ddos-guard.net Protecting your business DDoS-GUARD: Distributed protection against distributed attacks

Similar documents
VDS. About the customer. Case study

CLOUD-BASED DDOS PROTECTION FOR HOSTING PROVIDERS

Table of contents Contacts 18

WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING

NETWORK DDOS PROTECTION STANDBY OR PERMANENT INFRASTRUCTURE PROTECTION VIA BGP ROUTING

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Intelligent Programmatic Peering Summary Report

Cloudflare Advanced DDoS Protection

Enterprise D/DoS Mitigation Solution offering

Check Point DDoS Protector Introduction

An Introduction to DDoS attacks trends and protection Alessandro Bulletti Consulting Engineer, Arbor Networks

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security

Cato Cloud. Software-defined and cloud-based secure enterprise network. Solution Brief

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Practical Guide to Choosing a DDoS Mitigation Service WHITEPAPER

Indicate whether the statement is true or false.

DDoS Protection in Backbone Networks

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

Comprehensive DDoS Attack Protection: Cloud-based, Enterprise Grade Mitigation F5 Silverline

Check Point DDoS Protector Simple and Easy Mitigation

DDOS-GUARD Q DDoS Attack Report

Cato Cloud. Global SD-WAN with Built-in Network Security. Solution Brief. Cato Cloud Solution Brief. The Future of SD-WAN. Today.

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Prolexic Attack Report Q4 2011

Why IPS Devices and Firewalls Fail to Stop DDoS Threats

2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks. 9 th November 2015

Chapter 10: Denial-of-Services

DNS SECURITY BENEFITS OF OUTSOURCING YOUR DNS TO AN IP ANYCAST+ PROVIDER

HOW TO HANDLE A RANSOM- DRIVEN DDOS ATTACK

FIREWALL BEST PRACTICES TO BLOCK

Imperva Incapsula Product Overview

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

Ensuring the Success of E-Business Sites. January 2000

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

Multi-vector DDOS Attacks

Arbor White Paper Keeping the Lights On

Cato Cloud. Solution Brief. Software-defined and Cloud-based Secure Enterprise Network NETWORK + SECURITY IS SIMPLE AGAIN

Seceon s Open Threat Management software

Arbor Solution Brief Arbor Cloud for Enterprises

Data Center Interconnect Solution Overview

Comprehensive datacenter protection

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

State of the Internet Security Q Mihnea-Costin Grigore Security Technical Project Manager

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

Mitigating Outgoing Spam, DoS/DDoS Attacks and Other Security Threats

Flow-based Traffic Visibility

Integrated Access Management Solutions. Access Televentures

ALTITUDE DOESN T MAKE YOU SAFE. Satcom Direct s Comprehensive Cyber Security Portfolio for Business Aviation

Inline DDoS Protection versus Scrubbing Center Solutions. Solution Brief

Corrigendum 3. Tender Number: 10/ dated

Analisi degli attacchi DDOS e delle contromisure

THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Computer Science 461 Final Exam May 22, :30-3:30pm

DDoS Detection&Mitigation: Radware Solution

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

Internet2 DDoS Mitigation Update

DDoS Protection in Backbone Networks Deployed at Trenka Informatik AG (

2. Layer-2 Ethernet-based VPN

IBM Cloud Internet Services: Optimizing security to protect your web applications

Driving Network Visibility

Allot IoT Defense Solutions for Enterprises to Ensure IoT Service Continuity. Solution Brief

Network Security Monitoring with Flow Data

SONICWALL SECURITY HEALTH CHECK PSO 2017

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Why Firewalls? Firewall Characteristics

INTRODUCTION: DDOS ATTACKS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Cybersecurity. Anna Chan, Marketing Director, Akamai Technologies

Changing the Voice of

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Q-Balancer Range FAQ The Q-Balance LB Series General Sales FAQ

Cisco IPS AIM Deployment, Benefits, and Capabilities

SONICWALL SECURITY HEALTH CHECK SERVICE

PROVIDING SECURE INTERNET SERVICES ARBOR TMS INTEGRATION

ASA Access Control. Section 3

SONICWALL SECURITY HEALTH CHECK SERVICE

F5 Warsaw SOC. Kamil Woniak. Security Operations Manager, F5 Networks

Increase Threat Detection & Incident Response

Radware s Attack Mitigation Solution Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

Cisco 5921 Embedded Services Router

Distributed Systems. 21. Content Delivery Networks (CDN) Paul Krzyzanowski. Rutgers University. Fall 2018

Business Strategy Theatre

A GUIDE TO DDoS PROTECTION

TDC DoS Protection Service Description and Special Terms

F5 DDoS Hybrid Defender : Setup. Version

Securing Your Microsoft Azure Virtual Networks

Proxy server is a server (a computer system or an application program) that acts as an intermediary between for requests from clients seeking

Five Key Considerations When Implementing Secure Remote Access to Your IIoT Machines. Blanch Huang Product Manager

DDoS Introduction. We see things others can t. Pablo Grande.

