Some considerations and testing methods of DDoS security products under Internet cloud Ecology (i)

Introduction to DDoS Attacks

The three elements of security--"confidentiality," "integrity," and "availability," DOS (denial of service denial of services attacks) target the "availability" of the service. This attack method exploits the Network service function flaw of the target system or consumes the system resources directly (mainly network resources), which makes the target system unable to provide the normal service.

DDoS attacks (distributed denial of service distributed denial of service) means that an attacker manipulates multiple clients (known as broiler or puppet machines) and unites them to launch DDoS attacks against one or more targets (at the same time or in a certain policy attack) to increase the effectiveness of denial-of-service attacks.

In a sense, there is no "usability", What about "confidentiality" and "integrity"? Network services that lack DDoS defenses are at risk of "disappearing" from the network at all times. DDoS attacks are one of the strongest and most difficult attacks of all time, compared to purely technical attacks, where DDoS attacks are more like rogue or bandit behavior, known as rogue martial Arts.

Principle of DDoS attack and principle of common method attack

Most of the data in the network is transmitted using TCP/IP protocol (including other such as UDP, etc.), these packets must adhere to strict protocol standards, usually the package that satisfies these protocols is normal data for the target service and network equipment, especially the data containing the business logic, these are harmless , like the station inspector, if the passenger's ticket is legally identifiable and the ticket passengers are normal passengers, the check-in process is smooth and safe, and if the passenger's ticket is not lawful or is not lawful, or 10 passengers have 9 platform ticket (or even unauthorized), It is obvious that most of the inspector's energy is spent on the identification of illegal tickets or irregular passengers, thus affecting the normal passenger ticket flow, and if a large number of illegal passengers stranded on the train, will also cause normal passengers can not access the train. Ingress and service resources are the most vulnerable and targeted targets.

Similar to a ticket inspector's workflow: 1. When there are too many abnormal packets (garbage packets), it can cause overload of network equipment or server, 2. The use of some defects in the data packet or protocol, artificial creation of some incomplete malformed package, will also cause the network equipment Live server can not handle normally, resulting in a denial of service; 3. Although the packet is normal, but does not conform to the normal business logic of the target service, the mass transfer of this package can also cause a denial of service.

In general, there are two ways to view DDoS attacks:

1. Win by volume: This DDoS initiates a massive amount of data attacks, including a large number of attacks on normal packets and exception packs, causing the network devices and broadband loads to be too high, resources exhausted, and blocking the IDC portal; Because this attack is mostly in the upper layer protocol, closer to the business itself, the attack does not have strict boundaries to defend this " traffic type "DDoS makes ISP and ICP face great challenges; typical attacks such as UDP Flood;
2. Winding streets: Compared to this kind of attack is more dexterous, is a technical attack, often using a protocol server or some kind of software defects, only through a few packages can continue to occupy limited resources, so that the gorgeous target service can not handle the normal data, from the Internet temporarily disappear; this " resource-based "Attack in the famous such as slow connection attack Slowloris;

However, the actual network environment rarely has a single type of attack, mixed attack, and the combination of normal traffic and abnormal traffic, is the mainstream way of the current attack;

DDoS attacks are commonly used as follows:

Attackers often get a large number of chickens (dummy machines) from various corners of the internet and operate them through a controller to launch hybrid attacks against target services, such as SYN flood or DNS query flood, and even direct traffic from other sites to the target server. The so-called however persuasive outsmart, for a variety of DDoS attacks, there is no defense in the industry to protect the business while defending all types of DDoS attacks, more of the situation is to do a compromise between the two.

But the core purpose of DDoS is never to change, that is, "Unlimited misuse of limited resources", including direct abuse and indirect abuse, has achieved the purpose of destroying "usability".

