Introduction to the major domestic anti-DoS products

xiaoxiao, 2021-03-06

NSFOCUS Black Hole (绿盟黑洞): x86 architecture, Linux kernel, and an in-house SYN-flood algorithm. It works well against a single attack type (SYN, UDP or ICMP flood), but somewhat worse when several types are mixed. Its advantages are fast updates, good technical support, and an absolute advantage against SYN floods in a 100 Mbps environment. Its disadvantages are a lack of documentation and reference material, and that both the software and the hardware are not very stable.

My opinion: usable as an emergency standby.

Radware FireProof: ASIC/NP architecture, SynApps technology, mainly a signature-based layer 4-7 filtering algorithm supplemented by SYN-Cache. Its advantage is that it handles a single type of denial-of-service attack well, with high efficiency. Its disadvantage is that, because of the current design, the system lacks flexibility and may be powerless when an unusual variant attack appears.

My opinion: if the company was already planning to buy Radware equipment for regular use, consider buying the FireProof module at the same time as a standby.

F5 BIG-IP: x86 architecture, FreeBSD-based kernel, SYN-Cache technology with a threshold-based random-drop algorithm, plus a flow-limit function for ICMP (possibly UDP too?), so it can mitigate and resist SYN-class denial-of-service attacks to a certain degree and does have some effect in practice.

My opinion: not suitable for procurement as a dedicated anti-DoS product; treat it as a value-added extra of load-balancing equipment.

Topsec (Tianrongxin) firewall: originally based on the OpenBSD kernel, x86 architecture, now presumably a Linux kernel. An anti-SYN-flood function was added very early on, presumably an improved or enhanced version of SYN-Cache/SYN-cookie. In actual tests it held up to about 25 Mbps of 64-byte SYN traffic; below 20 Mbps it still functioned. At the same time, a good firewall policy should also rate-limit UDP/ICMP traffic.
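The per-protocol rate limit recommended above can be modelled with a token bucket per protocol. The following is an added example written for this page, not code from any of the products discussed; the policy numbers (UDP 100 pps with a burst of 20, ICMP 10 pps with a burst of 5) and the packet stream are constructed for the demonstration, and TCP is deliberately left unlimited so the SYN-flood problem is not hidden by the same mechanism.

```python
"""Per-protocol token-bucket rate limiting (added example, not from the post).

Models a firewall policy that gives UDP and ICMP a flow limit so a flood of
either cannot starve the link. Packets are constructed sample records of
(timestamp in seconds, protocol, size in bytes).
"""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens/second refill, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)  # start full so a short burst passes
        self.last = 0.0

    def allow(self, now, cost=1):
        """Refill for the elapsed time, then spend `cost` tokens if available."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


# Assumed policy: (packets per second, burst) per protocol. TCP is not limited here.
POLICY = {"udp": (100, 20), "icmp": (10, 5)}


def filter_packets(packets, policy=POLICY):
    """Apply the policy to a time-ordered packet list.

    Returns (accepted_packets, dropped_count_by_protocol).
    """
    buckets = {proto: TokenBucket(rate, burst) for proto, (rate, burst) in policy.items()}
    accepted = []
    dropped = defaultdict(int)
    for ts, proto, size in packets:
        bucket = buckets.get(proto)
        if bucket is None or bucket.allow(ts):
            accepted.append((ts, proto, size))
        else:
            dropped[proto] += 1
    return accepted, dict(dropped)


def sample_stream():
    """Constructed traffic: 5 TCP packets, an ICMP burst of 30 within 30 ms at t=1 s,
    then a single ICMP packet one second later after the bucket has refilled."""
    pkts = [(0.01 * i, "tcp", 64) for i in range(5)]
    pkts += [(1.0 + 0.001 * i, "icmp", 64) for i in range(30)]
    pkts.append((2.0, "icmp", 64))
    return pkts


if __name__ == "__main__":
    accepted, dropped = filter_packets(sample_stream())
    print(f"accepted {len(accepted)} packets, dropped {dropped}")
```

With the constructed stream, the ICMP burst is cut to its 5-packet allowance (25 packets dropped), the lone ICMP packet a second later passes because the bucket has refilled, and the TCP packets are untouched. Such a limiter protects the link from UDP/ICMP floods but, as the post notes, says nothing about SYN floods, which need SYN-Cache/SYN-cookie style handling.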

My opinion: a firewall is generally best used for its own professional purpose (access control). Of course, for a production enterprise whose network business is not critical, buying a firewall with a simple anti-SYN function is not bad either.

Tianyuan Longma: I have not used their anti-DoS products, but my impression of their firewall products is not good; the functionality is too simple.

Others: many firewall products also have anti-DoS functions; the most famous are NetScreen and Nokia/Check Point. Test results:

NetScreen 500 (ASIC architecture): with 64-byte SYN packets and the SYN protection switch turned on, at about 18 Mbps of attack traffic system resource usage reached 99% and the network could no longer communicate. The NetScreen 500's SYN resistance limit is tentatively put at 20 Mbps (results from tests at multiple sites).

Nokia IP740 (NP architecture; the lower-end and earlier products, 340 and below, are x86; IPSO/BSD kernel): 64-byte SYN packets, automatic SYN protection. The attack traffic figure is terrible: above 10 Mbps, system resource usage reached 99%, the network could not connect, and the management interface stopped responding. However, after the sustained attack stopped it came back after a while, showing that the system's stability is still good (NetScreen likewise; both performed very stably in normal production, which deserves credit).

My opinion: the anti-DoS performance of Nokia and NetScreen is not worth mentioning until it is significantly improved.

Arbor and Riverhead products: I have not been exposed to them; friends who are familiar with them, please comment.

Other measures include the operating-system-level Linux/BSD syncookie/syn-cache features, AIX/NT network buffer queue and network parameter tuning, network-level layer 4-7 switching (for example a CSS11000 used for load balancing or deep filtering), and traffic rate limits on network equipment and gateways. These can mitigate or reduce the damage of denial-of-service attacks to a certain degree, but cannot be considered fundamental solutions. Perhaps things will be better once broader technologies such as IP Traceback and NetFlow mature, but that is a dream in the dark night. A final point of view: denial of service is a troublesome and hard problem because it is so complex; it can appear at the link layer, the network layer or the application layer. As a product of network ethics or culture, it is hard to cure at the technical level. When choosing a response, everyone should keep three 80/20 rules in mind:
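The SYN-cookie mechanism behind the Linux/BSD feature named above (and the SYN-Cache/SYN-cookie functions credited to several of the products) can be shown in a few dozen lines. The following is an added example written for this page, not kernel code or any vendor's implementation; it uses a simplified version of the classic cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash), and the secret key, MSS table, addresses and time ticks are constructed for the demonstration. The point it shows is that the server stores nothing for a half-open connection: everything needed to finish the handshake is recovered from the ACK number.

```python
"""SYN-cookie demonstration (added example, not from the original post).

A SYN cookie lets a server answer a SYN with a SYN-ACK whose initial sequence
number (ISN) encodes everything needed to rebuild the connection later, so no
per-half-open-connection state is held while a SYN flood is in progress.
Simplified layout: top 5 bits = time tick, next 3 bits = MSS index,
low 24 bits = keyed hash of the 4-tuple and the tick.
"""
import hashlib
import hmac

# Constructed demo secret; a real server generates this randomly and rotates it.
SECRET_KEY = b"constructed-demo-key"

# The 3-bit MSS field can only index a small table of common MSS values.
MSS_TABLE = [536, 1024, 1220, 1440, 1460]

COOKIE_WINDOW = 2  # accept cookies minted within the last 2 time ticks


def _hash24(src_ip, src_port, dst_ip, dst_port, tick):
    """24-bit keyed hash binding the cookie to the 4-tuple and time tick."""
    msg = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}@{tick}".encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, mss, tick):
    """Return the ISN to send in the SYN-ACK; nothing is stored server-side."""
    # Largest table entry not exceeding the MSS the client advertised.
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    t = tick & 0x1F  # 5-bit time counter
    h = _hash24(src_ip, src_port, dst_ip, dst_port, t)
    return (t << 27) | (mss_idx << 24) | h


def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, tick):
    """Validate the final ACK of the handshake. Returns the MSS to use, or None."""
    cookie = (ack_num - 1) & 0xFFFFFFFF  # the client ACKs our ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    age = (tick - t) & 0x1F  # ticks elapsed since minting, mod 32
    if age > COOKIE_WINDOW:
        return None  # too old: expired cookie or a replay
    if h != _hash24(src_ip, src_port, dst_ip, dst_port, t):
        return None  # hash mismatch: not a cookie this server issued
    if mss_idx >= len(MSS_TABLE):
        return None
    return MSS_TABLE[mss_idx]


def demo():
    """One legitimate handshake, one guessed ACK, one stale ACK. Returns the outcomes."""
    client = ("198.51.100.7", 40321)  # constructed sample addresses
    server = ("203.0.113.10", 80)
    isn = make_syn_cookie(*client, *server, mss=1460, tick=100)
    good = check_syn_cookie(*client, *server, isn + 1, tick=101)
    # Guessed ACK with a plausible time field but no knowledge of the key.
    forged = check_syn_cookie(*client, *server, 0x28ABCDF0, tick=101)
    # Correct cookie presented 10 ticks later, outside the acceptance window.
    stale = check_syn_cookie(*client, *server, isn + 1, tick=110)
    return good, forged, stale


if __name__ == "__main__":
    print(demo())  # expected (1460, None, None)
```

The trade-off the post alludes to is visible here: the MSS is squeezed into 3 bits and other TCP options are lost entirely, which is why cookies are normally switched on only once the SYN backlog is exhausted rather than used for every connection.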

1. 80% normal time and 20% time under attack. Time certainly affects the loss; weigh your loss against the cost of the countermeasures you would need.

2. 80% routine attacks and 20% special attacks. No device can handle every attack, so how to respond when the specialised part fails is an important question, and combining this with the first rule is also an important question.

3. 80% normal working time and 20% equipment failure time. When equipment fails, it may be a software, hardware, logic or "rp" (luck) problem. For example, I bought professional anti-DoS products from two vendors, and testing and acceptance of their performance were normal; but when I was attacked and brought them online, I found that one had a hardware failure and could not start, and the other had no protective effect against this kind of attack at all! What then: admit dereliction of duty to the leadership, or wait for the vendor to slowly study a solution? I am afraid it is hard to resolve.

The probability that any of these three principles comes into play may not add up to 80/20, but even if the chance is only 1%, we have to magnify it 100 times. If we invest assets against a 1% incident, then we must also worry whether the measure we invested in will itself be the 1% that fails during that 1% of the time.

Advanced technology does not necessarily solve problems; reasonable technology is what we actually need.

Please credit the original URL when reposting: https://www.9cbs.com/read-98665.html
