A DDoS (distributed denial of service) attack is a simple but fatal network attack that exploits weaknesses in the TCP/IP protocol. Because the session mechanism of TCP/IP cannot be modified, there is no direct and effective defense against it. A large number of cases prove that passive defense with traditional equipment is basically futile: existing firewall equipment is paralyzed by its limited processing capacity and becomes a bottleneck for network operation. In addition, the target host is bound to be paralyzed during the attack.
More and more websites in China (Discuz, IM286, etc.) have been brought down, so this newspaper's reviewers, in collaboration with the local XX telecom operator in Chongqing, tested the Cisco Riverhead anti-DDoS attack system at the Internet Exchange Center (IXC) established there (at present, there are only two sets of test equipment for this system in China), to provide you with a professional solution.
I. Background information
The Cisco anti-DDoS attack solution used in this test is based on a product line called Riverhead, which Cisco acquired and integrated. It made a very important innovation in dealing with DDoS: it introduced the concept of "guidance" and two key lines of defense against DDoS attacks, the anti-deception line and the statistical analysis line.
The system is composed of an intelligent DDoS detection device, the Detector, and a protection device, the Guard. It is widely used abroad by telecom operators, portals, online gaming companies and online payment companies. Its end users include the world's 5 major application software manufacturers, media companies and financial enterprises, and ISPs such as AT&T, Sprint, Rackspace and DataPipe are its customers.
In this test, we take the existing network structure and environment of the XX telecom operator as the example. The operator's customers have demanding requirements for network security, reliability and other indicators, and their network applications are diverse. How to optimize the existing network scheme and improve the Internet Data Center's (IDC) ability to defend against the currently popular DDoS attacks has therefore become a subject the IDC needs to focus on. The IDC topology is shown in Figure 1.
Figure 1
II. Principle of the scheme
To address these needs, Cisco Systems, as the world's largest and strongest company in network security, recommends a DDoS defense based on the Guard and the Detector, as shown in Figure 2.
Figure 2