How to Set Up DDoS Protected Web Hosting

Introduction

Web hosting is a competitive space, and DDoS attacks have been growing since 2010.

DDoS attacks pose a huge risk to a company's Internet connectivity, and preventing them can save companies millions of dollars a year, especially companies that depend on the Internet as a business platform and those for whom the Internet is an element of their core IT infrastructure.

How do webhosts ensure that their webhosting business is safe from DDoS attacks? How do they ensure that they don't get a call from their key customers in the middle of the night? How do they ensure that they don't have to search through logs to figure out the attack type and sources and change the router and switch configuration?

IntruGuard has a solution for web hosts based on hardware-logic appliances, the IG200/IG2000.

In the sections below, we describe a typical webhosting configuration.

Network Diagram

The following diagram shows the typical infrastructure required for a web host. The hosting involves VPS, dedicated servers, and shared services. The infrastructure may also contain VPN clouds.

All these appliances are protected by edge security provided by IntruGuard IG200/IG2000 DDoS mitigation appliances.

The hosts must establish peering connections with multiple core Internet Service Providers to provide the first level of attack protection.

They must monitor each peer closely and continuously in order to deliver the fastest response time for customers' critical and latency-sensitive applications.

The Bypass Switches ensure that under critical failure of IG200/2000 DDoS mitigation appliances the connectivity is still maintained.


Dual WAN Link Deployment for Cost-conscious Hosts

In the following diagram a deployment scheme is shown which allows one IG200/IG2000 with Dual-WAN-Link option enabled to protect two Internet links.

The bypass switches are optional but recommended components that ensure connectivity in case of critical failure or power failure.

Some Key Protections Provided by IntruGuard Appliances

    1. Initial filtering using wire-speed Access Control Lists.
    2. Prevention of access to/from bogon IPs (you can define a private bogon IP list as well).
    3. Prevention of access to known infected host source IP addresses.
    4. Access to only allowed ports and protocols.
    5. Deep and granular packet inspection.
    6. Verification of protocol state such as the TCP three-way handshake.
    7. Protection from protocol anomalies at layers 3, 4 and 7.
    8. Mitigation of spoofed attacks. IG2000 uses challenge-response algorithms such as TCP SYN cookies, ACK cookies and the SYN retransmission mechanism to distinguish between spoofed and legitimate traffic.
    9. Continuous learning and adaptive filtering to ensure that you don't have to keep changing the policies as your business gradually grows.
    10. Statistical Analysis and Anomaly Recognition filtering for zero-day attacks. Using statistical analysis, an unusual number of packets or a high traffic rate from spoofed and non-spoofed clients can be identified and filtered. Using anomaly recognition, auto-learned normal baselines for granular header parameters can be used to identify and filter malicious activity.
    11. Source Tracking. Patented Source Tracking algorithms associate identified attacks with non-spoofed sources (especially botnets).
    12. Application Level Filtering. The IG2000 deep packet inspection engine provides comprehensive application-layer intelligence, allowing the engine to understand the User-Agent, Cookie, Referer and Host fields besides the URLs. Any attack that involves repeated access using one of them is immediately thwarted in hardware logic within milliseconds.
    13. Prevention of slow, resource exhaustion attacks. IG200/2000 appliances monitor up to 1 M TCP connections, look for misbehavior, and can optionally age out idle connections aggressively. Similarly, if a source establishes too many concurrent connections, it can be identified automatically.
    14. Prevention of botnet HTTP attacks. To further mitigate HTTP application-level attacks, IG200/2000 can enforce intelligent HTTP filtering that applies restrictions to HTTP header parameters. These can identify scripted botnet attacks whose requests all look alike to the trained logic.
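The SYN cookie challenge-response mentioned in item 8 works because only a client that actually received the SYN-ACK can echo the encoded sequence number back; a spoofed source never sees it. The stateless cookie generation and ACK validation below is an added illustration of that principle, not IntruGuard's code, and the key, lifetime and addresses are constructed for the example.

```python
import hmac
import hashlib
import time

# Constructed for this example; a real device rotates this secret periodically.
SECRET = b"example-secret-rotate-me"
COOKIE_LIFETIME = 64  # seconds: width of one timestamp slot in the cookie


def _slot(now):
    """Coarse 8-bit timestamp slot used to bound how long a cookie is valid."""
    return (int(now if now is not None else time.time()) // COOKIE_LIFETIME) & 0xFF


def _mac(src_ip, src_port, dst_ip, dst_port, slot):
    """24-bit keyed MAC over the 4-tuple and time slot (fits in the ISN)."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, now=None):
    """Build the ISN for the SYN-ACK. Nothing is stored for the half-open
    connection: the ISN itself carries the slot (high 8 bits) and the MAC."""
    slot = _slot(now)
    return ((slot << 24) | _mac(src_ip, src_port, dst_ip, dst_port, slot)) & 0xFFFFFFFF


def check_ack(src_ip, src_port, dst_ip, dst_port, ack_num, now=None):
    """Validate the handshake's final ACK: the client must echo ISN + 1.
    A spoofed source cannot, because the SYN-ACK went to an address it does
    not control. Cookies from the current or previous slot are accepted."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    slot = cookie >> 24
    if (_slot(now) - slot) & 0xFF not in (0, 1):
        return False  # cookie expired (or slot byte was fabricated)
    return (cookie & 0xFFFFFF) == _mac(src_ip, src_port, dst_ip, dst_port, slot)


def handshake(src_ip, src_port, dst_ip, dst_port, client_receives_synack, now):
    """Simulate one handshake. A legitimate client learns the ISN and echoes
    it; a spoofing source never sees it and can only guess."""
    isn = make_syn_cookie(src_ip, src_port, dst_ip, dst_port, now)
    ack = isn + 1 if client_receives_synack else 12345  # constructed guess
    return check_ack(src_ip, src_port, dst_ip, dst_port, ack, now)
```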


How to Provide DDoS Protected Clean Pipes to Remotely Hosted Sites

The same mechanism described above can also be used to provide a clean pipe to an end-user server.

The customer diverts all the traffic to the nearest DDoS Protected Hosting node. Once the traffic hits the node, it is scrubbed and cleaned. The clean traffic is then placed back onto the wire and delivered to the end-user server.

Clean Pipes Solution Using IntruGuard Appliances


Further Reading:

How to add IntruGuard appliances to existing Cisco Guard setup.

Protecting ISP infrastructure from DDoS attacks.