A Telxius White Paper Understand & protect How to defend against the threat of DDoS attacks 01. Executive Summary
Denial of service attacks have become one of the primary cybersecurity threats facing enterprises, making DDoS protection an essential part of a cybersecurity strategy ¹
In the last decade, Distributed Denial According to the Arbor Infrastructure This white paper will outline the of Service (DDoS) attacks have become Security Report 2014, the DDoS consequences for your business of an increasingly sophisticated and landscape has evolved as a result of a not preventing DDoS attacks. Grave dangerous threat on the Internet that combination of factors: consequences such as declines in most companies face on a daily basis. productivity, damage to brand and According to research by Ponemon • An increase in the number of attacks reputation, and lost revenue. Institute, on average DDoS attacks cost and wider use of ‘quick hit’ techniques companies $1.5 million annually.2 which involve short, high-intensity In addition, it aims to provide in-depth attacks. insights into the way in which DDoS According to the Davos World Economic attacks are being carried out and how Forum, all organizations should assume • Greater use of hosting and cloud to protect your organisation – and your they have been hacked, or at least facilities as launch points for DDoS customers – against them. Crucially, it agree that it is not a question of ‘if’ attacks in order to circumvent will help assess what an effective DDoS they will be targeted for an attack, but detection and increase attack solution could mean for your business. ‘when’. capacity.
Given the rapid and extraordinary • Higher frequency of application changes that have taken place in the layer DDoS attacks both as a stand- DDoS landscape, companies now alone technique and combined with need to implement security measures volumetric attack methods. that not only protect their clients’ infrastructure but also their own network.
1 Source: http://www.stateoftheinternet.com/security-cybersecurity-ddos-protection-ddos-mitigation.html 2 Source: The Cost of Denial of Service Attacks, Ponemon Institute, March 2015.
This document is the property of Telxius. Any reproduction, distribution or public communication without the express written consent of Telxius is forbidden.
Understand & protect. A Telxius White Paper 3 02. DDoS attacks – what are they?
“The increasingly complex nature of DDoS attacks is making effective detection and mitigation involve more than just deploying an appliance or service. Many organizations that do not have the ability to dedicate resources and skills to monitor and manage their DDoS risk exposure on a daily basis and are seeking increased context and value-added services from their providers for DDoS mitigation.”
Source: Gartner Competitive Landscape: DDoS Mitigation Solutions 28 October 2014 G00261259 Gartner Analyst(s): Sid Deshpande, Principal Research Analyst | Eric Ahlm, Research Director
Distributed Denial of Service (DDoS) 2.1 Understanding attacks DDoS attacks are often launched 2.2 DDoS attack profiles • Simple network attacks: • NTP attacks: NTP is a networking attacks are among the most common against victims by using a network of protocol for clock synchronisation DDoS attacks attempt to saturate your DDoS attack types have moved up the - SYN floods: exploit the threeway threats on the Internet. These attacks zombie machines or botnet. between computer systems. By Internet links to make your service OSI network model over time, climbing handshake of the TCP setup – are generated internationally and sending a long reply to a short unavailable. By overwhelming the from network to session, right up to consuming enough server resources their main task is to saturate network It is important to understand that for malicious request, the attacker is network with a high volume of traffic today’s application layer attacks. So to make the system unresponsive to bandwidth to make the network attacks intended to consume available able to overwhelm a victim’s system or opening a huge number of sessions what do they look like? legitimate traffic. unavailable to its intended users and bandwidth, the only effective strategy with UDP traffic. As the response is that the network’s resources are unable prevent a service being provided. is to mitigate the attack as close as legitimate data coming from valid to bear, performance is reduced to an • Volumetric: consumes high - UDP & ICMP floods: these are easy possible to the source in order to servers, it is especially difficult to unusable level. bandwidth. The flood of incoming for attackers to generate since the Whereas in the past most attacks prevent your Internet links becoming detect. messages (high volume of data) to the UDP protocol doesn’t validate source were random, today’s are more Fundamentally, there are two types saturated. target system forces it to shut down IP addresses, making them easy systematic and often focus on a single of attacks. The first takes place at the • Application attacks: or slow service performance, thereby to forge. They flood random ports organisation. An attacker’s motivation application layer (Layer 7) and the Furthermore, if an attack successfully denying service to legitimate users. on a remote host with numerous - Slowloris attacks: slowly deliver can range from ‘hacktivisim’ and second at the network layer (Layer 3): consumes a huge bandwidth and then UDP packets, causing the host to request headers forcing the extortion, to competitive sabotage or saturates the network’s international • Application layer: consumes low repeatedly check for the application webserver