Where does DDoS traffic come from, and how is DDoS traffic obtained?

Router DDoS defense settings?

1. Source IP address filtering

Filtering source IP addresses at every ISP access or aggregation node can effectively reduce or eliminate source IP address spoofing, which makes DDoS attacks that depend on spoofed sources, such as Smurf and TCP SYN flood, impossible to carry out.

2. Flow restriction

Controlling certain types of traffic, such as ICMP, UDP and TCP SYN, at network nodes and rate-limiting them to a reasonable level can reduce the impact of DDoS attacks on both the hosting network and the target network.

3. ACL filtering

Filter traffic to known worm attack ports and DDoS tool control ports without affecting legitimate business traffic.

4. TCP interception

Against TCP SYN flood attacks, users can consider enabling the TCP intercept function of the gateway device. Because enabling TCP intercept can affect router performance, the trade-off should be weighed before turning this function on.
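The four controls above are usually configured as vendor features on the router. As an added illustration that is not part of the original page, the following Python simulation models them in order (source address check, per-class token-bucket rate limiting, ACL port filtering, and a simplified TCP intercept that proxies SYNs once a destination's half-open backlog is full) over a constructed packet mix. The prefix, ports, bucket sizes and backlog limit are assumptions chosen for the demonstration.

```python
"""Added example, not part of the original page: a small simulation of the
four router-side DDoS controls (source IP filtering, flow restriction, ACL
port filtering, TCP interception). Prefixes, ports, thresholds and packets
are constructed; the intercept rule is a simplification of vendor features."""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed policy parameters (assumptions, not values from the page).
CUSTOMER_PREFIX = ip_network("198.51.100.0/24")  # only these sources are valid here
BLOCKED_PORTS = {1434, 6667}                      # sample worm / control ports to ACL-filter
SYN_BACKLOG_LIMIT = 3                             # half-open SYNs per destination before intercept


@dataclass
class Packet:
    src: str
    dst: str
    proto: str         # "ICMP", "UDP" or "TCP"
    dport: int = 0
    syn: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


@dataclass
class TokenBucket:
    """Rate limiter: refills `rate` tokens per second up to `burst` tokens."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self) -> None:
        self.tokens = self.burst

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class IngressPolicy:
    """Applies the four controls and returns a decision string per packet."""

    def __init__(self) -> None:
        # 2. Flow restriction: one bucket per traffic class (tokens/s, burst).
        self.limiters: Dict[str, TokenBucket] = {
            "ICMP": TokenBucket(2, 2), "UDP": TokenBucket(5, 5), "SYN": TokenBucket(10, 10),
        }
        # 4. TCP interception bookkeeping: outstanding half-open SYNs per destination.
        self.half_open: Dict[str, int] = {}

    def decide(self, pkt: Packet, now: float) -> str:
        # 1. Source IP filtering: drop sources that cannot legitimately arrive here.
        if ip_address(pkt.src) not in CUSTOMER_PREFIX:
            return "DROP:spoofed-source"
        # 3. ACL filtering: block known worm / control ports outright.
        if pkt.proto in ("TCP", "UDP") and pkt.dport in BLOCKED_PORTS:
            return "DROP:acl-port"
        # 2. Flow restriction: rate-limit ICMP, UDP and TCP SYN separately.
        cls = "SYN" if (pkt.proto == "TCP" and pkt.syn) else pkt.proto
        if cls in self.limiters and not self.limiters[cls].allow(now):
            return f"DROP:rate-limit-{cls}"
        # 4. TCP interception (simplified): once a destination has too many
        #    unanswered SYNs, further SYNs are answered by the gateway proxy.
        if pkt.proto == "TCP" and pkt.syn:
            outstanding = self.half_open.get(pkt.dst, 0)
            if outstanding >= SYN_BACKLOG_LIMIT:
                return "INTERCEPT:proxy-handshake"
            self.half_open[pkt.dst] = outstanding + 1
        return "FORWARD"


def sample_traffic() -> List[Packet]:
    """Constructed mix: a legitimate SYN, a spoofed UDP packet, a packet to an
    ACL-blocked port, an ICMP burst and a SYN burst against one server."""
    pkts = [
        Packet("198.51.100.10", "203.0.113.5", "TCP", 443, syn=True),
        Packet("203.0.113.99", "203.0.113.5", "UDP", 53),     # outside CUSTOMER_PREFIX
        Packet("198.51.100.11", "203.0.113.5", "UDP", 1434),  # ACL-blocked port
    ]
    pkts += [Packet("198.51.100.12", "203.0.113.5", "ICMP") for _ in range(5)]
    pkts += [Packet(f"198.51.100.{20 + i}", "203.0.113.5", "TCP", 80, syn=True)
             for i in range(6)]
    return pkts


def run_policy(packets: List[Packet], now: float = 0.0) -> Counter:
    """Run every packet through a fresh policy and tally the decisions."""
    policy = IngressPolicy()
    return Counter(policy.decide(p, now) for p in packets)


if __name__ == "__main__":
    for decision, count in sorted(run_policy(sample_traffic()).items()):
        print(f"{decision:28s} {count}")
```

Running the script shows the spoofed packet and the blocked port dropped first, the ICMP burst cut to the bucket size, and SYNs beyond the backlog limit handled by the intercept proxy instead of reaching the server; the ordering of the checks matters, since cheap address and port filters run before any per-flow state is consumed.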

What is the principle of DDoS traffic cleaning?

When traffic is routed to the DDoS protection and cleaning (scrubbing) center, traffic cleaning technology separates normal traffic from malicious traffic, and the normal traffic is re-injected toward the customer's website, keeping the protected customer network operating normally.

In a typical DDoS attack response, the traffic first enters the traffic cleaning center and is then classified as either infrastructure-layer attack traffic or application-layer attack traffic.

It is then further distinguished, mainly by attack vector and expected traffic characteristics, using techniques specific to the DDoS cleaning center.

What does DDoS mean?

There are three main types of DDoS attack.

High traffic attack

High-traffic attacks saturate the bandwidth and infrastructure of the network with massive volumes of traffic, consuming them completely and flooding the network. Once the traffic exceeds the capacity of the network, or of its connection to the rest of the Internet, the network becomes inaccessible. Examples of high-traffic attacks include ICMP floods, fragmentation attacks and UDP floods.

TCP state exhaustion attack

TCP state exhaustion attacks attempt to consume the connection state tables that exist in many infrastructure components, such as load balancers, firewalls and the application servers themselves. For example, a firewall must analyze each packet to determine whether it opens a new connection, belongs to an existing connection, or ends an existing connection. Similarly, an intrusion prevention system must track state to perform signature-based packet inspection and stateful protocol analysis. These and other stateful devices, including load balancers, are frequently harmed by session floods or connection attacks. For example, the Sockstress attack fills the connection table by opening sockets, quickly flooding the firewall's state table.

Application layer attack

Application layer attacks use more complex mechanisms to achieve the attacker's goals. Rather than flooding the network with traffic or sessions, they slowly exhaust the application-layer resources of specific applications or services. Application layer attacks are very effective even at low traffic rates, and the traffic involved may be entirely legitimate from a protocol point of view, which makes them harder to detect than other types of DDoS attack. HTTP floods, DNS dictionary attacks and Slowloris are examples of application layer attacks.
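Each of the three attack classes above leaves a different footprint on the target, so a defender can check for them separately. As an added example that is not part of the original page, the following Python code runs three heuristics over a constructed snapshot of a server's connection table and uplink throughput: link utilisation near capacity for a high-traffic attack, a connection table dominated by half-open (SYN_RECV) entries for TCP state exhaustion, and many long-lived established connections from a single source that never complete a request for a Slowloris-style application layer attack. The record fields, thresholds and sample data are assumptions for the demonstration.

```python
"""Added example, not part of the original page: detection heuristics for the
three DDoS classes described above, run over a constructed snapshot of a
server's connection table and its uplink throughput. Field names, thresholds
and the sample records are assumptions for illustration."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Conn:
    src: str
    state: str              # "SYN_RECV" (half-open) or "ESTABLISHED"
    age_s: float            # seconds since the first packet of the connection
    request_complete: bool  # whether a full application request has arrived


LINK_CAPACITY_BPS = 1_000_000_000  # constructed: 1 Gbit/s uplink


def detect_volumetric(bits_per_second: float, capacity: float = LINK_CAPACITY_BPS,
                      ratio: float = 0.9) -> bool:
    """High-traffic attack: the link is being driven close to saturation."""
    return bits_per_second >= ratio * capacity


def detect_state_exhaustion(conns: List[Conn], half_open_limit: int = 100,
                            half_open_ratio: float = 0.5) -> bool:
    """TCP state exhaustion: the table fills with half-open (SYN_RECV) entries."""
    if not conns:
        return False
    half_open = sum(1 for c in conns if c.state == "SYN_RECV")
    return half_open > half_open_limit or half_open / len(conns) > half_open_ratio


def detect_slow_application(conns: List[Conn], min_age_s: float = 30.0,
                            per_source_limit: int = 50) -> List[str]:
    """Application layer (Slowloris-style): many long-lived established
    connections from one source that never complete a request."""
    per_src = Counter(c.src for c in conns
                      if c.state == "ESTABLISHED"
                      and not c.request_complete
                      and c.age_s >= min_age_s)
    return sorted(src for src, n in per_src.items() if n >= per_source_limit)


def assess(conns: List[Conn], bits_per_second: float) -> Dict[str, object]:
    """Combine the three checks into one verdict for a snapshot."""
    return {
        "volumetric": detect_volumetric(bits_per_second),
        "state_exhaustion": detect_state_exhaustion(conns),
        "slow_sources": detect_slow_application(conns),
    }


def sample_snapshot() -> List[Conn]:
    """Constructed connection table: 20 healthy clients, a 200-entry half-open
    backlog from scattered sources, and 60 stalled connections from a single
    source holding sockets open without finishing a request."""
    healthy = [Conn(f"198.51.100.{i}", "ESTABLISHED", 2.0, True) for i in range(20)]
    half_open = [Conn(f"192.0.2.{i % 254 + 1}", "SYN_RECV", 1.0, False) for i in range(200)]
    stalled = [Conn("203.0.113.7", "ESTABLISHED", 120.0, False) for _ in range(60)]
    return healthy + half_open + stalled


if __name__ == "__main__":
    print(assess(sample_snapshot(), bits_per_second=950_000_000))
```

The application layer check is the one worth noting: the 60 stalled connections are tiny in bandwidth terms and would pass a purely volumetric monitor, which is exactly why the text describes such attacks as harder to detect; looking at connection age and request completion per source is what surfaces them.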