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

Deploying a Next-Generation IPS Infrastructure

CABLE MSO AND TELCO USE CASE HANDBOOK

Security for SIP-based VoIP Communications Solutions

The Myth of Network Address Translation as Security

Use Cases. E-Commerce. Enterprise

Denial of Service and Distributed Denial of Service Attacks

Detect & Respond to IoT Botnets AS AN ISP. Christoph Giese Telekom Security; Cyber DefenSe Center

The IBM Platform Computing HPC Cloud Service. Solution Overview

Configuring NAT for IP Address Conservation

Transcription:

ddos-guard.net Protecting your business DDoS-GUARD: Distributed protection against distributed attacks

2 WHAT IS A DDOS-ATTACK AND WHY ARE THEY DANGEROUS? Today's global network is a dynamically developing commercial environment. Unfortunately, the underlying principles of decentralization and lack of control pave the way for misuse of the Internet, in particular for conducting DDoS-attacks. A DDoS-attack is a distributed network data flow aimed to make a targeted resource unavailable for its legitimate users. This resource can be any entity enabled for exchange data on the Internet, e.g., websites, servers, online services (payment gateways, e-mail), as well as networks and autonomous systems. Nowadays DDoS-attacks are used as a tool for: blackmail and extortion; unfair competition; ideological struggle; cyber-bullying. Approaches and tools for launching attacks are constantly changing to make the malicious traffic flow look like it is originated from legitimate users. Therefore, the DDoS prevention techniques that worked six months ago, tomorrow may already be useless. 2 factors that contribute to the spread of the DDoS threats: 1 Widespread of devices vulnerable to hacking (IoT-devices, smartphones, etc.), which are potential bots for performing DDoS-attacks. 2 Constant increase in channel capacity combined with insufficient control over the traffic by telecommunications service providers of the last mile and the expansion of areas of free access to the network.

DDoS-attacks have long been a lucrative shady business. Certain groups of people not only conduct, but also develop new algorithms for attack purposes. 3 For this reason, the DDoS-attack mitigation is a process that is reminiscent of the arms race. Cybercriminals have at least 37 ways to attack your online infrastructure This number of DDoS-attack types is known and documented to date, not including combined ones. These attacks are aimed at various layers of the OSI model, and exploit vulnerabilities of UDP, TCP, ICMP and other protocols. One of the main tools for producing malicious traffic is botnets, i.e. networks of infected /compromised devices connected to the Internet. And it's not only PCs but also smartphones, home routers, servers, DVRs, Smart TV, etc. Theoretically, in order to conduct a DDoS-attack absolutely any device that has an IP-address and connection to the Internet can be used. Visit the Knowledge Base page on our website to get acquainted with popular types of attacks - https://ddos-guard.net/en/terminology

4 SOLUTION FROM DDOS-GUARD: distributed protection against distributed attacks Most of DDoS mitigation providers do not possess a distributed network of scrubbing points. This approach is not reliable for the following reasons: It's easier to give up on the customers under attack rather than protect them Having communication channels overwhelmed with attacks, an Internet service provider considers this as an emergency and a threat to its integrity. This will force the provider to completely discard all traffic coming towards the victim (by null-routing it) before it even reaches a scrubbing facility; Acquiring extra channels as a reserve for receiving attacks is costly The provider designs and creates its own network following the requirements of regular customers, with no capabilities reserved to stand against DDoS-attacks; The attack will have to be dragged up to the scrubbing facility The existing technical means of distributed mitigation against certain types of traffic (BGP FlowSpec, OpenFlow) have a lack of support provided by the manufacturers of the hardware platforms and do not allow effectively control the traffic flow. Based on the above, it becomes evident that high-quality protection against DDoS -attacks can be provided only by a specialized company with its own geographically distributed traffic filtering network, sufficient computing power, and an opportunity for a rapid expansion of communication channel capacity.

5 TRAFFIC FILTERING NETWORK DDOS-GUARD At present, our company has a geographically distributed traffic filtering network, with physical communication links connected to Tier-1 networks, which allows for reliable and quick scrubbing of inbound traffic flow. The scrubbing centers are located in: Amsterdam, Netherlands Frankfurt, Germany Moscow, Russia Tokyo, Japan Washington, USA Amsterdam Moscow Washington Frankfurt Tokyo

