DDoS Mitigation

DDoS Monitoring and Mitigation Services

Orchestrated DDoS attacks can be devastating to your network. DDoS attacks can cause network congestion, accidental data loss, botted or compromised hosts, accidental major service outages, advanced persistent threats on your network, exposure of regulated and non-regulated data, web defacement or industrial espionage. Using the intelligent, network-inherent DDoS monitoring and mitigation services provided by Xtel in collaboration with Arbor Networks, customers are able to mitigate attacks quickly, minimizing both financial and legal risk. Xtel, an industry-leading network provider, can help you implement a multi-layer DDoS protection service directly in your network to actively monitor, detect and destroy DDoS attacks before they start.

Comprehensive Threat Detection

Data centers and public networks present multiple targets for DDoS attacks. These targets include infrastructure devices (e.g., routers, switches and load balancers), domain name systems (DNS), bandwidth capacity and key applications such as Web, eCommerce, voice and video. Even security devices such as firewalls and intrusion prevention systems are targets of attack. The Xtel Cleanpipe solution provides the most comprehensive and adaptive suite of threat detection capabilities in the industry, designed to protect diverse resources from complex, blended attacks. These capabilities include statistical anomaly detection, protocol anomaly detection, fingerprint matching and profiled anomaly detection. Xtel’s Cleanpipe continually learns and adapts in real time, alerting operators to attacks as well as to unusual changes in demand and service levels.

Proactive, Surgical Mitigation in Seconds

Key to effective mitigation is the ability to identify and block attack traffic while allowing non-attack traffic to flow through to its intended destination. Large-scale DDoS attacks affect not only the intended victim, but also other unfortunate customers who may be using the same shared network service. To reduce this collateral damage, service providers and hosting providers often shut down all traffic destined for the victim’s site, thus completing the DDoS attack. Whether the attack is a high-volume flood designed to exhaust bandwidth capacity or a targeted attack looking to bring down a Web site, Xtel’s Cleanpipe solution can, in some cases, isolate and remove the attack traffic without affecting other users in as little as a few seconds. Methods include identifying and blacklisting malicious hosts, IP location-based mitigation, protocol anomaly-based filtering, malformed packet removal and rate limiting (to gracefully manage non-malicious demand spikes).

Cleanpipe Real-Time Mitigation/Reporting Portal

Xtel’s Cleanpipe real-time mitigation portal shows IT management exactly what is generating a DDoS alert and what effect the countermeasures are having on the attack. It provides the ability to modify countermeasures and delivers full packet capture and decode to get a detailed view of both normal and attack packet streams. This information is stored for future reference and management reporting, giving operators and managers full visibility into, and reporting on, attacks on their business operations.

Cleanpipe DDoS Defense Specifications

  • Simultaneous Sessions: Not session limited
  • Deployment Modes: Inline Active, Inline Monitoring, SPAN port, Diversion/Reinjection
  • Block Actions: Source blocking/source suspend, per packet blocking, a combination of source, header, and rate-based blocking
  • Attack Protections:
      • Flood Attacks (TCP, UDP, ICMP, DNS, SSDP, NTP, SNMP, SQL RS, Chargen Amplification, DNS Amplification, Microsoft SQL Resolution Service Amplification, NTP Amplification, SNMP Amplification, SSDP Amplification)
      • Fragmentation Attacks (Teardrop, Targa3, Jolt2, Nestea)
      • TCP Stack Attacks (SYN, FIN, RST, SYN ACK, URG-PSH, TCP Flags)
      • Application Attacks (HTTP GET floods, SIP Invite floods, DNS attacks, HTTPS protocol attacks)
      • DNS Cache Poisoning
      • Vulnerability attacks
      • Resource exhaustion attacks (Slowloris, Pyloris, LOIC, etc.)
      • Flash crowd protection
      • IPv4 and IPv6 attacks hidden in SSL encrypted packets
  • DDoS Countermeasures:
      • Volumetric-Only Countermeasures
      • Full Set of Countermeasures:
          • Invalid Packets
          • IPv4/IPv6 Address Filter Lists
          • IPv4/IPv6 Black/White Filter Lists
          • Packet Header Filtering
          • IP Location Filter Lists
          • Zombie Detection
          • Per Connection Flood Protection
          • TCP SYN Authentication
          • TCP Connection Limiting
          • TCP Connection Reset
          • Payload Regular Expression Filter
          • Shaping
          • IP Location Policing
          • Inline Filter
          • Blacklist Fingerprints
          • Protocol Baselines
          • HTTP Authentication
          • HTTP Malformed
          • HTTP Scoping
          • HTTP Rate Limiting
          • HTTP/URL Regular Expression
          • DNS Authentication
          • DNS Malformed
          • DNS Scoping
          • DNS Rate Limiting