Defense base common attack and Protection SYN Flood

SYN Flood is the most classic DDoS attack, it leverages the TCP/IP protocol three handshake design flaws, with small broad, has been active for decades, even now, SYN flood on the internet is already rampant. The reason that Syn flood is so powerful is that it is aimed at the flaw of the TCP/IP protocol, which is the foundation of this huge internet, which is almost impossible to repair or reconstruct.

Attack principle

The three-time handshake process is as follows:

1. The client sends a synchronous SYN packet to the server, containing the client port number and the initial ordinal x;
2. After the server receives the client package, it sends the SYN+ACK message to the client, including the confirmation number x+1 and the ACK initial ordinal number y;
3. The client sends an ACK message to the server, which contains the confirmation number y+1 and the ordinal x+1;

Three-time handshake in order to ensure the reliability of the TCP connection, some exception handling was done during the third handshake, including:

1. Do three times to retry, waiting for the client IP response; About 30s~120s traversal a wait list, such as the client IP response is still not received to abandon the connection;
2. The second handshake, when the server issued Syn+ack will reserve certain resources to store this information, for the third handshake to prepare;

If the connection is forged, the server allocates resources and time to wait for the third handshake to ensure the connection is reliable; When a large number of such forged requests are initiated, the server requires a large amount of resources to handle the three-time handshake, and the third handshake retries. The result is that there is no resource to handle the normal request connection, and the wait queue is filled with this malicious packet, which prevents the normal connection request from being processed, resulting in a denial of service.

Defensive means

The method of defending SYN Flood, the idea of the production is to make up for three times handshake flaw, on the one hand reduces the server resource pressure, on the other hand is to increase the waiting queue, there is to reduce the number of retries.

Sync ookies can relieve server resource pressure by not saving state information to wait for client confirmation, but instead of random number based on time seed as syn initial ordinal y When the third handshake is received through the cookie check algorithm to determine whether and outgoing Syn+ack serial number matching, the final three times to complete the handshake;

The Net.ipv4.tcp_max_syn_backlog parameter (/etc/sysctl.conf, kernel parameter) allows the server's memory to be exchanged for a longer waiting queue, making the attack unable to fill the waiting queue easily and generate a denial of service;

Net.ipv4.tcp_synack_retries reduces the number of Syn+ack retries for the second handshake of the server and does not consume resources for a long time;

Raising the Protocol's own resistance of course requires additional resources from the server, so the actual situation is how to deal with, also need to consider server configuration performance and server business compromise.

In addition to improving the protocol's own capabilities, the defensive SYN flood can also be identified from abnormal behavior, such as the first packet discard and black-and-white list of ideas;

The first packet discarded the idea is to discard the client's first message, waiting for the client's SYN retransmission message, has the retransmission behavior of the IP is added to the whitelist, no retransmission behavior of the connection is considered an attack behavior, the process is:

The scheme of packet-drop retry has a significant defensive effect on SYN Flood, however, this scheme is not suitable for processing on server-it negatively affects the business processing, such as the increase of the impact time, and the idea is to separate the process of the first packet discard from the business process, and use the specialized equipment to deal with--almost all of the network cleaning equipment has this function, packet loss retry on this cleaning device has a more optimized scheme, generally put this on other devices to handle the first packet discard scheme is called TCP Proxy.

However, in fact, the first packet discard is only a narrow TCP proxy function, almost all the business itself from the processing, can be placed on the TCP proxy side, such as the above mentioned SYN cookie and the first packet drops in combination, on the cleaning device simulation Server three handshake verification, Maintains its black-and-white list and eventually forwards the server's business data. Sophisticated cleaning devices can identify more anomalies and malformations of TCP packets, and even identify client attacks and malicious behavior through simulated responses, and cleanse and filter these traffic.

DNS Query Flood Attack principle

DNS Query Flood can be seen as an upgraded version of UDP flood. UDP flood is a "traffic-type" Dos attack, the most common case is the use of a large number of UDP packets to the backbone network and network equipment attack. The difficulty in defending against UDP flood is that it has no connection status and a variety of protocols , but the IP that provides UDP service is very few, filtering the forged IP is relatively easy, the pure UDP traffic attack slowly also becomes less, And most network transmissions are not UDP. But streaming services and DNS, these upd-based services, are still the focus of UDP flood attacks.