to keep connections open even simple vandalism. Whatever the • Application layer: attacks are trunk links, all your customers could bandwidth. Especially complex listening at that port, and when without completing the requests. reason behind them, DDoS attacks are especially worrisome for SaaS be harmed too. Consequently, the and difficult to detect, such attacks no application is found reply with This eventually overflows the a global issue and no organisation can application providers. These attacks impact can go well beyond negative overwhelm specific elements of an an ICMP Destination Unreachable maximum concurrent connection afford to ignore them. mimic legitimate user traffic to bypass economic impact, leading to customer application server infrastructure. packet. This process saps host pool and leads to denial of additional barebone anti-DDoS solutions and dissatisfaction and damaged brand resources and can ultimately lead connections from legitimate clients. crash the web server. reputation. 2.3 Common DDoS Attacks to inaccessibility. Amplifying ICMP Echo Reply (pings) floods are also - SSL attacks: by establishing • Network layer: attacks bring down Currently, there are a wide variety of common. They overwhelm the target numerous SSL sessions a website or SaaS application by attacks intended to overwhelm a target resource with ICMP Echo Request simultaneously, the application overwhelming network and server and make it inaccessible. Some of the packets, generally sending pa ckets becomes unavailable because the resources, causing downtime and most frequent attacks are: as fast as possible without waiting system is engrossed with processing blocking responses to legitimate for replies. the previous requests. traffic. • TCP State-Exhaustion attacks: These attempt to consume the • DNS attacks: DNS has become a connection state tables that are favourite target for DDoS flooding presented in many infrastructure attacks. Instead of taking down any components, such as load balancers web server by exhausting a DNS or firewalls. server, users simply cannot find their required website.
4 Understand & protect. A Telxius White Paper 5 03. Why is an anti-DDoS solution important?
The volume, magnitude, type and The number of companies attacked Given the growing number and scale • Attacks against banks can interrupt DDoS attacks also continue to increase complexity of DDoS attacks against is increasing all the time and all of DDoS attacks, planning for their their online services preventing in complexity and have reached organisations have increased industry sectors are vulnerable to detection and mitigation is critical. customer and partner access to magnitudes of up to 300 Gbps. substantially over time. Traditional DDoS, especially organisations whose real-time resources or transaction Furthermore, DDoS attackers are not security strategies such as firewalls, business depends on the Internet. The Many enterprises think it is unlikely processing. only targeting the network layer (layer intrusion prevention systems (IPS) or Arbor Infrastructure Security Report their organisation will be attacked. 3) but also the application layer (layer web application firewalls (WAF) which 2014 identified a number of key trends, However, in the 2015 PAC report, • For online gambling companies, an 7) where detection is far more difficult. only defend the perimeter of corporate including: Incident Response Management, outage of their services can lead communications, are no longer 67% of firms reported having had to furious clients, complaints and Clearly enterprises are at a higher sufficient to protect an organisation’s • Shorter attack duration – almost 90% a cyber-breach in the last year, and lost revenues as well as brand and risk of financial loss and reputational network. That’s why it is no longer of attacks last less than an hour. 100% reported a breach at some reputational damage due to the damage than ever before. Network adequate to attempt to protect against time in the past*. This has occurred negative customer experience. security is now critical to their survival these threats from an internal position. • Significant increase in the bandwidth across companies from many industry with DDoS Shield services offering the Today, an organisation requires an consumed by DDoS attacks sectors (financial services enterprises, • The consequences for ISPs (Internet full protection and mitigation capacity alliance with an ICT expert who can – approximately 20% of attacks e-commerce companies, government Service Providers) from a DDoS necessary for corporate peace of mind. provide their business with robust detected are higher than 10 Gbps. institutions, data centres, telcos, attack cannot be overstated. For protection against any kind of attack. healthcare, retail companies, etc.) example, if an attack targets their • Bigger packet-per-second attack as they are all vulnerable to denial DNS infrastructure customers will not volume – in the last year there has of service attacks, especially if their be able to reach a website or send been a 389% increase in average business relies on online operations. an email. And when these business- attack bandwidth. critical applications are not available, The cost of downtime depends on operations and productivity simply • Increase in the number of attacks several factors, such as the type cease. – up by 22%. of organisation, sector, number of people impacted, etc. What’s more, * Source: Duncan Brown PAC Online – Incident Response Management, the financial cost and impact on the June 2015. How European Enterprises are Planning business is staggering: to Prepare for a Cyber Security Breach.
