How to defend against DDoS attacks on data centers

Source: Internet
Author: User
Tags: how to defend against ddos, nss labs, firewall

Arbor Networks' Darren Anstee describes the growing range of distributed denial of service (DDoS) threats and suggests how data center managers should go about building a multi-level defense against them.

The firewall is losing its effectiveness. That is the conclusion of a recent survey by NSS Labs, an independent security testing agency. Of six firewall products subjected to stability testing, three failed to perform as expected. The firewalls tested included products from industry giants.

Because firewalls have long been the established foundation for securing the network perimeter, these results are particularly alarming for data center managers: the threat to service availability they face is more severe and more pervasive than ever before.

For example, Arbor Networks' Global Infrastructure Security Report shows that capacity depletion attacks and application-layer distributed denial of service (DDoS) attacks originating from botnets remain the most significant threats facing network operators.

Increasingly serious DDoS threats

DDoS attacks can be grouped into three categories: capacity depletion attacks (volumetric attacks), which attempt to exhaust forwarding or link capacity; state table exhaustion attacks, which attempt to exhaust the state tables in infrastructure devices and servers; and application-level attacks, which attempt to exhaust application-tier resources. In all three, the attacker's aim is to prevent real users from reaching a particular network, service or application.

Although DDoS attacks have been around for more than a decade, they did not catch the attention of the mainstream media until December 2010, when they took the WikiLeaks website down. Subsequently, people sympathetic to WikiLeaks launched a counterattack against a number of targets, including Mastercard, PayPal, Visa and other well-known institutions.

According to the Global Infrastructure Security Report released by Arbor Networks, capacity depletion DDoS attacks first breached the 100Gbps mark in 2010. In short, DDoS attacks now consume far more resources than before. Perhaps more worryingly, the report also disclosed the increasing frequency and sophistication of application-level DDoS attacks against data centers, and their increasing impact on data center operations.

What impact does this attack have on the data center?

The report presents findings from Internet Data Center (IDC) operators who reported that application-level DDoS attacks resulted in prolonged outages, increased operating expenses (OPEX), customer churn and lost revenue. Most respondents to the Global Infrastructure Security Report (77%) had observed application-level attacks, while nearly half (49%) had experienced a firewall or intrusion prevention system (IPS) failure caused by a DDoS attack.

Although IPSs, firewalls and other security products are essential components of a multi-level defense strategy, they do not solve the DDoS problem. Firewalls and IPSs are designed to protect the network perimeter from infiltration and compromise and to serve as policy enforcement points in the enterprise security architecture. They use stateful traffic inspection to enforce network policy and ensure integrity.

Unfortunately, a firewall or IPS can hold only a limited amount of state, and attackers know this: once the resources inside the device are exhausted, the result is dropped traffic, a locked-up device or possibly a crash.

Application-tier DDoS is also a threat to data center operators, because a data center is an environment with many potential targets. Firewalls and IPSs generally do not detect or block application-level DDoS attacks, so alternative solutions are required.
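The three categories introduced above, and the state-table limit just described, can be told apart from sampled flow records at the data center boundary. The following is an added example written for this page, not code from the article, Arbor Networks or NSS Labs: it scores one second of constructed flow records against a per-category threshold. The Flow layout, the 1 Gbps link size, every threshold and every address are assumptions made for the illustration.

```python
"""Sort sampled flow records into the three DDoS categories the article
names: volumetric (link capacity), state-table exhaustion (firewall/IPS
or server connection state) and application-layer (expensive requests).
Added illustration for this page; not code from the article, Arbor
Networks or NSS Labs. Record layout, link size and thresholds are assumed."""
from collections import Counter
from dataclasses import dataclass

LINK_CAPACITY_BPS = 1e9     # assumed: 1 Gbps data-center uplink
VOLUMETRIC_FRACTION = 0.8   # assumed: alert when one window fills 80% of the link
HALF_OPEN_PER_SRC = 100     # assumed: half-open TCP connections one client may hold
STATE_TABLE_BUDGET = 1_000  # assumed: half-open entries the boundary device can track
APP_REQUESTS_PER_SRC = 100  # assumed: application requests per second per client


@dataclass(frozen=True)
class Flow:
    src: str
    dst_port: int
    octets: int
    packets: int
    syn_only: bool   # SYN seen but the handshake never completed
    requests: int    # application requests carried (0 for non-HTTP flows)


def classify(flows, window_seconds: float = 1.0) -> dict:
    """Return which categories are present in the window and who drives them."""
    bps = sum(f.octets for f in flows) * 8 / window_seconds

    # State-table pressure: half-open connections per source and in total.
    half_open = Counter(f.src for f in flows if f.syn_only)
    state_offenders = sorted(s for s, n in half_open.items() if n > HALF_OPEN_PER_SRC)
    budget_exceeded = sum(half_open.values()) > STATE_TABLE_BUDGET

    # Application pressure: request rate per source, regardless of byte volume.
    requests = Counter()
    for f in flows:
        requests[f.src] += f.requests
    app_offenders = sorted(
        s for s, n in requests.items() if n / window_seconds > APP_REQUESTS_PER_SRC
    )

    return {
        "bps": bps,
        "volumetric": bps > LINK_CAPACITY_BPS * VOLUMETRIC_FRACTION,
        "state_exhaustion": state_offenders,
        "state_table_budget_exceeded": budget_exceeded,
        "application": app_offenders,
    }


# Constructed one-second window; none of this is real traffic.
LEGITIMATE = [
    Flow("203.0.113.10", 443, 5_000, 10, False, 3),
    Flow("203.0.113.11", 443, 8_000, 12, False, 2),
    Flow("203.0.113.12", 80, 2_000, 6, False, 1),
]
ATTACK = (
    # 100 spoofed UDP flows of 1.2 MB each: 960 Mbit in one second
    [Flow(f"198.51.100.{i}", 53, 1_200_000, 800, False, 0) for i in range(1, 101)]
    # 300 SYNs from one host that never complete the handshake
    + [Flow("192.0.2.7", 443, 60, 1, True, 0) for _ in range(300)]
    # one client issuing 400 HTTP requests in the second
    + [Flow("192.0.2.99", 443, 200_000, 300, False, 400)]
)
SAMPLE_WINDOW = LEGITIMATE + ATTACK

if __name__ == "__main__":
    for name, window in (("legitimate only", LEGITIMATE), ("with attack", SAMPLE_WINDOW)):
        print(name, classify(window))
```

The three checks are deliberately independent: the SYN flood here is tiny in bytes and the HTTP flood is a single flow, so a purely bandwidth-based monitor would see neither, which is the point the article makes about large ISP-side detection.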

How can you reduce risk?

Multi-level defense is an accepted best practice in the security industry, and the increasingly rampant DDoS threat calls for the same approach. Internet service providers and managed security service providers (ISP/MSSP) must stop capacity depletion attacks and large-scale state table exhaustion attacks, but application-level DDoS attacks typically have to be handled at the edge of the ISP or inside the data center. That is because application-tier DDoS attacks are hard to spot and are often missed by detection solutions deployed to monitor large ISP networks carrying dozens of gigabits or more of traffic.

DDoS detection and mitigation solutions at the data center boundary should provide packet-based detection that gives immediate protection against a wide range of DDoS attacks; however, the ISP/MSSP also needs a cloud solution to block high-bandwidth attacks outside the data center, namely capacity depletion and state table exhaustion attacks, which can saturate the links to upstream ISPs.

Ideally, the two solutions work together through signaling, providing a fully automated multi-level defense against DDoS attacks.

For best results, data center operators must work closely with ISPs to deliver this multi-pronged solution, designing a defense that protects services from DDoS attacks for their customers, whether those customers are enterprises or managed security service providers.
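As an added example of the two-tier arrangement described above (detection and mitigation at the data center boundary, with a signal to the ISP/MSSP cloud for what the boundary cannot absorb), here is a decision routine written for this page. It is not code from the article, Arbor Networks or any provider; the local scrubbing capacity, the three-window sustain rule and the JSON message shape are assumptions made for the illustration.

```python
"""Two-tier DDoS response: mitigate locally what the boundary appliance can
absorb, and signal the upstream ISP/MSSP cloud scrubber for what it cannot.
Added illustration for this page; not code from the article, Arbor Networks
or any provider. Capacities, the sustain rule and the message format are
assumptions."""
import json
from dataclasses import dataclass

LOCAL_SCRUB_BPS = 2e9  # assumed: bandwidth the boundary appliance can absorb
SUSTAIN_WINDOWS = 3    # assumed: overload windows required before asking upstream


@dataclass(frozen=True)
class Observation:
    window: int           # monotonically increasing measurement-window id
    category: str         # "volumetric", "state_exhaustion" or "application"
    bps: float            # observed bits/s toward the target
    target: str           # protected prefix or service (constructed value)
    sources: tuple = ()   # offending sources when attributable


class TieredDefense:
    """Keeps just enough state to avoid flapping between local and upstream mitigation."""

    def __init__(self) -> None:
        self._streak = 0         # consecutive windows above local capacity
        self._escalated = False  # diversion to the cloud scrubber already requested
        self.signals_sent = []   # JSON messages handed to the upstream provider

    def _local(self, action: str, **extra) -> dict:
        # Anything handled locally ends a volumetric episode; a real deployment
        # would withdraw an active diversion gracefully rather than instantly.
        self._streak = 0
        self._escalated = False
        return {"tier": "datacenter", "action": action, **extra}

    def decide(self, obs: Observation) -> dict:
        if obs.category == "application":
            # Application floods are invisible to the ISP's coarse view; act at the boundary.
            return self._local("per-client request rate limit", sources=list(obs.sources))
        if obs.category == "state_exhaustion":
            # Keep half-open connections off the firewall/IPS state table.
            return self._local("SYN cookies and per-source connection cap",
                               sources=list(obs.sources))
        if obs.category != "volumetric":
            raise ValueError(f"unknown category: {obs.category!r}")
        if obs.bps <= LOCAL_SCRUB_BPS:
            return self._local("boundary ACL and rate limit", bps=obs.bps)

        # Above local capacity: the overload must persist before escalating, so a
        # single noisy window does not trigger an upstream diversion.
        self._streak += 1
        if self._escalated:
            return {"tier": "upstream", "action": "diversion already active", "window": obs.window}
        if self._streak < SUSTAIN_WINDOWS:
            return {"tier": "datacenter", "action": "best-effort local scrub",
                    "escalation_pending": True, "streak": self._streak}
        self._escalated = True
        signal = {
            "type": "mitigation_request",
            "target": obs.target,
            "observed_bps": obs.bps,
            "window": obs.window,
            "requested_action": "divert_and_scrub",
        }
        self.signals_sent.append(json.dumps(signal, sort_keys=True))
        return {"tier": "upstream", "action": "signal ISP/MSSP cloud scrubber", "signal": signal}


def run_demo() -> list:
    """Constructed sequence: a 5 Gbit/s flood over four windows, then an HTTP flood."""
    defense = TieredDefense()
    sequence = [Observation(w, "volumetric", 5e9, "203.0.113.0/24") for w in range(1, 5)]
    sequence.append(Observation(5, "application", 4e6, "203.0.113.0/24", ("192.0.2.99",)))
    return [defense.decide(o) for o in sequence]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The sustain rule is the caveat practitioners care about most: an upstream diversion reroutes the whole prefix through the provider's scrubbing center, so the boundary should ask for it only when the overload is clearly beyond what it can handle and clearly persistent, and should ask once per episode rather than once per window.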
