问题
I live in an open community.. I run a game on a dedicated server and have no idea about ddos security, I am trying to stop concurrent attacks against my game server but have no idea where to make my first movie, its like I am checkmated in an intense game of chess, do I use another hosts protection? do I build my own kind of protection.. what is the best wya to go here. I am looking to protect my game from http attacks and tcp attacks.
回答1:
DDOS protection is a process where you plan for, put things ready, act when needed and learn lessons from past incidents.
The whole has to be made to measure to fit your needs and possibilities.
Some ideas:
DDOS is used as an attack by the bad guys for typically two reasons:
- to make your service unavailable
- to demand money for protection from the perps themselves (maffia technique)
The amount of traffic even a wannabe perpetrator could send you is typically enough to saturate any incoming connection money can buy. The reason is that "botnets" can be rented real cheap and their combined output bandwidth by far exceeds any incoming bandwidth one could afford continuously (or for most even as a one-off). This means that if it comes to a "mine is larger than yours" situation: the victim always looses.
You can do things up front:
- make sure to be "mobile": Be ready to swiftly change where your service is located (e.g.: make sure to use relative small caching times (time to live) for DNS names, so you can quickly and nimbly switch servers for genuine users each time side-stepping the ongoing attack)
- have fallback servers ready: if you need to sidestep an attack, it really helps to have servers idling that can take over the real users at any time. CDNs can help here too, but make sure they won't abandon you or charge you excessive amount if you're under attack. This might well mean you want to replicate e.g. (crucial) (parts of) your databases on an ongoing basis as to make sure the alternate servers have the data they need.
- explore contracts up front: if you need to negotiate, your downtime will be longer. The important parts are to mitigate your costs while under attack for e.g. incoming bandwidth that you cannot control. Similarly that they won't drop you as a customer because you're under attack. For your alternate servers, you might want to minimise costs while not under attack. Etc.
- prioritise: What services do you really need while under attack ? Have smaller, lighter versions of your service ready to react on overload. For added bonus: make your services aware of "current" load and overload conditions and adapt the service accordingly automatically.
- low impact services: the less impact a visitor has on your server resources, the harder it is to take you out (or the les effect there is). e.g. Make sure the costly services are for authenticated users only, not for public consumption. (that way you can lock out abusive users more easily)
- Have communication plans made up: determine what is going to be communicated by whom (to whom) over what medium up front. Don't worry too much about info you give to your attacker: they know already if they're a tiny bit smart. You need to inform your regular customers/users and gain a bit of PR back for a diminished service/quality you're able to provide under the difficult circumstances.
- Make sure every decision maker agrees to have a policy to NEVER EVER pay for the attack to stop, as it will only come back worse. If you're a likely target, make this policy public.
回答2:
I see a lot of websites using CloudFlare to protect from DDOS
https://www.cloudflare.com/case-studies-eurovision/
If you were interested in learning how to stop it all by yourself though this is probably a good place to start your learning journey: https://en.wikipedia.org/wiki/Denial-of-service_attack#Defense_techniques
来源:https://stackoverflow.com/questions/33468868/what-is-the-best-way-to-protect-against-ddos-attacks