Mitigation by volume Mitigation time Attack Attack Application & Demand for Attack Mobile durations frequency infrastructure DDoS detection sizes network 0% 1% per month attacks and mitigation services 8% 5% 15% <5 Gbps 1-6 hrs In 2014, short and The number Infrastructure-layer Service providers The size of Mobile devices sharp attacks of attacks attacks continue are are seeing DDoS attacks began participating 5-10 Gbps 15-60 mins appeared to be experienced per to dominate increased demand has increased in DDoS attacks. 50% 55% 39% more common, month continues DDoS attacks but for DDoS detection dramatically. 10-20 Gbps <15 mins with 90 percent of to increase year by application-layer and mitigation In 2014, attacks >=20 Gbps >12 hrs attacks lasting less year. attacks have services. volume reached up 27% than one hour. become increasingly to 300 Gbps. 6-12 hrs common in recent years.
* Based on Arbor infrastructure security report (2014)
6 Understand & protect. A Telxius White Paper 7 04. Towards a new world of protection
Because DDoS attacks are among the 4.1 Why traditional tactics Initially, when attacks were simple they An IPS looks for attack patterns inside Defending against the current DDoS 4.3 Overview of anti-DDoS most difficult to defend against, it is are not sufficient may have offered some protection. connections as it inspects contents. It attacks that threaten a business’s solutions essential to prepare a robust plan of Unfortunately, the attacks are now far has a database of known vulnerabilities online availability requires a action to ensure an immediate and Traditional security tactics are too large and complex to rely on this and compares the traffic with these purposebuilt architecture that includes Some of the most popular DDoS appropriate response. This poses a based on perimeter protection of the approach. vulnerabilities. IPS performance largely the ability to specifically detect and responses, such as router filtering, huge challenge for all organisations. customer network. Devices such as depends on the number of signatures it defeat increasingly sophisticated, black hole routing, local DDoS Intrusion Prevention Systems (IPS) or A firewall implements an access control can manage. complex and deceptive incursions. This mitigation and over-provisioning of Many enterprises rely on specific firewalls, are essential elements of policy between two or more security approach relies as much onpreparation bandwidth, are not optimised to deal DDoS protection mechanisms that are most security strategies, but they are domains and inspects the traffic flow An IPS is characterised by heuristic and response as it does on security with increasingly sophisticated modern not sufficient to stop complex, high simply not designed to stop modern through each of them. It controls both behaviour: it learns from the past at the intelligence, which informs strategy. attacks. capacity attacks before they reach the DDoS attacks: incoming and outgoing network traffic expense of consuming large amounts corporate network. and can allow certain packets to pass of resources. This explains why an IPS is 4.3.1 Over-provisioning • They cannot stop attacks that are too 4.2 Challenges of the ‘new through or disable access for them. vulnerable to DDoS attacks that require world’ of protection of bandwidth The problem is that some organisations large or complex. However, a firewall cannot evaluate the complex analysis and, as a result, run The proliferation of DDoS attacks This approach is commercially are unaware of the scope and contents of ‘legitimate’ packets and out of memory session table or CPU, prohibitive as a DDoS prevention limitations of protection solutions or • Attackers easily overrun perimeter can unknowingly let some attacks pass etc. requires a new approach that provides devices by hitting it with more complete DDoS protection to ensure strategy and does not provide an indeed the full scale and complexity through onto the Web server. efficient measurement, due to the of the current attacks. Hence they traffic than the upstream Internet Examples of typical attacks affecting business continuity. connection or more traffic than the continuous increase in volume of unwittingly run the risk of choosing the Moreover, since firewalls are stateful, IPS include slowloris, teardrop and device can handle. attacks. With current attacks capable wrong technology for DDoS protection. they are also vulnerable to DDoS tcp0window. In order to meet the demands of the ‘new world’ protection, a good DDoS of carrying up to 300 Gbps, even the attacks and often become the targets best provisioned network can be • HTTPS attacks will not be detected or themselves. Examples of typical protection solution should: mitigated. 4.1.3 Web Application Firewall overwhelmed. Furthermore, over- attacks affecting firewalls include syn (WAF) provisioning can address attacks at flood, rst flood and fin flood. • Be delivered by an operator with • They have high CPU load, low A WAF controls the traffic that is strong skills in DDoS detection and network-level, but not at application- throughput and performance. delivered to a web server in order to mitigation. level. 