



DDoS Attack Mitigation



Block the attack, let legitimate traffic through


Mitigation is the term used to designate the means and measures put in place to reduce the negative effects of a DDoS attack. Mitigation consists of filtering illegitimate traffic and hoovering it up with the VAC, while letting legitimate packets go through.


The VAC consists of multiple devices, each with a specific function to block one or more types of attack (DDoS, Flood, etc.). Depending on the attack, one or more defense strategies may be put in place on each VAC device.



Components of the VAC

[Diagram labels: Routers (backbone), Routers (data center)]


Actions carried out on the Pre-Firewall


  • UDP fragments
  • Packet size
  • Authorization of TCP, UDP, ICMP, GRE protocols
  • Blocking all other protocols

Actions carried out on the Firewall Network


  • Authorize/block an IP or a sub-network of IPs
  • Authorize/block a protocol:
    • IP (all protocols)
    • TCP
    • UDP
    • ICMP
    • GRE
  • Authorize/block a port or TCP/UDP port interval
  • Authorize/block TCP SYN packets
  • Authorize/block all packets except TCP SYN packets


Actions carried out on the Tilera


  • Malformed IP header
  • Incorrect IP checksum
  • Incorrect UDP checksum
  • ICMP limitation
  • Incorrectly fragmented UDP datagram
  • DNS amplification
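
Three of the checks listed above (malformed IP header, incorrect IP checksum, incorrect UDP checksum) are sketched below in Python as an added example; it is not the provider's code. The function names, verdict strings (including "bad UDP length") and the sample packet builder are assumptions made for this illustration.

```python
import struct

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (zero-padded to 16 bits)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(pkt: bytes) -> str:
    """Return 'pass' or the first failed check for a raw IPv4 packet."""
    if len(pkt) < 20:
        return "malformed IP header"
    ver_ihl, _, total_len, _, frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(pkt):
        return "malformed IP header"
    if csum(pkt[:ihl]) != 0:  # a valid header sums to 0xFFFF, so csum() is 0
        return "incorrect IP checksum"
    if proto != 17 or frag & 0x3FFF:  # not UDP, or a fragment (MF / offset set)
        return "pass"  # UDP checksum needs the whole datagram
    udp = pkt[ihl:total_len]
    if len(udp) < 8:
        return "bad UDP length"
    udp_len, udp_sum = struct.unpack("!HH", udp[4:8])
    if not 8 <= udp_len <= len(udp):
        return "bad UDP length"
    if udp_sum == 0:  # sender did not compute one (allowed over IPv4)
        return "pass"
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)
    if csum(pseudo + udp[:udp_len]) != 0:
        return "incorrect UDP checksum"
    return "pass"

def build(payload: bytes, src=bytes([192, 0, 2, 1]), dst=bytes([198, 51, 100, 7])) -> bytes:
    """Constructed sample: valid IPv4/UDP packet between documentation addresses."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 17, udp_len)
    udp = udp[:6] + struct.pack("!H", csum(pseudo + udp) or 0xFFFF) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, 0, 64, 17, 0, src, dst)
    return ip[:10] + struct.pack("!H", csum(ip)) + ip[12:] + udp
```

The order of the checks matters: the UDP checksum is only evaluated once the IP header has been validated and the packet is known to be an unfragmented datagram.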

Actions carried out on the Arbor


  • Malformed IP header
  • Incomplete fragment
  • Incorrect IP checksum
  • Duplicated fragment
  • Fragment too long
  • IP/TCP/UDP/ICMP packet too long
  • Incorrect TCP/UDP checksum
  • Invalid TCP flags
  • Invalid sequence number
  • Zombie detection
  • TCP SYN authentication
  • DNS authentication
  • Badly formed DNS request
  • DNS limitation