
How to solve the DDoS attack

2025-01-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains how DDoS attacks arise and how they are mitigated, using the Memcache reflection attack as a worked case. The content is concise and easy to understand, and I hope you gain something from it.

Network security is a perennial topic of discussion. For Internet enterprises, without security there is no survival.

How to ensure enterprise security has therefore become a hot topic of research.

Network security status quo

Current security threat issues are categorized into three areas: service stability security, data security, and operational security.

First, service stability and reliability. On the one hand this depends on the stability and reliability of the information system itself, and once a system moves to the cloud the number of influencing factors grows: virtual machine performance, the virtual machine migration mechanism, network link redundancy, the system's disaster recovery mechanism, and so on. On the other hand, external attacks such as DDoS attacks and DNS domain hijacking directly determine whether the service stays available.

Second, data security. Data security problems centre on data leakage and data tampering. The recent Facebook user data leak shows how harmful and serious leakage is. The incident was caused by cooperation with other companies: the data destruction step was never verified, so a partner leaked the data, which created an unprecedented survival problem for Facebook and made many more Internet enterprises pay attention to data protection. The case also illustrates the enterprise security principle of "three parts technology, seven parts management." Besides leaks caused by internal management or personnel problems, the damage done by external network attacks cannot be ignored: common web application attacks, system-level exploits, and increasingly sophisticated targeted APT attacks have seriously harmed the survival and operation of enterprises, and even national security.

Third, operation security: phishing websites, copycat applications, and junk content seriously affect the user experience, endanger the interests of users, and cause reputation damage and profit damage to enterprises.

DDoS Attacks Today

Several characteristics of DDoS attacks can be seen from the statistics cited in the original report:

1. Southern China suffered more DDoS attacks, with Zhejiang Province attacked the most;

2. DDoS attacks on telecommunication lines are large in scale, often reaching the terabit level;

3. Two-thirds of DDoS attacks lasted less than 10 minutes, about 30.5% lasted between 10 minutes and one hour, and fewer than 0.1% lasted more than one hour.

Why are DDoS attacks so rampant?

First, the profit chain behind attacks is mature and the cost of attacking keeps falling. The DDoS underground industry offers a complete service with a range of packages; a DDoS attack service can be bought for a few dozen yuan a month.

Second, attack traffic grows year by year. On the one hand, the bandwidth available to individuals and enterprises keeps increasing. On the other hand, smart home and Internet of Things devices are widely deployed with weak security protection, which gives attackers more devices to abuse and makes it easy to assemble large attack clusters.

Third, tracing is difficult. Between the end that issues the attack command and the servers that actually attack there may be several hops, and together with IP spoofing and similar techniques this makes finding the source of an attack very hard. Attackers therefore have essentially nothing to fear. Real traceability requires a very high outlay and experienced attack-and-defence experts or teams, so the victim can only defend passively.

Story analysis: Memcache reflective attack

The main character of the story is the Memcache server. Its job is to cache some of the content accessed by an enterprise application system so that data can be served faster.

From a management perspective, Memcache servers, as servers for intranet applications, should not be exposed to the public network. However, there are still many companies whose operation and maintenance managers manage through public networks for the convenience of operation and maintenance, which is the basic premise for using Memcache to carry out DDoS attacks.

Another key factor is that the Memcache server has no authentication step: anyone who scans the IP and port can access it. The core factor that makes the attack possible is the memcache access protocol itself. After a request is sent to the memcache server, the reply is far larger than the request, which produces an amplification effect. The attacker sends requests to the memcache server with a forged source IP, and the result is a reflection amplification DDoS attack with an amplification factor reaching 50,000 times (5W in the original report). This is how a very large-scale DDoS attack method is formed. The typical incident is GitHub, which suffered a terabit-scale reflection amplification DDoS attack built on memcache servers.

It is worth noting that Memcache attacks, despite their scale, are only an emerging attack method. In the overall DDoS statistics they account for less than one percent. Most attacks still use existing methods such as DNS reflection attacks and SSDP attacks (which use port 1900 on Internet of Things devices for reflection).

How to solve Memcache reflective attacks?

According to the distribution of Memcache servers, there are more than 20,000 (2W) usable Memcache servers in China and more than 100,000 (10W) worldwide. Given that scale of impact, it is urgent to solve the Memcache server reflection attack problem.

Gao Hongliang, product architect of NetEase Cloud Shield, suggested that at the prevention stage the operation and maintenance manager of a Memcache server should close the abused port 11211 and place the memcache server on the intranet so it cannot be exploited. However, such incidents cannot be eliminated completely: human factors remain, and there will always be devices on the Internet that can be abused. For an attack that has already formed, the victim can use a cloud cleaning service for protection.

DDoS attack classification and protection

Attack classification:

Judged by their effect, DDoS attacks fall into two types. The first consumes bandwidth resources; the typical case is a reflection-based traffic attack.

The second exhausts the server's resources: the server's connection table, its CPU, and the DNS server that resolves its domain name are all resources. By occupying them the attacker prevents the server from serving the outside world, which achieves the attack's goal. Typical cases are CC attacks and indirect attacks on DNS servers, which issue large numbers of queries for non-existent domain names to consume the DNS server's resources.

Protection:

For DDoS attacks there are currently only three kinds of protection in China: local deployment of security devices, cloud traffic cleaning, and the operators' cleaning systems together with routing black-hole strategies.

The three methods differ in cost and in the scenarios they suit, so users need to choose a protection scheme according to their own situation.

How does Netease Cloud Shield solve this problem?

Netease Cloud Anti-D Trilogy:

1. Netease deployed high-prevention cleaning clusters at the entrances of Telecom, China Unicom and Mobile regions;

2. The business traffic of high-defense customers is first diverted to the Netease Cloud high-defense room for cleaning and protection;

3. After the cleaning is completed, the user's business traffic can be forwarded back to the client origin server through the high-defense IP.

Before accessing Cloud Anti-D, users are accessing the service system directly. After connecting to Cloud Anti-D, the access data is first sent to the high-defense room of cloud cleaning of Yidun. After the traffic is cleaned, the high-defense room returns the normal business traffic to the actual server.

There are two prerequisites here. First, the protected service is accessed through the domain name. Second, after the high-defense service is installed, the actual IP of the user system should be hidden from the outside to prevent the attacker from bypassing the cloud cleaning system and attacking the IP directly.

In the actual protection process the traffic passes through several cleaning stages. Detection relies mainly on thresholds, traffic characteristics and behaviour-analysis models, with measures such as client authenticity verification, blacklists, ACL control and traffic rate limiting.

The Netease Cloud Yi Shield Cloud Anti-D service provides comprehensive detection and protection against both layer-4 and layer-7 attacks. For policy configuration, several templates are preset and can be adjusted to the specific business, and guided configuration is supported. Business traffic status is shown in a multi-dimensional graphical interface.

In terms of overall capability, Netease Cloud Shield currently supports protection on the lines of all three major operators, with 1 Tbps of protection bandwidth and an SLA availability of 99.9%.

After a service is connected to Anti-D, the added latency is within 100 ms.
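The detection layer described here (thresholds plus ACL and rate-limit decisions) is easiest to see on concrete flow records. The following is an added example, not the article's or NetEase's detection logic: it aggregates constructed flow records into ten-second windows, raises a CC alert when one source opens more connections than a threshold, raises a reflection alert when UDP from a known amplifier source port (the article's memcached 11211, SSDP 1900 and DNS 53, plus NTP 123) exceeds a byte threshold, and turns the alerts into the blacklist, drop and rate-limit actions a cleaning pipeline would apply. Thresholds, addresses and the port table are assumptions chosen for the sample.

```python
"""Threshold-based DDoS detection over flow records, producing the kind of
blacklist / ACL / rate-limit decisions a cleaning pipeline applies.
Added example, not the article's or NetEase's code; all flows, thresholds and
addresses are constructed for illustration."""

from collections import defaultdict

# UDP source ports commonly abused for reflection, with the edge action that
# is safe for each: memcached and SSDP replies have no business arriving at a
# web service and can be dropped; DNS and NTP replies are legitimate in small
# volume, so they are rate-limited instead of dropped.
REFLECTOR_PORTS = {
    11211: ("memcached", "drop"),
    1900: ("SSDP", "drop"),
    53: ("DNS", "rate-limit"),
    123: ("NTP", "rate-limit"),
}

VICTIM = "203.0.113.10"  # constructed address of the protected service


def make_flows():
    """Constructed sample records: (ts, src, sport, dst, dport, proto, bytes)."""
    flows = []
    # Five normal web clients, one connection each.
    for i in range(5):
        flows.append((i, f"198.51.100.{i}", 40000 + i, VICTIM, 443, "tcp", 1500))
    # One client opening 80 connections within 10 s: the CC / HTTP flood pattern.
    for i in range(80):
        flows.append((i % 10, "192.0.2.7", 50000 + i, VICTIM, 443, "tcp", 400))
    # Large UDP packets from source port 11211 landing on the service:
    # memcached reflection traffic arriving at the victim.
    for i in range(40):
        flows.append((i % 10, f"198.51.100.{100 + i}", 11211, VICTIM, 443, "udp", 1400))
    # A few ordinary DNS replies to the host's resolver: small, below threshold.
    for i in range(3):
        flows.append((i, "198.51.100.53", 53, VICTIM, 40000, "udp", 120))
    return flows


def detect(flows, window=10, conn_threshold=50, reflect_bytes=20000):
    """Return {'cc_sources': {src: connections}, 'reflection': {sport: bytes}}
    for sources / amplifier ports that exceed their threshold in one window."""
    conns = defaultdict(int)    # (window, dst, src) -> TCP connection count
    reflect = defaultdict(int)  # (window, dst, sport) -> UDP bytes
    for ts, src, sport, dst, dport, proto, nbytes in flows:
        w = ts // window
        if proto == "tcp":
            conns[(w, dst, src)] += 1
        elif proto == "udp" and sport in REFLECTOR_PORTS:
            reflect[(w, dst, sport)] += nbytes

    alerts = {"cc_sources": {}, "reflection": {}}
    for (w, dst, src), n in conns.items():
        if n > conn_threshold:
            alerts["cc_sources"][src] = max(n, alerts["cc_sources"].get(src, 0))
    for (w, dst, sport), b in reflect.items():
        if b > reflect_bytes:
            alerts["reflection"][sport] = max(b, alerts["reflection"].get(sport, 0))
    return alerts


def acl_actions(alerts):
    """Translate alerts into edge actions: blacklist the CC source, and drop or
    rate-limit inbound UDP from the abused amplifier port."""
    actions = [f"blacklist src {src}" for src in sorted(alerts["cc_sources"])]
    for sport in sorted(alerts["reflection"]):
        name, action = REFLECTOR_PORTS[sport]
        actions.append(f"{action} udp sport {sport} ({name})")
    return actions


if __name__ == "__main__":
    found = detect(make_flows())
    print(found)
    for line in acl_actions(found):
        print(line)
```

The blacklist decision here is purely rate-based; in a real pipeline it is combined with the client authenticity verification the article mentions (a JavaScript or cookie challenge), so that a busy NAT gateway is challenged rather than blocked outright. The byte threshold for reflection is the knob that separates a resolver's normal replies from an amplification flood.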

For onboarding, both Netease Cloud customers and non-Netease Cloud customers are supported, and access takes only about 5 minutes. There are generally four steps:

1. Buy high defense IP in E-Shield console, select Unicom/Telecom/Mobile line;

2. Configure forwarding rules for the high-defense IP, and forward the cleaned traffic to the source IP;

3. Configure protection policies;

4. Switch service DNS to high-defense IP.
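The two prerequisites stated earlier (the service is reached by domain name, and the real IP is hidden once the high-defense service is in front of it) are what steps 2 and 4 have to achieve, and they are easy to get half right. The following checks are an added example, not NetEase's code or console API: every address, range and rule is a constructed placeholder to be replaced with the values from the provider's console. They verify that the service name resolves only to the high-defense IP, that forwarding rules point from a high-defense IP to an origin IP, and that the origin's own firewall admits only the cleaning centre's return-path ranges, so an attacker who learns the origin IP cannot bypass the cleaning.

```python
"""Post-onboarding checks for cloud traffic cleaning: DNS must expose only
the high-defense IP, forwarding rules must map high-defense IP -> origin,
and the origin firewall must admit only the cleaning centre's return path.
Added example, not NetEase's code; all values are constructed placeholders."""

import ipaddress

# Placeholders: replace with the values from the provider's console.
HIGH_DEFENSE_IPS = {"203.0.113.10"}           # the purchased high-defense IP(s)
ORIGIN_IPS = {"198.51.100.20"}                # the real service address(es)
SCRUBBING_RETURN_RANGES = [                   # ranges the cleaning centre forwards from
    ipaddress.ip_network("203.0.113.0/24"),
]


def dns_leaks_origin(answers):
    """answers: A/AAAA records observed for the service name after step 4.
    Returns the records that still expose the origin (empty set is good)."""
    return set(answers) & ORIGIN_IPS


def dns_points_at_high_defense(answers):
    """True when every record for the name is one of the high-defense IPs."""
    return bool(answers) and set(answers) <= HIGH_DEFENSE_IPS


def forwarding_rule_ok(rule):
    """rule: {'listen': (ip, port), 'origin': (ip, port), 'proto': 'tcp'|'udp'}.
    The cleaned traffic must leave a high-defense IP and land on an origin IP."""
    listen_ip, listen_port = rule["listen"]
    origin_ip, origin_port = rule["origin"]
    return (listen_ip in HIGH_DEFENSE_IPS
            and origin_ip in ORIGIN_IPS
            and rule["proto"] in ("tcp", "udp")
            and 0 < listen_port < 65536 and 0 < origin_port < 65536)


def origin_firewall_decision(src_ip):
    """Origin-side ACL: allow only packets from the cleaning centre's return
    path; anything else is a direct hit on the hidden IP and is dropped."""
    ip = ipaddress.ip_address(src_ip)
    return "allow" if any(ip in net for net in SCRUBBING_RETURN_RANGES) else "drop"


def verify_onboarding(dns_answers, rules, sample_sources):
    """Combine the checks; returns a list of problems (empty means ready)."""
    problems = []
    if not dns_points_at_high_defense(dns_answers):
        problems.append(f"DNS does not point only at high-defense IP: {sorted(dns_answers)}")
    leaked = dns_leaks_origin(dns_answers)
    if leaked:
        problems.append(f"DNS still exposes origin: {sorted(leaked)}")
    for rule in rules:
        if not forwarding_rule_ok(rule):
            problems.append(f"bad forwarding rule: {rule}")
    for src in sample_sources:
        if src not in SCRUBBING_RETURN_RANGES and origin_firewall_decision(src) == "allow" \
                and not any(ipaddress.ip_address(src) in n for n in SCRUBBING_RETURN_RANGES):
            problems.append(f"origin accepts direct traffic from {src}")
    return problems


if __name__ == "__main__":
    rules = [{"listen": ("203.0.113.10", 443), "origin": ("198.51.100.20", 443), "proto": "tcp"}]
    print(verify_onboarding(["203.0.113.10"], rules, ["203.0.113.77", "192.0.2.9"]))
    print(verify_onboarding(["203.0.113.10", "198.51.100.20"], rules, []))
```

The DNS check must be run for every name that resolves to the origin, not only the main service name: an old test host name or a mail record that still points at the real address defeats the whole scheme. The origin ACL is the backstop for that case, which is why the firewall decision is checked separately from DNS.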

Where is Netease Cloud Shield leading?

Anti-DDoS: effectively intercepts abnormal packets and resists layer-4 attacks such as SYN Flood, ACK Flood, ICMP Flood, UDP Flood, NTP Flood, SSDP Flood and DNS Flood.

CC protection: effectively resists CC attacks, HTTP Flood and other layer-7 attacks through JS verification, browser fingerprinting, ACLs and similar techniques.

Container isolation: a separate cleaning container is allocated to each high-defense IP, and the containers are isolated from one another so that different high-defense IPs do not affect each other.

Elastic protection: once elastic protection is selected, the business continues to be protected by Netease Cloud Shield even when the attack exceeds the peak of the basic protection.

The above covers how DDoS attacks arise and how they are mitigated.

© 2024 shulou.com SLNews company. All rights reserved.
