How does our DDoS protection work?

Our DDoS protection services are provided by combahton IT Services, a specialist in high-quality advanced DDoS protection services.

The current filter capacity is 800 Gbit and is achieved through several filter solutions. Combahton uses the pre-filtering of its network carriers as well as its own custom DDoS filters, which are subject to continuous optimization and further development. A large DDoS attack, for example, is already limited at the entry points of their carriers and reaches their uplinks at only a few Mbit.

In the past, Combahton has been able to filter out several high-volume attacks without any problems using their strategic setup. These included a DNS reflection attack that targeted a server over 16 hours at approximately 40 Gbit/s, as well as some extremely high-volume TCP and UDP floods that reached peaks of around 20 Mpps.

Functionality

This is how the DDoS protection works, in order.

  1. Measurement and recording of network traffic via sampled flow
  2. Recognition of an attack based on certain patterns/thresholds
  3. Activation of DDoS filters via BGP Announcement within 2-3 seconds
  4. The NOC permanently monitors the protection infrastructure and alerts the on-call staff if a filter is bypassed, based on threshold values and anomalies

Filter Mechanisms

  • Pre-filtering through upstreams
  • Pre-filtering by combahton's edge-router
  • Granular filtering through DDoS filters based on flowShield
  • User Validation Filtering for HTTP layer 7 attacks through a redundant reverse proxy cluster

Protocol Specific Filtering

Currently, the following protocols are protected against Layer7 attacks based on a user/bot behaviour pattern analysis:

  • SAMP server
  • Teamspeak3 Server
  • Source engine server
  • Various other game servers
  • HTTP(s) layer 7 mitigation

HTTP Layer 7 Filtering

Combahton's sophisticated layer 7 filters support up to 2 million HTTP(S) requests per second and are powered by their redundant reverse proxy cluster with 40 Gbit/s capacity.

Technical Details

  • ICMP / IGMP (including PING) is discarded
  • UDP source ports 19, 69, 111, 123, 137, 161, 389, 520, 1434, 1900, 9987 and 11211 are limited (10 Mbit)
  • Fragmented TCP / UDP packets (packets larger than 1500 bytes) are discarded
  • UDP destination port 9000 to 9999 is strictly filtered against TeamSpeak 3 packets
  • UDP destination port 27000 to 29000 is strictly filtered against Source Engine packets
  • UDP destination port 53 is strictly filtered against DNS packets and forces TCP truncation
  • The route when running a traceroute or MTR ends at edge1.ffmX.combahton.net
  • With HTTP Layer7 Mitigation enabled, all TCP traffic on ports 80 and 443 is routed through a reverse proxy
  • All traffic (except TCP / UDP) is blocked

All further traffic (TCP / UDP) is strictly validated:

  • TCP connections are only possible if a TCP SYN or SYN-ACK packet has been sent and accepted before; the filters act as a kind of asynchronous stateful firewall for server applications. Establishing a first connection (SYN or SYN-ACK) may take much longer or be interrupted the first time, so websites may load a bit slower
  • UDP connections are only possible if they are carried out by a "valid client"; spoofing is prevented by an intelligent adjustment of all connection parameters
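
Steps 1 and 2 under Functionality, sketched as an added example (not combahton's code): sampled flow records are scaled by the sampling rate into per-destination packet and bit rates and compared to thresholds, and a flood dominated by one of the rate-limited UDP source ports listed under Technical Details is labelled as reflection. The sampling rate, window, thresholds, 80% dominance cut-off and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# UDP source ports the page lists as rate-limited (common reflection services).
REFLECTION_PORTS = {19, 69, 111, 123, 137, 161, 389, 520, 1434, 1900, 9987, 11211}

# Assumptions, not values from the page.
SAMPLING_RATE = 1000          # 1 of every 1000 packets is exported as a sample
WINDOW_SECONDS = 10           # length of one measurement window
PPS_THRESHOLD = 100_000       # estimated packets per second per destination
BPS_THRESHOLD = 500_000_000   # estimated bits per second per destination
DOMINANCE = 0.8               # share of samples from one source port

def detect(samples, rate=SAMPLING_RATE, window=WINDOW_SECONDS):
    """samples: (dst_ip, proto, src_port, packet_bytes) tuples seen in one window.
    Returns {dst_ip: {"pps", "bps", "kind"}} for destinations over a threshold."""
    pkts, octets = defaultdict(int), defaultdict(int)
    by_port = defaultdict(lambda: defaultdict(int))
    for dst, proto, sport, size in samples:
        pkts[dst] += 1
        octets[dst] += size
        by_port[dst][(proto, sport)] += 1
    alerts = {}
    for dst, n in pkts.items():
        # Each sample stands for `rate` real packets; scale up to estimated rates.
        pps = n * rate / window
        bps = octets[dst] * 8 * rate / window
        if pps < PPS_THRESHOLD and bps < BPS_THRESHOLD:
            continue
        (proto, sport), hits = max(by_port[dst].items(), key=lambda kv: kv[1])
        if proto == "udp" and sport in REFLECTION_PORTS and hits / n >= DOMINANCE:
            kind = f"udp-reflection-sport-{sport}"
        else:
            kind = "volumetric"
        alerts[dst] = {"pps": pps, "bps": bps, "kind": kind}
    return alerts  # in the page's sequence, an alert precedes filter activation (step 3)

def constructed_window():
    """Constructed sample window using documentation address ranges."""
    ntp = [("192.0.2.10", "udp", 123, 468)] * 2000           # reflection-like
    web = [("192.0.2.10", "tcp", 443, 1000)] * 100           # legitimate mix-in
    quiet = [("192.0.2.20", "tcp", 443, 1400)] * 50          # below thresholds
    syn = [("198.51.100.5", "tcp", 1024 + i, 60) for i in range(1500)]
    return ntp + web + quiet + syn

if __name__ == "__main__":
    for dst, info in detect(constructed_window()).items():
        print(dst, info)
```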
