Security – DDoS: Are we that helpless?

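See also the English answers > I am under DDoS. What can I do? (4 answers)

With the recent WikiLeaks-related DDoS incidents, I can't help feeling that almost every online site is very vulnerable to this kind of attack. Visa and MasterCard (to name a few) went down because of it.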

So my questions are:

> Is DDoS such a powerful form of attack?
> What measures can companies take to deal with it?

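Edit:
I think I may have phrased my question badly. I know what a DDoS is (from Wikipedia and other sites).

My real question is: why don't these big companies adopt anti-DDoS technology? Don't tell me PayPal and MasterCard aren't afraid of service disruptions or attacks. I have looked at the cost of some of these solutions, and they don't look expensive compared to what PayPal or VISA makes in a year. The real question is why they were so unprepared. (Or was the scale of the DDoS much bigger than expected?)

There is a similar question here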

The challenge with this question is
that it asks for a solution to a
fundamentally unsolvable problem.
There’s no tool or practice you can
adopt that is going to protect you
from a moderately competent attacker
who is determined to take down your
service.

mod_evasive is about as good a
solution as you’re going to get to
this problem in the short term. It
implements “best practices” throttling
of requests, and will prevent your
system from being taken down by a 5
line Perl script.

In the longer term, when your
application becomes successful, you’ll
inevitably wind up deploying a load
balancer in front of it. The
mainstream commercial load balancers
(like F5’s Big-IP) all implement “DOS
protection” throttling, so you can
turn that feature on when you upgrade.
But don’t upgrade just to get that
feature.

The problem with solving modern DDOS
attacks is that they are launched from
numerous unrelated endpoints (often,
from huge botnets). Web application
firewalls like Citrix/NetScaler,
Imperva, and F5 will do a decent job
with the canned attacks, but skilled
analysts (preferably from your own
team) are going to be needed to stop
“real” attackers who know your name;
you do that job by analyzing the
attack traffic, finding
characteristics in it particular to
the attacker, and filtering it.

I think you’re on the right track with
free “plug-and-play” defenses for
this, especially with a new
application.

@tqbf
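
The traffic analysis the quoted answer describes (finding characteristics particular to the attacker, then filtering on them) can be sketched as below. This is an added example, not part of the original question or of @tqbf's answer; the log lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format; lines that do not match are skipped.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse(lines):
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]

def shared_traits(baseline, window, fields=("ua", "path", "referer"),
                  min_ips=3, min_share=0.5, max_baseline_share=0.05):
    """Return (field, value, distinct_ips, share) for request traits that
    dominate the attack window, come from many unrelated source IPs, and
    were rare in normal traffic (so filtering on them spares real users)."""
    base, cur = parse(baseline), parse(window)
    findings = []
    for field in fields:
        ips, hits = defaultdict(set), defaultdict(int)
        for r in cur:
            ips[r[field]].add(r["ip"])
            hits[r[field]] += 1
        for value, n in hits.items():
            share = n / len(cur)
            seen = sum(1 for r in base if r[field] == value)
            base_share = seen / len(base) if base else 0.0
            if (len(ips[value]) >= min_ips and share >= min_share
                    and base_share <= max_baseline_share):
                findings.append((field, value, len(ips[value]), round(share, 2)))
    return sorted(findings, key=lambda f: -f[3])

# Constructed sample traffic (documentation IP ranges, made-up user agents).
def _line(ip, path, ua, referer="-"):
    return (f'{ip} - - [01/Jan/2024:12:00:00 +0000] "GET {path} HTTP/1.1" '
            f'200 512 "{referer}" "{ua}"')

BROWSER, FLOOD = "Mozilla/5.0 (constructed browser)", "Mozilla/4.0 (constructed flood UA)"
BASELINE = [_line(f"198.51.100.{i}", p, BROWSER) for i, p in
            enumerate(["/", "/about", "/pricing", "/", "/login", "/search?q=a"], 1)]
WINDOW = ([_line(f"203.0.113.{i}", "/search?q=a", FLOOD) for i in range(1, 9)]
          + [_line("198.51.100.1", "/", BROWSER), _line("198.51.100.2", "/about", BROWSER)])

if __name__ == "__main__":
    for finding in shared_traits(BASELINE, WINDOW):
        print(finding)
```

In the sample, the flooded path `/search?q=a` is not reported because legitimate users also request it; only the user agent shared by the eight flooding sources is a safe filter candidate.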

Translated from: https://serverfault.com/questions/211944/ddos-are-we-that-helpless
