Alibaba Cloud DDoS Protection
Alibaba Cloud DDoS Protection is built on Alibaba Cloud's global DDoS protection network combined with Alibaba's self-developed DDoS attack detection and intelligent protection system. It provides a managed DDoS protection service that automatically and quickly mitigates the latency, access restrictions, and service interruptions that network attacks cause to your business, reducing business losses and the risk posed by potential DDoS attacks.
Edited at 2024-01-13 21:13:52
Alibaba Cloud DDoS Protection
What is a DDoS attack
Attack principle
Typically, an attacker uses a compromised account to install the DDoS master (controller) program on one computer and agent programs on many other computers on the network. At a set time the controller communicates with the large population of agents, and each agent launches its attack on the target when it receives the instruction. The controller can activate hundreds or thousands of agents within seconds.
The dangers of DDoS attacks
Significant economic losses
After a DDoS attack, your origin server may be unable to provide service, leaving users unable to reach your business and causing heavy economic losses and brand damage.
For example, when an e-commerce platform suffered a DDoS attack, the website could not be accessed normally and was even taken offline temporarily, so legitimate users could not place orders.
Data breach
Attackers may use a DDoS attack on your server as cover for stealing your core business data.
Malicious competition
Vicious competition exists in some industries, and competitors may attack your services with DDoS to gain an advantage.
For example, a game business suffered a DDoS attack, its player count dropped sharply, and the business went completely offline within a few days.
Common DDoS attack types
Common DDoS attack types, by classification, subclass and description:

Malformed packet attacks
Subclasses: Frag Flood, Smurf, Stream Flood, Land Flood, malformed IP packets, malformed TCP packets, malformed UDP packets, etc.
Description: A malformed packet attack sends defective IP packets to the target system so that it crashes while processing them, achieving denial of service.

Transport layer DDoS attacks
Subclasses: Syn Flood, Ack Flood, UDP Flood, ICMP Flood, Rst Flood, etc.
Description: Take Syn Flood as an example. It abuses the TCP three-way handshake: when the server receives a SYN, it must hold the half-open connection in its listen queue for a period of time. By continuously sending SYNs and never answering the SYN-ACK, the attacker consumes server resources; once the listen queue is full, the server can no longer respond to legitimate users, achieving denial of service.

DNS DDoS attacks
Subclasses: DNS Request Flood, DNS Response Flood, fake-source and real-source DNS Query Flood, attacks on authoritative servers, and attacks on local (recursive) servers.
Description: Take DNS Query Flood as an example. Each query is a real request and, on its own, normal business behaviour. But when many compromised hosts issue massive numbers of domain name queries at the same time, the server can no longer answer legitimate queries, resulting in denial of service.

Connection-type DDoS attacks
Subclasses: TCP slow connection attacks, connection exhaustion attacks, and slow attacks such as Loic, Hoic, Slowloris, Pyloris and Xoic.
Description: Take Slowloris as an example. Its target is the web server's concurrent connection limit: once that limit is reached, the web service cannot accept new requests. Normally the server opens a connection for each new HTTP request and closes it when processing is done. If connections are held open instead, every new request needs another connection, and when all connections are occupied the server cannot handle any new request. Slowloris exploits a feature of the HTTP protocol: the header block of a request ends with \r\n\r\n. If the server receives only \r\n, it treats the headers as unfinished, keeps the connection open, and waits for the rest of the request.

Web application layer DDoS attacks
Subclasses: HTTP Get Flood, HTTP Post Flood, CC, and other attacks.
Description: Application layer attacks usually simulate user requests completely, much like search engines and crawlers, so there is no sharp boundary between them and normal business and they are hard to tell apart. Some transactions and pages in a web service consume large resources: for paging and table splitting in a web application, for example, an oversized page parameter makes frequent page turning occupy more server resources, and under high concurrency and frequent calls such transactions became the targets of early CC attacks. Since most current attacks are hybrid, any frequent operation that simulates user behaviour can be considered a CC attack; vote-brushing software hitting a website is, to some extent, a CC attack. CC attacks target the back-end business of the web application: besides causing denial of service, they directly degrade its functions and performance, including web response time, database services, and disk reads and writes.
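As an added illustration of the Slowloris mechanism just described (example code written for this page, not Alibaba Cloud's), the following guard shows the two server-side defences such a web server needs: a deadline for completing the \r\n\r\n-terminated header block, and a cap on unfinished connections per source address. Connection ids, client addresses and thresholds are constructed assumptions.

```python
"""Guard against Slowloris-style slow-header connections on a web server.
Added example, not Alibaba Cloud code: a server keeps a connection open while
the request headers are incomplete (no terminating CRLF CRLF yet). The guard
closes connections whose headers do not finish within a deadline and caps the
unfinished connections one source may hold. Thresholds are assumptions."""
from dataclasses import dataclass, field

HEADER_END = b"\r\n\r\n"       # terminates the HTTP header block
HEADER_DEADLINE_S = 10.0       # assumed: seconds allowed to finish the headers
MAX_PENDING_PER_SOURCE = 5     # assumed: unfinished connections per client IP


@dataclass
class Conn:
    source: str
    opened_at: float
    buf: bytearray = field(default_factory=bytearray)


class SlowHeaderGuard:
    def __init__(self) -> None:
        self.pending: dict[int, Conn] = {}   # conn id -> unfinished connection
        self.closed: dict[int, str] = {}     # conn id -> reason it was refused

    def open(self, conn_id: int, source: str, now: float) -> bool:
        """Refuse a connection if its source already holds too many unfinished ones."""
        held = sum(1 for c in self.pending.values() if c.source == source)
        if held >= MAX_PENDING_PER_SOURCE:
            self.closed[conn_id] = "per-source pending limit"
            return False
        self.pending[conn_id] = Conn(source, now)
        return True

    def feed(self, conn_id: int, data: bytes) -> bool:
        """Append received bytes; True once the header block is complete."""
        conn = self.pending.get(conn_id)
        if conn is None:
            return False
        conn.buf.extend(data)
        if HEADER_END in conn.buf:
            del self.pending[conn_id]    # request proceeds to normal handling
            return True
        return False

    def sweep(self, now: float) -> list[int]:
        """Close every connection that exceeded the header deadline."""
        expired = [cid for cid, c in self.pending.items()
                   if now - c.opened_at > HEADER_DEADLINE_S]
        for cid in expired:
            del self.pending[cid]
            self.closed[cid] = "header deadline exceeded"
        return expired


def simulate() -> dict:
    """Constructed timeline: one normal client and one slow client."""
    g = SlowHeaderGuard()
    g.open(1, "198.51.100.10", now=0.0)
    done = g.feed(1, b"GET / HTTP/1.1\r\nHost: shop.example\r\n\r\n")
    for cid in range(2, 9):                   # slow client opens 7 connections
        g.open(cid, "203.0.113.7", now=0.0)
    g.feed(2, b"GET / HTTP/1.1\r\nHost: shop.example\r\n")  # headers never end
    g.feed(2, b"X-a: 1\r\n")
    expired = g.sweep(now=HEADER_DEADLINE_S + 1)
    return {"legit_done": done, "expired": expired, "closed": dict(g.closed)}
```

In the simulated run the normal client completes its headers immediately, the slow client is refused its sixth and seventh connection by the per-source cap, and its five accepted connections are closed by the sweep once the deadline passes.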
How to determine whether your business has suffered a DDoS attack?
Your business may have suffered a DDoS attack when:
With the network and hardware otherwise healthy, the server suddenly loses connectivity, responds slowly, or drops user sessions.
Server CPU or memory usage rises sharply.
Network outbound or inbound traffic increases significantly.
Your website or application suddenly receives a large number of visits from unknown sources.
Logging in to the server fails or is very slow.
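The "large number of unknown visits" indicator above, together with the CC pattern of frequent, expensive paging requests described under attack types, can be checked against web access logs. This is an added example, not Alibaba Cloud code; the log lines, client addresses and thresholds are constructed assumptions.

```python
"""Flag CC-style request floods in web access logs.
Added example, not Alibaba Cloud code. It checks two indicators from the text:
a burst of requests from one client inside a short window, and repeated calls
to expensive paging requests with an oversized page parameter. The log lines
are constructed (Common Log Format); the thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW_S = 10             # assumed: sliding window length in seconds
MAX_REQ_PER_WINDOW = 20   # assumed: requests one client may make per window
MAX_PAGE = 100            # assumed: deepest page a real user browses to


def parse(line: str):
    """Split one access-log line into client IP, timestamp, path and query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    url = urlsplit(target)
    return {"ip": ip, "time": datetime.strptime(ts, TIME_FMT), "method": method,
            "path": url.path, "query": parse_qs(url.query), "status": int(status)}


def detect(lines):
    """Return {client_ip: set(reasons)} for clients that look like CC sources."""
    recent = defaultdict(deque)      # ip -> timestamps inside the window
    flagged = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                 # unparsable line: count nothing
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while (q[-1] - q[0]).total_seconds() > WINDOW_S:
            q.popleft()              # drop requests outside the window
        if len(q) > MAX_REQ_PER_WINDOW:
            flagged[rec["ip"]].add("request rate")
        page = rec["query"].get("page", ["0"])[0]
        if page.isdigit() and int(page) > MAX_PAGE:
            flagged[rec["ip"]].add("oversized paging")
    return dict(flagged)


def constructed_log():
    """Five normal requests two seconds apart, then 30 requests in 8 seconds
    from a single source walking to page 5000 of a product listing."""
    fmt = '{ip} - - [13/Jan/2024:21:13:{sec:02d} +0800] "GET {target} HTTP/1.1" 200 512'
    lines = [fmt.format(ip="198.51.100.10", sec=s, target="/products?page=2")
             for s in range(0, 10, 2)]
    lines += [fmt.format(ip="203.0.113.7", sec=i // 4, target="/products?page=5000")
              for i in range(30)]
    return lines


if __name__ == "__main__":
    for ip, reasons in detect(constructed_log()).items():
        print(ip, sorted(reasons))
```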
Best practices for mitigating DDoS attacks
DDoS attack mitigation solution
Reduce the attack surface: isolate resources and unrelated services to lower the risk of being attacked.
Configure security groups
Avoid exposing service ports that are not essential to the business on the public network, so that unrelated requests and access never reach them. Security groups effectively prevent the system from being scanned or accidentally exposed.
Use a private network VPC (Virtual Private Cloud)
A VPC provides logical isolation within the network and prevents attacks from compromised hosts on the internal network.
Optimize the business architecture: use public cloud capabilities to design for elastic scaling and disaster recovery failover.
Scientifically evaluate business architecture performance
Early in deployment, and during operation, the technical team should stress test the business architecture to measure the throughput the existing architecture can handle and to provide detailed technical parameters that guide DDoS defense.
Resilient and redundant architecture
Use load balancing or a multi-region, multi-center architecture so that no single point of failure affects the whole business. If your business is on Alibaba Cloud, you can use the load balancing service SLB (Server Load Balancer) to process business access concurrently on multiple servers, spreading user traffic evenly across them. This reduces the load on any single server and raises business throughput, which effectively mitigates connection layer DDoS attacks within a certain traffic range.
Deploy elastic scaling
Auto Scaling is a management service that automatically and economically adjusts elastic computing resources according to your business needs and policies. With elastic scaling, the system can effectively mitigate session layer and application layer attacks, automatically adding servers during an attack to increase processing capacity and avoid serious impact on the business.
Optimize DNS resolution
Optimizing DNS resolution through intelligent resolution can effectively avoid the risk of DNS traffic attacks. At the same time, it is recommended that you host your business with multiple DNS service providers and consider optimizing DNS resolution from the following aspects.
Block unsolicited DNS responses
Drop fast retransmit packets
Enable TTL
Discard DNS query request and response data from unknown sources
Drop unsolicited or bursty DNS requests
Enable DNS client verification
Cache response data
Restrict access with ACLs
Leverage ACL, BCP38 and IP reputation features
Provision spare bandwidth
Use server performance testing to determine the bandwidth and request volume the business tolerates under normal conditions. Leave a margin of spare bandwidth when purchasing so that an attack pushing traffic above normal usage does not immediately affect legitimate users.
Harden the server and raise its own capacity, such as the number of connections it can handle.
Strengthen the security of the operating system and the software services on the server to reduce the points that can be attacked and raise the attacker's cost:
Make sure the server's system files are the latest version and apply system patches promptly.
Audit all server hosts so you know where their visitors come from.
Filter unnecessary services and ports. For example, on a WWW server open only port 80 and close all other ports, or set a blocking policy on the firewall.
Limit the number of SYN half-connections open at the same time, shorten the SYN half-connection timeout, and rate-limit SYN and ICMP traffic.
Check the logs of network devices and server systems carefully. If vulnerabilities appear or the system time changes unexpectedly, the server may be under attack.
Restrict network file sharing outside the firewall to reduce the chance of attackers intercepting system files; if an attacker replaces a shared file with a Trojan horse, the file transfer function is compromised.
Make full use of network equipment to protect network resources. When configuring routers, consider policies for flow control, packet filtering, half-connection timeouts, discarding garbage packets, discarding packets from forged sources, SYN thresholds, and disabling ICMP and UDP broadcasts.
Use a software firewall such as iptables to limit new TCP connections from suspected malicious IPs and to cap their connection counts and transmission rates.
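A check a practitioner can run after applying the SYN and ICMP items above: an audit of the relevant Linux sysctl values against a baseline. This is an added example, not Alibaba Cloud code; the recommended values are illustrative assumptions, not product guidance.

```python
"""Audit Linux kernel settings against the SYN and ICMP hardening items above.
Added example, not Alibaba Cloud code. BASELINE maps each sysctl key to the
relation it should satisfy; the values are illustrative assumptions, not
product guidance. read_sysctl() reads /proc/sys where available and
evaluate() takes a plain dict so the check also runs on captured values."""
import operator
from pathlib import Path

# key -> (relation, recommended value, why it matters)
BASELINE = {
    "net.ipv4.tcp_syncookies": (operator.eq, 1,
        "SYN cookies keep accepting clients when the half-open queue fills"),
    "net.ipv4.tcp_synack_retries": (operator.le, 2,
        "fewer SYN-ACK retries shorten the SYN half-connection timeout"),
    "net.ipv4.icmp_echo_ignore_broadcasts": (operator.eq, 1,
        "ignore ICMP broadcast echo requests used by Smurf"),
    "net.ipv4.icmp_ratelimit": (operator.ge, 1,
        "ICMP rate limiting must stay enabled (0 disables it)"),
    "net.ipv4.conf.all.rp_filter": (operator.ge, 1,
        "reverse-path filtering drops packets from forged source addresses"),
}
RELATION = {operator.eq: "==", operator.le: "<=", operator.ge: ">="}


def read_sysctl(keys):
    """Read current values from /proc/sys; unreadable keys are left out."""
    current = {}
    for key in keys:
        path = Path("/proc/sys", *key.split("."))
        try:
            current[key] = int(path.read_text().split()[0])
        except (OSError, ValueError, IndexError):
            pass
    return current


def evaluate(current):
    """Return one finding per baseline key that is missing or out of policy."""
    findings = []
    for key, (op, want, why) in BASELINE.items():
        have = current.get(key)
        if have is None:
            findings.append(f"{key}: not readable, expected {RELATION[op]} {want}")
        elif not op(have, want):
            findings.append(f"{key}={have}: expected {RELATION[op]} {want} ({why})")
    return findings


if __name__ == "__main__":
    for line in evaluate(read_sysctl(BASELINE)) or ["all checked settings meet the baseline"]:
        print(line)
```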
Carry out business monitoring and emergency response.
Pay attention to basic DDoS protection monitoring
When your business suffers a DDoS attack, basic DDoS protection sends alarm notifications by SMS and email by default.
Cloud monitoring
The cloud monitoring service can be used to collect and obtain monitoring indicators of Alibaba Cloud resources or user-defined monitoring indicators, detect service availability, and support setting alarms for indicators.
Establish emergency response plan
Based on the current technical business structure and personnel, prepare emergency technical plans in advance. If necessary, conduct technical drills in advance to test the rationality of the emergency response plan.
Choose the right business security solution. Alibaba Cloud provides both free basic DDoS protection and commercial security solutions.
Web Application Firewall (WAF)
For web applications, WAF effectively defends against common HTTP flood attacks as well as other connection layer, session layer, and application layer attacks.
DDoS native protection
DDoS native protection gives cloud product IPs shared, full-capacity protection against DDoS attacks, and it takes effect immediately.
Advanced DDoS protection
For large-traffic DDoS attacks, it is recommended to use Alibaba Cloud DDoS Advanced Defense Service.
Things to avoid
The computer network is a shared environment that requires multiple parties to work together to maintain stability. Some behaviors may have an impact on the overall network and the networks of other tenants. You need to pay attention to:
Avoid using cloud product mechanisms (including but not limited to OSS, DNS, ECS, SLB, and EIP) to build and provide DDoS defense services on the cloud.
Avoid releasing instances that are in a black hole state.
Avoid continuously replacing, unbundling, and adding IP products such as SLB IP, elastic public IP, and NAT gateway for servers in a black hole state.
Avoid building IP pools for defense, and avoid spreading attack traffic to a large number of IPs for defense.
Avoid placing Alibaba Cloud products that are not network security defense products (including but not limited to CDN and OSS) in front of businesses that are prone to attack.
Avoid using multiple accounts to bypass the above rules.
DDoS protection solution
The DDoS protection solutions provided by Alibaba Cloud include free DDoS basic protection and the following paid services: DDoS native protection and DDoS advanced defense (new BGP & international). The following compares the solutions.

Solution introduction
DDoS basic protection and DDoS native protection: Based on Alibaba Cloud's native protection network. The origin server's IP address is not changed, and DDoS attacks at the network layer and transport layer are resisted.
DDoS High Defense (New BGP & International), Standard and Enhanced: Traffic is directed to Alibaba Cloud's global DDoS cleaning centers through DNS resolution, resisting DDoS attacks at the network, transport, and application layers and hiding the protected origin server.

Protective ability
DDoS basic protection: Low, based on Alibaba Cloud's own defense capacity, 500 Mbps to 5 Gbps. For details, see Basic DDoS Protection Black Hole Threshold.
DDoS native protection: High, based on Alibaba Cloud's defense capacity, up to several hundred Gbps. For details, see What is native DDoS protection.
DDoS High Defense, Standard: High, based on the capacity of Alibaba Cloud's global DDoS cleaning centers, up to Tbps or above.
DDoS High Defense, Enhanced: High, based on the capacity of Alibaba Cloud's global DDoS cleaning centers, up to Tbps or above.

Protection object
DDoS basic protection: Some Alibaba Cloud products, including ECS, SLB, EIP (including EIP bound to a NAT gateway), IPv6 gateway, lightweight server, WAF, and GA.
DDoS native protection: Some Alibaba Cloud products, including ECS, SLB, EIP (including EIP bound to a NAT gateway), IPv6 gateway, lightweight server, WAF, and GA.
DDoS High Defense, Standard: Some Alibaba Cloud products; currently only DDoS-protection-enhanced EIP is supported.
DDoS High Defense, Enhanced: Any public IP.

Applicable scenarios
DDoS basic protection: Enabled by default after you purchase the corresponding cloud product.
DDoS native protection: A large number of IPs/ports. Large business bandwidth and an external IP that cannot be changed, for example service bandwidth above 1 Gbps and HTTP/HTTPS QPS above 5,000. Extremely low latency is required to keep the business running during large-traffic attacks. The business occasionally suffers DDoS attacks.
DDoS High Defense, Standard: A large number of IPs/ports. Large business bandwidth and an external IP that cannot be changed, for example service bandwidth above 1 Gbps and HTTP/HTTPS QPS above 5,000. Lower latency is required to keep the business running during large-traffic attacks. Assets require Tbps-level DDoS protection. The business occasionally suffers DDoS attacks.
DDoS High Defense, Enhanced: The business suffers frequent attacks and intense offensive and defensive confrontation. Fine-grained application layer CC attacks must be defended against. The business's external IP needs to be changed.

Billing
DDoS basic protection: Free.
DDoS native protection: Annual and monthly subscription model, offered as an inclusive edition for small and medium-sized enterprises and an enterprise edition. For details, see Native Protection 2.0 Annual and Monthly Subscription.
DDoS High Defense, Standard: Postpaid purchase model. For details, see Native Protection 2.0 Postpaid.
DDoS High Defense, Enhanced: Postpaid purchase model. For details, see Native Protection 2.0 Postpaid.

Version selection guide for DDoS High Defense: When both the access source and the origin site are in mainland China, use Anti-DDoS Advanced (new BGP). When both are outside mainland China, use the insurance or worry-free version of Anti-DDoS Premium (International). For cross-border scenarios (access source in mainland China, origin site outside mainland China), use the accelerated line insurance or worry-free version of DDoS Advanced Defense (International), or the Secure Acceleration line.
DDoS attack types each solution defends against
For each attack type, the columns are DDoS native protection, DDoS High Defense (New BGP & International) Standard, and DDoS High Defense Enhanced.

Network layer DDoS attacks (Frag Flood, Smurf, Stream Flood, Land Flood, malformed IP packets, malformed TCP packets, malformed UDP packets, etc.): native √, Standard √, Enhanced √.
Transport layer DDoS attacks (Syn Flood, Ack Flood, UDP Flood, ICMP Flood, Rst Flood, NTP/SSDP/DNS reflection, etc.): native √, Standard √, Enhanced √.
Application layer DDoS attacks over HTTP/HTTPS, also known as web application layer CC attacks (HTTP/HTTPS CC, HTTP slow attacks such as Loic/Hoic/Slowloris/Pyloris/Xoic, and other CC attacks on HTTP services such as websites, API interfaces, and WebSocket): native ×, Standard ×, Enhanced √.
Application layer DDoS attacks over TCP application protocols other than HTTP/HTTPS, also known as non-web application layer CC attacks (TCP CC, TCP null connection, TCP connection resource exhaustion, and other TCP-based CC attacks on non-HTTP services such as private protocols, MySQL, MQTT, and RTMP): native ×; Standard √ (in public beta, currently only in the Hangzhou region; apply through pre-sales online consultation with your business manager); Enhanced √.
Application layer DDoS attacks over UDP-based protocols (UDP CC, DNS Flood against NS services, and other CC attacks on UDP services such as NS services, UDP game services, and UDP voice calls). Note: CC protection for UDP services requires an additional purchase of Security Manager; otherwise it is not supported. Native √, Standard √, Enhanced √: each supports cleaning of DNS attacks on non-NS services; to protect NS services, use DNS Security.
Description of protective effect
After your business is connected, the solution's intelligent AI protection needs time to learn the characteristics of normal business traffic. If a DDoS or CC attack arrives right after onboarding, some of the first attack's traffic may briefly pass through unmitigated. It is therefore recommended that you raise the origin site's load capacity as far as possible and configure protection according to the following recommendations:
DDoS native protection
After the business is connected, default rules protect you. During an attack, protection capabilities are supplemented automatically according to the attack's changing real-time characteristics, and targeted intelligent AI protection policies are issued; attack traffic may briefly pass through before a policy takes effect. It is recommended that you customize protection policies such as serial protection, port protection, and trigger protection in advance to improve the protection effect.
If the attack traffic does not exceed the default cleaning threshold, the attack passes through unmitigated. In particular, when the EIP is bound to a bandwidth package, the default cleaning threshold may be too high; adjust the threshold to match the size of your normal business traffic.
DDoS High Defense (New BGP&International)
It is recommended that you configure appropriate business scenario policies (customized scenario policies), or customize frequency protection policies based on business characteristics (set CC security protection) to improve the protection effect.