The biggest difference between query flood and UDP flood is that the query flood is an application layer attack and UDP flood is a protocol layer attack. The higher the protocol level, and the greater the business relevancy, the harder it is to defend. Query flood actually executes the real query, a kind of business behavior, but if more than one broiler at the same time to initiate such a massive domain name query request, to the server can not give the normal query request returned results, also led to a denial of service. Query flood in order to increase the randomness of the attack, not only need the same as UDP flood in the protocol layer to forge IP and port, more need to forge parameters and domain names in the application layer. The purpose of randomness is to bypass the filtering and caching of DNS servers.

Defensive means

The defense of Query flood can be considered from the following three levels:

1. Black and white list

To authorize the domain name, take the principle of least privilege, non-whitelist domain names are discarded in order to improve processing performance;

1. Forcing TCP to re-send

Similar to the first packet discard method, the first DNS message is discarded directly, forcing the client to take the TCP method of domain name query;

1. Cache

Increase the DNS cache and domain name request hit rate to avoid excessive performance consumption;

Slowloris Attack principle

This is an attack that runs counter to most attacks, is known to be slow, is difficult to detect in some time, it exploits some of the features of Web server to attack, and this historic attack now seems to work in some cases.

Slowloris attacks the concurrency limit of the Web server container, regardless of the web container, there is an upper limit on the number of concurrent connections, and after reaching this maximum number of connections, Web server cannot accept new requests, namely:

When the Web server receives a new HTTP request, it opens a new connection processing request, closes the connection after processing is completed, and if the connection is processing the connection status, the new HTTP needs to open a new connection for processing, and if all connections remain connected, the Web Server processes any new requests to the service.

Slowloris uses the HTTP feature to do this: because the HTTP request identifies the end of the headers with \r\n\r\n, if the Web server receives only \ r \ n, the HTTP headers part is not ended and the connection is not held. Wait for the next content. In a real attack, the connections in HTTP headers is typically set to keep-alive so that the Web server keeps the TCP connection open, and then intermittently sends some key-value pairs to the Web server, will be able to keep the connection continues to open. Of course, you can also set Content-length to very large, then staged post data to Web server, which is HTTP post DDOS.

Such a connection can easily be created through multithreading or broiler, without the need for large amounts of traffic, and will soon be able to reach the upper limit of Web server connections and no longer process new HTTP requests.

Defensive means

Defensive slowloris also need to be considered from the root cause of the Slowloris: 1. TCP connection Time 2. The transmission time of the HTTP headers is 3. The number of messages per TCP connection, so the Slowloris defense method is as follows:

1. Control and statistics the duration of TCP connections, and pull long-connected TCP requests into the blacklist;
2. Set the maximum transmission time of the HTTP headers, and then disconnect and pull into the black hole list;
3. Statistics of the number of messages per TCP connection time, too few messages are not normal;

HTTP Flood (CC) Attack principle

The HTTP flood attack is the most troubling compared to several typical DDoS attacks, because none of the Anti-ddos products currently have a line and effective defense-this is because the HTTP flood is not a network-layer attack, but an application-level attack. It had another name louder, CC (Challenge Collapsar), a provocative term that challenged a DDoS defense device called Collapsar (black Hole) at the time of the Green Union.

Network layer attacks have significant characteristics, but the application layer of attack, fully simulating user requests, similar to various search engines and crawlers, these attacks and normal business does not have strict boundaries, difficult to discern. CC is similar in principle.

The performance of Web services is affected by related resources, and direct resources include Cpu,mem,disk and net (4 metrics of performance testing), which are affected by the database query, network bandwidth, file size, memory allocation and algorithms and other hardware and software conditions.

