purpose until it is repaired or replaced.

PDoS is a purely hardware-targeted attack, which is faster and requires fewer resources than using a botnet or root/virtual servers in a DDoS attack. Because of these characteristics, and the potential and high probability of security exploits on network-enabled embedded devices (NEEDs), this technique has attracted the attention of many hacker groups.

PhlashDance is a tool created by Rich Smith (an employee of HP's Systems Security Lab) to detect and demonstrate PDoS vulnerabilities, presented at the 2008 EUSecWest Applied Security Conference in London.


What is a DDoS attack?

The full name of DDoS is Distributed Denial of Service, which translates into Chinese as "分布式拒绝服务": a large number of legitimate distributed servers are used to send requests to the target, so that normal, legitimate users are unable to obtain service.

For example, a hacker takes control of thousands of computers and then makes them send requests to a Web server at the same time. The server's capacity to respond is limited, and it will soon stop responding because its resources are exhausted.

The server is busy, please try again later. How to solve it?

1. Check whether the network connection is stable; try switching to a different wireless network.

2. Try updating the software to the latest version.

3. Settings - Application Manager/Applications - More - Reset application preferences.

4. Back up your data (contacts, text messages, pictures, etc.), restore the factory settings and try reinstalling.

5. Update the mobile phone's system version.

What is a DDoS attack? What is its principle? What is its purpose? The more detailed, the better! Thank you!

The biggest headache for a website is being attacked. Common server attacks fall mainly into these categories: port penetration, password cracking and DDoS attacks. Among them, DDoS is currently one of the most powerful and hardest to deal with.

So what is a DDoS attack?

The attacker forges a large number of legitimate-looking requests to the server, occupying a large amount of network bandwidth, so that the website is paralysed and inaccessible. Its characteristic is that the cost of defence is far higher than the cost of attack: a hacker can easily launch a 10G attack, but the cost of defending against 10G is very high.

Originally, such attacks were called DoS (denial of service) attacks. The attack principle is: you have a server and I have a personal computer; I use my personal computer to send a large amount of junk traffic to your server, which congests your network, increases your data-processing burden and reduces the efficiency of the server's CPU and memory.

However, as technology developed, one-on-one attacks like DoS became easy to defend against, so DDoS, the distributed denial of service attack, was born. Its principle is the same as DoS, but the difference is that DDoS is a many-to-one attack: even tens of thousands of personal computers attack one server at the same time, eventually paralysing the attacked server.

Three common DDoS attack methods

SYN/ACK flood attack: the most classic and effective DDoS attack, able to kill the network services of all kinds of systems. It works mainly by sending a large number of SYN or ACK packets with forged source IPs and source ports to the victim host, so that the host's cache resources are exhausted or it is kept busy sending response packets, resulting in denial of service. Because the sources are forged it is hard to trace; the drawback is that it is hard to carry out and needs the support of high-bandwidth zombie hosts.

TCP full-connection attack: this attack is designed to bypass inspection by conventional firewalls. Normally most conventional firewalls can filter DoS attacks such as TearDrop and Land, but they let normal TCP connections through. Little do people realise that many network service programs (Web servers such as IIS and Apache, for example) can only accept a limited number of TCP connections; once there are a large number of TCP connections, even normal ones, website access becomes very slow or even impossible. A TCP full-connection attack uses many zombie hosts to establish large numbers of TCP connections with the victim server until its memory and other resources are exhausted and it is dragged down, causing denial of service. The characteristic of this attack is that it bypasses ordinary firewall protection to achieve its aim; the drawback is that many zombie hosts have to be found, and because the zombie hosts' IPs are exposed this DDoS method is easy to trace.

Script flood (refresh) attack: this attack mainly targets website systems that use scripts such as ASP, JSP, PHP and CGI and call databases such as MS SQL Server, MySQL Server and Oracle. Its characteristic is that it establishes normal TCP connections with the server and continuously submits queries and list requests to the scripts, consuming a lot of database resources; it is a typical small-effort, large-effect attack method.

How to defend against DDoS attacks?

Generally speaking, we can start from three levels: hardware, the single host, and the server system as a whole.

I. Hardware

1. Increase bandwidth

Bandwidth directly determines the ability to withstand an attack, and adding bandwidth as hard protection is the theoretical optimum: as long as the bandwidth is greater than the attack traffic there is nothing to fear, but the cost is high.

2. Upgrade the hardware configuration

On the premise of guaranteeing network bandwidth, upgrade the configuration of hardware such as CPU, memory, hard disk, network card, router and switch as far as possible, choosing well-known products with a good reputation.

3. Hardware firewall

Put the server in a data centre with a DDoS hardware firewall. Professional firewalls usually have the ability to clean and filter abnormal traffic, and can resist volumetric DDoS attacks such as SYN/ACK attacks, TCP full-connection attacks and script flood attacks.

Second, a single host.

1. Fix system vulnerabilities in time and upgrade security patches.

2. Shut down unnecessary services and ports, reduce unnecessary system add-ons and startup items, minimise the number of processes on the server, and change the working mode.

3. iptables

4. Strictly control account permissions, prohibit root login and password login, and change the default ports of common services.

Third, the whole server system.

1. Load balancing

Load balancing distributes requests evenly across all servers, thus reducing the burden on any single server.

2. CDN

A CDN is a content distribution network built on top of the existing network. It relies on edge servers deployed in many locations and on the distribution and scheduling modules of a central platform, so that users obtain the content they need from nearby, which reduces network congestion and improves response speed and hit rate. CDN acceleration therefore also uses load balancing technology. Compared with a high-defence hardware firewall, a CDN is more reasonable, with multiple nodes sharing the attack traffic. At present most CDN nodes have 200G traffic protection, and together with hard-defence protection they can be said to cope with most DDoS attacks.

3. Distributed cluster defence

The characteristic of distributed cluster defence is that each node server is configured with multiple IP addresses, and each node can withstand a DDoS attack of no less than 10G. If a node is attacked and cannot provide service, the system automatically switches to another node according to the priority settings, and all the attacker's packets are returned to the sending point, paralysing the attack source.
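The three attack methods described in this answer leave different traces on the victim host: a SYN/ACK flood shows up as many half-open (SYN_RECV) sockets from almost as many distinct, forged sources; a TCP full-connection flood as a few real sources each holding many ESTABLISHED connections; a script flood as ordinary connections whose access-log entries hammer dynamic pages. As an added example that is not part of the original answer, the Python script below runs those three checks over netstat -tan style socket lines and Common Log Format access-log lines; the thresholds, the sample addresses and the build_sample() data are constructed assumptions for illustration, not real captures.

```python
import re
from collections import Counter

# Thresholds are illustrative assumptions; tune them to the host's normal load.
SYN_RECV_LIMIT = 100            # half-open sockets before we call it a SYN flood
ESTAB_PER_SRC_LIMIT = 50        # full connections one client may hold to the web ports
SCRIPT_REQ_PER_SRC_LIMIT = 100  # dynamic-script requests per source in the log window
WEB_PORTS = (80, 443)

# "tcp  0  0  10.0.0.5:80  203.0.113.7:40001  SYN_RECV" (netstat -tan style)
SOCK_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")
# Common/combined access log: client ident user [time] "METHOD path HTTP/x"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')
SCRIPT_EXT = re.compile(r"\.(php|asp|aspx|jsp|cgi)(\?|$)", re.I)


def parse_sockets(lines):
    """Yield (local_port, remote_ip, state) for every TCP socket line that parses."""
    for ln in lines:
        m = SOCK_RE.match(ln)
        if m:
            yield int(m.group(2)), m.group(3), m.group(5)


def detect_syn_flood(sock_lines, limit=SYN_RECV_LIMIT):
    """SYN/ACK flood: many SYN_RECV sockets, almost all from different (spoofed) sources."""
    half_open = Counter(src for _, src, st in parse_sockets(sock_lines) if st == "SYN_RECV")
    total = sum(half_open.values())
    if total < limit:
        return None
    return {"half_open": total, "distinct_sources": len(half_open),
            "spoofed_pattern": len(half_open) > 0.9 * total}


def detect_full_connection_flood(sock_lines, limit=ESTAB_PER_SRC_LIMIT):
    """TCP full-connection flood: real (traceable) sources each holding many ESTABLISHED sockets."""
    per_src = Counter(src for port, src, st in parse_sockets(sock_lines)
                      if st == "ESTABLISHED" and port in WEB_PORTS)
    return sorted(src for src, n in per_src.items() if n >= limit)


def detect_script_flood(log_lines, limit=SCRIPT_REQ_PER_SRC_LIMIT):
    """Script flood: normal connections, but one source hammering database-backed pages."""
    per_src = Counter()
    for ln in log_lines:
        m = LOG_RE.match(ln)
        if m and SCRIPT_EXT.search(m.group(2)):
            per_src[m.group(1)] += 1
    return sorted(src for src, n in per_src.items() if n >= limit)


def run_checks(sock_lines, log_lines):
    """Run all three detectors; the two source lists are candidates for an iptables DROP."""
    return {"syn_flood": detect_syn_flood(sock_lines),
            "full_connection_sources": detect_full_connection_flood(sock_lines),
            "script_flood_sources": detect_script_flood(log_lines)}


def build_sample():
    """Constructed sample data, not a real capture: 150 spoofed half-open sockets,
    one zombie (198.51.100.9) holding 80 established connections, 30 ordinary
    visitors, and one client (198.51.100.10) requesting search.php 120 times."""
    socks = ["tcp 0 0 10.0.0.5:80 203.0.113.%d:%d SYN_RECV" % (i, 40000 + i)
             for i in range(1, 151)]
    socks += ["tcp 0 0 10.0.0.5:80 198.51.100.9:%d ESTABLISHED" % (50000 + i)
              for i in range(80)]
    socks += ["tcp 0 0 10.0.0.5:80 192.0.2.%d:%d ESTABLISHED" % (i, 60000 + i)
              for i in range(1, 31)]
    log = ['198.51.100.10 - - [10/Oct/2023:13:55:36 +0000] "GET /search.php?q=%d HTTP/1.1" 200 512' % i
           for i in range(120)]
    log += ['192.0.2.%d - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 1024' % i
            for i in range(1, 31)]
    return socks, log


if __name__ == "__main__":
    socks, log = build_sample()
    print(run_checks(socks, log))
```

On a real host, feed it the output of netstat -tan and the last minute of the web server's access log. The SYN-flood result has no source list because the addresses are forged, which is why the answer's countermeasure for it is SYN cookies and a larger backlog rather than blocking; the full-connection and script-flood lists do name real hosts, and those can be dropped with the iptables rules the answer mentions (for example iptables -A INPUT -s <address> -j DROP).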