What is a DDos attack? How does the node SSR service prevent and handle attacks?

What is a DDos attack? node How does the SSR service prevent and deal with DDos attacks? The following article will take you to understand DDos attacks, and introduce how the node SSR service prevents and handles DDos attacks. I hope it will be helpful to everyone!

Preventing and dealing with DDos attacks is an important part of stability construction. If it is not prevented in advance, once it is attacked, the service will fall into an unavailable state. , may bring great losses to the business

This article will be biased towards the node ssr service perspective, front-end development students should pay more attention to this aspect. [Related tutorial recommendations: nodejs video tutorial]

What is a DDos attack?

To give a common example, our website can be compared to a bank. Under normal circumstances, the bank can handle the business of up to 100 people at the same time. Normally, you can just walk into the bank and get a number. Can be served

Suddenly a rogue organization wanted to collect protection fees, but the bank refused to give it, so the rogue sent 3,000 or even 30,000 people to get the number at the same time. After passing the number, continue to take the number. The result is that the server cannot handle it, and a large number of normal customers have been waiting. This is a DDOS attack. It initiates a large number of requests in a short period of time, exhausts the server's resources, and is unable to respond to normal access, causing the website to actually degrade. Wire.

DDOS is not an attack, but a general term for a large class of attacks. There are dozens of types, and new attack methods are constantly being invented. Every aspect of website operation can be a target of attack. As long as one link is broken and the entire process cannot run, the purpose of paralyzing the service will be achieved.

Among them, one of the more common attacks is the cc attack. CC attacks are targeted at web pages. CC attacks themselves are normal requests. Normal requests for dynamic pages on the website will also interact with the database. When this "normal request" reaches a certain level, the server will not be able to respond. , thereby collapsing.

baike.baidu.com/item/cc�%…

The following content of this article is aimed at cc attacks.

How to prevent?

First understand the path between a request coming to our services

Business service cluster as For the bottom layer and core assets of the service link, complete upper-layer protection is very important

After intercepting malicious traffic in the outer layer, the business cluster does not need frequent operation and maintenance (capacity expansion and contraction, limit flow, etc.), reducing operation and maintenance costs

• The business cluster does not need to prepare too many additional resources to attack traffic, saving costs
• It has good versatility and is easy to be transplanted to other services, bringing To stabilize the income

The prevention methods are also introduced in this order

Access to the CDN layer
nginx current limit
Connect to WAF firewall
Other protection layers
Improve the processing capabilities of the origin site.
• For the SSR service, there are 2 suggestions

  
  

  Let the SSR service only handle the return of the root HTML, and all other resources must be placed on the CDN
  When an attack occurs, temporarily downgrade SSR to CSR

1. Access the CDN layer

The CDN layer will be the outermost layer, which is convenient for emergency situations. You can enable CDN caching or enable CDN paid projects to protect the security of other internal services. For example:

For example, if instantaneous traffic of millions, tens of millions or more comes in, it is possible that the load balancing layer will be down, which will affect the entire company's business. , it’s not just the service that was attacked
CDN’s protection capabilities include: CDN cache, Robot detection, IP reputation database, and building a custom protection rule set (combined with historical attacks Features and business forms), etc. (enabled by paid level)
Another aside (personal opinion), CDN vendors have countless servers around the world, and large CDN vendors can almost against all attacks, and will also charge according to the protection level (protection fee). I personally think that some attacks are probably caused by CDN vendors colluding with illegal companies. It is equivalent to rogues charging protection fees. If they don’t pay the protection fees, they will smash the store (attack) to let you know the pain, and then buy CDN protection services. And it can activate more than tens of millions of QPS. Except for CDN manufacturers (which have many servers), it should be difficult for ordinary people

#

2. nginx current limit

3. Connect to WAF firewall

Let’s talk about these two together, which is also biased The operation and maintenance level is company-level infrastructure, and the specific access methods and specific configurations vary from company to company. I won’t go into detail here

What is nginx current limit?

• You can search by yourself

What is a WAF firewall?

