Shulou(Shulou.com)06/02 Report--

This article mainly introduces what ddos defense technology has, which has a certain reference value, interested friends can refer to, I hope you can learn a lot after reading this article, let the editor take you to understand it.

Ddos*** simple Defense Summary:

NUM.1 takes advantage of the classic feature of ios: ip tcp intercept

This feature can be turned on on the network border router, and its principle is to complete the three-way handshake instead of server. If the * * user does not complete the three-way handshake, router will not enable him to communicate with the server. After the normal user completes the three-way handshake with router, router will also disguise the user to make a three-way handshake with server, and then send the normal reply to the server.

Ip tcp intercept has both active and passive modes, the default active mode, passive mode requires the establishment of a complete link within XX seconds, otherwise T drop!

NUM.2 intercepts RFC1918

Generally speaking, the addresses of ddos*** are forged private network addresses. We can enable ACL on the router to block addresses whose source is RFC1918.

NUM.3 unicast RFC

When multiple interfaces of a router link multiple network segments, unicast RFC can be configured so that each interface can only receive packets whose source address is the linked network segment of this interface, and discard packets that cannot be detected by the ip source address.

NUM.4 configure IOS status Monitoring packet filtering Firewall (1.CBAC Technology 2.zoned-based Technology)

A very old ios firewall technology. Cbac technology is based on the interface, first deny ip any any, prohibit Internet access to the intranet, write the monitoring policy under the global, for example, ip inspect name CBAC telnet is to monitor the traffic of the telnet, and then apply the policy to the exit or direction of the interface. After that, telnet can be connected, and you can view the state information table on the router with the command: "show ip inspect session". The status information table includes the source destination address and port number. Future packet communications give priority to check the state table entries. If there are entries in the status table entries, you can communicate directly without asking ACL.

Cbac technology also has drawbacks, because it is interface-based, so it will affect the traffic of DMZ. Explain that you cannot distinguish between the dmz and the traffic to the private network when entering the cbac. For example, it is impossible to configure the public network to DMZ to monitor the http and the public network to the private network to monitor the telnet.

Zoned-based technology zone is a collection of a series of interfaces.

Feature 1: policies apply to specific inter-zone traffic, not interfaces.

Feature 2: policies based on specific hosts and subnets can be configured.

Feature 3: the default policy deny traffic between all zone.

Feature 4: provides very, very powerful DPI (Deep packet Monitoring) function. For example, limit the length of the message, url field, etc., can be limited very fine, more abnormal than ASA!

Feature 5: provides better performance than cbac.

The disadvantage is that it is very difficult to configure, the more zone, the more troublesome, because each zone has to have a strategy with other zone, which is very painful.

All of the above are lower than ios through ios features, which are somewhat unreliable, especially ip tcp intercept technology. One or two thousand packets can still be busy. Under the traffic from G to G, router has long been out of its wits.

After consulting, it is found that large IT enterprises and banks generally use guard + dectecor to deploy their own cleaning centers.

The following is the deployment method of the network-wide ddos cleaning center:

Here I briefly summarize the downflow traction technology:

The traffic cleaning center uses IBGP or EBGP protocol

First of all, BGP Peer can be established with multiple core devices directly connected or not directly connected to the user traffic path in the man.

1. When ddos*** occurs, the ids of the mirror port of the router will find * *, and then notify the cleaning center (many guard).

two。 The traffic cleaning center issues BGP update route advertisements to core routes through the BGP protocol.

Update the routing table on the core route

Dynamically tow the flow through all core equipment to the flow cleaning center for cleaning

3. The no-advertise attribute is added to the BGP route issued by the traffic cleaning center (when a router receives a bgp route with the no-export attribute, the router will no longer send the route to the EBGP peer and the IBGP peer)

Ensure that the routes issued by the cleaning center will not be spread to the metropolitan area network

At the same time, the routing policy does not receive routing updates issued by the core router on the traffic cleaning center.

So as to strictly control the impact on other networks

Of course, after cleaning, the normal flow flows into the target server through the cleaning center.

Thank you for reading this article carefully. I hope the article "what are the ddos Defense Technologies" shared by the editor will be helpful to you? at the same time, I also hope you will support us and pay attention to the industry information channel. More related knowledge is waiting for you to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.