4.1.2 Intrusion Detection protect it against security threats. It follows that traditional network Systems (IDS) and • Have strong network bandwidth From an ISP (Internet Service Provider) security solutions such as firewalls, Intrusion Prevention The mechanisms used by WAF capabilities to be able to receive perspective, the over-provisioning of IPS and WAF are insufficient to handle Systems (IPS) devices affect memory and CPU. As a huge amount of traffic without bandwidth should be carried out with the latest DDoS threats. Indeed they a result, the number of servers that causing network congestion. every interconnection point, i.e. with An IDS monitors events in an IT other ISP and peering connectivity, may actually exacerbate the problem system – complementing the first can be protected is usually rather by becoming bottlenecks during small and only for at-risk URLs. The • Provide high mitigation capacity. either nationally or internationally. line of defence (behind firewalls). It In order to be effective, the the attacks. offers some excellent attackdetection noncompromised URLs that are not protected subsequently become a • Not add unnecessary latency to the overprovisioning should be completed capabilities, but cannot mitigate as part of a purpose-built architecture 4.1.1 Firewalls target for DDoS attacks. networks that it protects. the impact of the attacks and is not against DDoS attacks, whose associated A common belief is that deploying a designed to withstand high-volume WAF devices are unable to detect floods • Ensure a quick response time. costs may be excessive when taken into strong enough firewall will protect an attacks. of legitimate requests because they consideration along with the trunk links. organisation against DDoS attacks. Not do not consider them to be malicious • Protect all points of vulnerability – so. The firewall alone is insufficient. An IPS identifies malicious activity From the point of view of a corporate and attempt to block it. However, it is traffic. Hence such attacks easily mitigating volumetric and application exhaust the connection table. attacks as well as ISP neutrality. customer, this solution would drive Firewalls offer a primary level of not designed to stop the latest types up the cost of the Internet connection protection and are one of many options of attacks. Similar to a firewall, an Examples of typical attacks affecting • Possess built-in, cost-efficient and yet still not guarantee against in a comprehensive toolkit when IPS is stateful and vulnerable to DDoS application layer or very high volume WAF include LOIC, Slowloris, RUDY scalability and flexibility. implementing an IT security policy. attacks. attacks. and tcp syn. However, they were never intended to protect against DDoS attacks.
8 Understand & protect. A Telxius White Paper 9 4.3.2 Router filtering ISPs should take into account that • Specialist team: Mitigating DDoS • Higher latency: Although the • Clean traffic delivery: The cleaning means the customer’s router must the dimensioning of their national attacks requires a large number of traffic is only diverted under attack, of malicious traffic is carried out by support GRE tunnels for delivering Many security teams use access control interconnections is subject to peering activities that are best managed by the solution diverts more traffic BGP diverting, while the clean traffic the clean traffic. The client must also lists (ACLs) to filter out undesirable traffic agreements. So, despite having local highly qualified operators, skilled in the than necessary and adds latency goes via GRE tunnel or a new physical possess powerful routers in order as a strategy to defend their network. equipment, it could still result in service. Support is delivered by specific for delivering the clean traffic. link deployed between the scrubbing to re-inject the traffic. On the other Although router ACLs can provide a first saturation of the links. group exclusively devoted to dealing Additionally, the scrubbing centres are centre and the customer’s router. hand, delivery through a new physical line of defence against basic and simple efficiently with DDoS attacks. distributed internationally and many link to access the client network attacks, they are useless on their own • Limited knowledge of DDoS attacks hops are added in order to divert the On the one hand, delivery via GRE requires a new circuit to be installed. against more sophisticated threats such and equipment: Skilled network and • Transparent solution: It is a non- traffic towards them. tunnel has a major impact on the CPU As a result, both a GRE tunnel and as application level attacks. security engineers are required to intrusive solution which is completely load because all C class traffic flows a scenario based on physical links implement mitigation devices and a transparent since the client’s traffic is through the GRE tunnel, not just the means it will