Some resources consume a large number of transactions and pages, such as if the Web application involves paging and sub-table, it is obvious that control page parameters too large, frequent paging will occupy more Web server resources, especially in high concurrency frequent calls, such transactions, like such a transaction, the earliest CC attack the earliest target. Since the attacks are mostly mixed and doped in normal business, frequent operations with simulated user behavior can be thought of as CC attacks (which consume serious resources and need to be guessed and judged). In general, however, the application layer of CC is characterized by the blurring of the boundary of the business application. For example, a variety of brush ticket software access to 12306, to some extent, the CC attack, another site or store to do activities and propaganda, resulting in a sudden excessive traffic access to a day of sudden access, if the Web server can not support such a high level of traffic, is also a class of CC behavior.

Because the CC attack is aimed at the backend business of the Web application, in addition to causing the denial of service , it also directly affects the functionality and performance of the Web application , such as affecting the web impact time, affecting the database services, Affects disk reads and writes, which can lead to functional and performance anomalies.

In addition, CC attacks are easier to initiate than the previously mentioned DDoS attacks. Because it originated traffic is normal traffic, it is difficult to identify, so many times do not need a large number of broilers; There are rich HTTP proxies on the Internet that can use these HTTP proxies to launch HTTP attacks directly to the target, or even invade a large traffic site. The traffic to this site is then forwarded to the target location.

Defensive means

Although there is no effective defense against CC, some methods have a certain defensive effect on CC attacks.

Limit Access Frequency : The client can be located by IP and cookie, and determine the frequency of access over a period of time, if too frequent, can be temporarily added to the blacklist, or directly return to the error page, the frequency of access logic can also be placed on the cleaning equipment, Add a blacklist directly to clients that are too frequently accessed. This method is simple, but there are two points below: 1. Unable to determine the attack from the proxy server 2. Manslaughter normal access.

CDN Cache : Cache can be used to mitigate the role of CC, for most requests can be directly returned using the results in the cache, single-server applications, Internet services are also applicable; For large-scale Internet architectures, there are usually CDN nodes to cache content.

Man-Machine recognition : The most commonly used human-machine recognition is the verification code, its fundamental purpose is to intercept the automatic replay request, but the verification code in the interception of automatic requests also affect the user experience, in addition if the verification code is not enough "random", through the rainbow table or can be bypassed , Judge User-agent is also a method, but user-agent can also be modified, encounter this kind of automatic request will be invalidated; Using client parsing JS (or Flash) is also a way of judging: The simulated request cannot parse JS like the client (browser), send a JS To the client, normal jumps are processed and added to the whitelist.

Web containers : The Web container itself also provides some defensive capabilities that can be compromised by configuration parameters, such as parameters such as Timeout,maxclients,alivetimtout.

DDoS attack characteristics and defensive measures of Internet cloud ecology

The development of the Internet, so that more and more people enjoy the convenience of network technology, and because of this, the Internet is facing increasingly serious security problems, however persuasive outsmart, defense methods need to constantly research and improve to deal with the pattern of attack means.

The rapidly rising cloud ecosystem of recent years, of course, also needs to address a variety of security attacks. Like the complexity of cloud ecology, DDoS attacks are no longer purely a single DDoS attack.

Features move and move all over the body

The supplier network, backbone, IDC portal, cluster, CDN, load balancer, host, service and many other points are deployed together to support a huge cloud ecosystem.

In this multi-layered and complex network environment, any problem can have an impact on the business, and even some attacks are no longer based on a single level, but are based on vulnerabilities or flaws in multiple levels of composition. So long-link systems broaden the target range of DDoS attacks, and as more and more components and services migrate to the cloud, any component can lead to business line failure.

In addition, because the business of different users is located on the same physical machine, any user's business is attacked, may affect other users ' business.

