DOSarrest's DDoS protection service is the cornerstone of our company. We have been providing DDoS protection to our global customer base since 2007, and many of these customers are still using our service today. Our systems are leading edge, and we have just introduced our latest (April 2014) core platform as well as a new customer portal, which has been in development and testing for the last 2 years. This new platform has capabilities that make our DDoS protection service able to deal with the most sophisticated attacks.
Our DDoS protection service does not have a number of different tiers of service with confusing options and support levels. This is a fully managed DDoS protection service: every customer receives the same protection level and support at the same price, period.
Below you will find detailed information on these attacks and how the XcellHost network protects against them:
Layer 3/4 attacks
Most DDoS attacks target the transport and network layers of a communications system. These layers are represented as layers 3 and 4 of the OSI model. The so-called "transport" layer of the network stack specifies the protocol (e.g., TCP or UDP) by which two hosts on a network communicate with one another. Attacks directed at layers 3 and 4 are designed to flood a network interface with attack traffic in order to overwhelm its resources and deny it the ability to respond to legitimate traffic. More specifically, attacks of this nature aim to saturate the capacity of a network switch, or overwhelm a server's network card or its CPU's ability to handle attack traffic.
With XcellHost, all attack traffic that would otherwise directly hit your server infrastructure is automatically routed to XcellHost's global Anycast network of datacenters. Once attack traffic is shifted, we are able to leverage the significant global capacity of our network, as well as racks-upon-racks of server infrastructure, to absorb the floods of attack traffic at our network edge. This means that XcellHost is able to prevent even a single packet of attack traffic from a traditional layer 3/4 attack from ever reaching a site protected by XcellHost.
DNS amplification attacks
DNS amplification attacks, one form of DRDoS, are on the rise and have become the largest source of Layer 3/4 DDoS attacks. XcellHost routinely mitigates attacks that exceed 100Gbps, and recently protected a customer from an attack that exceeded 300Gbps.
XcellHost's "Anycast" network was specifically designed to stop massive layer 3/4 attacks. By using Anycast, we are able to announce the same IP addresses from each of our 23 worldwide data centers. The network itself load balances requests to the nearest facility. Under normal circumstances this ensures that your site's visitors are automatically routed to the nearest data center on our network for the best performance. When there is an attack, Anycast serves to effectively scatter and dilute attack traffic across our entire network of data centers. Because every data center announces the same IP address for any XcellHost customer, traffic cannot be directed to any one location. Instead of the attack being many-to-one, it becomes many-to-many, with no single point on the network acting as a single point of failure.
One of the first amplification attacks was known as a SMURF attack. In a SMURF attack an attacker sends ICMP requests (i.e., ping requests) to a network's broadcast address (i.e., X.X.X.255) announced from a router configured to relay ICMP to all devices behind the router. The attacker then spoofs the source of the ICMP request to be the IP address of the intended victim. Because ICMP does not include a handshake, the destination has no means of verifying if the source IP is legitimate. The router receives the request and passes it on to all the devices that sit behind it. Each of these devices then responds to the ping. The attacker is able to amplify the attack by a multiple equal to the number of devices behind the router (i.e., if you have 5 devices behind the router then the attacker is able to amplify the attack 5x).
SMURF attacks are largely a thing of the past. For the most part, network operators have configured their routers to disable the relay of ICMP requests sent to a network's broadcast address.
When a TCP connection is established there is a handshake. The server initiating the TCP session first sends a SYN (for synchronize) request to the receiving server. The receiving server responds with an ACK (for acknowledge). After that handshake, data can be exchanged. In an ACK reflection attack, the attacker sends lots of SYN packets to servers with a spoofed source IP address pointing to the intended victim. The servers then respond to the victim's IP with an ACK, creating the attack.
Like DNS reflection attacks, ACK attacks disguise the source of the attack, making it appear to come from legitimate servers. However, unlike a DNS reflection attack, there is no amplification factor: the bandwidth from the ACKs is symmetrical to the bandwidth the attacker has to generate the SYNs. The XcellHost network is configured to drop unmatched ACKs, which mitigates these types of attacks.
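The unmatched-ACK drop described above, sketched as a stateful filter over constructed packet records (an added example, not XcellHost's code or configuration). It tracks handshake flags only, with no sequence numbers, timeouts or teardown; the `Packet` fields, state names and addresses are assumptions, and the reflected reply is modelled as a SYN+ACK segment.

```python
from collections import namedtuple

# direction: "out" = sent by the protected host, "in" = arriving at it.
Packet = namedtuple("Packet", "direction src sport dst dport flags")

def flow_key(p):
    """Normalise both directions to (local ip, local port, remote ip, remote port)."""
    if p.direction == "out":
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)

def filter_inbound(packets):
    """Split inbound packets into (accepted, dropped) using handshake state."""
    state = {}  # flow key -> "syn_sent" | "syn_rcvd" | "established"
    accepted, dropped = [], []
    for p in packets:
        key, flags = flow_key(p), set(p.flags.split("+"))
        if p.direction == "out":
            if flags == {"SYN"}:
                state[key] = "syn_sent"      # we opened this connection
            continue
        if flags == {"SYN"}:
            state[key] = "syn_rcvd"          # a client is opening a connection
            accepted.append(p)
        elif flags == {"SYN", "ACK"} and state.get(key) == "syn_sent":
            state[key] = "established"       # reply to a SYN we really sent
            accepted.append(p)
        elif flags == {"ACK"} and state.get(key) in ("syn_rcvd", "established"):
            state[key] = "established"
            accepted.append(p)
        else:
            dropped.append(p)                # unmatched: no handshake behind it
    return accepted, dropped

HOST = "192.0.2.10"  # constructed addresses from the documentation ranges
SAMPLE = [
    Packet("out", HOST, 40000, "198.51.100.5", 443, "SYN"),
    Packet("in", "198.51.100.5", 443, HOST, 40000, "SYN+ACK"),
    Packet("in", "198.51.100.5", 443, HOST, 40000, "ACK"),
    Packet("in", "203.0.113.7", 80, HOST, 51000, "SYN+ACK"),   # reflected
    Packet("in", "203.0.113.8", 80, HOST, 51001, "SYN+ACK"),   # reflected
    Packet("in", "198.51.100.9", 55000, HOST, 443, "SYN"),
    Packet("in", "198.51.100.9", 55000, HOST, 443, "ACK"),
    Packet("in", "203.0.113.9", 1234, HOST, 443, "ACK"),       # no prior SYN
]

if __name__ == "__main__":
    ok, bad = filter_inbound(SAMPLE)
    print(len(ok), "accepted;", "dropped from", [p.src for p in bad])
```

The reflected replies are dropped because the protected host never sent the SYN they claim to answer, which is the property the spoofed source address cannot fake.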
Layer 7 attacks
A new breed of attacks targets Layer 7 of the OSI model, the "application" layer. These attacks focus on specific characteristics of web applications that create bottlenecks. For example, the so-called Slow Read attack sends packets slowly across multiple connections. Because Apache opens a new thread for each connection, and since connections are maintained as long as there is traffic being sent, an attacker can overwhelm a web server by exhausting its thread pool relatively quickly.
XcellHost has protections in place against many of these attacks, and in real-world experience we generally reduce HTTP attack traffic by 90%. For most attacks, and for most of our customers, this is enough to keep them online. However, the 10% of traffic that does get through traditional protections can still be overwhelming to customers with limited resources or in the face of very large attacks. In this case, XcellHost offers a security setting called "I'm Under Attack" mode (IUAM).
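One way a defender can spot the thread-pool exhaustion pattern of a Slow Read attack, as described in this section, is to count long-lived, low-throughput connections per client. This is an added example over a constructed connection snapshot, not XcellHost's detection logic; the `Conn` fields, thresholds and pool size are assumptions.

```python
from collections import defaultdict, namedtuple

# Constructed snapshot: seconds a connection has been open and the
# response bytes the client has read so far.
Conn = namedtuple("Conn", "client age_s bytes_read")

MIN_AGE_S = 30           # assumed: ignore connections younger than this
MIN_RATE_BPS = 500       # assumed: below this read rate a connection is "slow"
MAX_SLOW_PER_CLIENT = 3  # assumed per-client allowance of slow connections

def slow_clients(conns, pool_size):
    """Return ({client: slow connection count}, share of worker pool they hold)."""
    slow = defaultdict(int)
    for c in conns:
        # Young connections are skipped so normal page loads are not counted.
        if c.age_s >= MIN_AGE_S and c.bytes_read / c.age_s < MIN_RATE_BPS:
            slow[c.client] += 1
    flagged = {ip: n for ip, n in slow.items() if n > MAX_SLOW_PER_CLIENT}
    share = sum(flagged.values()) / pool_size
    return flagged, share

# Constructed sample: one client trickles five responses, others behave normally.
SAMPLE_CONNS = (
    [Conn("203.0.113.20", 120, 2000)] * 5      # about 16 B/s each, held open
    + [Conn("198.51.100.30", 60, 3_000_000)]   # fast download
    + [Conn("198.51.100.31", 90, 9000)]        # slow, but a single connection
    + [Conn("198.51.100.32", 5, 100)]          # too young to judge
)

if __name__ == "__main__":
    flagged, share = slow_clients(SAMPLE_CONNS, pool_size=10)
    print(flagged, f"hold {share:.0%} of the worker pool")
```

Flagged clients are candidates for per-client connection limits or shorter send timeouts at the proxy in front of the thread-per-connection server.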
Making DoS a thing of the past
As technology advances, DoS attacks will only increase in complexity and magnitude. Traditional on-premise DoS solutions simply cannot adapt to the wide range of new attack vectors, and are rendered completely ineffective for attacks that exceed an organization's network capacity.
The XcellHost network is designed to mitigate and keep pace with the changing threat landscape. XcellHost, as an operator of one of the largest global networks on the Internet, is able to leverage its aggregate network capacity across 24 points of presence, and is able to learn from attacks against any individual customer to protect all customers on our network.