IT小虾 posted on 2011-12-23 01:43

Defending Against Denial-of-Service (DDoS) Attacks: Divert or Block

<p>There are many kinds of DoS attack. The most basic DoS attack uses legitimate service requests to consume an excessive share of service resources, so that the server cannot process the commands of legitimate users.</p>

<p>An anti-DDoS system, in turn, provides protection that maintains the stable, continuous operation of business systems and the high availability of network bandwidth. However, ever since e-commerce sites such as Yahoo and eBay were hit by denial-of-service attacks in 1999, DDoS has been an emerging security threat on the Internet, one that does enormous damage and is extremely hard to defend against.</p>

<p>In particular, as hacking techniques keep developing, DDoS attacks have shown some new trends:</p>

<p>High load: by combining with worms and botnets, DDoS attacks have taken on the characteristics of automatic propagation, centralized control and distributed attack. Because so many hosts are infected, a DDoS attack can generate as much as 1G of attack traffic, which places a huge load on today's network devices and application services.</p>

<p>Complexity: DDoS attacks themselves have moved from exploiting layer 3/layer 4 protocols to exploiting application-layer protocols, for example DNS UDP Flood and CC attacks. Some attacks may involve very little traffic, but because the protocols are relatively complex they are highly effective and hard to defend against; CC attacks against online game servers, for example, exploit vulnerabilities in the games' own application protocols.</p>

<p>Greater losses: the damage caused by DDoS attacks has also changed. DDoS used to be aimed mainly at portal sites, but the targets are now different. DNS servers, VoIP authentication servers, online game servers, and the critical applications of the Internet or of business networks have all become targets, and attacks on these services cause customers greater losses than before.</p>

<p>The contest between diverting and blocking</p>

<p>In recent years worms have been the biggest security problem on the Internet. Besides their traditional characteristics, some worms also embed DDoS attack code, and with the emergence of botnets, attackers can control large numbers of zombie hosts to launch DDoS attacks, which is why the traffic is so large. In the 2004 DoS attack launched by a hacker from Tangshan against a well-known Beijing music website, attack traffic reached as much as 700M, causing heavy losses to the entire business system.</p>

<p>Although the vast majority of current anti-DoS systems are billed as hardware products, they are in fact built on x86 servers or industrial PCs. Their key components are general-purpose Intel or AMD CPUs running a stripped-down operating system (usually Linux or BSD), and all packet parsing and protection is done in software. Constrained by CPU processing power and PCI bus speed, the throughput of such products is severely limited; typically it tops out at no more than 800,000 pps.</p>

<p>However, in the face of DDoS attacks, DDoS protection devices on the traditional x86 architecture struggle to meet protection requirements in both performance and stability. What is more, traditional anti-DDoS solutions are almost always deployed inline (that is, connected between the firewall, router or switch and the protected network), and this mode has a number of drawbacks:</p>

<p>First, it adds a single point of failure to the network and can become a performance bottleneck. Especially when attack traffic and background traffic are present at the same time, the device may be overloaded, which affects normal business operation;</p>

<p>Second, earlier DDoS protection devices are closely tied to firewall systems, so their protection is implemented mainly at layers 3 and 4 of the protocol stack. Such devices are weak against today's DDoS attacks carried over application-layer protocols.</p>

<p>For this reason, we should redesign the architecture of the anti-DoS device as a whole, so that its performance, functionality and stability meet the further needs of DDoS protection today. Defending against massive denial-of-service attacks can be called a contest between diverting and blocking.</p>

<p>DDoS attacks do deep harm to our online lives, and we are trying a variety of protective measures.</p>