Hybrid attack

Just so-called no new elements, only new combinations . Advanced attacks will be based on the target's attack range and environment, the multi-level multi-method combination. This mix of attacks includes deception, specificity, and obfuscation, among others.

spoofing : such as SYN flood attacks can be added to the verification of the Syn+ack message, in order to confuse the cleaning device SYN cookie detection, enhance the attack effect and cleaning equipment pressure. Such a deceptive mix, often need to set up a network of other cleaning and judgment strategies have a certain understanding of the fight is offensive and defensive warfare, any strategy leaked or guessed, will bring serious consequences.

targeted : The Internet's hybrid attacks are relatively strong, such as the CC attack no longer simulates the user browser operation request, and directly simulate the call of the Web API, this invocation of the normal business is also automatic, add this business in CC, so that the attack and normal business boundaries more ambiguous, Cleaning equipment is more difficult to filter.

obfuscation : The simplest hybrid attack is a direct mix of several DDoS attacks, such as Syn Flood, where Slowloris and CC are mixed together to attack, which increases the pressure on the cleaning device and, if the service is compromised, Workers need to spend time judging what kind of attack is causing it.

Application Layer Attack

As more and more component Services and applications migrate to the cloud in a complex and large network environment, the top-level applications are the targets of various DDoS attacks, and the challenge of dealing with DDoS in a cloud environment is to use most of the devices and environments below the application layer to defend against the application-focused attacks. The relationship between infrastructure and applications is support and protection and cannot be directly controlled by applications. How to defend the application layer DDoS attack is the biggest problem of DDoS defense under the current cloud ecosystem.

Selection of Broiler

Cloud environment not only provides flexible computing, CDN, storage and other services, but also provides a virtual host, VIP and unobstructed bandwidth, this environment for small and medium-sized companies to provide a better entrepreneurial environment, but also for hackers to provide resources.

For example, in the domestic special occupation-ox, the annual Spring Festival ticket purchase peak, their demand will follow. They are one of the customers of cloud services-buy a large number of hosts on time and broadband, deploy their own mirrors directly, and then start using these hosts to swipe tickets, with hundreds of hosts almost seconds in a cloud environment. The length of the host purchase (such as 1 hours) is enough for the ox to brush the train ticket, the cost is very low for the ox.

However, for 12306来 said this is undoubtedly a nightmare, although it is normal business access, in a sense is an attack, and directly hit the core business-not only normal users can not login and operation, and even tickets are sold out, ticket purchase site also mixed what?

The same reason, if the ox is really a hacker it? What if these hosts were not purchased but invaded? These hosts have also become a good puppet machine, providing the convenience of hackers.

Non-technical strategy

Entrepreneurial companies in the cloud are painful, on the one hand, attacked by hackers and peers, while also paying to buy a variety of cloud services and security services. At the same time, it is also necessary to justify the efforts of colleagues in the Security defense product line, and the security system often needs to devote more manpower to maintain than other applications.

The security defense is not so much a technical system as a man-made operation system. Because the security defense itself is a semi-automatic system, seemingly tall security products, in fact, all the back end of the accumulation of various attack and defense warfare. DDoS defense also can not be separated from the various departments of emergency and processing, such as operation, operations, development, testing, customer service, network workers, and so on, normal operation and network workers also need to keep the phone unblocked and network available, and even when the roadside walk suddenly need to open the computer to manually handle an attack event.

So choosing the timing of the attack is also a factor in the success or failure of the attack. Personnel working hours are morning and evening, the application of business processing day and night are different, the network congestion is also different. Prior to working in an Internet company, when the group was built, it was forbidden to post activities related to Weibo, because competitors would make their own arrangements when the group was built, such as releasing new versions and attacking.

Safe attack and defense, is a continuous process, but also an absolute result-oriented; For an attacker, it is not important to use which technology and vulnerability, the outcome of the attack is important, and any elements that affect the results need to be considered.

Defense strategy

DDoS protection for the internet and the cloud is still a challenge, because the goal of defense is no longer an application or service, but an ecosystem.

