Three steps to prevent and control DDOS attacks

Source: Internet
Author: User

1. Status-based resource control prevents resource exhaustion

For a firewall product, resources are very valuable. When the system comes under an external DDOS attack, all of its resources are occupied by the attack stream, and normal data packets are inevitably affected. SmartHammer's status-based resource control automatically monitors the status of every connection in the network. If a connection receives no response for a long time, it remains in a semi-connection (half-open) state and wastes system resources; when the number of semi-connections in the system exceeds the normal range, an attack is likely under way. The SmartHammer firewall's status-based resource control handles such situations effectively:

Control the timeout of connections and semi-connections. If necessary, the semi-connection timeout can be shortened so that semi-connections age out faster.

Limit the maximum number of connections for each protocol, so that the total number of connections for a protocol never exceeds the system limit. Once the limit is reached, new connections are dropped.

Limit the number of connections per source or destination host according to the system's requirements.

Impose stream limits on source or destination IP addresses. Inspect can limit the resources available to each IP address: a user within the resource control range is not affected, but when a user is infected with a worm or sends attack packets, stream resource control caps the number of connections each IP address may initiate, and connections beyond the cap are discarded. This effectively suppresses the effect of virus attacks and keeps other normal users from being affected.

If a "same type" data stream passing through the firewall exceeds the threshold within a unit of time, that type of stream can be blocked. This is effective against non-connection flood attacks such as IP, ICMP, and UDP floods.

2. Intelligent TCP proxy effectively prevents SYN Flood

SYN Flood is the most harmful and the most difficult to defend against of all DDOS attacks. It exploits a defect in the TCP protocol by sending a large number of forged TCP connection requests, so that the victim's resources are exhausted (the CPU is saturated or memory runs out). SmartHammer firewalls use intelligent TCP proxy technology to judge the validity of connections and protect network resources, as shown in.

When the firewall starts working, the TCP proxy is not enabled immediately (to avoid affecting throughput). Normal TCP Intercept starts automatically only when the number of TCP semi-connections in the network reaches the TCP proxy startup threshold configured on the system. When the number of TCP semi-connections exceeds the system's TCP Intercept high threshold, the system enters intrusion mode; in this mode each new connection request overwrites the oldest TCP semi-connection, so the total number of connections on the system increases while the number of semi-connections decreases. When the number of semi-connections drops to the low threshold of intrusion mode, the system leaves intrusion mode. If the attack has stopped by then, the number of semi-connections gradually falls below the TCP proxy startup threshold and the intelligent TCP proxy module stops working. In this way the intelligent TCP proxy prevents SYN Flood attacks effectively and keeps network resources secure.
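The following added example (not code from the page or from SmartHammer) models in Python how the semi-connection aging from step 1 and the three intercept thresholds just described fit together. The timeout and threshold values are constructed for the demo, and the mode names are assumptions.

```python
from collections import OrderedDict

# Constructed thresholds for the demo; the page gives no SmartHammer defaults.
HALF_OPEN_TIMEOUT = 30.0  # seconds an unanswered SYN may stay half-open
PROXY_START = 100         # half-open count at which TCP intercept starts
INTRUSION_HIGH = 500      # half-open count at which intrusion mode starts
INTRUSION_LOW = 300       # half-open count at which intrusion mode ends

class SynGuard:
    """Half-open connection table plus the three-threshold intercept logic."""

    def __init__(self):
        self.half_open = OrderedDict()  # flow key -> SYN time, oldest first
        self.established = set()
        self.mode = "off"               # off / intercept / intrusion

    def _update_mode(self):
        n = len(self.half_open)
        if n < PROXY_START:
            self.mode = "off"
        elif n >= INTRUSION_HIGH:
            self.mode = "intrusion"
        elif self.mode == "intrusion" and n > INTRUSION_LOW:
            pass  # hysteresis: stay in intrusion mode down to the low threshold
        else:
            self.mode = "intercept"

    def age(self, now):
        """Expire half-open entries whose handshake never completed."""
        while self.half_open:
            oldest = next(iter(self.half_open.values()))
            if now - oldest < HALF_OPEN_TIMEOUT:
                break
            self.half_open.popitem(last=False)
        self._update_mode()

    def syn(self, key, now):
        """Register a SYN; returns the mode in force once it has been handled."""
        self.age(now)
        if self.mode == "intrusion" and len(self.half_open) >= INTRUSION_HIGH:
            self.half_open.popitem(last=False)  # new request overwrites the oldest
        self.half_open[key] = now
        self._update_mode()
        return self.mode

    def ack(self, key):
        """Handshake completed: the flow leaves the half-open table."""
        if self.half_open.pop(key, None) is not None:
            self.established.add(key)
        self._update_mode()
```

Feeding 600 spoofed SYNs that are never acknowledged walks the guard from off to intercept to intrusion, and a call to age() after the timeout returns it to off once the attack stops.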

3. Use NETFLOW to monitor DOS attacks and viruses

Network monitoring plays an important role in defending against DDOS attacks. The SmartHammer firewall supports the NetFlow function: it identifies the packets exchanged on the network as streams, encapsulates the stream records in UDP packets, and sends them to an analyzer. This provides a rich data source for network management, traffic analysis and monitoring, and intrusion detection. NetFlow information can be recorded and sent without affecting forwarding performance, and the network security management platform can then analyze and process the received data.

Use NetFlow to monitor network traffic. The firewall can defend against DDOS attacks effectively on its own, but once the attack stream grows beyond a certain level and saturates the bandwidth, normal user access still fails even though the security policy discards the attack packets, because the attack traffic occupies all of the available bandwidth. In this case the network traffic volume is very large, and the SmartHammer firewall can use its built-in NetFlow statistical analysis to find the source of the attack stream and report it to the upstream ISP, which can then redistribute the traffic or route it into a black hole. Enable the NetFlow collection function on the firewall interface and set the address of the NetFlow output server; the Harbour security management platform can then analyze and process the received data. This method can be used to compute the daily top ten traffic sources or the top ten by business traffic, which serves as a baseline. When network traffic deviates from that baseline, NetFlow can be used to find and locate the source of a DDOS attack effectively.

Use NetFlow to monitor worms. Preventing the spread of a worm is important, and only if it is detected as early as possible can measures be taken quickly to stop the virus. Once a worm has infected a system, it actively sends specific packets and scans the relevant ports in order to spread itself. Using this characteristic, a worm query template is created on the security management platform and queried at regular intervals. When matching information is found, the address can be analyzed to determine whether it is infected, and appropriate measures can then be taken.
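To show how the daily top-N traffic baseline and a worm query template can both be derived from exported flow records, here is an added example (not code from the page or from the Harbour platform). The flow records, their field layout, and the "five distinct targets, at most two packets" template threshold are constructed for the demo.

```python
import csv
from collections import Counter, defaultdict
from io import StringIO

# Constructed flow records in a NetFlow-like layout (not captured data):
# src,dst,dst_port,packets,bytes
FLOWS_CSV = """\
192.0.2.10,198.51.100.5,80,120,95000
192.0.2.11,198.51.100.5,443,300,410000
192.0.2.10,198.51.100.9,25,40,12000
192.0.2.23,10.0.0.1,445,1,60
192.0.2.23,10.0.0.2,445,1,60
192.0.2.23,10.0.0.3,445,1,60
192.0.2.23,10.0.0.4,445,1,60
192.0.2.23,10.0.0.5,445,1,60
192.0.2.23,10.0.0.6,445,1,60
192.0.2.11,10.0.0.2,445,25,9000
"""

FIELDS = ["src", "dst", "dport", "packets", "bytes"]

def parse_flows(text):
    """Parse the exported records into dicts with numeric counters."""
    flows = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row.update(dport=int(row["dport"]), packets=int(row["packets"]),
                   bytes=int(row["bytes"]))
        flows.append(row)
    return flows

def top_talkers(flows, n=10):
    """Bytes per source, largest first: the daily top-N traffic baseline."""
    total = Counter()
    for f in flows:
        total[f["src"]] += f["bytes"]
    return total.most_common(n)

def worm_suspects(flows, port, min_targets=5, max_packets=2):
    """Worm query template: a source touching many distinct hosts on one
    port with tiny flows, i.e. scans that never became real sessions."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] == port and f["packets"] <= max_packets:
            targets[f["src"]].add(f["dst"])
    return sorted(s for s, d in targets.items() if len(d) >= min_targets)
```

The legitimate host 192.0.2.11 also talks to port 445 but with a full session, so it is excluded by the packet-count condition while the scanning host 192.0.2.23 is flagged.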

It is worth noting that the firewall's position in the network topology also has a great impact on attack defense. A box firewall is usually placed at the egress of the network. In that position it can defend against external attacks, but once a PC inside the network is infected with a worm, or an attack is launched from the inside through web browsing, sending and receiving email, or downloading, the firewall offers no protection.

The SmartHammer ESP-FW firewall module solves this problem. ESP-FW is a security module for the BigHammer6800 series switches; it inherits the security characteristics of the SmartHammer box firewall, is built into the switch, and defends effectively against attacks from the internal network. Once the firewall module is inserted, the switch can assign the relevant VLANs to the firewall so that they are protected by it. Another major advantage of using a VLAN as the protection object is that it makes network expansion easy: when a new department appears, it can be protected without additional investment, giving flexible network deployment. In this way, when abnormal data streams occur in the internal network, the firewall can restrict forwarding of that data and protect the other VLANs from being affected.
