A DDoS (Distributed Denial of Service) attack is a simple yet devastating network attack that exploits weaknesses of the TCP/IP protocol suite; because the TCP/IP session mechanism cannot be changed, there is no direct and effective way to defend against it. Many cases have shown that passive defence with traditional equipment is essentially futile: existing firewalls are overwhelmed by their limited processing capacity and themselves become the bottleneck of the network, and the target host is inevitably paralysed for the duration of the attack.
More and more websites in China (Discuz, IM286, etc.) have fallen victim one after another. For this reason our reviewers, in collaboration with a telecom operator in Chongqing (referred to here as XX Telecom), tested the Cisco Riverhead anti-DDoS attack system at the operator's Internet Exchange Center (IXC). (At present only two sets of this test equipment exist in China.) The aim is to offer readers a professional solution.
I. Background information
The Cisco anti-DDoS solution used in this test is the product line that Cisco acquired and integrated when it bought Riverhead. Riverhead made an important innovation in handling DDoS: it introduced the concept of traffic "diversion" (guiding traffic for the attacked host to a dedicated cleaning device) and two key lines of defence against DDoS attacks, an anti-spoofing line and a statistical analysis line.
The system consists of two components: the intelligent DDoS detection device, the Detector, and the protective (cleaning) device, the Guard. Abroad it is widely deployed by telecom operators, portals, online game companies and online payment companies; its end users include five of the world's largest application software vendors, media companies and financial enterprises, and ISPs such as AT&T, Sprint, Rackspace and DataPipe are among its customers.
For this test we take the existing network structure and environment of XX Telecom as the example. Its customers have strict requirements for network security, reliability and similar indicators, and their network applications are diverse; how to optimise the existing network design and improve the Internet Data Center's (IDC) ability to defend against the DDoS attacks now common has therefore become a subject the IDC must focus on. The IDC topology is shown in Figure 1.
Figure 1
II. Principle of the scheme
To address these needs, Cisco Systems, as the world's largest and strongest network security company, recommends a DDoS defence based on the Guard and the Detector, as shown in Figure 2.
Figure 2
1. Initially the Guard is not protecting any object and no data flow passes through it; at this stage the Guard is an offline (out-of-path) device. The Detector receives, through port mirroring on the switch, a copy of the data flow to the protected object; through algorithm analysis and policy matching it discovers that the protected object is under attack.
2. The Detector establishes an SSH connection to the Guard and notifies it to start protecting the protected object.
3. The Guard sends a BGP routing update to its associated BGP peer so that the router forwards the data stream destined for the protected object to the Guard. Data streams destined for other, unprotected objects flow normally and are unaffected (Figure 3).
Figure 3
4. Through policy matching and algorithm analysis, the Guard identifies the type of attack and processes the data stream (detecting source-address spoofing, filtering illegal packets, rate limiting, etc.); at this stage the attack data is removed.
5. The filtered data stream is sent back to the BGP peer (or to another Layer 3 device downstream of the peer), so legitimate connections continue to work normally.
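The five steps above, as an added simulation that is not part of the original article or of Cisco's product: the mirrored flow is counted by a Detector function, the BGP diversion is modelled as a more-specific /32 route inserted into a longest-prefix-match table, the Guard drops sources from bogon ranges as a stand-in for anti-spoofing and rate-limits per source, and cleaned traffic is merged back with the untouched traffic. Addresses, thresholds and the packet list are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample traffic as (src, dst) pairs; hypothetical addresses.
VICTIM = "203.0.113.10"   # the protected object under attack
OTHER = "203.0.113.20"    # an unprotected host in the same data centre
PACKETS = (
    [("198.51.100.5", OTHER)] * 3        # normal traffic to the unprotected host
    + [("10.0.0.1", VICTIM)] * 40        # bogon source: spoofed-address stand-in
    + [("192.0.2.7", VICTIM)] * 20       # one aggressive source
    + [("198.51.100.9", VICTIM)] * 2     # a normal client of the victim
)
THRESHOLD = 30      # Detector: packets to one destination in the mirrored sample
PER_SRC_LIMIT = 5   # Guard: packets allowed per source
BOGONS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Router:
    """Longest-prefix-match table; the BGP diversion update becomes a /32 route."""
    def __init__(self, default_hop):
        self.routes = {ipaddress.ip_network("0.0.0.0/0"): default_hop}
    def add_route(self, prefix, hop):
        self.routes[ipaddress.ip_network(prefix)] = hop
    def next_hop(self, dst):
        ip = ipaddress.ip_address(dst)
        best = max((p for p in self.routes if ip in p), key=lambda p: p.prefixlen)
        return self.routes[best]

def detect(mirrored):
    """Step 1: flag destinations whose mirrored packet count exceeds THRESHOLD."""
    counts = Counter(dst for _, dst in mirrored)
    return {dst for dst, n in counts.items() if n > THRESHOLD}

def guard_clean(packets):
    """Step 4: drop bogon sources and rate-limit each remaining source."""
    seen, kept = Counter(), []
    for src, dst in packets:
        if any(ipaddress.ip_address(src) in b for b in BOGONS):
            continue
        seen[src] += 1
        if seen[src] <= PER_SRC_LIMIT:
            kept.append((src, dst))
    return kept

def run(packets):
    """Run the whole cycle and return what the downstream device receives."""
    router = Router("downstream")
    for victim in detect(packets):                 # Detector notifies the Guard (step 2)
        router.add_route(f"{victim}/32", "guard")  # Guard injects the diversion route (step 3)
    diverted = [p for p in packets if router.next_hop(p[1]) == "guard"]
    untouched = [p for p in packets if router.next_hop(p[1]) != "guard"]
    return untouched + guard_clean(diverted)       # cleaned traffic reinjected (step 5)
```

Only the victim's /32 is diverted, so the three packets to the unprotected host never touch the Guard, while the 62 packets to the victim are reduced to 7 legitimate ones.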