Defense in Depth

Defense-in-depth is a principle of white hat, and the cloud-ecological DDoS defense also applies. Each level must have its own security protection, independent of other levels of protection, and has its own alarm and tracking.

According to the planning of different levels of security defense, we can build the whole defense system from the whole. Different levels have different levels of characteristics, the implementation of security measures are different, mutual cooperation to ensure the overall safety; In addition, some attacks require targeted defenses at certain levels, such as SYN Flood and slowloris, which can be placed in a cleaning device, and firewalls can be used as a defense against the network's underlying defenses. , host security is responsible for the application security of the cloud host, the internal firewall in the host is controlled as a puppet machine to cut off and controller connection, and the SLB and CDN layer also need a certain cleaning and filtering.

Minimize deployment

As the cloud ecosystem matures, the demand for cloud services is increasing, including horizontal and vertical scaling, such as scaling up and minimizing environmental deployments.

Here, the expansion refers to the server to reach the ceiling or new features special needs to expand the new service cluster, minimized deployment refers to the cloud ecosystem all or part of the scale of the deployment of a local area network, such as the current cloud manufacturers are pushing the private cloud.

Cloud product Security Defense, belongs to the cloud Ecosystem default attribute, the cloud environment to expand or minimize the deployment, but also requires the security defense to have this "minimal Deployment" portability: On the one hand, virtual & physical security devices can be deployed anywhere on the network, on the other hand, The entire security defense system can move with the cloud and replicate to any deployment cloud.

Size of engine

The engine mentioned here refers to WAF,IPS,IDS,DLP. The Internet cloud ecosystem requires these engines to be more powerful and provides engine services for nodes at all levels.

On the one hand, the engine to ensure the minimum granularity of visibility, can be easily deployed on other levels or directly to provide services, on the other hand, the internal cloud ecosystem to defend the level of security and attack issues.

Ensuring minimal visibility of engine granularity is a must for an excellent cloud environment.

Business Integration Security

As mentioned earlier, the application layer DDoS attacks directly bring the business layer impact, and the cloud ecosystem is facing the business security is not only a DDoS attack brought, also contains other technical attacks (injection, fishing, brute force, etc.) and business attacks (fraud, etc.), so in the framework of security defense system, Business security itself has to be integrated into the system.

Business security encompasses a wide range of areas, more network structure, different business to their own security requirements are different, so the integration of business security, more in the form of services to provide external.

Service of

Similar to the business integration security, the security defense system of the cloud system needs to be gradually serviced and exported externally.

First of all, different users of the business, the security of the business needs are also different-the game industry to the protection of DDoS attacks more than ordinary Web site business, so in the defense of the strength of users need to choose;

On the other hand, some users are not satisfied with the default security engine and device provided by the cloud service and want to be able to select other engines and devices.

Based on these considerations, the cloud ecosystem provides a variety of services, but also the security services, and provide external services, such as interface or related page operation.

Architecture

In addition to the overall strategy of the defense system needs to be considered, some of the security technology outside the framework of processing can also be combined with defense, the cloud ecosystem is a whole, by the various layers of cooperation; cloud security is also a whole, requiring the coordination of each layer. While enjoying the protection of security defense system, to cooperate with the construction of security system, it is the architecture need of every layer in cloud system.

Backup | cache | Cdn

Large Internet services, with backup and caching services that support the business, play an important role in security defense: Backups can speed up post-alarm processing and reduce losses, and caching is a mitigating factor for DDoS attacks. Because of this, the number of CDN nodes in some way can measure the DDoS defense capability of a system.

In addition to the number of CDN nodes, the VIP allocation of each node needs to be handled according to the actual attack situation, such as a certain number of VIPs, can be based on the severity of the attack on the CDN node and the frequency of VIP attack to do the VIP redistribution, Priority is given to which CDN nodes to assign which VIP, the resulting DDoS defense capability is different.

