How We Defend Against DDoS Attacks
Introduction
Our networks are protected by advanced DDoS filters configured to detect and repel network-based DDoS attacks in near real-time. These measures prevent added latency and service disruptions, giving our users a stable and uninterrupted experience.
Technical Overview
Our DDoS protection architecture consists of two components: pre-filtering and post-filtering.
Pre-filtering by Aurologic
Pre-filtering is administered by Aurologic, effectively thwarting large-scale amplification attacks that could potentially inundate our network infrastructure. Aurologic is adept at blocking various types of Layer-3 and Layer-4 attacks, including:
- TCP SYN Floods
- ICMP Floods
- UDP Reflection Attacks
- IGMP Floods
- IP Packet Fragment Attacks
- And many more...
AS203446 Post-Filtering
Traffic that Aurologic lets through is then handled by our post-filtering software. This software runs on a cluster of Intel Xeon systems with Mellanox network cards, engineered for high performance and scalability.
Protection Against Protocol Attacks
Post-filtering provides the following checks and protections, among others:
- Invalid packets
- Anomalies in TCP flag combinations (e.g., no flag, SYN-FIN, SYN fragment, LAND attack)
- Protection against SYN-ACK amplification attacks
- IP options
- Packet size validation (preventing the 'Ping of Death')
- TCP/UDP/SSL/ICMP flood protection
- Per-connection traffic control
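The TCP flag-combination checks in the list above (no flag, SYN-FIN, SYN fragment, LAND), sketched as an added example; this is not the provider's post-filtering software. The function names, anomaly labels and sample addresses (documentation ranges) are assumptions made for illustration.

```python
import socket
import struct

FIN, SYN = 0x01, 0x02

def tcp_anomalies(packet: bytes) -> list[str]:
    """Return anomaly names found in one raw IPv4 packet (checksums not verified)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ["invalid-packet"]
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length in bytes
    total_len, _ident, frag = struct.unpack_from("!HHH", packet, 2)
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        return ["invalid-packet"]
    if packet[9] != 6 or frag & 0x1FFF:               # not TCP, or a later fragment
        return []                                     # no TCP header to inspect
    if total_len < ihl + 20:
        return ["invalid-packet"]                     # truncated TCP header
    sport, dport = struct.unpack_from("!HH", packet, ihl)
    data_offset = (packet[ihl + 12] >> 4) * 4
    flags = packet[ihl + 13] & 0x3F                   # FIN SYN RST PSH ACK URG
    found = []
    if data_offset < 20 or ihl + data_offset > total_len:
        found.append("invalid-packet")
    if flags == 0:
        found.append("no-flag")
    if flags & SYN and flags & FIN:
        found.append("syn-fin")
    if flags & SYN and frag & 0x2000:                 # SYN with More Fragments set
        found.append("syn-fragment")
    if flags & SYN and packet[12:16] == packet[16:20] and sport == dport:
        found.append("land")                          # SYN whose source equals its destination
    return found

def build_packet(src, dst, sport, dport, flags, frag=0):
    """Constructed sample packet: 20-byte IPv4 + 20-byte TCP header, zero checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, frag, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp

if __name__ == "__main__":
    samples = {  # constructed inputs, not captured traffic
        "plain SYN": build_packet("192.0.2.10", "198.51.100.5", 40000, 443, SYN),
        "null scan": build_packet("192.0.2.10", "198.51.100.5", 40000, 443, 0),
        "SYN-FIN": build_packet("192.0.2.10", "198.51.100.5", 40000, 443, SYN | FIN),
        "LAND": build_packet("198.51.100.5", "198.51.100.5", 80, 80, SYN),
    }
    for name, pkt in samples.items():
        print(f"{name:10s} -> {tcp_anomalies(pkt) or 'clean'}")
```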
Challenge-based Authentication
Our software integrates diverse challenge-based authentication mechanisms:
- TCP SYN cookies, SYN authentication
- ACK authentication
- Spoof detection
- DNS authentication
- Zero-day Automated Protection (ZAPR)
We also leverage machine learning to recognize and filter attack patterns in real-time, providing:
- ZAPR: Machine Learning-powered attack pattern recognition
- TCP progression tracking
- Capability to prevent zero-day attacks
- No pre-configuration or manual intervention needed
- Swift, automated response
Through the integration of advanced AI techniques, our system adapts to novel forms of network-level attacks, delivering robust security with minimal latency or disruption. This ensures a stable, uninterrupted experience for our users.
Additional Mitigation Techniques
Customized Post-Filtering for Special Requirements
For clients with specific needs or those facing intricate attacks, we offer tailor-made adjustments to our post-filtering process. These include, but are not limited to:
- Geo rate-limits or blocks: These settings restrict or block all incoming traffic from specific geographical regions, useful for mitigating attacks originating from those areas.
- ASN rate-limits or blocks: This feature limits or blocks traffic from specific Autonomous System Numbers (ASNs), particularly effective against large-scale attacks from a single network operator.
- IP Blacklists: A compilation of IP addresses denied access to the network, effectively blocking known malicious actors.
- Packet Length Filters: These filters check the size of each data packet and block suspiciously large or small packets, mitigating attacks that exploit packet size.
- And many more...
For further information, please contact our support on Discord.