Introduction to major anti-DoS devices in China

Source: Internet
Author: User
Green Alliance Black Hole: x86 architecture, Linux kernel and a proprietary anti-SYN-flood algorithm. It works well against a single attack type (SYN, UDP or ICMP flood) but is somewhat weaker when several types are mixed. Its advantages are fast updates and good technical support; against SYN floods it has a clear edge at 100 Mbit/s-class link rates. Its disadvantages are a lack of documentation and reference material, and the product (both software and hardware) is not very stable.
Assessment: suited to emergency response.
Radware FireProof: ASIC/NP architecture with SynApps technology; the core is a signature-based layer 4-7 filtering algorithm, supplemented by SYN-cache technology. Its advantage is a good effect and high efficiency against single-type denial-of-service attacks. Its disadvantage is that the current design leaves the system little flexibility: when an unusual variant attack appears, it may be powerless.
Assessment: an enterprise that already planned to buy Radware equipment for regular use may consider buying the FireProof module as a backup.
F5 BIG-IP: x86 architecture on a FreeBSD-based kernel, using SYN-cache technology with a threshold-triggered random-discard algorithm, plus ICMP (and possibly UDP?) handling, so it can mitigate SYN-type denial-of-service attacks to a certain degree. The actual effect is acceptable.
Not a dedicated anti-denial-of-service product; treat its DoS resistance as an added-value feature of the server load balancer.
Skynet Firewall: originally an OpenBSD kernel on x86; now it should be a Linux kernel. An anti-SYN-flood function was added long ago, presumably an improved or enhanced version of SYN cache/SYN cookies. In actual testing, its limit against a flood of 64-byte SYN packets is about 25 Mbit/s; below 20 Mbit/s the protection is still visible. Combined with good firewall policy, it should also be able to impose limits on UDP, ICMP and other types.
Assessment: firewalls are better left to their own specialty (access control). Of course, for production enterprises whose business does not depend heavily on the network, buying a firewall with a simple anti-SYN function is also a fine choice.
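The SYN-cache/SYN-cookie mechanism the entries above keep referring to is easier to reason about in code. The following is an added example written for this article, not code from any product it mentions: a server encodes the half-open connection into its own initial sequence number (Bernstein's 5-bit counter / 3-bit MSS index / 24-bit MAC layout) and stores nothing until the client's ACK returns a cookie that verifies. The secret, the MSS table, the tick length and all addresses are assumptions chosen for illustration.

```python
"""Stateless SYN-cookie handshake (added example, not code from any product on this page)."""
import hashlib
import hmac
import socket
import struct

SECRET = b"per-host secret, rotate it"          # assumption: a host-local, rotated secret
MSS_TABLE = (536, 1220, 1440, 1460)              # assumption: the 4 MSS classes we can encode
TICK_SECONDS = 64                                # counter granularity; a cookie survives one tick boundary
COUNTER_BITS, MSS_BITS, HASH_BITS = 5, 3, 24     # 5 + 3 + 24 = one 32-bit sequence number
COUNTER_MASK = (1 << COUNTER_BITS) - 1
MSS_MASK = (1 << MSS_BITS) - 1
HASH_MASK = (1 << HASH_BITS) - 1


def _flow_mac(saddr, daddr, sport, dport, client_isn, count, mss_idx):
    """24-bit keyed MAC binding the 4-tuple, the client's ISN, the counter and the MSS class."""
    msg = struct.pack("!4s4sHHIIB", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, client_isn, count, mss_idx)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_cookie(saddr, daddr, sport, dport, client_isn, peer_mss, now):
    """Server ISN to put in the SYN-ACK. Nothing is stored: everything needed to validate the
    final ACK is either in the ACK itself or re-derivable from the secret and the clock."""
    count = int(now) // TICK_SECONDS
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= peer_mss]
    mss_idx = fits[-1] if fits else 0            # largest encodable MSS not above the peer's
    return ((count & COUNTER_MASK) << (MSS_BITS + HASH_BITS)
            | mss_idx << HASH_BITS
            | _flow_mac(saddr, daddr, sport, dport, client_isn, count, mss_idx))


def check_cookie(saddr, daddr, sport, dport, client_seq, ack_number, now):
    """Validate the third-handshake ACK. client_seq is the ACK's sequence number (client ISN + 1),
    ack_number its acknowledgement number (our cookie + 1). Returns the MSS to use, or None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    client_isn = (client_seq - 1) & 0xFFFFFFFF
    count_bits = cookie >> (MSS_BITS + HASH_BITS)
    mss_idx = (cookie >> HASH_BITS) & MSS_MASK
    if mss_idx >= len(MSS_TABLE):
        return None
    cur = int(now) // TICK_SECONDS
    for cand in (cur, cur - 1):                  # accept this tick and the previous one only
        if (cand & COUNTER_MASK) != count_bits:
            continue
        if _flow_mac(saddr, daddr, sport, dport, client_isn, cand, mss_idx) == (cookie & HASH_MASK):
            return MSS_TABLE[mss_idx]
    return None


def demo(now=1_700_000_000):
    """Constructed handshake scenarios; addresses and ports are made up for the example."""
    server, client = "192.0.2.10", "198.51.100.7"
    sport, dport, client_isn = 40000, 80, 0x1234ABCD
    cookie = make_cookie(client, server, sport, dport, client_isn, 1460, now)
    small = make_cookie(client, server, sport, dport + 1, client_isn, 1000, now)
    return {
        # genuine ACK: sequence = client ISN + 1, ack = cookie + 1
        "legit": check_cookie(client, server, sport, dport, client_isn + 1, cookie + 1, now),
        # the ACK arrives after the counter ticked once: still valid
        "across_tick": check_cookie(client, server, sport, dport, client_isn + 1, cookie + 1,
                                    now + TICK_SECONDS),
        # two ticks later the cookie is stale and rejected
        "stale": check_cookie(client, server, sport, dport, client_isn + 1, cookie + 1,
                              now + 2 * TICK_SECONDS),
        # an attacker guessing ack numbers has to hit 24 MAC bits plus the counter
        "forged_ack": check_cookie(client, server, sport, dport, client_isn + 1, 0xDEADBEEF + 1, now),
        # a valid cookie replayed from another source address does not verify
        "replayed_from_other_host": check_cookie("203.0.113.99", server, sport, dport,
                                                 client_isn + 1, cookie + 1, now),
        # a peer advertising MSS 1000 is rounded down to the encodable 536
        "small_mss": check_cookie(client, server, sport, dport + 1, client_isn + 1, small + 1, now),
    }


if __name__ == "__main__":
    print(demo())
```

The price of statelessness is visible in the code: only an MSS class survives the round trip, so TCP options such as window scaling and SACK are lost unless they are smuggled through another field (Linux uses the TCP timestamp for that when the peer sends one), and a 24-bit MAC is cheap to verify but far from a cryptographic guarantee. That is why the devices above typically switch cookies on only when the SYN queue is under pressure rather than running them permanently.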
Tianyuan Longma: I have never used their anti-DoS products, but I do not have a good impression of their firewall products, whose functions are too simple.
Others: many firewall products claim to have anti-DoS functions as well, the most famous being NetScreen and Nokia/Check Point. Test results:
NetScreen 500 (ASIC architecture), 64-byte SYN packets: with the SYN protection switch enabled, at about 18 Mbit/s of attack traffic system resource usage reaches 99% and the network can no longer be reached. The preliminary estimate of the NetScreen 500's SYN resistance limit is 20 Mbit/s. (Results of multiple tests at multiple sites.)
Nokia i740 (NP architecture; the low-end and early models below the 340 are actually x86, running IPSO, which is BSD-based), 64-byte SYN packets with automatic SYN protection: the result is miserable. At just over 10 Mbit/s of attack traffic, 99% of system resources are consumed, the network cannot be reached, and the management interface also stops responding. However, after a sustained attack the system does recover once the attack stops, which shows that it is still stable (the same holds for NetScreen; both vendors' products are also stable during normal working hours).
As one would expect, the anti-denial-of-service performance of Nokia and NetScreen is nothing to boast about.
I have not yet come across the products of Arbor and Riverhead; those who are familiar with them, please share.
Other measures include syncookies/SYN cache in Linux/BSD; network buffer queue and network parameter tuning on AIX/NT; layer 4-7 switch processing at the network level, such as using a CSS 11000 for load balancing or deep filtering; and traffic rate limiting on network devices and at network entry and exit points. These methods can mitigate the threat of denial-of-service attacks to a certain degree, but they are not a fundamental solution; weigh them against your own situation. Perhaps when technologies such as IP traceback and NetFlow are more widely deployed the situation will improve, but that is still a distant hope.
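Rate limiting on network devices, the last of the measures just listed, is worth seeing against a concrete trace because it shows exactly why the text calls it a mitigation rather than a solution. The following is an added example written for this article (not the configuration of any device it mentions): a per-source token bucket in front of an aggregate token bucket, run over a constructed SYN trace with three phases: ten legitimate clients, a flood from one real address, and a flood from spoofed, all-different addresses. The rates, bursts, table cap and addresses are assumptions chosen for illustration; time is kept in integer milliseconds so the counts are exact.

```python
"""Per-source and aggregate SYN rate limiting over a constructed trace (added example)."""
from collections import Counter


class TokenBucket:
    """Token bucket kept in integer millitokens. rate is tokens per second (which equals
    millitokens per millisecond); burst is the bucket capacity; timestamps are milliseconds."""

    def __init__(self, rate, burst, now_ms):
        self.rate = rate
        self.cap_m = burst * 1000
        self.tokens_m = self.cap_m
        self.last_ms = now_ms

    def allow(self, now_ms):
        self.tokens_m = min(self.cap_m, self.tokens_m + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens_m >= 1000:
            self.tokens_m -= 1000
            return True
        return False


class SynLimiter:
    """Two-stage SYN admission: a bucket per source address, then one aggregate bucket.
    The per-source table is capped because a spoofed flood would otherwise grow it without
    bound; once the cap is hit, unknown sources are judged by the aggregate bucket alone.
    (A real implementation would also age entries out; omitted here.)"""

    def __init__(self, src_rate, src_burst, total_rate, total_burst, max_sources, now_ms=0):
        self.src_rate, self.src_burst = src_rate, src_burst
        self.max_sources = max_sources
        self.per_src = {}
        self.total = TokenBucket(total_rate, total_burst, now_ms)

    def admit(self, src, now_ms):
        bucket = self.per_src.get(src)
        if bucket is None and len(self.per_src) < self.max_sources:
            bucket = self.per_src[src] = TokenBucket(self.src_rate, self.src_burst, now_ms)
        if bucket is not None and not bucket.allow(now_ms):
            return "drop:per-source"
        if not self.total.allow(now_ms):
            return "drop:aggregate"
        return "pass"


def build_trace():
    """Constructed SYN trace as (time_ms, source, phase). Addresses are documentation ranges."""
    trace = []
    for k in range(20):                                  # (a) 10 clients, one SYN each per 500 ms
        for c in range(10):
            trace.append((k * 500, f"192.0.2.{c + 1}", "legit"))
    for i in range(1000):                                # (b) one real source, 1000 SYNs in 1 s
        trace.append((100_000 + i, "203.0.113.9", "fixed-flood"))
    for i in range(1000):                                # (c) 1000 spoofed sources, 1000 SYNs in 1 s
        trace.append((200_000 + i, f"10.0.{i // 256}.{i % 256}", "spoofed-flood"))
    return trace


def run(trace, limiter):
    """Count verdicts per phase."""
    results = {}
    for now_ms, src, phase in trace:
        results.setdefault(phase, Counter())[limiter.admit(src, now_ms)] += 1
    return results


def demo():
    # assumptions: 5 SYN/s with burst 10 per source; 100 SYN/s with burst 200 in total
    limiter = SynLimiter(src_rate=5, src_burst=10, total_rate=100, total_burst=200, max_sources=4096)
    return run(build_trace(), limiter)


if __name__ == "__main__":
    for phase, verdicts in demo().items():
        print(phase, dict(verdicts))
```

The three phases tell the whole story. Legitimate clients pass untouched. The single-address flood is cut from 1000 SYNs to 14 by its own bucket. The spoofed flood sails through the per-source stage, because every packet looks like a new client, and only the aggregate bucket stops it, passing 299 of 1000; during that second the aggregate bucket would drop genuine clients just as readily, which is the "mitigate but not cure" the paragraph above describes. Source spoofing is also why ingress filtering and the IP traceback the text hopes for matter more than any single box.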
Finally, denial of service is a troublesome and hard problem. Because it is so complex, it may occur at the link layer, the network layer or the application layer, yet no one can avoid it. As a product of the network's moral or cultural sphere, it is hard to cure at the technical level alone. When selecting countermeasures, keep three 80/20 rules in mind:
1. 80% normal time, 20% under attack. Of course the duration determines the loss; weigh your loss against the cost required to avoid it.
2. 80% common attacks, 20% special attacks. No device handles every attack, so how to deal with failure in the special cases, and how to judge your input-output ratio by this rule, is also an important question.
3. 80% normal working time, 20% device failure time. When a device fails it may be a software, hardware, logic or RP problem. For example, I bought two professional anti-denial-of-service products from a vendor; they performed normally during testing and acceptance, but when I was attacked one day and brought the products online, one failed to start at the hardware level and the other had no protection against that attack at all! What should I do in this situation? Admit my dereliction of duty to the leaders, or wait for the manufacturers to work out their solutions? I'm afraid it is hard to solve.
Those are the three principles. Perhaps the probabilities are not the 80/20 estimated here, but even if the probability is only 1% we need to magnify it a hundredfold: for that 1% of incidents we still have to worry whether our investment will be wasted because the countermeasure itself fails during that 1% of the time.
Advanced technology may not solve the problem; appropriate technology is what we need.