incur higher costs than a Furthermore, the saturation of Internet security strategy. not inspected directly. When an attack IP traffic that is under attack. This Tier-1 solution. interconnections is still not avoided. is detected, only the IPs that are the • Commercial costs: CAPEX on target of the attack are diverted to the This means that whilst router filtering equipment is required. This can be scrubbing centres. This means that could be a complementary solution expensive, have ongoing operational clean traffic is delivered back to the for an ISP, it is never appropriate for a Comparison of anti-DDoS solutions costs and indeed lie dormant until an network without affecting the rest of corporate customer. attack is made. the services – assuring continuity of the services that are not under attack. 4.3.3 Black hole routing Operating the service and acquiring Over provisioning of bandwidth Black hole routing is when an ISP experience in DDoS attacks mitigation • Full protection: The service provides blocks all the traffic heading towards a is not easy. Finding skilled people and full protection with no need to hire Local solution victim from a domain or IP address. The the learning process involved is quite DDoS protection from each ISP – as Cloud solution with a provider agnostic problem with this is that it can result in difficult and time consuming. This long as additional routing measures to the connectivity not only discarding malicious traffic but means that even if you spend money can be applied. (No Tier-1) also legitimate packets. Not only is the on the acquisition of local equipment,
Cost Cloud solution with website in question affected but also any you still need a strong, skilled team that • Cost savings: This solution means no a connectivity provider (Tier-1) others that are sharing the same servers understands how to apply the right cost is incurred in relation to the traffic or even routers. countermeasures when an attack takes generated by the attack. Black hole routing place. This means that black hole routing is 4.3.6 Cloud solution with a not an ideal solution because it casts Moreover, the cost associated with the provider agnostic to the such a wide net – in some cases helping Internet transit service also increases due connectivity (No Tier-1) hackers to achieve the chaos they desire. to the associated expense of the malicious Efficiency Consequently, it should only be used in traffic which must be paid to the ISP. Due consideration should be given to Size: Time taken to have the solution ready. exceptional circumstances. purchasing a carrier-agnostic service. Colour: Green (no experience required). 4.3.5 Cloud solution with a However, when compared with a Tier-1 Magenta (the stronger the colour, the more the experience required). solution, the following should also be 4.3.4 Local DDoS mitigation connectivity provider taken into account: is not enough (Tier-1) Implementing a local DDoS solution has A cloud-based solution provided by • Carrier-agnostic service: The solution several limitations in the face of today’s a Tier-1 ISP has significant benefits is agnostic to the ISP, so if the client Comparison of Local vs Cloud solutions more sophisticated attacks: over other solutions. The service is connected to several ISPs, it is not from an ISP perspective is completely transparent, both in necessary to purchase an anti-DDoS • It cannot stop DDoS attacks that configuration and operation, with no solution with each of them. Local solution Cloud-based solution are too large: Although they have a impact on customer routers. Price $$ $ greater chance of detecting suspicious The infrastructure is • Global coverage: Mitigation capacity Low High traffic on the application layer, they can The main characteristics are as follows: supported on several Tier-1 networks, only protect their own bandwidth. It’s so that the service has global coverage. Redundancy Yes Yes unlikely that an enterprise, or even an • Tier-1 network – global coverage: Volumetric attacks detection Yes Yes ISP, would have enough bandwidth to The advantage of global visibility that • High cost: These anti-DDoS service Application attacks detection Not all Not all manage the very large modern DDoS comes from a Tier-1 network with strong providers do not have their own International mitigation No Yes attacks. A local DDoS solution simply experience in networks and routing. network. As such they are required to Defence against link saturation No Yes cannot manage volumetric network pay their own Internet providers to floods that saturate an enterprise’s • High mitigation capacity: transport the traffic to the scrubbing Need to have security staff Yes No Internet pipe. Hence such attacks must The high mitigation capacity that this centres. As a result, the cost of this Operational cost Yes No be mitigated from the cloud. type of solution provides means that kind of solution is usually higher than CAPEX investment Yes No almost any kind of volumetric attack a Tier-1 solution. Implementation time Months Days can be stopped.
