ddos-guard.net Protecting your business DDoS-GUARD: Distributed protection against distributed attacks

Transcription

1 ddos-guard.net Protecting your business DDoS-GUARD: Distributed protection against distributed attacks

2 2 WHAT IS A DDOS-ATTACK AND WHY ARE THEY DANGEROUS? Today's global network is a dynamically developing commercial environment. Unfortunately, the underlying principles of decentralization and lack of control pave the way for misuse of the Internet, in particular for conducting DDoS-attacks. A DDoS-attack is a distributed network data flow aimed to make a targeted resource unavailable for its legitimate users. This resource can be any entity enabled for exchange data on the Internet, e.g., websites, servers, online services (payment gateways, ), as well as networks and autonomous systems. Nowadays DDoS-attacks are used as a tool for: blackmail and extortion; unfair competition; ideological struggle; cyber-bullying. Approaches and tools for launching attacks are constantly changing to make the malicious traffic flow look like it is originated from legitimate users. Therefore, the DDoS prevention techniques that worked six months ago, tomorrow may already be useless. 2 factors that contribute to the spread of the DDoS threats: 1 Widespread of devices vulnerable to hacking (IoT-devices, smartphones, etc.), which are potential bots for performing DDoS-attacks. 2 Constant increase in channel capacity combined with insufficient control over the traffic by telecommunications service providers of the last mile and the expansion of areas of free access to the network.

3 DDoS-attacks have long been a lucrative shady business. Certain groups of people not only conduct, but also develop new algorithms for attack purposes. 3 For this reason, the DDoS-attack mitigation is a process that is reminiscent of the arms race. Cybercriminals have at least 37 ways to attack your online infrastructure This number of DDoS-attack types is known and documented to date, not including combined ones. These attacks are aimed at various layers of the OSI model, and exploit vulnerabilities of UDP, TCP, ICMP and other protocols. One of the main tools for producing malicious traffic is botnets, i.e. networks of infected /compromised devices connected to the Internet. And it's not only PCs but also smartphones, home routers, servers, DVRs, Smart TV, etc. Theoretically, in order to conduct a DDoS-attack absolutely any device that has an IP-address and connection to the Internet can be used. Visit the Knowledge Base page on our website to get acquainted with popular types of attacks -

4 4 SOLUTION FROM DDOS-GUARD: distributed protection against distributed attacks Most of DDoS mitigation providers do not possess a distributed network of scrubbing points. This approach is not reliable for the following reasons: It's easier to give up on the customers under attack rather than protect them Having communication channels overwhelmed with attacks, an Internet service provider considers this as an emergency and a threat to its integrity. This will force the provider to completely discard all traffic coming towards the victim (by null-routing it) before it even reaches a scrubbing facility; Acquiring extra channels as a reserve for receiving attacks is costly The provider designs and creates its own network following the requirements of regular customers, with no capabilities reserved to stand against DDoS-attacks; The attack will have to be dragged up to the scrubbing facility The existing technical means of distributed mitigation against certain types of traffic (BGP FlowSpec, OpenFlow) have a lack of support provided by the manufacturers of the hardware platforms and do not allow effectively control the traffic flow. Based on the above, it becomes evident that high-quality protection against DDoS -attacks can be provided only by a specialized company with its own geographically distributed traffic filtering network, sufficient computing power, and an opportunity for a rapid expansion of communication channel capacity.

5 5 TRAFFIC FILTERING NETWORK DDOS-GUARD At present, our company has a geographically distributed traffic filtering network, with physical communication links connected to Tier-1 networks, which allows for reliable and quick scrubbing of inbound traffic flow. The scrubbing centers are located in: Amsterdam, Netherlands Frankfurt, Germany Moscow, Russia Tokyo, Japan Washington, USA Amsterdam Moscow Washington Frankfurt Tokyo

6 6 The existing topology allows to confidently receive and locally filter large volumes of traffic without creating excessive load on the access providers and without losing network connectivity during attacks. For the customer this results in maintaining proper quality of the service provided to the end user, even under ongoing volumetric attacks on its infrastructure. Following the concept of a constant growth, we are in the process of designing and scheduling for deployment additional points of presence and scrubbing nodes in Europe, North America, and Southeast Asia. The network architecture is designed to meet probable threats and risks associated with DDoS-attacks, and provides three independently reserved layers. Routing layer The main purpose of this layer is fault-tolerant and flexible routing process of large volumes of transmitted traffic, providing connectivity with the maximum number of external networks. An additional goal is the aggregation and reservation for client connections that use physical (fiber optic) and logical (L2/L3 VPN, GRE, IPIP etc.) communication channels. At this level, reliable and high-performance Juniper routers and switches are used. Reserve cluster for packet processing (packet processing layer) The main purpose of this layer is a distributed traffic filtering at the 3rd and 4th layers of the OSI model under ultra-high packet load conditions and total amounts of the incoming traffic flow reaching Gbps at each point of presence. This layer consists of several (2-5 - depending on the selected point of presence) interchangeable devices, which check incoming packets with DPl-based methods. The algorithms used for this process have been developed by the engineers of our company. The layer also allows for immediate communication channels expansion to Gbps at each point of presence.

