What is a DDoS attack?
Distributed Denial of Service
A distributed denial-of-service attack uses many computers to attack a target at the same time, leaving the target unable to operate normally. Such attacks have appeared many times and have caused many large websites to malfunction. When a site becomes unavailable, this not only affects normal use by its users but also causes tremendous economic losses. A distributed denial-of-service attack can also forge its source IP addresses, which makes the attack very well concealed when it occurs and very difficult to detect; for this reason it has also become a very difficult attack to prevent.
Second, the principle of attack
Distributed Denial-of-Service (DDoS) refers to multiple attackers in different locations simultaneously launching attacks on one or more targets, or to a single attacker taking control of multiple machines located in different places and using them to attack the victim simultaneously. Since the points of origin of the attack are distributed in different places, this type of attack is called distributed denial-of-service, and there can be multiple attackers behind it.
Third, threats in the cloud environment have skyrocketed, making it difficult for traditional security capabilities to respond
In recent years, with the rise and development of cloud-native concepts, more and more cloud-native services have been exposed on the Internet. A large number of enterprises, institutions, and individual users have gradually moved their business services to the cloud in the form of cloud-native deployments. On the one hand, this shows that cloud-native is being widely adopted and popularized. On the other hand, the growing number of cloud-native services also gives attackers a larger attack surface. The asymmetry between attack and defense is further widened in the cloud environment:
• The rapid iteration of new technologies in cloud computing keeps producing new vulnerabilities and new attack methods. The traditional rule-based protection model struggles to keep up in a cloud environment where threats iterate at high speed.
• The elastic and scalable nature of cloud computing environments makes network boundaries and infrastructure boundaries blurred and dynamic, while traditional security is usually built on fixed network boundaries and the protection of physical devices.
Fourth, attackers are more camouflaged and deceptive, making them difficult to identify
At the same time, when the attack is aimed at the business itself, the attacker is better disguised and more deceptive, making the attack difficult to identify.
• When the attacker's goal is to gain privileges, they may use a variety of strategies and techniques to obfuscate the essence of the attack in order to hide their malicious behavior and bypass defense mechanisms.
• When the attacker's goal is to obtain data or business-critical information, they attack business flaws: unauthorized operations, order brushing, and simulated logins that exploit logical vulnerabilities such as privilege overreach, broken business flow, authentication flaws, and data leakage. Such behavior is difficult to detect and defend against in the traditional mode.
• When the attacker's goal is to interfere with the normal operation of the target business, as in a CC attack, the current CC attack disguises itself as normal browser traffic by driving a headless browser. Because the requests carry no attack characteristics, and are then routed through an IP pool and a large number of compromised hosts (zombies), they can bypass common authentication and defense mechanisms.
• A traditional WAF can block some low-level crawlers and handle some high-frequency CC attacks and distributed denial-of-service by limiting the API access rate and restricting the User-Agent of HTTP requests. In the face of slow distributed denial-of-service and advanced crawlers, a traditional WAF can only turn a blind eye and sit back.
• In the face of critical data leakage, a traditional WAF can prevent part of the leakage by restricting keywords in the HTTP response content, but this disrupts normal business and is only a temporary mitigation that treats the symptoms rather than the root cause. When faced with complex API interface vulnerabilities and API business-logic vulnerabilities, a traditional WAF is simply at a loss.
Fifth, build a defense-in-depth system with Speed Shield CDN at its core
Traditional security defense methods are mainly used to defend against external attacks, and they basically analyze and detect traffic by matching rules against known characteristics. As threats become more and more complex and hidden, rule-based security monitoring becomes inflexible and inaccurate, leaves blind spots in security visibility, lags seriously behind new attacks, cannot detect unknown attacks, is easily bypassed, and struggles to adapt to network reality and the rapidly changing internal and external security environments of enterprises.
In response to the above problems, the Speed Shield CDN system has developed a variety of protection modules, such as browser fingerprint protection and non-intrusive CC protection, that analyze the behavior of user entities. Rather than distinguishing between internal and external traffic, they analyze all user browser visits and other abnormal behavior. What counts as normal and what counts as abnormal is decided by using big data, algorithms and machine learning to continuously model the baseline behavior of users and entities, identify behavior that deviates from that baseline, and raise real-time alerts.
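To show the difference between a fixed per-IP rate limit and a learned per-entity baseline, here is an added example that is not Speed Shield CDN's code: it runs both checks over a constructed access log in which a slow CC flood is spread thinly across an IP pool. The log format, the browser-fingerprint field and the thresholds are assumptions.

```python
from collections import Counter
from statistics import mean

# Constructed sample traffic (not from the original article). Each record is
# (timestamp_seconds, client_ip, browser_fingerprint, request_path); the
# fingerprint field is assumed to come from a browser-fingerprint module.
NORMAL = [(3 * i + off, f"10.0.0.{i}", f"fp-{i}", "/api/order")
          for i in range(1, 6) for off in (0, 20, 40)]
# A slow, distributed CC flood: 20 addresses from an IP pool, each sending only
# 2 requests per minute, all sharing one headless-browser fingerprint.
FLOOD = [((5 * i) % 60, f"198.51.100.{i}", "fp-headless", "/api/order")
         for i in range(20) for _ in range(2)]
LOG = NORMAL + FLOOD


def count_per_entity(log, key_index, window):
    """Requests per (entity, time window); key_index picks the log field used as entity."""
    counts = Counter()
    for rec in log:
        counts[(rec[key_index], rec[0] // window)] += 1
    return counts


def per_ip_rate_limit(log, window=60, limit=10):
    """Traditional WAF rule: block any single IP exceeding `limit` requests per window.
    Returns the offending IPs; a flood spread thinly over many IPs never trips it."""
    return {ip for (ip, _w), n in count_per_entity(log, 1, window).items() if n > limit}


def learn_baseline(normal_log, window=60):
    """Baseline behaviour: mean requests per browser fingerprint per window on normal traffic."""
    return mean(count_per_entity(normal_log, 2, window).values())


def baseline_anomalies(log, baseline, window=60, factor=5.0):
    """Behavioural detection: flag any fingerprint whose aggregate rate, summed across
    every IP it appears from, exceeds `factor` times the learned baseline."""
    return {fp for (fp, _w), n in count_per_entity(log, 2, window).items()
            if n > factor * baseline}


if __name__ == "__main__":
    baseline = learn_baseline(NORMAL)
    print("per-IP rate limit blocks:", per_ip_rate_limit(LOG))        # set()
    print("baseline anomalies:", baseline_anomalies(LOG, baseline))   # {'fp-headless'}
```

The per-IP rule sees at most 3 requests from any address and blocks nothing, while the fingerprint baseline sees 40 requests per minute from one entity against a learned mean of 3 and flags it.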