DDoS attacks degrade the overall service quality of the IP network and damage the carrier's reputation for a high-quality IP service. It is therefore necessary to defend against DoS/DDoS attacks at the metropolitan area network (MAN) and Internet data center (IDC) level of the telecom operator, and to provide users with stable, reliable network service through appropriate security measures.
Threats and Challenges for Carrier Networks
At present the operator's backbone and city-wide MAN networks serve a very large number of broadband users. The network structure is complex, the traffic volume is large, and security incidents caused by DDoS attacks occur from time to time, reducing the overall service quality of the IP network and seriously damaging the high-quality brand image of China Netcom's IP network. It is therefore necessary to defend against DoS/DDoS attacks at the MAN and IDC levels of the telecom operator and to provide stable, reliable network services through security measures.
Distributed Denial of Service (DDoS) attacks are among the most common attacks on telecom carriers at the MAN layer. Attackers send a large volume of malicious or malformed requests to the target, degrading the performance of servers and network devices, interrupting network services, or saturating the bandwidth of network links. At the IDC level, enterprise website hosting is growing, and the distributed HTTP page flood is one of the most common attacks there: many attacking hosts send large numbers of well-formed HTTP requests to the target at the same time, driving up web server load until the web service fails. Because each request is individually a normal HTTP request, this type of attack is currently the hardest web-site threat to defend against.
Figure 1
Damage Caused by DDoS Attacks to Operators
Many types of attack occur on the operator's network, and the attack traffic is huge, so the damage is serious:
Server resource exhaustion: large-scale DDoS attacks such as SYN floods can exhaust the resources of key servers belonging to the operator and its important customers and interrupt critical applications such as DNS and web services, leading to large-scale Internet access failures and application outages. This severely damages the operator's business and reputation and causes large economic losses to the operator and its users.
Bandwidth resource exhaustion: the carrier's backbone bandwidth is abundant, but the access bandwidth of downstream customers is limited. A large-scale DDoS attack can easily fill a customer's access link, so that applications across a wide area become unreachable or the customer loses Internet access altogether.
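The two damage modes above (a SYN flood exhausting a server's connection table, and attack traffic filling a customer's access link) are both visible to a monitoring tap at the MAN or IDC edge. The following Python script is an added example written for this article; it is not Radware's code and not part of the original text. It tracks TCP handshakes in a constructed packet trace, counts half-open connections per server, and measures peak bits per second towards a customer address against an assumed access-link capacity. The packet format, thresholds and the trace itself are all assumptions.

```python
"""SYN flood and access-link saturation detection over a constructed packet trace.

Added example for this article; not Radware's code and not from the original
text. Field names, thresholds and the sample trace are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Packet:
    ts: float     # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str    # TCP flags as letters: "S" = SYN, "SA" = SYN/ACK, "A" = ACK
    length: int   # bytes on the wire


def half_open_by_server(packets: Iterable[Packet]) -> Dict[str, int]:
    """Count half-open (embryonic) TCP connections per server address.

    A client SYN opens a pending entry; the client's ACK that completes the
    handshake closes it. Spoofed SYNs never complete, so under a SYN flood
    the pending set grows while legitimate clients leave it almost at once.
    """
    pending = set()   # (src, sport, dst, dport) with SYN seen, handshake not completed
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            pending.add(key)
        elif p.flags == "A":
            pending.discard(key)
    counts: Dict[str, int] = defaultdict(int)
    for _, _, dst, _ in pending:
        counts[dst] += 1
    return dict(counts)


def flooded_servers(packets: List[Packet], half_open_limit: int = 50) -> Dict[str, int]:
    """Servers whose half-open backlog exceeds half_open_limit (assumed threshold)."""
    return {dst: n for dst, n in half_open_by_server(packets).items() if n > half_open_limit}


def peak_bps(packets: Iterable[Packet], dst: str, window: float = 1.0) -> float:
    """Peak bits per second towards dst, measured over fixed windows of `window` seconds."""
    buckets: Dict[int, int] = defaultdict(int)
    for p in packets:
        if p.dst == dst:
            buckets[int(p.ts // window)] += p.length
    if not buckets:
        return 0.0
    return max(buckets.values()) * 8 / window


def access_link_saturated(packets: List[Packet], dst: str, link_bps: float) -> bool:
    """True when traffic towards dst exceeds the customer's access-link capacity."""
    return peak_bps(packets, dst) > link_bps


def sample_capture() -> List[Packet]:
    """Constructed trace: one legitimate handshake, then 80 spoofed SYNs."""
    server = "203.0.113.5"
    pkts = [
        Packet(0.00, "198.51.100.10", server, 40000, 80, "S", 60),
        Packet(0.01, server, "198.51.100.10", 80, 40000, "SA", 60),
        Packet(0.02, "198.51.100.10", server, 40000, 80, "A", 52),
    ]
    for i in range(80):   # spoofed sources in 192.0.2.0/24, SYN only, never completed
        pkts.append(Packet(0.1 + i * 0.005, f"192.0.2.{i + 1}", server, 1024 + i, 80, "S", 60))
    return pkts


if __name__ == "__main__":
    trace = sample_capture()
    print("half-open backlog:", half_open_by_server(trace))
    print("flooded servers:", flooded_servers(trace))
    print("peak bps to 203.0.113.5:", peak_bps(trace, "203.0.113.5"))
```

Note the practical point the trace makes: each spoofed source appears only once, so per-source rate limiting cannot stop a SYN flood; the backlog count per server is the useful signal, and mitigation has to happen on the path to the server (SYN cookies on the host, or a cleaning device that answers the SYN on the server's behalf). The 50-connection limit is a toy value; a real threshold is derived from the server's own listen backlog.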
How Can These Security Threats Be Addressed?
Several security vendors have released DoS/DDoS defense solutions so that operators can defend against these unavoidable and increasingly serious network threats. By deploying such a solution in the carrier's IP MAN or IDC, the telecom operator can provide network security for enterprise customers at modest cost.
Currently many vendors offer DoS/DDoS defense solutions, each with a different defense mechanism. Most vendors only defend against known DoS attacks and lack measures against the increasingly common "zero-day" attacks and against application-layer attacks. Among current offerings, Radware's DoS/DDoS defense solution performs well; Radware was the first manufacturer in the industry to provide 6 Gbit/s of throughput in a single device. It applies a number of advanced techniques in the DoS/DDoS defense field, in particular behavior-based DoS/DDoS defense against unknown (zero-day) attacks, which automatically learns normal traffic behavior and generates policies and reports from it.
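The behavior-based approach just described, and the HTTP page flood introduced earlier, share one key fact: the attacking requests are well formed, so there is no signature to match. What can be learned is the normal request rate per client. The Python script below is an added example written for this article (not Radware's code and not part of the original text) showing that idea end to end: a baseline is learned from a batch of normal access-log lines, and a later batch is checked for clients whose rate deviates from it. The simplified log format, the 3-sigma rule with a 1 req/s floor, and both batches of log lines are constructed assumptions.

```python
"""Behavior-based HTTP page flood detection with a learned baseline.

Added example for this article; not Radware's code and not from the original
text. The log format, thresholds and sample lines are constructed.
"""
import statistics
from collections import Counter
from typing import Dict, Iterable, List, Tuple


def parse_line(line: str) -> Tuple[int, str, str, str, int]:
    """Assumed simplified access-log line: "<epoch> <client-ip> <method> <path> <status>"."""
    ts, src, method, path, status = line.split()
    return int(ts), src, method, path, int(status)


def per_source_rates(lines: Iterable[str], span_seconds: float) -> Dict[str, float]:
    """Requests per second for each client over a batch spanning span_seconds."""
    counts = Counter(parse_line(line)[1] for line in lines)
    return {src: n / span_seconds for src, n in counts.items()}


class BehaviorBaseline:
    """Learns the normal per-client request rate, then flags outliers."""

    def __init__(self, k: float = 3.0, floor_rps: float = 1.0):
        self.k = k                  # tolerated standard deviations above the learned mean
        self.floor_rps = floor_rps  # assumed minimum threshold so a quiet baseline is not over-sensitive
        self.mean = 0.0
        self.stdev = 0.0

    def learn(self, lines: List[str], span_seconds: float) -> None:
        """Learning phase: record mean and spread of per-client rates in normal traffic."""
        rates = list(per_source_rates(lines, span_seconds).values())
        self.mean = statistics.mean(rates)
        self.stdev = statistics.pstdev(rates)

    def threshold(self) -> float:
        return max(self.mean + self.k * self.stdev, self.floor_rps)

    def detect(self, lines: List[str], span_seconds: float) -> Dict[str, float]:
        """Detection phase: clients whose request rate exceeds the learned threshold."""
        limit = self.threshold()
        return {src: r for src, r in per_source_rates(lines, span_seconds).items() if r > limit}


def normal_traffic(span_seconds: int = 60) -> List[str]:
    """Constructed learning data: 20 clients, one to three page views each in one minute."""
    lines = []
    for i in range(20):
        for j in range(i % 3 + 1):
            lines.append(f"{1_700_000_000 + (i * 3 + j) % span_seconds} 198.51.100.{i + 1} GET /index.html 200")
    return lines


def flood_traffic(span_seconds: int = 60) -> List[str]:
    """Constructed detection data: the normal clients plus 5 hosts each sending
    600 well-formed requests for the same page within the same minute."""
    lines = normal_traffic(span_seconds)
    for a in range(5):
        for n in range(600):
            lines.append(f"{1_700_000_060 + n % span_seconds} 192.0.2.{a + 1} GET /index.html 200")
    return lines


def run_demo() -> Dict[str, float]:
    """Learn from normal traffic, then check the flood batch; returns flagged clients."""
    baseline = BehaviorBaseline()
    baseline.learn(normal_traffic(), span_seconds=60)
    return baseline.detect(flood_traffic(), span_seconds=60)


if __name__ == "__main__":
    for src, rps in sorted(run_demo().items()):
        print(f"{src}: {rps:.1f} req/s above learned threshold")
```

Every flagged request in the flood batch has a 200 status and a normal path, which is why a signature-based device passes them. Two caveats a practitioner should keep in mind: clients behind a shared NAT or proxy look like one hot source, so per-source rates need a whitelist or a per-URL model alongside them, and the learning batch must itself be clean, since an attack present during learning raises the baseline.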
My company's IDC also hosts many enterprise web sites. Since the business was launched, it has often suffered DoS/DDoS, HTTP flood and other malicious traffic attacks, which prevented customers from operating normally and severely affected our daily operations and user satisfaction.
Our company has now introduced the DoS/DDoS defense solution provided by Radware. After a Radware DefensePro 6000 DoS/DDoS defense device was deployed in the IDC of the Tangshan branch, the protection effect has been very good: all subsequent UDP flood, TCP flood and HTTP page flood attacks were intercepted by the Radware DefensePro device.
The DoS/DDoS security solution is also called a DoS/DDoS traffic cleaning (scrubbing) solution. It builds a comprehensive DoS/DDoS traffic cleaning center in the carrier's MAN or IDC that intercepts malicious traffic before it reaches the customer's systems, so that the operator's value-added services are not affected by DDoS attacks and availability is maximized.
The DoS/DDoS defense security solution achieves the following goals:
It helps carrier customers defend effectively against DDoS attacks so as to maximize the continuity of their online services. The solution removes attack traffic and allows only legitimate traffic onto the limited-bandwidth links from the carrier network to the customer network. The carrier offers this protection to enterprise customers as a managed security service. The same defense system can also protect the carrier's own IDCs, shielding hosted customers' web and other e-commerce applications from DDoS attacks.
It ensures that network resources in the carrier's network (such as routers and the DNS, SMTP/email and WWW servers) remain secure and unaffected by DDoS attacks.
It gives the operator's value-added service department a new security service concept: protection policies can be applied according to each customer's required security level, creating room for value-added services.
DoS/DDoS Defense Deployment Design
Figure 2
Deploy two DoS/DDoS defense devices out of path (bypass mode) on the two MAN core routers, each connected to its core router by a 10G link; together the two devices form the "MAN security protection/DDoS cleaning center". Routing policy on the core routers steers the traffic of protected network segments to the cleaning center, which filters out DDoS attack traffic and returns normal access traffic to its destination. This deployment addresses the different security problems of the MAN comprehensively. In short, the approach is "clean the attack traffic, let normal traffic through": security risks in the MAN and IDC are filtered out by a combination of technical means so that the MAN stays secure.

Carrier DDoS Security Defense Mode
Figure 3
The goal of the DoS/DDoS security defense solution is to help telecom operators remove the hidden security dangers at the MAN and IDC layers and to give operators a new revenue-generating security service model. Telecom operators can offer this deployment to their enterprise customers as a service. The following sections discuss the service modes through which the solution defends against DoS/DDoS attacks.
1. Network service hosting mode: In this service mode, the solution lets telecom operators protect enterprise customers' networks from DDoS attacks originating on the Internet. Such attacks not only affect the enterprise's internal application systems but can also completely fill the link between the telecom operator and the customer network with attack traffic. For financial and e-commerce customers in particular, such attacks can mean loss of customers, reputation and money.
If DDoS attacks can be detected as early as possible and blocked as far upstream as possible, their impact can be effectively eliminated. In general, telecom operators can use the solution to offer enterprise customers anti-DDoS protection at two service levels (as shown in the figure).
Exclusive service: we define such customers as gold customers. This premium service suits customers whose business depends on continuous availability, such as e-commerce sites and online bookstores. The solution activates a dedicated cleaning channel for these customers, that is, all traffic arriving from upstream for the enterprise is cleaned through an exclusive channel. This gives the customer's equipment the promised traffic cleaning capacity, automatic policy learning and customization, and optional on-demand enabling of DDoS detection and cleaning.
No service (no SLA): customers who have not purchased the security service do not receive traffic cleaning. Traffic from upstream for such customers reaches the customer network over the carrier's normal route.
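The deployment design and the two service levels above amount to a per-prefix policy on the core router plus per-customer accounting inside the cleaning center. The Python simulation below is an added example written for this article (not Radware's code, not a router configuration, and not part of the original text). It performs a longest-prefix lookup of each flow's destination against an assumed customer table, diverts only gold prefixes to the cleaning channel, applies a simple assumed cleaning rule (any single source above a per-source rate is dropped), and reports whether the diverted volume exceeds the customer's promised cleaning capacity. Customer names, prefixes, limits and flows are all constructed.

```python
"""Simulation of the carrier's two DDoS cleaning service levels.

Added example for this article; not Radware's code and not from the original
text. Customer table, cleaning rule, capacities and flows are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Customer:
    name: str
    prefix: ipaddress.IPv4Network
    level: str                     # "gold" (exclusive cleaning channel) or "none" (no SLA)
    cleaning_capacity_mbps: float  # promised capacity of the exclusive channel


@dataclass
class Flow:
    src: str
    dst: str
    mbps: float


@dataclass
class Report:
    route: str                     # "cleaning-channel" or "normal-route"
    passed_mbps: float = 0.0
    dropped_mbps: float = 0.0
    channel_saturated: bool = False


# Assumed customer table using documentation prefixes, not real customers
CUSTOMERS = [
    Customer("shop-example", ipaddress.ip_network("203.0.113.0/24"), "gold", 500.0),
    Customer("blog-example", ipaddress.ip_network("198.51.100.0/24"), "none", 0.0),
]


def lookup_customer(dst: str) -> Optional[Customer]:
    """Longest-prefix match of a destination address against the customer table."""
    addr = ipaddress.ip_address(dst)
    matches = [c for c in CUSTOMERS if addr in c.prefix]
    return max(matches, key=lambda c: c.prefix.prefixlen) if matches else None


def divert_to_cleaning(cust: Optional[Customer]) -> bool:
    """Core-router routing policy: only gold prefixes are steered via the cleaning center."""
    return cust is not None and cust.level == "gold"


def clean(flows: List[Flow], per_source_limit_mbps: float = 20.0) -> Dict[str, Report]:
    """Run flows through the routing policy and cleaning rule; return a per-customer report.

    Assumed cleaning rule: a single source sending more than per_source_limit_mbps
    towards a gold customer is treated as attack traffic and dropped. The channel is
    marked saturated when the total diverted traffic exceeds the promised capacity,
    which is the moment the carrier's SLA promise is no longer being met.
    """
    diverted_total: Dict[str, float] = defaultdict(float)
    reports: Dict[str, Report] = {}
    for f in flows:
        cust = lookup_customer(f.dst)
        if cust is None:
            continue                          # not a customer prefix; out of scope here
        if not divert_to_cleaning(cust):
            rep = reports.setdefault(cust.name, Report("normal-route"))
            rep.passed_mbps += f.mbps         # no SLA: forwarded over the normal route untouched
            continue
        rep = reports.setdefault(cust.name, Report("cleaning-channel"))
        diverted_total[cust.name] += f.mbps
        if f.mbps > per_source_limit_mbps:
            rep.dropped_mbps += f.mbps
        else:
            rep.passed_mbps += f.mbps
        rep.channel_saturated = diverted_total[cust.name] > cust.cleaning_capacity_mbps
    return reports


def sample_flows() -> List[Flow]:
    """Constructed flows: 50 legitimate 1 Mbps flows and 10 attack flows of 60 Mbps to the
    gold customer, plus 3 flows of 10 Mbps to the customer without an SLA."""
    flows = [Flow(f"172.16.0.{i + 1}", "203.0.113.10", 1.0) for i in range(50)]
    flows += [Flow(f"192.0.2.{i + 1}", "203.0.113.10", 60.0) for i in range(10)]
    flows += [Flow(f"172.16.1.{i + 1}", "198.51.100.7", 10.0) for i in range(3)]
    return flows


if __name__ == "__main__":
    for name, rep in clean(sample_flows()).items():
        print(name, rep)
```

In the sample run the gold customer's channel passes 50 Mbps, drops 600 Mbps and is reported saturated because 650 Mbps were diverted against a 500 Mbps promise; that report is what the operator would use to size the exclusive channel. The no-SLA customer's 30 Mbps is never inspected, which is precisely the difference between the two service levels. A real deployment makes the diversion with routing on the core router rather than in software, and the per-source rule here stands in for the device's learned policies.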