DDoS IP protection
“DDoS IP protection for private networks. It defends your IP network infrastructure against large scale DDoS attacks”
The Serverius DDoS IP protection service protects Layer 2 and BGP networks. Its unique web portal with integrated API functionality offers full control of BGP networks and easy integration. Therefore it’s the best Layer 3 and 4 mitigation service without any IP limits, missing technology, or hidden costs afterward.
Proven DDoS Attack Protection
Heavy-traffic DDoS attack protection to defend and control IP network environments. It will effectively defend against complex attacks in milliseconds, ensuring the continuity of customers’ infrastructure.
How DDoS IP protection works
By default, all incoming data traffic from the Internet will be filtered through the Serverius scrubbing facilities. Based on a per IP configuration, the dirty traffic will be blocked, and all normal traffic will be forwarded back to the user.
Users with their own ASN can use the DDoS IP protection service as one of their normal IP transit carriers. When the user simply announces a /24 or larger, no data traffic is filtered by default. In case of a DDoS attack on one of its IP subnets, the user can enable protection for the attacked IP subnet(s).
For example, when a /32 is attacked, but the /24 is announced, only the /32 is filtered by the DDoS IP protection service! This spares the IP subnets that are not under attack the higher latency and possible false positives of filtering.
Centrally managed platform
To be prepared for future attacks, users can configure their defenses upfront. Whether it is one simple configuration for only a single /32 subnet or an advanced configuration for multiple /24 subnets, it can all be configured in the Serverius client panel.
In-line or out-of-path protection
It’s up to the user to decide which DDoS protection method to use: in-line (always-on), or out-of-path, using a flow analyzer to automatically re-route traffic when there is a DDoS attack. The Serverius NOC as a Service can install, configure and maintain flow analyzers like Wanguard. This ensures that complex configurations will work during advanced DDoS attacks and will keep working for a long time.
Serverius is an official Wanguard reseller. Therefore, users can purchase discounted Wanguard licenses.
Serverius’s leading low-latency scrubbing facilities work in real time. They will block DDoS attacks from the first attack packet within a split second. In addition to Serverius’s well-known premium network quality, any European IP subnet will experience low latency and premium route quality.
Service connection & network and traffic delivery
There are many ways to connect to the DDoS IP protection cleaning engine and make it part of your defenses. Depending on their IP infrastructure, users can choose from the following options:
By 2nd BGP session on SpeedIX, AMS-IX, or NL-IX.
If you are a member of one of the 3 Dutch internet exchanges, you can create a 2nd BGP session to Serverius and announce your IP subnets under your ASN.
By Serverius Internet connectivity
When using the Serverius Internet connectivity, any IP subnets can be protected with just one mouse click in the client panel. It will work with any Layer 2 internet connection, and also with all IP subnets which are under a private ASN which is using the Serverius network as an internet carrier.
By physical fiber connection
A direct fiber connection at one of the Serverius datacenters or a Serverius Point of Presence (PoP) can be used to establish a physical fiber connection.
By GRE tunnel from your BGP network to Serverius
Remote connections can be made by a redundant GRE tunnel. Incoming and/or outgoing data traffic will pass Serverius and will be cleaned for you. You can use many GRE tunnels to different Serverius routers in different physical data centers.
By carrier VLAN to a Serverius PoP
Any carrier in Europe can transport a VLAN to a Dutch Point of Presence (PoP) in the Netherlands.
Configurable technology at your fingertips
The only person who knows which services are running on their IP subnets is the network IP administrator. Based on what is running on an IP subnet, the administrator should be able to create their own DDoS protection defense layer for it. Therefore the Serverius self-service web portal offers tunable features to configure everything yourself.
Custom made IP security
Users can create a personalized protection environment called “Safe Zones”. Every Safe Zone can hold one or multiple IPv4 (from a /32 up to a /19) and IPv6 subnets where multiple security features can be enabled. This way the user can create a specific configuration per IP, per software application, or per web application.
The most important layer is the “baseline” protection layer (see image next to this text) where you can set all possible checks for TCP/UDP/ICMP/DNS/SIP/HTTP/HTTPS and other types of data traffic and protocols.
Include & exclude IP subnets
When you are using the Serverius DDoS protection to protect your private IP infrastructure, you can forward all data traffic transparently and enable protection for smaller subnets like a /32 single IP address. It’s even possible to exclude IP subnets from larger subnets.
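The per-subnet behaviour described here and in the /24 versus /32 example earlier can be modelled as a longest-prefix decision. This is an added example, not Serverius code or its API: the function names, the "most specific prefix wins, exclude wins a tie" rule and the documentation-range prefixes are assumptions made for illustration.

```python
import ipaddress

def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]

def uncovered(announced, prefixes):
    """Return the prefixes that no announced prefix covers.

    Traffic for such a prefix never reaches the scrubbing path,
    so enabling protection for it would have no effect.
    """
    ann = _nets(announced)
    return [str(n) for n in _nets(prefixes)
            if not any(a.version == n.version and n.subnet_of(a) for a in ann)]

def is_filtered(dst, include, exclude):
    """True if traffic to dst is filtered, False if it is forwarded untouched.

    Assumed rule: the most specific matching prefix decides;
    on equal prefix length the exclude entry wins.
    """
    addr = ipaddress.ip_address(dst)
    best_len, filtered = -1, False          # default: forward transparently
    for verdict, prefixes in ((True, include), (False, exclude)):
        for net in _nets(prefixes):
            if net.version != addr.version or addr not in net:
                continue
            if net.prefixlen > best_len or (net.prefixlen == best_len and not verdict):
                best_len, filtered = net.prefixlen, verdict
    return filtered

# Constructed sample data (RFC 5737 documentation ranges).
ANNOUNCED = ["192.0.2.0/24"]

if __name__ == "__main__":
    # Only the attacked /32 is filtered; its neighbours are not.
    print(is_filtered("192.0.2.10", ["192.0.2.10/32"], []))
    print(is_filtered("192.0.2.11", ["192.0.2.10/32"], []))
    # Whole /24 protected, with a /28 carved out.
    print(is_filtered("192.0.2.20", ["192.0.2.0/24"], ["192.0.2.16/28"]))
    # A protected prefix outside the announcement is flagged.
    print(uncovered(ANNOUNCED, ["192.0.2.10/32", "198.51.100.1/32"]))
```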
Attack packet capture
When you are under attack you can capture packets and download them as .pcap files. This will help you to evaluate your attacks and make your protection layer even better.
Filters (firewall rules)
Filters are like firewall rules: they allow users to adjust their security layer to their IP subnets. They can block or rate limit data traffic like firewall rules. As a result they make a Safe Zone even more personal. Mostly they are used to block specific types of data traffic, and they are the essential tool-set to win the cat-and-mouse game of attacks.
Self learning user baseline
To achieve the best possible protection level and to avoid any false positives, all configuration thresholds should be periodically tuned to match the safe zone traffic. Therefore the user-specific thresholds can automatically be tuned by the “baseline learning mode”. The system will analyze the traffic of the safe zone for a period of time and will adjust the thresholds based on the analysis results.
Note: when a defense is enabled the protection system will only collect statistics on the traffic and will activate the defense mechanism only in case the traffic exceeds the threshold.
Learning Cycle (Days): This value indicates the period of time for each learning cycle. The learning result is applied to the defense policy only after such a learning cycle ends.
Value Is Larger Than the Current Value: The system automatically applies baseline learning results to defense policies once the learning cycle ends if the recommended value is larger than the current value.
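The end-of-cycle rule above, sketched as an added example that is not Serverius code. The page does not say how the recommended value is computed, so the 99th-percentile-times-headroom formula, the function names and the traffic samples are assumptions; only the "apply automatically if larger than the current value" rule comes from the text.

```python
import math

def recommend_threshold(samples_pps, pct=99, headroom=1.5):
    """Recommended threshold from one learning cycle of packet-rate samples.

    Assumption: nearest-rank percentile times a headroom factor. Using a
    percentile instead of the maximum keeps a short attack burst during
    the learning cycle from inflating the baseline.
    """
    if not samples_pps:
        raise ValueError("learning cycle produced no samples")
    ordered = sorted(samples_pps)
    rank = max(1, (pct * len(ordered) + 99) // 100)   # integer ceil(pct*n/100)
    return math.ceil(ordered[rank - 1] * headroom)

def end_of_cycle(current, samples_pps, apply_if_larger=True):
    """Return (new_threshold, action) once the learning cycle has ended."""
    recommended = recommend_threshold(samples_pps)
    if apply_if_larger and recommended > current:
        return recommended, "applied"
    if recommended < current:
        # A lower value is never applied automatically; leave it for review.
        return current, "review"
    return current, "unchanged"

def defense_active(rate_pps, threshold):
    """Below the threshold only statistics are collected."""
    return rate_pps > threshold

# Constructed sample: 200 rate samples between 1000 and 1180 pps,
# with one attack burst recorded during the learning cycle.
SAMPLES = [1000 + (i % 10) * 20 for i in range(200)]
SAMPLES[50] = 500_000

if __name__ == "__main__":
    print(recommend_threshold(SAMPLES))   # the burst does not move the value
    print(end_of_cycle(1500, SAMPLES))    # recommended is larger: applied
    print(end_of_cycle(5000, SAMPLES))    # recommended is smaller: kept
```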
Geographic IP blocking
A location policy can permit, block, or implement traffic limiting for traffic of a country or a region.
Many attacks on the Internet are launched by controlling zombie hosts. These zombie hosts may be concentrated in a specific region. A location policy can block or limit traffic by region, effectively preventing attacks from a specific region. In addition, a location policy can apply the pass action to traffic from a trusted region.
Also, if you want to allow only one or more countries you can block all countries and allow only the countries you prefer.
IP reputation protection
Tracking of the 5 million most active zombies, with an automatic daily update of the IP reputation database to rapidly block attacks; local access IP reputation learning creates a dynamic IP reputation based on local service sessions, to rapidly forward service access traffic and enhance user experience.
Attack signature database
RUDY, slowhttptest, slowloris, LOIC, AnonCannon, RefRef, ApacheKill, and ApacheBench attack signature databases; automatic weekly update of these signature databases
Users have the ability to automate their protection and integrate it into their own client environments. You can see all functionality at api.serverius.net
Built on Serverius’s industry-leading hardware and own-built software architecture. It delivers up to 2,7Tbps+ DDoS attack protection, which is the highest in the European industry.
Use it in-line or out-of-path, and effectively respond to DDoS attacks within milliseconds. It’s a multi-layer defense setup and the fastest in the European industry.
With full traffic collection and per-packet analysis capabilities, the service provides accurate defense against any type of DDoS attack.
Default DDoS attack tools defense
Known DDoS attack tooling will be blocked by default signatures (see the examples in the list below). The Serverius NOC frequently adds new signatures, and users can create their own combinations of settings to protect against any kind of future DDoS attack on their custom-made applications.
- Defense against protocol abuse attacks
Defense against LAND, Fraggle, Smurf, Winnuke, Ping of Death, Teardrop, and TCP Error Flag attacks
- Web application protection
Defense against HTTP GET flood, HTTP POST flood, HTTP slow header, HTTP slow POST, HTTPS flood, WordPress reflection and amplification, RUDY, and LOIC attacks; packet validity check
- Defense against scanning and sniffing attacks
Defense against address sweep and port scan attacks, and attacks using Tracert packets and IP options, such as IP source routing, timestamp, and route record options
- DNS application protection
Defense against DNS Query flood, DNS Reply flood, and DNS cache poisoning attacks; source-based rate limiting
- Defense against network-type attacks
Defense against SYN flood, SYN-ACK flood, ACK flood, FIN flood, RST flood, TCP Fragment flood, UDP flood, UDP Fragment flood, IP flood, ICMP flood, TCP connection flood, SockStress, TCP retransmission, and TCP null connection attacks
- SIP application protection
Defense against SIP flood and SIP Methods flood attacks, including Register flood, De-registration flood, Authentication flood, and Call flood attacks; support for source rate limiting
- Defense against UDP reflection and amplification attacks
Defense against NTP, DNS, SSDP, Chargen, TFTP, SNMP, NetBIOS, QOTD, Quake Network Protocol, PortMapper, Microsoft SQL Resolution Service, RIPv1, and Steam Protocol reflection and amplification attacks
IP, TCP, UDP, ICMP, DNS, SIP, and HTTP packet filters
- Attack signature databases
RUDY, SlowHTTPTest, SlowLoris, LOIC, AnonCannon, RefRef, ApacheKill, ApacheBench; automatic update every week