• You can read this articlewww.huaweicloud.com/zhishi/waf0…

To summarize the WAF layer, it will pass the pre- Set up a rich reputation database to detect and intercept threats such as malicious scanners, IPs, and cyberhorses

• Comprehensive attack protection: supports SQL injection, XSS cross-site scripting, Detect and intercept threats such as file inclusion, directory traversal, sensitive file access, command\code injection, web Trojan upload, third-party vulnerability attacks, etc.

• Human-computer recognition

• Interface speed limit, WAF can set a flexible speed limit policy based on IP or cookie

• Based on a rich combination of fields and logical conditions, precise control

  • Supports rich field conditions: based on common HTTP parameters and fields such as IP, URL, Referer, User-Agent, Params, etc. Condition combination.
  • Supports a variety of conditional logic: supports logical conditions such as inclusion, not inclusion, equal, not equal, prefix equal, prefix not equal, etc., and sets blocking or releasing policies.

#4. Other protective layers

Different companies may have other protection layers corresponding to different businesses and their own characteristics. Protection layer, such as overload protection for single instances (determine whether the current service status is overloaded, and then dynamically discard some low-priority requests based on the priority of the traffic to ensure the normal operation of the service as much as possible)

There are many kinds of protective layers here. If you are interested, you can learn more about it

5. Improve the processing capabilities of the origin station

Forging iron requires one's own hard work

This is easy to understand. Improving the processing capacity of the service will naturally allow it to handle more traffic.

For SSR services, there are several suggestions as follows

Suggestion 1: Let the ssr service only handle the return of the root HTML, and all other resources must be placed on the CDN

For the ssr service, it is very important to give a Suggestions

• Let the ssr service only handle the return of the root HTML, and all other resources must be placed on the CDN

• Here It is easy to understand if we take juejin as an example. We can see from the figure below that juejin itself is also an SSR service. The origin site only processes the root HTML, and all other resources (js, css, pictures, fonts, etc.) are placed in on CDN. The purpose of this is also to improve the processing capabilities of the origin site, which puts a lot of pressure on the CDN

Suggestions 2: When an attack comes, temporarily downgrade SSR to CSR

SSR rendering is more CPU-intensive (requires compilation and parsing to generate HTML) , so the QPS capability of the ssr service is not high. It is easy to be defeated when facing attacks

Solution: Temporarily downgrade SSR to CSR

How to downgrade SSR?

• Downgrade to CSR (client-side rendering), so that there is no need to generate complex HTML on the server side, and only need to return simple HTML.

  CSR is a single-page application. The simplest example is the UI component library. As you can see in the picture below, this HTML is very simple and static. Returning this static HTML does not consume much server resources.

• And you can also cache the root HTML file in memory, which can increase the processing power of the server. Improved dozens or even hundreds of times

I will write about how to achieve SSR downgrade in a later article

6. Others

For example, there may be elastic expansion and contraction capabilities, which can only resist small traffic attacks

How to deal with emergency situations after being attacked?

has been attacked, and the service has started to be very slow, or even directly blocked. At this time, it is too late to optimize the code layer, and can only do some configurations at the operation and maintenance layer

I mainly list the following three points here, welcome to add

• Expansion

• Upgrade protection strategy

• Enable CDN caching

1. Capacity expansion

can only deal with small traffic attacks

2. Upgrade protection strategy

This is a bit involving business secrets... I don’t dare to write about it. Friends who are interested can search for it by themselves, or ask about the company’s operation and maintenance

Anyway, there is one thing I guessed. Generally, after paying money to the CDN, there may not be attacks later. Even if there are, they may only be attacks with small traffic and easy to protect.

3. Turn on CDN caching

ssr service, if the CDN cache is not turned on during normal access, you can temporarily turn on the CDN cache when it is attacked.

Summary

• The sooner you take preventive measures, the better. Don’t start taking them only after you are attacked, because a lot of losses may have already been caused.

• Only when you have done what you need to do and answered what needs to be done, you will have room to operate the configuration when you are actually attacked. Otherwise, you can only pray to God to attack quickly. Stop... Or you can only passively accept blackmail

Safety is no trivial matter, may the world be peaceful

For more node-related knowledge, please visit:nodejs tutorial !

The above is the detailed content of What is a DDos attack? How does the node SSR service prevent and handle attacks?. For more information, please follow other related articles on the PHP Chinese website!