DDoS attacks are nothing new. Their growth had begun to moderate over the past two years until, a month ago, the European anti-spam organization Spamhaus was suddenly hit by a high-volume DDoS attack of up to 300Gbps. It is considered the largest DDoS attack ever, a reminder that attackers have never abandoned DDoS.
What is the nature of this high-volume DDoS attack? Why did it appear now? And how can this type of attack be defended against? Security firm Arbor, which has worked in the anti-DDoS field for many years, recently answered these questions.
Q: Is this the largest DDoS attack so far?
A: Yes, and its scale is much larger than anything before. The largest previously reported (and validated) attack was about 100Gb/second.
Q: Is this a new type of DDoS attack?
A: It is not. These attacks are DNS reflection/amplification attacks, which have existed for many years. This type of attack has been found to generate several of the largest attacks seen on the Internet in recent years. DNS reflection/amplification attacks exploit the Internet's DNS infrastructure to amplify the traffic an attack can generate. DNS, which is used to resolve host names to IP addresses, is an important component of Internet infrastructure. A DNS reflection/amplification attack uses multiple client machines (bots, or zombies) to send queries to multiple open DNS resolvers, so that a large volume of attack traffic is generated from widely distributed sources (the Spamhaus attack used 30K open resolvers).
Q: What makes DNS reflection/amplification attacks possible?
A: Two things make these types of attacks possible: a lack of ingress filtering at network service providers (which allows traffic with spoofed source addresses to be forwarded), and the number of open DNS resolvers on the Internet (which respond to queries from any IP address).
An attacker must be able to spoof the target victim's address as the source address of the DNS queries. All organizations should implement BCP38/84 anti-spoofing at all borders of their networks. Unfortunately, in this year's Arbor global network infrastructure security report (covering 2012), only 56.9% of respondents said they currently implement BCP 38/84 at their network edge.
The second key component of this attack is the large number of open DNS resolvers available on the Internet. There are currently about 27 million open DNS resolvers on the Internet.
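The following is an added example, not part of the original article or of Arbor's answers. It models the two conditions described above, BCP38/84-style source address validation at the provider edge and a resolver that is either open or restricted to its own clients, and traces where each query stops. The topology, addresses (RFC 5737 documentation prefixes) and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample topology; port names and prefixes are hypothetical.
PORT_PREFIXES = {
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["192.0.2.128/25", "198.51.100.0/24"],  # multihomed: several valid prefixes
}
RESOLVER_CLIENTS = ["192.0.2.0/24", "198.51.100.0/24"]  # ranges a closed resolver serves

def _in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)

def ingress_permits(port, src):
    """BCP38/84-style check: source must lie in a prefix assigned to the ingress port."""
    return _in_any(src, PORT_PREFIXES.get(port, []))

def resolver_permits(src, open_resolver):
    """An open resolver answers any source; a closed one only its own clients."""
    return open_resolver or _in_any(src, RESOLVER_CLIENTS)

def verdict(port, src, bcp38, open_resolver):
    """Follow one DNS query and report where it stops or who receives the reply."""
    if bcp38 and not ingress_permits(port, src):
        return "dropped-at-ingress"
    if not resolver_permits(src, open_resolver):
        return "refused-by-resolver"
    return "reply-to:" + src  # the reply goes to whatever source the packet claimed

# Constructed queries: (ingress port, source address written in the packet).
QUERIES = [
    ("cust-a", "192.0.2.7"),       # genuine customer address
    ("cust-b", "198.51.100.20"),   # genuine, second prefix of the multihomed customer
    ("cust-a", "203.0.113.10"),    # source outside the port's prefixes
    ("cust-a", "198.51.100.20"),   # another customer's address on the wrong port
]

def summarize(bcp38, open_resolver):
    """Count verdicts for the sample queries under one combination of controls."""
    return Counter(verdict(p, s, bcp38, open_resolver) for p, s in QUERIES)

if __name__ == "__main__":
    for bcp38 in (False, True):
        for open_resolver in (True, False):
            print(f"bcp38={bcp38} open_resolver={open_resolver}",
                  dict(summarize(bcp38, open_resolver)))
```

The last sample query shows why both controls matter: closing the resolver alone still returns a reply to a mis-sourced address that falls inside the resolver's client ranges, while the ingress check drops it.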
Q: Can DNSSEC (Domain Name System Security Extensions) help address these attacks?
A: No. DNSSEC is intended to ensure that answers to DNS queries are authentic and have not been tampered with. It does nothing to help against DNS reflection/amplification attacks. Compared with queries without DNSSEC, DNSSEC queries generate significantly larger reply packets of any type, so implementing DNSSEC actually means more amplification for the attack.
Q: Internet infrastructure tops out at almost 100Gbps. If that is the case, how did Spamhaus see 300 Gbps of traffic?
A: Although 100Gb/second is the maximum speed of a single physical link deployed in production networks, multiple 100Gb/second physical links can be combined to create a larger-capacity logical link.
Q: How can such attacks be mitigated?
A: If most network service providers implement BCP 38/84 at their borders, while the number of open DNS resolvers on the Internet is also significantly reduced, you can reduce the