In the Internet age, network attacks are a persistent problem, and many people are curious about what the DDoS defense cleaning process looks like. Once DDoS attack traffic triggers the defense, all of the website's traffic passes through the cleaning center. Traffic cleaning is one of the means of defending against DDoS attacks.
DDoS defense cleaning process
1. Blacklist filtering
Blacklist filtering is a relatively basic traffic cleaning method: the IP addresses of known attack sources are placed on a blacklist and their traffic is blocked. Many DDoS attackers attack from fixed IP addresses, and in that case this method is more effective. However, blacklist filtering cannot deal with new DDoS attacks, nor can it solve problems such as IP spoofing.
2. Whitelist filtering
In contrast to blacklist filtering, whitelist filtering passes only the IP addresses on the list and blocks all other traffic. This method can prevent new DDoS attacks to a certain extent, but maintaining the list takes time, manpower and cost, and legitimate traffic is easily blocked.
3. Behavior-based detection
Behavior-based detection examines the behavior pattern of traffic to determine whether it is an attack. This method applies a defense strategy matched to the attack pattern and minimizes the possibility of false alarms.
4. Protocol traffic analysis
Protocol traffic analysis examines information in network traffic, such as protocols, source addresses and destination addresses, to determine whether it is attack traffic and to take corresponding defense measures. This method can detect many kinds of DDoS attacks, but it still has difficulty with very complex attacks.
5. Cloud defense
Compared with traditional protection methods, cloud defense is more cost-effective. Cloud service providers can route attack traffic to the cloud for filtering and provide services such as firewalls, traffic shaping and network monitoring. Because cloud defense providers can collect global traffic data, they can apply the most effective defense once the attacker's traffic is understood.
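Methods 1 to 3 above, run over the same traffic, as an added example that is not part of the original article. It shows a blacklist missing a new source, behavior-based detection catching that source, and a whitelist-only policy blocking a legitimate client. The addresses (documentation ranges), the thresholds and the function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict, deque
from ipaddress import ip_address, ip_network

# All addresses and thresholds below are constructed for illustration.
BLACKLIST = [ip_network("203.0.113.0/24")]    # known attack sources
WHITELIST = [ip_network("198.51.100.10/32")]  # explicitly trusted client
RATE_LIMIT = 5   # assumed: max packets per source inside one window
WINDOW = 1.0     # assumed: sliding window length in seconds

def listed(src, nets):
    return any(ip_address(src) in net for net in nets)

def clean(packets, whitelist_only=False):
    """Return one (src, verdict) pair per (timestamp, src_ip) packet, in order."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    flagged = set()              # sources whose rate exceeded RATE_LIMIT;
                                 # kept for the whole run (no expiry, for brevity)
    verdicts = []
    for ts, src in packets:
        if listed(src, WHITELIST):
            verdict = "pass:whitelist"
        elif whitelist_only:                 # method 2: everything else is blocked
            verdict = "drop:not-whitelisted"
        elif listed(src, BLACKLIST):         # method 1: known sources only
            verdict = "drop:blacklist"
        else:                                # method 3: per-source packet rate
            window = recent[src]
            window.append(ts)
            while ts - window[0] > WINDOW:
                window.popleft()
            if len(window) > RATE_LIMIT:
                flagged.add(src)
            verdict = "drop:behavior" if src in flagged else "pass"
        verdicts.append((src, verdict))
    return verdicts

def sample_traffic():
    """Constructed capture: one known source, one new flood, two normal clients."""
    pkts = [(0.00, "203.0.113.7"), (0.05, "198.51.100.10"), (0.10, "192.0.2.99")]
    pkts += [(0.20 + i * 0.01, "192.0.2.50") for i in range(20)]  # new flood source
    pkts += [(2.00, "192.0.2.99"), (2.10, "192.0.2.50")]
    return pkts

if __name__ == "__main__":
    for mode in (False, True):
        print("whitelist_only =", mode)
        for (src, verdict), n in sorted(Counter(clean(sample_traffic(), mode)).items()):
            print(f"  {src:15} {verdict:22} {n}")
```

The first five packets from the new flood source still pass before the rate threshold trips, which is the detection delay a behavior-based stage trades for not needing prior knowledge of the source.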
How to achieve traffic cleaning?
1. Local deployment: The cleaning device is deployed at the exit of the protected network, generally attached in bypass mode to the exit router, to clean attack traffic headed for the intranet.
2. Distributed deployment at the carrier level: DDoS cleaning devices are deployed at different nodes of the carrier backbone network. When a protected destination IP is attacked, the attack traffic enters the carrier network and is pulled through BGP Anycast to multiple nearby cleaning nodes for processing. After the cleaning is completed, each cleaning node injects the cleaned traffic back to the protected destination IP through MPLS (Multi-Protocol Label Switching) or GRE (Generic Routing Encapsulation).
3. Distributed deployment at the IDC (Internet Data Center) level: DDoS cleaning devices are deployed at multiple IDC exits. When a user is attacked, the traffic is directed to a cleaning node for cleaning by changing where the user's DNS (Domain Name System) records point.
The above is an introduction to the DDoS defense cleaning process. When the DDoS attack traffic stops, the abnormal traffic analysis system notifies the traffic cleaning system to stop the attack defense. When a website comes under DDoS attack, the large amount of malicious traffic will paralyze the server, and timely defense measures can reduce losses.