Background: There are many types of DDoS attacks, including volumetric (traffic) attacks that exhaust network bandwidth and application-layer attacks that exhaust server resources. The ones with the greatest impact, the ones that make large and small companies alike nervous, are the traffic attacks. Now that bandwidth is cheap, attack traffic that used to be a few hundred megabits per second is now several gigabits per second or more. The hardest-hit sector is generally the highly competitive gaming industry, especially since private servers became popular in the past few years.
Common defense methods:
1. Enterprise-level DDoS firewall: we have used DDoS firewalls from several vendors, such as Yundun, Lumeng and AO Shield. These firewalls are similar in principle: they are essentially powerful counters and timers that defend based on the characteristics of the TCP/IP protocol family. For example, more than a set number of SYN half-open connections per second is treated as an attack, more than a set number of ICMP packets per source IP per second is treated as an attack, and some protocols carry distinctive bytes at certain offsets that can be matched, and so on. The protective effect against attacks with a small amount of traffic is quite obvious. One caveat: because the firewall sits behind the uplink, it can only drop what the uplink delivers; once an attack saturates the link itself, the firewall cannot help and protection has to move upstream to the carrier.
2. Carrier-level DDoS protection: only carriers can defend against volumetric attacks, because they have far greater network resources. Carriers generally offer two methods. One is to block the target IP address outright, for example with RTBH (remotely triggered black hole) routing; this stops the flood from reaching the customer link, but it also sacrifices the target address entirely, so the attacked service is down while the rest of the network survives. The other is traffic cleaning (scrubbing), in which the target's traffic is diverted to a scrubbing center that drops the attack traffic and forwards the rest, keeping the service reachable; for example, the traffic cleaning service offered in Shanghai, which many banks and Internet companies prefer.
Common DDoS firewall deployment methods, as in the figure:
[Figure: DDoS firewall deployment modes, inline on the left and bypass on the right (dd.png)]
1. Inline (left side of the figure): the firewall is connected directly in the traffic path, so all IP addresses and services behind it are protected at all times. The trade-off is that the device is in the path of every packet, so its capacity and availability limit the whole network.
2. Bypass (right side of the figure): the firewall sits off-path and relies on traffic diversion, cleaning, and reinjection. Only the traffic for addresses that actually need protection is diverted, which is more flexible; normal traffic never passes through the device, but diversion has to be triggered (typically by detection plus a route announcement) before protection takes effect.
Here are several examples from previous incidents:
1. UDP flood, also a common attack method.
[Figures: firewall traffic graphs of the UDP flood (qq20140812135720.png, 58.png)]
It can be seen that a large amount of UDP attack traffic arrived in an instant. Because the source IP address was relatively fixed in this case, the source IP address was blocked directly. Usually, however, the source IP is not fixed (spoofed, or spread across a botnet), and then only the destination IP address is blocked, so that other customers are not affected.
2. ICMP flood
[Figure: firewall traffic graph of the ICMP flood (ddddd.png)]
3. SYN flood
[Figure: firewall traffic graph of the SYN flood (ds.png)]
I remember that the SYN attack traffic lasted for a few hours, but it was basically all intercepted by the DDoS firewall and no IP address had to be blocked. DDoS firewalls are now very mature; in general, SYN floods and traffic attacks within the firewall's own capacity are well protected against.
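The counter-based detection described under the enterprise firewall (SYN half-open attempts, ICMP and UDP packets per second) and the blocking decision from the UDP incident (block the source when it is fixed, otherwise block the destination) can be shown together in one small script. This is an added example, not code from the original post or from any vendor's product; the thresholds, addresses and packet log are constructed for the demonstration.

```python
"""Per-second counter detection and block decision for flood traffic.

Added example, not code from the original post or from any vendor's product.
It imitates the kind of counters an enterprise DDoS firewall keeps (SYN
half-open attempts, ICMP and UDP packets per destination per second) and the
operator's decision from the UDP incident: block the source when the flood
comes from a fixed IP, otherwise block the destination so other customers are
unaffected.  Thresholds, addresses and the packet log are constructed.
"""
from collections import Counter, defaultdict

# Constructed per-second thresholds; real values are tuned per site.
THRESHOLDS = {"syn": 50, "icmp": 30, "udp": 100}

# Fraction of the flood one source must account for before we consider the
# source "fixed" and block it rather than the victim destination.
SOURCE_CONCENTRATION = 0.8


def classify(pkt):
    """Return which counter a packet feeds, or None if it is ignored."""
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S":
        return "syn"      # bare SYN: approximates a half-open attempt
    if pkt["proto"] == "icmp":
        return "icmp"
    if pkt["proto"] == "udp":
        return "udp"
    return None


def detect(packets):
    """Count packets per (second, destination, kind); alert when over threshold."""
    counts = defaultdict(Counter)   # key -> Counter of source IPs
    for p in packets:
        kind = classify(p)
        if kind is not None:
            counts[(int(p["ts"]), p["dst"], kind)][p["src"]] += 1
    alerts = []
    for (sec, dst, kind), srcs in sorted(counts.items()):
        total = sum(srcs.values())
        if total > THRESHOLDS[kind]:
            alerts.append({"second": sec, "dst": dst, "kind": kind,
                           "total": total, "sources": srcs})
    return alerts


def decide_block(alert):
    """Block a fixed source; otherwise fall back to blocking the destination."""
    src, n = alert["sources"].most_common(1)[0]
    if n / alert["total"] >= SOURCE_CONCENTRATION:
        return ("src", src)
    return ("dst", alert["dst"])


def make_packets():
    """Constructed packet log (timestamps in seconds, documentation-range IPs)."""
    pkts = []
    # second 0: UDP flood from one fixed source (like the incident in the post)
    pkts += [{"ts": 0.3, "src": "203.0.113.9", "dst": "10.0.0.5", "proto": "udp"}
             for _ in range(150)]
    # second 0: a little legitimate TCP traffic, well under the SYN threshold
    pkts += [{"ts": 0.5, "src": f"198.51.100.{i}", "dst": "10.0.0.5",
              "proto": "tcp", "flags": "S"} for i in range(1, 11)]
    # second 1: UDP flood from 200 different (spoofed) sources
    pkts += [{"ts": 1.1, "src": f"192.0.2.{i}", "dst": "10.0.0.7", "proto": "udp"}
             for i in range(1, 201)]
    # second 2: ICMP flood from a single host
    pkts += [{"ts": 2.0, "src": "203.0.113.44", "dst": "10.0.0.5", "proto": "icmp"}
             for _ in range(60)]
    return pkts


def run(packets=None):
    """Return (second, dst, kind, total, (block_type, ip)) for each alert."""
    packets = make_packets() if packets is None else packets
    return [(a["second"], a["dst"], a["kind"], a["total"], decide_block(a))
            for a in detect(packets)]


if __name__ == "__main__":
    for row in run():
        print(row)
```

Running it yields three alerts: the single-source UDP flood and the ICMP flood are answered by blocking the source, while the 200-source UDP flood falls back to blocking the destination. The legitimate SYNs in second 0 stay under threshold and produce nothing. A real firewall keeps these counters in sliding windows and tracks completed handshakes rather than counting bare SYNs, but the decision logic is the same.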
Conclusion: DDoS attacks are far from over; the source is hard to trace and the cost of attacking is very low, so defenders remain mostly passive. How can these problems be solved effectively in the future: with CDN? With SDN? Or with future network architectures such as FIA and XIA?
This article is from the "the brightest star in the night sky" blog; please keep this source: http://wangxl.blog.51cto.com/621714/1538982