Detailed explanation on how vro is configured to implement DDoS defense and detailed explanation on router ddos Defense
What are the operations on vro settings to implement DDoS defense? First, we need to understand what the principles of DDoS attacks are before we take anti-DDoS measures, and then analyze the causes one by one and take measures.
I. Discussion on principles of DDoS Attack Based on vro settings
In the Distributed Denial of Service (DDoS) attack process, a group of malicious hosts or hosts infected by Malicious Hosts will send a large amount of data to the attacked server. In this case, network nodes close to the edge of the network will become exhausted. There are two reasons: first, the node close to the server usually requires only a small amount of user data to be processed during design; second, because of the aggregation of data in the core network area, nodes on the edge will receive more data. In addition, the server system itself is vulnerable to attacks and suffers from extreme overloading.
DDoS attacks are considered a resource management issue. The purpose of this article is to protect the server system from receiving excessive service requests in the global network. Of course, this mechanism can easily become a protection for network nodes. Therefore, a preventive measure must be taken to prevent attacks by adjusting the traffic on the router on the transfer path before the attack packets are clustered to paralyze the server. The specific implementation mechanism is to set a threshold value on the upstream router with several levels of distance from the server. Only the data volume within this threshold value can pass through the router, other data will be discarded or routed to other routers.
One of the main factors in this defense system is that each route point outputs "appropriate" data volumes. "Appropriate" must be determined by the allocation of requirements at the time, so dynamic negotiation between the server and the network is required. The negotiation method in this article is initiated by the server (S). If the server runs below the designed capacity (Us), no threshold value needs to be set. If the server load (Ls) when the designed capacity is exceeded, you can set the threshold value on the upstream of the server for self-protection. After that, if the current threshold value cannot lower the load of S than Us, the threshold value should be lowered; otherwise, if Ls "Us", the threshold value should be increased; if the increase of the threshold does not significantly increase the load during the peak period, you can cancel the threshold. The goal of the control algorithm is to control the server load within the range of [Ls, Us.
Obviously, it is impossible to retain the status information of all network servers, because this will lead to an explosion of status information. However, it is feasible to select a protection mechanism as needed, which is based on the assumption that DDoS attacks are a phenomenon rather than a common situation. In any period of time, we believe that only a few networks are under attack, and most networks are running in "healthy" status. In addition, malicious attackers usually select the "Main Site" that has the most access to users. These sites can use the following network structure to ensure their own security.
2. Discussion on the pattern of the system in which the router is set to implement DDoS Defense
All data volumes and server loads mentioned in this article are measured in kbps. The system network topology is shown in Figure 1. This article provides the network model G = (V, E), where V represents a series of nodes and E represents the edge. All leaf nodes are host and data sources. The internal node is a router, which does not produce data but can receive data from the host or forward data from other routers. R indicates the internal route node, and all routers are assumed to be trustworthy. Host H = V-R, divided into normal user Hg and malicious user Ha, E is the network link model, default is bidirectional.
The leaf node V is treated as the target server S. Normal users send data packets to S at a speed of [0, rg. A malicious attacker sends data packets to S at a speed of [0, ra]. In principle, the attacker can access S based on how the user normally accesses S) but the value of ra is difficult to determine. In fact, the value of ra is much higher than that of rg.
When S is attacked, it starts the threshold protection mechanism mentioned above. To facilitate representation, assuming that an overloaded server can still enable the protection mechanism, there is no need to set a threshold value on each vro. R (k) indicates that the router is located at the k-layer or shorter than the router at the k-layer, but they are directly connected to the host.
The square node in the figure indicates the host, and the Circular node indicates the router. The leftmost host is the target server S, and the router in R (3) is the green part in the figure. Note that the lowest vro in R (3) is only two layers apart from S, it is included because it is directly connected to the host.
3. vro threshold algorithm for implementing DDoS Defense
In the example in figure 1, the number (except S) on each host minus the rate at which the current host sends data to S. If Ls = 18 and Us = 22 are set, the load sent to S exceeds Us, so the threshold value is enabled at S. After the algorithm is completed, S determines that the threshold value is 6.25 and customizes this rate to the routers in R (3. In Figure 1, the number above the vro represents the data rate of S, and the number in the brackets below represents the data transfer rate (adjusted ). After adjustment, the load at S is limited to 20.53. The adjusted speed in R (3) is the server load fair value.
So far, we have only discussed how to use the basic threshold algorithm. R (k) will increase rapidly as k increases. Therefore, if some paths are not under attack, the router resources on these paths will be wasted. If the router between S and R (k) can monitor the packet data rate to S, the situation can be improved without affecting the performance.
Figure 2 shows how the monitoring router is introduced between S and R (3) in Figure 1. Note that the thresholds of the three routers to which R (3) belongs are canceled because there are no attacks on these routes.
Iv. Configure vrouters to implement various assessment and measurement standards for DDoS Defense
A basic indicator of performance measurement is the extent to which the threshold can defend against DDoS attacks. In addition to basic metrics, you must also consider the cost of installing this mechanism. Therefore, the following evaluation criteria can be used:
1. Number of common users in the server;
2. Number of routers to be involved when S is protected;
3. Ability to respond to changes in user requirements.
Generally, attackers are more aggressive than normal users. However, a malicious attack can allow a large number of other hosts to participate in malicious attacks. Although each host looks like a common user, they together will still cause DDoS attacks. In essence, it is difficult to defend against such attacks.
The following requirements must be observed when such protection mechanisms are actually deployed. First, the reliability of the threshold value must be ensured. Otherwise, the mechanism itself may become an attack point. To ensure reliability, the threshold message must be verified first when it is accepted by the edge router to the network. Second, ensure that these messages are securely sent from the starting point to the destination point. Because the message sending volume of the threshold value is small, the authentication and transmission priority should be acceptable. Moreover, the server may be overloaded instantaneously because the control method must receive feedback, to ensure that the adjustment mechanism is still running, you can use a coprocessor or help device. Third, the threshold protection mechanism may not be supported in the entire network, but only one vro on the attacked route can support this mechanism.
Now you know what anti-DDoS operations are performed on vro settings. We will share with you later.