7 7 Reserve cluster for processing of application level requests (application layer) The main purpose of this layer is to implement methods to validate OSI Layer 5+ requests, which mostly are НТТР and HTTPS. Here, the processes of HTTPS decryption, validation, and encryption take place. The layer is reserved regardless of the packet processing and routing. It is worth noting that for traffic filtering purpose we use our own developments. This allows us to guarantee and provide services fully at the declared level of availability (unlike businesses that resell services of larger mitigation providers), and also eliminates the possibility of undesirable leaks of information.

8 78 PROTECTION SOLUTIONS for websites Website protection may imply transferring files and databases of a website onto our protected hosting server as the first option, and applying a remote solution, which is a reverse proxy method, as the second (no need for redeployment). The reverse proxy technology allows a specified server to perform indirect requests to other network services. First, a client request reaches the proxy server cluster, where the request is checked. Then, if the request is valid, the proxy server establishes a connection with a server where the protected website is hosted, and sends the verified request for further processing. The response sent by the protected server back to the client who initiated the request is delivered in reverse order. If a customer chooses a reverse proxy protection, we provide a protected IP-address that further must be used in DNS as the A-record value of the protected website. Once the settings are set, all client requests to the protected website will go through our filters, and only after the verification process is complete, the requests are transmitted to the guarded server. However, if a technical problem occurs (not related to DDoS) on a side of a third party hosting service provider, where the protected website is deployed, it may become unavailable for reasons beyond our control. Therefore, for maximum security, we encourage you to host your websites on our secure hosting server or order a protected physical / virtual one. The customer can choose a server's location. The modern virtualization platform that we offer to customers makes it possible to efficiently optimize the server and have maximum control over it.

9 NETWORK PROTECTION SOLUTIONS for enterprise customers 9 For enterprise customers who have their own computing infrastructure, we can offer a network protection service called Protected IP-transit. This service is essential for owners of multiservice networks, i.e. networks with heterogeneous traffic. Within the scope of this solution, as a base option a customer can order protection for L2-L4 of the OSI model. The enhanced solution provides protection against HTTP-bots (L7 filtering) inclusively. Customer integration options (network integration): Virtual tunnel Logical line Physical line GRE, IPIP L2/L3 VPN, VLAN GbE, 10GbE, 40GbE In most cases, a dedicated logical or physical line is preferred over a virtual tunnel through the public network, because intermediate Internet service providers can label the tunnel traffic with a minimum priority. For the customer this may mean a non-guaranteed availability and unpredictable parameters of the virtual link (including latency, packet loss, jitter, fragmentation, etc.), i.e. a decline in the quality of the service.

10 10 Interested in providing high-quality services to our customers, we offer to establish a direct connection to the DDoS-GUARD mitigation network in one of our points of presence, or to make use of a dedicated line ordered from one of the intermediate providers. In order to transmit the client traffic, one can use a dynamic routing protocol BGP, or take advantage of a static route, in case a use of the DDoS-GUARD IP-addresses is preferred. To use BGP, a customer must own an Autonomous System (AS) or a pool of own IP-addresses. In case where a customer has an own AS, the protection via BGP connection looks as follows: BGP ANNOUNCEMENT OF CUSTOMER SUBNETS X.X.X.0/24 BGP ANNOUNCEMENT OF CUSTOMER SUBNETS X.X.X.0/24 Internet DDoS-GUARD AS DDoS Customer AS WWW LEGITIMATE TRAFFIC DDoS-GUARD filtering network LEGITIMATE TRAFFIC Customer network If a customer doesn't have their own AS, we can provide an IP-address pool of the needed size. In this case the protection scheme looks as follows: BGP ANNOUNCEMENT OF OWN SUBNETS Internet WWW DDoS DDoS-GUARD AS LEGITIMATE TRAFFIC DDoS-GUARD filtering network LEGITIMATE TRAFFIC Customer network Our expert technical staff will help you choose the most appropriate solution

11 OUR CUSTOMERS 11 Join DDoS-GUARD! Ensure informational security of your business today!

12 #ddos-guard