Can a data center's hardware firewall prevent DDoS?

Source: Internet
Author: User

Before looking at this question, let's first talk about what DDoS is:

What is DDoS:

A DDoS (Distributed Denial of Service) attack is a simple but deadly network attack that exploits weaknesses in the TCP/IP protocol suite. Because the session (handshake) mechanism built into TCP/IP cannot simply be changed, there is no direct and fully effective defense against it. Plenty of real-world cases show that passive defense with traditional equipment is basically futile: an ordinary firewall has limited processing capacity, gets overwhelmed and becomes the network bottleneck itself, and the target host is inevitably knocked out for the duration of the attack.

The main DDoS vector is the SYN flood and its variants. The newer CC attack (CC stands for Challenge Collapsar, a jab at the Collapsar, or Black Hole, anti-DDoS device described later in this article) also belongs to this family, but is smarter: it repeatedly requests the same existing resource, such as a file or script, on the target server. Anti-DDoS firewalls and firewall software built to stop SYN and other floods do not perform duplicate-packet detection, so most of them are ineffective against the DDoS caused by CC. The firewall approach that does handle it works as a kernel-level bridge that performs duplicate-packet detection, SYN flood filtering and ARP filtering. Even a forged packet is dropped as illegal if the firewall holds no ARP entry for its source. A packet must satisfy all four of the following conditions to pass:

• its source matches an ARP entry the firewall already holds and has verified as correct;

• it is not a duplicate of a packet seen within the last 200 ns;

• the connection address (the source/destination pair) already exists in the firewall's connection table;

• the packet belongs to an ongoing connection; anything that is not part of a continuing connection is filtered out.
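
The four pass conditions above amount to a small state machine in front of the server. The following is an added illustration of that logic in Python (not code from the page or from any product it names): a toy bridge filter that keeps a verified ARP table, a duplicate window and a connection table, and replays a constructed packet trace through it. The addresses, MACs, ports and timestamps are made up for the demonstration.

```python
"""Toy bridge-level stateful filter applying the four pass conditions
described above.  Added illustration, not code from any product on this
page; addresses, MACs and timestamps are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DUP_WINDOW_NS = 200  # identical packets closer than this count as one


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str  # inbound direction only: "SYN", "ACK", "FIN" or "RST"
    seq: int
    ts_ns: int  # arrival time in nanoseconds


@dataclass
class BridgeFilter:
    arp_table: Dict[str, str]  # ip -> mac the bridge has already verified
    conns: Dict[Tuple[str, int, str, int], str] = field(default_factory=dict)
    last_seen: Dict[tuple, int] = field(default_factory=dict)

    def inspect(self, p: Packet) -> Tuple[bool, str]:
        # 1. source must match a verified ARP entry; spoofed MAC/IP pairs die here
        if self.arp_table.get(p.src_ip) != p.src_mac:
            return False, "arp-mismatch"
        # 2. duplicate suppression inside the 200 ns window
        fp = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.flags, p.seq)
        prev = self.last_seen.get(fp)
        self.last_seen[fp] = p.ts_ns
        if prev is not None and p.ts_ns - prev < DUP_WINDOW_NS:
            return False, "duplicate"
        # 3 and 4. the connection must exist and the packet must fit its state
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        state = self.conns.get(key)
        if p.flags == "SYN":
            if state is None:
                self.conns[key] = "SYN_RECEIVED"
                return True, "new-connection"
            if state == "SYN_RECEIVED":
                return True, "syn-retransmit"
            return False, "syn-on-established"
        if state is None:
            return False, "no-connection"  # stray ACK/RST/FIN floods stop here
        if p.flags == "ACK":
            if state == "SYN_RECEIVED":
                self.conns[key] = "ESTABLISHED"
                return True, "handshake-complete"
            return True, "established-data"
        if p.flags in ("FIN", "RST"):
            del self.conns[key]
            return True, "closed"
        return False, "unexpected-flags"


def run_demo() -> List[Tuple[bool, str]]:
    """Replay a short constructed trace and return the verdict for each packet."""
    fw = BridgeFilter(arp_table={"10.0.0.5": "aa:bb:cc:00:00:05"})
    client = dict(src_mac="aa:bb:cc:00:00:05", src_ip="10.0.0.5", src_port=40000,
                  dst_ip="10.0.0.1", dst_port=80)
    spoof = dict(client, src_mac="de:ad:be:ef:00:01", src_port=40001)  # wrong MAC for 10.0.0.5
    trace = [
        Packet(**spoof, flags="SYN", seq=1, ts_ns=0),
        Packet(**client, flags="SYN", seq=100, ts_ns=10),      # genuine handshake start
        Packet(**client, flags="SYN", seq=100, ts_ns=110),     # same packet 100 ns later
        Packet(**client, flags="SYN", seq=100, ts_ns=2000),    # real retransmission
        Packet(**client, flags="ACK", seq=101, ts_ns=2500),    # third step of the handshake
        Packet(**dict(client, src_port=40002), flags="ACK", seq=7, ts_ns=2600),  # ACK, no connection
        Packet(**client, flags="ACK", seq=102, ts_ns=3000),    # data on the established connection
        Packet(**client, flags="FIN", seq=103, ts_ns=4000),
    ]
    return [fw.inspect(p) for p in trace]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Condition 4 is what stops ACK floods: a packet that looks like established traffic but belongs to no entry in the table is dropped before it reaches the server. The caveat a practitioner should notice is that the SYN itself is still accepted and creates an entry, so a bridge that tracks half-open connections this way shares the server's exhaustion problem under a SYN flood unless it bounds half-open entries, ages them aggressively or completes the handshake on the server's behalf.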

One of the currently popular forms of DDoS is the CC attack and its variants, which target ports 7000 and 7100 (common on online game servers) and leave players stuck at the character selection and creation screen. Its principle: the attacking host repeatedly sends HTTP requests, through HTTP proxy servers, for a high-overhead CGI page on the target host until the target can no longer serve anyone (denial of service). This is a very clever form of distributed denial of service: unlike a typical DDoS, the attacker does not need to gather a large number of zombie machines, because the proxy servers play that role.
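
The reason CC is hard for a SYN-flood firewall is that every request is a complete, well-formed HTTP transaction; only the access log shows the pattern. The following added example (not from the page or any vendor) is a detector over web server log lines that groups requests to an assumed list of expensive handlers by the first X-Forwarded-For hop and by path, per 10-second window. The log format, the expensive-path list, the thresholds and the sample log lines are all constructed for the illustration.

```python
"""Detecting the CC pattern described above in web server logs: many proxies
relaying one attacker's requests for the same expensive dynamic page.
Added illustration, not from the page or any vendor.  The log format, the
list of "expensive" paths, the thresholds and the log lines themselves are
constructed assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Combined log format with "$http_x_forwarded_for" "$http_via" appended (assumed layout)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<xff>[^"]*)" "(?P<via>[^"]*)"$'
)
EXPENSIVE = {"/cgi-bin/search.cgi", "/forum/search.php"}  # costly handlers worth guarding
WINDOW_S = 10            # rate window in seconds
PER_ORIGIN_LIMIT = 5     # expensive hits per window from one origin
PER_PATH_LIMIT = 6       # expensive hits per window on one path, any origin


def parse(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def origin_of(rec: dict) -> str:
    """Group by the first X-Forwarded-For hop when a proxy supplied one, else by peer IP.
    XFF is attacker-controlled, so this is a grouping hint, not proof of identity."""
    xff = rec["xff"].strip()
    return xff.split(",")[0].strip() if xff and xff != "-" else rec["ip"]


def bucket_of(ts: str) -> int:
    return int(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").timestamp()) // WINDOW_S


def analyse(lines: List[str]) -> Dict[str, dict]:
    origin_hits: Counter = Counter()   # (origin, bucket) -> expensive hits
    path_hits: Counter = Counter()     # (path, bucket)   -> expensive hits
    relays = defaultdict(set)          # origin -> proxy peer IPs that relayed for it
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path not in EXPENSIVE:
            continue                   # static assets and cheap pages are ignored
        bucket, origin = bucket_of(rec["ts"]), origin_of(rec)
        origin_hits[(origin, bucket)] += 1
        path_hits[(path, bucket)] += 1
        if origin != rec["ip"]:
            relays[origin].add(rec["ip"])
    report: Dict[str, dict] = {"origins": {}, "paths": {}}
    for (origin, _), n in origin_hits.items():
        if n > PER_ORIGIN_LIMIT:
            report["origins"][origin] = {"hits": n, "proxies": sorted(relays[origin])}
    for (path, _), n in path_hits.items():
        if n > PER_PATH_LIMIT:
            report["paths"][path] = max(n, report["paths"].get(path, 0))
    return report


def _line(ip: str, sec: int, path: str, xff: str = "-", via: str = "-") -> str:
    return (f'{ip} - - [12/Mar/2011:10:00:{sec:02d} +0800] "GET {path} HTTP/1.1" '
            f'200 51234 "{xff}" "{via}"')


# Constructed sample: one attacker (203.0.113.7) behind four open proxies, two hits
# each, plus an ordinary visitor (192.0.2.10) who searches once.
SAMPLE_LOG = [
    _line(f"198.51.100.{10 + i % 4}", i, f"/cgi-bin/search.cgi?q={i}",
          xff="203.0.113.7", via=f"1.1 proxy{i % 4}")
    for i in range(8)
] + [
    _line("192.0.2.10", 3, "/index.html"),
    _line("192.0.2.10", 4, "/cgi-bin/search.cgi?q=hello"),
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

In the sample each proxy sends only two requests, below any per-peer limit a packet filter would apply; the attack only becomes visible once hits are grouped by forwarded origin or by target path. Because X-Forwarded-For can be forged or omitted, the per-path pressure count is the robust signal, and the usual response once a path is under pressure is to challenge the client (a cookie or script the page sets that a plain request loop never answers) rather than to block addresses.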

So, can the hardware firewalls used in data centers defend well against DDoS attacks?

To answer that, first look at which hardware firewalls domestic data centers actually use. The best-known domestic anti-DDoS firewalls, and the ones with the best reputation and reported results, are the Black Hole, Golden Shield and Dosnipe products. Most of the other so-called "XX Shield DDoS firewalls" are plagiarized or tampered copies, or have no real effect at all and exist only to take people's money.

Dosnipe Firewall:

The Dosnipe firewall's hardware is built around an industrial PC (IPC), which tolerates poor operating environments and keeps the device running stably; the software platform is FreeBSD. The core algorithm is the vendor's own one-way, one-time illegal packet recognition method, and all filtering mechanisms hook in at the driver level. The vendor says it fully resolves all DoS/DDoS attacks (SYN flood, ACK flood, UDP flood, ICMP flood, IGMP flood, ARP flood, full-connection attacks, etc.). For CC attacks it has released Dosnipe V8.0, whose core adds CC resistance on top of the earlier denial-of-service defenses; the vendor claims the new algorithm resists all CC attacks and their variants with a 100% recognition rate and no possibility of misjudgment.

After last year's upgrade, the Dosnipe firewall gained more new features:

• Complete resolution of the latest M2 attacks.

• Support for multiple routes and multi-route access.

• Traffic (flow) control.

• Stronger filtering capability.

• Latest upgrade: complete and efficient resolution of all DDoS attacks, with a claimed CC attack recognition rate of 100%.

Black Hole anti-DDoS firewall

The Black Hole anti-DDoS firewall is widely deployed in domestic IDCs against DoS and DDoS attacks; its technology is relatively mature, its protection is notable, and it is recognized by the major IDC operators. Black Hole currently comes in two models, 100 Mbps and gigabit, each giving effective protection against high-intensity attacks in its network environment, with performance well beyond comparable products. The gigabit Black Hole is mainly used on backbone links to protect network equipment such as firewalls and routers; the 100 Mbps Black Hole mainly protects subnets and servers. It uses several algorithms to separate attack traffic from normal traffic and, under heavy attack traffic, is claimed to keep more than 95% of existing connections alive and to let more than 95% of new connections succeed. The core algorithm is written in assembly with instruction-level optimization for the Intel IA32 architecture; the standard TCP state machine has been streamlined and optimized, and the vendor says its efficiency is far higher than the currently popular SYN cookie and random-drop algorithms.
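
For comparison with the vendor's claim about SYN cookies, here is what the SYN cookie technique itself does, as an added example (a simplified layout in the spirit of the classic scheme, not any vendor's code). The server encodes a clock tick, an MSS index and a keyed 24-bit hash of the connection 4-tuple into the initial sequence number of its SYN-ACK, stores nothing, and reconstructs the check when the final ACK arrives. The secret key, addresses, ports and clock values are constructed.

```python
"""SYN cookies: the stateless handshake defense mentioned above.  Added example
in a simplified layout inspired by the classic scheme; not any vendor's code.
The key, addresses, ports and clock values are constructed."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Optional

COOKIE_KEY = b"rotate-me-at-boot"       # assumed per-server secret
MSS_TABLE = (536, 1220, 1460, 4312)     # MSS values encodable in the 3-bit index
TICK_S = 64                              # cookie clock granularity in seconds


def _mac24(saddr: str, daddr: str, sport: int, dport: int,
           client_isn: int, t: int, mss_idx: int) -> int:
    """24-bit keyed hash over the 4-tuple, client ISN, clock tick and MSS index."""
    msg = struct.pack("!4s4sHHIBB",
                      ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed,
                      sport, dport, client_isn & 0xFFFFFFFF, t, mss_idx)
    return int.from_bytes(hmac.new(COOKIE_KEY, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr: str, daddr: str, sport: int, dport: int,
                client_isn: int, mss: int, now: float) -> int:
    """Server ISN for the SYN-ACK.  Layout: 5-bit tick | 3-bit MSS index | 24-bit MAC.
    Nothing is stored, so a flood of SYNs costs the server one MAC each and no memory."""
    t = (int(now) // TICK_S) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (t << 27) | (mss_idx << 24) | _mac24(saddr, daddr, sport, dport,
                                                client_isn, t, mss_idx)


def check_cookie(saddr: str, daddr: str, sport: int, dport: int,
                 client_isn: int, ack: int, now: float) -> Optional[int]:
    """On the final ACK, rebuild the cookie from the packet alone.  Returns the MSS to
    use, or None if the cookie is stale or was not issued for this 4-tuple and ISN."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    if (((int(now) // TICK_S) - t) & 0x1F) > 1:  # accept this tick or the previous one
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _mac24(saddr, daddr, sport, dport, client_isn, t, mss_idx):
        return None
    return MSS_TABLE[mss_idx]


def handshake(now: float = 1_300_000_000) -> dict:
    """One honest handshake plus the ways a forged or late ACK is refused."""
    tup = ("203.0.113.9", "198.51.100.2", 51234, 80)   # client -> server (constructed)
    client_isn = 0x1234ABCD                            # in real TCP: the ACK's seq minus 1
    isn = make_cookie(*tup, client_isn, 1460, now)     # goes out in the SYN-ACK, unstored
    ack = (isn + 1) & 0xFFFFFFFF                       # what a genuine client echoes back
    return {
        "ok": check_cookie(*tup, client_isn, ack, now),
        "prev_tick": check_cookie(*tup, client_isn, ack, now + TICK_S),
        "stale": check_cookie(*tup, client_isn, ack, now + 2 * TICK_S),
        "wrong_port": check_cookie(tup[0], tup[1], 51235, tup[3], client_isn, ack, now),
    }


if __name__ == "__main__":
    print(handshake())
```

The cost the paragraph hints at is real: everything has to fit in 32 bits, so TCP options other than the MSS are lost for connections accepted this way, a forged final ACK succeeds with probability about 2^-24 per try, and cookies expire after roughly two ticks. A random-drop scheme keeps full state for the connections it does accept but sheds some legitimate SYNs under load, which is the trade-off a vendor's custom state machine is trying to beat.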

Protection provided by Black Hole:

• Self-protection: the device has no IP address and is invisible on the network.

• Protects against various DoS attacks such as SYN Flood, UDP Flood, ICMP Flood and (M)Stream Flood.

• Effectively prevents connection exhaustion, actively clears residual connections on the server, improves the quality of network service and restrains the spread of network worms.

• Protects DNS servers against DNS Query Flood so they keep operating normally.

• Feeds confusing information back to port-scanning tools, so it also offers some protection against other kinds of attacks.

Golden Shield anti-DDoS firewall

The Golden Shield anti-DDoS firewall is developed by Hefei New Software Co., Ltd. as a professional firewall specifically for ISPs and IDC service providers. It protects the network availability of every enterprise and individual user on the Internet platform, and plays an important security role especially for large entertainment sites and important corporate sites.

The product uses very low-level driver technology and provides a complete connection-oriented implementation. The company developed its solution for defending against and resisting denial-of-service attacks during long-term ISP operations and network security research. According to its test results, the current defense algorithm is immune to all known denial-of-service attacks, that is, it completely resists known DoS/DDoS attacks.

The Golden Shield anti-DDoS firewall protects against a variety of denial-of-service attacks and their variants: SYN Flood, TCP Flood, UDP Flood, ICMP Flood, and variants such as Land, Teardrop, Smurf and Ping of Death.

It is said that nearly half of the country's China Telecom and China Netcom data centers use its products. The Golden Shield firewall is a professional-grade firewall designed against DDoS attacks and hacker intrusion. The device uses a self-developed new-generation anti-denial-of-service algorithm that, according to the vendor, can defend against 100,000 to 1,000,000 concurrent attack connections with no effect on the connections and usage of normal users. The dedicated architecture allows the vendor to modify the TCP/IP kernel, implement the attack-rejection algorithm in the system core and, innovatively, in the network driver layer, so efficiency is not constrained. It defends against the denial-of-service attacks and variants listed above.


Of course, some engineers point out that, strictly speaking, products like the above are not firewalls but anomalous-traffic cleaning (scrubbing) systems. Ordinary firewalls now have DDoS defense features too, but their capability is limited: they do not analyze and act on each threshold parameter in depth, there is only one way of executing the response, and that response is fixed, with no further refinement through learning. That is the weakness of the firewall. Cleaning products, by contrast, are generally deployed in high-bandwidth environments, bluntly, at the operator (carrier) level, so the performance requirements are very strict and the product has to withstand real testing; this is no joke. Operators sell this capability to customers as a paid value-added service, and if it cannot withstand a given volume of attack traffic, customers will certainly leave.

So, the question you care most about: can these hardware firewalls actually prevent DDoS?

Can these hardware firewalls actually prevent DDoS:

In general, yes. As far as we know, most domestic data centers report that Golden Shield's effect is passable and Black Hole's is better; Dosnipe has fewer partner data centers, so there is less feedback on it, but an agent for a China Telecom data center in the southwest told me that after the data center installed the Dosnipe firewall it did eliminate many ordinary traffic attacks.

However, once the attacker raises the attack volume enough to consume the data center's total bandwidth, any firewall becomes irrelevant: no matter how much processing capacity the firewall has, the upstream bandwidth is already exhausted, and from the outside the whole data center appears to be down. It is like a doorway already jammed with people: no matter how many security checkpoints stand behind the door, the people outside still cannot get in. Today's attackers are mostly commercially motivated and launch gigabit-scale attacks; some data centers simply do not have that much bandwidth, so a large-volume attack will certainly take the whole data center offline. The firewall may detect the attack and filter out the illegal packets, protecting the internal network equipment and servers from being hit, but if the data center's total line bandwidth is insufficient, even a good firewall is useless.

Therefore, even though many data centers are known to run good hardware firewalls that can defend against some amount of attack traffic, if your server really comes under a large-volume attack the data center will still not dare to keep you, because it affects normal access to the other servers. Hosting a server does not earn much, and the operator will feel that inviting big trouble for such a small piece of business is not worth it. The most pitiful are the data center's network administrators, who have to rush to block (null-route) the attacked IP.


Dealing with DDoS is a complex and huge systems-engineering problem; relying on a single system or product to prevent DDoS is unrealistic, and it is certainly impossible to eliminate DDoS completely at present, but with proper measures it is possible to withstand 90% of DDoS attacks. In terms of the economics of attack and defense, raising your DDoS resistance in the right way also raises the attacker's cost, so the vast majority of attackers will be unable to continue and give up, which amounts to a successful defense against the DDoS attack.

So the answer to whether a hardware firewall can prevent DDoS is rather sad: in theory it does work, but in practice a site or server that is being attacked is treated like the plague by every data center and operator, and apart from a few operators with ample bandwidth and strong capability, basically nobody dares to take such a client.
