How to use load balancing equipment to defend against attacks
As the entry point for key applications, load balancing equipment has naturally become the target of all kinds of attacks. How a load balancer can protect the back-end servers without being paralyzed itself is a problem every load balancing device must solve. In fact, ever since load balancing equipment appeared, its concurrent session capacity and new-connection rate have dwarfed those of firewall products. In addition, most attack target IPs happen to be the virtual IPs (VIPs) of the load balancing device. Compared with a firewall, which merely handles traffic, the load balancing device understands how these applications should be protected, so it is the natural place to apply protection policies to the virtual IP and the back-end servers. Deploying a firewall in front of the load balancer is usually the result of existing management practices at some sites; for Internet applications with really large traffic volumes, few firewalls are deployed in front of the load balancing equipment. The following introduces the attack defense methods available in the AX products of A10 Networks.
1. First, for the most common attack, SYN flooding, load balancing equipment uses the widely adopted SYN cookie mechanism for defense. What users care about is its SYN cookie performance. A10's high-end equipment processes SYN cookies in hardware and can defend against DDoS attacks of up to 50M SYN/sec (about the full attack traffic of 3 Gigabit + 3 Gigabit ports) with zero impact on the CPU.
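The SYN cookie mechanism referred to above, as an added example (not A10's or any real TCP stack's code): the SYN-ACK sequence number encodes a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash of the connection 4-tuple, so no state is kept for half-open connections and a flood of spoofed SYNs costs only the hash. The secret, the MSS table and the 64-second tick are constructed values.

```python
import hashlib
import hmac

# Constructed per-boot secret; a real TCP stack draws this from a CSPRNG at start-up.
SECRET = b"example-secret-rotated-at-boot"
MSS_TABLE = [536, 1300, 1440, 1460]  # MSS values representable in the 3-bit field
COUNTER_PERIOD = 64                  # seconds per tick of the 5-bit counter
MAX_AGE_TICKS = 2                    # older cookies are rejected

def _tick(now):
    return int(now // COUNTER_PERIOD) & 0x1F

def _mac24(src_ip, src_port, dst_ip, dst_port, tick):
    # Keyed hash of the 4-tuple and the counter, truncated to the 24-bit field.
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(src_ip, src_port, dst_ip, dst_port, client_mss, now):
    """Return the ISN to place in the SYN-ACK; no per-SYN state is kept."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i               # largest table entry the client accepts
    tick = _tick(now)
    return (tick << 27) | (mss_idx << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, tick)

def check_cookie(ack_number, src_ip, src_port, dst_ip, dst_port, now):
    """Validate the handshake's final ACK; return the negotiated MSS or None."""
    cookie = (ack_number - 1) & 0xFFFFFFFF     # the client ACKs ISN + 1
    tick, mss_idx = (cookie >> 27) & 0x1F, (cookie >> 24) & 0x7
    if (_tick(now) - tick) & 0x1F > MAX_AGE_TICKS:
        return None                            # stale or forged counter
    if mss_idx >= len(MSS_TABLE):
        return None
    if cookie & 0xFFFFFF != _mac24(src_ip, src_port, dst_ip, dst_port, tick):
        return None                            # ACK was not derived from our SYN-ACK
    return MSS_TABLE[mss_idx]
```

Only ACKs that carry a cookie computed for the same 4-tuple within the last two ticks open a connection; a spoofed SYN never produces one.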
2. ICMP rate limiting. Against the large class of PING-based attacks such as Smurf, the load balancing device can limit the number of ICMP packets it processes per second.
3. Per-source-IP connection rate limiting, applicable to TCP and UDP. More and more distributed DoS attacks consist of valid TCP connections or UDP traffic. When the connection rate from a single IP exceeds the configured value, the load balancing device can take several actions, such as discarding traffic from that IP address, sending log alarms, and locking the address out for a set period.
4. IP anomaly attack defense. Common attack types such as Land attack and Ping of Death can be detected and discarded by A10's load balancing equipment.
5. Access control lists (ACLs), filtering on the IP five-tuple; no further detail is needed here.
6. Policy-Based Server Load Balancing (PBSLB). A10's load balancing device supports a black and white list of up to 8 million host records. The list can be updated automatically from a TFTP server on a regular schedule, with no window of exposure during the update. This is dozens of times more entries than router ACLs or firewall policies can hold. The addresses in the list can have their connection counts limited, can be divided into different groups, and can be discarded or forwarded to different groups of servers. This feature can be combined with A10's other anti-attack features to generate black and white lists dynamically.
7. Virtual server / server connection count limits. According to the capacity of a server, the number of connections allocated to a single server or to the whole virtual server can be limited, so that a server is not paralyzed by too many connections. The limit can be applied to a server or to one of its service ports.
8. Virtual server / server connection rate limits. The previous item limits the number of established connections that may be held at the same time; this item limits the rate of new connections. In a flood of short-lived connections or a traffic burst, the number of concurrent connections may not be large, but a high rate of new connections can still paralyze the server.
9. HTTP concurrent request limits and request rate limits. Against the many CC (Challenge Collapsar) HTTP-flood attacks seen today, the connection count and connection rate limits above are powerless, because a CC attack often sends a large number of HTTP requests over a single TCP connection. A10's load balancing equipment combines layer 7 request-based attack defense with its powerful black and white list function: for a single source IP it can limit the total number of concurrent connections, the rate of new connections, the number of concurrent requests, and the request rate. Different client IPs can be divided into different groups with different parameters.
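The per-source rate limiting of items 3, 8 and 9 (connection rate with drop, log-alarm and lock-out actions, and the request-rate counter that a connection-rate counter cannot replace against a CC flood) as one added example; this is illustrative code, not A10's implementation, and the limits, window and lock-out period are constructed parameters.

```python
from collections import defaultdict, deque

class SourceRateLimiter:
    """Sliding-window limiter keyed by source IP with the three actions from the
    text: drop the excess, raise a log alarm, and lock the source out for a period.
    `limit` events per `window` seconds and `lockout` seconds are constructed parameters."""

    def __init__(self, limit, window, lockout):
        self.limit, self.window, self.lockout = limit, window, lockout
        self.events = defaultdict(deque)   # src_ip -> timestamps inside the window
        self.locked_until = {}             # src_ip -> time the lock expires
        self.alarms = []                   # lines that would be sent to syslog

    def allow(self, src_ip, now):
        """Return True to forward the connection/request, False to drop it."""
        until = self.locked_until.get(src_ip)
        if until is not None:
            if now < until:
                return False               # locked: drop without further logging
            del self.locked_until[src_ip]
        q = self.events[src_ip]
        while q and now - q[0] >= self.window:
            q.popleft()                    # expire events that left the window
        if len(q) >= self.limit:
            self.locked_until[src_ip] = now + self.lockout
            q.clear()
            self.alarms.append(f"t={now:.3f} {src_ip} exceeded {self.limit}/{self.window}s, locked {self.lockout}s")
            return False
        q.append(now)
        return True

def simulate_cc_flood(src_ip, requests, duration=0.5, limit=50):
    """Constructed CC flood: `requests` HTTP requests over ONE TCP connection in `duration` s.
    A connection-rate limiter sees a single connection; only a request-rate limiter catches it."""
    conn_limit = SourceRateLimiter(limit=20, window=1.0, lockout=60.0)
    req_limit = SourceRateLimiter(limit=limit, window=1.0, lockout=60.0)
    conn_ok = conn_limit.allow(src_ip, 0.0)            # one connection: passes
    forwarded = dropped = 0
    for i in range(requests):
        if req_limit.allow(src_ip, i * duration / requests):
            forwarded += 1
        else:
            dropped += 1
    return conn_ok, forwarded, dropped, len(req_limit.alarms)
```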
10. DNS compliance checking. DNS is the top application, and its attack defense cannot be ignored. In addition to the general features above, A10's load balancing equipment can check DNS packets for protocol compliance, and filter packets whose format does not conform to the DNS protocol standard or forward them to dedicated security equipment.
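What a DNS compliance check on incoming queries has to verify, as an added example (not A10's code): the 12-byte header, the flag and opcode values, the section counts, and a QNAME whose labels stay within the 63-octet and 255-octet limits of RFC 1035 and do not use compression pointers. The `build_query` helper and the sample names are constructed for the demonstration.

```python
import struct

def check_dns_query(pkt):
    """Return (True, summary) for a well-formed query or (False, reason) to drop/divert it."""
    if len(pkt) < 12:
        return False, "short header"
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000:
        return False, "QR bit set on a query"
    if (flags >> 11) & 0xF not in (0, 1, 2):        # QUERY, IQUERY, STATUS
        return False, "unknown opcode"
    if qd != 1 or an or ns:                           # AR may carry an EDNS OPT record
        return False, "unexpected section counts"
    pos, labels, wire_len = 12, [], 0
    while True:
        if pos >= len(pkt):
            return False, "truncated QNAME"
        ln = pkt[pos]
        if ln == 0:                                   # root label ends the name
            pos += 1
            break
        if ln & 0xC0 == 0xC0:
            return False, "compression pointer in question"
        if ln & 0xC0:                                 # 0x40/0x80: reserved label types
            return False, "label longer than 63 octets"
        wire_len += ln + 1
        if wire_len > 254:                            # 255 including the root octet
            return False, "name longer than 255 octets"
        label = pkt[pos + 1:pos + 1 + ln]
        if len(label) != ln:
            return False, "truncated label"
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + ln
    if pos + 4 > len(pkt):
        return False, "truncated QTYPE/QCLASS"
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    if qtype == 0 or qclass not in (1, 255):          # IN or ANY
        return False, "bad QTYPE/QCLASS"
    return True, {"id": txid, "qname": ".".join(labels) + ".", "qtype": qtype}

def build_query(qname, qtype=1, txid=0x1234, flags=0x0100):
    """Constructed helper producing a standard recursive query for the samples."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return struct.pack("!6H", txid, flags, 1, 0, 0, 0) + name + b"\x00" + struct.pack("!HH", qtype, 1)
```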
11. Dynamic DNS caching. Because the capacity of a DNS server is limited, how to protect it and keep the DNS service operating normally under abnormal traffic is a problem users are eager to solve. A10's dynamic DNS caching function sets thresholds according to the capabilities of the back-end DNS server: when the number of requests for a given domain name reaches the threshold, caching for that name is enabled dynamically and the load balancing device answers the DNS requests itself. The prerequisite is that the DNS processing capacity of the load balancing device is sufficiently high; A10's entry-level 64-bit products can handle 1.5 million DNS QPS (DNS requests per second).
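The threshold-triggered caching described above, as an added example rather than A10's implementation: a name is forwarded to the back-end server until it exceeds the per-window threshold, after which the load balancer answers from cache for the record's TTL. The threshold, window, TTL handling and the constructed flood are assumptions of this example.

```python
from collections import deque

class DynamicDnsCache:
    """Answer a name from cache only once it has been asked for more than
    `threshold` times within `window` seconds (constructed parameters), keeping
    the cached answer for the record's TTL. Cold names always reach the back end."""

    def __init__(self, threshold, window, resolve):
        self.threshold, self.window = threshold, window
        self.resolve = resolve          # callable(qname) -> (answer, ttl): the back-end server
        self.requests = {}              # qname -> deque of recent request times
        self.cache = {}                 # qname -> (answer, expires_at)
        self.backend_queries = 0

    def lookup(self, qname, now):
        """Return (answer, 'cache' | 'backend')."""
        entry = self.cache.get(qname)
        if entry and now < entry[1]:
            return entry[0], "cache"    # hot name: served by the load balancer itself
        q = self.requests.setdefault(qname, deque())
        while q and now - q[0] >= self.window:
            q.popleft()                 # drop requests that fell out of the window
        q.append(now)
        answer, ttl = self.resolve(qname)
        self.backend_queries += 1
        if len(q) > self.threshold:     # threshold crossed: enable caching for this name
            self.cache[qname] = (answer, now + ttl)
        return answer, "backend"

def simulate_flood(requests, threshold=100, rps=10000):
    """Constructed flood of `requests` queries for one name at `rps`; returns how many reached the back end."""
    cache = DynamicDnsCache(threshold, window=1.0, resolve=lambda name: ("203.0.113.5", 30))
    for i in range(requests):
        cache.lookup("www.example.com.", i / rps)
    return cache.backend_queries
```

With a threshold of 100, a flood of 1000 queries for one name costs the back-end server 101 queries; the remaining 899 are answered by the load balancer.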
12. Custom scripts. Custom scripts based on the Tcl language let users define more flexible security policies to suit their needs. In particular, A10's custom scripts can call the black and white list of up to 8 million entries mentioned above.
The above is only a brief description of each security feature; each one has further detailed functions that can solve many of the security problems that give users headaches. Some of these functions will be described in detail later.
This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com. Source: http://www.internetweblist.com/Web_defense/28676.html