10 Understand & protect. A Telxius White Paper 11 05. Our DDoS Shield solution
Our DDoS Shield service is an Internet As a global telecommunications 5.1 Service description 5.1.1 Monitoring 5.1.2 Detection transit value-added service, which company, we provide customers The DDoS Shield service combines The system is capable of providing Using the monitored data, the offers a security solution that detects with services that deliver maximum several functionalities, fully adapted to passive and non-intrusive monitoring service is able to detect any kind and mitigates DDoS attacks. efficiency and a compressive protection a customer’s needs, to provide a highly of the network’s traffic – analysing of volumetric attack targeted at against Internet threats. Our global effective solution against DDoS attacks: our international network backbone, a business at the entry point of DDoS Shield represents an effective Tier-1 network and strong experience gathering flow statistics from the our International Network. security solution that helps an in networks and routing allows us to • Monitoring. border routers and providing global Although many attacks have national organisation repel these attacks at our combine all the required capabilities • Detection. and perimeter detection of the entire origins, they usually make use of International network’s entry points to provide a complete solution against network. This flexible service does not international networks in order to before they reach our customers’ DDoS attacks. • Mitigation. require the installation of equipment mask their real source. Attackers networks. • Traffic and attacks reporting. within the customer network, nor does usually spoof the source IP address • Real-time service status data via it divert traffic when there is no attack of the packets sent to a target in the an online portal. or threat in progress. hope of a third-party device sending unwanted data to the attacker’s victim. This makes it difficult to block the attack as well as cloaking their Top countries of origin real network location.
Fig.01* Our service provides global protection against such aggression. When Internet Client Internet ClientTaiwan 4% Other 3% abnormal traffic behaviour is detected, Australia 4% the service generates a warning that Internet Detected Client Internet Scrubbing Client Attack Centre is stored and classified according to a specified threshold. It is then analysed Detected Legitimate traffic Scrubbing Germany 4% Attack Centre by a team of professional technicians. Malicious traffic Russia 4% Detection Legitimate traffic Mitigation Malicious traffic Detection Mitigation Korea 4%
China 37%
Spain 6%
India 7% Internet Client Internet Client
Detected Scrubbing UK 10% USA 17% Attack Centre Legitimate traffic Detection Malicious traffic Mitigation * Source Fig.01 and Fig.02: Akamai: State of the Internet Report, September 2015. 2015 executive review [Q2 2015 connectivity & security]
12 Understand & protect. A Telxius White Paper 13 Top sources of DDoS attacks in Q2 2015 Fig.02*
Top 4 Originating Countries
Top 10 Originating Countries
5.1.3 Mitigation 5.1.4 Customer on-premise 5.1.5 Local equipment 5.1.7 Traffic reports DDoS 5.1.8 Client Portal The DDoS Shield also deploys scrubbing equipment (CPE) operation or supply mitigation is not enough The service also provides customers centres installed in the network. Any Customers have the option to If a customer has local security The service can also generate with an online portal where it is traffic deemed suspicious by the implement on-premise equipment infrastructure and would like to use it to customised reports related to traffic, possible to consult a wide range of data detection equipment is then pushed (CPE). CPE helps to protect against complement the cloud-based solution, regardless of DDoS attacks, including: and information. The portal gives full towards these centres. early application-layer attacks and we offer the options of operating the visibility of the following: is designed to detect and stop DDoS equipment or supplying it. • Statistics on traffic volume broken In the scrubbing centres the traffic is attacks immediately, without upfront down by application. • Service: provisioned IP address. analysed and, if necessary, cleansed of configuration or any user interaction. 5.1.6 Attack reports malicious content. The system is able to • Statistics of IP sub network • Attacks and mitigation actions: Once a DDoS attack is mitigated, the identify both malicious and legitimate Additionally, CPE can be integrated distribution or autonomous systems access to attack reports. system provides a report containing traffic. The former is discarded while with a cloud-based solution to (ASN) towards which most traffic is data about the attack’s volume, the latter is re-directed to the client, mitigate attacks in the cloud. When an sent or received. • Traffic: access to traffic reports. characteristics, evolution and any ensuring service continuity. attack begins to saturate connection measures that have been taken. These bandwidth, CPE appliance sends a • A view of the traffic on a network, • Alarms: Information about alarms in reports include detailed information With our DDoS solution only signal to the cloud-based equipment country by country, etc. Such reports progress, recent alarms (those that about attacks/anomalies, including the targeted network’s traffic and mitigation begins. In this way, our provide additional value by giving have been set off in the last 24 hours), graphs, protocols, entry and departure is manipulated for mitigation. customers can maintain availability of tangible results which show exactly classification of the alarm/ anomaly points, plus IP addresses targeted. Furthermore, we implement different networks, services and applications. how the service is running and according to their degree of potential mitigation mechanisms. protecting a network. impact or severity (high, medium or low). The system is capable of mitigating an attack as close as possible to the entry More information about our service point. Depending from where it enters can be found on Page 16. the International Network, it will be sent to either one scrubbing centre or another without deviations to other remote Internet networks, so that low latency is guaranteed. Moreover, the service ensures that the clean traffic is delivered to clients in a transparent way, without affecting the rest of their services.
