Before studying this issue, let's talk about DDOS:
What is DDOS:
DDoS (Distributed Denial of Service) attacks are simple but devastating network attacks that exploit weaknesses in the TCP/IP protocol suite. Because the weakness lies in the session mechanism of TCP/IP itself, there is no direct and effective defense. Many real-world cases show that passive defense with traditional devices is largely futile: existing firewalls have limited processing capacity, so they are themselves paralyzed and become a bottleneck for the network, while the target host is paralyzed for the duration of the attack.
DDoS attacks mainly use SYN flood and its variants. Newer attacks such as CC belong to the same category, but CC attacks are more intelligent: they repeatedly read files from the same server. Existing DDoS firewalls and firewall software are built to block SYN and flood attacks and do not detect repeated packets, so most firewalls have no effect on CC attacks. The firewalls discussed below work as kernel-level bridges that perform duplicate-packet detection, SYN flood filtering and ARP filtering. Even a forged packet is treated as invalid and dropped if the firewall has no matching ARP entry for it. For a packet to pass through such a firewall it must meet four conditions: first, its ARP information can be verified as correct; second, it is not a duplicate of a packet seen within the last N seconds; third, the connection address exists; and fourth, the packet belongs to a persistent connection. If it is not part of a persistent connection, the packet is filtered out.
One of the most popular DDoS attacks is the CC attack and its variants, which target ports 7000 and 7100 and frequently hit online game servers, leaving players stuck at the screen where they select and create characters. The basic principle is this: the attacking host repeatedly sends requests to the target host through HTTP proxy servers on the network; when those requests hit a CGI page that is expensive to generate, the target host is driven into denial of service. It is a clever form of Distributed Denial of Service: unlike a typical DDoS attack, the attacker does not need to collect a large number of bots, because the proxy servers take the place of the bots.
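As an added example (not code from this article or from any of the products it describes), the Python script below applies the kind of repeated-request detection the text says ordinary firewalls lack to web-server access logs: it counts hits on expensive CGI paths per client within a sliding time window, which is the traffic pattern of the CC attack described above. The log lines, IP addresses, path prefix and threshold values are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common log format: client, timestamp, "METHOD target HTTP/x", status, size.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (client, timestamp, path without query string) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, stamp, _method, target, _status = m.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return client, when, target.split("?", 1)[0]

def detect_cc(lines, expensive=("/cgi-bin/",), window=10, threshold=5):
    """Flag (client, path) pairs hitting an expensive path >= threshold times in any
    window-second span; each relaying proxy is scored on its own. Returns sorted alerts."""
    recent = defaultdict(deque)      # (client, path) -> timestamps inside the window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, when, path = parsed
        if not path.startswith(expensive):   # cheap static files are ignored
            continue
        q = recent[(client, path)]
        q.append(when)
        while (when - q[0]).total_seconds() > window:
            q.popleft()                      # slide the window forward
        if len(q) >= threshold:
            alerts[(client, path)] = max(alerts.get((client, path), 0), len(q))
    return sorted((c, p, n) for (c, p), n in alerts.items())

# Constructed sample log (not from a real server): 10.0.0.5 plays the proxy that
# hammers an expensive CGI page, 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/search.cgi?q=a HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/search.cgi?q=b HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/search.cgi?q=c HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /cgi-bin/search.cgi?q=d HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jan/2024:10:00:04 +0000] "GET /cgi-bin/search.cgi?q=x HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /cgi-bin/search.cgi?q=e HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/search.cgi?q=f HTTP/1.1" 200 5120
""".splitlines()
```

Running `detect_cc(SAMPLE_LOG)` reports only the proxy address with its peak count, while the ordinary visitor's single CGI request stays below the threshold.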
So can the hardware firewalls used by data centers defend against DDoS attacks?
To answer this, we should first look at the hardware firewalls used in domestic data centers. The well-known domestic anti-DDoS firewalls, and the ones with the best reputation and results, are the Black Hole, Gold Shield and Dosnipe products. Various other so-called "XX Shield DDoS firewalls" are mostly plagiarized and tampered copies, or completely ineffective products sold only to cheat customers out of money.
Dosnipe Firewall:
The hardware of the Dosnipe firewall is built on industrial PCs (IPC), which withstand harsh operating environments and keep the device running stably. The software platform is FreeBSD; the core of the algorithm is an independently developed one-way, one-time illegal-packet identification method, and all filtering mechanisms are mounted at the driver level. It is presented as able to completely defend against all DoS/DDoS attacks (SYN flood, ACK flood, UDP flood, ICMP flood, IGMP flood, ARP flood and full-connection attacks). For CC attacks, DosNipe V8.0 has been released with a core described as extremely efficient and secure: on top of the previous defense against all denial-of-service attacks, a new anti-CC algorithm has been added, which is stated to defend efficiently against all CC attacks and their variants with a recognition accuracy of 100% and no possibility of misjudgment.
After last year's upgrade of the Dosnipe firewall, more new features are available:
· Completely resolves the latest M2 attacks.
· Supports multi-line and multi-route access.
· Supports traffic control.
· More powerful filtering functions.
· The latest upgrade completely and efficiently solves all DDoS attacks; the CC attack recognition rate is 100%.
Black Hole anti-DDoS Firewall
The Black Hole anti-DDoS firewall is a widely used anti-DoS/DDoS product in Chinese IDCs. Its technology is mature and its protection effect is remarkable, and it has been recognized by many IDCs. Black Hole currently comes in two products, an Mbit/s class and a Gbit/s class, each of which defends effectively against high-intensity attacks in the corresponding network environment, with performance far better than similar protection products. The Gigabit Black Hole is mainly used to protect network devices such as firewalls and routers on backbone lines. The Mbit/s-class Black Hole is mainly used to protect subnets and servers; it uses multiple algorithms to separate attack traffic from normal traffic, and in a high-traffic attack environment it is stated to maintain a connection retention rate above 95% and a new-connection success rate above 95%. The core algorithm is implemented in assembler with the instruction set optimized for the Intel IA32 architecture. The standard TCP state machine is simplified and optimized, giving much higher efficiency than the popular SYN Cookie and Random Drop algorithms.
Black Hole Protection:
· Self-security: it has no IP address and is invisible on the network.
· Protection against various DoS attacks, such as SYN Flood, UDP Flood, ICMP Flood, and (M)Stream Flood.
· It effectively prevents connection exhaustion, actively clears residual connections on the server, improves the quality of network services, and suppresses the spread of network worms.
· It protects against DNS Query Flood and keeps DNS servers operating normally.
· It feeds misleading information to port-scanning software, so it also helps defend against other kinds of attacks.
Alibaba Cloud Security anti-DDoS Firewall
Developed by Hefei Zhongxin Software Co., Ltd., the Yundun anti-DDoS firewall is a professional firewall designed for ISP access providers and IDC service providers. It is suitable for all enterprises and individual users on the Internet, and it plays an important security role in keeping the networks of some large entertainment sites and important enterprise sites running smoothly.
The product currently uses underlying driver technology to provide comprehensive connection-oriented processing. During its long-term ISP operation and network security research, the company developed a solution for defending against and resisting denial-of-service attacks. Test results show that the current defense algorithm is immune to all known denial-of-service attacks, that is, it can completely resist known DoS/DDoS attacks.
The Yundun anti-DDoS firewall defends against various denial-of-service attacks and their variants, such as SYN Flood, TCP Flood, UDP Flood and ICMP Flood, and variants such as Land, Teardrop, Smurf and Ping of Death.
It is said that nearly half of China Telecom and China Netcom data centers use these products. The Alibaba Cloud Security firewall is a specialized firewall designed for DDoS attacks and hacker intrusion; the device uses a new generation of self-developed anti-denial-of-service algorithms to defend against 100,000 to 1,000,000 concurrent attacks without affecting the connections and use of normal users. The dedicated architecture modifies the TCP/IP kernel, implements the denial-of-service defense algorithm at the core of the system, and creatively places the algorithm in the network driver layer, so efficiency is not constrained. At the same time it defends against multiple denial-of-service attacks and their variants, such as SYN Flood, TCP Flood, UDP Flood and ICMP Flood, and variants such as Land, Teardrop, Smurf and Ping of Death.
Analysis:
Of course, some technical staff have put forward the view that, strictly speaking, products like those above cannot be called firewalls and should instead be called abnormal-traffic cleaning systems. Anti-DDoS technology also exists in ordinary firewalls, but a firewall's capabilities are limited: it cannot thoroughly analyze and act on every threshold parameter. It performs a single fixed action against a fixed measured threshold, with no further refinement after learning, and that is the weakness of the firewall. Products of this kind, by contrast, are generally used in high-bandwidth environments, which in plain terms means carriers, so their performance requirements are very strict and they must stand up to the test. This is no joke: carriers charge value-added service customers for this protection, and if a customer cannot be defended against an attack of a certain volume, the customer will certainly react.
So, the question you care about most: can these hardware firewalls defend against DDoS attacks?
Whether these hardware firewalls can defend against DDoS attacks:
In general, yes. From what we understand, most data centers in China report that the effect of Alibaba Cloud Security is fairly good and that of Black Hole is better. Dosnipe is deployed in fewer data centers, so there is less feedback, but a telecom data center agent in Southwest China told me that installing the Dosnipe firewall in the data center has indeed eliminated many common traffic attacks.
However, if attackers raise the attack traffic until it consumes the data center's entire outbound bandwidth, any firewall is just a firewall: no matter how powerful it is, once the uplink bandwidth is exhausted the whole IDC is effectively disconnected. It is like a door already crowded with people: no matter how many guards you station inside the door to check them, the people outside still cannot get in. Most of today's attacks are commercially motivated and readily reach gigabit scale. Some data centers do not have sufficient bandwidth, and a large-volume attack will inevitably disconnect the entire data center. Although the firewall detects the attack, it can only filter out the illegal packets to protect internal network devices and servers from damage; the disconnection is caused by the data center's insufficient total bandwidth, so even a good firewall will not help.
Therefore, even though many data centers claim that the good hardware firewalls they adopt can defend against high-traffic attacks, if your servers come under heavy-traffic attack the data center will not dare to keep you, because the attack affects normal access to the other servers, and hosting a single server does not earn much. Taking on such a small piece of business only to cause great trouble, the operator will certainly judge it not cost-effective; worse, the network administrators of those data centers end up blocking IP addresses indiscriminately.
Summary:
Anti-DDoS is a complex and large-scale system engineering effort. It is unrealistic to rely solely on a single system or product to prevent DDoS attacks. Completely preventing DDoS attacks is certainly impossible, but appropriate measures can defend against 90% of them. Both attack and defense are subject to cost-effectiveness: if appropriate measures raise the ability to defend against DDoS attacks, the attacker's cost rises accordingly, so the vast majority of attackers cannot sustain the attack and give up, which is equivalent to successfully resisting DDoS attacks.
Therefore, the answer to whether a hardware firewall can defend against DDoS attacks is actually rather sad. In theory it does have an effect, but what does that effect amount to? Websites and servers under attack are shunned by data centers and operators as if they were the plague. Apart from a few carriers with sufficient bandwidth and strength, basically no one dares to host such customers.