Large-volume DDoS attack protection solution

Source: Internet
Author: User


With the growth of Internet bandwidth, DDoS attack traffic keeps growing, and volumetric attacks measured in hundreds of Gbit/s have become common. Attacked customers usually cannot cope with traffic of that size on their own. A telecom operator can raise its anti-DDoS capability by deploying high-performance cleaning devices on the backbone network, but that is not the best strategy. By using mainstream anti-DDoS devices in both near-source and near-service-host cleaning modes, a network-wide, two-way, collaborative traffic cleaning solution can effectively defend against Tbit/s (or larger) attacks while improving return on investment and protection efficiency.

Introduction

With the proliferation of DDoS attack tools and the growth of the underground black market, more and more DDoS attacks are profit-driven. At the same time, with the "Broadband China" strategy, the access bandwidth of home and mobile users has reached the Mbit/s range, so the number and volume of large DDoS attacks keep rising. A few years ago an enterprise typically faced about 1 Gbit/s of DDoS attack traffic; now some attacks reach 300 Gbit/s or 500 Gbit/s, and even the Tbit/s level (1 Tbit/s = 1000 Gbit/s). Facing such attacks, an enterprise with only a 10 Gbit/s access link has no choice but to turn to its telecom operator, yet the operator itself finds it hard to cope with them effectively: the DDoS attack against Spamhaus abroad, for example, strained even CloudFlare, which was defending Spamhaus. How can such large-volume DDoS attacks be countered economically and effectively, and how can future Tbit/s-level attacks be defended against? This paper first analyzes the current solutions and their shortcomings, then proposes a two-way abnormal traffic cleaning solution, discusses its design and implementation, and gives a brief example to illustrate a feasible deployment scheme and the protection process.

1. Current DDoS attack threats

There are many types of DDoS attack: volumetric attacks (SYN Flood, UDP Flood, ICMP Flood, ACK Flood), application-layer attacks (HTTP GET Flood, connection exhaustion, CC), slow attacks, and vulnerability-based attacks. The hardest to handle are distributed amplification attacks: from the target's point of view every packet is normal, but the volume is massive and can reach 300 Gbit/s to 2 Tbit/s, and as broadband spreads such attacks become more and more likely. Enterprise servers are usually hosted in a telecom operator's IDC and reach the Internet over rented 100 Mbit/s, 1 Gbit/s or 10 Gbit/s links; the operator's own service systems likewise usually use 100 Mbit/s or 1 Gbit/s Internet links. In short, against DDoS attacks of hundreds of Gbit/s the user's access bandwidth is negligible. A large-volume DDoS attack therefore threatens and costs the customer or operator in several ways:
(1) all link bandwidth is consumed and service is interrupted (even if large bandwidth has been purchased);
(2) the attack traffic exceeds the processing capacity of network devices, interrupting or delaying service;
(3) the network's available bandwidth drops sharply, service levels fall, and the operator is forced to invest heavily in capacity expansion;
(4) service capability declines or is interrupted, causing loss of users and direct economic losses;
(5) corporate reputation and brand are damaged.

2. Existing abnormal traffic cleaning solutions and their shortcomings

2.1 Traditional abnormal traffic cleaning solution and its shortcomings

DDoS attacks target the customer's service servers, which are usually located in the operator's IDC or on the enterprise's own network. Traditional abnormal traffic cleaning equipment is deployed near the service host. Depending on who builds it, there are usually two variants, as shown in Figure 1:




Figure 1 traditional abnormal traffic cleaning solution

Implementation principle: the solution generally consists of abnormal traffic detection devices and abnormal traffic cleaning devices.
(1) When the detection device detects a DDoS attack, it automatically notifies the cleaning device.
(2) The cleaning device uses BGP, OSPF or another routing protocol to redirect all traffic destined for the attacked host to itself for cleaning.
(3) The cleaned traffic is reinjected into the original network and steered to the correct downstream egress by policy-based routing or an MPLS LSP (if it were simply handed back to the routing table it would match the diversion route again and loop back to the cleaning device), so that it reaches the target server normally.
(4) When the detection device detects that the attack has stopped, it notifies the cleaning device, which withdraws the redirection, and the network returns to normal.
Features: (1) automatic detection and cleaning of abnormal traffic; (2) cleaning close to the service host, with good protection effect; (3) high ROI.

Shortcomings: (1) the cleaning capacity of a cleaning device is generally 20 Gbit/s or 40 Gbit/s and below (the higher figure requires a cluster of cleaning devices), so attacks that exceed it still interrupt or degrade service; (2) even when the attack traffic is below 20 Gbit/s, it occupies a large share of the access bandwidth, so service level and user experience still degrade; (3) it cannot defend against DDoS attacks from inside the network (bottom-up traffic is outside the cleaning device's protection scope).
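The redirection and reinjection mechanism of the implementation principle above, as an added example that is not part of the original article: a small Python simulation of an egress router's forwarding table. The cleaning device announces a /32 host route for the attacked server, which wins by longest-prefix match and pulls only that host's traffic in; cleaned traffic handed straight back to the same forwarding table would match the /32 again and loop, which is why reinjection needs policy-based routing (or an MPLS LSP) keyed on where the traffic comes from. All addresses, interface names and next-hop names are constructed for the illustration.

```python
"""Diversion of attack traffic to a cleaning device, and reinjection, simulated.

Added example, not code from the article. Addresses, interface names and
next-hop names are constructed.
"""
import ipaddress


class EgressRouter:
    """A router with a plain FIB plus a policy-based-routing (PBR) table.

    PBR rules are keyed by ingress interface and are consulted before the FIB;
    that is how reinjected traffic bypasses the /32 diversion route.
    """

    def __init__(self):
        self.fib = {}   # ip_network -> next-hop name
        self.pbr = {}   # ingress interface name -> next-hop name

    def add_route(self, prefix, next_hop):
        self.fib[ipaddress.ip_network(prefix)] = next_hop

    def withdraw_route(self, prefix):
        self.fib.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, dst):
        """Longest-prefix match, as a FIB does; None if nothing matches."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.fib.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None

    def forward(self, dst, ingress_if):
        """PBR first (keyed on the ingress interface), then the FIB."""
        if ingress_if in self.pbr:
            return self.pbr[ingress_if]
        return self.lookup(dst)


def trace(router, dst, first_ingress, max_hops=8):
    """Follow one packet through the router until it leaves toward a next hop
    other than the cleaner. The cleaner is modelled as returning every packet
    to the router on the constructed interface 'from-cleaner'.
    Returns (list of next hops taken, looped?)."""
    hops, ingress = [], first_ingress
    for _ in range(max_hops):
        nh = router.forward(dst, ingress)
        hops.append(nh)
        if nh != "cleaner":
            return hops, False
        ingress = "from-cleaner"
    return hops, True


def build_router(with_pbr):
    """Egress router in front of an IDC block, with the diversion route
    the cleaning device announces via BGP for the attacked server."""
    r = EgressRouter()
    r.add_route("0.0.0.0/0", "upstream")
    r.add_route("203.0.113.0/24", "access-router")   # IDC block, normal path
    r.add_route("203.0.113.10/32", "cleaner")        # diversion for the victim
    if with_pbr:
        # Reinjection rule: anything coming back from the cleaner goes to the
        # access router regardless of the FIB, so the /32 is never matched twice.
        r.pbr["from-cleaner"] = "access-router"
    return r


if __name__ == "__main__":
    print("without PBR:", trace(build_router(False), "203.0.113.10", "uplink"))
    print("with PBR:   ", trace(build_router(True), "203.0.113.10", "uplink"))
```

The same model shows why the /32 is preferred over, say, re-announcing the whole /24: other hosts in the block keep their normal path, and withdrawing the single host route in step (4) restores the original forwarding without touching the rest of the table.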

2.2 High-performance abnormal traffic cleaning solution and its shortcomings

The biggest shortcoming of the traditional solution is insufficient cleaning capacity, so the obvious first step is to raise it. Because the access link bandwidth of the service server and the processing capacity of the access router are limited, the cleaning system has to be moved up the network: cleaning devices are usually deployed at the provincial egress router (they could also be deployed at metropolitan area network routers, but that gives the same protection with more devices and a higher investment).

Its composition and deployment are shown in the figure:


The implementation principle is the same as that of the traditional solution; its characteristics and shortcomings are as follows.
Features: (1) cleaning is still done close to the service host; (2) high-performance cleaning devices or clusters can effectively defend against DDoS attacks above 40 Gbit/s, up to the cluster's capacity; (3) a unified security management platform provides unified management of devices and security policies.

Shortcomings: (1) DDoS attacks whose traffic exceeds the cluster's capacity (the hundreds-of-Gbit/s scale) still cannot be handled; (2) DDoS attacks from inside the metropolitan area network (bottom-up, outside the cleaning devices' protection scope) cannot be blocked; (3) large amounts of useless attack traffic cross the operator's backbone, wasting backbone bandwidth and device capacity and lowering the network's service level; (4) the protection equipment is expensive and the solution's cost-effectiveness is poor.

3. Large-volume DDoS attack cleaning solution

3.1 Design ideas

Judging from the trend, DDoS attack traffic will keep growing. If only near-service-host cleaning is used, even higher-capacity devices cannot keep pace with the growth of attack traffic or meet protection requirements. Near-source cleaning instead distributes cleaning devices close to the attack sources; each device cleans only part of the attack traffic, but together they provide very large and very elastic cleaning capacity, enough for today's needs and for larger attacks in the future.

Abnormal traffic cleaning requires the combination of detection and cleaning. If only near-source cleaning were used, the attack traffic seen at each point would be small and the alarm threshold would have to be low, which leads to false positives and false negatives. Our overall design philosophy is therefore:
(1) Separate detection from cleaning. For sensitivity and economy, deploy detection devices as close to the service host as possible, or detect on the core network; deploy cleaning devices as close to the attack source as possible.
(2) Combine near-source and near-service-host cleaning. Deploying cleaning devices near the sources greatly raises cleaning capacity and elasticity and lowers cost. However, each near-source cleaning point may let part of the attack traffic through, for example traffic below the threshold at which cleaning is triggered, and that traffic aggregates at the service host into a DDoS attack; cleaning devices near the service host are therefore still needed to handle it.
(3) Two-way abnormal traffic cleaning. A network access point or service host may be the target of an external DDoS attack, may itself emit DDoS attack traffic, or both at the same time, so traffic must be cleaned in both directions.
(4) Unified management and collaboration. For a given large-volume DDoS attack, once a device detects it, the corresponding cleaning devices must be mobilized as needed and clean according to a unified policy; all cleaning devices must therefore be managed centrally and operate in coordination.
In addition, to reduce both false positives and false negatives, the data from the abnormal traffic detection devices must be aggregated for screening, comparison and analysis, which improves detection accuracy and, from the attack sources, identifies the cleaning devices to mobilize.

3.2 Key technology implementation analysis

The solution consists mainly of attack traffic detection, abnormal traffic cleaning, and the management platform. Attack traffic detection differs little from the previous solutions; the other two parts are covered here.

1. Management platform. The management platform must aggregate, filter and analyze the traffic detection data. Once an abnormal traffic attack is identified, it generates and schedules the cleaning policy, and in doing so must determine: (1) the attack source region, so as to decide which cleaning devices to mobilize; this can be done with an attack source tracing system or by looking up the attack source IP addresses in an IP address library; (2) the cleaning policy for each device: near-source and near-service-host policies differ, and the policy assigned to a device depends on where it is deployed.

2. Abnormal traffic cleaning. Unlike previous cleaning devices, the cleaning devices in this solution must be able to clean traffic in both directions. Once a cleaning device receives a cleaning request, it redirects traffic according to the policy; after cleaning, a near-source device reinjects the clean traffic upward (toward the core network), while a near-service-host device reinjects it downward (toward the service host).
3.3 Deployment scheme

For a telecom operator, the main sources of DDoS attacks are: (1) home terminals on the local metropolitan area network; (2) smartphone terminals on the local mobile Internet; (3) service hosts in the IDC; (4) the operator's own service hosts on the local network; (5) endpoints on other domestic networks; (6) endpoints on international networks.
Abnormal traffic detection devices can be deployed at the provincial egress routers, the IDC egress routers, and the egress routers of the operator's own service hosts, so as to detect attack traffic across the whole network. Abnormal traffic cleaning devices are attached to routers near the attack sources, such as the IDC egress router, the metropolitan area network egress router, the packet core network egress router, the operator's own service network egress router, and the domestic or international interconnection routers; the exact locations can be adjusted to the network. In addition, a security management platform, whose location is unconstrained, is deployed to interconnect with all detection and cleaning devices.

3.4 Description of the attack protection process

To keep the process simple, we take collaborative protection among the IDC centers in Beijing, Shanghai and Guangzhou as an example. The system protection scheme is as follows:


Suppose a server in the Shanghai IDC comes under a heavy DDoS attack. The protection process is as follows.

1. Attack detection. When the attack occurs, the detection devices deployed in the core network and at the IDC egress send the NetFlow data they collect in real time to the security management platform. Through aggregation and analysis, the platform identifies the province and access point of the attack sources from the source IP addresses; assume they are the Beijing and Guangzhou IDCs. Having determined the source province and access point, the platform issues near-source cleaning policies to the cleaning devices in the Beijing and Guangzhou IDCs, and at the same time issues a near-service-host cleaning policy to the cleaning device in the Shanghai IDC.

2. Attack protection. On receiving the command to start the cleaning policy, the cleaning devices in the Beijing and Guangzhou IDCs redirect traffic based on the IP address of the attacked service host: all traffic destined for the attacked address is redirected to the cleaning device, and after cleaning the traffic is reinjected to the IDC egress router and forwarded upward.

When the packets carrying the remaining attack traffic arrive at the Shanghai IDC, the cleaning device there cleans according to the policy it received: all traffic destined for the attacked address is redirected to it, and after cleaning the clean traffic is reinjected to the IDC access router and forwarded to the service host. This cleans the attack traffic completely.
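The management-platform logic of section 3.2 and the Beijing/Shanghai/Guangzhou process of section 3.4, as an added example that is not drawn from the article: a Python sketch that aggregates constructed NetFlow-style records per destination, raises an alarm when a destination exceeds a volumetric threshold, maps the source addresses to regions with a constructed IP address table, schedules a near-source policy for every remote region that contributes enough traffic to be worth diverting, and always issues a near-service-host policy sized for the residual (local sources, sources of unknown region, and regions below the near-source trigger), which is the aggregation problem section 3.1 warns about. All prefixes, device names, thresholds, the export window and the traffic figures are assumptions made for the example.

```python
"""Two-way cleaning policy scheduling from NetFlow-style records, simulated.

Added example, not code from the article. The region table, device names,
thresholds and flow records are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed IP address library: which prefixes are "near" which cleaning device.
REGIONS = {
    "beijing":   {"prefixes": ["198.51.100.0/24"], "cleaner": "clean-bj-idc"},
    "guangzhou": {"prefixes": ["203.0.113.0/24"],  "cleaner": "clean-gz-idc"},
    "shanghai":  {"prefixes": ["192.0.2.0/24"],    "cleaner": "clean-sh-idc"},
}
WINDOW_S = 60                   # assumed NetFlow export window used for rate calculation
ATTACK_THRESHOLD_GBPS = 10.0    # assumed per-destination alarm level
NEAR_SOURCE_MIN_GBPS = 2.0      # assumed minimum per-region rate worth a near-source diversion

# Constructed flow records: (source IP, destination IP, bytes seen in the window).
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", 225_000_000_000),  # Beijing -> Shanghai victim, 30 Gbit/s
    ("203.0.113.5",  "192.0.2.10", 150_000_000_000),  # Guangzhou -> victim, 20 Gbit/s
    ("100.64.0.5",   "192.0.2.10",   7_500_000_000),  # unknown region -> victim, 1 Gbit/s
    ("192.0.2.50",   "192.0.2.10",  15_000_000_000),  # inside Shanghai -> victim, 2 Gbit/s
    ("198.51.100.9", "192.0.2.20",       1_000_000),  # ordinary traffic to another host
]


def region_of(ip):
    """Attack-source region lookup in the constructed address library."""
    addr = ipaddress.ip_address(ip)
    for name, region in REGIONS.items():
        if any(addr in ipaddress.ip_network(p) for p in region["prefixes"]):
            return name
    return "unknown"


def gbps(nbytes):
    return nbytes * 8 / WINDOW_S / 1e9


def aggregate(flows):
    """Sum bytes per destination and per source region: {dst: {region: bytes}}."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for src, dst, nbytes in flows:
        per_dst[dst][region_of(src)] += nbytes
    return per_dst


def plan_cleaning(flows):
    """Return the cleaning policies to issue for every destination above threshold.

    near-source: issued to the cleaner of a remote region that sends at least
                 NEAR_SOURCE_MIN_GBPS toward the victim; it diverts traffic for
                 the victim /32 on its own egress and reinjects upward.
    near-service: always issued to the victim's own cleaner for whatever the
                 near-source points do not catch; it reinjects downward.
    """
    policies = []
    for dst, by_region in aggregate(flows).items():
        if gbps(sum(by_region.values())) < ATTACK_THRESHOLD_GBPS:
            continue                                   # no alarm for this destination
        victim_region = region_of(dst)
        residual = 0.0
        for region, nbytes in by_region.items():
            rate = gbps(nbytes)
            if region != victim_region and region in REGIONS and rate >= NEAR_SOURCE_MIN_GBPS:
                policies.append({"device": REGIONS[region]["cleaner"], "mode": "near-source",
                                 "redirect": f"{dst}/32", "reinject": "up",
                                 "est_gbps": round(rate, 2)})
            else:
                residual += rate   # local, unknown-region, or too small to divert near the source
        if victim_region in REGIONS:
            policies.append({"device": REGIONS[victim_region]["cleaner"], "mode": "near-service",
                             "redirect": f"{dst}/32", "reinject": "down",
                             "est_gbps": round(residual, 2)})
    return policies


if __name__ == "__main__":
    for policy in plan_cleaning(SAMPLE_FLOWS):
        print(policy)
```

The residual figure is what sizes the near-service-host device: with the sample records, 50 Gbit/s is diverted in Beijing and Guangzhou and only 3 Gbit/s has to be absorbed in Shanghai, which is the point of section 3.1's combination of the two cleaning modes.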

4. Summary

The large-volume DDoS attack protection solution discussed in this article lets telecom operators achieve elastic, large-volume DDoS protection capability, make full use of the security equipment they have already purchased, and save investment. It also significantly reduces abnormal traffic and unnecessary bandwidth consumption on the backbone network.
As large-volume DDoS attacks become common, the DDoS protection devices built by IDC tenants cannot meet their protection needs; operators can rely on this elastic, large-volume protection capability to offer value-added anti-DDoS services to IDC tenants and gain additional revenue.
