See how vro settings completely implement DDoS Defense

Source: Internet
Author: User

As for the current network environment, vro settings are becoming more and more important. So I have studied how to completely implement DDoS Defense in vro settings. Here I will share with you, hoping to help you. What are the operations on vro settings to implement DDoS defense? First, we need to understand what the principles of DDoS attacks are before we take anti-DDoS measures, and then analyze the causes one by one and take measures.

I. Discussion on principles of DDoS Attack Based on vro settings

In the Distributed Denial of Service (DDoS) attack process, a group of malicious hosts or hosts infected by Malicious Hosts will send a large amount of data to the attacked server. In this case, network nodes close to the edge of the network will become exhausted. There are two reasons: first, the node close to the server usually requires only a small amount of user data to be processed during design; second, because of the aggregation of data in the core network area, nodes on the edge will receive more data. In addition, the server system itself is vulnerable to attacks and suffers from extreme overloading.

DDoS attacks are considered a resource management issue. The purpose of this article is to protect the server system from receiving excessive service requests in the global network. Of course, this mechanism can easily become a protection for network nodes. Therefore, a preventive measure must be taken to prevent attacks by adjusting the traffic on the router on the transfer path before the attack packets are clustered to paralyze the server. The specific implementation mechanism is to set a threshold value for the upstream router with several levels of distance from the server. Only the data volume within this threshold value can pass through the router, other data will be discarded or routed to other routers.

One of the main factors in this defense system is that each route point outputs "appropriate" data volumes. "Appropriate" must be determined by the allocation of requirements at the time, so dynamic negotiation between the server and the network is required. The negotiation method in this article is initiated by the server S). If the server runs below the designed capacity of Us, no threshold value needs to be set for the router; if the server load is Ls) when the design capacity is exceeded, you can set the threshold value on the upstream router of the server for self-protection. After that, if the current threshold value cannot make the load of S lower than Us, the threshold value should be lowered; otherwise, if Ls <Us, the threshold value should be increased; if the increase of the threshold does not significantly increase the load during the peak period, you can cancel the threshold. The goal of the control algorithm is to control the server load within the range of [Ls, Us.

Obviously, it is impossible to retain the status information of all network servers, because this will lead to an explosion of status information. However, it is feasible to select a protection mechanism as needed, which is based on the assumption that DDoS attacks are a phenomenon rather than a common situation. In any period of time, we believe that only a few networks are under attack, and most networks are running in "healthy" status. In addition, malicious attackers usually select the "Main Site" that has the most access to users. These sites can use the following network structure to ensure their own security.

2. Discussion on the pattern of the system in which the router is set to implement DDoS Defense

All data volumes and server loads mentioned in this article are measured in kbps. The system network topology is shown in Figure 1. This article provides the network model G = (V, E), where V represents a series of nodes and E represents the edge. All leaf nodes are host and data sources. The internal node is a router, which does not produce data but can receive data from the host or forward data from other routers. R indicates the internal route node, and all routers are assumed to be trustworthy. Host H = V-R, divided into normal user Hg and malicious user Ha, E is the network link model, default is bidirectional. The leaf node V is treated as the target server S. Normal users send data packets to S at a speed of [0, rg. A malicious attacker sends data packets to S at a speed of [0, ra]. In principle, it can assume that rg <Us) but the value of ra is difficult to determine. In fact, the value of ra is much higher than that of rg.

When S is attacked, it starts the threshold protection mechanism mentioned above. To facilitate representation, assuming that an overloaded server can still enable the protection mechanism, there is no need to set the threshold value for each router. R (k) indicates that the router is located at the k-layer or shorter than the router at the k-layer, but they are directly connected to the host.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.