For online enterprises, and especially for the data center networks of telecom operators, a Distributed Denial of Service (DDoS) attack is a disaster, and defending against it effectively has long been a challenge in network operations.
DDoS remains a persistent headache: it is hard to defend against with conventional means, and it targets not only servers but also bandwidth. Much like a traffic jam, a DDoS attack has become a standard category of network hazard.
Traditional protection: powerless
To counter DDoS attacks, three methods are commonly used: the black hole method, route-based access control list (ACL) filtering, and inline firewall security devices.
Black hole method: when a server is under attack, an access control rule is set in the network so that all traffic destined for the server is sent into a black hole and discarded. This stops all attack traffic as soon as it arrives and keeps the backbone network unaffected, but it blocks legitimate traffic as well: the server can no longer provide its services, and its contact with users is cut off.
Route-based ACL filtering: here the enterprise user deploys nothing itself. Instead, the backbone service provider, such as China Telecom, configures the backbone and deploys the rules on its routers. Two kinds of rules are deployed on routers today: access control lists and traffic-limiting rules, both of which ultimately come down to ACLs. The biggest problem is that, when the attack comes from the Internet, an access list keyed on source addresses is hard to build, because the source addresses are largely random and cannot be pinned down. The only thing that can be done is to write the access control policy for the server against its destination address, which discards every packet requesting a connection to it, so the services are badly affected. A further drawback is that maintaining such access lists on the China Telecom backbone makes access control management very difficult. The method is also quite limited: it cannot identify spoofed traffic or attacks against the application layer.
Inline firewall security devices: the other way to deal with DDoS is to place a firewall in the path. On a carrier backbone carrying tens of Gbit/s, the capability and technical level of firewalls are limited; a firewall rated for a few gigabits per second can be overloaded and disrupt normal network operation, and the throughput of a firewall with anti-DDoS functions enabled is lower still, so even the "top experts" among firewalls are powerless to shoulder this burden. In addition, this method cannot protect upstream devices, lacks scalability, and cannot effectively protect user-facing resources.
The solution lies in "intelligence"
From the analysis above it is not hard to see that the traditional ways of dealing with DDoS are inefficient and leave some problems unsolved. An intelligent anti-DDoS system consists of a detector and a guard. It is easy to use and easy to deploy, requires no change to the existing network architecture, and provides dynamic protection, which addresses the DDoS protection problem at its root.
The protection device is attached to the backbone network in parallel (out of band), so it has no impact on the network structure. When malicious traffic appears in the network, the detector sends an alarm to the guard, telling it which server in the network is being attacked, what the attack is aimed at, and from which addresses the attack is coming. The guard then goes to work immediately: it notifies the router to send all traffic destined for the attacked addresses to the guard, temporarily taking over that traffic, and analyzes and verifies it. Illegal and malicious traffic is intercepted and discarded there, while normal traffic and data are forwarded on to their destination.
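The following simulation, added here as an illustration and not taken from any vendor's product or from the original article, contrasts the black hole / destination-ACL approach described earlier with the detector-and-guard flow described above. It models a SYN flood: a detector watching a copy of the traffic alarms once SYNs to one destination exceed a threshold; from then on traffic for that destination is diverted to a guard, which forwards only sources that answer a handshake challenge (an HMAC-based cookie, in the style of SYN cookies), since a spoofed source never receives the SYN-ACK and so never answers. The addresses, the threshold, the secret, the sample stream and the challenge mechanism are all constructed assumptions; real guards use more verification techniques than this one.

```python
"""Simulated detector/guard pipeline for a SYN flood, compared with black-holing.

Added example; not code from any product. Addresses (RFC 5737 documentation
ranges), threshold, secret and traffic stream are constructed.
"""
import hashlib
import hmac
from collections import Counter, defaultdict
from dataclasses import dataclass

VICTIM = "203.0.113.10"                               # constructed: the attacked server
LEGIT = {"192.0.2.1", "192.0.2.2", "192.0.2.3"}       # constructed: real clients
SYN_THRESHOLD = 50                                    # constructed: SYNs to one destination before alarm


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str          # "SYN" or "ACK"
    ack: int = 0       # acknowledgement number carried by an ACK


def sample_stream():
    """Constructed traffic: 13 SYNs from real clients interleaved with 200 spoofed SYNs."""
    pkts = [Packet(f"192.0.2.{n}", VICTIM, "SYN") for n in (1, 2, 3)]
    for i in range(1, 201):
        pkts.append(Packet(f"198.51.100.{i}", VICTIM, "SYN"))      # spoofed source, one SYN each
        if i % 20 == 0:
            pkts.append(Packet(f"192.0.2.{(i // 20) % 3 + 1}", VICTIM, "SYN"))
    return pkts


class Detector:
    """Out-of-band: sees a copy of all traffic, alarms when SYNs to a destination exceed the threshold."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.syns = defaultdict(int)

    def observe(self, pkt):
        if pkt.kind == "SYN":
            self.syns[pkt.dst] += 1

    def alarmed(self, dst):
        return self.syns[dst] > self.threshold


class Guard:
    """Receives diverted traffic; forwards only sources that have completed a handshake challenge."""

    def __init__(self, secret):
        self.secret = secret
        self.verified = set()

    def cookie(self, src):
        # Stateless per-source cookie: nothing is stored for sources that never answer.
        mac = hmac.new(self.secret, src.encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def handle(self, pkt):
        """Return "forward", "challenge" (reply with SYN-ACK carrying the cookie), "verified" or "drop"."""
        if pkt.src in self.verified:
            return "forward"
        if pkt.kind == "SYN":
            return "challenge"
        if pkt.kind == "ACK" and pkt.ack == (self.cookie(pkt.src) + 1) & 0xFFFFFFFF:
            self.verified.add(pkt.src)
            return "verified"
        return "drop"


def simulate(policy, stream=None):
    """policy: "none", "blackhole" (also models a destination ACL) or "guard".
    Returns how many legit and attack SYNs reached the server."""
    stream = stream or sample_stream()
    det, guard = Detector(SYN_THRESHOLD), Guard(b"constructed-secret")
    delivered = Counter()
    for pkt in stream:
        kind = "legit" if pkt.src in LEGIT else "attack"
        det.observe(pkt)
        if policy == "none" or not det.alarmed(pkt.dst):
            delivered[kind] += 1                 # no alarm yet: traffic goes straight to the server
        elif policy == "blackhole":
            continue                             # black hole / destination ACL: everything to the server is dropped
        elif policy == "guard":
            action = guard.handle(pkt)
            if action == "forward":
                delivered[kind] += 1
            elif action == "challenge" and pkt.src in LEGIT:
                # Only the host that really owns pkt.src receives the SYN-ACK; spoofed sources never answer.
                ack = Packet(pkt.src, pkt.dst, "ACK", (guard.cookie(pkt.src) + 1) & 0xFFFFFFFF)
                if guard.handle(ack) == "verified" and guard.handle(pkt) == "forward":
                    delivered[kind] += 1         # the client retransmits its SYN, which now passes
    return dict(delivered)


if __name__ == "__main__":
    for policy in ("none", "blackhole", "guard"):
        print(policy, simulate(policy))
```

With the constructed stream the alarm fires at the 46th spoofed SYN, so the 45 attack packets that arrived before it reach the server under every policy except "none"; what differs is the legitimate traffic: black-holing loses the 8 client SYNs that arrive after the alarm, while the guard delivers all 13 and passes none of the remaining 155 spoofed SYNs.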