What is the purpose of an anti-DDoS solution?
OVH’s anti-DDoS solution protects your server against distributed denial-of-service (DDoS) attacks. To do this, the solution relies on a unique system: the VAC.
What is a DDoS attack?
DDoS attacks aim to make a service or infrastructure unavailable by sending a very high volume of concurrent requests from different sources, all over the internet.
How does this kind of attack make my website, server or infrastructure unavailable?
DDoS attacks can be carried out using a number of different techniques, but the strategies can be put into two main categories:
Bandwidth saturation. By saturating a server’s network capacity, it will become unreachable.
- System resources saturation. By saturating all of a server’s available resources, it will be unable to process new requests, and will be overwhelmed as a result.
For example, an infrastructure that hosts several servers may become unreachable if its bandwidth capacity is saturated due to a DDoS attack. Since the infrastructure's entry point is overwhelmed with requests, incoming traffic to the servers cannot be correctly served, making all of the content hosted on it (websites, applications etc.) unavailable.
Why is the OVH anti-DDoS solution essential for my website, server or infrastructure?
The likelihood of becoming the target of a DDoS attack is high, and attempts to launch them are common. With OVH anti-DDoS protection, you can protect your services against these threats, and ensure that your web users do not experience any issues with slow browsing or inaccessible pages.
What services include OVH anti-DDoS protection?
Our anti-DDoS solution comes with all OVH services apart from Housing, ADSL, SDSL and VDSL products.
Will I need to pay extra for the OVH anti-DDoS solution?
No, OVH’s anti-DDoS solution is included in all of our prices.
What kinds of attacks will the OVH anti-DDoS solution protect me against?
OVH anti-DDoS protection will protect you against distributed denial-of-service attacks.
How will the OVH anti-DDoS solution protect me?
The OVH anti-DDoS solution protects you by relying on a combination of different technologies developed by OVH: the VAC. With the VAC, we can protect services constantly via a mitigation technique.
What is mitigation?
Mitigation refers to the measures put in place to protect your system against DDoS attacks, while letting legitimate traffic pass through.
Am I always protected by the OVH anti-DDoS solution?
Yes. OVH’s anti-DDoS solution has automatic mitigation. Our anti-DDoS technology will automatically detect attacks on your services, and you do not need to make any configuration changes for it to work.
Is there a limit to the number of attacks per month that my service can receive?
There is no time limit for receiving our protection, regardless of how many times your services are targeted by DDoS attacks.
Will the anti-DDoS solution stop working if the attack exceeds a set traffic threshold (in Gbit/s)?
We do not apply any limits in terms of traffic, even if the attacks are high-volume.
Is there a limit on the duration of attacks per month?
Your services are protected without any duration limit. Mitigation is activated as soon as an attack is detected.
What is the OVH anti-DDoS solution made of?
Our anti-DDoS solution is composed of several different internally-built hardware components and technologies. It is present in all OVH points of presence worldwide, so that it can absorb all attacks via the mitigation technique. We are able to mitigate attacks due to a three-step solution, which consists of analysing traffic, then vacuuming it in order to mitigate it. At OVH, mitigation uses a combination of internal technologies that are collectively called a VAC.
What is the VAC?
The VAC is a combination of different technologies developed by OVH, and designed to mitigate DDoS attacks. With its unique composition, it can filter incoming traffic so that only legitimate data packets pass through and reach your servers, while illegitimate traffic is blocked. Notable parts of the VAC include a pre-firewall, the Firewall Network and Shield and Armor.
What is the difference between the VAC and OVH anti-DDoS?
The OVH anti-DDoS solution works based on several components, including the VAC. Before it vacuums up traffic, the traffic is analysed by our internal solutions which can trigger mitigation. As soon as mitigation is triggered, illegitimate traffic is then vacuumed up and sent to the VAC.
Can I deactivate the OVH anti-DDoS solution for my service?
No. Our anti-DDoS solution is applied to all our infrastructures and servers, in order to guarantee optimal protection for our customers. As a result, our services always have automatic or permanent mitigation.
What is automatic mitigation?
Mitigation is activated automatically when an attack is detected on one of your services. You are sent an email notification when this happens, and you can track the progress of the situation from the OVH Control Panel. When the attack is over, you will receive another email notification. Automatic mitigation uses all the technologies of the VAC (pre-firewall, the Firewall Network, and the Shield and Armor hardware).
Can I get permanent mitigation?
By definition, your services are always protected due to automatic mitigation, which activates as soon as an attack is detected (usually within a few seconds). By activating permanent mitigation, you constantly apply a first level of filtering through our Shield hardware, as well as the filtering rules you have defined in the Firewall Network. If required, automatic mitigation can also trigger in order to give you protection that includes all of the VAC’s technology (the pre-firewall, Firewall Network, as well as Shield and Armor hardware). It is important to note that for security and service availability reasons, only our Game servers are locally equipped with permanent mitigation. Our other solutions can use permanent mitigation too - you can enable it from the OVH Control Panel.
Can I customise my Firewall Network configuration?
You can create filtering rules from the OVH Control Panel, via an API. You can also define authorisations and blocks based on specific protocols. These rules can be applied if the Firewall Network is active, and when mitigation is triggered. To get help configuring the Firewall Network, please read the following guide: Configuring the Firewall Network.
How can I tell if my service has been targeted by a DDoS attack?
When an attack is detected on your services, you will be sent a notification about it via email. You can track the progress of the situation via the OVH Control Panel, which will provide you with statistics. When the attack is over, you will receive another email notifying you of this. If you think that your services have been targeted by a DDoS attack and your users are experiencing degraded performance, please feel free to contact the OVH support team, who can look into this.
What are the differences between OVH anti-DDoS solutions and anti-DDoS Game solutions?
Anti-DDoS Game uses specific permanent L7 mitigation, which is reserved for OVH’s Game servers. Protection is constantly enabled, which means that traffic filtering is continuous. As the name suggests, anti-DDoS Game specifically targets certain gaming and communication protocols.
What are four general tips for protecting my infrastructure effectively?
Below, you will find a few tips for ensuring optimal security in addition to the protection provided by our anti-DDoS solution. This non-exhaustive list will give you tips and advice on improving security for your OVH servers.
- Configuring the Firewall Network: Please check that only authorised and required ports for your server are enabled. To avoid your server becoming unavailable due to an incorrect configuration, remember to take into account all of the ports and services you need.
To configure your server: Modify your server’s IP settings by adding custom TCP and UDP values via the Linux kernel.
Public and private networks: If your infrastructure is made up of several servers, use the vRack to connect your machines for any services that require multiple servers.
Prepare a business continuity plan (BCP): If you are able to do so, use our datacentres to duplicate your infrastructure across multiple geographical regions, and draw out a strategy for a service continuity plan (SCP) in advance.