Seven mistakes in DDoS cleaning solution Selection

As DDoS attacks become increasingly fierce, the scale of attacks is also growing. How Should users choose DDoS cleaning solutions and products to avoid unnecessary equipment procurement? Finally, they can choose their own products to control costs while effectively defending against DDoS attacks. This article describes seven mistakes in the selection of DDoS cleaning products, as well as relevant precautions.

Misunderstanding 1: Select firewall or intrusion detection IPS to clean DDoS

Analysis: firewalls and intrusion detection IPS are usually deployed in the downstream gateways of the network. They are access control systems based on status detection and are DDoS attack targets, it becomes a bottleneck when new connections and status connections are exhausted.

Anti-DDoS best practices are: Traffic cleaning center plus operator BGP Route scheduling control;

Misunderstanding 2: The Performance of the cleaning device is much higher than the egress bandwidth.

Analysis: Some customers have a network egress bandwidth of only 100 M, but vendors recommend 1g or even 4G cleaning devices.

The standard cloud cleaning statement is a local application-oriented DDoS attack, and a traffic-based DDoS attack on the cloud.

Misunderstanding 3: When the cleaning system is selected, only the hardware indicators of the equipment are checked, ignoring the professional capabilities of the manufacturer's attack cleaning technology.

Analysis: The manufacturer lacks experienced and skilled cleaning experts and does not have the ability to communicate with upstream operators in real time to quickly detect attacks and attack emergency disaster recovery capabilities. The customer only buys a hardware box, which is usually invisible and is eager to debug.

The best practice of DDoS cleaning is "Three-Point product technology and seven-point design service ".

Misunderstanding 4: When you select a cleaning device, you only need to check the port throughput performance, ignoring the processing performance of the packet processing capability and regular matching.

Analysis: the nominal processing performance indicators of the cleaning equipment are usually the laboratory testing standards. The Performance drops sharply under the actual packet attacks on the current network and regular matching, the cleaning capability of 10 Gbit/s cleaning devices is only about 4 Gbit/s.

Misunderstanding 5: Select the cleaning system to check the abnormal traffic performance of hardware cleaning, ignoring the passing performance of normal business traffic after cleaning.

Analysis: The cleaning device has no predictable normal traffic passing capability. When the hardware resources of the cleaning DDoS system are occupied by abnormal traffic, the normal traffic passing capability drops sharply, the system cannot configure hardware resources to handle abnormal traffic and normal traffic.

Misunderstanding 6: Select the DDoS cleaning service and want to provide acceleration and other functions.

Analysis: Application acceleration and traffic cleaning interfere with each other at the same data center exit. When others are attacked, they are easily affected.

Application acceleration and traffic cleaning provide a realistic solution for both small-scale attacks.

Misunderstanding 7: The cleaning location of the cloud cleaning service provider is too close to the downstream and does not have the BGP Route scheduling control capability.

Analysis: When a large-scale DDoS attack occurs, the upstream and downstream of the entire network fails. The biggest problem for the customer is that he does not know who to call to solve the problem.

Cloud cleaning service providers must have autonomous domain AS numbers for BGP Route scheduling control and DNS full-network policy control capabilities to bring the customer's network service availability to a peaceful cloud day