DoS/DDoS attacks protection

Present day global network is a dynamically developing commercial environment. Unfortunately, the underlying principles of decentralization and lack of control behind it pave the way for misusing the Internet, particularly for conducting DDoS attacks. It is generally accepted that a DDoS attack is a distributed flood of requests from the devices (bots) controlled by cyber criminal groups. DDoS attack tools and methods are constantly changing making them look like as if they came from legitimate users. Those malicious traffic detecting and blocking mechanisms that worked six months ago may become useless tomorrow. On one hand, the inevitable development of the Internet of things (IoT) leads to an avalanche-like increase in the number of networked devices, and thus the potential number of bots participating in the attack. On the other hand, ever-increasing channel capacity, inefficient traffic observation by Internet service providers and the expansion of free network access zones make DDoS attacks a weapon available for a wide range of people.

DDoS attacks have long been a sufficient shadow business. Certain groups of people not only conduct them but also develop new algorithms of their performing. That’s why DDoS attack mitigation is a continuous process reminiscent of the arms race.

Taking into account economic and risks of reputation, sooner or later it becomes obvious for a e-commerce business leader that there can be no compromises when it comes to information security matters.

How DDoS attack performed?

Traditionally, massive attacks at the 3rd and 4th levels of OSI model are considered as a main threat in the expert community. Those are amplification attacks and the ones exploiting vulnerabilities of protocols. Attacks of these types show an increasing sustainable growth tendency, forcing members of the global network to take preventive measures with the purpose of protection their own networks. Despite the fact that a significant number of autonomous systems control traffic flows below 10 Gbps, the size of modern DDoS attacks increasingly exceeds tens and hundreds of gigabits per second. Figure 1 depicts a DDoS attack mechanism.  

The mechanism of DDoS mitigation system

In such circumstances the appearance and active development of specialist companies that offer protection methods to the end users become inevitable.   By entrusting the protection procedures to experts, the customers can focus on the core areas of their business without having to worry about updating the protection remedies, purchasing of excess network capacities, and improving the professional skills of staff.

DISTRIBUTED PROTECTION AGAINST DISTRIBUTED ATTACKS

Taking into consideration the global nature and ubiquity of DDoS attacks, it is must be admitted that the only effective way of dealing with them remains the construction of a distributed mitigation network. In other words, it is possible to guarantee safety of customers only if the attacking traffic is received and scrubbed as close to its source as possible. Most of the companies that offer protection against DDoS attacks, do not possess a distributed network of filters, assuming that the process of transmitting traffic to the scrubbing center is the responsibility of backbone providers or Internet service providers (ISP). This approach is incorrect for the following reasons:

  • The provider does not consider protection against massive attacks as a primary service, preferring stability of services provided to other customers;
  • The provider is not willing to bear the risks associated with DDoS attacks. Having communication channels overwhelmed with attacks, an Internet service provider considers this as an emergency and a threat to its integrity. This will force the provider to completely discard all traffic coming towards the victim before it even reaches a scrubbing facility;
  • The provider designs and creates its own network following the requirements of regular customers, with no capabilities reserved to stand against DDoS attacks;
  • The existing technical means of distributed mitigation against certain types of traffic (BGP FlowSpec, OpenFlow) have a lack of support provided by the manufacturers of the hardware platforms and do not allow effectively control the traffic flow.

our conclusion:

High-quality protection against DDoS attacks can be provided only by a specialized company with its own geographically distributed traffic scrubbing network, sufficient computing and routing capabilities.

TRAFFIC SCRUBBING NETWORK Today our company has a geographically distributed traffic scrubbing network with direct physical connection to Tier-1 networks. That allows us to scrub inbound traffic flow quick and reliable. The scrubbing centers are located in several countries around the world from Santa Clara to Hong Kong passing by Amsterdam and Moscow The existing topology allows us to receive and locally scrub large amounts of traffic without creating excessive load on the backbone providers or without losing network connectivity during attacks. For our customers it is reflected in minimum delays (local traffic is scrubbed locally) and proper quality of service even under mass attacks on their resources. Following the concept of sustainable growth, we are always projecting additional points of presence and scrubbing centers in Europe, North America, Middle East and Southeast Asia.

SCRUBBING NETWORK

The main purpose of this layer is fault-tolerant and flexible routing process of large amounts of transmitted traffic, providing connectivity with the maximum number of external networks. It’s additional objective is aggregation and reservation of client connections that use physical (fiber optic) and logical (L2/L3 VPN, GRE, IPIP etc.) communication channels. We use reliable and high-performance Juniper routers MX 480, MX 960 and switches EX4550, EX4200 at this level.

The main purpose of this layer is a distributed traffic filtering at the 3rd and 4th layers of the OSI model under ultra-high packet load conditions and total amounts of the incoming traffic flow reaching 100-200 Gbps at each point of presence. This layer consists of several (2-5 – depending on the point of presence) interchangeable devices that check incoming packets using DPl-based methods. The algorithms used for this process have been developed by the engineers of our company. Maximum capacity is 80 Gbps on each device and 80-200 Gbps on each scrubbing enter. The layer also allows for immediate communication channels extension to 500-1000 Gbps at each point of presence. The total capacity of the scrubbing network:

  • passive band (IP packet processing limitation without establishment a TCP connection – 1500 Gbps and 300 Mpps.
  • active band (IP packets processing limitation that require an established TCP connection) – 450 Gbps and 150 Mpps.

Special attention should be paid to that the scrubbing process and routing of traffic to the end user takes place directly at the receiving point that reduces delays, minimizes changes in connectivity and creates additional opportunities for reservation.

The main purpose of this layer is implementing methods to validate OSI Layer 5-7 requests (, HTTPS, DNS, SMTP, etc.). The processes of HTTPS decryption, validation, and encryption take place here. The total capacity of the layer is 500,000 requests per second. The layer is reserved regardless of batch processing and routing and remains functional until complete failure of all the nodes.

TOTAL TRAFFIC CONTROL