6 The existing topology allows to confidently receive and locally filter large volumes of traffic without creating excessive load on the access providers and without losing network connectivity during attacks. For the customer this results in maintaining proper quality of the service provided to the end user, even under ongoing volumetric attacks on its infrastructure. Following the concept of a constant growth, we are in the process of designing and scheduling for deployment additional points of presence and scrubbing nodes in Europe, North America, and Southeast Asia. The network architecture is designed to meet probable threats and risks associated with DDoS-attacks, and provides three independently reserved layers. Routing layer The main purpose of this layer is fault-tolerant and flexible routing process of large volumes of transmitted traffic, providing connectivity with the maximum number of external networks. An additional goal is the aggregation and reservation for client connections that use physical (fiber optic) and logical (L2/L3 VPN, GRE, IPIP etc.) communication channels. At this level, reliable and high-performance Juniper routers and switches are used. Reserve cluster for packet processing (packet processing layer) The main purpose of this layer is a distributed traffic filtering at the 3rd and 4th layers of the OSI model under ultra-high packet load conditions and total amounts of the incoming traffic flow reaching 100-200 Gbps at each point of presence. This layer consists of several (2-5 - depending on the selected point of presence) interchangeable devices, which check incoming packets with DPl-based methods. The algorithms used for this process have been developed by the engineers of our company. The layer also allows for immediate communication channels expansion to 500-1000 Gbps at each point of presence.

7 Reserve cluster for processing of application level requests (application layer) The main purpose of this layer is to implement methods to validate OSI Layer 5+ requests, which mostly are НТТР and HTTPS. Here, the processes of HTTPS decryption, validation, and encryption take place. The layer is reserved regardless of the packet processing and routing. It is worth noting that for traffic filtering purpose we use our own developments. This allows us to guarantee and provide services fully at the declared level of availability (unlike businesses that resell services of larger mitigation providers), and also eliminates the possibility of undesirable leaks of information.

78 PROTECTION SOLUTIONS for websites Website protection may imply transferring files and databases of a website onto our protected hosting server as the first option, and applying a remote solution, which is a reverse proxy method, as the second (no need for redeployment). The reverse proxy technology allows a specified server to perform indirect requests to other network services. First, a client request reaches the proxy server cluster, where the request is checked. Then, if the request is valid, the proxy server establishes a connection with a server where the protected website is hosted, and sends the verified request for further processing. The response sent by the protected server back to the client who initiated the request is delivered in reverse order. If a customer chooses a reverse proxy protection, we provide a protected IP-address that further must be used in DNS as the A-record value of the protected website. Once the settings are set, all client requests to the protected website will go through our filters, and only after the verification process is complete, the requests are transmitted to the guarded server. However, if a technical problem occurs (not related to DDoS) on a side of a third party hosting service provider, where the protected website is deployed, it may become unavailable for reasons beyond our control. Therefore, for maximum security, we encourage you to host your websites on our secure hosting server or order a protected physical / virtual one. The customer can choose a server's location. The modern virtualization platform that we offer to customers makes it possible to efficiently optimize the server and have maximum control over it.

NETWORK PROTECTION SOLUTIONS for enterprise customers 9 For enterprise customers who have their own computing infrastructure, we can offer a network protection service called Protected IP-transit. This service is essential for owners of multiservice networks, i.e. networks with heterogeneous traffic. Within the scope of this solution, as a base option a customer can order protection for L2-L4 of the OSI model. The enhanced solution provides protection against HTTP-bots (L7 filtering) inclusively. Customer integration options (network integration): Virtual tunnel Logical line Physical line GRE, IPIP L2/L3 VPN, VLAN GbE, 10GbE, 40GbE In most cases, a dedicated logical or physical line is preferred over a virtual tunnel through the public network, because intermediate Internet service providers can label the tunnel traffic with a minimum priority. For the customer this may mean a non-guaranteed availability and unpredictable parameters of the virtual link (including latency, packet loss, jitter, fragmentation, etc.), i.e. a decline in the quality of the service.

10 Interested in providing high-quality services to our customers, we offer to establish a direct connection to the DDoS-GUARD mitigation network in one of our points of presence, or to make use of a dedicated line ordered from one of the intermediate providers. In order to transmit the client traffic, one can use a dynamic routing protocol BGP, or take advantage of a static route, in case a use of the DDoS-GUARD IP-addresses is preferred. To use BGP, a customer must own an Autonomous System (AS) or a pool of own IP-addresses. In case where a customer has an own AS, the protection via BGP connection looks as follows: BGP ANNOUNCEMENT OF CUSTOMER SUBNETS X.X.X.0/24 BGP ANNOUNCEMENT OF CUSTOMER SUBNETS X.X.X.0/24 Internet DDoS-GUARD AS DDoS Customer AS WWW LEGITIMATE TRAFFIC DDoS-GUARD filtering network LEGITIMATE TRAFFIC Customer network If a customer doesn't have their own AS, we can provide an IP-address pool of the needed size. In this case the protection scheme looks as follows: BGP ANNOUNCEMENT OF OWN SUBNETS Internet WWW DDoS DDoS-GUARD AS LEGITIMATE TRAFFIC DDoS-GUARD filtering network LEGITIMATE TRAFFIC Customer network Our expert technical staff will help you choose the most appropriate solution

OUR CUSTOMERS 11 Join DDoS-GUARD! Ensure informational security of your business today!

+31 208 087 317 sales@ddos-guard.net ddos-guard.net @ddosguard #ddos-guard

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback