About our Anti-DDoS

Default ACL (Access Control Lists) on VLAN

Preset Access Control Lists ( ACL ) rules that protect against diverse attack types, such as DNS (Domain Name System) and/or UDP attacks. The rules are consistently updated and maintained throughout to ensure ongoing security.

Automatic detection and auto null route

With automatic detection, it will discover incoming DDoS attacks. Once an attacker network is detected, this service blocks all traffic from it. Also, null routing silently discards (or "drops") malicious incoming traffic. The undesired traffic is directed to a route that goes nowhere, protecting the infrastructure. Null routing renders the target server inaccessible to anyone, including clean traffic.

Custom ACL (Access Control Lists) on VLAN

With this feature, you can preset their own ACL rules to protect against most of attack types. For example, they can set the specific ports, protocols, IP addresses that need to be protected from attacks.

Rate limiting

If a specific destination IP/port combination is not critical to the continued operation of the application running on the server, it can be set to receive a limited amount of traffic.

• It limits total traffic for a destination to a configurable Mbps value, such as “all traffic to a certain destination port.”

• If the rate limit is exceeded, the overflow traffic is discarded randomly, affecting both legitimate and illegitimate traffic.

Understanding Rate Limits

Rate limits control the number of requests that a server can receive within a specific timeframe. These limits help maintain service quality and prevent abuse. Once exceeded, further requests may be blocked or delayed until the limit resets.

For example:

• If you normally expect 10 Mbps traffic to a certain destination IP & destination port combination, you might decide to set a 20 Mbps rate limit.

• But if you then receive a 90 Mbps attack, the 20 Mbps rate limit will drop exceeding 80 Mbps randomly meaning you’ll pass through approximately 4 Mbps of legitimate traffic and 16 Mbps of illegitimate traffic.

• This means you effectively have 60% packet loss on your legitimate 10 Mbps of traffic when the rate limit is performing exactly as it was configured to do.

• Its usefulness is therefore very limited for the actual application you’re trying to protect; hard discard or accept methods are often more appropriate.

Clients often rate limit ICMP traffic to ensure servers respond to pings during normal operation, but halt responses during ICMP-based DDoS attacks. Meanwhile, the application/protocol/port which runs on the server remains unaffected by this ICMP traffic rate limit.

Warden

For unparalleled anti-DDoS protection, Warden is our custom software that filters traffic on a dynamic whitelist furnished by the customer. Its capabilities provide inline filtering, which allows you to achieve a higher level of specificity and detail when filtering their traffic stream.

In other words, only IPs explicitly listed in the whitelist can pass through. One of the key advantages of Warden is its ability to operate without introducing latency. By bypassing the operating system (OS) and directly receiving traffic through the network interface card (NIC), Warden offloads the filtering process from the OS, ensuring efficient and high-performance filtering.

Warden is designed to be flexible and adaptable. New features are continuously added whenever technically feasible, enabling you to benefit from the latest advancements in traffic filtering technology. In the event of server failures, Warden follows a fail-open system. If two servers fail, instead of blocking traffic, Warden allows all traffic to pass through. This ensures that your network remains operational even in challenging situations.

Warden also supports Active-Active setups, allowing horizontal scaling. This means you can expand the capacity of your filtering infrastructure by adding more instances of Warden, distributing the workload, and ensuring scalability.

Warden allows you to specify IPs (through API) to whitelist or blacklist at line rate speeds and takes effect within seconds of adding the IP to the specified lists.

For more information on integrating Warden, please refer to Warden: Overview of how it works

Byte matching

Byte matching is a technique that identifies and filters out malicious or undesirable traffic from incoming network packets based on specific byte patterns. Customers can tailor specified signatures. As a result, it blocks the bytes that are not supposed to enter the network by taking appropriate actions to safeguard the targeted infrastructure.

API support

This feature allows you to tailor your own protection as needed by managing protection profiles and white/blacklists through the API.