Inter.link offers a multi-tiered DDoS Protection service integrated directly into our sustainable IP Transit network. Scrubbing centres are distributed across the network to ensure traffic is cleaned as efficiently as possible.
However, this dedication to protected transit doesn’t just start with our multi-tiered DDoS Protection service.
Unlike other connectivity providers, we also include complimentary ‘best effort’ DDoS Protection for every customer with our IP Transit or IP Access services. This article explains what complimentary protection involves and why this approach is different from typical providers.
How do typical connectivity providers react to DDoS Attacks?
When customers experience a DDoS attack, a typical response from connectivity providers is to shut them down in the first few minutes of the attack. This is called blackholing and involves routing all traffic destined for the attacked IP address to null, creating a blackhole for that IP address.
Being shut down so quickly is not desirable for customers that want to stay online even while they are under attack, especially if, for example, they have their own DDoS Protection.
This presents a challenge for customers, particularly game server and hosting companies, that are looking for a provider that helps them to stay online and gives them the ability to defend themselves until it is deemed impossible because the attack is too big.
Are Customers Always Shut Down?
Some providers might shut down a customer if they see 10G of DDoS traffic or some might shut them down if they see 500G of traffic.
There are even some providers that claim to never shut down customers, but this is not realistic because it cannot be guaranteed. There have even been examples of well-renowned DDoS protection providers shutting down customers, because it’s not just about bandwidth: it’s also an equation in which cost, revenue, and the protection of other customers are considered too.
How does Inter.link’s complimentary protection work?
With Inter.link’s ‘best effort’ complimentary DDoS Protection, we have implemented different measures that help the customer to stay online for as long as possible.
This gives customers a greater chance for their business to remain active online even when experiencing an attack, even when they haven’t bought the guaranteed DDoS Protection service.
Best Practice Filters
The first measure of protection Inter.link has in place is called best practice filters.
There are a number of vectors on the Internet that have been there for years and are well known to be used for DDoS attacks. Inter.link can mitigate those vectors even before an attack starts.
One example is memcached, a Linux daemon that is very well known for being used for amplification DDoS attacks. This is not a challenge to mitigate because almost nobody uses that type of traffic pattern for real traffic.
Rate Limiting IP Addresses
In case the attack is still coming through, another measure we utilise is rate limiting. Rate limiting is different from scrubbing. Scrubbing is when the traffic is actively cleaned, making sure the customer is only left with safe traffic, so they are protected.
Rate limiting means that Inter.link looks at the patterns of the attack and limits the amount of traffic from either source or destination IP addresses.
Block all traffic from source ports
The next possibility, if the number of attacking IP addresses is large, is to check whether all the attack traffic is coming from the same source port.
An address on the Internet is like a street plus a house number: the IP address is the street and the port is the house number. So we could check whether it is feasible to block all traffic from source port X toward the customer. This could help protect the customer from an attack.
Rate limiting the destination ports
If blocking traffic from the source port doesn’t help, the next step would be blocking or rate limiting only the destination port.
For example, a customer runs a web shop on TCP port 80, and the attack traffic (UDP traffic, port 0) is reaching the customer and overwhelming the servers. The attack is hitting the wrong thing, so limiting this traffic would not harm the customer.
If rate limiting the destination port still doesn’t help, and the customer is attacked on a port that is serving their actual business or web shop, we could even decide to rate limit this traffic. That would possibly impact the web shop, but it would still keep the email servers, other infrastructure, and everything else live.
Rate limiting is similar to when you bring your car to a car wash. There’s a blower at the end and when you drive out, it looks like it will hit the car but it slowly moves upward. This is the principle of rate limiting where we try to limit and close the shield as much as we can to reduce the volume of attack traffic reaching the customer.
How long we can do this depends on the attack and the customer. This is not a guarantee: if the one thing being attacked is, for example, a web shop on TCP 80, and that web shop is the only thing the customer runs, then the only thing we can do is shut it down, and the customer is offline.
This is the limitation of Inter.link’s complimentary protection. At that point, only our paid DDoS mitigation is the solution, because it is able to clean traffic efficiently and thoroughly.
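The escalation ladder described above, from best practice filters down to the final shutdown, can be written as a small decision function. This is an added illustration, not Inter.link's own code: the flow record fields, the thresholds and the function names are assumptions, and UDP 11211 is memcached's default port.

```python
from collections import Counter

# Assumed values for illustration only; the article gives no thresholds.
BEST_PRACTICE_SRC = {("udp", 11211)}  # memcached default port, pre-filtered vector
DOMINANT = 0.8       # byte share treated as "all attacks from the same source port"
MANY_SOURCES = 100   # cut-off for "a large number of attacking IP addresses"

def top_share(flows, key):
    """Return (value, share_of_bytes) for the heaviest value of key(flow)."""
    totals = Counter()
    for f in flows:
        totals[key(f)] += f["bytes"]
    value, heaviest = totals.most_common(1)[0]
    return value, heaviest / sum(totals.values())

def choose_mitigation(flows, service_ports):
    """Pick the least disruptive measure for attack flows toward one customer IP.
    service_ports is the set of (proto, dst_port) pairs the customer really serves."""
    # 1. Best practice filters already drop well-known amplification vectors.
    remaining = [f for f in flows if (f["proto"], f["sport"]) not in BEST_PRACTICE_SRC]
    if not remaining:
        return ("best_practice_filter", None)
    # 2. Few attackers: rate limit by source IP address.
    sources = {f["src"] for f in remaining}
    if len(sources) < MANY_SOURCES:
        return ("rate_limit_source_ips", sorted(sources))
    # 3. Many attackers sharing one source port: block that source port.
    (proto, sport), share = top_share(remaining, lambda f: (f["proto"], f["sport"]))
    if share >= DOMINANT:
        return ("block_source_port", (proto, sport))
    # 4. Heaviest destination port is not a real service: limiting it is harmless.
    (proto, dport), _ = top_share(remaining, lambda f: (f["proto"], f["dport"]))
    if (proto, dport) not in service_ports:
        return ("rate_limit_dst_port", (proto, dport))
    # 5. A real service is hit: limit it if other services are worth keeping alive.
    if service_ports - {(proto, dport)}:
        return ("rate_limit_service_port", (proto, dport))
    # 6. The only service is the target: nothing left but the blackhole.
    return ("blackhole", None)

def sample(n, proto, sport, dport):
    """Constructed attack flows from n documentation-range sources (not real data)."""
    return [{"src": f"198.51.100.{i}", "proto": proto, "bytes": 1000,
             "sport": sport if sport is not None else 1024 + i, "dport": dport}
            for i in range(n)]

if __name__ == "__main__":
    shop = {("tcp", 80)}
    print(choose_mitigation(sample(200, "udp", None, 0), shop))   # wrong-port flood
    print(choose_mitigation(sample(200, "tcp", None, 80), shop))  # only service hit
```

The last case is the limitation described above: when the attacked port is the customer's only service, every step short of shutting down has been exhausted.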
In Conclusion
These measures are how Inter.link helps customers to stay online as long as possible.
This complimentary protection is not a replacement for Inter.link’s paid DDoS protection service but it helps customers to stay online longer, thereby having less of a chance to lose business.
Customers also have more time to react because the attackers evolve.
You often see attacks where for the first 10 minutes, the attackers attack one thing, then they figure out it doesn’t work so they change and attack something else.
What about requesting help when an attack is already happening?
In addition, if a customer is experiencing an attack and they haven’t purchased Inter.link’s DDoS Protection yet, they can open a ticket with us in the middle of the night to request extra support. We would help this customer but there would be a charge.
If a customer wants guaranteed protection, they need to have booked DDoS Protection in the Inter.link portal. They can even book this and activate it when an attack is happening – only an active IP service is required for immediate protection.
However, it is important to note that our DDoS Protection is most effective when it has had the time to become familiar with a customer’s normal traffic first (learning phase).