Keywords: DDoS, two-way abnormal traffic cleaning, near source, collaboration
Abstract: As Internet bandwidth grows, DDoS attack traffic keeps increasing, and volumetric attacks exceeding 300G (300 Gbps) have become common. Faced with attack traffic of this size, the attacked customer usually cannot cope alone. Telecom operators can raise their resistance to large-traffic DDoS attacks by deploying high-performance anti-DDoS equipment on the backbone network, but this is not a good strategy. Using mainstream anti-DDoS equipment in a unified combination of near-source and near-business-host cleaning, coordinated across the whole network as a two-way abnormal traffic cleaning solution, can effectively resist T-level (or larger) DDoS attacks, raise the return on investment, and bring a qualitative change in protection effectiveness.
Introduction
With the proliferation of DDoS attack tools and the growth of the underground criminal market, profit-driven DDoS attacks are becoming more frequent. In particular, with the promotion of the “Broadband China” strategy, the access bandwidth of home and mobile users has grown greatly, and high-traffic DDoS attacks are both more frequent and larger. A few years ago the DDoS attack traffic received by enterprise users was generally around 1G; now some attacks have risen to 300G, 500G, or even the T level (1T = 1000G). Enterprises that typically have only 10G of access link bandwidth have no way to parry such an attack on their own. They can only turn to the telecom operator for help, but the operator also finds it hard to respond effectively; for example, the DDoS attack against Spamhaus caused serious service disruption for both Spamhaus and CloudFlare. How, then, can large-traffic DDoS attacks be handled economically and effectively, and how can future T-level attacks be resisted? This article first analyses the current solutions and their shortcomings, then proposes a two-way abnormal traffic cleaning solution, discusses its design and implementation, and briefly explains a feasible deployment and the protection process through an example.
1. Current status of DDoS attack threats
DDoS attacks can be classified in several ways, for example into volumetric attacks (SYN Flood, UDP Flood, ICMP Flood, ACK Flood, etc.), application-layer attacks (HTTP GET Flood, connection exhaustion, CC, etc.), slow attacks, and vulnerability-based attacks. The hardest to deal with is the distributed amplification (reflection) attack: from the victim's point of view every packet is well formed, but their number is enormous, generally 300G to 2T in aggregate, and the volume varies. With the arrival of the broadband era, such attacks are becoming more likely. Enterprise servers are usually deployed in the operator's IDC centre and connected to the Internet over 100M/1000M or 10G links leased from the operator; the operator's own systems likewise generally use 100/1000 Mbps links. In short, user access bandwidth is tiny compared with a DDoS attack exceeding 300G. Once a large-traffic DDoS attack occurs, it brings serious threats and losses to customers and operators, including:
(1) The link bandwidth is fully occupied and service is interrupted (buying more bandwidth does not help, because the attack still exceeds it);
(2) The attack traffic exceeds the processing capacity of network devices, causing service interruption or delay;
(3) The network's available bandwidth is drastically reduced and the service level drops, forcing the operator into heavy investment in network expansion;
(4) Service capacity declines or service is interrupted, causing user churn and direct economic loss;
(5) Corporate reputation and brand are damaged.
2. Existing abnormal traffic cleaning plan and its shortcomings
2.1 Traditional abnormal traffic cleaning solutions and their shortcomings
The targets of DDoS attacks are customers' business servers, which are usually located either in the operator's IDC centre or in a data centre the enterprise builds itself. Traditional abnormal traffic cleaning equipment is deployed close to the business host; depending on who builds it, there are usually the following two variants, shown in the figure below:
Figure 1 Traditional Abnormal traffic cleaning plan
Implementation principle: the scheme generally consists of abnormal traffic detection equipment and abnormal traffic cleaning equipment.
(1) When the detection equipment detects a DDoS attack, it automatically notifies the cleaning equipment;
(2) The cleaning equipment uses a routing protocol such as BGP or OSPF (typically by announcing a more-specific route for the attacked host) to divert all traffic destined for the attacked host to itself, where it is cleaned;
(3) The clean traffic is reinjected into the original network and steered to the correct downstream exit by policy-based routing, an MPLS LSP or similar, so that it reaches the target server normally (plain reinjection would match the diverting route again and loop);
(4) When the detection equipment detects that the attack has stopped, it notifies the cleaning equipment, which withdraws the diversion, and the network returns to normal.
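The diversion and reinjection mechanics of steps (1) to (4), reduced to a runnable model. This is an added illustration, not code from the article or from any vendor's equipment; the topology (one IDC egress router R1, one scrubber, one access router, one host), the prefixes, and the interface and device names are constructed assumptions. It shows why a /32 injected by the cleaning device pulls only the attacked host's traffic, and why reinjected clean traffic must be policy-routed (step 3) rather than simply handed back to the routing table.

```python
"""Toy model of the diversion and reinjection mechanics in steps (1)-(4).
Added illustration, not code from the article; the topology, prefixes,
interface and device names are constructed assumptions."""
import ipaddress

VICTIM = "203.0.113.10"                              # assumed attacked host
CUSTOMER = ipaddress.ip_network("203.0.113.0/24")    # assumed customer prefix
SCRUB_LINK = "scrub-link"                            # R1 interface facing the scrubber


class Router:
    def __init__(self, name):
        self.name = name
        self.routes = {}   # prefix -> next hop, longest-prefix-match table
        self.pbr = {}      # (ingress interface, prefix) -> next hop

    def next_hop(self, dst, ingress):
        # Policy-based routing is keyed on the ingress interface and consulted
        # before the routing table: that is how reinjected clean traffic is
        # steered past the diverting /32 instead of being pulled again.
        for (iface, prefix), nh in self.pbr.items():
            if iface == ingress and dst in prefix:
                return nh
        matches = [p for p in self.routes if dst in p]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda p: p.prefixlen)]


def build_topology(diversion, pbr):
    """IDC egress router R1 -> access router -> host, plus the scrubber off R1."""
    r1 = Router("R1")
    r1.routes[CUSTOMER] = "ACCESS"
    if diversion:
        # Step (2): the cleaning device injects a /32 for the attacked host,
        # so longest-prefix match pulls only that host's traffic to SCRUB.
        r1.routes[ipaddress.ip_network(f"{VICTIM}/32")] = "SCRUB"
    if pbr:
        # Step (3): traffic returning from the scrubber is policy-routed
        # toward the access router rather than re-matched against the /32.
        r1.pbr[(SCRUB_LINK, CUSTOMER)] = "ACCESS"
    access = Router("ACCESS")
    access.routes[CUSTOMER] = "HOST"
    return {"R1": r1, "ACCESS": access}


def trace(dst, diversion, pbr, max_hops=8):
    """Nodes a packet to dst visits starting at R1; ends in 'HOST', 'DROP' or 'LOOP'."""
    dst = ipaddress.ip_address(dst)
    routers = build_topology(diversion, pbr)
    path, node, ingress = [], "R1", "upstream"
    while len(path) < max_hops:
        path.append(node)
        if node == "HOST":
            return path
        if node == "SCRUB":
            # The scrubber drops attack packets and hands clean ones back to R1.
            node, ingress = "R1", SCRUB_LINK
            continue
        nh = routers[node].next_hop(dst, ingress)
        if nh is None:
            path.append("DROP")
            return path
        node, ingress = nh, f"from-{node}"
    path.append("LOOP")
    return path


if __name__ == "__main__":
    print("no diversion:        ", trace(VICTIM, diversion=False, pbr=False))
    print("diversion + PBR:     ", trace(VICTIM, diversion=True, pbr=True))
    print("diversion, no PBR:   ", trace(VICTIM, diversion=True, pbr=False))
    print("neighbour .11, divert", trace("203.0.113.11", diversion=True, pbr=True))
```

With diversion active and PBR in place the path is R1, SCRUB, R1, ACCESS, HOST; without PBR the returning traffic matches the /32 again and bounces between R1 and the scrubber, which is the loop that step (3) exists to prevent. A neighbouring host in the same /24 is never diverted, since only the attacked address carries the more-specific route.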
Scheme features:
(1) Detection and cleaning of abnormal traffic are automated;
(2) Cleaning close to the business host gives a good protective effect;
(3) High return on investment.
Shortcomings of the scheme:
(1) The cleaning capability of the equipment is generally below 20G, or 40G with a cluster of cleaning devices; DDoS attacks larger than that will still interrupt service or degrade the service level;
(2) Even when the attack traffic is below 20G it occupies much of the access bandwidth, so the service level still drops and the user experience degrades;
(3) It cannot defend against DDoS attacks from inside the network (bottom-up traffic, which is outside the protection range of the cleaning equipment).
2.2 High-performance abnormal traffic cleaning solution and its shortcomings
The biggest shortcoming of the traditional solution is insufficient cleaning capability, so the first idea is to increase it. In addition, because the business server's access link bandwidth and the access router's processing capacity are limited, the deployment point of the cleaning system needs to be moved upward: the cleaning equipment is usually deployed on the provincial egress router (it can also be deployed on metropolitan area network routers, but for the same protection capability that requires more equipment and higher investment).
The composition and deployment of this scheme are shown in the figure below:
The implementation principle is the same as that of the traditional scheme; its features and shortcomings are as follows.
Scheme features:
(1) Cleaning is still performed near the business host;
(2) High-performance cleaning equipment or clusters are used, which can effectively resist DDoS attacks of 40G to 200G;
(3) A unified security management platform provides unified management of equipment and security policies.
Shortcomings of the scheme:
(1) It cannot handle DDoS attacks above 200G;
(2) It cannot protect against DDoS attacks originating in the metropolitan area network (bottom-up traffic outside the protection range of the cleaning equipment);
(3) Large volumes of useless DDoS traffic traverse the operator's backbone, wasting valuable backbone bandwidth and device processing capacity and degrading network service levels;
(4) The protective equipment is expensive, so the cost-effectiveness of the solution is low.
3. Large-traffic DDoS attack cleaning solution
3.1 Design ideas
Judging from the trend, DDoS attack traffic will keep growing. If only near-business-host cleaning is used, then however capable the protection equipment, it will not keep pace with the growth of attack traffic and cannot meet the protection requirement. With near-source cleaning, the cleaning equipment is distributed at locations close to the attack sources, each device cleans only a part of the attack, and in combination they provide very large and elastic cleaning capability, enough for today's attacks and for larger ones in future.
Abnormal traffic cleaning requires both detection and cleaning capability. If only near-source cleaning were used, the attack traffic seen at each source point would be small and the alarm threshold would have to be set low, which easily causes false positives and false negatives. Our overall design ideas are therefore as follows:
(1) Separate detection from cleaning. To improve detection sensitivity and economy, deploy detection equipment as close to the business host as possible, or detect on the core network; deploy cleaning equipment as close to the attack sources as possible.
(2) Combine near-source and near-business-host cleaning. Deploying cleaning equipment near the sources gives very large cleaning capability and flexibility while reducing cost. However, each near-source cleaning point may miss part of the attack traffic, for example traffic that stays below the threshold at which cleaning is triggered; this residue converges on the business host and still forms a DDoS attack. A cleaning device therefore also needs to be deployed near the business host to handle it.
(3) Two-way abnormal traffic cleaning. A network access point or business host area may be the target of external DDoS attacks and may at the same time send out DDoS attack traffic itself; both can happen simultaneously, so cleaning must work in both directions.
(4) Unified management and coordination. For a given large-traffic DDoS attack, once the detection equipment detects it, the appropriate cleaning equipment must be mobilised as needed and a unified policy used to clean the abnormal traffic, so all cleaning equipment must be managed centrally and act in coordination. In addition, to reduce false positives and false negatives, the detection data from all abnormal traffic detection equipment must be aggregated, screened, compared and analysed; this improves detection accuracy, lowers the false-negative rate, and makes it possible to determine from the attack sources which cleaning equipment to dispatch.
3.2 Key technology realization analysis
This scheme consists of three parts: attack traffic detection, abnormal traffic cleaning and the management platform. The detection part differs little from what was introduced earlier, so the focus here is on the other two.
1. Management platform section
After receiving the traffic detection data, the management platform aggregates, filters and analyses it; once an abnormal traffic attack is confirmed, it generates and schedules the cleaning policies. At this point two things must be clear:
(1) The attack source regions, which determine the cleaning equipment to mobilise; these can be obtained from an attack source tracing system, or by looking up the source IP addresses of the attack data in an IP address library;
(2) The specific cleaning policies. In implementation terms they are divided into near-source and near-business-host cleaning policies, and different policies must be assigned according to each cleaning device's deployment location.
2. Abnormal traffic cleaning part
Unlike earlier cleaning equipment, the cleaning equipment in this scheme needs two-way cleaning capability. In principle, once a cleaning device receives a cleaning request it pulls traffic according to the policy; after cleaning, a near-source device reinjects the clean traffic upward (toward the core network), while a near-business-host device reinjects it downward (toward the business host).
3.3 deployment plan
For telecom operators, the main sources of DDoS attacks include:
(1) Home terminals in the local metropolitan area network
(2) Smartphones on the local mobile Internet
(3) Business hosts in IDC centres
(4) The operator's own business hosts in the local network
(5) Domestic Internet interconnection gateways
(6) International Internet gateways
Abnormal traffic detection equipment can be deployed at the provincial backbone egress routers, the IDC centre egress routers and the egress routers of the operator's own business hosts in the local network, to detect attack traffic across the whole network. Abnormal traffic cleaning equipment can be attached to routers close to the attack sources, such as IDC egress routers, metropolitan area network egress routers, packet core network egress routers, own-business network egress routers, and domestic or international interconnection routers; the exact locations can be adjusted to the network. In addition, a security management platform is deployed to interconnect with all detection and cleaning equipment; its location is unrestricted.
3.4 Description of attack protection process
For simplicity, collaborative protection among the Beijing, Shanghai and Guangzhou IDC centres is used as the example.
A simplified schematic of the protection scheme is shown below:
Now suppose a server in the Shanghai IDC centre receives a large-traffic DDoS attack. The protection process is as follows.
1. Attack detection
When the DDoS attack occurs, the attack traffic monitoring equipment deployed inside the core network and at the IDC centre egress sends the NetFlow data it collects in real time to the security management platform. After the platform determines through aggregate analysis that a DDoS attack is under way, it identifies the provinces and access points of the attack sources from the source IP addresses; assume here that these include the Beijing and Guangzhou IDC centres. Having identified them, the platform issues the near-source cleaning policy to the cleaning equipment of the Beijing and Guangzhou IDC centres and, at the same time, the near-business-host cleaning policy to the cleaning equipment of the Shanghai IDC centre.
2. Attack protection
After the cleaning equipment deployed in the Beijing and Guangzhou IDC centres receives the command to activate the cleaning policy, it diverts traffic based on the IP address of the attacked Shanghai IDC business host: all traffic whose destination address is the attacked IP is pulled to the cleaning device, cleaned, reinjected to the IDC centre egress router, and forwarded upward.
When packets carrying the remaining attack traffic reach the Shanghai IDC, the cleaning device there, according to the cleaning policy it received, pulls all traffic destined for the attacked IP to itself, cleans it, and reinjects the clean traffic to the IDC centre access router, which forwards it down to the business host. The attack traffic is thereby cleaned completely.
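The platform logic of steps 1 and 2 above, together with the policy generation described in Section 3.2 (source region lookup, near-source versus near-business-host policies), condensed into a runnable model. This is an added illustration, not code from the article or from any vendor product; the IP address library, the thresholds, the NetFlow-style flow summaries, the reflection-port cleaning rule and the region names are all constructed assumptions. It also reproduces the residue case from design point (2) in Section 3.1: one source region contributes too little to justify a near-source pull, so its attack traffic crosses the backbone and is only removed near the host.

```python
"""Management-platform model for the two-way, whole-network cleaning scheme.
Added illustration, not the article's or any vendor's code.  The IP address
library, thresholds, flow records and region names are constructed assumptions;
each flow is a (src_ip, dst_ip, proto, src_port, gbps) NetFlow-style summary."""
import ipaddress
from collections import defaultdict

# Constructed IP address library: which cleaning point covers which prefixes.
IP_LIBRARY = {
    "Beijing-IDC": ipaddress.ip_network("198.51.100.0/24"),
    "Guangzhou-IDC": ipaddress.ip_network("192.0.2.0/24"),
    "Shanghai-IDC": ipaddress.ip_network("203.0.113.0/24"),
    "Intl-gateway": ipaddress.ip_network("100.64.0.0/10"),
}
DETECT_GBPS = 40.0       # aggregate rate at which the platform declares a DDoS
NEAR_SOURCE_GBPS = 5.0   # per-region share below which a near-source pull is not worth it
REFLECTOR_PORTS = {53, 123, 1900, 11211}   # DNS, NTP, SSDP, memcached reflectors

# Constructed flow summaries; 203.0.113.10 is the attacked Shanghai host.
FLOWS = [
    ("198.51.100.7", "203.0.113.10", "udp", 123, 120.0),   # NTP reflection, Beijing
    ("198.51.100.9", "203.0.113.10", "udp", 53, 60.0),     # DNS reflection, Beijing
    ("192.0.2.44", "203.0.113.10", "udp", 11211, 150.0),   # memcached, Guangzhou
    ("100.64.3.3", "203.0.113.10", "udp", 1900, 3.0),      # SSDP, below near-source threshold
    ("192.0.2.80", "203.0.113.10", "tcp", 443, 0.4),       # legitimate HTTPS
    ("100.64.9.1", "203.0.113.10", "tcp", 443, 0.2),       # legitimate HTTPS
    ("198.51.100.2", "203.0.113.20", "tcp", 443, 0.1),     # unrelated host, left alone
]


def region_of(ip):
    """Look the address up in the IP address library (Section 3.2, point 1)."""
    addr = ipaddress.ip_address(ip)
    for name, net in IP_LIBRARY.items():
        if addr in net:
            return name
    return "unknown"


def detect(flows):
    """Aggregate per destination; return {victim: gbps} for rates above DETECT_GBPS."""
    per_dst = defaultdict(float)
    for _src, dst, _proto, _sport, gbps in flows:
        per_dst[dst] += gbps
    return {dst: rate for dst, rate in per_dst.items() if rate >= DETECT_GBPS}


def plan(flows, victim):
    """Dispatch: near-source policy for each source region carrying at least
    NEAR_SOURCE_GBPS toward the victim, near-host policy in the victim's region."""
    per_region = defaultdict(float)
    for src, dst, _proto, _sport, gbps in flows:
        if dst == victim:
            per_region[region_of(src)] += gbps
    home = region_of(victim)
    near_source = sorted(r for r, g in per_region.items()
                         if r != home and g >= NEAR_SOURCE_GBPS)
    return {"victim": victim, "near_source": near_source, "near_host": home}


def is_attack(flow):
    """Cleaning rule used by every scrubber here: UDP sourced from reflector ports."""
    _src, _dst, proto, sport, _gbps = flow
    return proto == "udp" and sport in REFLECTOR_PORTS


def scrub(flows, victim):
    """Drop reflection traffic aimed at the victim; pass everything else."""
    return [f for f in flows if not (f[1] == victim and is_attack(f))]


def simulate(flows, dispatch):
    """Near-source cleaning in each dispatched region, then near-host cleaning.
    Returns (gbps crossing the backbone toward the victim, gbps reaching it)."""
    victim = dispatch["victim"]
    upstream = []
    for f in flows:
        if f[1] == victim and region_of(f[0]) in dispatch["near_source"]:
            upstream.extend(scrub([f], victim))   # cleaned in the source region
        else:
            upstream.append(f)                    # unscrubbed, crosses the backbone
    backbone = sum(f[4] for f in upstream if f[1] == victim)
    delivered = scrub(upstream, victim)           # residue cleaned near the host
    reaching = sum(f[4] for f in delivered if f[1] == victim)
    return backbone, reaching


if __name__ == "__main__":
    for victim in detect(FLOWS):
        dispatch = plan(FLOWS, victim)
        print("dispatch:", dispatch)
        print("near-host only, backbone/reach Gbps:", simulate(FLOWS, dict(dispatch, near_source=[])))
        print("source + host,  backbone/reach Gbps:", simulate(FLOWS, dispatch))
```

With the constructed flows the platform declares an attack on 203.0.113.10 at 333.6 Gbps, dispatches near-source policies to Beijing-IDC and Guangzhou-IDC and the near-host policy to Shanghai-IDC. Near-host cleaning alone carries all 333.6 Gbps across the backbone; with near-source cleaning only 3.6 Gbps does, of which the 3.0 Gbps SSDP residue from the international gateway is removed by the Shanghai device, leaving the 0.6 Gbps of legitimate HTTPS.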
4. Summary
Adopting the large-traffic DDoS protection scheme discussed in this article gives telecom operators elastic protection against large-traffic DDoS attacks, makes full use of security equipment that has already been purchased, and saves investment. It also greatly reduces abnormal traffic on the backbone network and the pointless bandwidth consumption it causes.
As large-traffic DDoS attacks become common, DDoS protection equipment built by IDC centre tenants themselves can no longer meet protection requirements. Telecom operators can rely on this elastic large-traffic protection capability to offer IDC tenants anti-DDoS protection as a value-added service and earn additional revenue.