Some considerations and testing methods for DDoS security products in the Internet cloud ecosystem (II)

Source: Internet
Author: User
Tags: http, cookie

Common defense systems and solutions for DDoS security products

Traditional solutions

Early DDoS defenses were detected and handled by firewalls and routers. These gave some protection against the early attacks, and a firewall is effective at the protocol (network and transport) layer. But as the Internet has developed, DDoS attacks have become more sophisticated and far more powerful, and relying on a firewall to defend against them is clearly inadequate:

    1. Firewalls and routers are only effective against protocol-layer attacks, while more and more DDoS attacks target the application layer;
    2. A firewall is not designed for DDoS. Using it to monitor and clean DDoS traffic degrades its normal functions, which is an unnecessary burden for the firewall;
    3. Deploying and expanding a large network is far more complex than upgrading software, so attacks launched by programs are more flexible than the network equipment defending against them.

As mentioned earlier, there is no absolutely effective solution for DDoS defense. While the wider Internet is hungry for more and better defensive solutions, the current defenses of large Internet systems are mostly combinations of solutions.

As mentioned earlier, DDoS defense is a semi-automatic process. A so-called DDoS defense system is nothing more than traffic detection + abnormal traffic cleaning + policy rules + control system + manual handling.

Flow detection

Flow detection currently uses two technologies, DPI (deep packet inspection) and DFI (deep/dynamic flow inspection), which differ as follows.

DPI

Traditional traffic analysis looks only at the five-tuple in the IP and transport headers (source address, destination address, source port, destination port and protocol type) and other basic information at layer 4 and below. DPI, by contrast, is an application-layer traffic detection and control technology: it uses the content of the IP packets to reassemble the application-layer (OSI layer 7) information and so obtain the content of the application. By the way the protocol is recognized, DPI is divided into three categories:

    1. Protocol feature-word recognition

Different applications use different protocols, and these protocols usually carry a distinctive fingerprint (a specific port, string, bit sequence and so on). Finding this fingerprint in the message determines the application the traffic carries. Taking the well-known BitTorrent as an example, its handshake carries the protocol feature word "BitTorrent protocol";

    2. Application-layer gateway recognition

If the business flow itself has no recognizable characteristics, application-layer gateway recognition can be used: the application-layer gateway first identifies the control flow, then selects the gateway for that control-flow protocol to analyze and identify the corresponding business flow. For example, by inspecting the SIP (Session Initiation Protocol) or H.323 signalling exchange, the parameters of the RTP (Real-time Transport Protocol) media flow it sets up can be obtained;

    3. Behavior pattern recognition

Behavior pattern recognition is used where the business cannot be judged from the protocol at all. For example, spam and normal mail have identical protocol content in the business flow, so malicious behavior has to be identified from behavior patterns.

DFI

Unlike DPI, DFI is an application-layer recognition technology based on traffic behavior: different types of application show different states in their session connections and data flows, and DFI identifies the application from those states rather than from payload content.

DFI builds a traffic characteristic model from these behavior characteristics, then compares a session's packet length, connection rate, byte count, packet interval and similar information against the flow models to identify the application type.

The differences between the two technologies are as follows:

    1. Processing speed: DFI only has to compare flow statistics against a background model, so it is faster than DPI, which must analyze packet by packet;
    2. DPI must constantly be updated with new protocols, new applications and new matching rules, so its maintenance cost is high;
    3. DPI identifies application types and protocols precisely, whereas DFI can only give a rough classification;
    4. DPI cannot identify encrypted traffic, because the feature words are hidden inside the ciphertext, while DFI still works since it looks only at flow behavior.
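The two recognition methods side by side, as an added example that is not code from the original article or from any product it describes. DPI matches a protocol feature word at the start of the payload (the BitTorrent handshake prefix, an HTTP method, a TLS record header); DFI compares a flow's statistics against per-application behavior models. The payloads, statistics and model numbers are constructed for illustration, and the "encrypted BitTorrent" flow shows the case from item 4: DPI finds nothing, DFI still classifies it.

```python
"""DPI feature-word matching beside DFI flow-behaviour matching.

All payloads, flow statistics and model numbers below are constructed for
illustration; they are not captured traffic or a vendor's real models.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# --- DPI: look for a protocol feature word (fingerprint) in the payload -------
# The BitTorrent handshake starts with the length byte 0x13 followed by the
# literal "BitTorrent protocol"; an HTTP request starts with a method token and
# a TLS record starts with content type 0x16 (handshake) and major version 3.
DPI_SIGNATURES: Dict[str, bytes] = {
    "bittorrent": b"\x13BitTorrent protocol",
    "http": b"GET ",
    "tls": b"\x16\x03",
}


def dpi_classify(payload: bytes) -> Optional[str]:
    """Exact identification from payload content; None if no feature word matches."""
    for app, signature in DPI_SIGNATURES.items():
        if payload.startswith(signature):
            return app
    return None


# --- DFI: compare flow behaviour against per-application models ---------------
@dataclass(frozen=True)
class FlowStats:
    avg_pkt_len: float          # bytes per packet
    pkts_per_sec: float
    avg_interval_ms: float      # mean gap between packets
    up_down_ratio: float        # bytes client->server / bytes server->client


# (mean, tolerance) per feature; assumed values, not measured ones.
DFI_MODELS: Dict[str, Dict[str, Tuple[float, float]]] = {
    "bittorrent": {"avg_pkt_len": (1200, 300), "pkts_per_sec": (80, 60),
                   "avg_interval_ms": (12, 10), "up_down_ratio": (0.9, 0.4)},
    "web": {"avg_pkt_len": (700, 400), "pkts_per_sec": (15, 15),
            "avg_interval_ms": (60, 50), "up_down_ratio": (0.1, 0.15)},
    "voip": {"avg_pkt_len": (200, 60), "pkts_per_sec": (50, 15),
             "avg_interval_ms": (20, 8), "up_down_ratio": (1.0, 0.3)},
}
# A flow matches a model when its summed normalised deviation is at most one
# tolerance per feature on average (four features -> 4.0).
DFI_MAX_DISTANCE = 4.0


def dfi_classify(stats: FlowStats) -> Optional[str]:
    """Rough identification from behaviour only; works on encrypted flows too."""
    best_app, best_distance = None, float("inf")
    for app, model in DFI_MODELS.items():
        distance = sum(abs(getattr(stats, feature) - mean) / tolerance
                       for feature, (mean, tolerance) in model.items())
        if distance < best_distance:
            best_app, best_distance = app, distance
    return best_app if best_distance <= DFI_MAX_DISTANCE else None


def classify_flow(first_payload: bytes, stats: FlowStats) -> Tuple[Optional[str], str]:
    """DPI first (precise); fall back to DFI when the payload carries no feature word."""
    app = dpi_classify(first_payload)
    if app is not None:
        return app, "dpi"
    app = dfi_classify(stats)
    return app, ("dfi" if app is not None else "none")


# Constructed sample flows.
BT_STATS = FlowStats(1180, 90, 11, 1.0)
BT_PLAIN_PAYLOAD = b"\x13BitTorrent protocol" + bytes(8)        # handshake start
BT_ENCRYPTED_PAYLOAD = bytes.fromhex("7f3a91c4e0b52d6618a9")   # ciphertext, no feature word
WEB_STATS = FlowStats(600, 20, 50, 0.1)
WEB_PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n"
VOIP_STATS = FlowStats(200, 50, 20, 1.0)
RTP_PAYLOAD = bytes.fromhex("80000001000000010000abcd")         # RTP header, no DPI signature

if __name__ == "__main__":
    for name, payload, stats in [("plain bt", BT_PLAIN_PAYLOAD, BT_STATS),
                                 ("encrypted bt", BT_ENCRYPTED_PAYLOAD, BT_STATS),
                                 ("web", WEB_PAYLOAD, WEB_STATS),
                                 ("voip", RTP_PAYLOAD, VOIP_STATS)]:
        print(name, classify_flow(payload, stats))
```

The DFI distance is a plain normalised L1 distance with a fixed cut-off; a real product would learn the models and the cut-off from traffic rather than hard-code them, which is the maintenance difference item 2 is about.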

Abnormal traffic cleaning and cleaning equipment

The earlier analysis of first-packet discard and TCP proxying mentioned one principle: all network-layer security detection, identification and defense logic should be isolated from business processing. Today the complete set of security detection, identification and defense functions is provided mainly by abnormal traffic cleaning equipment.

Generally speaking, cleaning equipment achieves multi-level defense through rate limiting of abnormal traffic, rule-based filtering and similar means, filtering out attacks at both the network layer and the application layer.

Multi-Layer Protection

Multi-layer protection means defending both the network layer and the application layer through static feature detection, dynamic rule filtering, rate limiting and human/bot recognition. In practice, whatever the means, only the cleaning effect at the network layer can be guaranteed; at the application layer the main tool is rate limiting, and its false-positive rate is very high.

Network layer

Network-layer protection is, in most cases, aimed at the various flood attacks.

Rate limiting

The most common defense. In general, users set thresholds for their own applications, including PPS (packets per second), BPS (bits per second), QPS (queries per second), new connections per second and concurrent connections, and traffic beyond a user's threshold is rate-limited.

SYN cookie defense

The SYN cookie defense was described in the previous section.

SYN Reset

The SYN Reset method is similar to the first-packet discard described earlier. Where first-packet discard passively waits for the client to retransmit, SYN Reset has the device answer the SYN on the server's behalf with a SYN+ACK whose acknowledgement number is deliberately wrong. A normal client stack detects the bad acknowledgement and replies with an RST; a spoofed source never sees the SYN+ACK and so never replies. The RST proves the source is real, after which its retransmitted SYN is passed to the real server (the client stack stays in SYN-SENT after sending the RST and retransmits on its own).

TCP state

During TCP transmission a normal client uses a standard protocol stack with a well-defined state-transition model. Generic attack tools do not imitate a legitimate stack, so segments whose state does not match the model can be identified and discarded. For example, an ACK flood never completes the three-way handshake, so its segments never correspond to a connection that has gone through the handshake states.

The TCP state diagram is as follows:
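The SYN Reset check and the TCP state check together, as an added example that is not code from the original article or from any cleaning product. A simulated scrubbing device sits in front of a server: it answers each unverified SYN with a SYN+ACK carrying a wrong acknowledgement number, accepts the source once it sees the RST a real stack sends in reply (RFC 793: a SYN-SENT client that receives an unacceptable ACK sends <SEQ=SEG.ACK><CTL=RST>), and thereafter drops any ACK or data segment from a source that has not completed the handshake. Addresses, sequence numbers and the challenge offset are assumptions.

```python
"""Scrubbing-device logic for the SYN Reset check and TCP state validation.

Added example with a simulated handshake on both sides; addresses, sequence
numbers and the challenge offset are assumptions, not values from the page.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

SERVER = "198.51.100.10"          # protected server (assumed)
BOGUS_ACK_OFFSET = 0x1000         # makes the challenge SYN+ACK's ACK deliberately wrong
SEQ_MASK = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: str        # "S" SYN, "SA" SYN+ACK, "A" ACK, "PA" data, "R" RST
    seq: int
    ack: int = 0


@dataclass
class Flow:
    state: str = "NONE"           # NONE -> SYN_SENT -> SYN_RECV -> ESTABLISHED
    client_isn: int = 0
    server_isn: int = 0


class Scrubber:
    """Sits in front of SERVER; handle() returns ("forward"|"drop"|"reply", reply_segment)."""

    def __init__(self) -> None:
        self.challenged: Dict[str, int] = {}     # source -> bogus ACK we sent it
        self.verified: Set[str] = set()          # sources that answered with a correct RST
        self.flows: Dict[str, Flow] = {}         # per-source handshake state

    def handle(self, seg: Segment) -> Tuple[str, Optional[Segment]]:
        if seg.src == SERVER:
            return self._from_server(seg)
        return self._from_client(seg)

    def _from_client(self, seg: Segment) -> Tuple[str, Optional[Segment]]:
        flow = self.flows.setdefault(seg.src, Flow())
        if seg.flags == "S":
            if seg.src in self.verified:
                flow.state, flow.client_isn = "SYN_SENT", seg.seq
                return "forward", None
            # SYN Reset: answer on the server's behalf with a wrong ACK number;
            # the SYN itself is not passed on to the server.
            bogus = (seg.seq + 1 + BOGUS_ACK_OFFSET) & SEQ_MASK
            self.challenged[seg.src] = bogus
            return "reply", Segment(SERVER, seg.src, "SA", seq=0x5EED, ack=bogus)
        if seg.flags == "R":
            # Only a real stack that received our SYN+ACK can send RST with
            # SEQ equal to the bogus ACK; a spoofed source never sees it.
            if self.challenged.get(seg.src) == seg.seq:
                del self.challenged[seg.src]
                self.verified.add(seg.src)
            return "drop", None                  # the RST is absorbed here
        if "A" in seg.flags:
            if flow.state == "SYN_RECV" and seg.ack == ((flow.server_isn + 1) & SEQ_MASK):
                flow.state = "ESTABLISHED"
                return "forward", None
            if flow.state == "ESTABLISHED":
                return "forward", None
            # TCP state check: ACK/data with no completed handshake is discarded.
            return "drop", None
        return "drop", None

    def _from_server(self, seg: Segment) -> Tuple[str, Optional[Segment]]:
        flow = self.flows.get(seg.dst)
        if (seg.flags == "SA" and flow is not None and flow.state == "SYN_SENT"
                and seg.ack == ((flow.client_isn + 1) & SEQ_MASK)):
            flow.state, flow.server_isn = "SYN_RECV", seg.seq
        return "forward", None


def legitimate_handshake(dev: Scrubber, client: str = "203.0.113.5", isn: int = 1000) -> str:
    """A real client stack: RST to the bad SYN+ACK, retransmit SYN, finish the handshake."""
    action, reply = dev.handle(Segment(client, SERVER, "S", seq=isn))
    if action == "reply" and reply is not None and reply.ack != ((isn + 1) & SEQ_MASK):
        dev.handle(Segment(client, SERVER, "R", seq=reply.ack))      # stack stays SYN-SENT
    action, _ = dev.handle(Segment(client, SERVER, "S", seq=isn))    # SYN retransmission
    if action != "forward":
        return "BLOCKED"
    dev.handle(Segment(SERVER, client, "SA", seq=5000, ack=isn + 1))  # real server answers
    dev.handle(Segment(client, SERVER, "A", seq=isn + 1, ack=5001))
    return dev.flows[client].state


def spoofed_syn_flood(dev: Scrubber, count: int) -> int:
    """Spoofed sources never answer the challenge; returns how many SYNs reached the server."""
    forwarded = 0
    for i in range(count):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        action, _ = dev.handle(Segment(src, SERVER, "S", seq=i))
        forwarded += action == "forward"
    return forwarded


def ack_flood(dev: Scrubber, count: int) -> int:
    """Bare ACKs with no handshake behind them fail the state check."""
    forwarded = 0
    for i in range(count):
        src = f"172.16.{(i >> 8) & 255}.{i & 255}"
        action, _ = dev.handle(Segment(src, SERVER, "A", seq=i, ack=i))
        forwarded += action == "forward"
    return forwarded
```

The verified set is what makes the scheme cost the client one extra round trip only on its first connection; a real device would age entries out of both tables, which is omitted here.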

Fingerprint identification

In the narrow sense a fingerprint is the mark left by a finger; in the broad sense a fingerprint is any representative characteristic or trace that can describe and identify something.

Fingerprint identification here is in fact a machine-learning process over fingerprint features of TCP/IP, HTTP and so on: the statistical features of normal traffic are collected and a model is built from them. Abnormal traffic is compared against this model; usually one feature will deviate far beyond what normal traffic shows, and the traffic is filtered on that basis.
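The baseline-and-compare step above, as an added example that is not code from the original article. It builds per-feature mean and standard deviation from windows of "normal" traffic and flags a new window when any feature's z-score exceeds a threshold. The normal traffic is generated from a seeded pseudo-random model (an assumption, not a capture), and the SYN-flood window shows which header features blow past the baseline.

```python
"""Statistical fingerprint of normal TCP/IP traffic, used to flag abnormal windows.

Added example; the baseline windows come from a seeded pseudo-random model of
"normal" traffic (an assumption, not a real capture) and the threshold is
illustrative.
"""
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Pkt:
    ttl: int
    length: int
    flags: str          # "S", "A" or "PA"


def window_features(pkts: List[Pkt]) -> Dict[str, float]:
    """Per-window statistics over header fields: the fingerprint of the traffic."""
    n = len(pkts)
    return {
        "mean_len": sum(p.length for p in pkts) / n,
        "mean_ttl": sum(p.ttl for p in pkts) / n,
        "syn_ratio": sum(p.flags == "S" for p in pkts) / n,
    }


class Baseline:
    """Mean / standard deviation per feature, learned from normal windows."""

    def __init__(self, z_threshold: float = 4.0) -> None:
        self.stats: Dict[str, Tuple[float, float]] = {}
        self.z_threshold = z_threshold

    def fit(self, windows: List[List[Pkt]]) -> "Baseline":
        rows = [window_features(w) for w in windows]
        for feat in rows[0]:
            values = [r[feat] for r in rows]
            mean = sum(values) / len(values)
            var = sum((v - mean) ** 2 for v in values) / len(values)
            self.stats[feat] = (mean, max(math.sqrt(var), 1e-9))   # floor avoids /0
        return self

    def zscores(self, pkts: List[Pkt]) -> Dict[str, float]:
        feats = window_features(pkts)
        return {f: (feats[f] - m) / sd for f, (m, sd) in self.stats.items()}

    def anomalous_features(self, pkts: List[Pkt]) -> List[str]:
        """Features deviating far beyond normal traffic; an empty list means normal."""
        return [f for f, z in self.zscores(pkts).items() if abs(z) > self.z_threshold]


def normal_window(rng: random.Random, size: int = 200) -> List[Pkt]:
    """Constructed normal traffic: a few common hop-count TTLs, mixed sizes, ~5% SYNs."""
    pkts = []
    for _ in range(size):
        ttl = rng.choice([52, 54, 56, 58, 60, 62, 64])
        length = min(1500, max(40, int(rng.gauss(700, 300))))
        flags = "S" if rng.random() < 0.05 else rng.choice(["A", "PA"])
        pkts.append(Pkt(ttl, length, flags))
    return pkts


def syn_flood_window(rng: random.Random, size: int = 200) -> List[Pkt]:
    """Constructed attack traffic: spoofed sources with random TTLs, minimal SYNs only."""
    return [Pkt(rng.randint(1, 255), rng.choice([40, 44, 60]), "S") for _ in range(size)]


def build_baseline(seed: int = 1, windows: int = 50) -> Baseline:
    rng = random.Random(seed)
    return Baseline().fit([normal_window(rng) for _ in range(windows)])


def sample_windows(seed: int = 99) -> Tuple[List[Pkt], List[Pkt]]:
    """One held-out normal window and one flood window, from a separate seed."""
    rng = random.Random(seed)
    return normal_window(rng), syn_flood_window(rng)


if __name__ == "__main__":
    baseline = build_baseline()
    normal, flood = sample_windows()
    print("normal window flags:", baseline.anomalous_features(normal))
    print("flood window flags:", baseline.anomalous_features(flood))
```

Mean TTL, mean packet length and SYN ratio each deviate by tens of standard deviations in the flood window; a single feature over the threshold is enough to filter, which is the point made in the paragraph above.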

Application Layer

As mentioned earlier, application-layer attacks differ from network-layer attacks: they belong to upper-layer protocols, sit closer to the business logic, and may have no strict boundary with normal business at all. In addition, attacks at this level often seriously consume the server's bandwidth or host resources and do a great deal of damage.

Most application-layer attacks focus on HTTP, with a smaller portion on DNS.

Per-domain rate limiting

Requests can be rate-limited separately per domain name.
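One keyed limiter serving both the network-layer thresholds (PPS, BPS, QPS, new connections per second, concurrent connections) from the Rate limiting section above and the per-domain limit described here, as an added example that is not code from the original article or from any product. The key is whatever the threshold applies to, a destination address or a domain name. It uses a fixed one-second window (an assumption; real devices may use sliding windows or token buckets), and the threshold values are illustrative.

```python
"""Keyed threshold limiter for PPS/BPS/QPS/new-connection/concurrent thresholds,
keyed by destination address or by domain name.

Added example, not vendor code. Fixed one-second windows and the threshold
numbers are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Thresholds:
    pps: Optional[int] = None          # packets per second
    bps: Optional[int] = None          # bytes per second (the page's BPS, counted in bytes here)
    qps: Optional[int] = None          # application requests (HTTP requests, DNS queries) per second
    new_conn_ps: Optional[int] = None  # new connections per second
    concurrent: Optional[int] = None   # simultaneously open connections


@dataclass
class Counters:
    window: int = -1        # integer second the per-second counters belong to
    pkts: int = 0
    bytes: int = 0
    queries: int = 0
    new_conns: int = 0
    open_conns: int = 0     # not reset per window


class Limiter:
    """One counter set per key; a key is a destination IP, a domain name, or similar."""

    def __init__(self, thresholds: Dict[str, Thresholds]) -> None:
        self.thresholds = thresholds
        self.counters: Dict[str, Counters] = {}

    def _counters(self, key: str, now: float) -> Counters:
        c = self.counters.setdefault(key, Counters())
        sec = int(now)
        if c.window != sec:                   # roll over to a new one-second window
            c.window, c.pkts, c.bytes, c.queries, c.new_conns = sec, 0, 0, 0, 0
        return c

    def allow(self, key: str, now: float, size: int = 0, query: bool = False,
              new_conn: bool = False) -> bool:
        """Count one arrival; False means it exceeds a threshold and should be dropped."""
        t = self.thresholds.get(key)
        c = self._counters(key, now)
        c.pkts += 1
        c.bytes += size
        c.queries += int(query)
        c.new_conns += int(new_conn)
        if t is None:
            return True
        over = (
            (t.pps is not None and c.pkts > t.pps)
            or (t.bps is not None and c.bytes > t.bps)
            or (t.qps is not None and c.queries > t.qps)
            or (t.new_conn_ps is not None and c.new_conns > t.new_conn_ps)
            or (t.concurrent is not None and new_conn and c.open_conns + 1 > t.concurrent)
        )
        if over:
            return False
        if new_conn:
            c.open_conns += 1
        return True

    def close(self, key: str) -> None:
        """A tracked connection ended; frees one concurrent slot."""
        c = self.counters.get(key)
        if c is not None and c.open_conns > 0:
            c.open_conns -= 1


def http_flood_demo(requests_per_sec: int = 1500, qps_limit: int = 1000) -> Dict[str, int]:
    """Per-domain QPS limit: requests to one domain above the limit are dropped."""
    lim = Limiter({"www.example.test": Thresholds(qps=qps_limit)})
    result = {"allowed": 0, "dropped": 0}
    for i in range(requests_per_sec):
        now = 10.0 + i / requests_per_sec          # all arrivals fall in second 10
        ok = lim.allow("www.example.test", now, size=300, query=True)
        result["allowed" if ok else "dropped"] += 1
    # a domain with no threshold configured is unaffected
    result["other_domain_allowed"] = int(lim.allow("static.example.test", 10.5, query=True))
    return result


def concurrent_demo(limit: int = 3, attempts: int = 5) -> int:
    """Concurrent-connection threshold on a destination address."""
    lim = Limiter({"198.51.100.10": Thresholds(concurrent=limit)})
    opened = sum(lim.allow("198.51.100.10", 20.0 + i * 0.01, size=60, new_conn=True)
                 for i in range(attempts))
    lim.close("198.51.100.10")                       # one client disconnects
    opened += int(lim.allow("198.51.100.10", 21.0, size=60, new_conn=True))
    return opened
```

Note what the limiter cannot do: it has no way to tell the 1000 allowed requests from the 500 dropped ones, so under a flood it drops legitimate requests in proportion. That is the high false-positive rate the Multi-layer protection section warns about, and why the HTTP cookie check is layered on top of it.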

DNS first packet Drop

The DNS first-packet drop method is described in the DNS query flood defense section of the common DDoS attacks part.

DNS TC retry

The DNS TC retry method (answering a UDP query with the TC bit set, so that a genuine resolver retries the query over TCP while a spoofed flood source does not) is also described in the DNS query flood defense section of the common DDoS attacks part.

HTTP Cookie Authentication

See the access-frequency restriction subsection of the HTTP flood defense section.

Inline solutions and bypass solutions

Internet DDoS defense is generally divided into inline (in-path) deployment and bypass (out-of-path) deployment. They suit different users and environments, use different deployment methods, and each has its pros and cons.

In general, large Internet or carrier networks use bypass deployment, which does not change the backbone topology, does not affect normal business, and is easy to expand. Bypass deployment also usually has a dedicated scheduling system which, besides controlling the cleaning, provides controls such as traffic discard (black-holing).

Small networks typically use inline deployment, whose advantage is that detection and protection are combined in one place and the path stays in a clean state. The disadvantages are very high reliability requirements (the device is a single point of failure on the path), the lack of a dedicated scheduling system, poor flexibility, and relative weakness against complex attacks.

Inline deployment

The typical inline deployment is as follows:

Traffic from the router goes directly to the cleaning device; after cleaning it goes to the switch and finally to the business destination address. Control of the cleaning equipment can be added to the cleaning process, so that the cleaning effect can be verified at any time and the cleaning strategy changed.

Bypass deployment

The typical bypass deployment is as follows:

Bypass deployment is considerably more complex than inline deployment and involves the following components:

Flow detection

Bypass deployment generally has a dedicated traffic detection system that analyzes mirrored traffic (from an optical splitter or port mirror) to identify abnormal traffic and trigger the scheduling system, which then has the abnormal traffic cleaned or discarded;

Flow traction (diversion)

Traffic traction means the control end sends a cleaning instruction to the cleaning equipment, which interacts with the core routers, using BGP or other methods, to steer the traffic for the specified IP addresses to the cleaning equipment;

Flow Cleaning

The cleaning equipment identifies the incoming traffic and filters out the attack packets.

Flow re-injection

The cleaning equipment sends the cleaned traffic back to the core router, which forwards it on to the normal user network;

Hybrid deployment

Some hybrid deployments are also meaningful. For example, inline deployment can be modified so that the cleaning equipment is not connected directly to the user-network switch but sits in a bypass position, still using re-injection to guarantee loop-free connectivity. In this case there is no dedicated traffic detection module analyzing mirrored traffic, but the scheduling system still keeps full policy control over the cleaning equipment. A deployment example is as follows:

As described above, this hybrid scheme is essentially bypass deployment of the cleaning equipment, but in form and effect it is an inline solution (which can be switched to a bypass effect), and it guarantees the core dispatcher absolute control and flexibility over traction and re-injection.

Flow traction and re-injection

The traction and re-injection process is as follows:

Traction

When abnormal traffic that needs cleaning is detected, a traction command is sent to the cleaning device. The cleaning device then announces a BGP route for the attacked address range to the nearest router, with the next hop set to the cleaning device itself and the no-advertise community attached, so the route is not spread across the network.

Because the diversion route is preferred over the normal route (it is typically a more specific prefix, and BGP policy can additionally raise its preference), the next hop for traffic to the attacked addresses becomes the cleaning device.

Besides BGP, policy routing and MPLS can also implement traffic traction.

Re-injection

Like traction, re-injection is implemented through router policy, and the policy must prevent a loop from forming when traffic leaving the cleaning device arrives back at the router, where the diversion route would otherwise send it to the cleaning device again.

Re-injection can generally be done in three ways: policy routing, GRE/MPLS tunnelling, and VLANs.

Policy routing takes precedence over normal routing and can set the next hop at the ingress interface, so traffic arriving from the cleaning device that hits the policy route is forwarded toward the user network rather than back to the cleaning device;

GRE and MPLS can set the destination of an outer header: the re-injected traffic is encapsulated in GRE or MPLS packets and sent back to the core router, which forwards them by the outer address to the target device; the target device decapsulates them and delivers the traffic to the user network, so no loop forms;

Using layer-2 forwarding in a VLAN (the switch locates the port by MAC address, otherwise it floods the frame to all ports in the VLAN), the cleaning device and the target device are placed in the same VLAN, and the re-injected traffic reaches the user network without a layer-3 lookup.
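The traction and re-injection mechanism above as a routing simulation, added here as an example that is not configuration or code from the original article or from any product. A core router holds a longest-prefix-match table; the scrubber injects a /32 for the attacked address with itself as next hop and the no-advertise community, so the /32 is preferred locally but never re-announced. Cleaned traffic sent back raw would match the same /32 and loop; encapsulated in GRE toward the customer-edge router's tunnel address it is forwarded by the outer header and delivered. The topology and addresses are assumptions; the policy-routing and VLAN variants are not modelled.

```python
"""Traffic traction by a more-specific BGP route and loop-free re-injection over
a GRE tunnel, as a routing simulation.

Added example, not configuration from the page; the topology, addresses and the
no-advertise handling are assumptions chosen to illustrate the mechanism.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

VICTIM = "203.0.113.10"
CE_TUNNEL_IP = "10.0.0.2"     # customer-edge router's GRE endpoint (assumed)
Route = Tuple[ipaddress.IPv4Network, str, FrozenSet[str]]


@dataclass
class Packet:
    dst: str
    attack: bool = False
    gre_outer_dst: Optional[str] = None   # set while encapsulated in GRE


class Router:
    """Longest-prefix-match FIB; routes carry BGP communities for the advertise check."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: List[Route] = []

    def add_route(self, prefix: str, next_hop: str,
                  communities: FrozenSet[str] = frozenset()) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop, communities))

    def withdraw(self, prefix: str) -> None:
        net = ipaddress.ip_network(prefix)
        self.routes = [r for r in self.routes if r[0] != net]

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)[1]   # most specific wins

    def advertised(self) -> List[str]:
        """Prefixes this router would pass to its peers; no-advertise routes stay local."""
        return [str(net) for net, _, comm in self.routes if "no-advertise" not in comm]


def build_core() -> Router:
    core = Router("core")
    core.add_route("203.0.113.0/24", "ce")       # the protected customer network
    core.add_route("10.0.0.0/30", "ce")          # link/tunnel endpoint toward the CE router
    core.add_route("0.0.0.0/0", "upstream")
    return core


def divert(core: Router, victim: str) -> None:
    """Traction: the scrubber announces victim/32 with next hop itself and no-advertise."""
    core.add_route(f"{victim}/32", "scrubber", frozenset({"no-advertise"}))


def trace(core: Router, pkt: Packet, reinject: str = "gre", max_hops: int = 8) -> List[str]:
    """Walk a packet from the core router until delivered, dropped or looping."""
    path = ["core"]
    node = "core"
    for _ in range(max_hops):
        if node == "core":
            node = core.lookup(pkt.gre_outer_dst or pkt.dst) or "unroutable"
            path.append(node)
        elif node == "scrubber":
            if pkt.attack:
                path.append("dropped")
                return path
            if reinject == "gre":
                pkt.gre_outer_dst = CE_TUNNEL_IP     # inner packet untouched, outer dst = CE
            node = "core"                            # cleaned traffic goes back to the core
            path.append(node)
        elif node == "ce":
            pkt.gre_outer_dst = None                 # CE decapsulates and delivers locally
            path.append("delivered")
            return path
        else:                                        # upstream or unroutable
            path.append("exit")
            return path
    path.append("loop")
    return path


if __name__ == "__main__":
    core = build_core()
    divert(core, VICTIM)
    print("advertised:", core.advertised())
    print("clean, GRE:", trace(core, Packet(VICTIM)))
    print("clean, raw:", trace(core, Packet(VICTIM), reinject="raw"))
    print("attack:", trace(core, Packet(VICTIM, attack=True)))
```

Withdrawing the /32 when the attack ends returns the victim to the normal /24 path; the test below checks that as well as the loop that raw re-injection produces.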
