SoFunction
Updated on 2025-04-13

Cleverly resolve DDoS distributed denial of service attacks

For online enterprises, and especially for telecom operator data center networks, the emergence of distributed denial of service (DDoS) attacks is nothing short of a disaster, and effective protection against them has long been an unsolved problem in network operations.

DDoS has always been a headache. It is an attack method that is hard to defend against with traditional means, and besides servers it also targets bandwidth. Like a traffic jam on a road, DDoS has become a kind of network pollution.

Traditional protection: powerless

The most commonly used measures against DDoS attacks are the black hole method, filtering with router access control lists, and inserting firewall security devices in series.

Black hole method: After a server comes under attack, access control is configured in the network so that all traffic to the attacked address is routed into a black hole and discarded. When attack traffic arrives, this keeps all of it out and ensures that the backbone network as a whole is not affected. However, it also discards the legitimate traffic, so the server can no longer provide service to the outside world and loses contact with its users.

Router access control list filtering: This method is not deployed by the enterprise user itself; the service provider, such as a telecom operator, configures it on the routers of the backbone network. There are currently two ways to deploy it on routers, one being access control lists (ACLs) and the other rate limiting, and both come down to ACLs in the end. The biggest problem is that when the attack comes from the Internet, it is hard to build a source-address-based access list, because the source addresses are arbitrary and cannot be pinned down. The only option is an ACL on the destination address: an entry for the attacked server is added and all packets requesting connections to it are dropped, so the user's service is seriously affected. Another drawback is that such access control lists on the telecom backbone make managing the volume of access control entries very difficult. The method is also quite limited in scope: it cannot identify spoofed traffic or attacks against the application layer.

Firewall security devices connected in series: Another way to deal with DDoS attacks is to place a firewall inline. On an operator backbone carrying traffic of dozens of G, firewall capacity and technology are limited, so firewall devices rated at several G are easily overloaded and the network can no longer operate normally. Moreover, the throughput of a firewall with DDoS protection functions enabled is even lower. Even the "top experts" among firewalls are powerless here and cannot take on this heavy responsibility. In addition, this method cannot protect upstream devices, lacks scalability, and cannot effectively protect user-facing resources.

The solution is "intelligence"

From the above analysis it is clear that the traditional ways of dealing with DDoS are not efficient, and some of their problems cannot be overcome. An intelligent DDoS protection system consists of two components: a detector and a guard. It is easy to use, simple to deploy, requires no change to the original network architecture, and protects dynamically, which addresses the DDoS protection problem at its root.

The guard is connected to the backbone network in parallel, so it has no impact on the network structure. When malicious traffic attacks the network, the detector alerts the guard, so that the guard knows which server in the network is under attack, what the attack is aimed at, and which addresses it comes from. The guard then immediately starts working: it notifies the router to send all traffic destined for these addresses to the guard, temporarily takes over this traffic, and analyzes and verifies it. All illegal malicious traffic is intercepted and discarded there, while normal traffic and data continue on to their destination.
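The following simulation, added here as an illustration and not code from the original article or from any protection product, compares the three approaches the text describes: the black hole, the destination-address ACL that drops connection requests, and the detector/guard pair that diverts only the attacked destination's traffic and scrubs it. All addresses, packet counts, the detection threshold and the guard's verification rule (a per-source packet cap) are constructed assumptions; the `legit` flag is ground truth used only to score each outcome and is never consulted by the filters.

```python
"""Simulation of black hole, destination ACL, and detector/guard DDoS mitigation.

Hypothetical example: traffic, addresses and thresholds are constructed, and the
guard's 'verification' is simplified to a per-source packet cap.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str      # "syn" (connection request) or "data" (established flow)
    legit: bool    # ground truth, used for scoring only, never by the filters


SERVER = "10.0.0.5"   # constructed: the server under attack
OTHER = "10.0.0.6"    # constructed: an unrelated server behind the same backbone


def constructed_traffic():
    """Three real clients talk to SERVER, one real client talks to OTHER, and
    100 spoofed sources flood SERVER with connection requests."""
    pkts = []
    for i in range(3):
        src = f"198.51.100.{i + 1}"
        pkts.append(Packet(src, SERVER, "syn", True))
        pkts += [Packet(src, SERVER, "data", True)] * 4
    pkts.append(Packet("198.51.100.9", OTHER, "syn", True))
    pkts += [Packet("198.51.100.9", OTHER, "data", True)] * 4
    for i in range(100):
        pkts += [Packet(f"203.0.113.{i + 1}", SERVER, "syn", False)] * 40
    return pkts


def score(delivered, all_pkts):
    """Count how much legitimate and attack traffic survived a filter."""
    return {
        "delivered": len(delivered),
        "legit_delivered": sum(p.legit for p in delivered),
        "legit_total": sum(p.legit for p in all_pkts),
        "attack_delivered": sum(not p.legit for p in delivered),
    }


def blackhole(pkts, victim):
    """Black hole: every packet addressed to the victim is discarded."""
    return [p for p in pkts if p.dst != victim]


def destination_acl(pkts, victim):
    """Destination ACL on the backbone router: drop connection requests to the
    victim; packets of flows already established still pass (no new client can
    connect, which is the service impact the text describes)."""
    return [p for p in pkts if not (p.dst == victim and p.kind == "syn")]


def detector(pkts, threshold):
    """Detector: flag destinations whose packet volume exceeds the threshold."""
    per_dst = Counter(p.dst for p in pkts)
    return {dst for dst, n in per_dst.items() if n > threshold}


def guard(pkts, attacked, per_source_limit):
    """Guard: only traffic to attacked destinations is diverted to it. Each
    source may send at most per_source_limit packets to such a destination and
    the excess is dropped; traffic to other destinations is never touched."""
    seen = Counter()
    out = []
    for p in pkts:
        if p.dst not in attacked:
            out.append(p)
            continue
        seen[(p.src, p.dst)] += 1
        if seen[(p.src, p.dst)] <= per_source_limit:
            out.append(p)
    return out


def compare(threshold=1000, per_source_limit=10):
    """Run all three strategies on the same constructed traffic."""
    pkts = constructed_traffic()
    attacked = detector(pkts, threshold)
    return {
        "blackhole": score(blackhole(pkts, SERVER), pkts),
        "destination_acl": score(destination_acl(pkts, SERVER), pkts),
        "detector_guard": score(guard(pkts, attacked, per_source_limit), pkts),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:16s} {result}")
```

On this traffic the black hole delivers none of the 15 legitimate packets bound for the attacked server, the destination ACL drops the three legitimate connection requests along with the flood, and the guard passes all 20 legitimate packets while the flood is cut to the per-source cap. The per-source cap stands in for the guard's real verification step; it only separates sources by rate, so a flood spread thinly across many addresses at client-like rates would need a different check (for example a handshake challenge), which is why real scrubbing systems combine several such tests.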