
Research on DDoS protection for overseas business of Chinese Enterprises

2022-06-21 11:18:00 0xtuhao

In recent years competition in the domestic market, especially the Internet industry, has become fierce and the market increasingly saturated, so many products have gone overseas. They are released in a variety of ways and deployed accordingly: some run on public clouds such as AWS, GCP or Azure, others on servers in overseas IDCs. Both face a range of security threats, but they share one in particular: DDoS attacks. Studying DDoS protection options for the overseas business of Chinese enterprises therefore seems very necessary.

Survey

There is no published report yet on the DDoS situation facing the overseas business of Chinese enterprises. The overseas public clouds probably hold a lot of data, but unfortunately it has not been made public; readers who have such data are encouraged to share their analysis. Below the author gives only a brief introduction to the situation of a few enterprises.

Company 1: a large mobile tool developer whose main users are now overseas, covering more than 100 countries. Because of its rapid growth its business is deployed on AWS, and it has also bought Enterprise Support. In terms of DDoS attacks it is a "best seller": facing on average more than 100 DDoS attacks a year with peak traffic in the tens of Gbps, it defends itself with products from the AWS Marketplace and AWS Shield.

Company 2: a large game company whose main users are still in China, but whose overseas business is growing very fast, with nearly 10 games already released overseas. Facing on average more than 1000 DDoS attacks a year with peak traffic exceeding 100 Gbps, its approach is somewhat different. Because the group is large, the business is large, and it also operates a public cloud at home, it has its public cloud nodes follow the business: wherever the game goes, the scrubbing service follows. Where its own public cloud cannot cover a region, it cooperates with a local IDC or a local public cloud.

These two enterprises are benchmarks in their industries; the DDoS dilemma they face and the countermeasures they take are very representative, and an important reference for domestic enterprises going overseas. The author now tries to sort out the specific countermeasures.

Countermeasures

There are two main approaches: securing the server itself, and buying external security services. External services come mainly from two kinds of providers, public clouds and IDCs.

Server security

Before connecting to external DDoS defences, the local security of the server itself must be taken care of.

Reduce the attack surface

These are also the usual anti-DDoS best practices of the public clouds.

  • Open as few ports as possible
    • Route internal traffic over the intranet, so that it is not affected when the public network is under attack
  • Put services behind a load-balancing cluster
    • Use the public cloud's ELB
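As an added illustration of the "open as few ports as possible" rule (example code, not from the original article): an offline audit of security-group data in the shape returned by boto3's `ec2.describe_security_groups()`, flagging every rule reachable from the whole Internet that is not an expected public port. The sample groups and the allowed-port set are constructed.

```python
# Added example: find security-group ingress rules open to the whole Internet.
# Input shape follows boto3 ec2.describe_security_groups(); samples are constructed.

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

def world_open_ports(security_group):
    """Return (port_range, protocol) pairs that any Internet host may reach."""
    exposed = []
    for perm in security_group.get("IpPermissions", []):
        open_v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
        open_v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
        if not (open_v4 or open_v6):
            continue                      # intranet-only rule: fine
        proto = perm.get("IpProtocol")
        if proto == "-1":                 # "-1" means all protocols and all ports
            exposed.append(("all", "all"))
        else:
            exposed.append(((perm.get("FromPort"), perm.get("ToPort")), proto))
    return exposed

def audit(security_groups, allowed=frozenset({(80, 80), (443, 443)})):
    """Map group id -> world-open rules that are not in the allowed public set."""
    findings = {}
    for sg in security_groups:
        bad = [(ports, proto) for ports, proto in world_open_ports(sg)
               if ports == "all" or ports not in allowed]
        if bad:
            findings[sg["GroupId"]] = bad
    return findings

# Constructed sample: a load-balancer group (fine) and an app group that
# exposes SSH to the world and a UDP service over IPv6; Redis is intranet-only.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "udp", "FromPort": 9999, "ToPort": 9999,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

if __name__ == "__main__":
    for gid, rules in audit(SAMPLE_GROUPS).items():
        print(gid, rules)
```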

Design the business architecture for high availability and easy migration

When an attack exceeds what the online system can tolerate, the business architecture largely determines which countermeasures are available. If services are reached through a load balancer and a domain name, switching to cloud scrubbing is very convenient. If clients connect to real servers (RS) by IP, the RS IPs have to be replaced and the server list the client fetches may even have to be modified; the overall adjustment cost is too high, and this hurts the scrubbing result.

Public cloud

The main foreign public clouds are Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. The overseas nodes of domestic public clouds such as Alibaba Cloud, Tencent Cloud, Kingsoft Cloud and UCloud can also be considered.

Comparative analysis table

AWS Shield

AWS Shield is AWS's dedicated DDoS protection product, providing extended DDoS protection for ELB, CloudFront and Amazon Route 53. The overall flow of AWS DDoS protection is as follows:

It comes in a Standard and an Advanced edition, compared below:

  • Standard
    • Layer 3/4 protection
      • Automatic detection and mitigation
      • Protection against common DDoS attacks: SYN/UDP floods, reflection attacks, etc.
      • Built into AWS services, free
    • Layer 7 protection
      • AWS WAF provides protection against layer 7 attacks
      • Official AWS service, charged
  • Advanced
    • Features
      • Continuous monitoring and detection (layers 3/4/7)
      • Protection against common DDoS attacks plus additional mitigations
      • Real-time alarms and historical data queries (layers 3/4/7): shows which IPs, ASNs or countries/regions are the main sources of attack traffic
      • AWS DDoS Response Team (DRT) service: the DRT can customise DDoS and WAF protection policies, or be called on for help
      • Cost protection for Route 53, CloudFront and ELB resources under attack
      • Applies to ELB/CloudFront
      • Including WAF, the protection costs $3000/month; data transfer is billed separately
    • Supported regions: Northern Virginia, Oregon, Ireland, Tokyo and Northern California
  • Other notes
    • Response time: CloudFront responds within seconds, ELB within minutes, Shield within minutes; trigger threshold: 5 Gbps inbound. Note that the response time for AWS EC2 is slow and the scrubbing trigger threshold is very high, so if a real attack of this kind hits, the business is affected for some time and real-time protection is not achievable.
    • Free-service ceiling: in principle, until bandwidth is exhausted

Google Cloud Platform

Overall, GCP's product line is simpler than AWS's. Its advantage is that GCP has nodes in Taiwan while AWS does not, so GCP can be considered for overseas business launched in Taiwan. GCP's DDoS protection services are introduced below.

  • GCP's official DDoS protection service is called Cloud Armor; it was launched only in 2018 and currently covers only web services.
  • DDoS protection is part of GCP's infrastructure security; there are three partners, Cloudflare, Reblaze and Imperva, which you register with on their own websites. Their access principle is likewise reverse proxy or DNS resolution.

Azure

Azure officially offers DDoS Protection in a Basic and a Standard tier. Comparison:

Alibaba Cloud

Alibaba Cloud has a very rich product line. For DDoS protection, Cloud Shield offers two products, BGP Anti-DDoS Pro and Game Shield, providing layer 4/7 CC protection policies, attack traffic graphs, raw/attack logs, business availability monitoring and other services.

  • BGP Anti-DDoS Pro
    • Line quality is good within 20G, but large-traffic attacks must be combined with static Anti-DDoS Pro, which lowers line quality. When attack traffic exceeds 600G, Alibaba's BGP Anti-DDoS Pro forces a blackhole.
  • Game Shield
    • The user experience of its layer 4 DDoS protection is very good; it also saves bandwidth spend with the cloud vendor and schedules nodes dynamically.

IDC anti-DDoS or scrubbing

You can choose IDC anti-DDoS or scrubbing services provided by a partner, or connect to the overseas nodes of a Chinese CDN vendor such as UCloud. IDC anti-DDoS or scrubbing is mostly aimed at the IDC's own customers; its implementation is not based on DNS resolution or reverse proxy, but pulls user traffic to scrubbing equipment or directly to anti-DDoS equipment (usually at the same IDC's exit) for protection. Therefore:

  • When choosing an IDC, consider whether the data centre has DDoS defence capabilities and corresponding services

Processing flow

Access

Depending on business deployment and cost, options include connecting to a public cloud or a local IDC's anti-DDoS or scrubbing service

  • Connect to your own ISP's anti-DDoS or scrubbing service where possible: because the intranet is interconnected, this avoids exposing the real IP, as reverse proxy or DNS resolution can
  • You can start on public-cloud virtual machines and at the same time buy professional anti-DDoS or scrubbing services nearby according to geography, diverting traffic when the virtual machines cannot cope. Or buy standby capacity before a new service goes live or before a business peak such as an event.

The specific access mode must be confirmed according to the chosen scheme.

With cloud scrubbing, access is via DNS resolution or reverse proxy. With IDC scrubbing, once the IDC network configuration and scrubbing equipment are online at the IDC layer, operation happens on the scrubbing equipment side and users notice nothing.

Protection strategy

Detection and alarm

Connect monitoring and set bps/pps alarm thresholds for traffic

Scrubbing trigger threshold

The scrubbing trigger threshold is generally set at 2-3 times the peak of normal traffic. Because some scrubbing algorithms drop packets randomly, the threshold is raised to avoid scrubbing when there is no attack.
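The alarm and scrubbing thresholds above, worked through as an added example (not code from the original article): the thresholds are derived from a normal-traffic baseline, with the scrubbing trigger at 2.5x the peak as the article suggests, and live samples are classified against both bps and pps. Baseline, live samples and the 1.5x alarm factor are constructed assumptions.

```python
# Added example: derive bps/pps alarm and scrubbing-trigger thresholds from a
# normal-traffic baseline, then evaluate live samples. All numbers are constructed.

from dataclasses import dataclass

@dataclass(frozen=True)
class Thresholds:
    alarm_bps: float
    alarm_pps: float
    clean_bps: float
    clean_pps: float

def derive_thresholds(baseline, alarm_factor=1.5, clean_factor=2.5):
    """baseline: (bps, pps) samples taken during normal operation.
    The alarm fires a little above the observed peak; the scrubbing trigger
    sits at 2-3x the peak so random loss in the scrubber is not paid for
    when there is no attack (the article's reasoning)."""
    peak_bps = max(b for b, _ in baseline)
    peak_pps = max(p for _, p in baseline)
    return Thresholds(peak_bps * alarm_factor, peak_pps * alarm_factor,
                      peak_bps * clean_factor, peak_pps * clean_factor)

def classify(sample, th):
    """Return 'normal', 'alarm' or 'clean' for one (bps, pps) sample.
    pps is checked independently of bps: a small-packet SYN flood trips pps
    long before bps, which is why both thresholds are set."""
    bps, pps = sample
    if bps >= th.clean_bps or pps >= th.clean_pps:
        return "clean"
    if bps >= th.alarm_bps or pps >= th.alarm_pps:
        return "alarm"
    return "normal"

def evaluate(samples, th):
    return [classify(s, th) for s in samples]

# Constructed baseline: normal traffic peaking at 2 Gbps / 300 kpps.
BASELINE = [(0.8e9, 120e3), (1.4e9, 210e3), (2.0e9, 300e3), (1.1e9, 160e3)]

# Constructed live samples: normal, volumetric surge, big flood, small-packet flood.
LIVE = [(1.9e9, 280e3), (3.5e9, 400e3), (5.2e9, 700e3), (2.2e9, 900e3)]

if __name__ == "__main__":
    th = derive_thresholds(BASELINE)
    for sample, verdict in zip(LIVE, evaluate(LIVE, th)):
        print(sample, verdict)
```

The last sample stays under the bps trigger but crosses the pps trigger, which is the case a bps-only alarm would miss.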

Scrubbing algorithm selection

The scrubbing algorithms in the industry are currently similar. Common ones include: discarding abnormal packets; matching packet signatures; having the client first establish a TCP connection with the scrubbing equipment and whitelisting it once recognised as a normal connection; blacklists; rate limiting, etc. The choice of algorithm depends on the business protocol, traffic trends and other characteristics.
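The five mechanisms just listed, combined into a miniature scrubbing pipeline as an added example (not from the original article or any vendor): blacklist, abnormal-packet discard, signature match, TCP-handshake whitelist, then a per-source rate limit for sources not yet trusted. The packet records, blacklist entry, signature and rate limit are constructed.

```python
# Added example: a tiny scrubber applying blacklist, abnormal-packet discard,
# signature match, handshake whitelist and rate limit, in that order.
from collections import defaultdict

BLACKLIST = {"203.0.113.9"}          # constructed blacklist entry
SIGNATURES = (b"\x00" * 8,)          # constructed payload signature
RATE_LIMIT = 3                       # packets per untrusted source per window

class Scrubber:
    """Returns a verdict string per packet; state persists across packets."""
    def __init__(self):
        self.whitelist = set()       # sources that completed a TCP handshake
        self.syn_seen = set()        # sources with a SYN outstanding
        self.counts = defaultdict(int)

    def verdict(self, pkt):
        src, proto = pkt["src"], pkt["proto"]
        flags = pkt.get("flags", set())
        if src in BLACKLIST:                               # blacklist (cheapest check)
            return "drop:blacklist"
        if {"SYN", "FIN"} <= flags or (proto == "udp" and pkt.get("len", 0) == 0):
            return "drop:abnormal"                         # impossible flags / empty UDP
        if any(sig in pkt.get("payload", b"") for sig in SIGNATURES):
            return "drop:signature"                        # packet feature match
        if proto == "tcp":                                 # handshake -> whitelist
            if flags == {"SYN"}:
                self.syn_seen.add(src)
            elif "ACK" in flags and src in self.syn_seen:
                self.whitelist.add(src)
        if src in self.whitelist:
            return "pass:whitelist"
        self.counts[src] += 1                              # rate-limit the untrusted
        return "drop:ratelimit" if self.counts[src] > RATE_LIMIT else "pass"

def scrub(packets):
    s = Scrubber()
    return [s.verdict(p) for p in packets]

# Constructed stream: legitimate client, blacklisted host, two malformed packets,
# a signature hit, then a UDP source exceeding the rate limit.
PACKETS = [
    {"src": "198.51.100.5", "proto": "tcp", "flags": {"SYN"}},
    {"src": "198.51.100.5", "proto": "tcp", "flags": {"ACK"}},
    {"src": "203.0.113.9", "proto": "tcp", "flags": {"SYN"}},
    {"src": "192.0.2.7", "proto": "udp", "len": 0},
    {"src": "192.0.2.7", "proto": "tcp", "flags": {"SYN", "FIN"}},
    {"src": "192.0.2.8", "proto": "udp", "len": 64, "payload": b"\x00" * 16},
] + [{"src": "192.0.2.3", "proto": "udp", "len": 40, "payload": b"hi"}] * 4

if __name__ == "__main__":
    for pkt, v in zip(PACKETS, scrub(PACKETS)):
        print(pkt["src"], v)
```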

This article took the anti-DDoS practice of two Chinese enterprises operating overseas as a template and sorted out the anti-DDoS services of the two kinds of providers, public cloud and IDC, in the hope that it can serve as a reference for enterprises in need. In addition, the author declares no interest in any of the enterprises involved; the article is written purely from the perspective of objective research. If anything is wrong, please point it out; the author will listen carefully.

