A denial of service against a web site is launched by overwhelming the site and related services (such as DNS) with a tsunami of requests from multiple infected computers - "a botnet" under the control of the attacker. With thousands of infected computers in a botnet connected via high speed DSL / cable modem from all over the world, a serious denial of service attack can scale to multiple gigabits per second of traffic.
Rayservers Enterprise Anti-DDOS Dedicated 1 Gig-E Cabinet - Monthly
DDoS - A Simplified Explanation
A nice business day on the Internet... your hosting provider provides a steady stream of life-sustaining data for your business.
A tsunami of data is unleashed by your enemies that control infected computers on the Internet.... that overwhelm your hosting provider and your business.
You rush to buy an out-of-the-box hardware solution from a brand name company... your hosting provider continues to be overwhelmed by the data despite your purchase of an appliance to stop the flood of traffic.
The correct solution is to arrange a robust DDoS filtering system with adequate upstream bandwidth capability to separate the valid traffic from the tsunami caused by the criminals. Only a few peering points on the planet have the necessary capacity to solve the problem. We predict that internet systems will, and must, evolve to meter the flow of traffic to contain such abuse. The problem is one of economics: the Tragedy of the Commons.
How do you protect yourself against a DDOS attack?
The simple non-technical answer is that you use a firewall with high bandwidth connections to drop packets from abusive hosts while allowing genuine requests through to the affected service via a reverse proxy.
What does it cost?
The main cost of a DDOS attack is the cost of paying for the bandwidth, and the possibility that the available bandwidth is exceeded even at your ISP or colocation provider. When this happens it usually means your ISP will ask upstream ISPs to shut off access to your IP block to protect themselves and their other customers. With our ability to scale to multiple 10 Gbps connections, we will not leave you in the cold.
This sounds expensive, how do I justify it to my corporation?
What is the salary budget of your IT department? What does a competent IT person cost? The servers and bandwidth work 24x7 to provide business continuity to your company!
I own a hardware DDOS protection appliance - is that sufficient?
Any anti-DDOS appliance is only as good as the upstream bandwidth available to it to absorb the DDOS traffic. We can colocate your appliance with high bandwidth connections. We believe that OpenBSD provides the best protection and flexibility there is for an anti-DDOS firewall, which is why we use it.
My servers are located in facility x in country y - can you help?
Certainly. By obtaining high bandwidth anti-DDOS servers that reverse proxy the legitimate traffic to your existing servers we can protect your current investment in technology.
Anti-DDoS resources
- Cisco has several whitepapers and products that can be used as anti-DDOS appliances
- Toplayer has an anti-ddos Intrusion Prevention Appliance
OpenBSD
- The PF Packet Filter
- Priority Queues
- Operating System Fingerprinting - reward secure operating systems!
- Address Pools and Load Balancing
- Tracking Abusive Hosts (example below; the overload option needs a table to put the offending source into, so the table name <bad_hosts> is assumed here along with the two lines that declare and block it):
  table <bad_hosts> persist
  block quick from <bad_hosts>
  pass in on $ext_if proto tcp to $web_server \
      port www flags S/SA keep state \
      (max-src-conn 100, max-src-conn-rate 15/5, overload <bad_hosts> flush)
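To make the limits in that rule concrete, here is an added simulation (not code from the page or from OpenBSD) of how max-src-conn, max-src-conn-rate and overload ... flush decide, per source address, when a host is moved into the overload table; the connection log, addresses and the table name bad_hosts are constructed for the example, and the accounting approximates what the PF state table does in the kernel.

```python
"""Simulate PF's per-source limits over a constructed connection log (added example)."""
from collections import defaultdict, deque


class SourceTracker:
    """Approximates PF's max-src-conn / max-src-conn-rate / overload <table> flush."""

    def __init__(self, max_src_conn=100, rate_count=15, rate_seconds=5):
        self.max_src_conn = max_src_conn   # max simultaneous states per source
        self.rate_count = rate_count       # max new states per source ...
        self.rate_seconds = rate_seconds   # ... within this many seconds (15/5)
        self.active = defaultdict(int)     # open states per source
        self.recent = defaultdict(deque)   # timestamps of recent new states
        self.bad_hosts = set()             # the <bad_hosts> overload table (constructed name)

    def observe(self, ts, src, event):
        """Return 'block' (already in the table), 'overload' (just added) or 'pass'."""
        if src in self.bad_hosts:
            return "block"                 # block quick from <bad_hosts>
        if event == "close":
            self.active[src] = max(0, self.active[src] - 1)
            return "pass"
        self.active[src] += 1              # a new state for this source
        window = self.recent[src]
        window.append(ts)
        while window and ts - window[0] >= self.rate_seconds:
            window.popleft()               # drop opens outside the rate window
        if self.active[src] > self.max_src_conn or len(window) > self.rate_count:
            self.bad_hosts.add(src)        # overload <bad_hosts>
            self.active[src] = 0           # flush: kill this source's states
            window.clear()
            return "overload"
        return "pass"


def run(events, **limits):
    """Feed (timestamp, src, 'open'|'close') events in time order; return decisions and table."""
    tracker = SourceTracker(**limits)
    decisions = [(ts, src, tracker.observe(ts, src, ev)) for ts, src, ev in sorted(events)]
    return decisions, sorted(tracker.bad_hosts)


# Constructed log: a bursty source (16 opens in 4 s), a steady one (10 opens in 20 s),
# and the bursty source coming back after it was flushed.
SAMPLE_EVENTS = (
    [(i * 0.25, "203.0.113.7", "open") for i in range(16)]
    + [(float(i * 2), "198.51.100.9", "open") for i in range(10)]
    + [(30.0, "203.0.113.7", "open")]
)

if __name__ == "__main__":
    for ts, src, decision in run(SAMPLE_EVENTS)[0]:
        if decision != "pass":
            print(f"{ts:6.2f}s {src} -> {decision}")
```

The steady source never trips either limit, while the bursty one exceeds 15 new connections inside 5 seconds, is flushed, and is blocked outright when it returns.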
Robust EMail
Reverse Proxy Solutions:
The bottom line
The bottom line is that whatever appliance you use, you need upstream bandwidth to be able to discard the attack traffic while allowing legitimate traffic through to your existing servers. You also need competent people who understand the technical issues, hardware and network bottlenecks, and who can put in place a solution that is resistant to abuse and works within your budget.