14 Understand & protect. A Telxius White Paper 15 Our DDoS Shield value proposition
We combine all the capabilities of our In addition, we can handle larger The solution protects the customer’s So that our customers do not have to Granularity and transparency Privacy platform to provide a smart and global attacks than any single organisation network from the outside and invest in highly skilled, around-theclock We are able to proactively detect and The service provides passive and non- service that fully protects customers with an on-premise solution. Local monetises the economic damages personnel to operate the service route all the suspicious traffic to the intrusive monitoring of the customer from DDoS attacks whilst minimising solutions can be swamped by caused not only to them but also to efficiently, we offer 24/7 worldwide scrubbing centre, mitigating the attacks traffic since the traffic is not directly impact on their business operations. attacks that are higher than the local their own customers. support to fight DDoS attacks. Our before they reach an organisation’s inspected. It analyses statistical mitigation capacity. They overwhelm expert technicians constantly monitor, network. information on traffic which guarantees the international links and degrade detect and analyse the real-time Complete Managed Cloud Service Strong experience the privacy of the packets. the Internet transit service – not just evolution of attacks – responding Our DDoS Shield service is a managed We combine all the capabilities of The deviation of the suspicious traffic impacting on the intended target victim instantly to malicious traffic. As a cloud-based service. Solutions based our global Tier-1 network and strong to the scrubbing centres is based on but also on the victim’s customers. result, we are able to mitigate attacks Flexible and versatile on the cloud such as the one we offer, experience in networks and routing as specific IP announcements so that only within minutes, having routed the The versatility of our service means that provide scalability and a global solution a leading ISP. The result is a complete the IPs attacked are diverted. The clean Moreover, our DDoS Shield service malicious traffic through our scrubbing our solution can meet each customer’s in order to protect your business service that we believe no other set of traffic is simply delivered back to our is able to cover a huge number of centres. individual needs. It’s totally adaptable against the most common types of solutions can match. customer’s network without affecting connectivity scenarios using several to any connectivity and flexibility DDoS attacks. the rest of their services. mechanisms that simplify problem Smarter and reliable required through contract options. resolution for our clients. 24/7 support We use proprietary, market-leading We are able to mitigate an attack as Telefonica is ISO/IEC 27001:2007 Low Latency technology to detect and route all Quality of service commitment close as possible to the source in order certified and is a member of FIRST, the The scrubbing centres are situated in Wide coverage the suspicious traffic to the nearest to prevent your Internet links from global Forum for Incident Response and our own network. This means we deal We are committed to guaranteeing Our Tier-1 international network scrubbing centre in our global becoming saturated. Security Teams. As an organisation we with the attacks as close as possible to specific Service Level Agreements (SLA) is interconnected with the leading network. Several detection and have over 7 years’ experience in this their source. The traffic is diverted as for the Global DDoS Shield Service: Internet players and provides daily scrubbing centres are deployed in space, and our team consists of highly little as possible in order to guarantee traffic of more than 4.5 Tbps. The DDoS our international network to deliver a • Time information after an attack qualified and knowledgeable security that our latency is always lower than Shield service provides global visibility reliable and widely available solution detection SLA. professionals. that of other solutions in the market. covering our entire international capable of mitigating attacks close to network. their entry point. • Time for starting a mitigation SLA. • Availability of the service SLA.
