Infrastructure Security from DDoS Attacks¶

In this article

• Core DDoS Protection
• Enhanced DDoS Defense
• Differences in Services

Modern web resources and internet services are vulnerable to distributed denial-of-service (DDoS) attacks, which can cause critical systems to fail, paralyzing entire companies and organizations. Therefore, ensuring reliable protection against DDoS attacks is a top priority for maintaining uninterrupted online service operations. HOSTKEY offers two comprehensive solutions against DDoS attacks from company DDoS-Guard: the basic free version and the advanced paid version. Each solution has its unique activation features, level of protection, and provided capabilities.

Core DDoS Protection¶

The comprehensive DDoS defense system is a robust solution against DDoS attacks, leveraging announced routes through BGP and traffic filtering. All protected networks are announced to all providers, including DDoS-Guard, ensuring optimal availability of incoming traffic via standard BGP AS-PATH. External providers are aware of multiple AS-PATHs to these networks and store route information in their routers' routing database (RIB).

To monitor incoming traffic, Sflow analysis is configured on all access points. Upon exceeding the threshold value for a specific IP address (the server port plus 50% bandwidth capacity) a trigger is activated. Subsequently, the subnet ceases to be announced to all access points except DDoS-Guard. Providers cleanse RIB information of other AS-PATHs, leaving only one route to the attacked subnet through DDoS-Guard. DDoS-Guard filters traffic, allowing only sanitized flows to reach the server.

After two hours, the subnet is re-announced to all access points. If the attack persists, the mechanism will activate again. A safeguard feature allows protecting infrastructure even if an attack is so powerful or complex that it penetrates DDoS-Guard's defense. In this case, upon a second trigger activation 10 minutes after the initial one, when the subnet is already under protection, the DDoS blackhole mechanism is activated. It sends a route /32 to all providers, blocking traffic to a specific IP address. Automatic unlocking occurs two hours after blackhole activation.

Enhanced DDoS Defense¶

The free version of the DDoS defense has several shortcomings in its previous implementation. When processing scenarios for protection, a minor degradation of service occurs over several minutes due to losses during switching to DDoS-Guard. Although modifications to the routing information base (RIB) database usually enable a smooth transition to an alternative route, the degradation persists.

Furthermore, only coarse-grained threshold values are used, which means that only simple and effective attacks can trigger protection. However, this mechanism does not safeguard against attacks targeting protocol vulnerabilities, such as small-scale SYN flood or UDP-flood attacks, which may not exceed threshold values and thereby fail to transition under protection. Although these attacks are generally non-critical for most services, some websites may experience significant degradation of performance.

To address this issue, a permanent defense solution is offered for critical services. Several designated subnets have been allocated specifically for these purposes. These subnets are announced only through DDoS-Guard and consistently cleansed of malicious traffic.

Since data traffic on these subnets is expensive, this service is provided on a paid basis. Thus, the enhanced version of DDoS defense allows for the protection of critical services from various types of DDoS attacks, including those targeting protocol vulnerabilities and small-scale attacks that may not exceed threshold values in standard protection mode.

Differences in Services¶