VDS. About the customer. Case study

Transcription

1

2 About the customer FirstVDS provides virtual servers (VDS). The project has been existing since 2002 and is specialized solely on virtual servers Leasing service. The company's equipment is hosted in а private data center in Moscow. The hosting company guarantees 99.6% uptime and competent technical support. Among FirstVDS customers are website owners, moьile application developers, web studios, administrators of game servers. Tens of thousands of people have already chosen FirstVDS as а partner. st VDS Case study One of the most popular FirstVDS services was an opportunity to еnаые protection against DDoS attacks For а customer For at Least а week. Although the reliaьility of the service provided Ьу а partner company was quite satisfying, over time, а need For more FlexiЫe service plans and а wider range of protection enaьling options For various time periods has appeared. This was due to the constant rise in the number and complexity of DDoS attacks targeted various I nternet resources. And if Large corporate customers were Fully contented with the terms of protection, the vast Low-budget segment was not satisfied with the cost and minimum availaыe terms of the service. This situation has developed because а DDoS attack is an unpredictaыe phenomenon. 1 t can Last а couple of minutes, but also can Ье ongoing For weeks. Sometimes the first attack is Followed Ьу а series, sometimes it ends with а single attempt. OF course, preventive protection is а perfect solution, however it is not appropriate For every project. ln this regard, protection may Ье required For an indefinite period, as well as an opportunity to еnаые it during an ongoing attack. Having considered enquiries of the customers, the management of FirstVDS had come to the conclusion to find а new protection service provider partner, which would satisfy customer requests. One of the mandatory conditions were an aьility to Ьill Legitimate traffic exclusively (excluding parasitic one) For exact calculation of the service cost For customers and Formation of the various service plans with individual parameters. And also - minimizing traffic delays when Forwarding From one network to another, and system staьility.

3 Objective Organize the transfer of client traffic passing through the FirstVDS network to the secure network of DDoS-GUARD, where the traffic is to Ье passed through special-purpose filters. The filtering equipment computes and Ыocks malicious traffic and passes Legitimate one to the end point. The cleaned traffic is delivered via а physical communication Link while GRE / 1 PI Р tunnels аге also estaьlished as а backup. Solution During the course of preplanning and negotiations between the hosting company and DDoS-GUARD, the engineers came to the conclusion that the best way to redirect traffic is to estaьlish а physical communication channel to the FirstVDS data center, which allows For minimizing Latency. Apart From the high-quality protection service, DDoS-GUARD offered I Р transit service on very FavoraЫe terms For FirstVDS. Due to this, the customer management decided to employ DDoS-GUARD as а main lnternet service provider For their hosting services. Now DDoS-GUARD provides protection against DDoS attacks up to the 4th OSI Layer. А direct cross-connect and two BGP sessions were estaыished For enaыing I Р transit, and both companies аге now already working over а possibllity to provide FirstVDS customers with application Level protection (оп demand) availaыe For order in the client агеа. DDoS-GUARD AS Customer AS Physical Link (соррег, fiber) Customer network Cross-connect scheme

4 Why DDoS-GUARD? The automatic DDoS-GUARD filters allow to reduce to а minimum (not even to minutes, but to CPU clock cycles) the time needed to rescue the attacked resource and neutralize the negative effects of attacks. Currently, DDoS-GUARD possesses а geographically distributed network with total capacity over 1.5 Tbps, which allows to securely and quickly check incoming traffic. The main nodes of the network: Amsterdam (Netherlands) Frankfurt (Germany) Moscow (Russia) Tokyo (Japan) The network architecture is designed to meet ргоьаые threats and risks associated with DDoS attacks, and has three independently-reserved layers: Routing layer At this level, reliaыe and efficient routers Brocade М LX/M LXe are used. There is а possibllity For rapid extending without changing the ports and existing connectivity topology with external networks. Reserve cluster for packet processing This layer consists of several (2-5 - depending оп selected point of presence) the mutually reserved devices, which check packets with DPl-based methods. The utilized algorithms have Ьееп developed Ьу the engineers of our company. lt is necessary to рау special attention to prevent a possible attack and its routing to the final user takes place directly at the receiving point, which reduces latency to а minimum and creates additional possibllities For reservation. Reserve cluster for processing of application level requests The main task is to implement methods to validate OSI Layer 5+ requests, which аге НТТР, HTTPS, DNS, SMTP, etc. Неге the processes of decryption, validation, and encryption of HTTPS traffic take place. The layer is reserved regardless of the packet processing and routing.

5

6

7

8