What is the best way to defend against DDoS attacks?

Problem description:


I live in an open community. I run a game on a dedicated server and have no idea about DDoS security. I am trying to stop concurrent attacks against my game server but have no idea where to make my first move; it's like I am checkmated in an intense game of chess. Do I use another host's protection? Do I build my own kind of protection? What is the best way to go here? I am looking to protect my game from HTTP attacks and TCP attacks.


DDoS protection is a process where you plan for it, have things ready, act when needed and learn lessons from past incidents.


The whole has to be made to measure to fit your needs and possibilities.

Some thoughts:

  • DDoS is used as an attack by the bad guys typically for two reasons:

    1. to make your service unavailable
    2. to demand money to protect you from the perps (mafia technique)

  • The amount of traffic even a wannabe perpetrator could send you is typically enough to saturate any incoming connection money can buy. The reason is that "botnets" can be rented real cheap and their combined output bandwidth by far exceeds any incoming bandwidth one could afford continuously (or for most even as a one-off). This means that if it comes to a "mine is larger than yours" situation, the victim always loses.

    You can do things up front:

    1. make sure to be "mobile": be ready to swiftly change where your service is located (e.g. make sure to use relatively small caching times (time to live) for DNS names, so you can quickly and nimbly switch servers for genuine users each time, side-stepping the ongoing attack)
    2. have fallback servers ready: if you need to sidestep an attack, it really helps to have servers idling that can take over the real users at any time. CDNs can help here too, but make sure they won't abandon you or charge you excessive amounts if you're under attack. This might well mean you want to replicate e.g. (crucial) (parts of) your databases on an ongoing basis so as to make sure the alternate servers have the data they need.
    3. explore contracts up front: if you need to negotiate, your downtime will be longer. The important parts are to mitigate your costs while under attack for e.g. incoming bandwidth that you cannot control. Similarly, that they won't drop you as a customer because you're under attack. For your alternate servers, you might want to minimise costs while not under attack. Etc.
    4. prioritise: what services do you really need while under attack? Have smaller, lighter versions of your service ready to react on overload. For added bonus: make your services aware of "current" load and overload conditions and adapt the service accordingly automatically.
    5. low impact services: the less impact a visitor has on your server resources, the harder it is to take you out (or the less effect there is). E.g. make sure the costly services are for authenticated users only, not for public consumption. (That way you can lock out abusive users more easily.)
    6. have communication plans made up: determine what is going to be communicated by whom (to whom) over what medium up front. Don't worry too much about info you give to your attacker: they know already if they're a tiny bit smart. You need to inform your regular customers/users and gain a bit of PR back for a diminished service/quality you're able to provide under the difficult circumstances.
    7. make sure every decision maker agrees to have a policy to NEVER EVER pay for the attack to stop, as it will only come back worse. If you're a likely target, make this policy public.
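The load-aware degradation in item 4 and the "costly services for authenticated users only" idea in item 5, as an added Python illustration that is not code from the answer above: a small admission gate that rate-limits each client with a token bucket and, once a sliding-window load meter says the server is overloaded, keeps the full service for authenticated users while everyone else gets the lighter version. The class names, thresholds, client ids and request sample are all constructed for the example.

```python
from collections import defaultdict

class TokenBucket:
    """Per-client budget: `rate` requests per second, bursts up to `capacity`."""
    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = float(capacity), 0.0

    def allow(self, now):
        # Refill proportionally to elapsed time, then spend one token if available.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class AdmissionGate:
    """Returns 'full', 'lite' (the cheap fallback version) or 'reject' per request."""
    def __init__(self, overload_rps, per_client_rate, burst):
        self.overload_rps = overload_rps
        self.buckets = defaultdict(lambda: TokenBucket(per_client_rate, burst))
        self.admitted = []  # timestamps of admitted requests (sliding 1 s window)

    def current_rps(self, now):
        self.admitted = [t for t in self.admitted if now - t < 1.0]
        return len(self.admitted)

    def decide(self, client_id, authenticated, now):
        # Item 5: per-client budget first, so a single abusive source is
        # locked out without touching anyone else's service.
        if not self.buckets[client_id].allow(now):
            return "reject"
        overloaded = self.current_rps(now) >= self.overload_rps
        self.admitted.append(now)
        if not overloaded:
            return "full"
        # Item 4: under overload keep the costly path for authenticated
        # users only; everyone else gets the lighter version automatically.
        return "full" if authenticated else "lite"

def simulate(requests, overload_rps=3, per_client_rate=2, burst=2):
    """Feed constructed (client_id, authenticated, timestamp) tuples through one gate."""
    gate = AdmissionGate(overload_rps, per_client_rate, burst)
    return [gate.decide(c, a, t) for c, a, t in requests]

# Constructed sample: a flood from anonymous sources while one authenticated
# player keeps playing (thresholds deliberately tiny so the effect is visible).
SAMPLE = [("bot1", False, 0.00), ("bot1", False, 0.01), ("bot1", False, 0.02),
          ("bot2", False, 0.03), ("bot3", False, 0.04), ("player", True, 0.05),
          ("bot1", False, 1.50)]
```

`simulate(SAMPLE)` shows the third bot1 request rejected by its own budget, bot3 pushed to the lite version once the window is full, the authenticated player still served in full, and bot1 admitted again once its bucket has refilled and the load has dropped.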