Telxius International Network dam
Amste r Hamburg
London Düsseldorf Global visibility Berlin Frankfurt Prague With a capacity higher than Tbps Munich of a Tier-1 networkParis Viena
Albany Bilbao Marseille Chicago Cleveland NYC Philadelphia Barcelona Madrid Palma Kansas City Ses Covetes Ashburn Chipiona Global visib Detection and mitigation of Estepona Herndon Virginia Beach Roquetas Palo Alto Conil Nashville Full protectionEl Djemila Raleigh Tetuan Los Angeles Melilla Dallas Atlanta Tanger any kind of attack: network, transport and
Jacksonville Houston Tallahassee of your network application layers ility of a Tier-1 network Orlando Titusville El Medano Laredo Tampa Boca Raton Altavista McAllen Hollywood Miami dam San
Amste r Hamburg Cacique Juan
London Düsseldorf Berlin Frankfurt Tórtola Prague Pto. Barrios Higher mitigation capacity than Munich St. Croix Praia Guatemala Dakar Viena Paris Pto. San Jose Aruba Maximum capacity Barranquilla Curacao other solutions in the market Albany Bilbao Marseille Chicago Cleveland NYC San Jose a Philadelphia Barcelona Cartagena Palma otonou Madrid Caracas C Kansas City Ses Covetes Panamá Acc r Lagos Ashburn Abidjan ChipionaEstepona Herndon Virginia Beach Roquetas Palo Alto Conil
Nashville El Djemila Raleigh Douala Tetuan Los Angeles Melilla Dallas Atlanta Tanger Bogota
Jacksonville Libreville Houston Manta Tallahassee DDoS Shield Orlando Titusville El Medano Laredo Tampa Boca Raton Salinas McAllen Altavista Hollywood Expertise in DDoS detection and Miami Fortaleza San Juan Mancora Cacique mitigation backed up by 7 years Luanda Pto. Barrios Tórtola Telxius Coverage Experience St. Croix Praia Guatemala Dakar Pto. San Jose Aruba Curacao Lima Barranquilla operating the service Telxius Extended Coverage Salvador San Jose Cartagena a Lurin otonou
Caracas C Panamá Acc r Lagos Abidjan
Douala Telxius International PoP Bogota Manta Libreville Arica Salinas Telxius Landing Station Fortaleza Mancora São Paulo Rio de Telxius Coverage Luanda Off-Net Landing Station Santos Janeiro Lima Service adapted Telxius Extended Coverage Salvador Lurin SAM-1 cable Flexible, versatile and adaptable Telxius International PoP Telxius Landing Station Arica PCCS cable Valparaiso Buenos to your needs São Paulo Los Andes Off-Net Landing Station Rio de Aires Melkbosstrand Santos Janeiro Santiago SAM-1 cable UNISUR cable Maldonado
PCCS cable Valparaiso Los Andes Buenos SAM-1 Extension to Dominican Republic Las Toninas Aires Melkbosstrand Santiago UNISUR cable Maldonado MAREA cable SAM-1 Extension to Dominican Republic Las Toninas 24x7 worldwide support provided by MAREA cable BRUSA cable BRUSA cable Global service a team of security experts staff Telxius Fibre Route Telxius Fibre Route Extended Fibre Route Extended Fibre Route
16 Understand & protect. A Telxius White Paper 17 Why Telxius?
Telxius, created in 2016, is the new global telecommunications infrastructure company of the Telefónica Group, whose aim is to capture the exponential increase of data traffic expected in the coming years. With an international high-capacity cable network, Telxius manages a 65,000 km network of submarine fiber optic cables connecting Europe and America, 31,000 km of which are owned by Telxius. It includes, among other infrastructures, SAM-1, the submarine cable system which has connected the United States with Central America and South America since the year 2000, PCCS (Pacific Caribbean Cable System), which connects the US, Puerto Rico, Curazao, Colombia, Panama and Ecuador, and Unisur, which connects Uruguay and Argentina. It is expected that BRUSA, the new offshore cable measuring nearly 11,000 km and connecting Brazil, Puerto Rico and the US, will be operational in 2018, as well as MAREA, a cable which will link the United States and Europe, in partnership with Microsoft and Facebook. Telxius also features 16,000 telecommunications towers in five countries, with one of the largest tower catalogues in the market among independent infrastructure companies.
18 Find out more about our services and the benefits they can bring to your business, visit: telxius.com or email us at: [email protected]