Basic Concepts
DDoS Attack
Denial of Service (DoS) attacks intend to exhaust the network or system resources on the target computer, causing service interruption or suspension. Consequently, legitimate users fail to access network services. A Distributed Denial of Service (DDoS) attack involves multiple compromised computers controlled by an attacker flooding the targeted server with superfluous requests.
Black Hole
A black hole refers to a situation where Huawei Cloud blocks access to a cloud server because attack traffic targeting that cloud server exceeds a certain threshold.
Traffic Scrubbing
Anti-DDoS Service monitors workload traffic in real time and scrubs attack traffic through the DDoS traffic scrubbing center without affecting normal services.
Traffic Cleaning Threshold
Anti-DDoS scrubs traffic when detecting that the incoming traffic of an IP address exceeds the traffic cleaning threshold. It will discard attack traffic and permit normal service traffic.
SYN Flood Attack
A SYN flood attack is a typical denial of service (DoS) attack. Exploiting a loophole in the Transmission Control Protocol (TCP), the attacker sends a huge number of forged TCP connection requests to the target to exhaust its resources (a fully loaded CPU or insufficient memory). Consequently, the target fails to respond to normal connection requests.
ACK Flood
In an ACK flood attack, an attacker sends a large volume of TCP ACK packets to overwhelm a server. Like other types of Distributed Denial-of-Service (DDoS) attacks, an ACK flood uses malicious traffic to saturate the target system, slowing it down or making it unresponsive. The server is forced to dedicate excessive computational resources to processing each incoming ACK packet, which significantly degrades its performance and ultimately leaves it unable to serve legitimate users.
UDP Attack
In UDP attacks, attackers exploit the characteristics of UDP protocol interactions to launch a massive influx of malformed or spoofed UDP packets against servers via botnets. This results in the depletion of network bandwidth resources on the affected servers, significantly reducing their processing capacity and causing them to malfunction.
TCP Attack
In TCP attacks, attackers exploit the characteristics of TCP protocol interactions to launch a massive influx of malformed or spoofed TCP connections against servers via botnets. This results in the depletion of network bandwidth resources on the affected servers, significantly reducing their processing capacity and causing them to malfunction.
CC Attack
A Challenge Collapsar (CC) attack is a type of DDoS attack targeting web applications. In this attack, an attacker sends a massive volume of forged HTTP requests to the target network server, designed to exhaust its resources and render it unavailable. As a result, legitimate users are unable to access the services.
Slow Connection Attack
Slow HTTP attacks are a variation of CC attacks. Here is how slow HTTP attacks work:
1. An attacker establishes a connection with a large content length from the client to the server, then sends packets to the server at a slow rate (e.g., one byte every one to ten seconds), maintaining the connection.
2. If the attacker continues to create such connections, the server's available connections are gradually consumed, causing the server to reject normal user requests.
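The two conditions described above (a large declared content length with a trickling body, and many such connections filling the pool) can be checked from per-connection state. The following Python code is an added example, not part of the original documentation or of Anti-DDoS Service; the thresholds, the Conn record and the sample connections are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Thresholds are assumptions for this example, not Anti-DDoS Service defaults.
MIN_BODY_RATE = 50.0     # bytes/second; a pending body slower than this is "slow"
GRACE_SECONDS = 10.0     # connections younger than this are not judged yet
MAX_SLOW_PER_CLIENT = 3  # slow connections tolerated per source IP

@dataclass
class Conn:
    client_ip: str
    content_length: int  # body size declared in the request header
    body_received: int   # body bytes received so far
    age_seconds: float   # time since the request headers arrived

def is_slow(c: Conn) -> bool:
    """True if the body is still incomplete and is only trickling in."""
    if c.body_received >= c.content_length or c.age_seconds < GRACE_SECONDS:
        return False
    return c.body_received / c.age_seconds < MIN_BODY_RATE

def seconds_to_finish(c: Conn) -> float:
    """How much longer the connection slot stays held at the observed rate."""
    remaining = c.content_length - c.body_received
    if remaining <= 0:
        return 0.0
    if c.body_received == 0 or c.age_seconds <= 0:
        return float("inf")  # nothing received yet: no finite estimate
    return remaining * c.age_seconds / c.body_received

def clients_to_drop(conns, limit=MAX_SLOW_PER_CLIENT):
    """Source IPs holding more slow connections than the limit allows."""
    slow = Counter(c.client_ip for c in conns if is_slow(c))
    return sorted(ip for ip, n in slow.items() if n > limit)

def slow_pool_share(conns, pool_size):
    """Fraction of the server's connection pool held by slow connections."""
    return sum(is_slow(c) for c in conns) / pool_size

# Constructed sample (documentation-range IPs): a snapshot of open connections.
SAMPLE = (
    [Conn("198.51.100.7", 1_000_000, 60, 120.0)] * 5      # 0.5 B/s, five times
    + [Conn("203.0.113.20", 5_000_000, 2_400_000, 30.0),  # fast large upload
       Conn("203.0.113.21", 512, 512, 15.0),              # body already complete
       Conn("192.0.2.9", 1_000_000, 0, 2.0),              # inside grace period
       Conn("192.0.2.33", 20_000, 300, 20.0)]             # a single slow client
)
if __name__ == "__main__":
    print(clients_to_drop(SAMPLE), slow_pool_share(SAMPLE, pool_size=8))
```

The per-client limit keeps a single genuinely slow client (192.0.2.33 in the sample) from being dropped, while the pool share shows how close the server is to rejecting normal requests.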
Transparent Access
Transparent access refers to a deployment model for the Anti-DDoS Service, where the service directly assigns an elastic IP address (EIP) to the protected resources on the cloud. This allows users to access the protected resources directly through the assigned EIP.
SDK Access
To connect to Anti-DDoS Service, you can also use the Software Development Kit (SDK). For details about the SDKs supported by the Anti-DDoS Service, see the SDK List.
Anti-DDoS Service Dedicated EIPs
An Anti-DDoS Service dedicated EIP is a dedicated EIP for CNAD. Compared with common EIPs that defend against attacks in the local equipment room of Huawei Cloud, the dedicated EIP of Anti-DDoS Service defends against attacks in the DDoS scrubbing center and provides Terabit-level bandwidth and strong protection capabilities.
Basic Protection Bandwidth
The basic protection bandwidth is purchased by customers. If the peak attack traffic is less than or equal to the basic protection bandwidth, customers do not need to pay extra fees.
Elastic Protection Bandwidth
Elastic protection bandwidth is the maximum available defense bandwidth. It is not added on top of the basic protection bandwidth. If the elastic protection bandwidth is the same as the basic protection bandwidth, the elastic bandwidth will not work.
BGP
Border Gateway Protocol (BGP) is a routing protocol used between autonomous systems (ASs). BGP is the only protocol that can process many connections between unrelated routing domains.
Anycast
Anycast is a networking technique that enables a single IP address to be shared among multiple devices, typically servers, located in different geographic locations. When a packet is sent to the shared IP address, a router uses its standard routing algorithms, such as Border Gateway Protocol (BGP), to determine the best path to forward the packet to the nearest device. It is usually used to provide high reliability and load balancing.