Anti DDoS with Clean Pipe
Clean Pipe is one of the most popular of the three anti-DDoS methods covered here. Before reaching the server, all traffic must pass through a cleaning center called a “filter center”, where malicious traffic is detected and isolated. From there, only legitimate traffic is allowed to reach the server.
With the proliferation of DDoS attacks today, many Internet Service Providers (ISPs) and Managed Security Service Providers (MSSPs) have started to provide anti-DDoS services using the “Clean Pipe” method.
Implementing Clean Pipe is quite complicated because you need:
- A BGP router
- A network device with GRE tunnel termination capability
- An Internet-routable prefix and ASN
Weaknesses of Clean Pipe
1. Long detection and re-routing time: Whenever attack traffic is detected, rerouting techniques send this traffic to the cleaning center. This redirection is triggered by DDoS detection, and rerouting takes at least a few minutes before the final removal step begins. During this time, the business’s online services are already affected to some degree by the DDoS attack.
2. Incomplete DDoS protection and a high false-positive rate: The Clean Pipe method does not provide complete protection against DDoS attacks. It lacks the ability to handle medium-sized attacks, especially packet/application attacks. In addition, the server’s IP is not hidden, so hackers can easily identify infrastructure providers and exploit vulnerabilities and weaknesses.
Besides, Clean Pipe rerouting involves the entire prefix, usually at least a /24. Within that /24, hosts send traffic both as clients (e.g. DNS queries) and as servers (e.g. serving web content). This mixed profile of client-side and server-side traffic makes the profile of illegitimate access very complex. As a result, the system produces many false positives, and you will find that Clean Pipe often requires a lot of human intervention.
3. Malicious request filtering that can’t stop a real DDoS attack: Clean Pipes help reduce malicious traffic, but they can’t stop a real DDoS attack. In addition, the security support of ISPs is not always as expected, because they often lack deep expertise in dedicated anti-DDoS solutions. They are good at dealing with volume-based DDoS attacks, but not at signature-based security and other forms of DDoS attacks. As a result, the enterprise is potentially vulnerable to application-layer attacks.
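The false positives described in weakness 2 can be seen on a handful of flows. The following is an added example, not code from the original article: it applies one prefix-wide signature (inbound UDP from source port 53) to a rerouted /24 and compares it with a rule that knows which inside hosts act as DNS clients. The prefix, addresses, flow records and function names are all constructed for illustration.

```python
import ipaddress

PREFIX = ipaddress.ip_network("203.0.113.0/24")  # constructed: the rerouted /24

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto)
FLOWS = [
    ("203.0.113.10", 40001, "198.51.100.53", 53, "udp"),  # inside host asks a resolver
    ("198.51.100.53", 53, "203.0.113.10", 40001, "udp"),  # solicited answer
    ("203.0.113.10", 40002, "198.51.100.53", 53, "udp"),
    ("198.51.100.53", 53, "203.0.113.10", 40002, "udp"),
    ("192.0.2.7", 51000, "203.0.113.80", 443, "tcp"),     # visitor to the web server
    ("192.0.2.8", 53, "203.0.113.80", 33333, "udp"),      # unsolicited: .80 never asked
    ("192.0.2.9", 53, "203.0.113.80", 33334, "udp"),
]


def inside(ip):
    return ipaddress.ip_address(ip) in PREFIX


def prefix_wide_alerts(flows):
    """One signature for the whole prefix: inbound UDP from source port 53."""
    return [f for f in flows
            if f[4] == "udp" and f[1] == 53 and inside(f[2]) and not inside(f[0])]


def role_aware_alerts(flows):
    """Same signature, but answers to queries sent from inside are not alerts."""
    pending, alerts = set(), []
    for flow in flows:
        src, sport, dst, dport, proto = flow
        if proto != "udp":
            continue
        if inside(src) and not inside(dst) and dport == 53:
            pending.add((src, sport, dst))          # remember the outbound query
        elif inside(dst) and not inside(src) and sport == 53:
            if (dst, dport, src) in pending:
                pending.discard((dst, dport, src))  # matched a client-side query
            else:
                alerts.append(flow)                 # nothing inside asked for this
    return alerts


def false_positives(flows):
    """Alerts the prefix-wide rule raises that the role-aware rule does not."""
    role_aware = role_aware_alerts(flows)
    return [f for f in prefix_wide_alerts(flows) if f not in role_aware]
```

On the constructed flows, the prefix-wide rule flags the legitimate DNS answers to the client host along with the unsolicited packets aimed at the web server, which is the manual triage burden the text describes.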
The main benefit of Clean Pipe
The main benefit of Clean Pipe is its high flexibility, as it supports most applications in the IP stack. However, it lacks advanced protection for specific applications, resulting in costly losses and a lack of the false-positive prevention that is so important for a business.
Clean Pipe has not really solved the problem of network attacks. For example, when TCP RESET is enabled to combat a TCP SYN flood DDoS attack, some applications automatically reconnect without problems, but web browsers do not.
Anti DDoS with CDN Dilution
A CDN (Content Delivery Network) is a system of distributed servers that helps deliver website/application content to users as fast as possible. CDNs are also known for their ability to carry and deliver massive amounts of traffic. CDN Dilution uses high-bandwidth technology to mitigate Layer 3/4 DDoS attacks.
A CDN can offload DDoS attacks with its huge bandwidth. The CDN network acts as a reverse proxy for the web application: all requests are handled by the CDN, and malicious requests are filtered out before being sent to the origin server. CDN Dilution is effective against DDoS because:
- The CDN network has application context-aware capabilities
- It works with a well-defined protocol (HTTP)
- It always works in real time
However, CDN Dilution only applies to web applications. If you’re using a proprietary TCP or UDP client, CDN Dilution won’t be able to help.
Stop DDoS with Anti-DDoS Proxy
If you run TCP or UDP services on the origin server, such as a web server, gaming service, remote server access (SSH), or email (SMTP), they will be exposed over open ports. This means that hackers can send DDoS traffic in large volumes or try to steal sensitive unencrypted data.
Some vendors, such as MSSPs (Managed Security Service Providers) and CDNs, have built a reverse TCP/UDP proxy into their existing DDoS infrastructure to provide a layer of protection for TCP/UDP applications.
Anti-DDoS Proxy works similarly to a CDN. Packets are sent to the reverse proxy, which filters out malicious packets according to the defined Anti-DDoS configuration. Anti-DDoS Proxy provides comprehensive DDoS protection with the following outstanding features:
- Always-on, real-time security mode
- Active security model (allowing only defined ports to be accessed instead of opening them all)
- Resistant to prolonged DDoS attacks
One disadvantage of this anti-DDoS solution is that the source IP is changed. This can be a serious problem for some applications as there is no way to get the real visitor’s IP.
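The limitation above holds when the proxy forwards a bare TCP stream. As an added example (not from the original article or any vendor): if the proxy can be configured to prepend a PROXY protocol v1 header, which is an assumption about the provider, the origin can read the visitor address from that header, provided it accepts the header only from the proxy's own addresses. The function name, trusted range and sample bytes are constructed.

```python
import ipaddress

# Assumption: address range of the anti-DDoS proxy nodes (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/28")]
MAX_V1_HEADER = 107  # longest PROXY protocol v1 line, CRLF included


def client_address(peer_ip, first_bytes):
    """Return (visitor_ip, payload) for the first bytes read on a new connection."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Direct connection: a header here is attacker-controlled, never honour it.
        if first_bytes.startswith(b"PROXY "):
            raise ValueError("PROXY header from untrusted peer")
        return peer_ip, first_bytes
    end = first_bytes.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no complete PROXY v1 header from proxy")
    parts = first_bytes[:end].decode("ascii").split(" ")
    payload = first_bytes[end + 2:]
    if parts[0] != "PROXY" or len(parts) < 2:
        raise ValueError("proxy connection without PROXY header")
    if parts[1] == "UNKNOWN":
        return peer_ip, payload  # proxy could not tell; fall back to the peer
    if len(parts) != 6 or parts[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    want = 4 if parts[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match protocol field")
    if not all(0 <= int(p) <= 65535 for p in parts[4:6]):
        raise ValueError("port out of range")
    return str(src), payload


# Constructed first read on an SSH port reached through the proxy.
SAMPLE = b"PROXY TCP4 192.0.2.44 203.0.113.5 51234 22\r\nSSH-2.0-client\r\n"
```

Rejecting the header from any peer outside the trusted range matters as much as parsing it: otherwise a direct connection to the origin could claim any visitor address and defeat IP-based logging or rate limits.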
How to comprehensively protect against DDoS with multiple layers of security?
There are many ways to implement DDoS protection strategies, but sometimes it is difficult to get started. When businesses have to pay for security, they think hard about the cost. But the damage caused by cyber-attacks is even more unfortunate. It exposes businesses to even greater risks and losses, through time lost to system recovery and reduced customer trust.
Today, most businesses large and small have to pay a fee for anti-DDoS services. But the important thing that we need to do is optimize the cost of these investments and make sure no attacks happen. Most anti-DDoS services charge businesses regardless of whether an attack occurs or not, with the exception of a DDoS prevention service using CDN Dilution.
Since the CDN Dilution method is built on CDN technology, it can be used to deliver web content in the absence of an attack. In the event of an attack, a CDN can be used to reduce the DDoS load. Multi CDN can prevent major DDoS attacks and increase website performance.
VNIS provides anti-DDoS protection for the network layer (Layer 3/4) with a Multi CDN network in 32 countries, and for the application layer (Layer 7) with a Cloud WAF firewall in 8 countries. To find out more about the cost of deploying VNIS anti-DDoS packages or to register for a trial of the anti-DDoS services, contact the hotline at (028) 7306 8789, or email contact@vnetwork.vn or sales@vnetwork.vn for expert support and consultation.