What is a traffic attack? What to do if you encounter an attack?

Traffic attacks

Because DDoS attacks usually use legitimate-looking request traffic, amplified by large numbers of compromised hosts (zombies), they have become one of the hardest network attacks to defend against. According to the latest security-loss survey report in the United States, the economic losses caused by DDoS attacks rank first. Traditional network equipment and perimeter security technologies such as firewalls, intrusion detection systems (IDS), rate limiting and access restrictions cannot provide very effective protection against DDoS attacks; a new architecture and new technology are needed to resist these complex attacks. A DDoS (distributed denial of service) attack exploits a basic property of the Internet protocols and of the Internet itself: packets are transmitted from any source to any destination without discrimination.

Defense methods

The currently popular black hole technology, router filtering, rate limiting and other methods are not only slow and expensive but also block legitimate traffic. IDS intrusion detection, for example, can detect some attacks but cannot mitigate a DDoS attack, and the protection provided by firewalls is limited by their technical weaknesses. Other strategies, such as deploying large numbers of servers and redundant equipment to ensure enough capacity to absorb an attack, are too costly.

1. Black hole technology. Black-holing describes a process in which the service provider blocks packets directed at a targeted enterprise as far upstream as possible, redirecting them into a "black hole" where they are discarded, in order to protect the operator's own infrastructure and its other customers' services. Legitimate packets, however, are discarded together with the attack traffic, so black-holing cannot be regarded as a good solution: the victim loses all of its services, and the attacker wins.

2. Routers. Many people use the filtering function of routers to defend against DDoS attacks, but routers cannot provide complete defense against complex DDoS attacks. They can only stop some simple DDoS attacks, such as ping floods, by filtering out unwanted non-essential protocols. This requires a manual response, often after the attack has already caused a service failure. In addition, DDoS attacks use the essential, legitimate protocols of the Internet, which are difficult to filter out effectively. Routers can also drop packets from invalid or private IP address space, but DDoS attacks can easily spoof valid IP addresses. Router-based DDoS prevention strategies, such as using uRPF (unicast reverse path forwarding) on the egress side to stop IP address spoofing, are also ineffective against today's DDoS attacks, because the basic principle of uRPF is to drop outbound traffic whose source IP address does not belong to the subnet it is supposed to come from. DDoS attacks can easily forge IP addresses from within the same subnet, rendering this measure ineffective. Essentially, router ACLs are ineffective against the wide variety of spoofing attacks that use valid protocols, including:
● SYN, SYN-ACK, FIN and other floods.
● Proxies. Because an ACL cannot distinguish legitimate SYNs from malicious SYNs coming from the same source IP or proxy, it can only try to stop such a concentrated spoofing attack by blocking all users behind that source IP or proxy.
● DNS or BGP. When these attacks are launched against DNS servers or BGP routers with randomly spoofed sources, ACLs, as with SYN floods, cannot verify which addresses are legitimate and which are spoofed.
ACLs are also ineffective against application-layer (client-side) attacks.

Spoofed or not, ACLs can in theory block client-side attacks such as HTTP error and HTTP half-open connection attacks, but only if the attack and each individual non-spoofed source can be monitored accurately; this would require users to configure hundreds or even thousands of ACLs per victim, which is not practical.

Firewalls. First of all, a firewall sits far downstream on the data path and cannot protect the access link from the provider to the enterprise edge router, leaving those vulnerable components exposed to DDoS attacks.

Additionally, because firewalls are always deployed in-line, they become a potential performance bottleneck: a DDoS attack can target the firewall itself by exhausting its session-processing capacity. Secondly, firewalls lack anomaly detection. The primary task of a firewall is to control access to the private network. One way it does this is by tracking sessions initiated from the inside to outside services and then accepting from the "dirty" side only the specific responses those sessions expect. This does not work for services open to the public, such as Web, DNS and other servers that must accept unsolicited requests, because attackers can use the "recognized" protocols (such as HTTP). The third limitation is that while firewalls can detect anomalous behavior, they have little anti-spoofing capability, so their architecture still lets attackers achieve their goals. When a DDoS attack is detected, a firewall can stop a specific flow associated with the attack, but it cannot inspect packet by packet to separate good, legitimate traffic from malicious traffic, which makes it ineffective against IP address spoofing attacks.

IDS intrusion detection. IDS solutions would have to provide leading behavior-based or anomaly-based algorithms to detect today's DDoS attacks. However, some anomaly-based capabilities require manual tuning by experts, produce frequent false positives, and cannot identify the specific attack flows. At the same time, the IDS itself can easily become a victim of DDoS attacks. The biggest drawback of IDS as a DDoS defense platform is that it can only detect attacks and does nothing to mitigate their impact. IDS solutions may be able to delegate filtering to routers and firewalls, but as stated earlier this is inefficient at mitigating DDoS attacks, even when the IDS is deployed in-line with static filtering.

Manual response to DDoS attacks. Manual processing as part of DDoS defense is too fragmented and too slow. A victim's typical first reaction to a DDoS attack is to ask the nearest upstream connection provider (an ISP, hosting provider or backbone carrier) to try to identify the source of the traffic. When addresses are spoofed, trying to identify the source is a long and tedious process that requires cooperation and tracing across many providers. Even if the source can be identified, blocking it means blocking all of its traffic, good and bad, at the same time.

3. Other strategies. To withstand DDoS attacks, you may consider strategies such as over-provisioning, that is, purchasing excess bandwidth or excess network equipment to handle any volume of requests. This approach is not cost-effective, especially since it requires additional redundant interfaces and equipment. Whatever the initial effect, attackers can defeat the additional hardware simply by increasing their attack capacity; the tens of millions of machines on the Internet are their untapped reserve of attack capacity.

Effectively defending against DDoS attacks

Defending against DDoS attacks requires a new approach that can not only detect increasingly sophisticated and deceptive attacks but also effectively mitigate their impact.

Key themes of protection

Complete DDoS protection is built around four key themes:

1. Mitigate attacks, not just detect them

2. Accurately distinguish good traffic from malicious traffic and keep services running, rather than just detecting the presence of attacks

3. Built-in performance and architecture that allow upstream deployment to protect all vulnerable points

4. Maintain reliability and cost-effective scalability

Nature of the protection

Respond immediately to DDoS attacks with complete detection and blocking mechanisms, even as the identity and profile of the attackers keep changing.

Compared with existing static route filters or IDS signatures, provide more complete verification capability.

Provide behavior-based anomaly identification to detect valid packets with malicious intent.

Identify and block individual spoofed packets to protect legitimate transactions.

Provide a mechanism that can handle large-scale DDoS attacks without affecting the protected resources.

During an attack, protection can be deployed on demand, without introducing points of failure or adding bottlenecks to an in-line strategy.

Built-in intelligence processes only the affected traffic flows, to ensure maximum reliability and minimize cost.

Avoid relying on changes to network devices or their configuration.

All communications use standard protocols to ensure maximum interoperability and reliability.

Protection system

1. Real-time detection of DDoS denial-of-service attacks.

2. Divert traffic directed to the target device to a dedicated DDoS protection device for processing.

3. Analyze the traffic and filter bad packets from good packets, so that malicious traffic cannot affect performance while legitimate traffic is processed.

4. Forward the normal traffic to keep services running.
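As an added example that is not part of the original article, the following Python simulation scores the three approaches discussed above (upstream black-holing, a source-IP router ACL, and per-connection filtering in the protection device) against the same traffic sample; the addresses, the shared NAT/proxy scenario and the flows themselves are all constructed for illustration.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class Flow:
    src: str         # source IP as seen on the wire (may be spoofed)
    completed: bool  # True if the TCP three-way handshake completed
    malicious: bool  # ground truth; used only for scoring, never by a filter

# Constructed sample: three users and one bot behind one shared NAT/proxy address,
# two direct users (one lost its final ACK), and a SYN flood with one-shot spoofed sources.
NAT = "198.51.100.7"
SAMPLE = (
    [Flow(NAT, True, False)] * 3
    + [Flow("192.0.2.44", True, False), Flow("192.0.2.45", False, False)]
    + [Flow(NAT, False, True)] * 4
    + [Flow(f"203.0.113.{i}", False, True) for i in range(20, 30)]
)

def blackhole(flows):
    """Upstream black hole: every packet addressed to the victim is discarded."""
    return []

def acl_block_list(flows, threshold=2):
    """Sources an operator would put in a source-IP ACL: at least `threshold`
    half-open SYNs seen. One-shot spoofed sources never reach the threshold."""
    half_open = Counter(f.src for f in flows if not f.completed)
    return {src for src, n in half_open.items() if n >= threshold}

def source_acl(flows, blocked):
    """Router ACL keyed on source IP: every user behind a blocked NAT goes too."""
    return [f for f in flows if f.src not in blocked]

def handshake_scrubber(flows):
    """Per-connection filter (SYN-proxy style): forward only connections that
    complete the handshake, so spoofed half-open SYNs drop whatever their source."""
    return [f for f in flows if f.completed]

def score(forwarded, flows):
    """(fraction of legitimate traffic kept, fraction of attack traffic dropped)."""
    good = sum(not f.malicious for f in flows)
    bad = sum(f.malicious for f in flows)
    kept_good = sum(not f.malicious for f in forwarded) / good
    dropped_bad = 1 - sum(f.malicious for f in forwarded) / bad
    return round(kept_good, 2), round(dropped_bad, 2)

def compare(flows=SAMPLE):
    return {"blackhole": score(blackhole(flows), flows),
            "source_acl": score(source_acl(flows, acl_block_list(flows)), flows),
            "scrubber": score(handshake_scrubber(flows), flows)}
```

Black-holing drops all legitimate traffic, the source ACL loses every user behind the shared NAT while most of the spoofed flood passes, and only the per-connection filter keeps the legitimate traffic (except the client whose handshake never completed, which simply retries) while dropping the whole flood.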