Anti-denial of service attack (DDoS): Is it sparse or blocked?

Anti-DDoS (distributed denial of service) attack system is to maintain the stability of the business system, continuous operation and high availability of network bandwidth to provide protection capabilities. However, since the 1999 Yahoo, ebay and other e-commerce sites were attacked by denial of service, DDoS has become a new security threat on the internet, which is very dangerous and very difficult to protect.

Especially with the development of hacker technology, DDoS attacks have some new trends and tendencies:

The high load-ddos attack through and the worm, the botnet unifies, has the certain automatic propagation, the centralized controlled, the distributed attack characteristic, because infects the host number, therefore the DDoS attack can produce up to 1G the attack traffic, for the current network equipment or the application service will cause the huge load.

Complexity-ddos attack itself from the original use of the three-layer/four-layer protocol, to use the application layer protocol to attack, such as DNS UDP Flood, CC attacks. Some attacks may be very small, but because the protocol is relatively complex, so the effect is very obvious, and protection is very high, such as the CC attack on the game server, is to use the online game itself some application protocol vulnerabilities.

The damage of large-ddos attacks has also changed, and the previous DDoS attacks have been mainly targeted at portal sites, and now the object of attack has changed. such as DNS server, VoIP authentication server or online games server, the Internet or business network key applications have become the object of attack, targeted at these services, compared to the past will bring greater losses to customers.

The game of sparse and blocking

In recent years, the worm is the biggest security problem on the Internet, some worm virus besides has the traditional characteristic, also embed the DDoS attack code, in addition to the appearance of botnet, the hacker can master a large number of dummy host to launch DDoS attack, cause its traffic is huge. In 2004, when the Tangshan hacker launched the Dos attack against a famous music website in Beijing, its attack traffic was as high as 700M, which caused great loss to the whole business system.

At present, most of the anti-Denial service attack system, although it is known as hardware products, but in fact, is the architecture of the X86 platform server or industrial computer, the key components are the use of Intel or AMD's general-purpose CPU, running in a cropped operating system (usually Linux or BSD), All packet parsing and protection work is done by the software. Due to CPU processing power and PCI bus speed constraints, the processing capacity of such products is greatly limited, usually this type of Denial-of-service attack products can not handle the highest processing capacity of more than 800,000 PPS.

However, in the face of DDoS attacks, the traditional X86 architecture of DDoS protection devices in the performance and stability is difficult to meet the requirements of protection, not to mention in the traditional anti-DDoS attack scheme, basically used in tandem deployment (ie: connected to the firewall, routers or switches between the protected network) mode, This pattern has many drawbacks: on the one hand, it increases the single point of failure in the network, while may cause the performance bottleneck, especially in the case that the attack traffic and background traffic exist simultaneously, may cause the equipment load to be too high, thus affects the normal business operation; The former DDoS protection equipment and firewall system are inextricably linked, so its protection function is mainly in the protocol stack of three-layer/four-tier implementation, such devices for the current load on the application layer protocol on the protection of DDoS attacks weak. (Programming Entry Network)

It is for this reason that we should redesign the entire anti-Denial-of-service attack device from the architecture to meet the further needs of current DDoS protection from performance, functionality, and stability.

Anti-mass denial of service attack, is a sparse and blocking game.

A pawn in a run-off

Recently, NSFocus launched a new black hole 2000 products, with the ability to deal with massive DDoS attacks. It not only supports the traditional series mode, but also realizes the bypass operation mode based on the technology of flow traction. On the one hand, the bypass mode eliminates the single point of failure in the network and avoids the impact of the device itself failure or overload on the network; meanwhile, through the flow traction, the black hole 2000 can only focus on the already shunt attack flow, thus increasing the commitment capacity to deal with the massive DDoS attacks.

In addition to stability and performance, Black Hole 2000 has made a qualitative leap relative to the original model, and more importantly, bypass mode supports the deployment of a variety of complex network environments. For example, for DDoS attacks on the core network of metropolitan area networks, Black Hole 2000 provides remote traffic traction based on MPLS; for DDoS attack protection under the convergence layer of the metropolitan Area Network, the black Hole 2000 product realizes the L3->L2 flow traction and injection mechanism. And in the large IDC or E-commerce site portal, is generally redundant network environment, if the use of black hole 2000 can provide good support for such applications, while ensuring network reliability requirements, but also save a lot of equipment investment costs.

The launch of the Black Hole 2000 realizes the protection of the massive DDoS attack in the complex network environment in a real sense. The processing capability of Gigabit line speed in 64 bytes, the bypass mode in complex network environment and the excellent protection algorithm for application protocol are not only the distinct features, but also the important indexes of evaluating the next generation Anti Denial service attack system. Black Hole 2000 as a gateway device against Denial-of-service attacks, the support of bypass mode marks the international level of green Union technology against denial-of-service attacks against large networks and complex networks. Black Hole 2000 has been applied to key projects of operators and financial industry users to ensure that their critical business is protected from DDoS attacks.