In addition, the results of dynamic polling and hash will not be the same for distributed CDN, when it is diverted to different nodes by a large traffic attack.

Load Balancing

Load Balancing Service, in addition to providing load balancing and VIP, can also provide load balance level monitoring data, such as traffic correlation : bps, pps, QPS, etc. connection : VIP, TCP and other connected Newconns, Concurconns; Business related : Business processing volume, failure handling, etc.

Although the large-scale Internet service system will have a special system to do the traffic analysis after the light, but these analysis is universal, and can not do a certain layer of exclusive analysis, in addition, business-related analysis can only be done by each layer of its own specific processing.

Means

In addition to the strategic and architectural considerations, some common security principles and techniques are often used in the cloud security defense system, and this is only a brief introduction.

Minimum permissions

The principle of least privilege is one of the basic principles of security, which requires that only the necessary permissions be granted, and that unnecessary permissions cannot be authorized. In a cloud environment, each tier needs to comb the business requirements and permissions of the layer, ensuring that other levels are invoked with minimal permissions, and that other permissions operate with an untrusted attitude.

Black and white list

The black and white list is also one of the basic principles of security, relative to the "least privilege" in a variety of permissions on the trust, black-and-white list of trust based on the absolute mutual exclusion, non-white is black or black or white. Many times the security of the defense process, is the process of conditional judgment , the process of black and white list plays an absolutely important role.

But in this multi-layered defense environment of cloud ecology, the use of black and white lists also requires some attention:

1. If the black and white list is dynamic, then try to ensure that the black and white list is a single logical maintenance;
2. Black and white lists do not share use, each layer uses its own black and white list;

Because different business and hierarchical relationships focus on their different policies and rules, layered use of black-and-white lists not only benefits maintenance, but also reduces the generation of failures.

Frequency of Access

Previously mentioned in CC's defense using a cleaning device to locate clients using IP and cookies to calculate access frequency, but for the application layer access frequency is not absolute, so it is prone to manslaughter situation.

One approach is to determine the frequency of access to the various layers of processing, the results of such judgments are more targeted, and the respective judgment algorithm is not the same, the effect will be better.

At present, a mature practice is to monitor the frequency of access in the bypass, when the access connection exceeds the predetermined threshold, the switching cleaning equipment to the main road flow to do cleaning operations, and ultimately through the results of the cleaning decision next operation.

Human machine recognition

In CC, it is mentioned that human-machine recognition and typical human-machine recognition, that is, the verification code, the fundamental purpose of human-machine recognition is to determine whether the request is re-sent by the machine, but the process of identification is also facing problems.

The shortcomings of the verification code mentioned before, affecting the user experience, and not enough random cases of the verification code can also be bypassed, in the user experience and identification process, it is difficult to achieve a compromise.

Previously participated in a brush ticket software development, experienced a variety of 12306 verification code changes, the final 12306 or not a good solution through the verification code to filter out all the ticket submission operation-sometimes automated image recognition ability than the human eye, then obviously the verification code in this case did not achieve the original design.

The blurred boundaries faced by human-machine recognition are clearly more than these, such as those mentioned previously in the WEBAPI call. The invocation of these interfaces, which is originally initiated by the program, is an attack if the program keeps looping calls.

Whether the verification code, or more complex access frequency calculation, or other human-computer recognition method, want to improve the accuracy of recognition needs more complex calculation; however, no matter how good the algorithm, do flow analysis, can not guarantee the speed and accuracy of the win. With the development of machine learning and off-line data processing, it is believed that there will be better solutions for human-machine recognition.

Communication and collaboration

Previously mentioned, DDoS defense is always a defensive battle, in the semi-automatic accumulation process, want to have better defense effect, need good monitoring, organization and process to support. Seemingly simple attack processing, are in the process of the accumulation and cooperation of colleagues.

Some considerations and testing methods of DDoS security products under Internet cloud Ecology (i)