Our DDoS protection services are provided by combahton IT Services, a specialist in high-quality advanced DDoS protection services.
The current filter capacity is 800 Gbit and is achieved by combining several filter solutions. Combahton uses the pre-filtering of its network carriers as well as its own custom DDoS filters, which are continuously optimized and developed further. A large DDoS attack, for example, is already limited at the entry points of their carriers and reaches their uplinks with only a few Mbit.
In the past, Combahton has been able to filter out several voluminous attacks without any problems using their strategic setup. One of them was a DNS reflection attack which targeted a server over 16 hours with approximately 40 Gbit/s as well as some extremely voluminous TCP and UDP floods which reached peaks of around 20 Mpps.
Functionality
This is how the DDoS protection works, in order.
- Measurement and recording of network traffic via sampled flow
- Recognition of an attack based on certain patterns/thresholds
- Activation of DDoS filters via BGP Announcement within 2-3 seconds
- The NOC permanently monitors the protection infrastructure; if a filter is bypassed, alerts based on threshold values and anomalies put the on-call staff on standby
Filter Mechanisms
- Pre-filtering through upstreams
- Pre-filtering by combahton's edge-router
- Granular filtering through DDoS filters based on flowShield
- User Validation Filtering for HTTP layer 7 attacks through a redundant reverse proxy cluster
Protocol Specific Filtering
Currently, the following protocols are protected against Layer 7 attacks based on a user/bot behaviour pattern analysis:
- SAMP server
- Teamspeak3 Server
- Source engine server
- Various other game servers
- HTTP(s) layer 7 mitigation
HTTP Layer 7 Filtering
Combahton's sophisticated layer 7 filters support up to 2 million HTTP(S) requests per second and are powered by their redundant reverse proxy cluster with 40Gbit/s capacity.
Technical Details
- ICMP / IGMP (including PING) is discarded
- UDP source ports 19, 69, 111, 123, 137, 161, 389, 520, 1434, 1900, 9987 and 11211 are rate-limited (10 Mbit)
- Fragmented TCP / UDP packets (larger than 1500 bytes) are discarded
- UDP destination port 9000 to 9999 is strictly filtered against TeamSpeak 3 packets
- UDP destination port 27000 to 29000 is strictly filtered against Source Engine packets
- UDP destination port 53 is strictly filtered against DNS packets and forces TCP truncation
- The route when running a traceroute or MTR ends at edge1.ffmX.combahton.net
- With HTTP Layer7 Mitigation enabled, all TCP traffic on ports 80 and 443 is routed through a reverse proxy
- All traffic other than TCP / UDP is blocked
All further traffic (TCP / UDP) is strictly validated:
- TCP connections are only possible if a TCP SYN or SYN-ACK packet has been sent and accepted beforehand; the filters act as a kind of asynchronous stateful firewall for server applications. Establishing a first connection (SYN or SYN-ACK) may take much longer or fail on the first attempt, so websites may load a bit slower
- UDP connections are only possible if they originate from a "valid client"; spoofing is prevented by an intelligent adjustment of all connection parameters
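The rules listed above, modelled as a small inbound filter over constructed packet descriptors. This is an added illustration, not combahton's code: the per-port, per-second budget for the rate limit, the SYN-bit check and the packet layout are assumptions, and the port-range and DNS rules are not modelled.

```python
from collections import defaultdict

# Rules taken from the "Technical Details" list above.
LIMITED_UDP_SRC_PORTS = {19, 69, 111, 123, 137, 161, 389, 520, 1434, 1900, 9987, 11211}
RATE_LIMIT_BYTES_PER_SEC = 10_000_000 // 8   # "limited (10 Mbit)"; assumed per source port, per second
MAX_UNFRAGMENTED_BYTES = 1500                # larger packets are treated as fragments and dropped
SYN = 0x02                                   # TCP SYN flag bit

def packet(proto, src, dst, sport, dport, length, ts=0, flags=0):
    """Constructed packet descriptor (sample input, not captured traffic)."""
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport,
                length=length, ts=ts, flags=flags)

class EdgeFilter:
    """Toy model of the inbound filter decisions for one protected link."""
    def __init__(self):
        self.open_flows = set()             # flows that have passed a SYN or SYN-ACK
        self.port_bytes = defaultdict(int)  # bytes admitted per (UDP source port, second)

    def decide(self, pkt):
        if pkt["proto"] not in ("tcp", "udp"):
            return "drop"                   # ICMP, IGMP and every other protocol is blocked
        if pkt["length"] > MAX_UNFRAGMENTED_BYTES:
            return "drop"                   # fragmented TCP / UDP is discarded
        if pkt["proto"] == "udp":
            if pkt["sport"] in LIMITED_UDP_SRC_PORTS:   # typical reflection source ports
                bucket = (pkt["sport"], int(pkt["ts"]))
                if self.port_bytes[bucket] + pkt["length"] > RATE_LIMIT_BYTES_PER_SEC:
                    return "drop"
                self.port_bytes[bucket] += pkt["length"]
            return "accept"
        # TCP: the "asynchronous stateful" check. Only inbound packets are seen, so the
        # flow key ignores direction; a SYN (client connecting in) or a SYN-ACK (reply to
        # the server's own outbound SYN) opens the flow, later segments need an open flow.
        flow = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        if pkt["flags"] & SYN:
            self.open_flows.add(flow)
            return "accept"
        return "accept" if flow in self.open_flows else "drop"
```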