Today I accidentally learned about the traffic cleaning system used to prevent DDoS attacks. The main principle of this system is: when DDoS attack traffic is high, the traffic is redirected to a safe place for cleaning, and then the normal packets are taken back to the target host. The following is an excerpt.
The traffic cleaning service is a network security service provided to government and enterprise customers who rent IDC services; it monitors, alerts on, and defends against DoS/DDoS attacks. The service monitors the data traffic entering the customer's IDC in real time, promptly detects abnormal traffic (including DoS attacks), and cleans that abnormal traffic without affecting normal services. This effectively satisfies customers' requirements for continuity of IDC operations. At the same time, the service improves the customer's visibility into network traffic and security status through timely notifications, analysis reports, and other services.
The attack detection system detects illegal attack traffic hidden in the network traffic. Once an attack is detected, it promptly raises an alert and activates the protection device to clean the traffic. The attack mitigation system uses a professional traffic purification product: suspicious traffic is redirected from its original network path to the purification product, where malicious traffic is identified and stripped, and the remaining legitimate traffic is reinjected into the original network and forwarded to the target system; the forwarding paths of all other valid traffic are not affected. The monitoring and management system centrally manages and configures the traffic cleaning system's devices, displays real-time traffic, alarm events, and status information, and produces traffic analysis reports and attack protection reports in a timely manner.
The detection equipment and protection equipment are deployed in bypass mode at the IDC egress, and the customer's traffic is steered to the cleaning device by routing to implement DDoS protection.
[Image: http://cu.idcun.com/article/kj/pic/z10b.jpg]
The anti-DDoS product (abnormal traffic management system) consists of three modules: Detector, Guard, and Manager. The Detector module performs real-time correlation analysis of traffic on different network nodes; after it locates the source of abnormal traffic, it notifies the Guard module to redirect and filter that traffic. The Manager manages and audits all Detector and Guard devices in the network in a unified way. Working together, the three modules perform network-wide traffic analysis, abnormal traffic redirection, DDoS attack filtering, P2P identification and control, and bandwidth limiting of abnormal traffic. This helps users understand network operating conditions in real time, detect network problems promptly, and respond automatically to abnormal behaviour, so that the damage caused by abnormal traffic is eliminated quickly.
◆ Detector: consists of one or more hardware collectors (agents) and one central server. It uses distributed processing to collect network traffic data, analyse traffic, and redirect abnormal traffic. The Detector can be used as the abnormal traffic detection module of the abnormal traffic management system or on its own.
◆ Guard: uses a high-performance hardware platform to perform DDoS attack filtering, P2P identification and control, and rate limiting of abnormal traffic. The Guard can be used as the abnormal traffic cleaning module of the abnormal traffic management system or on its own.
◆ Manager: a complete management centre that centrally manages, monitors, and audits all Detector and Guard devices on the network, giving users more timely, simpler, and more comprehensive management of network emergencies and abnormal traffic.
The operating principle of the system is as follows:
1. Attack detection: the Detector collects traffic data (for example NetFlow) to detect abnormal traffic and determine whether a suspected DDoS attack exists. If it does, the Detector reports it to the abnormal traffic cleaning device, the Guard.
2. Traffic diversion: a Guard deployed in series (in-line) cleans all traffic that passes through it. A Guard deployed in bypass mode instead announces a dynamic route that pulls the traffic destined for the target IP address to itself for cleaning.
3. Traffic cleaning: the Guard identifies and removes attack traffic using signatures, baselines, reply confirmation (challenge-response), and other methods.
4. Traffic reinjection: after cleaning by the Guard, the normal access traffic is injected back into the original network and delivered to the destination IP address. From the perspective of the protected host, there is no DDoS attack and service returns to normal.
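The four steps above can be modelled end to end in a few functions. The following is an added example and not code from the original post or from any vendor's product: it mimics a Detector that aggregates NetFlow-style records per destination and compares them with a baseline, a Guard that takes only the flagged destination's traffic (the routing-based diversion is simulated by splitting the flow list), a feature-based cleaning rule that drops sources sending SYN-only packets without ever completing a handshake, and reinjection of the cleaned traffic next to the untouched traffic. The flow records, baselines, thresholds and addresses are all constructed for illustration.

```python
"""Toy model of the detect / divert / clean / reinject pipeline (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record: 5-tuple, TCP flags and packet count."""
    src: str
    dst: str
    dport: int
    proto: str
    tcp_flags: str   # "S" = SYN only, "SA", "A", "PA"; "" for non-TCP
    packets: int


# Constructed per-destination baseline: expected packets per export interval.
# A real Detector learns these; an unknown destination here has baseline 0.
BASELINE_PPS = {"203.0.113.10": 2_000, "203.0.113.20": 500}
ANOMALY_FACTOR = 5          # flag a destination when observed > factor * baseline


def detect(flows, baseline=BASELINE_PPS, factor=ANOMALY_FACTOR):
    """Detector step: sum packets per destination, return anomalous destinations."""
    per_dst = defaultdict(int)
    for f in flows:
        per_dst[f.dst] += f.packets
    return {dst for dst, pkts in per_dst.items()
            if pkts > factor * baseline.get(dst, 0)}


def divert(flows, targets):
    """Diversion step. In the real system the Guard announces a more-specific
    route for the target; here only the target's flows are pulled aside, and
    every other flow keeps its original path untouched."""
    diverted = [f for f in flows if f.dst in targets]
    untouched = [f for f in flows if f.dst not in targets]
    return diverted, untouched


def clean(diverted, syn_only_limit=3):
    """Cleaning step (feature based): a source that sends more than
    syn_only_limit SYN-only packets and never sends an ACK/PSH-ACK is treated
    as a SYN flood source and all of its flows are dropped."""
    syn_only = defaultdict(int)
    completed = set()
    for f in diverted:
        if f.proto == "tcp" and f.tcp_flags == "S":
            syn_only[f.src] += f.packets
        elif f.proto == "tcp" and f.tcp_flags in ("A", "PA"):
            completed.add(f.src)
    bad_sources = {s for s, n in syn_only.items()
                   if n > syn_only_limit and s not in completed}
    kept = [f for f in diverted if f.src not in bad_sources]
    dropped = [f for f in diverted if f.src in bad_sources]
    return kept, dropped


def reinject(kept, untouched):
    """Reinjection step: cleaned flows rejoin the untouched flows."""
    return untouched + kept


def run_pipeline(flows):
    """Run all four steps and report what the protected hosts would see."""
    targets = detect(flows)
    diverted, untouched = divert(flows, targets)
    kept, dropped = clean(diverted)
    return {
        "targets": targets,
        "dropped_packets": sum(f.packets for f in dropped),
        "forwarded": reinject(kept, untouched),
    }


# Constructed sample interval: one legitimate client talking to .10, ordinary
# traffic to .20, and 50 spoofed sources each sending 300 SYN-only packets to .10.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", "203.0.113.10", 80, "tcp", "PA", 300),
    Flow("198.51.100.1", "203.0.113.10", 80, "tcp", "A", 200),
    Flow("192.0.2.5", "203.0.113.20", 443, "tcp", "PA", 400),
]
SAMPLE_FLOWS += [Flow(f"192.0.2.{i}", "203.0.113.10", 80, "tcp", "S", 300)
                 for i in range(100, 150)]

if __name__ == "__main__":
    result = run_pipeline(SAMPLE_FLOWS)
    print("anomalous targets:", result["targets"])
    print("packets dropped by guard:", result["dropped_packets"])
    print("flows forwarded to hosts:", len(result["forwarded"]))
```

Note that the traffic to 203.0.113.20 never touches the cleaning logic, which is the property step 2 promises: only the attacked address is diverted, and the forwarding path of every other customer is unchanged. The SYN-only rule is deliberately crude; a production Guard combines it with the baselines and challenge-response ("reply confirmation") methods named in step 3.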
When professional anti-DDoS products are installed, different deployment methods are chosen for different networks so that attacks can be defended against more effectively. At the same time, anti-DDoS products are constantly developing.
Note:
DDoS Defense
1) Use high-performance network devices
First, ensure that the network devices themselves do not become the bottleneck. When selecting routers, switches, hardware firewalls, and other devices, choose products with a good reputation. It also helps to have a special relationship or agreement with the network provider: when a large-scale attack occurs, asking them to rate-limit the traffic at the network access point is a very effective defence against some types of DDoS attack.
2) Guarantee adequate network bandwidth
Network bandwidth directly determines the ability to withstand an attack. With only Mbps of bandwidth, no matter what measures are taken, it is difficult to defend against a current SYN flood attack. At present, at least 1 GB of shared bandwidth should be chosen; best of all is to hang off a 10G trunk.
3) Upgrade the host server hardware
Once network bandwidth is guaranteed, upgrade the hardware configuration as far as possible. To withstand 0.1 million SYN attack packets per second effectively, the server should have at least a dual-core CPU, 4-8 GB of memory, and a high-speed NIC. In short, the server's hardware processing capacity must be strong enough to weather the storm.
4) Make the website static
Serving the website as static pages wherever possible not only greatly improves its resistance to attack but also makes intrusion much harder. If dynamic script calls cannot be avoided, move them to a separate host so that the primary server is not the one under attack. In addition, scripts that require database calls should refuse access through proxies, because experience shows that 80% of website accesses made through a proxy are malicious.
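The last tip, refusing proxied requests to database-backed scripts, is easy to apply in front of any WSGI application. The following is an added example, not code from the original post: it treats a request as proxied when it carries one of the well-known forwarding headers (Via, X-Forwarded-For, Forwarded, X-Real-IP) and returns 403 only for the paths listed as database-backed, so static pages are never affected. The list of protected paths, the stand-in application and the sample requests are constructed.

```python
"""Deny proxied access to database-backed scripts (added example, WSGI)."""

# Headers that a forwarding proxy normally adds; any of them marks the request
# as not coming directly from the client.
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded", "x-real-ip")

# Constructed: paths whose handlers perform database calls.
DB_BACKED_PATHS = ("/search", "/login", "/cart")


def is_proxied(headers):
    """True if any well-known proxy header is present (header names are
    case-insensitive, so compare in lower case)."""
    lowered = {k.lower() for k in headers}
    return any(h in lowered for h in PROXY_HEADERS)


def should_deny(path, headers, db_paths=DB_BACKED_PATHS):
    """The post's rule: proxied requests to database-backed scripts are refused;
    static pages and direct requests always pass."""
    return path in db_paths and is_proxied(headers)


def hello_app(environ, start_response):
    """Stand-in for the real application (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def deny_proxied_db_access(app):
    """WSGI middleware that applies should_deny() before calling the app."""
    def middleware(environ, start_response):
        # WSGI exposes request headers as HTTP_* keys, e.g. HTTP_X_FORWARDED_FOR.
        headers = {k[5:].replace("_", "-"): v
                   for k, v in environ.items() if k.startswith("HTTP_")}
        if should_deny(environ.get("PATH_INFO", ""), headers):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"proxied access to this script is refused\n"]
        return app(environ, start_response)
    return middleware


def status_for(path, headers):
    """Run one constructed request through the middleware and return the
    status line the client would receive."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    environ.update({"HTTP_" + k.upper().replace("-", "_"): v
                    for k, v in headers.items()})
    seen = []
    app = deny_proxied_db_access(hello_app)
    b"".join(app(environ, lambda status, hdrs: seen.append(status)))
    return seen[0]


if __name__ == "__main__":
    print(status_for("/search", {"Via": "1.1 proxy.example"}))        # proxied + DB path
    print(status_for("/search", {}))                                  # direct request
    print(status_for("/index.html", {"X-Forwarded-For": "198.51.100.7"}))  # static page
```

One caveat before deploying this rule: if the site itself sits behind a CDN or a reverse proxy, every request arrives with X-Forwarded-For set by that hop, and the middleware would refuse all of them. In that layout the check must run at the edge device, or the middleware must ignore the headers added by the site's own trusted hop and look only at what lies beyond it.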