DDoS protection is not a “one-size-fits-all” product, and when you are under attack you will feel an overwhelming pressure to find an immediate solution. Unfortunately, an ill-suited solution only offers minimal protection at best and at worst keeps you offline until it is removed.
The company Link11 offers two versions of DDoS Protection: Infrastructure Protection and Web Protection. They are designed for different deployments: the former protects your network devices, the latter your web applications.
Both services work by diverting traffic to a scrubbing center, filtering the live traffic through multiple layers of protection (including AI-based filtering), and forwarding only the legitimate traffic back to you. Either service can be configured as “Always On” or “On Demand”, though “Always On” is strongly advised.
Since Infrastructure Protection is for your network, it operates on the first three layers of the OSI model (see Figure 1). As a layer 3 solution, an instance is defined by IP addresses; the benefit is that it provides the same protection irrespective of the protocols used at higher layers. A single instance can therefore protect routers, web servers, mail servers, VPN gateways or any other devices that speak IP.
Redirecting traffic to Infrastructure Protection uses the BGP protocol, which means that each instance can protect a minimum of 254 devices (a /24 announcement). This BGP announcement should be the most specific route for your IP addresses, so that all traffic destined for them is directed to the scrubbing centers. Return traffic takes an asymmetric route, since it does not need to pass back through Link11 for protection (see Figure 2).
Figure 2: Asymmetric Routing
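The requirement that the scrubbing announcement be the most specific route can be checked with plain longest-prefix matching. The following is an added example, not Link11's code; the route table, the 203.0.112.0/22 customer block and the "scrubbing" / "customer_transit" origin labels are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin: str  # who announces it: "scrubbing" or "customer_transit"


def route(prefix: str, origin: str) -> Route:
    return Route(ipaddress.ip_network(prefix), origin)


# Constructed table: the customer's transit announces the whole /22, the
# scrubbing center announces only the protected /24 (the more specific route).
TABLE = [
    route("203.0.112.0/22", "customer_transit"),
    route("203.0.113.0/24", "scrubbing"),
]

# Same table with a stray, even more specific announcement from the customer
# side; this is the misconfiguration that lets traffic bypass scrubbing.
TABLE_WITH_LEAK = TABLE + [route("203.0.113.0/25", "customer_transit")]


def best_route(table, dst: str):
    """Longest-prefix match: the route a BGP router would pick for dst."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def bypass_routes(table, protected: str, scrubbing_origin: str = "scrubbing"):
    """Routes that can steal traffic from the scrubbing announcement.

    Any non-scrubbing route that overlaps the protected prefix and is at
    least as specific as it wins (or ties) longest-prefix matching for some
    addresses, so those addresses are not guaranteed to be scrubbed.
    """
    protected_net = ipaddress.ip_network(protected)
    return [
        r for r in table
        if r.origin != scrubbing_origin
        and r.prefix.overlaps(protected_net)
        and r.prefix.prefixlen >= protected_net.prefixlen
    ]
```

With the leaked /25 present, `best_route(TABLE_WITH_LEAK, "203.0.113.10")` resolves to the customer's transit and the host receives attack traffic directly, while addresses outside the protected /24 are unaffected in both tables.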
Web Protection offers layer 7 protection for a single HTTP(S) application. Each instance of Web Protection is tailored to the application and protects against threats at any layer: DDoS attacks and, with the WAF, application attacks such as SQLi and XSS.
Redirection of traffic to Web Protection is done via DNS. Once the service is provisioned you are given a secure IP (VIP) to use in your application's DNS A record. Incoming traffic is filtered and the legitimate requests are forwarded to your servers. The reply travels from the origin to Link11 and then to the user, who expects it to come from the VIP the request was sent to. This symmetric reply path also prevents an attacker from learning the origin's true IP address.
Threats can similarly be classified with the OSI layer model by referring to the protocol or technology that is targeted. Flood-style attacks such as a UDP flood are referred to as layer 3 attacks (even though UDP is a layer 4 protocol). ICMP is another well-known layer 3 protocol used in DDoS attacks such as the “Ping of Death” and the “Smurf Attack”. Layer 7 threats specifically target application protocols such as HTTP. While flood-style attacks are still seen at layer 7, there are also more subtle attacks, such as Slowloris, that consume server resources with only a minimal increase in traffic.
The key to getting the most out of DDoS Protection is understanding how well the solution fits your environment and which threats you are vulnerable to. Before investigating DDoS protection, first list your critical systems and the protocols you need to protect, or at least the OSI layer at which those systems operate. Next, consider how much downtime you can tolerate on each of those systems. Knowing specifically what level of protection you need on which devices will help you find and select the right DDoS protection for your systems.