1. NTP reflection and amplification attacks. Reflection attacks, whether based on DNS or NTP, are ultimately built on the UDP protocol. Under normal circumstances the client sends a request packet to the server and the server returns a response packet to the client. But UDP is connectionless, so the source IP of the client's request packet is easy to forge: when the source IP is changed to the victim's IP, the response packet returned by the server goes to the victim's IP instead. This is what creates a reflection attack.
How to defend: hardening the NTP service
1. Upgrade the NTP server to 4.2.7p26.
2. Turn off the monlist feature of the NTP service by adding the 'disable monitor' option to the ntp.conf configuration file.
3. Block UDP port 123 at the network egress.
Defending against NTP reflection and amplification attacks:
1. Because the characteristics of this attack are obvious, ACLs can be implemented at the network layer or by the operator to defend against it.
2. Cleaning with anti-DDoS devices.
Note: An Access Control List (ACL) is a list of instructions applied to router and switch interfaces that controls which packets enter and leave a port. ACLs apply to all routed protocols, such as IP, IPX, AppleTalk, and so on.
2. NetFlow flow-rate calculation. The number of flows per second the system needs to process = (traffic size to be analysed x 1024 x 1024 x 1024) / (sample ratio x 384 x 8); with a 500:1 sample ratio the denominator is 500 x 384 x 8. Example: with 280G of bandwidth and a 1000:1 sample ratio, (280 x 1024 x 1024 x 1024) / (1000 x 384 x 8) = 97867.09333. Here 384 is the average packet length of packets in typical network traffic, 384 bytes.
3. Intrusion detection (IDS). An analogy: if the firewall is the building's lock, then the IDS is the building's monitoring system. The workflow of an intrusion detection system is broadly divided into the following steps:
1. Information collection. The first step of intrusion detection is information collection, which includes the content of network traffic and the state and behaviour of users' connection activity.
2. Signal analysis. The information collected above is analysed, generally by three technical means: pattern matching, statistical analysis and integrity analysis. The first two are used for real-time intrusion detection, while integrity analysis is used for post-mortem analysis.
3. Real-time recording, alerting or limited counterattack. The fundamental task of the IDS is to respond appropriately to the intrusion, including detailed logging, real-time alarms and limited countermeasures against the source.
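The three-step workflow above, worked as an added example (not code from the original page): a miniature IDS that runs the three analysis means of step 2 over a handful of constructed log lines and a constructed file-hash baseline, and turns every finding into an alert record (step 3). Log lines, thresholds and file names are all constructed for the demo.

```python
import hashlib
import re
from collections import Counter

# Constructed sample input (not from the page): a few collected log lines (step 1).
SAMPLE_LOGS = [
    "10.0.0.5 -> 10.0.0.1 auth FAILED user=root",
    "10.0.0.5 -> 10.0.0.1 auth FAILED user=root",
    "10.0.0.5 -> 10.0.0.1 auth FAILED user=root",
    "10.0.0.5 -> 10.0.0.1 auth FAILED user=root",
    "10.0.0.7 -> 10.0.0.1 auth OK user=alice",
    "10.0.0.9 -> 10.0.0.1 GET /../../etc/passwd",
]

# Pattern matching: signatures applied to each collected line (real-time).
SIGNATURES = {"path-traversal": re.compile(r"\.\./\.\.")}

# Statistical analysis: a source with this many failures in the batch is anomalous (real-time).
FAIL_THRESHOLD = 3

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def pattern_match(lines):
    """Return (signature name, line) for every line that hits a signature."""
    return [(name, line) for line in lines for name, rx in SIGNATURES.items() if rx.search(line)]

def statistical_analysis(lines):
    """Count auth failures per source address and flag sources at or over the threshold."""
    failures = Counter(line.split(" ")[0] for line in lines if "auth FAILED" in line)
    return sorted(src for src, n in failures.items() if n >= FAIL_THRESHOLD)

def integrity_analysis(baseline, current):
    """Post-mortem: files whose current hash differs from the trusted baseline hash."""
    return sorted(path for path, digest in current.items() if baseline.get(path) != digest)

def run_ids(lines, baseline, current):
    """Step 3 in miniature: every finding becomes a (method, reason, detail) alert record."""
    alerts = [("pattern", name, line) for name, line in pattern_match(lines)]
    alerts += [("statistical", "excessive auth failures", src) for src in statistical_analysis(lines)]
    alerts += [("integrity", "file hash changed", path) for path in integrity_analysis(baseline, current)]
    return alerts
```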
4. Intrusion prevention (IPS). An intrusion prevention system is a computer network security facility that supplements anti-virus software and firewalls (packet filters, application gateways). It is a network security device that monitors the data transmission behaviour of a network or of network equipment and can instantly interrupt, adjust or isolate abnormal or harmful data transmissions.
5. Multiprotocol Label Switching (MPLS) is a system for fast packet switching and routing that provides targeting, routing, addressing, forwarding and switching capabilities for network data traffic. More specifically, it has mechanisms to manage many different forms of traffic flow.
6. BRAS (Broadband Remote Access Server) is mainly used for dial-up user authentication, address management, billing, etc.; SR is mainly used for business control, quality of service and control of leased-line users.
7. EBGP (External Border Gateway Protocol) is used to exchange routing information between different autonomous systems.
8. IBGP (Internal Border Gateway Protocol). The main function of IBGP is to provide more information to your internal routers. IBGP routers must be connected in a full-mesh structure to prevent routing loops. If route reflectors or confederations are used, the IBGP mesh structure may encounter convergence problems and lead to a routing black hole.
9. China Telecom Internet Data Center (hereafter China Telecom IDC) is a product that, based on carrier-class machine rooms and network resources and a high-level professional technical support team, provides equipment hosting and related value-added services to all kinds of customers and regularly collects the corresponding service fees from them. The basic IDC business includes hosting, bandwidth leasing, server leasing, VIP room rental, virtual hosting, IP address rental, power supply and other services.
10. Remote Triggered Black Hole (RTBH) based on destination address and on source address: http://www.cisco.com/c/dam/en/us/products/collateral/security/ios-network-foundation-protection-nfp/prod_white_paper0900aecd80313fac.pdf. This article is about the protection principle of Cloud Shield; Cloud Shield is mainly based on destination-address RTBH, and source-address RTBH is not used. Simply put, to deal with DDoS attacks, RTBH configures a black-hole (null) route for the host and PBR on the border network device, tags the attack flow and directs it to the null interface to be discarded. The disadvantage is that the attack traffic cannot be analysed.
11. VMware concepts. Do you know ESXi? It is the physical-machine virtualization software; once there are more hosts they are managed with vCenter, which introduces the concept of a cluster: a unified deployment of the computing and storage resources of the hosts in the cluster, and of the network as well. The networking provided by vCenter and ESXi is layer 2, i.e. at the switch level. At the cluster level vCenter also proposes a virtual storage concept, vSAN. In general, vCenter and ESXi are collectively known as vSphere, and then there is the very hot 'hyper-converged' combination of compute, storage and network.
12. HTTP Flood defence. HTTP flood attacks are defended against mainly by caching: results are returned directly from the device's cache as far as possible to protect the backend business. Large Internet enterprises have a large amount of content cached at CDN nodes. When an advanced attacker penetrates the cache, the cleaning device intercepts the HTTP requests for special handling. The simplest way is to count the HTTP request frequency of each source IP and blacklist IP addresses above a certain frequency. This method is too simple, easily produces false positives, and cannot block attacks coming from proxy servers, so it was gradually abandoned and replaced by the JavaScript jump human-machine recognition scheme. HTTP flood tools are programs that simulate HTTP requests; they generally do not parse the data the server returns, let alone execute code such as JS. Therefore, when the cleaning device intercepts an HTTP request it returns a special piece of JavaScript code: a normal user's browser handles the jump normally without affecting use, while the attacker's tool cannot follow it and its requests are blocked.
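Both schemes from the paragraph above side by side, as an added example (not code from the original page or from any cleaning product): the simple per-source-IP frequency blacklist, and the JavaScript-jump check in which the device answers an unverified request with a script that sets a cookie and re-requests the page. The secret key, window sizes, thresholds and token format are all constructed for the demo.

```python
import hashlib
import hmac
import json
from collections import defaultdict, deque

SECRET = b"constructed-demo-secret"   # hypothetical per-device key; rotate it in practice
WINDOW = 60.0                         # seconds of request history kept per source IP
MAX_REQ_PER_WINDOW = 100              # scheme 1 threshold (constructed value)
TOKEN_SLOT = 300                      # scheme 2: a token is valid within one 5-minute slot

class HttpFloodCleaner:
    """Toy cleaning device: per-IP frequency blacklist plus JavaScript-jump verification."""

    def __init__(self):
        self.history = defaultdict(deque)   # src_ip -> timestamps of recent requests
        self.blacklist = set()

    def rate_check(self, src_ip, now):
        """Scheme 1, the simple frequency count the page calls prone to false positives."""
        q = self.history[src_ip]
        q.append(now)
        while q and now - q[0] > WINDOW:
            q.popleft()
        if len(q) > MAX_REQ_PER_WINDOW:
            self.blacklist.add(src_ip)
        return src_ip not in self.blacklist

    def _token(self, src_ip, now):
        # Scheme 2: the cookie value binds the client IP to a coarse time slot via an HMAC,
        # so a flood tool cannot guess it or reuse one obtained from another address.
        msg = f"{src_ip}:{int(now // TOKEN_SLOT)}".encode()
        return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]

    def challenge_page(self, src_ip, path, now):
        """JavaScript returned to an unverified client; a browser runs it and re-requests."""
        cookie = json.dumps(f"verify={self._token(src_ip, now)}")
        return f"<script>document.cookie={cookie};location.href={json.dumps(path)};</script>"

    def handle(self, src_ip, path, cookie, now):
        """Return (action, body) with action one of 'drop', 'challenge', 'pass'."""
        if not self.rate_check(src_ip, now):
            return ("drop", "")
        if cookie and hmac.compare_digest(cookie, self._token(src_ip, now)):
            return ("pass", path)          # the browser came back with the cookie the JS set
        return ("challenge", self.challenge_page(src_ip, path, now))
```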
13. DNS Flood defence. DNS attack defence has means similar to HTTP defence. The first scheme is caching. The second is retransmission: the DNS message can be dropped directly, causing the UDP-level request to be re-sent, or a special response can be returned that forces the client to re-send the DNS query over TCP. In particular, for authoritative-domain DNS protection, the device extracts the list of DNS domain names it receives and the list of ISP DNS IPs during normal business periods; during an attack, requests not on the lists are discarded, greatly reducing the performance pressure. For domain names, the same whitelist mechanism is implemented: resolution requests for non-whitelisted domain names are discarded.
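The list-learning part of the paragraph above, as an added example (not code from the original page): during the normal period the device records which zones are queried and which resolver addresses query them; once an attack is declared, a query passes only if it comes from a learned ISP resolver or asks for a learned zone, and everything else is dropped. Query records, addresses, zone names and the repeat threshold are constructed for the demo.

```python
from collections import Counter

class DnsFloodFilter:
    """Toy authoritative-DNS protector: learn lists in normal periods, enforce them under attack."""

    def __init__(self, min_seen=2):
        self.min_seen = min_seen          # a zone or resolver must repeat to enter the learned list
        self.zone_seen = Counter()
        self.resolver_seen = Counter()
        self.zone_whitelist = set()
        self.resolver_whitelist = set()
        self.under_attack = False

    @staticmethod
    def zone(qname):
        # Only the registrable zone matters for the list: abc.example.com. -> example.com
        labels = qname.rstrip(".").lower().split(".")
        return ".".join(labels[-2:])

    def learn(self, query):
        """Normal period: record the zones asked for and the ISP resolvers asking for them."""
        self.zone_seen[self.zone(query["qname"])] += 1
        self.resolver_seen[query["src_ip"]] += 1

    def freeze(self):
        """Turn the counters into the lists that will be enforced during an attack."""
        self.zone_whitelist = {z for z, n in self.zone_seen.items() if n >= self.min_seen}
        self.resolver_whitelist = {ip for ip, n in self.resolver_seen.items() if n >= self.min_seen}

    def filter(self, query):
        """Return 'pass' or 'drop'. Outside an attack everything passes and keeps teaching the lists."""
        if not self.under_attack:
            self.learn(query)
            return "pass"
        if query["src_ip"] in self.resolver_whitelist:
            return "pass"                 # known ISP resolver, even for a new name
        if self.zone(query["qname"]) in self.zone_whitelist:
            return "pass"                 # unknown source, but a zone we serve and saw before
        return "drop"                     # neither list matches: flood traffic, discarded cheaply
```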
14. Slow connection attack defence. Slowloris attack defence is relatively simple; there are two main schemes. The first is to count the duration of each TCP connection and the number of messages passed per unit of time, for precise identification. Within a TCP connection, HTTP messages that are too small and messages that are too many are both abnormal: too few may be a slow connection attack, too many may be an HTTP flood that uses the HTTP 1.1 protocol to send multiple HTTP requests over one TCP connection. The second is to limit the maximum time allowed for transmitting the HTTP header: if the HTTP header has not finished transferring within the specified time, the source IP is directly judged to be a slow connection attack, the connection is interrupted and the IP is blacklisted.
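Both schemes above in one per-connection tracker, as an added example (not code from the original page): scheme 1 judges the rate of complete HTTP messages on a long-lived connection in both directions (too few while bytes still trickle in, or far too many), and scheme 2 blacklists a source whose request header has not completed within the time limit. All thresholds, connection ids and addresses are constructed for the demo.

```python
from dataclasses import dataclass, field

# Constructed thresholds, not from the page; tune them per site.
MAX_HEADER_SECONDS = 10.0  # scheme 2: a complete request header must arrive within this time
MIN_AGE = 30.0             # scheme 1: judge message rates only on connections at least this old
MIN_RATE = 0.2             # complete messages/s below which a still-trickling connection is slow
MAX_RATE = 50.0            # complete messages/s above which one keep-alive connection is a flood

@dataclass
class Conn:
    src_ip: str
    opened: float
    bytes_since_msg: int = 0                        # payload received since the last complete request
    msg_times: list = field(default_factory=list)   # arrival time of each complete HTTP request

class SlowConnDetector:
    """Per-TCP-connection bookkeeping a cleaning device keeps to apply the two schemes."""

    def __init__(self):
        self.conns = {}
        self.blacklist = set()

    def open(self, conn_id, src_ip, now):
        self.conns[conn_id] = Conn(src_ip, now)

    def data(self, conn_id, nbytes):
        """Any TCP payload, complete or not, e.g. one more header line from a slow client."""
        self.conns[conn_id].bytes_since_msg += nbytes

    def message(self, conn_id, now):
        """A complete HTTP request has been parsed on the connection."""
        c = self.conns[conn_id]
        c.bytes_since_msg = 0
        c.msg_times.append(now)

    def classify(self, conn_id, now):
        """Return 'ok', 'slow-header', 'slow-connection' or 'http-flood'; attackers are blacklisted."""
        c = self.conns[conn_id]
        age = now - c.opened
        rate = len(c.msg_times) / age if age > 0 else 0.0
        if not c.msg_times and age > MAX_HEADER_SECONDS:
            verdict = "slow-header"        # header still not complete after the limit (scheme 2)
        elif age >= MIN_AGE and c.bytes_since_msg > 0 and rate < MIN_RATE:
            verdict = "slow-connection"    # long-lived, bytes trickling, almost no full messages
        elif age >= MIN_AGE and rate > MAX_RATE:
            verdict = "http-flood"         # many requests over one HTTP/1.1 connection
        else:
            return "ok"                    # idle keep-alive connections are left alone
        self.blacklist.add(c.src_ip)
        return verdict
```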
15. Enterprise-class defence. Internet enterprises defend against DDoS attacks mainly with basic defence means, with the focus on monitoring, organisation and process management.
16. Introduction to defence strategy: turn on baseline learning and profile learning to obtain a business traffic model, then configure the appropriate defence strategy based on the type of business.
17. Routing policy and policy routing explained. A routing policy is based on a number of rules: it uses a policy to change the rules that affect route advertisement, route reception or routing parameters, thereby changing the results of route discovery and ultimately the contents of the routing table. It is a function of route discovery.
Policy routing leaves the current optimal route in place but uses other forwarding paths for certain special hosts (or applications, protocols), which then do not use the forwarding path in the current routing table. It takes effect when a packet is forwarded and does not change anything in the routing table. Because forwarding sits at the bottom and routing above it, forwarding has a higher priority than routing. There are two kinds and levels of tables in a router: the routing table and the forwarding table. The forwarding table is mapped from the routing table; policy routing acts directly on the forwarding table, while a routing policy acts directly on the routing table.
Diversion mode: when the detection device detects abnormal traffic for a protected object, it diverts the traffic to the cleaning device.
Defence mode: the protection mode the cleaning device enters after abnormal traffic is detected.
Dynamic blacklist mode: during the defence process, illegal source IPs detected by the cleaning device are added to a dynamic blacklist.
Cleaning bandwidth: limits the traffic entering the protected object's defences to the threshold; messages that exceed the threshold are discarded directly.
Single-IP rate limiting: limits the traffic to any single address in the protected object to the threshold; messages that exceed the threshold are discarded directly.
Malicious traffic filtering: triggers message filtering when the corresponding security policy is turned on (zombie crawlers, malicious domain names, web injection, DoS attack tools).
Cloud Shield popular science: a run-through of network attack terminology