Network layer DDoS attacks involve attackers sending a large number of packets with forged source IP addresses to the target server, exhausting internet bandwidth resources and leaving the target server unable to respond to normal requests. Common network layer DDoS attacks include SYN Flood, ACK Flood, ICMP Flood, UDP Flood and various reflection attacks (such as NTP reflection, Memcache reflection and SSDP reflection). Nethost DMS deploys intelligent firewalls that detect and analyze packets in real time and efficiently block attack packets without affecting normal traffic. The single-node protection capacity of the Speed Shield CDN system reaches 800Gbps, and the overall protection capacity of the platform reaches 10Tbps+. At present it can effectively defend against network layer DDoS attacks such as SYN Flood, UDP Flood, ICMP Flood, NTP reflection, SSDP reflection and Memcache reflection. Each attack type and its protection method are introduced below:
SYN Flood
- Attack Introduction
Attackers use tools or zombie hosts to send a large number of TCP SYN packets to the target server. When the server responds with SYN-ACK packets, the attacker never sends the final ACK, leaving a large number of half-open TCP connections on the server. These half-open connections exhaust the server's resources so that it cannot respond to normal requests.
- Protection principle
A heterogeneous protection architecture is adopted, using original technology patented in China, to detect and filter in real time malformed packets (such as those with abnormal length values) and packets that do not conform to the rules. At the same time, the client's protocol behavior is verified through SYN cookie verification and retransmission verification, so the attack is blocked without affecting normal client connections.
ACK Flood
- Attack Introduction
Attackers use tools or zombie hosts to send a large number of ACK packets to the target server; the server is kept busy handling these third-handshake packets that appear out of thin air, exhausting its resources so that it cannot respond to normal requests.
- Protection principle
The Nethost intelligent firewall stores connection table information in real time and performs intelligent verification on each received ACK packet to judge whether it is legitimate. Illegitimate packets are discarded directly, which efficiently blocks attack packets without affecting normal access.
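The SYN Flood and ACK Flood protection principles above rest on two mechanisms: a SYN cookie, which lets the node answer every SYN without storing a half-open connection, and a connection table, against which a later ACK is checked. The following is an added example (not Nethost code, and not a description of its patented implementation) that sketches both in Python: the cookie layout, the 64-second bucket, the `SECRET` and the `SynProxy` class are constructed assumptions for the demo, simplified from the well-known Linux SYN cookie scheme.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Hypothetical per-node secret for the demo; a real deployment would rotate it.
SECRET = b"constructed-demo-secret"

# MSS values a cookie can encode, indexed by the cookie's low 3 bits.
MSS_TABLE = [536, 1300, 1440, 1460]

ConnKey = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def _cookie_hash(src_ip: str, src_port: int, dst_ip: str, dst_port: int, counter: int) -> int:
    """Keyed hash over the 4-tuple and a time counter; only this node can produce it."""
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_syn_cookie(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                    client_mss: int, now: float) -> int:
    """Build the 32-bit initial sequence number sent in the SYN-ACK.

    Layout (constructed for this example): bits 31..27 = time counter mod 32,
    bits 26..3 = 24-bit keyed hash, bits 2..0 = MSS index. No per-connection
    state is stored, so a SYN flood cannot fill a half-open queue.
    """
    counter = int(now) >> 6  # 64-second buckets bound the cookie's validity window
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    h = _cookie_hash(src_ip, src_port, dst_ip, dst_port, counter)
    return ((counter & 0x1F) << 27) | ((h & 0xFFFFFF) << 3) | mss_idx


def check_syn_cookie(src_ip: str, src_port: int, dst_ip: str, dst_port: int,
                     ack_number: int, now: float) -> Optional[int]:
    """Return the encoded MSS if the client's ACK carries a valid cookie, else None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF  # the client acknowledges ISN + 1
    mss_idx = cookie & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    counter_now = int(now) >> 6
    # Accept the current bucket and the previous one; older cookies are stale.
    for candidate in (counter_now, counter_now - 1):
        if (candidate & 0x1F) != cookie >> 27:
            continue
        h = _cookie_hash(src_ip, src_port, dst_ip, dst_port, candidate)
        if ((cookie >> 3) & 0xFFFFFF) == (h & 0xFFFFFF):
            return MSS_TABLE[mss_idx]
    return None


class SynProxy:
    """Stateless SYN handling plus a connection table used to validate ACKs."""

    def __init__(self) -> None:
        self.conn_table: Dict[ConnKey, int] = {}  # established 4-tuple -> negotiated MSS

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, client_mss, now) -> int:
        # Answer every SYN with a cookie as ISN; nothing is recorded until the handshake completes.
        return make_syn_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now)

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack_number, now) -> str:
        key: ConnKey = (src_ip, src_port, dst_ip, dst_port)
        if key in self.conn_table:
            return "forward"  # ACK belongs to a connection already in the table
        mss = check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_number, now)
        if mss is None:
            return "drop"  # ACK "out of thin air": no valid cookie and no table entry
        self.conn_table[key] = mss  # handshake verified; from now on the connection is tracked
        return "established"
```

A flood of SYNs costs the node only a hash per packet, and a flood of ACKs is dropped unless the 4-tuple is already in the table or the ACK carries a cookie the node itself minted within the last two buckets.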
ICMP Flood
- Attack Introduction
The attacker sends a large number of very large packets to the target (for example, packets exceeding 65535 bytes), placing a heavy load on the server, affecting its normal service and eventually paralyzing the target host.
- Protection principle
The intelligent firewall counts the traffic arriving at each destination IP in real time and directly drops packets once the set threshold is exceeded.
UDP Flood
- Attack Introduction
Because UDP is a connectionless protocol that provides no reliability or integrity checks, it transmits data quickly, which makes it attractive to attackers. In a typical UDP Flood, attackers send a large number of UDP packets with forged source IP addresses to the target address, consuming internet bandwidth, congesting the link and ultimately causing the website server to deny service.
- Protection principle
For customers without UDP services, the Nethost intelligent firewall discards all UDP packets. For customers with UDP services, it defends against UDP Flood by rate limiting and UDP packet matching.
Reflection DDoS attack
- Attack Introduction
A reflection attack is a form of DDoS attack based on UDP packets. Instead of attacking the target directly, the attacker uses servers that expose services to the Internet (such as NTP servers): it spoofs the victim's address as the source and sends specially crafted UDP request packets to those servers. The replies, several times larger than the requests, are sent to the victim's IP, indirectly forming a DDoS attack against it.
- Protection principle
The Nethost intelligent firewall directly filters packets from commonly abused reflection ports (such as NTP, Memcache and SSDP) to defend against reflection DDoS attacks.
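The ICMP Flood, UDP Flood and reflection protection principles above are all per-packet policy decisions keyed on the destination IP: a rate threshold for ICMP, drop-all or rate-limit-plus-port-matching for UDP depending on whether the customer runs UDP services, and a source-port filter for known reflection services. The following is an added example (not Nethost code) that puts those three rules into one small Python policy engine and runs it over constructed sample packets; the thresholds, the one-second sliding window, the `Packet` fields, the verdict strings and the customer port table are assumptions made for the demo.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple

# UDP source ports commonly abused for reflection; the page names NTP, Memcache and SSDP.
REFLECTION_PORTS: Dict[int, str] = {123: "NTP", 11211: "Memcache", 1900: "SSDP"}

# Per-destination packet-rate thresholds (constructed demo values; production ones are far higher).
ICMP_PPS_THRESHOLD = 5
UDP_PPS_THRESHOLD = 5
MAX_ICMP_LENGTH = 65535


@dataclass
class Packet:
    ts: float
    src_ip: str
    dst_ip: str
    proto: str          # "icmp", "udp" or "tcp"
    src_port: int = 0
    dst_port: int = 0
    length: int = 0


class RateMeter:
    """Counts events per key inside a sliding window of `window` seconds."""

    def __init__(self, window: float = 1.0) -> None:
        self.window = window
        self.events: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def hit(self, key: Tuple[str, str], ts: float) -> int:
        q = self.events[key]
        q.append(ts)
        while q and q[0] <= ts - self.window:  # expire events that fell out of the window
            q.popleft()
        return len(q)


class Firewall:
    """Per-packet policy for ICMP and UDP, keyed on the destination IP."""

    def __init__(self, udp_customers: Dict[str, Set[int]]) -> None:
        # dst_ip -> UDP ports the customer actually serves; a missing entry means no UDP service.
        self.udp_customers = udp_customers
        self.meter = RateMeter()
        self.stats: Dict[str, int] = defaultdict(int)

    def decide(self, pkt: Packet) -> str:
        verdict = self._decide(pkt)
        self.stats[verdict] += 1
        return verdict

    def _decide(self, pkt: Packet) -> str:
        if pkt.proto == "icmp":
            if pkt.length > MAX_ICMP_LENGTH:
                return "drop:oversize-icmp"
            if self.meter.hit(("icmp", pkt.dst_ip), pkt.ts) > ICMP_PPS_THRESHOLD:
                return "drop:icmp-rate"  # per-destination threshold exceeded
            return "accept"
        if pkt.proto == "udp":
            services = self.udp_customers.get(pkt.dst_ip)
            if services is None:
                return "drop:no-udp-service"  # customer runs no UDP service: drop all UDP
            if pkt.src_port in REFLECTION_PORTS:
                return "drop:reflection-" + REFLECTION_PORTS[pkt.src_port]
            if pkt.dst_port not in services:
                return "drop:udp-port-mismatch"  # UDP packet matching against served ports
            if self.meter.hit(("udp", pkt.dst_ip), pkt.ts) > UDP_PPS_THRESHOLD:
                return "drop:udp-rate"
            return "accept"
        return "accept"  # TCP is handled by the SYN/ACK verification path, not here


def sample_traffic() -> List[Packet]:
    """Constructed packets: an ICMP burst, a reflection reply and assorted UDP."""
    pkts = [Packet(10.0 + i * 0.1, "198.51.100.5", "203.0.113.10", "icmp", length=64)
            for i in range(8)]  # 8 pings to one destination inside a single second
    pkts += [
        Packet(11.0, "192.0.2.50", "203.0.113.20", "udp", src_port=123, dst_port=53, length=468),    # NTP reflection
        Packet(11.1, "192.0.2.51", "203.0.113.10", "udp", src_port=40000, dst_port=80, length=100),  # no UDP service
        Packet(11.2, "192.0.2.52", "203.0.113.20", "udp", src_port=40001, dst_port=53, length=60),   # normal DNS query
        Packet(11.3, "192.0.2.53", "203.0.113.20", "udp", src_port=40002, dst_port=5060, length=60), # unserved port
        Packet(12.0, "198.51.100.6", "203.0.113.10", "icmp", length=70000),                          # oversize ICMP
    ]
    return pkts


def run_demo() -> Dict[str, int]:
    fw = Firewall(udp_customers={"203.0.113.20": {53}})  # only .20 serves UDP (DNS)
    for pkt in sample_traffic():
        fw.decide(pkt)
    return dict(fw.stats)


if __name__ == "__main__":
    for verdict, count in sorted(run_demo().items()):
        print(f"{verdict:28} {count}")
```

On the sample traffic the first five pings pass and the next three are dropped by the per-destination threshold, the NTP-sourced packet is dropped before any rate accounting, and the host with no UDP service never sees a UDP packet at all.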