Analysis of how to implement DDoS defense thoroughly in router settings

Source: Internet
Author: User

Which defensive operations does a router configuration need in order to implement DDoS defense? Before taking anti-DDoS measures, we first need to understand the principles behind DDoS attacks; then we can analyze the causes one by one and take measures against each of them.

I. Discussion of the principles of DDoS attacks in the context of router settings

In a Distributed Denial of Service (DDoS) attack, a group of malicious hosts, or hosts infected by a malicious host, sends a large amount of data to the server. Network nodes close to the edge of the network then become exhausted, for two reasons: first, a node close to the server is usually designed to process only a small amount of user data; second, because data aggregates in the core network area, nodes at the edge receive more data. In addition, the server system itself is vulnerable to attack and suffers extreme overload.

DDoS attacks can be regarded as a resource management issue. The purpose of this article is to protect the server system from receiving excessive service requests from the global network; of course, the same mechanism can easily be turned into protection for network nodes. A preventive measure is therefore taken: the traffic on the routers along the transfer path is adjusted before the attack packets converge and paralyze the server. The specific mechanism is to set a threshold value on the upstream routers that are several hops away from the server. Only the data volume within this threshold passes through the router; the remaining data is discarded or routed to other routers.

One of the main factors in this defense system is that each routing point outputs an "appropriate" data volume. What is "appropriate" must be determined by the demand at the time, so dynamic negotiation between the server and the network is required. In this article the negotiation is initiated by the server (S). If the server runs below its designed capacity (Us), no threshold needs to be set on the router; if the server load (Ls) exceeds the designed capacity, a threshold can be set on the upstream routers of the server for self-protection.

After that, if the current threshold cannot bring the load of S below Us, the threshold should be lowered; otherwise, if Ls < Us, the threshold should be increased; and if increasing the threshold does not significantly increase the load during the peak period, the threshold can be cancelled. The goal of the control algorithm is to keep the server load within the range [Ls, Us].

Obviously, it is impossible to retain status information for every server in the network, because this would lead to an explosion of state. However, selecting a protection mechanism on demand is feasible, based on the assumption that DDoS attacks are an occasional phenomenon rather than the common situation: in any period of time, we believe that only a few networks are under attack and most networks are running in a "healthy" state. In addition, malicious attackers usually select the "main sites" that receive the most user traffic, and these sites can use the following network structure to ensure their own security.

II. Discussion of the system model in which routers are configured to implement DDoS defense

All data volumes and server loads mentioned in this article are measured in kbps. The system network topology is shown in Figure 1. The article models the network as a graph G = (V, E), where V is the set of nodes and E the set of edges. All leaf nodes are hosts and are the data sources. Internal nodes are routers, which produce no data but receive data from hosts or forward data from other routers. R denotes the set of internal routing nodes, and all routers are assumed to be trustworthy. The hosts H = V - R are divided into normal users Hg and malicious users Ha; E is the set of network links, which are bidirectional by default.

One leaf node in V is treated as the target server S. Normal users send packets to S at a rate in [0, rg]; a malicious attacker sends packets to S at a rate in [0, ra]. In principle we can assume rg < Us, but the value of ra is difficult to determine; in practice ra is much higher than rg.

When S is attacked, it starts the threshold protection mechanism described above. To simplify the representation, it is assumed that an overloaded server can still enable the protection mechanism, and there is no need to set a threshold on every router: R(k) denotes the routers at layer k from the server, together with routers at a shallower layer that are directly connected to hosts.
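The server-initiated negotiation of Section I and the Hg/Ha traffic model of Section II, simulated together as an added example (not code from the original article). It assumes a one-level set of upstream routers R(k) that apply their threshold as a hard cap on forwarded kbps, proportional lowering, doubling when relaxing, a 5% target band below Us and a 1% "no significant increase" test; the topology and rates are constructed sample values.

```python
from typing import List, Optional
from dataclasses import dataclass

@dataclass
class Router:
    """Upstream router R(k): forwards the traffic of its directly attached hosts,
    capped at its threshold (kbps); threshold None means no cap is set."""
    hosts: List[float]                 # offered rates in kbps (constructed values)
    threshold: Optional[float] = None

    def output(self) -> float:
        total = sum(self.hosts)
        return total if self.threshold is None else min(total, self.threshold)

def server_load(routers: List[Router]) -> float:
    """Ls: aggregate kbps reaching S through its upstream routers."""
    return sum(r.output() for r in routers)

def negotiate(routers: List[Router], Us: float, margin: float = 0.05,
              rounds: int = 20) -> float:
    """Server-initiated negotiation (assumed steps, not the article's exact
    algorithm): each round S measures Ls and instructs its upstream routers to
    lower thresholds in proportion when Ls > Us, to raise them when Ls is well
    below Us, and to cancel them when raising has no significant effect
    (the attack has subsided). Returns the final Ls."""
    for _ in range(rounds):
        Ls = server_load(routers)
        if Ls > Us:                                     # overloaded: throttle
            scale = Us / Ls
            for r in routers:
                r.threshold = r.output() * scale
        elif Ls < (1 - margin) * Us:                    # below target band: relax
            capped = [r for r in routers if r.threshold is not None]
            if not capped:
                break                                   # nothing left to relax
            for r in capped:
                r.threshold *= 2
            if server_load(routers) - Ls < 0.01 * Us:   # no significant increase
                for r in capped:
                    r.threshold = None                  # cancel the threshold
                break
        else:
            break                                       # Ls within [(1-margin)Us, Us]
    return server_load(routers)

if __name__ == "__main__":
    Us = 1000.0  # designed capacity, kbps
    # Constructed topology: R2 carries two attackers sending at ra >> rg.
    net = [Router([50, 60, 40]), Router([80, 900, 700]), Router([30, 20])]
    print(negotiate(net, Us))    # throttled to about 1000 kbps
    net[1].hosts = [80, 0, 0]    # attackers stop sending
    print(negotiate(net, Us))    # thresholds relaxed, then cancelled: 280 kbps
```

Note that the cap on R1 also throttles its normal users, because a volume threshold cannot tell Hg from Ha behind the same router; the collateral loss is the price of keeping Ls at or below Us.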

I would like to share with you this analysis of how to implement anti-DDoS measures in router settings; I hope the introduction above has made it understandable.
