NSFOCUS Lua-based Anti-DDoS Solution

NSFOCUS Lua-based Anti-DDoS Solution

junho 6, 2023 | NSFOCUS

Limitations of Pre-configured DDoS Protection Policies

Lots of organizations have realized that DDoS defense is critical to the availability of network infrastructure. But most Anti-DDoS solutions in the market still rely on pre-configured protection policies with multiple threshold options to offer multi-layered protection at different levels. However, this approach has some limitations:

  1. The pre-configured protection policy may sometimes not effectively prevent certain DDoS attacks, such as unconventional TCP/UDP protocol or multi-layered attacks.
  2. The threshold-based policy is not possible to perform arithmetic or logical operations on any data in the packets, such as payload [16] = (payload [14] &0xf0) | (payload [15] & 0xf).
  3. For unknown threats, developing protective algorithms or upgrading packages always requires a long time.
  4. Users can obtain a suitable protection policy by performing auto-learning, but it would take hours or even days. That will increase the mitigation time and render the protection policy ineffective.

Considering these limitations, we integrated Lua scripting language into NSFOCUS Anti-DDoS solution.

NSFOCUS Lua-based Anti-DDoS Solution

What is Lua?

Lua is a dynamically typed language that is intended for use as an extension or scripting language. It is compact enough to fit on various host platforms and supports only a small number of atomic data structures, such as boolean values, numbers (double-precision floating point by default), and strings. However, typical data structures like arrays, sets, lists, and records can be represented using Lua’s single native data structure, the table, which is a heterogeneous associative array. In addition, Lua uses JIT (just-in-time) compilation which gives it performance comparable to compiled languages like C while retaining its status as a scripting language.

Because of these advantages, we can redesign the protective algorithm and generate customized rules immediately when emerging DDoS attacks and unknown threats occur. First, we can use the traffic auto-leaning function to gain the current traffic trends and characteristics of the emerging DDoS attack or unknown threat. After performing analysis and verification, the expert team can generate a Lua script according to the extracted signature and characteristics. Lua script generation will only take few minutes, and users can perform it on the Anti-DDoS solution to obtain the latest protection capability immediately.

Undoubtedly, Lua scripting language-based Anti-DDoS solution facilitates the development of rapid countermeasures to new threats.

Read more about NSFOCUS Anti-DDoS Solution.