Facing the continuous evolution of DDoS, what kind of DDoS protection mechanism can help you out of the sea of hardship?

DDoS attacks are constantly changing and evolving. Faced with this, how can companies protect against DDoS proactively and effectively? DDoS (distributed denial of service) attacks have existed for a long time, so why does such a simple and crude attack method remain effective today, to the point of becoming the "number one enemy" of the stable operation of major websites?


A DDoS attack is a highly destructive and highly efficient network attack that floods the target network with a large volume of attack traffic so that the victim website can no longer process legitimate requests. Because it is cheap and effective, it is favored by cybercriminals and has become an important weapon for attacking and extorting commercial websites. Current DDoS attacks show three major trends:

The first is the polarization ("M-shaped") trend of attacks. Current DDoS attacks include not only flooding attacks that rely on large volumes of traffic, but also state exhaustion attacks and application-layer attacks that strike precisely at a chosen weak point. Whichever method is used, it can be powerfully destructive and cause serious damage to a corporate website.

Second, the scale of new forms of DDoS attacks keeps growing. In the early years, attackers could achieve their goal with dozens of Mbps or even 1Gbps of attack traffic. As defenders have strengthened their defences, attackers have likewise raised the stakes: the first 300G-scale attack traffic appeared in 2013, 400Gbps appeared in 2014, 500Gbps was reached in 2015, and the likelihood of further records being broken is not low.

Then there is the change in attack tempo. Besides traditional DDoS attacks launched within a concentrated period of time, attacks that use slow or even small amounts of malicious traffic to bring down enterprise application servers have also become popular worldwide. Moreover, mixing several attack types in a single event, for example launching a state exhaustion attack first and following it with a traffic flood, has also become popular and poses unexpected threats to websites.

So, faced with the DDoS attack trends above, are the current mainstream protection mechanisms inadequate? At present, mainstream protection mechanisms can be roughly divided into three groups: vendors' DDoS protection solutions based on firewalls, intrusion detection systems, web application protection systems and load-balancing equipment; local operators' or ISPs' traffic cleaning centers; and CDN vendors.

However, each of the above protection schemes has weak spots of one kind or another. For example, the traditional security devices offered by the first group of vendors were not originally designed to protect against DDoS. Because they are stateful, attackers can take them down with a state exhaustion attack before they even get to perform their DDoS protection function; they cannot protect even themselves. And some non-specialist DDoS protection devices are prone to misclassifying traffic.

Operators' or ISPs' traffic cleaning centers can provide limited cleaning capacity, but when faced with violent traffic attacks they often still cannot clean effectively, or cannot clean at all; they also cannot actively detect L7 attack behaviour, and their costs are hard to budget for. They therefore lack depth of protection against DDoS.

CDN vendors, for their part, often lack breadth of defence. For example, they cannot block non-web attacks; attacks against the real IP behind the CDN cannot be blocked; for customers with dynamic web content they cannot block state exhaustion attacks; and, constrained by financial regulatory standards, they cannot support the encryption and decryption required for financial transactions, and so on.

Since all current DDoS protection schemes are unsatisfactory in one way or another, how should DDoS attacks be handled? Complete and reliable DDoS protection must adopt a multi-level, all-round blocking strategy, and such a protection system needs the following six characteristics:

(1) On-site protection equipment must actively detect all types of DDoS attacks, including traffic attacks, state exhaustion attacks and application-layer attacks, 24 hours a day;
(2) On-site protection equipment must be able to block attack traffic as soon as it detects it;
(3) Using Arbor Pravail Availability Protection System (APS) equipment, the attacker's probing traffic can be blocked automatically, the frequency of subsequent attacks delayed, and an active defence mounted;
(4) To avoid the drawbacks of firewalls and similar equipment described above, users should choose protection equipment with a stateless architecture (Stateless Architecture);
(5) Use a cloud platform and big-data analysis to accumulate and rapidly detect attack signatures and build a signature database (Signature Database) to help companies detect and block malicious traffic attacks;
(6) Combine APS equipment with the Arbor Cloud cleaning center for coordinated protection.
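As an added illustration of characteristic (1), not code from the article or from Arbor: a toy Python classifier that labels one sampling window of connection records as a volumetric flood, a state exhaustion attack or a slow application-layer attack, with constructed sample windows reproducing the state-exhaustion-then-flood sequence described above. All thresholds, the Conn record and the addresses are assumptions.

```python
"""Toy classifier for the three DDoS categories the article names: volumetric
floods, state exhaustion and slow application-layer attacks (illustration)."""
from dataclasses import dataclass

# Thresholds are assumptions for this example, not vendor defaults.
FLOOD_BPS = 1_000_000_000      # 1 Gbps sustained ingress counts as a flood
HALF_OPEN_RATIO = 0.8          # share of TCP connections stuck in SYN_RECV
SLOW_CONN_SECONDS = 60         # request still incomplete after a minute
SLOW_CONN_COUNT = 50           # how many such connections before alerting

@dataclass
class Conn:
    src: str
    state: str       # "SYN_RECV" (half-open) or "ESTABLISHED"
    bytes_in: int    # bytes received from this peer in the window
    age: float       # seconds since the connection was opened
    complete: bool   # has a full application request been received?

def classify(conns, window_seconds):
    """Return the set of attack classes observed in one sampling window."""
    found = set()
    # Volumetric: aggregate ingress rate over the window.
    total_bits = sum(c.bytes_in for c in conns) * 8
    if total_bits / window_seconds >= FLOOD_BPS:
        found.add("volumetric")
    # State exhaustion: the connection table fills with half-open entries
    # while the byte rate stays low; this is what a stateful device cannot absorb.
    half_open = sum(c.state == "SYN_RECV" for c in conns)
    if conns and half_open / len(conns) >= HALF_OPEN_RATIO:
        found.add("state_exhaustion")
    # Slow application-layer: few bytes, but requests never complete.
    slow = [c for c in conns if c.state == "ESTABLISHED" and not c.complete
            and c.age > SLOW_CONN_SECONDS]
    if len(slow) >= SLOW_CONN_COUNT:
        found.add("slow_application_layer")
    return found

def demo_windows():
    """Constructed 10 s windows: state exhaustion first, then a traffic flood
    (the mixed sequence the article mentions), then a slow L7 attack."""
    w1 = [Conn(f"10.0.{i // 256}.{i % 256}", "SYN_RECV", 60, 0.5, False)
          for i in range(900)]
    w1 += [Conn(f"192.0.2.{i}", "ESTABLISHED", 4000, 2.0, True)
           for i in range(100)]
    w2 = [Conn(f"203.0.113.{i % 250}", "ESTABLISHED", 15_000_000, 1.0, True)
          for i in range(100)]          # 1.5 GB in 10 s = 1.2 Gbps
    w3 = [Conn(f"198.51.100.{i}", "ESTABLISHED", 200, 120.0, False)
          for i in range(60)]
    return [classify(w, 10) for w in (w1, w2, w3)]
```

Each window is classified independently; a real on-site device would correlate consecutive windows to recognise the mixed sequence as one event.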


Clearly, with the comprehensive DDoS protection strategy above, enterprises can not only build an efficient multi-level DDoS protection system but also remain invincible in the face of increasingly severe DDoS attacks.

This article is from: https://www.zhuanqq.com/News/Industry/307.html


Origin blog.csdn.net/blublu7080/article/details/112447396