Considerations and testing methods for DDOS Security Products in the Internet cloud ecosystem (2)


Early, traditional DDoS defense detected and handled attacks through firewalls and routers. Such solutions had some protective effect against the attacks of that time, and a firewall is quite effective at protocol-layer protection. However, as the Internet has developed, DDoS attacks have become increasingly sophisticated and powerful, and using a firewall to defend against them is clearly insufficient:

Firewalls and routers are effective only against protocol-layer attacks, while more and more DDoS attacks take place at the application layer. Firewalls are not designed specifically for DDoS; monitoring and cleaning DDoS traffic degrades the firewall's normal functions in terms of performance, a burden the firewall should not have to carry. Deploying and expanding a large network is far more complex than upgrading software, so attacks launched by programs are more flexible than the defenses built into network devices.

As mentioned above, there is no absolutely effective solution for DDoS defense. Although large Internet environments are eager for more and better defense solutions, at present the defense of large Internet systems is mostly a combination of several solutions.

As mentioned above, DDoS defense is a semi-automatic process. A so-called DDoS defense system is nothing more than traffic detection, abnormal-traffic cleaning, policy rules, a control system, and manual handling.

Traffic Detection

There are two types of traffic detection technology: DPI (Deep Packet Inspection) and DFI (Deep/Dynamic Flow Inspection).

DPI

Traditional traffic analysis looks only at the 5-tuple in the IP header, that is, the basic lower-layer information of source address, destination address, source port, destination port, and protocol type. DPI is a traffic detection and control technology based on the application layer: it reads the content of the IP packet and reassembles the application-layer (OSI layer 7) information to obtain the content of the application. DPI identification falls into three types:

Protocol Feature Word Recognition Technology

Different applications use different protocols, and these protocols usually have their own fingerprints (specific ports, strings, bit sequences, and so on). By identifying this fingerprint information in packets, you can determine which application the business carries. Taking the well-known BitTorrent as an example, the protocol feature of its handshake is the string "BitTorrent protocol";
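To make the feature-word idea concrete, here is an added example (not code from the original article or from any product it describes) of a minimal DPI matcher: a constructed, simplified signature table keyed on byte patterns at the start of a reassembled stream, with an optional port hint. Only the BitTorrent handshake feature word comes from the text; the other signatures, the sample payloads, and the port 5060 hint for SIP are assumptions for the example.

```python
# Added example (not from the original article): a minimal DPI
# "protocol feature word" matcher. The signature table is constructed and
# simplified; the BitTorrent handshake feature word is the one the text cites.
import re
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Signature:
    app: str
    pattern: bytes              # regex applied to the first bytes of the payload
    port: Optional[int] = None  # optional port hint; None means any port


# Constructed signature table. The BitTorrent handshake starts with the
# length byte 0x13 followed by the literal "BitTorrent protocol".
SIGNATURES = [
    Signature("bittorrent", rb"^\x13BitTorrent protocol"),
    Signature("http", rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n"),
    Signature("sip", rb"^(INVITE|REGISTER|OPTIONS|BYE) sip:", port=5060),
    Signature("ssh", rb"^SSH-2\.0-"),
]
COMPILED = [(s, re.compile(s.pattern)) for s in SIGNATURES]


def classify(payload: bytes, dst_port: Optional[int] = None) -> str:
    """Return the application of the first matching signature, else 'unknown'."""
    head = payload[:64]  # feature words sit at the start of the reassembled stream
    for sig, rx in COMPILED:
        # a port hint only narrows the match; it is never sufficient on its own
        if sig.port is not None and dst_port is not None and sig.port != dst_port:
            continue
        if rx.search(head):
            return sig.app
    return "unknown"


# Constructed sample payloads (not captured traffic)
SAMPLES: Dict[str, bytes] = {
    "bt": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20 + b"-xx0001-" + b"x" * 12,
    "web": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "voip": b"INVITE sip:alice@example.test SIP/2.0\r\n",
    "rand": b"\x8f\x12\x00\xa4random junk",
}


def classify_samples() -> Dict[str, str]:
    """Classify every constructed sample; the SIP sample is given its usual port."""
    return {name: classify(p, 5060 if name == "voip" else None)
            for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, app in classify_samples().items():
        print(f"{name}: {app}")
```

The port hint illustrates why DPI is not simply port matching: the same SIP payload sent to port 80 is not classified as SIP because the signature demands both the feature word and the expected port, while the BitTorrent and HTTP signatures are port-independent. Every new protocol needs a new entry here, which is the maintenance cost the comparison below attributes to DPI.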

Application Layer Gateway Recognition Technology

If the business flow has no distinctive features of its own, application-layer gateway identification can be used. The application-layer gateway first identifies the control flow, then selects a specific application-layer gateway according to the control-flow protocol to parse the business flow and identify it. For example, RTP (Real-time Transport Protocol) stream information is obtained by inspecting the signalling interaction of SIP (Session Initiation Protocol) or H.323;

Behavior Pattern Recognition Technology

Behaviour pattern recognition is mainly used to judge the state of the business on top of a protocol. For example, spam and normal e-mail carry the same kind of business content, so the malicious behaviour must be identified through its behaviour pattern.

DFI

Unlike DPI traffic recognition, DFI is an application-layer recognition technology based on traffic behaviour: it distinguishes applications by the state of the session connection and the data stream.

DFI builds a traffic feature model from the behavioural characteristics of traffic. It analyzes the packet length, connection rate, byte count, packet interval, and other information of a session's connection stream and compares them against the flow models to identify the application type.
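The following added example (not code from the original article) shows DFI-style recognition in its simplest form: flows are reduced to the behavioural features the text lists (packet length, interval, and rate) and compared against background models without ever looking at payload bytes. The reference models, the sample sessions, the relative-distance measure, and the 1.5 threshold are all constructed assumptions.

```python
# Added example (not from the original article): DFI-style recognition from
# flow statistics alone, never from payload bytes. Reference models and
# sample flows are constructed and hypothetical.
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


@dataclass
class Flow:
    sizes: List[int]      # payload bytes of each packet in the session
    times: List[float]    # arrival time of each packet, in seconds


@dataclass
class FlowModel:
    app: str
    mean_size: float   # bytes per packet
    mean_gap: float    # seconds between packets
    pps: float         # packets per second


FEATURE_NAMES = ("mean_size", "mean_gap", "pps")


def features(flow: Flow) -> Dict[str, float]:
    """The behavioural features DFI compares: length, interval and rate."""
    gaps = [b - a for a, b in zip(flow.times, flow.times[1:])]
    duration = flow.times[-1] - flow.times[0] if len(flow.times) > 1 else 0.0
    return {
        "mean_size": mean(flow.sizes),
        "mean_gap": mean(gaps) if gaps else 0.0,
        "pps": len(flow.sizes) / duration if duration > 0 else float(len(flow.sizes)),
    }


# Constructed background models (hypothetical values)
MODELS = [
    FlowModel("voip", mean_size=160, mean_gap=0.02, pps=50),
    FlowModel("bulk-download", mean_size=1400, mean_gap=0.001, pps=1000),
    FlowModel("web-browsing", mean_size=600, mean_gap=0.2, pps=5),
]


def distance(f: Dict[str, float], m: FlowModel) -> float:
    """Sum of relative deviations, so bytes and seconds weigh the same."""
    return sum(abs(f[k] - getattr(m, k)) / max(getattr(m, k), 1e-9) for k in FEATURE_NAMES)


def classify_flow(flow: Flow, threshold: float = 1.5) -> str:
    """Nearest model wins unless even the nearest model is too far away."""
    f = features(flow)
    best = min(MODELS, key=lambda m: distance(f, m))
    return best.app if distance(f, best) <= threshold else "unknown"


def make_flow(n: int, sizes: List[int], gap: float) -> Flow:
    """Constructed session of n packets cycling through sizes, one every gap seconds."""
    return Flow(sizes=[sizes[i % len(sizes)] for i in range(n)],
                times=[i * gap for i in range(n)])


# Constructed sample sessions
SAMPLE_FLOWS = {
    "call": make_flow(50, [160], 0.02),
    "download": make_flow(100, [1400], 0.001),
    "browse": make_flow(10, [200, 1400, 800, 300, 1200, 400, 600, 500, 900, 100], 0.2),
    "odd": make_flow(20, [64], 5.0),
}


def classify_samples() -> Dict[str, str]:
    return {name: classify_flow(fl) for name, fl in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, app in classify_samples().items():
        print(f"{name}: {app}")
```

Because the classifier sees only statistics, it works unchanged on encrypted traffic, but it can only say "looks like web browsing", not "is HTTP/1.1", which is the accuracy trade-off the comparison below describes; the "odd" flow is far from every model and is reported as unknown rather than forced into the nearest class.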


The differences between the two technologies are as follows:

Processing speed: DFI only needs to analyze flow statistics and compare them against the background model, so it is faster than DPI, which must analyze packet by packet.

Maintenance cost: DPI must constantly update its protocol and application signatures and regular-expression matching rules, which is expensive to maintain.

Accuracy: DPI precisely identifies application types and protocols, whereas DFI can only perform a rough analysis.

Encryption: DPI cannot identify the control flow of encrypted transmissions.

Abnormal traffic cleaning equipment

When I analyzed first-packet discard and TCP proxy, I mentioned an idea: isolate all network-layer security detection, identification, and defense logic from business processing. Currently, these security detection and defense functions are carried out mainly by abnormal-traffic cleaning devices.

Generally, traffic cleaning equipment implements multi-level security defense through means such as abnormal-traffic rate limiting and rule filtering, and filters out both network-layer and application-layer attacks.

Multi-layer protection

Multi-layer protection refers to defense at the network layer and the application layer through static feature detection, dynamic rule filtering, rate limiting, and human-machine identification. In fact, whichever defense means is used, only the cleaning effect at the network layer can be assured; at the application layer more traffic-limiting measures are adopted, and the false-blocking rate is very high.

Network Layer

Network-layer protection in most cases targets the various flood attacks.

Speed Limit

The most common defense method is for users to set thresholds for their applications, including pps (packets per second), bps (bits per second), qps (queries per second), newcons (new connections per second), and concurcons (concurrent connections), and to limit the traffic that exceeds the user's threshold.
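As an added example (not code from the original article or from any cleaning product), the limiter below keeps the five counters just named for one protected address over a sliding one-second window and reports which threshold a packet tripped. The threshold values and the simulated burst of SYNs are constructed, as are the source addresses.

```python
# Added example (not from the original article): a per-target threshold
# limiter over a sliding one-second window for the five counters the text
# names. Thresholds and the simulated traffic are constructed.
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Set, Tuple

Conn = Tuple[str, int]   # (source address, source port) of a connection


@dataclass
class Thresholds:
    pps: int          # packets per second
    bps: int          # bits per second
    qps: int          # application queries per second
    newcons: int      # new connections (SYN) per second
    concurcons: int   # concurrent open connections


class TargetLimiter:
    """Counts traffic towards one protected address and drops what exceeds the thresholds."""

    def __init__(self, th: Thresholds) -> None:
        self.th = th
        self.windows: Dict[str, Deque[Tuple[float, int]]] = {
            k: deque() for k in ("pps", "bps", "qps", "newcons")}
        self.open_conns: Set[Conn] = set()

    def _count(self, metric: str, now: float, amount: int) -> int:
        """Add amount to the metric's window and return the total of the last second."""
        w = self.windows[metric]
        w.append((now, amount))
        while w and now - w[0][0] >= 1.0:
            w.popleft()
        return sum(a for _, a in w)

    def admit(self, now: float, size: int, conn: Conn, is_syn: bool = False,
              is_query: bool = False, is_fin: bool = False) -> Tuple[bool, str]:
        """Return (allowed, reason); the reason names the first threshold exceeded."""
        if self._count("pps", now, 1) > self.th.pps:
            return False, "pps"
        if self._count("bps", now, size * 8) > self.th.bps:
            return False, "bps"
        if is_query and self._count("qps", now, 1) > self.th.qps:
            return False, "qps"
        if is_syn:
            if self._count("newcons", now, 1) > self.th.newcons:
                return False, "newcons"
            if len(self.open_conns) >= self.th.concurcons:
                return False, "concurcons"
            self.open_conns.add(conn)
        if is_fin:
            self.open_conns.discard(conn)
        return True, "ok"


def simulate() -> Dict[str, int]:
    """Constructed burst: 150 SYNs in half a second, then 40 more two seconds later."""
    lim = TargetLimiter(Thresholds(pps=1000, bps=10_000_000, qps=500,
                                   newcons=100, concurcons=120))
    reasons: Dict[str, int] = {}
    for i in range(150):
        _, why = lim.admit(now=i * 0.003, size=60,
                           conn=("198.51.100.%d" % (i % 250), 40000 + i), is_syn=True)
        reasons[why] = reasons.get(why, 0) + 1
    # the newcons window has emptied, but the 100 admitted connections are still open
    for i in range(40):
        _, why = lim.admit(now=2.0 + i * 0.003, size=60,
                           conn=("198.51.100.%d" % i, 50000 + i), is_syn=True)
        reasons[why] = reasons.get(why, 0) + 1
    return reasons


if __name__ == "__main__":
    print(simulate())
```

The two bursts show why newcons and concurcons are separate knobs: the first burst is cut off at 100 new connections within the second, while the second burst, a full two seconds later, is cut off by the concurrent-connection ceiling even though the per-second window has long emptied.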

SYN cookie defense

For more information about SYN cookie protection, see the previous section.

SYN reset

The SYN reset method is similar to the first-packet discard method mentioned above. Whereas first-packet discard passively waits for the client to retransmit, SYN reset impersonates the server and sends a SYN+ACK packet; when a normal client finds that the acknowledgement number in it is wrong, it replies with an RST packet and terminates the connection.

TCP state

During TCP transmission, normal clients communicate through a normal protocol stack and therefore follow a corresponding state-transition model. Attacks generally do not simulate a valid protocol stack. In this case, state monitoring can be used to identify packets that do not fit the expected state and discard them. For example, some attacks never complete the three-way handshake and so never follow the handshake's state-transition model.
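The added example below (not code from the original article) implements that state check for the handshake portion of the TCP state machine: each client/server pair is tracked through NONE, SYN_SENT, SYN_RECEIVED and ESTABLISHED, and a packet that does not fit the flow's current state is reported for discard. Addresses, ports and the packet sequence are constructed; the teardown handling is deliberately simplified to a single FIN.

```python
# Added example (not from the original article): a per-flow monitor that
# follows the three-way handshake states and drops packets that arrive out
# of state. Addresses and packets are constructed.
from typing import Dict, FrozenSet, Tuple

Flow = Tuple[str, int, str, int]   # client addr, client port, server addr, server port


class TcpStateMonitor:
    """Tracks NONE -> SYN_SENT -> SYN_RECEIVED -> ESTABLISHED per client/server pair."""

    def __init__(self) -> None:
        self.state: Dict[Flow, str] = {}

    def process(self, src: str, sport: int, dst: str, dport: int,
                flags: FrozenSet[str], protected: str) -> bool:
        """True if the packet fits the flow's current state, False if it should be discarded."""
        # key both directions of a flow the same way, client first
        if dst == protected:
            key, from_client = (src, sport, dst, dport), True
        else:
            key, from_client = (dst, dport, src, sport), False
        st = self.state.get(key, "NONE")

        if "RST" in flags:
            self.state.pop(key, None)
            return st != "NONE"          # an RST for an unknown flow is out of state too

        if st == "NONE":
            if from_client and flags == {"SYN"}:
                self.state[key] = "SYN_SENT"
                return True
            return False                 # ACK, data or FIN with no handshake behind it
        if st == "SYN_SENT":
            if not from_client and flags == {"SYN", "ACK"}:
                self.state[key] = "SYN_RECEIVED"
                return True
            return from_client and flags == {"SYN"}   # client retransmitting its SYN
        if st == "SYN_RECEIVED":
            if from_client and "ACK" in flags and "SYN" not in flags:
                self.state[key] = "ESTABLISHED"
                return True
            return False
        # ESTABLISHED: another SYN makes no sense; FIN ends tracking (simplified teardown)
        if "SYN" in flags:
            return False
        if "FIN" in flags:
            self.state.pop(key, None)
        return True


def run_sample() -> Dict[str, int]:
    """One legitimate handshake plus data, then five bare ACKs that skipped the handshake."""
    mon = TcpStateMonitor()
    server, client = "203.0.113.10", "198.51.100.5"
    packets = [
        (client, 40001, server, 80, frozenset({"SYN"})),
        (server, 80, client, 40001, frozenset({"SYN", "ACK"})),
        (client, 40001, server, 80, frozenset({"ACK"})),
        (client, 40001, server, 80, frozenset({"PSH", "ACK"})),
    ]
    packets += [("198.51.100.%d" % (20 + i), 50000 + i, server, 80, frozenset({"ACK"}))
                for i in range(5)]
    counts = {"accepted": 0, "dropped": 0}
    for src, sport, dst, dport, flags in packets:
        ok = mon.process(src, sport, dst, dport, flags, protected=server)
        counts["accepted" if ok else "dropped"] += 1
    return counts


if __name__ == "__main__":
    print(run_sample())
```

State tracking catches ACK and data packets that skip the handshake, but a bare SYN from a new source is always in state, so it does nothing against a SYN flood on its own; that is why it sits alongside the SYN cookie and first-packet discard measures rather than replacing them.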

The TCP status chart is as follows:

Fingerprint Recognition

In a narrow sense, a fingerprint is the mark or impression of a fingertip; in a broad sense, a fingerprint is any evidence that represents and describes the characteristics of something.

Fingerprint recognition is in fact a machine-learning process over fingerprint features such as those of TCP/IP and HTTP: the statistical features of normal traffic are collected and a model is built from them. Compared against such a model, abnormal traffic usually falls outside the range of normal traffic and is filtered out.
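As an added example (not code from the original article or from any product), the following builds that kind of baseline from a handful of TCP/IP and HTTP features of constructed normal requests (TTL, TCP window, header count, User-Agent length), then scores new requests by how far they stray from it. The training set, the two User-Agent strings, the z-score threshold of 3, and the flood-style request are all constructed assumptions.

```python
# Added example (not from the original article): a fingerprint baseline built
# from TCP/IP and HTTP features of normal requests, then used to flag requests
# that fall far outside it. All sample requests are constructed.
from statistics import mean, pstdev
from typing import Dict, List

FEATURES = ("ttl", "tcp_window", "header_count", "ua_len")


def extract(req: dict) -> Dict[str, float]:
    """Turn one request record into the numeric fingerprint features."""
    h = req["headers"]
    return {
        "ttl": req["ttl"],                          # IP layer
        "tcp_window": req["tcp_window"],            # TCP layer
        "header_count": len(h),                     # HTTP layer
        "ua_len": len(h.get("User-Agent", "")),     # HTTP layer
    }


class FingerprintModel:
    """Per-feature mean and standard deviation learned from normal traffic."""

    def __init__(self, normal: List[dict]) -> None:
        rows = [extract(r) for r in normal]
        self.mu = {k: mean([r[k] for r in rows]) for k in FEATURES}
        # floor the deviation at 1.0 so a constant feature cannot divide by zero
        self.sd = {k: max(pstdev([r[k] for r in rows]), 1.0) for k in FEATURES}

    def score(self, req: dict) -> float:
        """Largest z-score over all features: how far the request strays from normal."""
        f = extract(req)
        return max(abs(f[k] - self.mu[k]) / self.sd[k] for k in FEATURES)

    def is_abnormal(self, req: dict, z: float = 3.0) -> bool:
        return self.score(req) > z


def make_request(ttl: int, window: int, ua: str, extra: List[str]) -> dict:
    """Constructed request: four base headers plus any extra header names."""
    headers = {"Host": "www.example.test", "User-Agent": ua,
               "Accept": "text/html,*/*", "Connection": "keep-alive"}
    headers.update({name: "x" for name in extra})
    return {"ttl": ttl, "tcp_window": window, "headers": headers}


UA_DESKTOP = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
UA_PHONE = "Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 Chrome/120.0 Mobile Safari/537.36"

# Constructed "normal" training set
NORMAL = [
    make_request(64, 65535, UA_DESKTOP, ["Accept-Language", "Accept-Encoding", "Cookie"]),
    make_request(128, 64240, UA_DESKTOP, ["Accept-Language", "Accept-Encoding", "Cookie", "Referer"]),
    make_request(64, 29200, UA_PHONE, ["Accept-Encoding", "Upgrade-Insecure-Requests"]),
    make_request(52, 8192, UA_DESKTOP, ["Accept-Language", "Accept-Encoding", "Cookie", "Referer", "Cache-Control"]),
    make_request(118, 65535, UA_PHONE, ["Accept-Language", "Accept-Encoding", "Cookie"]),
    make_request(64, 29200, UA_DESKTOP, ["Accept-Language", "Accept-Encoding", "Cookie", "Referer"]),
]

# A normal-looking request and a flood-style request that sends a bare header set
NORMAL_LIKE = make_request(64, 65535, UA_DESKTOP, ["Accept-Language", "Accept-Encoding", "Cookie"])
FLOOD_LIKE = {"ttl": 64, "tcp_window": 65535, "headers": {"Host": "www.example.test"}}


if __name__ == "__main__":
    model = FingerprintModel(NORMAL)
    print("normal-like:", round(model.score(NORMAL_LIKE), 2), model.is_abnormal(NORMAL_LIKE))
    print("flood-like:", round(model.score(FLOOD_LIKE), 2), model.is_abnormal(FLOOD_LIKE))
```

The flood-style request has a perfectly ordinary TTL and window, so it is the HTTP-layer features (one header, no User-Agent) that push its score past the threshold. In practice the baseline must be rebuilt as the legitimate client population changes, otherwise the model itself becomes a source of the false blocking the text warns about at the application layer.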

Application Layer

As mentioned earlier, application-layer attacks differ from network-layer attacks because they belong to upper-layer protocols, which are closer to the business logic and sometimes have no strict boundary with normal service. Moreover, such attacks consume the server's bandwidth or host resources, so they are destructive.

Most application-layer attacks are concentrated on HTTP, and a few are targeted at DNS.

Domain Name Speed Limit

Requests can be individually limited in the unit of domain names.

First DNS packet discard

For more information about discarding the first DNS packet, see the DNS query flood defense under common DDoS attacks.

DNS TC retry

For more information about DNS TC retry, see the DNS query flood defense under common DDoS attacks.

HTTP Cookie Verification

For more information, see the section on HTTP flood defense measures to limit access frequency.

Online solution & bypass Solution

Internet DDoS defense can be divided into online (inline) deployment and bypass deployment. The two are deployed differently for different users and environments, and each has its own advantages and disadvantages.

Generally, large Internet or operator networks adopt bypass deployment. This method does not affect the topology of the backbone network or normal services, and it is easy to expand. In addition, bypass deployment usually has a dedicated scheduling system which, besides controlling cleaning, also provides controls such as traffic discarding (black-holing).

Generally, a small network uses online deployment. Its advantage is that detection and protection are done together and cleaning is continuous. Its disadvantages are the high reliability requirements and the lack of a dedicated scheduling system, which makes it inflexible and relatively weak in the face of complex attacks.

Online deployment

A typical online deployment solution is as follows:

Traffic passing through the router enters the cleaning device directly; after cleaning, it enters the switch and finally reaches the business target address. During cleaning, a control system can be attached to the cleaning device, so that the cleaning policy can be changed at any time after verifying the cleaning effect.

Bypass deployment

A typical bypass deployment scheme is as follows:

Bypass deployment is much more complex than online deployment and mainly involves the following aspects:

Traffic Detection

In bypass deployment, a dedicated traffic detection system is usually deployed. It analyzes mirrored (split) traffic to identify abnormal traffic and triggers the scheduling system to clean or discard it;

Traffic redirection

Traffic redirection means that the control end sends cleaning instructions to the cleaning device; the cleaning device then interacts with the core router, and the IP traffic is redirected to the cleaning device through BGP or other methods;

Traffic cleaning

The cleaning device identifies the redirection traffic and filters and cleans the attack packets;

Traffic Reinjection

The cleaning device reinjects the cleaned traffic to the core router. The core router directs the traffic to the normal user network;

Hybrid deployment

Some hybrid deployments also have their place. For example, the online deployment can be transformed so that the cleaning equipment is not directly connected to the user's network switch but placed at the bypass location, while traffic reinjection is still used to ensure loop-free connectivity. In this case, although there is no dedicated traffic detection module analyzing mirrored traffic, the scheduling system can still control the various policies of the cleaning devices. An example deployment is as follows:

As mentioned above, this hybrid solution is essentially a bypass deployment as far as the cleaning equipment is concerned, but in form and effect it is an online solution (which can be switched to the bypass effect), and it also keeps the absolute control and flexibility of the core scheduling over redirection and reinjection.

Traffic redirection and reinjection

The process of traffic redirection and reinjection is as follows:

Channeling

When abnormal traffic needs to be cleaned, the control end sends a channeling (redirection) command to the cleaning device. The cleaning device then advertises a BGP route (marked no-advertise) for the attacked network segment to the nearest router, specifying the next-hop address as the cleaning device; the route does not need to spread across the whole network.

Because the BGP route takes precedence over the ordinary route, the next hop for the traffic becomes the cleaning device.

In addition to BGP, both policy routing and MPLS can achieve traffic redirection.

Reinjection

Like traffic redirection, reinjection is implemented by specifying a router policy, so that traffic leaving the cleaning device does not form a loop when it reaches the router.

Traffic reinjection generally uses three methods: policy routing, GRE/MPLS encapsulation, and VLAN.

A policy route takes precedence over an ordinary route. By specifying the next-hop address at the interface where the reinjected traffic enters, the reinjected traffic follows the policy route to the user network instead of being redirected back to the cleaning device;

GRE and MPLS can specify the destination of a packet: the reinjected traffic is encapsulated in GRE or MPLS packets and sent back to the core router, which forwards the GRE or MPLS packets to the target device; the target device decapsulates them and delivers them to the user network, avoiding a loop;

Using the L2 forwarding feature of a VLAN (the switch locates the VLAN port through the MAC address; otherwise it floods the packet to all ports in the VLAN), the cleaning device and the target device are placed in the same VLAN, so that the traffic is reinjected into the user's network.
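To show why the redirection route and the reinjection policy route have to work together, here is an added example (not code from the original article or from any router vendor) that simulates the core router's forwarding decision through the channeling, reinjection and withdrawal steps described above. The interface names, the 203.0.113.0/24 segment, the route preferences, and the rule "policy route first, then longest prefix, then preference" are constructed assumptions standing in for real BGP and policy-routing configuration.

```python
# Added example (not from the original article): a simulation of how the
# redirection route and the reinjection policy route interact on the core
# router. Route preferences, interface names and addresses are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Route:
    prefix: IPv4Network
    next_hop: str
    preference: int   # lower is preferred, as with administrative distance


class CoreRouter:
    def __init__(self) -> None:
        self.rib: List[Route] = []
        # policy routing: ingress interface -> forced next hop, consulted first
        self.policy: Dict[str, str] = {}

    def add_route(self, prefix: str, next_hop: str, preference: int) -> None:
        self.rib.append(Route(ip_network(prefix), next_hop, preference))

    def withdraw(self, prefix: str, next_hop: str) -> None:
        net = ip_network(prefix)
        self.rib = [r for r in self.rib if not (r.prefix == net and r.next_hop == next_hop)]

    def lookup(self, dst: str, ingress: str) -> Optional[str]:
        """Next hop for a packet to dst arriving on ingress."""
        if ingress in self.policy:            # policy route beats the ordinary route
            return self.policy[ingress]
        addr = ip_address(dst)
        cands = [r for r in self.rib if addr in r.prefix]
        if not cands:
            return None
        best = min(cands, key=lambda r: (-r.prefix.prefixlen, r.preference))
        return best.next_hop


def scenario() -> Dict[str, Optional[str]]:
    """Walk through channeling, reinjection and withdrawal for one attacked host."""
    core = CoreRouter()
    core.add_route("203.0.113.0/24", "user-switch", 110)   # ordinary IGP route (constructed)
    steps: Dict[str, Optional[str]] = {}
    steps["before"] = core.lookup("203.0.113.10", "upstream")
    # Channeling: the cleaning device advertises the attacked host as a /32 over BGP
    # (no-advertise, so it stays on this router) with itself as the next hop.
    core.add_route("203.0.113.10/32", "cleaner", 20)
    steps["diverted"] = core.lookup("203.0.113.10", "upstream")
    # Reinjection without a policy route: the cleaned packet matches the /32 again
    steps["reinject_no_policy"] = core.lookup("203.0.113.10", "from-cleaner")
    # Reinjection with a policy route on the cleaner-facing interface: no loop
    core.policy["from-cleaner"] = "user-switch"
    steps["reinject_policy"] = core.lookup("203.0.113.10", "from-cleaner")
    # Other hosts in the segment are untouched by the /32
    steps["other_host"] = core.lookup("203.0.113.20", "upstream")
    # Attack over: withdraw the /32 and traffic returns to the normal path
    core.withdraw("203.0.113.10/32", "cleaner")
    steps["after"] = core.lookup("203.0.113.10", "upstream")
    return steps


if __name__ == "__main__":
    for step, hop in scenario().items():
        print(f"{step}: {hop}")
```

The "reinject_no_policy" step is the loop the text warns about: the cleaned packet still matches the diverted /32 and would be handed straight back to the cleaning device. Keying the policy route on the ingress interface rather than on the destination is what breaks the loop, and the GRE/MPLS and VLAN methods achieve the same separation by moving the reinjected traffic onto a different path or a different layer instead.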

 
