DoS/DDoS attack protection

Today's global network is a dynamically developing commercial environment. Unfortunately, the principles of decentralization and lack of central control that underpin it also make the Internet easy to misuse, in particular for conducting DDoS attacks. A DDoS attack is generally understood as a distributed flood of requests from devices (bots) controlled by cybercriminal groups. DDoS tools and methods change constantly so that attack traffic looks as if it came from legitimate users: detection and blocking mechanisms that worked six months ago may be useless tomorrow. On the one hand, the inevitable spread of the Internet of Things (IoT) causes an avalanche-like increase in the number of networked devices, and thus in the potential number of bots taking part in an attack. On the other hand, ever-increasing channel capacity, inadequate traffic monitoring by Internet service providers and the expansion of free network access zones make DDoS attacks a weapon available to a wide range of people.

DDoS attacks have long been a substantial shadow business. Certain groups not only conduct them but also develop new methods of carrying them out. That is why DDoS mitigation is a continuous process reminiscent of an arms race.
Taking economic and reputational risks into account, sooner or later it becomes obvious to an e-commerce business leader that there can be no compromises in matters of information security.

How is a DDoS attack performed?

Traditionally, the expert community considers massive attacks at layers 3 and 4 of the OSI model to be the main threat: amplification attacks and attacks that exploit weaknesses in the protocols themselves. Attacks of these types continue to grow steadily, forcing members of the global network to take preventive measures to protect their own networks. Although a significant number of autonomous systems handle traffic flows below 10 Gbps, the size of modern DDoS attacks increasingly exceeds tens and hundreds of gigabits per second. Figure 1 depicts a DDoS attack mechanism.

The mechanism of a DDoS mitigation system

In such circumstances the emergence and active development of specialist companies offering protection to end users becomes inevitable. By entrusting protection to experts, customers can focus on the core areas of their business without having to worry about updating protection tools, purchasing excess network capacity, or improving the professional skills of their staff.

DISTRIBUTED PROTECTION AGAINST DISTRIBUTED ATTACKS

Given the global nature and ubiquity of DDoS attacks, it must be admitted that the only effective way of dealing with them remains the construction of a distributed mitigation network. In other words, the safety of customers can be guaranteed only if attack traffic is received and scrubbed as close to its source as possible. Most companies that offer protection against DDoS attacks do not possess a distributed network of filters, assuming that delivering traffic to the scrubbing center is the responsibility of backbone providers or Internet service providers (ISPs). This approach is flawed for the following reasons:

  • The provider does not consider protection against massive attacks a primary service, preferring the stability of the services it provides to its other customers;
  • The provider is not willing to bear the risks associated with DDoS attacks. When its communication channels are overwhelmed by an attack, an ISP treats this as an emergency and a threat to its own integrity, and will completely discard (blackhole) all traffic destined for the victim before it ever reaches a scrubbing facility;
  • The provider designs and builds its network to the requirements of regular customers, with no capacity reserved for withstanding DDoS attacks;
  • The existing technical means of distributed mitigation against certain types of traffic (BGP FlowSpec, OpenFlow) are poorly supported by hardware platform vendors and do not allow effective control of traffic flows.

Our conclusion:

High-quality protection against DDoS attacks can be provided only by a specialized company with its own geographically distributed traffic scrubbing network and sufficient computing and routing capacity.

TRAFFIC SCRUBBING NETWORK

Today our company has a geographically distributed traffic scrubbing network with direct physical connections to Tier-1 networks, which allows us to scrub inbound traffic quickly and reliably. The scrubbing centers are located in several countries around the world, from Santa Clara to Hong Kong by way of Amsterdam and Moscow. The existing topology allows us to receive and locally scrub large volumes of traffic without placing excessive load on backbone providers or losing network connectivity during attacks. For our customers this means minimal delays (local traffic is scrubbed locally) and proper quality of service even under mass attacks on their resources. Following the concept of sustainable growth, we are constantly planning additional points of presence and scrubbing centers in Europe, North America, the Middle East and Southeast Asia.

SCRUBBING NETWORK

Routing layer
The main purpose of this layer is fault-tolerant and flexible routing of large volumes of traffic, providing connectivity with the maximum number of external networks. Its additional objective is the aggregation and redundancy of client connections, which use physical (fiber optic) and logical (L2/L3 VPN, GRE, IPIP, etc.) communication channels. At this level we use reliable, high-performance Juniper MX480 and MX960 routers and EX4550 and EX4200 switches.
Redundant cluster for packet processing (packet processing layer)
The main purpose of this layer is distributed traffic filtering at layers 3 and 4 of the OSI model under ultra-high packet loads, with total incoming traffic reaching 100-200 Gbps at each point of presence. The layer consists of several (2-5, depending on the point of presence) interchangeable devices that inspect incoming packets using DPI-based methods. The algorithms used have been developed by our company's engineers. Maximum capacity is 80 Gbps per device and 80-200 Gbps per scrubbing center. The layer also allows the communication channels to be expanded immediately to 500-1000 Gbps at each point of presence. The total capacity of the scrubbing network:

  • passive band (processing of IP packets that do not require an established TCP connection): 1500 Gbps and 300 Mpps;
  • active band (processing of IP packets that require an established TCP connection): 450 Gbps and 150 Mpps.

Special attention should be paid to the fact that scrubbing and routing of traffic to the end user take place directly at the receiving point, which reduces delays, minimizes changes in connectivity and creates additional opportunities for redundancy.
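The passive/active split above, as an added illustration (this is not the vendor's filtering code): a stateless stage that judges each packet from its headers alone, and a stateful TCP stage that needs a connection table and therefore costs more per packet. The reflector port list, the thresholds, the victim address and the sample traffic are constructed assumptions for the demo; a real scrubber would also need SYN cookies to handle spoofed-source SYN floods, which this toy omits.

```python
"""Two-stage L3/L4 scrubbing model (added example, hypothetical policy)."""
from dataclasses import dataclass, field

AMPLIFIER_UDP_PORTS = {53, 123, 1900, 11211}  # DNS, NTP, SSDP, memcached reflectors
MAX_REFLECTED_PAYLOAD = 512                    # genuine answers from these ports are usually small
HALF_OPEN_BUDGET = 3                           # unfinished handshakes tolerated per source


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp" or "udp"
    sport: int
    dport: int
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"}, {"ACK"}
    payload_len: int = 0
    fragment: bool = False


def passive_filter(pkt: Packet) -> bool:
    """Stateless check, no per-flow memory: True = pass, False = drop."""
    if pkt.fragment:
        return False                  # fragments of oversized reflected answers
    if pkt.proto == "udp" and pkt.sport in AMPLIFIER_UDP_PORTS \
            and pkt.payload_len > MAX_REFLECTED_PAYLOAD:
        return False                  # large reply from a reflector port
    if pkt.proto == "tcp":
        if {"SYN", "FIN"} <= pkt.flags or {"SYN", "RST"} <= pkt.flags:
            return False              # impossible flag combinations
        if not pkt.flags:
            return False              # NULL packets
    return True


@dataclass
class ActiveFilter:
    """Stateful TCP check: payload passes only on completed handshakes, and a
    source that piles up unfinished handshakes is blocked."""
    half_open: set = field(default_factory=set)     # (src, sport, dst, dport)
    established: set = field(default_factory=set)
    blocked: set = field(default_factory=set)

    def check(self, pkt: Packet) -> bool:
        if pkt.proto != "tcp":
            return True               # UDP needs no connection state here
        if pkt.src in self.blocked:
            return False
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == {"SYN"}:
            self.half_open.add(key)
            if sum(1 for k in self.half_open if k[0] == pkt.src) > HALF_OPEN_BUDGET:
                self.blocked.add(pkt.src)
                self.half_open = {k for k in self.half_open if k[0] != pkt.src}
                return False
            return True
        if pkt.flags == {"ACK"} and key in self.half_open:
            self.half_open.discard(key)        # handshake completed
            self.established.add(key)
            return True
        return key in self.established         # payload only for real connections


def scrub(packets, active=None):
    """Run both stages; returns (passed, dropped_by_passive, dropped_by_active)."""
    active = ActiveFilter() if active is None else active
    passed, dropped_passive, dropped_active = [], [], []
    for pkt in packets:
        if not passive_filter(pkt):
            dropped_passive.append(pkt)
        elif not active.check(pkt):
            dropped_active.append(pkt)
        else:
            passed.append(pkt)
    return passed, dropped_passive, dropped_active


VICTIM = "203.0.113.10"   # constructed sample traffic towards a protected host
SAMPLE_TRAFFIC = [
    # legitimate client: handshake then data
    Packet("198.51.100.7", VICTIM, "tcp", 40001, 443, frozenset({"SYN"})),
    Packet("198.51.100.7", VICTIM, "tcp", 40001, 443, frozenset({"ACK"})),
    Packet("198.51.100.7", VICTIM, "tcp", 40001, 443, frozenset({"ACK"}), payload_len=300),
    # NTP reflection: oversized answer from port 123, then a fragment of it
    Packet("192.0.2.50", VICTIM, "udp", 123, 3333, payload_len=1400),
    Packet("192.0.2.50", VICTIM, "udp", 123, 3333, payload_len=1400, fragment=True),
    # small DNS answer from a resolver: legitimate, passes
    Packet("192.0.2.53", VICTIM, "udp", 53, 40002, payload_len=120),
    # SYN flood from one source across many ports, never completed
    *[Packet("192.0.2.99", VICTIM, "tcp", 50000 + i, 80, frozenset({"SYN"})) for i in range(5)],
    # ACK flood: payload for a connection that never existed
    Packet("192.0.2.77", VICTIM, "tcp", 60000, 80, frozenset({"ACK"}), payload_len=1000),
    # bogus SYN+FIN
    Packet("192.0.2.88", VICTIM, "tcp", 60001, 80, frozenset({"SYN", "FIN"})),
]

if __name__ == "__main__":
    ok, dp, da = scrub(SAMPLE_TRAFFIC)
    print(f"passed={len(ok)} dropped_passive={len(dp)} dropped_active={len(da)}")
```

The point of the split is cost: the passive stage touches no shared state and can be spread over as many devices as there are ports, which is why the passive band in the figures above is several times larger than the active band.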

Redundant cluster for application-level requests (application layer)
The main purpose of this layer is implementing methods to validate OSI layer 5-7 requests (HTTP, HTTPS, DNS, SMTP, etc.). HTTPS decryption, validation and encryption take place here. The total capacity of the layer is 500,000 requests per second. The layer is made redundant independently of the packet processing and routing layers and remains functional until all of its nodes fail.
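What "validating a request" at this layer can mean in practice, as an added example that is not the vendor's code: after TLS termination each HTTP request is checked for protocol sanity (well-formed request line and headers, allowed method, mandatory Host header) and the client is held to a per-source token bucket. The allowed methods, bucket size, refill rate and the request log below are constructed assumptions for the demo.

```python
"""Layer-7 request validation after TLS termination (added example)."""
import re
from collections import Counter
from dataclasses import dataclass, field

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # hypothetical policy
BUCKET_SIZE = 5.0                           # burst a single client may send
REFILL_PER_SEC = 1.0                        # sustained requests per second per client
REQUEST_LINE = re.compile(r"^([A-Z]+) (/\S*) HTTP/1\.[01]$")


@dataclass
class Bucket:
    tokens: float
    last: float


@dataclass
class RequestValidator:
    buckets: dict = field(default_factory=dict)   # client address -> Bucket

    def check(self, client: str, now: float, raw: str) -> str:
        """Return "pass" or the reason the request is dropped."""
        head = raw.partition("\r\n\r\n")[0]
        lines = head.split("\r\n")
        m = REQUEST_LINE.match(lines[0])
        if not m:
            return "malformed-request-line"
        if m.group(1) not in ALLOWED_METHODS:
            return "method-not-allowed"
        headers = {}
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if not sep or not name.strip():
                return "malformed-header"
            headers[name.strip().lower()] = value.strip()
        if "host" not in headers:
            return "missing-host"   # required by HTTP/1.1; crude floods often omit it
        # per-client token bucket: refill by elapsed time, then spend one token
        b = self.buckets.get(client)
        if b is None:
            b = self.buckets[client] = Bucket(BUCKET_SIZE, now)
        b.tokens = min(BUCKET_SIZE, b.tokens + (now - b.last) * REFILL_PER_SEC)
        b.last = now
        if b.tokens < 1.0:
            return "rate-limited"
        b.tokens -= 1.0
        return "pass"


def good_request(path="/"):
    return f"GET {path} HTTP/1.1\r\nHost: shop.example\r\n\r\n"


# Constructed request log: (client, timestamp in seconds, raw request).
SAMPLE_LOG = [
    # one bot hitting the same URL every 250 ms for 5 seconds
    *[("192.0.2.99", i * 0.25, good_request("/search?q=x")) for i in range(20)],
    # a real visitor at a normal pace
    *[("198.51.100.7", float(t), good_request(f"/item/{t}")) for t in (0, 1, 2)],
    # malformed or out-of-policy requests
    ("192.0.2.10", 0.0, "GET / HTTP/1.1\r\n\r\n"),                          # no Host
    ("192.0.2.11", 0.0, "GET /\r\n\r\n"),                                   # no HTTP version
    ("192.0.2.12", 0.0, "TRACE / HTTP/1.1\r\nHost: shop.example\r\n\r\n"),  # method not allowed
    ("192.0.2.13", 0.0, "GET / HTTP/1.1\r\nHost shop.example\r\n\r\n"),     # header without colon
]


def validate_log(log) -> Counter:
    """Run one validator over a request log and tally the verdicts."""
    v = RequestValidator()
    return Counter(v.check(client, ts, raw) for client, ts, raw in log)


if __name__ == "__main__":
    for verdict, n in sorted(validate_log(SAMPLE_LOG).items()):
        print(f"{verdict:24s} {n}")
```

With a bucket of 5 and a refill of 1 per second the bot gets its first burst through and then one request per second, while the visitor pacing itself at one request per second is never touched; in a real deployment the bucket is keyed on more than the source address (for instance a session cookie or a challenge result), because address-only limits punish users behind shared NAT.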

TOTAL TRAFFIC CONTROL

Proprietary solution

For traffic scrubbing we use only our own in-house developments. This allows us not only to guarantee and deliver the declared level of uptime, unlike companies that resell protection services, but also to exclude the possibility of information leakage.

Round-the-clock monitoring and control

Round-the-clock shifts allow us to identify and block previously unknown types of attack in a timely manner. After an attack has been mitigated, information about its type is passed to the development team so that existing scrubbers can be upgraded with the necessary capabilities, or new ones created, to counter the new threat automatically. Thus we do not abandon our customers even in difficult and unusual situations, but fight for the availability of their online assets.

Geographically distributed mitigation network

Our own geographically distributed network and direct interaction with the world's largest backbone providers allow us to provide services independently of the traffic control policies of particular countries and providers.

The combination of these factors allows us to provide a high-quality, reliable service and, most notably, to make it as convenient as possible for our customers.
