In recent days, the registration page of the company's official website and business system has been repeatedly hit by DDoS attacks, driving the CPU usage of the IIS application pool to 100% and causing 503 errors when the website is accessed. The following is a summary of the countermeasures.

1. Enable the CPU monitoring function of IIS

This approach works for low-volume DDoS. w3wp.exe is the worker process of the application pool, and when web traffic is high, w3wp.exe consumes a lot of system resources. Under a DDoS attack the obvious symptom is that w3wp.exe occupies 100% of the CPU and the website refuses connections, which also makes it difficult to log in to the server remotely. For this situation, the following optimizations were made:

1. Set up a separate application pool for each website in IIS.
2. Set the CPU monitoring function for each application pool: when the CPU usage of w3wp.exe exceeds 50%, the w3wp.exe process is automatically killed, and the monitoring interval is 1 minute. Whenever an access request comes in, w3wp.exe restarts without affecting user access.
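As an added example that is not part of the original post, the following PowerShell applies the two settings above (one pool per site, kill w3wp.exe at 50% CPU, checked every minute) through the WebAdministration module and reads the result back; the site names are assumptions.

```powershell
# Added example (not from the original post): per-site application pools with
# IIS CPU monitoring set to kill w3wp.exe at 50% CPU, measured once a minute.
# Site names are hypothetical; run in an elevated PowerShell on the IIS host.
Import-Module WebAdministration

$sites = @('www.example.com', 'register.example.com')   # assumed site names

foreach ($site in $sites) {
    $poolPath = "IIS:\AppPools\$site"

    # One dedicated pool per site, so a flood on one site cannot starve the others.
    if (-not (Test-Path $poolPath)) {
        New-WebAppPool -Name $site | Out-Null
    }

    # cpu.limit is expressed in 1/1000 of a percent: 50000 = 50% CPU.
    Set-ItemProperty $poolPath -Name cpu.limit -Value 50000
    # Kill the worker process when the limit is exceeded (the post's setting);
    # IIS 8+ also offers 'Throttle', which caps the pool instead of killing it.
    Set-ItemProperty $poolPath -Name cpu.action -Value KillW3wp
    # Monitoring interval: CPU usage is measured and reset every minute.
    Set-ItemProperty $poolPath -Name cpu.resetInterval -Value ([TimeSpan]::FromMinutes(1))

    # Bind the site to its own pool (the site itself must already exist).
    if (Test-Path "IIS:\Sites\$site") {
        Set-ItemProperty "IIS:\Sites\$site" -Name applicationPool -Value $site
    }
}

# Read the configuration back so the change can be confirmed and audited.
foreach ($site in $sites) {
    $cpu = Get-ItemProperty "IIS:\AppPools\$site" -Name cpu
    '{0}: limit={1}% action={2} interval={3}' -f $site, ($cpu.limit / 1000), $cpu.action, $cpu.resetInterval
}
```

The same settings can be applied with `appcmd set apppool /apppool.name:"<name>" /cpu.limit:50000 /cpu.action:KillW3wp /cpu.resetInterval:00:01:00` where the WebAdministration module is not available.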
2. Traffic scrubbing

When the attackers found that the low-volume DDoS was no longer working, they intensified their attacks. At first the average number of concurrent connections on our official website was only a few thousand, but it later rose to an average of 16,000, with a peak of 70,000, so the CPU monitoring function above became ineffective: after w3wp.exe restarted, the CPU reached 100% again within a very short time. The number of concurrent connections monitored at that time:
CPU usage and traffic (bandwidth limit 10M):
Fortunately, the official website's domain name happened to have its ICP filing with Alibaba Cloud. After we migrated to Alibaba Cloud, most of the abnormal traffic was scrubbed by the DDoS protection function of Cloud Shield, CPU usage returned to normal immediately, and the official website was fully back in service. Note: the threshold of Alibaba Cloud's free basic DDoS protection is 5Gbps; if the attack traffic exceeds this value, the address is blackholed and the service becomes inaccessible.
Here are the parameters of the cloud server: