What is bypass deployment? How does it solve the problem of DDoS protection in large data centers?

As DDoS attacks become an increasingly frequent threat to core business systems and data security, delegating DDoS protection to specialized service providers has become a common approach. Large data centers usually rely on bypass (off-path) deployment: the anti-DDoS (ADS) device does not need to be inserted in series into the existing network, which removes a point of failure, and because most of the bandwidth does not have to pass through the ADS device in real time, a relatively small cleaning capacity can protect a high-bandwidth network, lowering the investment required. Bypass deployment works as follows:
• Attack detection: attack traffic is observed through a mirror interface or NetFlow export, and the system judges whether a denial-of-service attack is under way.
• Traffic pulling (diversion): once a denial-of-service attack is confirmed, routing and switching techniques are used to redirect the traffic originally destined for the victim IP to the bypass ADS device. The diverted traffic is a mixture of normal traffic and attack traffic;
• Attack protection / traffic cleaning: the ADS device separates and filters the denial-of-service attack traffic out of the mixed traffic through multi-stage identification and cleaning of unwanted traffic;
• Traffic re-injection: the normal traffic left after cleaning is injected back into the network so that it reaches the destination IP.
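The four bypass steps above, as an added simulation that is not code from the original article: detection over constructed NetFlow-like records, generation of the more-specific route that pulls the victim's traffic to the ADS device, and cleaning of the diverted flows before re-injection. The flow records, thresholds, scrubbing next hop and route record format are all assumptions chosen for illustration.

```python
"""Simulated bypass (off-path) DDoS detection, traffic pulling and cleaning.

Added example, not code from the original article. The flow records are
constructed to resemble sampled NetFlow export; the scrubbing device's next
hop, the thresholds and the route record format are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass
class Flow:
    src: str
    dst: str
    packets: int


# Constructed sample: 203.0.113.10 is flooded from 50 distinct sources and
# also has one genuine client; 203.0.113.20 only sees ordinary traffic.
SAMPLE_FLOWS = [Flow(f"198.51.100.{i}", "203.0.113.10", 400) for i in range(1, 51)]
SAMPLE_FLOWS += [Flow("192.0.2.7", "203.0.113.10", 20),
                 Flow("192.0.2.5", "203.0.113.20", 30),
                 Flow("192.0.2.6", "203.0.113.20", 12)]


def detect_victims(flows, window_s=10, pps_limit=1000, min_sources=20):
    """Attack detection: aggregate flows per destination and flag it when the
    packet rate exceeds pps_limit and at least min_sources sources are seen."""
    pkts, srcs = defaultdict(int), defaultdict(set)
    for f in flows:
        pkts[f.dst] += f.packets
        srcs[f.dst].add(f.src)
    return sorted(d for d in pkts
                  if pkts[d] / window_s > pps_limit and len(srcs[d]) >= min_sources)


def pull_route(victim, scrub_next_hop="10.255.0.2"):
    """Traffic pulling: the more-specific /32 route that redirects the victim's
    traffic to the bypass ADS device (the next hop is an assumed address)."""
    return {"prefix": str(ipaddress.ip_network(f"{victim}/32")),
            "next_hop": scrub_next_hop}


def clean_and_reinject(flows, victim, max_pkts_per_src=100):
    """Cleaning and re-injection: of the diverted flows to the victim, keep only
    sources within a per-source packet limit; these are injected back toward
    the destination while the rest is discarded."""
    return [f for f in flows if f.dst == victim and f.packets <= max_pkts_per_src]
```

Only the flagged destination is diverted, so 203.0.113.20 never touches the ADS device; that is the point of keeping the cleaning capacity off the main path.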
Bypass deployment has the following advantages: the ADS device only starts to receive diverted mixed traffic when an IPS or other security device raises a linked alarm, and under normal conditions it is idle; because the device sits off-path, a failure of the ADS device does not affect network connectivity; several devices can be combined to multiply the cleaning capacity; and both manual and automatic traffic diversion are supported, so security engineers can complement what the equipment does on its own.
Tier 1 operators manage and operate abundant backbone bandwidth, which gives them an inherent advantage in suppressing large and very large volumetric DDoS attacks. Operators underpin the entire network, and all attack traffic must pass through them, so a comprehensive crackdown on DDoS attacks at the operator level would be effective once and for all. Operators should therefore build a DDoS protection fortress for their users.
For operators, network availability is a decisive factor in ROI. If an operator's underlying network is attacked, every service it carries is paralyzed, which inevitably degrades service quality or causes outright failure. In today's fiercely competitive operator market, degraded service quality means lost customers, especially the large, high-ARPU customers who will switch to another operator, which is a fatal blow. Effective DDoS protection is therefore essential to guaranteeing the quality of network services. For operators and IDCs, DDoS protection not only avoids business losses but can also be offered to end users as a value-added service, creating a new source of profit and strengthening the operator's competitive position.
At present most DDoS attacks use forged source IP addresses; reflective DDoS attacks in particular are impossible without them. If an operator enables source IP verification across its entire network, packets with forged source addresses cannot reach the Internet, which stops DDoS attacks at the source. Because network-wide source address validation may be very hard to deploy, and the source address is still the key to stopping DDoS, traceability techniques should also be used: when an attack occurs, quickly locate the attack source, collect evidence, and cut off the source's network access so that the attack stops at its origin.
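The network-wide source IP verification described above, as an added simulation that is not code from the original article: a strict reverse-path check at an access router that forwards a packet only when the route back to its source address points out the interface the packet arrived on. The interface-to-prefix table and the sample packets are constructed; a real router would derive the table from its forwarding table.

```python
"""Strict source-address validation at the access edge (a uRPF-style check).

Added example, not from the original article. The interface-to-prefix table
and the packets are constructed; a real router derives the table from its FIB.
"""
import ipaddress

# Assumed access router: customer prefixes reachable through each interface.
# A strict check accepts a packet only when the route back to its source
# address points out the same interface the packet arrived on.
ROUTES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/25")],
    "ge-0/0/2": [ipaddress.ip_network("192.0.2.128/25")],
    "ge-0/0/3": [ipaddress.ip_network("198.51.100.0/24")],
}


def reverse_path(src):
    """Interface through which src would be reached (longest prefix match),
    or None if the address is not routed at all."""
    addr = ipaddress.ip_address(src)
    best = None
    for iface, prefixes in ROUTES.items():
        for p in prefixes:
            if addr in p and (best is None or p.prefixlen > best[1].prefixlen):
                best = (iface, p)
    return best[0] if best else None


def validate_source(ingress_if, src):
    """Forward only when the reverse path equals the ingress interface;
    forged or unroutable source addresses are dropped."""
    return reverse_path(src) == ingress_if


def filter_packets(packets):
    """Split (ingress_if, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if validate_source(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped


# Constructed packets: two genuine customers, one carrying a source address
# from another interface's prefix, one carrying an address not routed here.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.5"),
    ("ge-0/0/3", "198.51.100.7", "203.0.113.5"),
    ("ge-0/0/1", "192.0.2.200", "203.0.113.5"),
    ("ge-0/0/2", "203.0.113.99", "203.0.113.5"),
]
```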
Ordinary users should, where possible, be given private IP addresses, with multiple users sharing one public IP through NAT. This first conserves IP addresses; second, the source address of every packet an ordinary user sends is replaced by NAT with a real address, which prevents source address forgery; and third, it also improves the safety of ordinary users, since it is equivalent to adding a firewall that blocks most active connections from the public network, such as scans. Alternatively, unused parts of the IP header, such as the eight-bit QoS field and the IP option field, can carry a source identification function: each access-layer routing or switching device inserts a different marker, so the general origin of a packet can be found from the marker it carries.
Operators must pay close attention to the security of their own network equipment and must not allow it to become a reflection amplifier or to fall under the control of attackers, because operators play a vital role in the network. If an attacker remotely shuts down a core switch, the damage is greater and more effective than any DDoS attack. Operators should establish traffic cleaning centers in each region to clean DDoS traffic, offer cleaning services to enterprises, and divert DDoS traffic to those centers; during a large-scale DDoS attack the cleaning work can be shared among them. In short, cloud computing companies have abundant computing power and operators have abundant bandwidth; combining the two can greatly improve resistance to DDoS.
During an attack, the DDoS defender and the attacker are like two players at a chess board, each changing attack or defense methods in response to the other's moves. A target is very hard to defeat with a single method, and it is equally unrealistic to rely on ADS equipment to automatically defend against every attack. In both attack and defense, people should remain in control: through the professional knowledge and experience of security staff, defense equipment is used and configured sensibly so as to defend better against the various DDoS attacks coming from all sides.
This article is reproduced from: http://www.heikesz.com/ddos1/2783.html

Origin blog.csdn.net/weixin_51110871/article/details/112179496