DDoS Attacks Revealed
DDoS attacks exploit the basic internet protocols and the internet's fundamental strength: its ability to deliver packets from any source to any destination without the network questioning them.
DDoS attacks fall into two categories: floods of large volumes of traffic that overwhelm network devices and servers, or the deliberate creation of large numbers of requests that can never be completed, so that server resources are quickly exhausted. The central difficulty in defending against DDoS is that attack packets cannot be readily distinguished from legitimate ones: the signature-based pattern matching performed by a typical IDS is ineffective, and many attacks spoof the source IP address to evade identification, which makes tracing a specific attack source hard.
There are two basic types of DDoS attacks:
● Bandwidth attacks: attacks that consume network bandwidth or use huge numbers of packets to overwhelm one or more routers, servers, or firewalls. They commonly take the form of large volumes of ostensibly legitimate TCP, UDP, or ICMP packets routed to a specific destination, and to make detection harder they usually spoof the source address, often changing it continuously, which also defeats attempts to identify the source.
● Application attacks: attacks that exploit the behaviour defined by protocols such as TCP and HTTP to tie up computing resources continuously so they cannot process normal transactions and requests. HTTP half-open connections and HTTP error floods are two typical examples.
DDoS threats are becoming increasingly dangerous
One of the most damaging trends in DDoS is the use of sophisticated spoofing together with basic protocols such as HTTP and email, rather than the non-essential or high-port protocols that can simply be blocked. Such attacks are very hard to recognize and defend against. The usual countermeasures, packet filtering or rate limiting, stop the attack only by stopping the service: the attack traffic is blocked, but legitimate users' requests are rejected along with it, so the business is interrupted or the quality of service degrades. DDoS events are also sudden; within a very short time a large attack can consume all of a target's network and service resources.
The current DDoS defenses are not perfect
No current technology defends well against every kind of DDoS attack. The popular defenses, black-holing, router filtering, rate limiting and the like, are not only slow and labor-intensive but also block legitimate service at the same time. IDS intrusion monitoring provides some detection capability but does nothing to mitigate an attack, and the protection firewalls provide is limited by their technical weaknesses. Other strategies, such as deploying large numbers of servers and redundant devices to guarantee enough capacity to absorb an attack, are too costly.
Black hole technology
Black-holing describes the process by which a service provider intercepts, as far upstream as possible, as much of the traffic destined for a particular target enterprise as it can, redirects it into a "black hole" and discards it, in order to protect the carrier's own infrastructure and its other customers' services. Because legitimate packets are discarded along with the attacker's traffic, black-holing cannot be considered a good solution: the target loses all of its services, and the attacker has therefore won.
Routers
Many operators rely on the filtering capabilities of routers as a DDoS defense, but routers do not provide a complete defense against the sophisticated DDoS attacks seen today.
Routers can stop only simple attacks, such as ping floods, by filtering non-essential protocols. This requires a manual response, and it usually comes after the attack has already taken the service down. Modern DDoS attacks also use the very protocols the Internet depends on, which cannot be filtered wholesale. Routers can drop packets from invalid or private address space, but an attacker can just as easily spoof valid addresses.
The router-based strategy of using uRPF at the network edge to stop address-spoofing attacks is equally ineffective against today's DDoS attacks. uRPF drops a packet when its source address is not reachable back through the interface on which the packet arrived, but an attacker can easily spoof source addresses from within the subnet that really does sit behind that interface, and those packets pass the check.
In essence, router ACLs are ineffective against a wide variety of spoofing attacks that use valid protocols. These include:
● SYN, SYN-ACK, FIN and similar floods.
● Service proxies. An ACL cannot distinguish a legitimate SYN from a malicious SYN arriving from the same source IP or proxy, so the only way it can stop such a concentrated spoofing attack is to block every one of the victim's users behind that source IP or proxy.
● DNS or BGP. When attacks of this kind are launched against DNS servers or BGP routers with randomly spoofed sources, an ACL is, as with SYN floods, unable to tell which addresses are legitimate and which are spoofed.
ACLs are also ineffective against application-layer (client-side) attacks, whether spoofed or not. In theory an ACL could block client-side attacks such as HTTP error floods and HTTP half-open connections if each individual, non-spoofed attacking source could be monitored accurately, but that would require hundreds or even thousands of ACL entries per victim, which is not practical to implement.
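The two router-side checks discussed above, strict uRPF and a static ACL, evaluated over a handful of constructed packets. This is an added example written for this page, not code from any router vendor or from the original article; the routing table, interface names, addresses and the "intent" label are assumptions made for the demonstration (no packet header carries intent, which is precisely why the filters cannot use it). It shows uRPF dropping an off-prefix spoofed source but passing an in-prefix one, and an ACL that can only stop a flood from a shared source address by dropping that address's legitimate user as well.

```python
import ipaddress
from dataclasses import dataclass

# Constructed routing table for an edge router.  Interfaces and prefixes are
# assumptions for this example, not taken from any real deployment.
ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "eth0",   # customer LAN behind eth0
    ipaddress.ip_network("198.51.100.0/24"): "eth1",  # another customer behind eth1
    ipaddress.ip_network("0.0.0.0/0"): "uplink",      # default route toward the ISP
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    ingress: str          # interface the packet arrived on
    intent: str = "good"  # demo-only label; no header field carries this


def route_for(addr):
    """Longest-prefix match: the interface through which addr is reachable."""
    ip = ipaddress.ip_address(addr)
    best = max((n for n in ROUTES if ip in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def urpf_strict(pkt):
    """Strict uRPF: forward only if the source is reachable back through the
    ingress interface.  Assumes the default route counts for the uplink
    (the 'allow-default' behaviour), an assumption of this example."""
    return route_for(pkt.src) == pkt.ingress


def acl_eval(acl, pkt):
    """First-match ACL.  Entries are (action, src_net|None, proto|None, dport|None);
    None is a wildcard.  Implicit final action is permit."""
    src = ipaddress.ip_address(pkt.src)
    for action, net, proto, dport in acl:
        if net is not None and src not in ipaddress.ip_network(net):
            continue
        if proto is not None and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "permit"


def forwarded(packets, acl):
    """Packets that survive both static checks; the filters never see .intent."""
    return [p for p in packets if urpf_strict(p) and acl_eval(acl, p) == "permit"]


# Constructed sample traffic toward a web server at 192.0.2.80.
SAMPLE = [
    Packet("203.0.113.10", "192.0.2.80", "tcp", 80, "eth0"),                 # real user
    Packet("203.0.113.10", "192.0.2.80", "tcp", 80, "eth0", intent="bad"),   # flood SYN from the same source (shared proxy or spoofed)
    Packet("198.51.100.7", "192.0.2.80", "tcp", 80, "eth0", intent="bad"),   # spoofed off-prefix source: uRPF drops it
    Packet("203.0.113.200", "192.0.2.80", "tcp", 80, "eth0", intent="bad"),  # spoofed in-prefix source: uRPF passes it
    Packet("10.0.0.5", "192.0.2.80", "tcp", 80, "uplink", intent="bad"),     # private source from the uplink: ACL drops it
]

BASE_ACL = [("deny", "10.0.0.0/8", None, None)]
# The operator's reaction to the flood: deny the offending source address.
REACTIVE_ACL = BASE_ACL + [("deny", "203.0.113.10/32", "tcp", 80)]


def summarize(packets, acl):
    """Return (good, bad) counts of packets the filters would still forward."""
    out = forwarded(packets, acl)
    return (sum(p.intent == "good" for p in out), sum(p.intent == "bad" for p in out))


if __name__ == "__main__":
    print("base ACL     (good, bad) forwarded:", summarize(SAMPLE, BASE_ACL))
    print("reactive ACL (good, bad) forwarded:", summarize(SAMPLE, REACTIVE_ACL))
```

With the base ACL the in-prefix spoof and the flood SYN from the shared source both reach the server; adding the reactive deny entry removes the flood SYN but takes the legitimate user with it, while the in-prefix spoof still gets through.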
Firewalls
First, firewalls sit far downstream in the data path and do not protect the access link from the provider to the enterprise edge router, leaving those components exposed to DDoS. In addition, because firewalls are always deployed inline they become potential performance bottlenecks: a DDoS attack can target the firewall itself by exhausting its session-processing capacity.
Second, firewalls lack anomaly detection. A firewall's primary task is to control access to a private network. One way it does so is by tracking sessions initiated from the inside to outside services and then accepting only the specific responses expected from the "untrusted" side. That does not work for services that must accept requests from the public, such as web and DNS, because attackers can use the very protocols (such as HTTP) the firewall is required to admit.
Third, even where a firewall can detect anomalous behaviour it has little anti-spoofing capability, so its architecture still lets the attacker succeed. When it detects a DDoS attack a firewall can block a particular flow associated with the attack, but it cannot examine traffic packet by packet and separate legitimate traffic from malicious, which makes it effectively useless against address-spoofing attacks.
IDS Intrusion Monitoring
Today's IDS solutions need leading-edge behaviour- or anomaly-based algorithms to detect DDoS attacks at all. Some of this anomaly-based detection requires manual tuning by an expert, produces frequent false positives, and fails to recognize specific attack streams. The IDS itself can also easily fall victim to a DDoS attack.
The biggest drawback of an IDS as a DDoS defense platform is that it only detects attacks and does nothing to mitigate their impact. An IDS may be able to push filters to routers and firewalls, but as discussed above this is inefficient for mitigating DDoS, and an IDS deployed alongside static filtering still cannot do the job.
Manual response to DDoS attacks
Manual handling as part of a DDoS defense is too limited and too slow. A victim's typical first response is to ask the nearest upstream provider, the ISP, hosting provider or backbone carrier, to identify the source of the traffic. With spoofed addresses, identifying the source is a long, drawn-out traceback that requires the cooperation of many providers. Even when the source can be identified, blocking it means blocking all traffic from it, good and bad alike.
Other strategies
To tolerate a DDoS attack one might consider overprovisioning, that is, buying excess bandwidth or excess network equipment to absorb any load. This approach is not cost-effective, not least because it requires additional redundant interfaces and equipment. Even setting aside the initial outlay, an attacker can defeat the extra hardware simply by adding attack capacity, and the tens of millions of machines on the Internet give the attacker an almost inexhaustible supply of it.
Effectively Defending Against DDoS Attacks
Defending against DDoS requires a new approach that not only detects increasingly sophisticated and deceptive attacks but also effectively counters their effects.
Complete DDoS protection is built around four key themes:
1. Mitigating attacks, not just detecting them
2. Accurately distinguishing legitimate traffic from malicious traffic and keeping the business running, not just detecting the presence of an attack
3. Building in the performance and architecture to deploy upstream and protect every vulnerable point
4. Maintaining reliability and cost-effective scalability
Built on these concepts, a DDoS defense has the following protective qualities:
● Responds immediately to a DDoS attack with a complete detection and blocking mechanism, even when the attacker's identity and profile change continuously.
● Provides more complete verification than existing static router filters or IDS signatures.
● Provides behaviour-based anomaly detection that identifies valid packets carrying malicious intent.
● Identifies and blocks individual spoofed packets to protect legitimate transactions.
● Provides mechanisms that can handle large DDoS attacks without affecting the protected resources.
● Deploys protection on demand during an attack without introducing single points of failure or adding bottlenecks through cascaded policies.
● Has built-in intelligence to process only the affected traffic flows, ensuring maximum reliability at minimum cost.
● Avoids dependence on specific network devices or configuration changes.
● Uses standard protocols for all communication to ensure interoperability and maximize reliability.
A complete DDoS protection solution
A complete DDoS protection solution is built on detection, diversion, verification and forwarding, and keeps the business running without interruption by:
1. Detecting DDoS denial-of-service attacks in real time.
2. Diverting traffic destined for the target device to a dedicated DDoS protection device for processing.
3. Analyzing the traffic and filtering the bad packets from the good, stopping malicious traffic from affecting performance while letting legitimate traffic through.
4. Forwarding the normal traffic so that business continues.
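The four steps above as a small simulation, added for this page; it is not code from the article or from any protection product. Detection is a per-destination SYN-rate check against a baseline (behaviour-based rather than signature-based, as the page argues for); diversion is a per-destination flag; verification challenges each unverified source with a stateless SYN-cookie-style token, so spoofed sources (which never receive the challenge) and half-open bots (which ignore it) are never forwarded while real clients that answer it are; forwarding passes verified and non-diverted traffic through. The secret, baseline, addresses and the three-second trace are constructed assumptions. Real scrubbers, having verified a source, reset the connection or proxy it so the client retries; this simulation simply treats the source as verified from that point on.

```python
import collections
import hashlib
import hmac

# Assumption: a per-device secret.  The token lets the scrubber challenge a
# source without keeping any state for it until the source proves it is real.
SECRET = b"constructed-example-secret"


def cookie(src, dst, t):
    """Stateless challenge token, valid for a one-minute time bucket."""
    bucket = int(t) // 60
    msg = f"{src}|{dst}|{bucket}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


class Scrubber:
    """Detect (SYN rate per destination), divert (per-destination flag),
    verify (challenge/response), forward (verified or non-diverted traffic)."""

    def __init__(self, baseline_syn_per_sec, factor=5):
        self.threshold = baseline_syn_per_sec * factor
        self.window = collections.Counter()  # dst -> SYNs seen this second
        self.cur_sec = 0
        self.diverted = set()                # destinations under attack
        self.verified = set()                # (src, dst) pairs that answered a challenge
        self.stats = collections.Counter()

    def _roll_window(self, t):
        sec = int(t)
        while self.cur_sec < sec:
            for dst, n in self.window.items():
                if n > self.threshold:       # 1. detection: rate anomaly vs baseline
                    self.diverted.add(dst)
            self.window.clear()
            self.cur_sec += 1

    def handle(self, t, src, dst, kind, token=None):
        """Return 'forward', 'drop', or ('challenge', token)."""
        self._roll_window(t)
        if kind == "syn":
            self.window[dst] += 1
        if dst not in self.diverted:          # 4. normal path, nothing diverted
            self.stats["forwarded_direct"] += 1
            return "forward"
        # 2. diverted traffic is handled here instead of reaching the server
        if (src, dst) in self.verified:
            self.stats["forwarded_verified"] += 1
            return "forward"
        if kind == "syn":                     # 3. verification: challenge, keep no state
            self.stats["challenged"] += 1
            return ("challenge", cookie(src, dst, t))
        if kind == "ack" and token == cookie(src, dst, t):
            self.verified.add((src, dst))
            self.stats["verified"] += 1
            return "forward"
        self.stats["bad_token"] += 1
        return "drop"


def build_traffic():
    """Constructed three-second trace: one quiet second, then two seconds of flood.
    Each event is (time, src, dst, label); label is demo-only, never seen by the scrubber."""
    ev = []
    for sec in range(3):
        for i in range(8):                   # 8 real users per second
            ev.append((sec + i / 10, f"203.0.113.{10 + i}", "192.0.2.80", "legit"))
        if sec >= 1:
            for i in range(500):             # spoofed SYN flood, rotating sources
                ev.append((sec + i / 500, f"198.51.100.{i % 250 + 1}", "192.0.2.80", "spoofed"))
            for i in range(20):              # half-open attack from one unspoofed bot
                ev.append((sec + i / 20, "203.0.113.66", "192.0.2.80", "halfopen"))
    ev.sort()
    return ev


def run(events, baseline=10):
    """Drive the scrubber; only a real stack that owns src can answer a challenge."""
    s = Scrubber(baseline)
    outcome = collections.Counter()
    for t, src, dst, label in events:
        r = s.handle(t, src, dst, "syn")
        if r in ("forward", "drop"):
            outcome[(label, "forwarded" if r == "forward" else "dropped")] += 1
        elif label == "legit":               # real client receives SYN-ACK and answers
            r2 = s.handle(t + 0.001, src, dst, "ack", r[1])
            outcome[(label, "forwarded" if r2 == "forward" else "dropped")] += 1
        else:                                # spoofed: never sees it; bot: ignores it
            outcome[(label, "dropped")] += 1
    return s, outcome


if __name__ == "__main__":
    scrubber, result = run(build_traffic())
    print("diverted:", sorted(scrubber.diverted))
    for key in sorted(result):
        print(key, result[key])
```

The trace shows one second of detection lag: the flood that fills the first attack second reaches the server before the rate check trips, after which every spoofed and half-open SYN is challenged and goes nowhere while all 24 legitimate connections are forwarded. Shortening the window or lowering the factor trades that lag against false positives on bursty but legitimate traffic.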