|
[China]
Trade Verify
Address: 2F, G4 of TianFu Software Park, Chengdu, China.
Contact name:Jerry
Chengdu Shuwei Communication Technology Co., Ltd. |
|
Verified Suppliers
|
|
|
Network TAP in Bank Data Center Anti-DDos Attack for Financial Network Security
1. Overviews
DDOS is an acronym for Distributed Denial of Service, which means "denial of service". What is Denial of Service? In other words, any behavior that may prevent legitimate users from accessing normal network services is a denial of service attack. That is to say, the purpose of the denial of service attack is very clear, that is, to prevent legitimate users from accessing normal network resources, so as to achieve the purpose of the attacker's concealment. Although it is also a denial of service attack, DOS and DDOS are different. Many "robots" (through the attacker's intrusion or indirect use of the host) focus on the DDOS attack strategy to send a large number of seemingly legitimate network packets to the victim host, causing network congestion or server resources. Exhaustion and lead to denial of service, once the distributed denial of service attack is implemented, the attack network data packets will swarm like a flood, hosted to the legitimate users of the network data packets, and the network resources cannot be accessed by normal legitimate users. Therefore, the denial of Service attacks are also known as "flood attacks". Common DDOS attacks include SYN Flood, ACK Flood, UDP Flood, ICMP Flood, TCP Flood, Connections Flood, Script Flood, and Proxy Flood. On the other hand, DDOS is mainly aimed at network stack failures, system crashes, host crashes, and host-specific vulnerabilities that cannot provide normal network service functions, resulting in denial of service. Common DOS attacks include TearDrop, Land, Jolt, IGMP Nuker, Boink, Smurf, Bonk, OOB, etc. As far as these two denial-of-service attacks are concerned, the main hazard is DDOS attacks because it is difficult to prevent. As for DOS attacks, they can be well prevented by patching the host server or installing firewall software. This article will explain how to deal with DDOS attacks.
Defense Anti-DDoS attacks
1. Filter unnecessary services and ports
Inexpress, Express, Forwarding and other tools can be used to
filter out unnecessary services and ports, that is to say, filter
out fake ip on the router.
2. Cleaning and filtering of abnormal flow
Clean and filter abnormal traffic through the DDoS hardware
firewall, and use top-level technologies such as data packet rule
filtering, data flow fingerprint detection filtering, and data
packet content customization filtering to accurately determine
whether external access traffic is normal, and further prohibit
filtering of abnormal traffic.
3. Distributed cluster defense
This is currently the most effective way to protect the
cybersecurity community from massive DDoS attacks. If a node is
attacked and cannot provide services, the system will automatically
switch to another node according to the priority setting, and
return all the attacker's data packets to the sending point,
paralyzing the source of the attack and affecting the enterprise
from a deeper security protection perspective security
implementation decisions.
4. High security intelligent DNS analysis
The perfect combination of intelligent DNS resolution system and
DDoS defense system provides enterprises with super detection
capabilities for emerging security threats. At the same time, there
is also a shutdown detection function, which can disable the server
IP intelligence at any time to replace the normal server IP, so
that the enterprise network can maintain a never-stop service
state.
2. Intelligent Traffic Processing Abilities(Part)
ASIC Chip Plus Multicore CPU
480Gbps intelligent traffic processing capabilities
Data Filtering
Supported L2-L7 packet filtering matching, such as SMAC, DMAC, SIP, DIP, Sport, Dport, TTL, SYN, ACK, FIN, Ethernet type field and value, IP protocol number, TOS, etc. also supported flexible combination of up to 2000 filtering rules.
Real-time Traffic Trend Monitoring
Supported real-time monitoring and statistics on port-level and policy-level data traffic, to show the RX / TX rate, receive / send bytes, No., RX / TX the number of errors, the maximum income / hair rate and other key indicators.
NetTAP® Visibility Platform
Supported NetTAP® Matrix-SDN Visual Control Platform Access
1+1 Redundant Power System(RPS)
Supported 1+1 Dual Redundant Power System
NT-FTAP-48XE Network TAP NPB.pdf
4. Typical Application Structures
NetTAP® eliminates the problem of a DDoS attack on XXX bank's data center through three layers of the solution: management, detection, and cleaning.
1) Nanosecond response, fast and accurate.Business model traffic self-learning and packet by packet depth detection technology are adopted. Once abnormal traffic and message are found, the immediate protection strategy is launched to ensure that the delay between attack and defense is less than 2 seconds.At the same time, the abnormal flow cleaning solution based on layers of filter cleaning train of thought, through the seven layers of flow analysis processing, from IP reputation, the transport layer and application layer, feature recognition, session in seven aspects, the network behavior, the traffic shaping to prevent identification filtering step by step, improve the overall performance of the defense, effective guarantee of the XXX bank data center network security.
2) separation of inspection and control, efficient and reliable.The separate deployment scheme of the test center and the cleaning center can ensure that the test center can continue to work after the failure of the cleaning center, and generate the test report and alarm notification in real time, which can show the attack of XXX bank to a large extent.
3) flexible management, expansion worry-free.Anti-ddos solution can choose three management modes: detection without cleaning, automatic detection and cleaning protection, and manual interactive protection.The flexible use of the three management methods can meet the business requirements of XXX bank to reduce the implementation risk and improve the availability when the new business is launched.
Customer Value
1) make effective use of network bandwidth to improve enterprise benefits
Through the overall security solution, the network security accident caused by DDoS attack on the online business of its data center was 0, and the waste of network outlet bandwidth caused by invalid traffic and the consumption of server resources were reduced, which created conditions for XXX bank to improve its benefits.
2) Reduce Risks, ensure network stability and business sustainability
The bypass deployment of anti-ddos equipment does not change the existing network architecture, no risk of network cutover, no single point of failure, no impact on the normal operation of the business, and reduces the implementation cost and operating cost.
3) Improve user satisfaction, consolidate existing users and develop new users
Provide users with a real network environment, online banking, online business inquiries and other online business user satisfaction has been greatly improved, consolidate user loyalty, to provide customers with real services.
