A detailed introduction to preventing abnormal traffic in telecom IP networks

Source: Internet
Author: User

Abnormal traffic attacks are now a headache for many operators and a serious challenge in the telecom field. Telecom operators should build a system for preventing abnormal traffic. This prevention work is an important task within the operators themselves, and it also needs the support of the government and the cooperation of the industry.

Security challenges for IP networks

The first security challenge that IP networks face is massive traffic attacks. The scale of attack traffic has a great impact on today's networks, for example when botnets are used to carry out large-scale DDoS (distributed denial of service) attacks or to send garbage traffic. As of the first half of 2006, more than 7 million host IP addresses in China were controlled by botnets, and 199 botnets had more than 5,000 nodes. Besides DDoS attacks launched through botnets, which are the main attack mode, new resource-exhaustion attacks also need close attention. The problems operators face will become increasingly difficult.

The second characteristic is that attack methods are highly intelligent and the techniques well concealed. Attacks now fuse the technical features of worms, viruses, trojans and so on; their scope is wider and wider and the harm they do greater and greater. Kernel-level backdoors, covert channels, jump attacks, multi-layer springboards and similar technologies make attacks more covert and make things convenient for botnets.

A third important feature is the increasing commercialization of attack purposes. Earlier attacks were a way for hackers to show off their skills, but attacks are now increasingly commercial, and high-technology crime has emerged. Why? Attacks now have clear goals: most focus on game sites and internet cafes, where an attack brings a certain profit. Such attacks directly affect the availability of telecom IP networks. Telecom operators are often subject to large-scale abnormal traffic attacks; botnet attacks on telecom operators have reached up to 20 Gbps of traffic, causing serious network congestion.

Three things to do for prevention

Faced with these security challenges, telecom operators who want to improve their network's ability to defend itself should first do the following three things within the scope they can control:

First, set up a mechanism for monitoring abnormal traffic and giving early warning. When you build a highway, you need monitoring systems so that the black sheep can be cleared off.

Second, protect the network infrastructure and support systems well. If the highway's infrastructure is poor and the road is not smooth, many problems arise easily, and once it is attacked the network will basically be paralyzed.

Third, have the means to kick out the black sheep, that is, to divert and control abnormal traffic. In addition, extend the prevention capability to the customer network: the customer network is often both a source of attacks and a possible victim, so such edge networks should be dealt with at the root.

Establish the abnormal traffic monitoring and warning mechanism, covering the end-customer network, so as to provide operators with more accurate information. When an attack of this kind is discovered, an early warning can be issued promptly, telling the operator's operations staff to deal with the crisis. Protecting the telecom network infrastructure and support systems is also very important: separating the service provisioning layer from the backbone layer in the network structure isolates the backbone from customers, which ensures the security of the backbone and at the same time effectively limits the scope of the impact on customer security.

For operators, infrastructure and support system protection has two main aspects: the first is protecting the network security boundary, and the second is preventing denial of service attacks. The IP addresses of backbone routing devices and the network management system can be hidden by route filtering or ACLs (access control lists). In addition, using QoS to suppress virus traffic, enabling uRPF (unicast reverse path forwarding) to prevent source address spoofing, shutting down unnecessary services on equipment, deploying two firewalls to protect the intranet, and deploying a 3A (building, office and communication automation) system for authentication are all very necessary means of protection.
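The source address spoofing check in the list above can be sketched as follows, assuming it refers to unicast reverse path forwarding (uRPF) in strict mode. This is an added example, not code from the original article; the routing table, interface names and packets are constructed.

```python
import ipaddress

# Constructed FIB: prefix -> interface the router uses to reach that prefix.
FIB = {
    "10.1.0.0/16": "ge-0/0/1",   # customer A
    "10.2.0.0/16": "ge-0/0/2",   # customer B
    "10.2.8.0/24": "ge-0/0/3",   # more specific route for part of customer B
    "0.0.0.0/0": "xe-1/0/0",     # default route towards the backbone
}
# Longest prefixes first, so the first match is the best route.
TABLE = sorted(((ipaddress.ip_network(p), i) for p, i in FIB.items()),
               key=lambda e: e[0].prefixlen, reverse=True)

def lookup(addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    for net, ifname in TABLE:
        if ip in net:
            return ifname
    return None

def urpf_strict(src, in_if):
    """Accept only if the best route back to src leaves via the arrival interface."""
    return lookup(src) == in_if

def filter_packets(packets):
    """Split (source address, arrival interface) pairs into accepted and dropped."""
    accepted, dropped = [], []
    for src, in_if in packets:
        (accepted if urpf_strict(src, in_if) else dropped).append((src, in_if))
    return accepted, dropped

# Constructed packets: (source address, interface the packet arrived on).
PACKETS = [
    ("10.1.5.9", "ge-0/0/1"),      # customer A from its own port
    ("10.2.8.7", "ge-0/0/2"),      # best route is the /24 on ge-0/0/3
    ("192.0.2.10", "ge-0/0/1"),    # foreign source on a customer port
    ("198.51.100.4", "xe-1/0/0"),  # external source arriving from the backbone
]

if __name__ == "__main__":
    ok, bad = filter_packets(PACKETS)
    print("accepted:", ok)
    print("dropped: ", bad)
```

The second packet shows the usual caveat: strict mode also drops legitimate traffic when routing is asymmetric, so it fits customer-facing edge ports better than backbone links.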

Traffic guidance and control

Beyond the infrastructure and support system protection above, the strategy for guiding and controlling abnormal traffic is even more important for operators. Against this kind of attack, relying on people to trace and block is not enough; operators must also rely on technical means, of which there are mainly three:

The first is a black hole network, as opposed to a black hole technology. Because telecom operators can control and observe the entire network, they can filter at the edge rather than at a single point. Filtering at one point after a failure has occurred is not enough; control must be exercised over a larger scope.

The second is a traffic cleaning network; the existing approach basically solves the problem through overflow. One advantage China Telecom now has is that it runs two networks, of which CN2 (next generation of the host network) can provide differentiated services. CN2 is therefore used for customer network addressing, so that customers get differentiated, that is, end-to-end, services. In building its traffic cleaning centers, China Telecom also plans to cover a large area first and then spread gradually across the network, forming a network that provides cleaning services to customers.

The third is QoS suppression. An attack often comes not from one place but from all directions in the network, congesting the network's egress traffic. When such traffic is found, action must be taken to discard or suppress the attack traffic at the edges of multiple metropolitan area networks.

Since telecom operators can see the global state, when this happens they can call on those metropolitan area networks to trigger black hole routing and suppress the flows before they build up. Edge control, including mobile routing control, is then done from a centralized starting point, which suppresses the traffic better. This method makes use of the operator's own advantage.
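The global view described above, turned into a decision about which metropolitan edges should act, can be sketched as follows. This is an added example, not code from the original article; the flow summaries, baselines, thresholds and edge names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed flow summaries: (metro edge, destination IP, Mbps in the last interval).
FLOWS = [
    ("metro-a", "203.0.113.10", 900), ("metro-b", "203.0.113.10", 1200),
    ("metro-c", "203.0.113.10", 40),  ("metro-d", "203.0.113.10", 1500),
    ("metro-a", "198.51.100.7", 300), ("metro-b", "198.51.100.7", 20),
    ("metro-a", "192.0.2.55", 250),   ("metro-c", "192.0.2.55", 200),
]
# Constructed normal peak per destination, in Mbps.
BASELINE_MBPS = {"203.0.113.10": 400, "198.51.100.7": 500, "192.0.2.55": 100}

ALERT_FACTOR = 3       # assumed: warn when the total exceeds 3x baseline
BLACKHOLE_FACTOR = 8   # assumed: at 8x baseline, black hole instead of rate-limit
EDGE_SHARE = 0.10      # assumed: act at edges carrying at least 10% of the total

def plan_mitigation(flows, baseline):
    """Return {destination: {total_mbps, edges, action}} for abnormal destinations."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for edge, dst, mbps in flows:
        per_dst[dst][edge] += mbps          # sum what every edge sees per target
    plan = {}
    for dst, edges in per_dst.items():
        total = sum(edges.values())
        base = baseline.get(dst)
        if base is None or total <= ALERT_FACTOR * base:
            continue                        # no baseline or within normal range
        # Act where the traffic enters, not only at the congested egress.
        heavy = sorted(e for e, m in edges.items() if m >= EDGE_SHARE * total)
        action = "blackhole" if total >= BLACKHOLE_FACTOR * base else "rate-limit"
        plan[dst] = {"total_mbps": total, "edges": heavy, "action": action}
    return plan

if __name__ == "__main__":
    for dst, p in plan_mitigation(FLOWS, BASELINE_MBPS).items():
        print(dst, p)
```

No single edge sees the full volume aimed at 203.0.113.10; only the summed view crosses the threshold, which is why the decision is taken centrally and applied at several edges at once.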
