DDoS prevention services can be divided into two main categories: online services and offline services (on demand). #
All customer traffic is passed through specialized equipment and is subject to cleaning. The feature of this service is usually soaring cost, but the response time is usually instantaneous. This type of service is usually suitable for small but important traffic such as banking, military, etc.
When DDoS attacks are detected, the attack traffic is dynamically rerouted through dedicated devices or dropped. The feature of this service is that the cost is relatively cheaper than the inline service, but the time from detection to effective response takes about 5 minutes (automatic) or longer (manual).
Offline DDoS prevention services can be classified into the following types:
A) DDoS detection service (DDoS detection):
Uses current traffic information (mainly from Netflow data) or other signatures provided by the service provider to detect, diagnose, and notify users of attacks targeting the system. their network.
B) Blackhole service:
Traffic targeting the user’s network is redirected to another address and then discarded. Traffic is considered to be sucked into a black hole and disappears. Because it is easy to implement, does not consume a lot of resources (resources), this type of service is quite popular and usually does not cost money (free of charge).
However, although it is possible to direct attack traffic to the black hole, all traffic is dropped and the DDoS intent against that IP is considered successful. But this is a necessary sacrifice to protect the rest of the network. And another feature of the blackhole method is that it can eliminate and defend from huge attacks.
Blackhole services have been around for a long time since the early days when DDoS started to grow. The service is started by manually changing routing information by the carrier or by combining it with the use of the BGP community so that users can intervene automatically (see also RFC7999, 5635…)
C) DDoS “purification” service (DDoS mitigation):
In order to overcome the disadvantages of blackhole methods, another type of DDoS attack prevention service is deployed called a DDoS “purification” service. Once the attack traffic has been detected, through routing information changes (automatic or manual), traffic with a certain address is directed to the purge device (mitigation device). . Here, by different algorithms (depending on the device vendor), the abnormal traffic is removed, and the rest (normal traffic) will be returned to the address it needs. . The feature of this method is that it does not remove all traffic for a machine, but only what is not needed. However, equipping mitigation devices leads to the high cost of these services (usually proportional to the size and duration of attacks). This method is also not very effective against huge attacks and is often used to deal with attacks below a few tens of Gbps. Methods for DDoS detection and prevention are not universal. The emergence of new types of attacks such as Slow DDoS or the growth of botnets makes it more difficult to detect and distinguish between attack traffic and normal traffic. Or, not harming normal traffic when conducting “purification” is also an arduous technical problem. In addition to the techniques for DDoS detection and prevention that are mainly based on threshold values and heuristics, in recent years, techniques that leverage machine learning have also caused significant problems. a lot of attention and can become new services in a short time.