A unique system for protecting against distributed denial-of-service attacks
The pre-firewall is the first component of our VAC system. It is fully managed by OVH, and applies rules that define filters directing data packets to the Firewall Network (see below). These rules are applicable to all OVH solutions. When a DDoS attack is launched, the pre-firewall manages part of the filtering, and sends the rest to the Firewall Network, which has customizable rules. Our pre-firewall is based on an Arista 7508R, which can reach a communication capacity of 28.8 Tbit/s. Isolation by VRF then routes the traffic through our system’s successive stages.
The Firewall Network
This is the second component of the VAC. The Firewall Network is a solution that limits exposure to attacks from the public network. It activates automatically as soon as a DDoS attack starts, and you cannot deactivate it until the attack is over. You can configure it by creating up to 20 rules, which filter packets more finely and can be adapted to fit your server’s activity. Each rule is a specific authorization you can use to optimize protection for your service. Because the firewall is enforced for the whole duration of an attack, it is important to keep your firewall rules up to date, so that legitimate traffic to your service is still permitted while mitigation is active. You can use this technical guide to help you configure rules.
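The following is an added example, not code from OVH or from this page: it models a Firewall Network rule set (first matching rule in sequence order wins, at most 20 rules, default deny once mitigation is active is an assumption) and runs a "drill" that reports which expected legitimate flows would be blocked while the firewall is engaged. The rule fields, sample addresses and flows are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

MAX_RULES = 20  # limit stated on the page


@dataclass(frozen=True)
class Rule:
    sequence: int               # evaluation order, lowest first
    action: str                 # "permit" or "deny"
    protocol: str               # "tcp", "udp", "icmp" or "any"
    source: str = "0.0.0.0/0"   # CIDR the packet must come from
    dport: int = 0              # destination port, 0 = any
    established: bool = False   # match only return traffic of existing TCP sessions


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dport: int
    established: bool = False


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.source):
        return False
    if rule.dport and rule.dport != pkt.dport:
        return False
    if rule.established and not pkt.established:
        return False
    return True


def evaluate(rules: list, pkt: Packet) -> str:
    """First matching rule decides; anything unmatched is denied (assumed default)."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} rules allowed")
    for rule in sorted(rules, key=lambda r: r.sequence):
        if matches(rule, pkt):
            return rule.action
    return "deny"


def dropped_flows(rules: list, expected: dict) -> list:
    """Names of expected legitimate flows the rule set would block during mitigation."""
    return [name for name, pkt in expected.items() if evaluate(rules, pkt) == "deny"]


# Constructed rule set: web service, admin SSH from one range, return traffic for
# outbound TCP. Note that no UDP rule exists, so DNS replies to the server are dropped.
RULES = [
    Rule(0, "permit", "tcp", dport=443),
    Rule(1, "permit", "tcp", dport=80),
    Rule(2, "permit", "tcp", source="203.0.113.0/24", dport=22),
    Rule(3, "permit", "tcp", established=True),
]
EXPECTED = {
    "https client": Packet("tcp", "198.51.100.7", 443),
    "admin ssh": Packet("tcp", "203.0.113.9", 22),
    "outbound tcp reply": Packet("tcp", "198.51.100.20", 51234, established=True),
    "dns reply": Packet("udp", "192.0.2.53", 40123),
}
```

Running `dropped_flows(RULES, EXPECTED)` before an attack shows the gap (`["dns reply"]`) while there is still time to add a rule, rather than discovering it once the firewall is locked on.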
Shield and Armor
The Shield and Armor hardware intervenes if an attack is more targeted, and offloads part of the filtering from the server’s processor. The Shield intervenes if an attack uses an amplification technique (DNS amp, NTP amp). Armor is the most advanced filter in our VAC, and intervenes in mitigating the very strongest attacks.