How to defend against DDoS attacks on data centers?

Arbor NX Company's http://www.aliyun.com/zixun/aggregation/16480.html ">darren anstee details the increasingly serious distributed denial of service (DDoS) threat, It is also recommended how data center managers proceed to build a multi-level defense solution to address DDoS threats.

The firewall is losing its effect. This is the conclusion of a recent survey by NSS Labs, an independent security testing agency. The survey found that six of the firewall products in the acceptance of stability testing, three failed to play the normal effect. These firewalls are tested to include industry giants ' products.

Because firewalls have always been a well-established basis for securing borders, these test results are particularly shocking for managers in data centers: the threat they face in service availability is more severe and pervasive than ever before.

For example, Arbor NX's sixth annual Global Infrastructure Security report shows that 2010, capacity depletion attacks and application layer distributed denial of service (DDoS) attacks originating from botnets remain the most significant threats to network operators in the future.

Increasingly serious DDoS threats

DDoS attacks can be grouped into three categories: capacity depletion attacks (volumetric attack), which attempt to deplete the forwarding or link capacity, and state table exhaustion attacks (state-exhaustion attacks) that attempt to deplete the State table in the infrastructure and servers; and application-level attacks, which attempt to deplete the application-tier resources. In all of these attacks, attackers attempt to prevent real users from accessing a particular network, service, and application.

Although DDoS attacks have been around for more than a decade, DDoS has not caught the attention of mainstream media until December 2010, when they destroyed the WikiLeaks website. Subsequently, people sympathetic to the WikiLeaks website launched a counterattack against a number of targets including Wansdaka (Mastercard), PayPal, Visa and other reputable institutions.

The Global Infrastructure Safety Report, released earlier this year by Arbor NX, showed that DDoS attacks, which depleted resource capacity, first breached the 100Gbps mark in 2010. In short, DDoS attacks consume a lot more resources. The report also disclosed, perhaps more worryingly, the increasing frequency and sophistication of application-level DDoS attacks against data centers, as well as the increasing impact on data center operations.

How does this attack affect the data center?

The report disclosed the findings of Internet Data Center (IDC) operators who claimed that application-level DDoS attacks resulted in prolonged outage, increased operating expenses (OPEX), customer churn, and loss of revenue. Most of the objects surveyed by the Global Infrastructure Safety Report (77%) discovered application-level attacks, while nearly half (49%) experienced a firewall or intrusion prevention system (IPS) failure due to DDoS attacks.

Although IPs, firewalls, and other security products are essential components of a multi-level defense strategy, they do not solve the DDoS problem. Firewalls and IPs are designed to protect network boundaries from infiltration, compromise, and policy execution points in the Enterprise security architecture. They use stateful traffic checking techniques to enforce network policies and ensure integrity.

Unfortunately, the firewall or IPs can maintain a limited state, as the attackers know, so when the resources inside the device are depleted, the result is a loss of traffic, a lock in the device, and a possible crash.

Application-tier DDoS is also a threat to operators of data centers, as data centers are an environment where many goals can be targeted. Firewalls and IPs generally do not detect or block application-level DDoS attacks, and thus require alternative solutions.

How can you reduce risk?

As a best practice, multi-level defense has been accepted and recognized by the security industry, and in response to the increasingly rampant threat of DDoS, the same approach is needed. Internet service providers/management Security Service providers (ISP/MSSP) must prevent capacity depletion attacks and large-scale state-table exhaustion attacks, but find that application-level DDoS attacks typically need to be done at the edge of the ISP or within the data center. That is because it is difficult to discover application-tier DDoS attacks, which are often not discovered by detection solutions deployed to monitor large ISP networks that host dozens of or hundred gigabit traffic.

DDoS detection and mitigation solutions located at the data center boundaries should be able to provide packet-based detection capabilities that provide immediate protection against a wide range of DDoS attacks; however, ISP/MSSP also needs cloud solutions to block high-bandwidth attacks outside of the data center. Capacity exhaustion attacks and state table exhaustion attacks, which may deplete links to upstream ISPs.

In an ideal environment, these two solutions work together through signaling technology, providing a fully automated multi-level defense mechanism to protect against DDoS attacks.

For best results, data center operators must work closely with ISPs to provide this multi-pronged solution and design a solution that protects services from DDoS attacks-whether those customers are companies or manage security service providers, for their customers.

Original address: Http://www.datacenterdynamics.com/focus/archive/2011/09/securing-the-data-center