DDoS attack defense scheme. There have been a large number of DDoS attack events recently (see "Analysis of DDoS attack events in 2014"), and everyone facing them is asking the same question: how do we defend against DDoS? For this issue of Green Alliance Technology's Security + Technology publication, we invited Green Alliance Technology's DDoS experts to discuss anti-DDoS solutions for telecom operators.
The current DDoS threat landscape involves several types of attack: volumetric DDoS attacks (such as SYN Flood, UDP Flood, ICMP Flood and ACK Flood), application-layer DDoS attacks (such as HTTP GET Flood, connection exhaustion and CC), slow DDoS attacks, and vulnerability-based DDoS attacks. The hardest to deal with are distributed amplification DDoS attacks. From the victim's point of view, every packet in such an attack looks normal; only the volume is abnormal, generally reaching 300 Gbps to 2 Tbps. With the arrival of the broadband era, the probability of such attacks keeps rising.
Enterprise servers are usually hosted in telecom carriers' IDCs and reach the Internet over rented 100 Mbps/1 Gbps or 10 Gbps carrier links. Likewise, telecom operators generally connect their own systems to the Internet over 100/1000 Mbps links. In short, a user's access bandwidth is tiny compared with a DDoS attack whose traffic runs into the Gbps range.
Existing abnormal traffic cleaning solutions and their shortcomings
The traditional solution cannot cope with 40 Gbps of DDoS attack traffic
DDoS attacks target the customer's business servers, which are usually located in the carrier's IDC or in the enterprise's self-built network. Traditional abnormal traffic cleaning equipment is deployed close to the service host and, because it is built by different parties, usually consists of separate abnormal traffic monitoring equipment and abnormal traffic cleaning equipment. This solution has the following shortcomings:
1. The cleaning capability of abnormal traffic cleaning equipment is generally below 20 Gbps, or 40 Gbps when a cluster of cleaning devices is used. A DDoS attack that exceeds this capability causes service interruption or a decline in service level;
2. Even if the attack traffic is below 20 Gbps, it occupies a large share of the access bandwidth, so service level and user experience still degrade;
3. It cannot defend against DDoS attacks that originate inside the network (traffic that flows from one internal point to another never passes the cleaning device and is therefore outside its protection scope).
Blindly pursuing high-performance solutions leads to a decline in service capabilities
The biggest shortcoming of the traditional abnormal traffic cleaning solution is that the cleaning capability of the equipment is insufficient, so the first idea that comes to mind is to raise the cleaning capability. Because the access link of the service server and the processing capability of the access router are both limited, the cleaning system has to be moved upstream, and cleaning equipment is usually deployed on the provincial egress router (it can also be deployed on the metropolitan area network routers, but that gives the same protection capability with more devices and a higher investment). Shortcomings of this solution:
1. Very large DDoS attacks, beyond the Gbps scale, still cannot be handled;
2. DDoS attacks originating from the metropolitan area network (MAN), i.e. from below the cleaning point, are outside the protection scope of the cleaning devices and cannot be blocked;
3. The telecom operator's backbone still carries a large amount of useless DDoS attack traffic, wasting valuable backbone bandwidth and equipment processing capacity and degrading network service levels;
4. Protection equipment is expensive and its cost-effectiveness is low.
Large-volume DDoS attack cleaning solution
Judging from the trend, DDoS attack traffic will keep growing. If only cleaning near the business host is used, then no matter how powerful the protection equipment becomes, it cannot keep pace with the growth of attack traffic and meet protection requirements. The near-source cleaning approach instead distributes abnormal traffic cleaning devices close to the attack sources. Each device only cleans a portion of the attack traffic, so the solution as a whole has a very large aggregate cleaning capability, and that capability scales flexibly: it meets today's needs and can also grow to meet even larger DDoS attacks.
Abnormal traffic cleaning requires detection and cleaning capabilities to work together. If only near-source cleaning is used, the attack traffic seen at each point is small and the alarm threshold has to be set low, which leads to false positives and false negatives. Therefore, our overall design philosophy is as follows:
Separation of detection and cleaning. To improve detection sensitivity and economy, deploy the detection devices close to the service host or perform detection in the core network; deploy the cleaning devices as close to the attack sources as possible.
Combination of near-source and near-business-host cleaning. Deploying cleaning devices near the sources gives high cleaning capability and elasticity at lower cost. However, each near-source cleaning point may let part of the attack traffic through, for example traffic below the threshold that triggers cleaning; when this residue converges on the business host it still forms a DDoS attack, so cleaning devices are also needed near the business host to handle it.
Bidirectional abnormal traffic cleaning. A network access point or a service host in a network area may be the target of an external DDoS attack and may also be sending DDoS attack traffic outward, and both can happen at the same time. Cleaning therefore has to work in both directions.
Unified management and collaboration. For a given large-volume DDoS attack, once it is detected, the corresponding cleaning devices must be mobilised as needed to clean the abnormal traffic under one unified policy. All cleaning equipment therefore has to be managed centrally and operate in coordination.
In addition, to reduce false positives and false negatives, the data from the abnormal traffic detection devices must be aggregated for screening, comparison and analysis. This improves detection accuracy, lowers the false negative rate, and allows the cleaning devices to be mobilised to be identified from the attack sources.
Key Technology Implementation Analysis
This solution consists of attack traffic detection, abnormal traffic cleaning, and a management platform. The attack traffic detection part differs little from the preceding solution; the other two parts are highlighted here.
Management platform. After receiving the traffic detection data, the management platform aggregates, filters and analyses it. Once an abnormal traffic attack is identified, it generates and schedules an abnormal traffic cleaning policy. At this point two things must be clear: 1) the attack source areas, which determine the cleaning devices to mobilise; these are found with an attack source tracing system or by looking up the source IP addresses of the attack data in an IP address library; 2) the cleaning policy for each specific device, which is either a near-source cleaning policy or a near-business-host cleaning policy, allocated according to where the device is deployed.
Abnormal traffic cleaning. Unlike earlier cleaning equipment, the cleaning devices in this solution must be able to clean traffic in both directions. In principle, once a cleaning device receives a cleaning request it redirects traffic according to the policy. After cleaning, a near-source device reinjects the clean traffic upward (toward the core network), while a near-business-host device reinjects the clean traffic downward (toward the business host).
For telecom operators, the main sources of DDoS attacks include:
Local MAN home terminals
Local mobile Internet smartphone terminals
Business hosts in the IDC center
Self-owned business hosts in the regional network
Domestic (China) Internet interconnection points
International interconnection points
Abnormal traffic detection devices can be deployed at the provincial branch egress routers, the IDC center egress routers, and the egress routers of self-owned business hosts in the regional network, so that attack traffic is detected across the whole network.
Abnormal traffic cleaning devices can be attached to a router near the attack source, such as the IDC egress router, the metro egress router, the packet core network egress router, the self-owned business network egress router, or the domestic or international interconnection router. The exact deployment location can be adjusted to the network conditions.
In addition, a security management platform is deployed on the network and interconnected with all attack traffic detection devices and cleaning devices; its location is not restricted.
Attack protection process description
To simplify the process, we will take the IDC centers in Beijing, Shanghai, and Guangzhou for collaborative protection as an example. The system protection solution is as follows.
Figure 3: System protection overview
Now, if the server in the Shanghai IDC center is under heavy DDoS attacks, the protection process is as follows.
1. Attack detection. When a DDoS attack occurs, the attack traffic monitoring devices deployed in the core network and at the IDC center egress send the NetFlow data they collect in real time to the security management platform. After the platform determines that a DDoS attack is under way, it identifies the province and access point of each attack source from the source IP address information. Here we assume the sources include the Beijing and Guangzhou IDC centers.
Having established the attack source provinces and access points, the security management platform issues a near-source traffic cleaning policy to the cleaning devices in the Beijing and Guangzhou IDCs, and at the same time issues a near-business-host cleaning policy to the cleaning devices in the Shanghai IDC center.
2. Attack protection. On receiving the command to start the cleaning policy, the cleaning devices deployed in the Beijing and Guangzhou IDCs redirect all traffic destined for the IP address of the attacked Shanghai IDC service host to themselves. After cleaning, the traffic is reinjected to the IDC center egress router and forwarded upstream.
When packets carrying the remaining attack traffic arrive at the Shanghai IDC, the cleaning device there cleans according to the policy it received: all traffic destined for the attacked IP address is redirected to the cleaning device, and after cleaning the clean traffic is reinjected to the IDC center access router and forwarded to the service host. This removes the attack traffic completely.
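The following is an added toy model of the management platform logic described in the "Management platform" paragraph and walked through in the Beijing/Shanghai/Guangzhou process above; it is example code written for this article, not software from Green Alliance Technology. It aggregates constructed NetFlow-style records, detects a volumetric attack from the aggregate at the host, attributes sources to regions with a constructed IP address library, and emits near-source policies (reinject up) for the attacking regions plus a near-host policy (reinject down) for the victim. It also shows why detection at the near-source points alone would miss the attack: each region's share sits below the near-source threshold while the sum at the host exceeds the host threshold. All IP prefixes, device names and thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed IP address library: prefix -> (region, near-source cleaning device).
# Real deployments would use the operator's IP library or a source tracing system.
IP_LIBRARY = [
    (ip_network("10.1.0.0/16"), "Beijing-IDC", "clean-bj-1"),
    (ip_network("10.2.0.0/16"), "Guangzhou-IDC", "clean-gz-1"),
    (ip_network("10.3.0.0/16"), "Shanghai-IDC", "clean-sh-1"),
]

# Assumed alarm thresholds (Mbps). The near-source threshold is higher than
# any single region's share of the attack, which is exactly the missed-detection
# case the article warns about when near-source cleaning is used alone.
NEAR_SOURCE_THRESHOLD_MBPS = 2000.0
HOST_THRESHOLD_MBPS = 3000.0
WINDOW_SECONDS = 1.0  # length of the NetFlow export window the records cover


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-style record: source, destination, bytes in the window."""
    src: str
    dst: str
    byte_count: int


# Constructed sample records for one 1-second window.
SAMPLE_FLOWS = [
    Flow("10.1.4.7", "10.3.0.10", 100_000_000),   # Beijing -> victim (800 Mbps)
    Flow("10.1.9.2", "10.3.0.10", 87_500_000),    # Beijing -> victim (700 Mbps)
    Flow("10.2.1.1", "10.3.0.10", 225_000_000),   # Guangzhou -> victim (1800 Mbps)
    Flow("192.0.2.5", "10.3.0.10", 37_500_000),   # unattributed source (300 Mbps)
    Flow("10.1.5.5", "10.3.0.20", 12_500_000),    # legitimate load on another host
]


def region_of(ip):
    """Map an IP to (region, near-source device); unknown sources get (unknown, None)."""
    addr = ip_address(ip)
    for net, region, device in IP_LIBRARY:
        if addr in net:
            return region, device
    return "unknown", None


def mbps(byte_count):
    return byte_count * 8 / WINDOW_SECONDS / 1e6


def traffic_matrix(flows):
    """The platform's aggregated view: dst -> region -> Mbps."""
    matrix = defaultdict(lambda: defaultdict(float))
    for f in flows:
        region, _ = region_of(f.src)
        matrix[f.dst][region] += mbps(f.byte_count)
    return matrix


def detect_victims(flows, threshold=HOST_THRESHOLD_MBPS):
    """Hosts whose total inbound rate, summed over all regions, crosses the threshold."""
    matrix = traffic_matrix(flows)
    return sorted(dst for dst, per_region in matrix.items()
                  if sum(per_region.values()) >= threshold)


def near_source_alarms(flows, threshold=NEAR_SOURCE_THRESHOLD_MBPS):
    """What isolated per-region detection would raise: (region, dst) pairs over threshold."""
    matrix = traffic_matrix(flows)
    return sorted((region, dst) for dst, per_region in matrix.items()
                  for region, rate in per_region.items() if rate >= threshold)


def build_policies(flows, victim):
    """Near-source policy per attributed attacking region, plus one near-host policy."""
    per_region = traffic_matrix(flows)[victim]
    victim_region, victim_device = region_of(victim)
    policies = []
    for region, rate in per_region.items():
        device = next((d for _, r, d in IP_LIBRARY if r == region), None)
        # Unattributed sources and the victim's own region are left to near-host cleaning.
        if device is None or region == victim_region:
            continue
        policies.append({"device": device, "mode": "near-source", "redirect_dst": victim,
                         "reinject": "up", "observed_mbps": round(rate, 1)})
    if victim_device is not None:
        policies.append({"device": victim_device, "mode": "near-host", "redirect_dst": victim,
                         "reinject": "down", "observed_mbps": round(sum(per_region.values()), 1)})
    return policies


if __name__ == "__main__":
    print("near-source-only alarms:", near_source_alarms(SAMPLE_FLOWS))
    for victim in detect_victims(SAMPLE_FLOWS):
        print("victim:", victim)
        for policy in build_policies(SAMPLE_FLOWS, victim):
            print("  ", policy)
```

Running the block shows no near-source alarm at all, one victim (10.3.0.10) detected from the aggregate, near-source policies for clean-bj-1 and clean-gz-1, and a near-host policy for clean-sh-1 that also covers the 300 Mbps from the unattributed source, which is the residue the article says must be cleaned near the business host.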
Green Alliance Technology anti-DDoS solution
With the large-volume DDoS attack protection solution discussed in this article, telecom operators gain elastic, large-volume DDoS protection capability while making full use of the security equipment they have already purchased, which saves investment. It also significantly reduces abnormal traffic and unnecessary bandwidth consumption on the backbone network.
As large-volume DDoS attacks become common, the DDoS protection devices built by IDC tenants themselves can no longer meet protection requirements. Telecom operators can rely on this elastic, large-volume protection capability to offer value-added anti-DDoS services to IDC tenants and gain additional revenue.