The emergence of distributed denial-of-service (DDoS) attacks has been a disaster for online enterprises, and above all for the networks of telecom operators; protecting against them effectively has always been a hard problem in network operations.
DDoS has always been a headache: it is an attack method that is difficult to defend against with traditional means, and its target is not only the server but also the bandwidth itself. Like a traffic jam, DDoS has become a nuisance of the network.
Traditional protection: powerless
The common ways of preventing DDoS attacks are the black-hole method, setting up routing access control list (ACL) filtering, and placing firewall security equipment in-line.
Black-hole method: when a server is under attack, access control is configured in the network so that all traffic to it is sent into a black hole and discarded. Over time this approach shuts out all of the attack traffic and ensures that the backbone of the network is not affected, but it also shuts the normal traffic out of the door, so the server can no longer provide service to the outside and contact with its users is interrupted.
Routing access control list filtering: this method is not deployed by the enterprise user but is configured on the backbone network by telecom and other service providers, deployed on their routers. There are currently two ways to deploy it on a router: one is the ACL, as an access control list, and the other is rate-limiting the data. Both can be classed as ACLs, and their biggest problem is that when the attack comes from the Internet it is very hard to build a source-oriented access list, because the source addresses are arbitrary and cannot be accurately pinned down; the only thing that can be done is a destination-oriented ACL that places the server under access control and throws away every packet requesting a connection to it, so the users' service is greatly affected. A further drawback is that setting up such access control lists on the telecom backbone makes the management of access control very difficult. The approach is also severely limited in that it cannot recognise forged traffic or attacks against the application layer.
In-line firewall security equipment: another way of dealing with DDoS attacks is to place firewalls in series. For an operator backbone whose traffic has reached dozens of gigabits, the capability and technical level of firewalls are limited: firewall equipment rated at a few gigabits is easily overloaded so that the network cannot operate normally, and with the DDoS protection function enabled the firewall's throughput is lower still, so even the "top master" among firewalls is powerless to take on this task. In addition, this method cannot protect the upstream devices, lacks scalability, and gives no effective protection of user-facing resources.
The solution lies in "intelligence"
It is not hard to see from the above analysis that the traditional methods of dealing with DDoS are inefficient and have problems that cannot be overcome. An intelligent DDoS protection system is composed of a detector and a protective device (the guard). It has the advantages of convenient operation and simple deployment, needs no change to the original structure of the network, implements dynamic protection, and so solves the DDoS protection problem at its root.
The protective device is connected to the backbone network in parallel and has no effect on the network structure. When malicious traffic attacks the network, the detector sends an alarm to the guard, so that the DDoS guard learns which server in the network is being attacked, what the attack is aimed at, and the addresses it comes from. The guard then starts working: it notifies the router that all traffic to these addresses is to be sent to the guard, temporarily takes over that data traffic in the network, and analyses and verifies it; all illegal malicious traffic is intercepted and discarded here, while normal traffic and data continue on to their destination.
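As an added illustration of the contrast the article draws (this is not code from the original article or from any vendor's product), the following Python model implements the detector and guard described in the last paragraph and compares them with the black-hole and destination-ACL methods from the earlier section. The flow records, addresses (documentation ranges), baseline rates and thresholds are all constructed for this example; the per-source rate check is a simplified stand-in for the guard's verification logic, and the router diversion itself is not modelled.

```python
from collections import defaultdict

# Constructed sample of per-flow statistics, in the shape a detector might
# receive from router flow export: (source, destination, packets per second).
# The addresses are documentation ranges and the rates are invented.
SAMPLE_FLOWS = [
    ("198.51.100.10", "203.0.113.5", 200),     # normal client of the web server
    ("198.51.100.11", "203.0.113.5", 150),     # normal client
    ("192.0.2.1",     "203.0.113.5", 40000),   # flood source
    ("192.0.2.2",     "203.0.113.5", 35000),   # flood source
    ("192.0.2.3",     "203.0.113.5", 30000),   # flood source
    ("198.51.100.20", "203.0.113.9", 300),     # client of an unrelated server
]

# Constructed normal per-destination rates the detector learned earlier.
BASELINE_PPS = {"203.0.113.5": 400, "203.0.113.9": 300}

# Known-good sources, used only to measure how much legitimate traffic survives.
LEGIT_SOURCES = {"198.51.100.10", "198.51.100.11", "198.51.100.20"}


def detect(flows, baseline_pps, factor=10):
    """Detector: sum traffic per destination and flag every destination whose
    total exceeds `factor` times its baseline.  Returns the attacked addresses."""
    per_dst = defaultdict(int)
    for _src, dst, pps in flows:
        per_dst[dst] += pps
    return {dst for dst, total in per_dst.items()
            if total > baseline_pps.get(dst, 0) * factor}


def blackhole(flows, targets):
    """Black-hole / destination ACL: every packet addressed to an attacked host
    is dropped, legitimate or not.  Returns the flows that are still forwarded."""
    return [f for f in flows if f[1] not in targets]


def scrub(flows, targets, per_source_limit):
    """Guard: traffic to attacked hosts is diverted here; sources sending more
    than `per_source_limit` pps are treated as illegal and discarded, everything
    else continues to its destination.  Traffic to other hosts is untouched."""
    forwarded = []
    for src, dst, pps in flows:
        if dst in targets and pps > per_source_limit:
            continue  # illegal traffic intercepted and dropped at the guard
        forwarded.append((src, dst, pps))
    return forwarded


def legitimate_delivered(forwarded, legit_sources):
    """Packets per second from known-good sources that actually get through."""
    return sum(pps for src, _dst, pps in forwarded if src in legit_sources)


def compare(flows=SAMPLE_FLOWS, per_source_limit=1000):
    """Run detection, then measure legitimate traffic surviving each method."""
    targets = detect(flows, BASELINE_PPS)
    return {
        "targets": sorted(targets),
        "blackhole": legitimate_delivered(blackhole(flows, targets), LEGIT_SOURCES),
        "guard": legitimate_delivered(scrub(flows, targets, per_source_limit), LEGIT_SOURCES),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Running the block shows the point the article makes: the black hole protects the backbone but delivers none of the attacked server's legitimate traffic, while the guard drops the flood sources and lets the normal clients through.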