
Any attack, whatever its form, endangers the availability of your infrastructure and results in degraded or failed service for your users and customers. Our free Anti-DDoS protection keeps your infrastructure reachable 24/7, through a network capacity of 20+ Tbps and a combination of mitigation techniques: packet analysis, packet filtering and vacuuming of the server's traffic. Read on to learn how our VAC-based mitigation works.
| Feature | Free Anti-DDoS protection | Anti-DDoS GAME |
|---|---|---|
| Number of attacks per month | Unlimited | Unlimited |
| Gbps limit per attack | Unlimited | Unlimited |
| Duration of attacks per month | Unlimited | Unlimited |
| Type of attack | All | All |
| Detection and auto-mitigation | ✔ | ✔ |
| Multi-point mitigation | Europe (RBX, GRA, SBG, WAW, LIM, ERI), North America (WAS, BHS), Asia-Pacific (SGP, SYD) | Europe (RBX, GRA, SBG, WAW, LIM, ERI), North America (WAS, BHS), Asia-Pacific (SGP, SYD) |
| Permanent mitigation | ✔ | ✔ |
| Two-way mitigation | - | ✔ (L3/L4/L7) |
| 12 Tbps of additional network capacity | ✔ | ✔ |
| Network Firewall | Configurable | Configurable |
| Shield | ✔ | ✔ |
| Armor | ✔ | Customizable |
| API v6 | ✔ | ✔ |
| Manager v6 | ✔ | ✔ |
| Support | Mailing list | Mailing list |
Understanding DDoS
What is a DDoS attack?
Businesses of every size and in every industry are exposed to distributed denial of service (DDoS) attacks unless they put appropriate protection in place.
A DDoS attack aims to render a server, service, or an infrastructure unavailable by overloading the server's bandwidth or monopolizing its resources to the point of depletion. During a DDoS attack, a multitude of requests are sent simultaneously from multiple points across the internet. The intensity of this "crossfire" renders the service unstable, or even worse, unavailable.

There are three main ways a DDoS attack makes your site, server or infrastructure unavailable:
Bandwidth: the attack saturates the server's network capacity, so it can no longer be reached.
Resources: the attack exhausts the machine's system resources (connection tables, memory, CPU), so it can no longer answer legitimate requests.
Exploitation of a software fault: also called an "exploit", the attack targets a specific software bug either to crash the machine or to take control of it.
| Name of attack | Type of attack | OSI layer | Principle |
|---|---|---|---|
| SMURF | Bandwidth | L3 | ICMP echo requests sent to a broadcast address with the victim's spoofed source address, so that every host on that network replies to the victim |
| TCP SYN-ACK Reflection Flood | Bandwidth | L4 | Mass sending of TCP connection requests to a large number of machines with the victim's spoofed source address; the SYN-ACK responses saturate the victim's bandwidth |
| UDP Flood | Bandwidth | L4 | Mass sending of UDP packets (which require no previously established connection) |
| Distributed DNS Amplification Attack | Bandwidth | L7 | Mass sending of DNS requests with the victim's spoofed source address to a large number of legitimate servers; since each response is larger than the query, the attack is amplified |
| ICMP Echo Request Flood | Resource | L3 | Also called "Ping Flood": mass sending of echo requests, each of which the victim answers with an echo reply carrying the same payload as the request |
| IP Packet Fragment Attack | Resource | L3 | Sending of IP fragments that deliberately reference other fragments that will never be sent, which saturates the victim's reassembly memory |
| IGMP Flood | Resource | L3 | Mass sending of IGMP (multicast management protocol) packets |
| TCP SYN Flood | Resource | L4 | Mass sending of TCP connection requests |
| TCP Spoofed SYN Flood | Resource | L4 | Mass sending of TCP connection requests with a spoofed source address |
| TCP ACK Flood | Resource | L4 | Mass sending of TCP acknowledgement segments |
| TCP Fragmented Attack | Resource | L4 | Sending of TCP segments that deliberately reference other segments that will never be sent, which saturates the victim's memory |
| UDP Fragment Flood | Resource | L4 | Sending of UDP datagram fragments that deliberately reference other fragments that will never be sent, which saturates the victim's memory |
| DNS Flood | Resource | L7 | Attack on a DNS server by mass sending of requests |
| HTTP(S) GET/POST Flood | Resource | L7 | Attack on a web server by mass sending of requests |
| Ping of Death | Exploit | L3 | Sending of ICMP packets that exploit an implementation bug in certain operating systems |
Managing DDoS attacks

Stage 1: The server is operational, no attack
Internet-based services are used without any problem. Traffic crosses the backbone of our network, arrives at the data center and is handled by the server, which sends its responses back out over the internet.

Stage 2: The DDoS attack begins
The attack arrives from the internet onto the backbone. Given the surplus bandwidth capacity on the backbone, the attack does not saturate any link. It reaches the server, which starts absorbing the first packets of the attack. At the same time, traffic analysis flags that an attack is under way and triggers mitigation.

Stage 3: Mitigation of the attack
Between 15 and 120 seconds after the attack begins, mitigation is activated automatically. Incoming traffic for the server is vacuumed by the 3 VACs, with a total mitigation capacity of 480 Gbps (3x 160 Gbps), hosted in three OVH data centers. The attack is blocked with no duration or size limit, regardless of type. Legitimate traffic passes through the VAC and arrives at the server. The server responds directly, without going back through the VAC (mitigation is asymmetric: only the inbound path is filtered). This process is called auto-mitigation.

Stage 4: End of the attack
Generating an attack is costly, and even more so when it is ineffective. After a certain time the attack comes to an end. Auto-mitigation is maintained for 26 hours after the attack has ended, so any new attack within a few minutes, a few hours or a day is blocked immediately. After those 26 hours, auto-mitigation is disabled but remains ready to be reactivated as soon as a new attack is detected.
Anti-DDoS protection
To protect your servers and services from attacks, OVHcloud offers a mitigation solution based on VAC technology - an exclusive combination of techniques to:
- Analyze all packets at high speed, in real time
- Vacuum your server's incoming traffic
- Mitigate by singling out illegitimate IP packets, while allowing legitimate ones to pass through

Anti-DDoS GAME protection
The gaming/e-sports industries are especially prone to distributed denial-of-service attacks. Protection solutions implemented by hosting providers often have limited capacities when faced with the intensity and frequency of these attacks, especially UDP flood attacks, which exploit the User Datagram Protocol (UDP) - the protocol used by the majority of games and voice servers.
To protect these customers, we developed an Anti-DDoS protection specifically adapted to Game servers.
List of compatible games and applications:
Half-Life, Team Fortress Classic, Counter-Strike 1.6, Counter-Strike: Source, Half-Life Deathmatch Classic, Half-Life 2, Half-Life 2: Deathmatch, Day of Defeat, Day of Defeat: Source, Left 4 Dead, Left 4 Dead 2, Team Fortress 2, Counter-Strike: Global Offensive, Garry's Mod, Grand Theft Auto: San Andreas Multiplayer (SA:MP), Multi Theft Auto: San Andreas (MTA:SA), TrackMania (+ TCP protocol), TrackMania 2 (+ TCP protocol), ShootMania Storm (+ TCP protocol), Minecraft Pocket Edition, Minecraft, ARK: Survival Evolved, RUST, TeamSpeak, Mumble.
Anti-DDoS protection tailored to your game
To provide the best possible protection against attacks, the OVH engineers analyzed how the most popular gaming platforms (Counter Strike, TeamFortress, Minecraft) and communication modules (TeamSpeak and Mumble) operate. In a lab and by looking at real user tests, they studied the vulnerabilities of these applications and documented the various attack strategies. This reverse engineering enabled them to provide a tailored response to each large game family: for each family, they developed a profile - or a group of predefined rules - that can be deployed by the user in one click to filter illegitimate traffic flowing in and out of the UDP ports.
Two-way mitigation: a filter on entry and exit
For every type of attack, we've built a specific response, closely integrated with the servers and implemented directly in the Tilera hardware. The key innovation is a filter that analyses both incoming and outgoing traffic to better identify legitimate requests: it can distinguish real clients connected to the machine from attack traffic. Anti-DDoS GAME therefore also acts as a cache and a filter for TCP/IP and UDP packets.
A router located next to the machine analyses the packets and treats every hosted game as a special case. For example, it acts as a cache so that the server itself is relieved of useless requests.
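The two-way filtering and caching idea described above, written out as an added example. This is not OVHcloud's Armor or Tilera code; it is a small Python model in front of a Source-engine style UDP game port. The A2S_INFO request and reply formats come from Valve's public server-query protocol; the TTLs, rate limit, addresses and payloads are constructed for the example. Only outbound packets from the server create "established" state, so a flood source cannot mark itself as a known client, and repeated server-status queries are answered from the filter's cache instead of reaching the game server.

```python
"""Two-way UDP filter for a Source-engine style game port (added example)."""
import time
from typing import Dict, Optional, Tuple

# Valve's public server-query protocol: every query starts with 0xFFFFFFFF;
# A2S_INFO is the 'T' query and its reply is the 'I' message. Newer servers
# require a 4-byte challenge appended to the request, so that form is accepted too.
A2S_HEADER = b"\xff\xff\xff\xff"
A2S_INFO_REQUEST = A2S_HEADER + b"TSource Engine Query\x00"
A2S_INFO_REPLY = A2S_HEADER + b"I"


class GameFilter:
    """Verdicts for inbound packets:
      PASS   - forward to the game server
      DROP   - discard
      CACHED - answer the A2S_INFO query from the filter's cache
               (cached_info_reply() returns the bytes to send back)
    """

    def __init__(self, established_ttl=60.0, query_rate=5, cache_ttl=5.0):
        self.established_ttl = established_ttl   # seconds a client stays known
        self.query_rate = query_rate             # queries per unknown source per second
        self.cache_ttl = cache_ttl               # freshness of the cached info reply
        self.established: Dict[Tuple[str, int], float] = {}  # (ip, port) -> last server reply
        self._query_counts: Dict[str, int] = {}  # per-source queries in the current second
        self._second = -1
        self._info_reply: Optional[bytes] = None
        self._info_time = 0.0

    # Outbound direction: only the server's own replies create state, so an
    # attacker cannot make itself "established" by sending packets.
    def outbound(self, dst_ip: str, dst_port: int, payload: bytes,
                 now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        if len(self.established) > 100_000:      # keep the table bounded
            self.established = {k: t for k, t in self.established.items()
                                if now - t <= self.established_ttl}
        self.established[(dst_ip, dst_port)] = now
        if payload.startswith(A2S_INFO_REPLY):
            self._info_reply, self._info_time = payload, now

    def cached_info_reply(self, now: Optional[float] = None) -> Optional[bytes]:
        now = time.time() if now is None else now
        if self._info_reply is not None and now - self._info_time <= self.cache_ttl:
            return self._info_reply
        return None

    # Inbound direction.
    def inbound(self, src_ip: str, src_port: int, payload: bytes,
                now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        last = self.established.get((src_ip, src_port))
        if last is not None:
            if now - last <= self.established_ttl:
                return "PASS"                    # client the server is talking to
            del self.established[(src_ip, src_port)]

        # Unknown source: only well-formed, rate-limited queries get through;
        # random UDP flood payloads are dropped here.
        if not payload.startswith(A2S_HEADER) or len(payload) > 64:
            return "DROP"
        if int(now) != self._second:             # new second: reset per-source counters
            self._second, self._query_counts = int(now), {}
        self._query_counts[src_ip] = self._query_counts.get(src_ip, 0) + 1
        if self._query_counts[src_ip] > self.query_rate:
            return "DROP"
        is_info = (payload.startswith(A2S_INFO_REQUEST)
                   and len(payload) <= len(A2S_INFO_REQUEST) + 4)
        if is_info and self.cached_info_reply(now) is not None:
            return "CACHED"
        return "PASS"                            # fresh query, let the server answer
```

A real deployment would sit on the router rather than in Python and would carry one such profile per game family, since each game's query format and expected packet sizes differ; the structure (validate shape, rate-limit unknown sources, trust only what the server answers, cache what can be cached) is the same.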
Anti-DDoS Solution
The OVH network is built to absorb attacks. With more than 17 Tbps of capacity held in reserve above our customers' normal usage, it can withstand, vacuum and mitigate a large number of attacks. During mitigation, which is spread across 9 data centers on 3 continents, the vacuuming capacity is reinforced. Our customers' SLAs are protected in this way, and service is not disrupted.
Analyze
We use NetFlow records exported by the routers and analysed by our detection systems to identify attacks. Each router exports a 1-in-2000 sample of its traffic in real time. Our detection compares this sample against attack signatures; on a match, mitigation is set up within seconds.
The signatures are traffic thresholds, in packets per second (pps, Kpps, Mpps, Gpps) or bytes per second (Bps, Kbps, Mbps, Gbps), on a given packet type such as:

- DNS
- ICMP
- IP Fragment
- IP NULL
- IP Private
- TCP NULL
- TCP RST
- TCP SYN
- TCP ACK
- UDP
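Threshold detection over sampled NetFlow, as an added example that is not OVHcloud's detection code. Because each router exports one packet in 2000, every sampled packet stands for 2000 real ones; the detector scales the sample back up, buckets packets by destination and by the packet types listed above, and compares the estimated packets per second and bits per second against per-type signatures. The flow records, the threshold values and the 10-second aggregation window are constructed for the example, and the fragment flag on the record is assumed to be available (as it is in IPFIX).

```python
"""Signature-threshold detection over 1-in-2000 sampled flow records (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLING_RATE = 2000       # from the page: a 1-in-2000 sample per router
WINDOW_SECONDS = 10        # assumed duration covered by one batch of records

# tcpControlBits values as exported in NetFlow v9 / IPFIX
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# RFC 1918 space seen as a source on the public side means a spoofed packet.
# (ipaddress's is_private also matches documentation ranges, so check explicitly.)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    """One sampled flow record; packets/bytes are sampled counts, not real ones."""
    src: str
    dst: str
    proto: int        # 1 = ICMP, 6 = TCP, 17 = UDP, 0 = "IP NULL"
    sport: int
    dport: int
    tcp_flags: int
    packets: int
    bytes: int
    fragment: bool = False


def classify(flow: Flow) -> List[str]:
    """Map a flow to the page's packet types; one flow can match several."""
    types = []
    if flow.fragment:
        types.append("IP Fragment")
    if any(ipaddress.ip_address(flow.src) in n for n in RFC1918):
        types.append("IP Private")
    if flow.proto == 0:
        types.append("IP NULL")
    elif flow.proto == 1:
        types.append("ICMP")
    elif flow.proto == 17:
        types.append("UDP")
        if 53 in (flow.sport, flow.dport):
            types.append("DNS")
    elif flow.proto == 6:
        f = flow.tcp_flags
        if f == 0:
            types.append("TCP NULL")
        if f & RST:
            types.append("TCP RST")
        if f & SYN and not f & ACK:
            types.append("TCP SYN")
        if f & ACK and not f & SYN:
            types.append("TCP ACK")
    return types


# Signature thresholds per destination: (packets/s, bits/s); None = not checked.
# Assumed values for the example; the page does not publish OVHcloud's thresholds.
THRESHOLDS: Dict[str, Tuple[Optional[int], Optional[int]]] = {
    "TCP SYN": (50_000, None), "TCP ACK": (200_000, None), "TCP RST": (50_000, None),
    "TCP NULL": (10_000, None), "UDP": (300_000, 2_000_000_000),
    "DNS": (100_000, 1_000_000_000), "ICMP": (20_000, None),
    "IP Fragment": (50_000, 1_000_000_000), "IP NULL": (1_000, None),
    "IP Private": (1_000, None),
}


def detect(flows, sampling_rate=SAMPLING_RATE, window=WINDOW_SECONDS):
    """Return sorted (dst, type, est_pps, est_bps) for every exceeded signature."""
    pkts, bits = defaultdict(int), defaultdict(int)
    for fl in flows:
        for t in classify(fl):
            pkts[(fl.dst, t)] += fl.packets * sampling_rate      # scale the sample back up
            bits[(fl.dst, t)] += fl.bytes * sampling_rate * 8
    alerts = []
    for (dst, t), p in pkts.items():
        pps, bps = p / window, bits[(dst, t)] / window
        pps_limit, bps_limit = THRESHOLDS[t]
        if (pps_limit and pps >= pps_limit) or (bps_limit and bps >= bps_limit):
            alerts.append((dst, t, int(pps), int(bps)))
    return sorted(alerts)


def build_sample_flows() -> List[Flow]:
    """Constructed records: a partly spoofed SYN flood on .10, a DNS amplification
    flood on .20, and a little normal web traffic on .10."""
    flows = []
    for i in range(400):                       # 400 sampled SYNs, 10 from private space
        src = f"10.0.{i}.1" if i < 10 else f"198.51.100.{i % 250 + 1}"
        flows.append(Flow(src, "203.0.113.10", 6, 1024 + i, 80, SYN, 1, 60))
    for i in range(600):                       # 1400-byte DNS answers the victim never asked for
        flows.append(Flow(f"192.0.2.{i % 250 + 1}", "203.0.113.20", 17, 53, 40000 + i, 0, 1, 1400))
    for i in range(20):                        # established HTTP sessions
        flows.append(Flow(f"198.51.100.{i + 1}", "203.0.113.10", 6, 50000 + i, 80, ACK | PSH, 3, 900))
    return flows
```

Two things the example makes visible that the paragraph does not: a single flow can feed several counters (a SYN from 10.0.0.0/8 raises both "TCP SYN" and "IP Private"), and the per-type thresholds have to be read against the sampling rate, since 400 sampled SYNs in 10 seconds is an estimated 80,000 SYN/s on the wire.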
Traffic Vacuum
The principle of a DDoS attack is to overload services; sometimes a provider's entire network is incapable of handling the load. Thanks to our 17+ Tbps network capacity, the OVH infrastructure can absorb a very high volume of attack traffic, much more than the services offered by competitors.
When an attack is global, the mitigation services, replicated in eight OVH data centers across three continents, activate simultaneously and combine their capacity to absorb the traffic. Their combined mitigation capacity exceeds 4 Tbps. Other customers and services are not affected.

Mitigate
By default, every OVH server is equipped with automatic DDoS mitigation that activates when an attack is detected (reactive mitigation). Customers can also enable permanent mitigation (rules applied at all times) and configure the Network Firewall.
Mitigation is the term for the means and measures put in place to reduce the negative effects of a DDoS attack. At OVH it consists of vacuuming the traffic into the VAC, filtering out the illegitimate packets and letting the legitimate ones through to the server.
The VAC consists of several devices, each with a specific role in blocking one or more types of attack (DDoS, flood, etc.). Depending on the attack, one or more defence strategies may be enabled on each VAC device.


Actions carried out on the Pre-Firewall
- UDP fragment handling
- Packet size checks
- Authorization of the TCP, UDP, ICMP and GRE protocols
- Blocking of all other protocols

Actions carried out on the Network Firewall
- Authorize/block an IP or a sub-network of IPs
- Authorize/block a protocol
- IP (all protocols)
- TCP
- UDP
- ICMP
- GRE
- Authorize/block a port or TCP/UDP port interval
- Authorize/block SYN/TCPs
- Authorize/block all packets except SYN/TCPs
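The Network Firewall actions above map directly onto a rule set, and the recommended way to use them is an allow-list: permit the services you actually run, keep return traffic flowing, and deny everything else. This added example generates such a rule set and pushes it with the python-ovh client. It is not OVHcloud's own tooling. The route shapes (/ip/{ip}/firewall, .../rule), the field names, the 20-rule limit with sequences 0-19 and the behaviour that a firewall without a deny rule accepts everything are taken from the public API and guides as I know them; verify them in the API console (https://api.ovh.com/console/) before running this against a real server. All addresses are constructed.

```python
"""Generate and push an OVHcloud Network Firewall allow-list (added example)."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Sequence, Tuple
from urllib.parse import quote

MAX_RULES = 20   # rule sequences 0..19; the firewall evaluates them in ascending order


@dataclass
class Rule:
    sequence: int
    action: str                          # "permit" | "deny"
    protocol: str                        # "tcp" | "udp" | "icmp" | "gre" | "ipv4" (any)
    destinationPort: Optional[int] = None
    source: Optional[str] = None         # IP or CIDR; None = any
    sourcePort: Optional[int] = None
    tcpOption: Optional[Dict[str, Any]] = None  # {"option": "established"|"syn", "fragments": bool}

    def payload(self) -> Dict[str, Any]:
        """Body for POST /ip/{ip}/firewall/{ipOnFirewall}/rule; unset fields omitted."""
        return {k: v for k, v in self.__dict__.items() if v is not None}


def build_allowlist(services: Sequence[Tuple], admin_sources: Sequence[str] = (),
                    resolvers: Sequence[str] = (), allow_icmp: bool = True) -> List[Rule]:
    """services: (protocol, port) or (protocol, port, source_cidr) to expose.
    admin_sources: networks allowed to reach SSH (22/tcp); nobody else can.
    resolvers: DNS servers whose UDP/53 answers the server must still receive,
    because the final deny also drops replies to queries the server sends out.
    """
    rules: List[Rule] = []

    def add(**kw):
        rules.append(Rule(sequence=len(rules), **kw))

    for src in admin_sources:
        add(action="permit", protocol="tcp", destinationPort=22, source=src)
    for svc in services:
        add(action="permit", protocol=svc[0], destinationPort=svc[1],
            source=svc[2] if len(svc) > 2 else None)
    # Return traffic of TCP connections the server itself opened (updates, APIs, ...)
    add(action="permit", protocol="tcp", tcpOption={"option": "established", "fragments": False})
    for r in resolvers:
        add(action="permit", protocol="udp", source=r, sourcePort=53)
    if allow_icmp:
        add(action="permit", protocol="icmp")
    if len(rules) >= MAX_RULES:
        raise ValueError(f"{len(rules)} rules plus the final deny exceed {MAX_RULES}")
    rules.append(Rule(sequence=MAX_RULES - 1, action="deny", protocol="ipv4"))  # default deny
    return rules


def apply_rules(client, ip_block: str, ip: str, rules: List[Rule], enable: bool = True) -> int:
    """Replace the firewall rules for `ip` with `rules`; return how many were pushed.
    `client` is an ovh.Client (get/post/put/delete). ip_block is the routed block
    ("203.0.113.10/32", URL-encoded in the path), ip the address inside it."""
    base = f"/ip/{quote(ip_block, safe='')}/firewall"
    if ip not in client.get(base):                        # attach the IP to the firewall
        client.post(base, ipOnFirewall=ip)
    for seq in client.get(f"{base}/{ip}/rule"):           # wipe whatever is there
        client.delete(f"{base}/{ip}/rule/{seq}")
    for r in rules:
        client.post(f"{base}/{ip}/rule", **r.payload())
    client.put(f"{base}/{ip}", enabled=enable)            # rules only act once enabled
    return len(rules)
```

To run it for real: `pip install ovh`, create `client = ovh.Client(endpoint="ovh-eu", application_key=..., application_secret=..., consumer_key=...)` with a consumer key scoped to the /ip/* routes, then call `apply_rules(client, "203.0.113.10/32", "203.0.113.10", build_allowlist([...], admin_sources=[...], resolvers=[...]))`. Keep a second way into the box (KVM/IPMI) for the first run, since the final deny applies to SSH from anywhere not listed in admin_sources.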

Actions carried out on the Shield
- Malformed IP header
- Incorrect IP checksum
- Incorrect UDP checksum
- ICMP limitation
- Incorrectly fragmented UDP datagram
- DNS amp

Actions carried out on the Armor
- Malformed IP header
- Incomplete fragment
- Incorrect IP checksum
- Duplicated fragment
- Fragment too long
- IP/TCP/UDP/ICMP packet too long
- Incorrect TCP/UDP checksum
- Invalid TCP flags
- Invalid sequence number
- Zombie detection
- TCP SYN authentication
- DNS authentication
- Badly formed DNS request
- DNS limitation
Pre-firewall
The Pre-Firewall is based on the Arista 7508R, which can connect 288 100G ports, i.e. 28.8 Tbps of switching capacity. VRF isolation then routes the traffic through the successive mitigation stages.
| Component | Specification |
|---|---|
| Model | Arista 7508R |
| Supervisor cards | 2x DCS-7500-SUP2 |
| Processor | Multicore x86 |
| Frequency | 2.13 GHz |
| RAM | 32 GB |
| Fabric | DCS-7508R-FM |
| Line cards | 2x 7500R-36CQ |
| Chassis capacity | 28.8 Tbps / 34.5 Bpps |
| Total pre-firewall capacity | 1.2 Tbps / 1.8 Bpps |
Network Firewall
The Network Firewall is composed of vRouters executing OVH-developed code, enabling all traffic to be classified so that rules can be applied (access-lists).
| Component | Specification |
|---|---|
| Processor | 2x1697v4 |
| RAM | 64 GB DDR4 ECC |
| Network cards | 2x ConnectX-4 (2x 100 Gbps each) |
| Capacity | 200 Gbps / 100 Mpps |
| Number per VAC | 3 |
Shield
Shield is an OVHcloud-developed software solution running on vRouters. Its purpose is to mitigate known attacks, mainly those that work by amplification (DNS Amp, NTP Amp).
| Component | Specification |
|---|---|
| Processor | 2x1697v4 |
| RAM | 64 GB DDR4 ECC |
| Network cards | 2x ConnectX-4 (2x 100 Gbps each) |
| Capacity | 200 Gbps / 100 Mpps |
| Number per VAC | 3 |
Armor
Armor is the most advanced VAC software solution, designed to mitigate advanced persistent attacks. It runs on vRouters fitted with FPGA cards, which take part of the processing off the CPU and give the best performance on the complex algorithms (SYN and DNS authentication, sequence checks, zombie detection).
| Component | Specification |
|---|---|
| Processor | 2x1697v4 |
| RAM | 64 GB DDR4 ECC |
| Network cards | 2x ConnectX-4 (2x 100 Gbps each) |
| FPGA | XUSP3S with 4x 100 Gbps |
| Capacity | 200 Gbps / 100 Mpps |
| Number per VAC | 3 |
Anti-DDoS Resources
Recommended forms of protection
| Your situation | Our advice |
|---|---|
| OVHcloud Network Firewall settings | Enable only the ports that are authorised and necessary on your server, and check that no port or service you rely on is missing, so an incorrect rule does not cut you off. Use the Network Firewall interface in your OVHcloud Control Panel or the API. |
| Configuration of your server settings | Tune your server's IP stack by adjusting the TCP and UDP parameters under /proc (sysctl) on Linux. |
| Public and private network | If your infrastructure consists of several servers, use vRack for all traffic between them, so that inter-server traffic stays off the public network. |
| Test the permanent mitigation | Activate permanent mitigation on your server and verify that everything works correctly behind the VAC, so there are no nasty surprises on the day you are attacked. |
| In the event of an attack | Follow the situation in the Control Panel to confirm when service has been restored. By default, mitigation stays active for 26 hours after the attack ends. |
| Prepare a business contingency plan | If possible, duplicate your infrastructure geographically across our three data centers and devise a service continuity plan in advance. |
Customer control panel

Simple control of your anti-DDoS security
Whether you've opted for standard or a more sophisticated mitigation (as part of the OVH Extended features option), you can take total control of your strategies and firewall settings via the graphical user interface in your Control Panel.

Oversee the attack monitoring process
Your Control Panel also allows you to monitor attacks (status and intensity) and to take full control of the actions.
RESTful API
In addition to the Control Panel, which lets you manage your mitigation strategies and Network Firewall day to day, OVH offers a comprehensive, secured API that exposes every possible action.
A clear and documented RESTful API, ideal for developers.
The OVH RESTful API allows you to list all the administration actions on your network security, on one page and by category. Each function has a description, action buttons, and for developers, examples of code for integrating these functions into your scripts. In addition to the quick control of your security services, the OVH RESTful API opens up wide possibilities to automate certain tasks, integrate them into your development, and update the configuration of your app settings and policies.

Glossary
| Term | Definition |
|---|---|
| Anti-DDoS | Set of techniques aimed at protecting online services from DDoS attacks |
| DDoS | Distributed denial of service; the same principle as DoS, but launched from many points at once |
| DoS | Denial of service; a type of cyber-attack that makes a service unavailable |
| Mitigation | Identifying an attack, selecting the appropriate filtering and isolation, and neutralising its effects |
| SLA | Service Level Agreement; the supplier's obligations in terms of quality and availability of service |
| SYN Flood (Synflood) | An attack based on a mass of TCP SYN requests |
| VAC | OVHcloud's mitigation infrastructure ("vacuum"), which draws a server's incoming traffic through its filtering stages and forwards only the legitimate packets |
FAQ
Anti-DDoS protection is included for free with all servers, whatever the duration of your contract.
We provide free, 24/7 mitigation to 100% of OVH infrastructures and servers. The only way to protect our customers is to protect all of them, which is why every server must be protected.
If no specific policy has been selected via the API or the Control Panel, OVH applies standard mitigation rules to your server. This happens automatically and in an escalating manner: each step is more restrictive than the last, up to isolation of the target.
All policies are designed to protect the attacked ports while leaving the other ports open. This preserves the server's SLA on the other ports.
The professional use option lets you choose in advance which policies will be applied during an active attack (at any time). If the policy you selected is not sufficient, an OVH policy takes over until the attack is stabilised; this lets you decide on the best response before OVH decides for you.