DDoS (Distributed Denial of Service) uses a large number of valid requests to consume network resources and make services unresponsive and unavailable to legitimate users. DDoS attacks are currently among the most powerful cyber-attacks and are hard to defend against.
DDoS is an old attack method that has been around the cybersecurity world for a long time, and DDoS prevention has gone through several stages.
Professional anti-DDoS hardware firewalls optimize power dissipation, forwarding chips, operating systems, and many other parts, and can meet the requirements of DDoS traffic scrubbing. Generally, IDC service providers buy anti-DDoS hardware firewalls and deploy them at the entry of data centers to provide scrubbing services for the entire data center. The performance of these scrubbing services has gradually evolved from the original 100 MB per machine to 1 Gbit/s, 10 Gbit/s, 20 Gbit/s, 100 Gbit/s or higher. These scrubbing services cover most attacks from layer 3 to layer 7 (such as SYN-FLOOD, UDP-FLOOD, ICMP-FLOOD, ACK-FLOOD, TCP connection flood, CC attacks, DNS-FLOOD, and reflection attacks).
However, this DDoS prevention method is very costly for IDC service providers. Scrubbing devices are required at the entry of each data center, and dedicated maintenance staff are needed to maintain the devices and services. In addition, not all IDCs have equal scrubbing and protection capabilities. Uplinks of some small data centers may only have 20 GB bandwidth and cannot reuse these scrubbing devices.
In the cloud era, services are deployed on various clouds or in traditional IDCs, and the DDoS scrubbing services provided do not follow a consistent standard. When DDoS attack traffic is extremely large, the data centers where services are hosted cannot provide matching protection capabilities. To protect other services from being affected, the "black hole" concept was created. Under the black hole mechanism, when the attack traffic directed at a server exceeds the black hole triggering threshold in the IDC, the IDC blocks Internet access for that server to avoid persistent attacks and ensure the overall stability of the IDC.
In this case, advanced anti-DDoS systems with secure IP addresses provide a complete set of anti-DDoS solutions by enabling high bandwidth for whole data centers, redirecting traffic to these IP addresses, and then forwarding scrubbed traffic to users' source stations. This protection method supports the reuse of data center resources and allows data centers to focus more on their intended role. Additionally, this protection method simplifies DDoS prevention by providing DDoS scrubbing services in a SaaS-based manner.
Advanced anti-DDoS systems with secure IP addresses can meet the requirement of high bandwidth in the cloud era. They also allow users to hide their source stations and flexibly change scrubbing service providers.
This article discusses the evolution of anti-DDoS technology and describes how each element can affect the overall protection robustness and efficiency.
The preceding content reflects the Wooden Bucket Theory on DDoS attack protection: each aspect of attack prevention affects the overall protection effectiveness and efficiency. Future advanced anti-DDoS systems with secure IP addresses should feature elastic bandwidth, high redundancy, high availability, high access quality, and simple business integration. At the same time, the combination of OPENAPI-based DDoS protection and users' automatic maintenance systems can bring higher security to the business and facilitate business growth.
One of the most common methods of securing your Apache web server hosted on Alibaba Cloud is installing ModEvasive. This is a highly intelligent Apache module that provides evasive actions against Distributed Denial of Service (DDoS) and brute-force attacks.
If a DDoS attack targets your web server, it can be very stressful. The attack simply overwhelms your server with a lot of traffic from multiple sources. During the DDoS session, regular users cannot access your website or web application and this can mean loss of sales or even lead to a complete shutdown of your business.
Anti-DDoS Basic currently supports BGP and DNS redirection technologies. Its dominant protection mode is passive cleansing, supplemented by active suppression. The service comprehensively manages DDoS attacks.
On the basis of conventional technologies, such as proxy, detection, rebound, authentication, black/white lists, and message compliance, Alibaba Cloud Anti-DDoS Basic also integrates web security and filtering, reputation analysis, Layer-7 application analysis, user behavior analysis, feature learning, defense and counter-work, and other technologies. This service can block and filter threats, and guarantees that the protected users are secured even during the attack.
This tutorial explains a simple setup and verification process for Anti-DDoS Pro website protection through the Alibaba Cloud console. It does not cover all possible options.
Alibaba Cloud Anti-DDoS Basic is a cloud-based security service that integrates with Alibaba Cloud ECS instances to safeguard your data and applications from DDoS attacks, and provides increased visibility and control over your security measures.
As an Alibaba Cloud global service, Anti-DDoS Basic enables you to meet stringent security requirements for your cloud hosting architecture without any investment. This service is available to all Alibaba Cloud users free of charge.
Anti-DDoS Pro is a value-added service used to protect servers, including external servers hosted in Mainland China, against volumetric DDoS attacks. You can redirect attack traffic to Anti-DDoS Pro to ensure the stability and availability of origin sites.