Mitigation techniques for the largest internet attacks
Distributed denial-of-service (DDoS) attacks combine several vectors, the most common being the sheer number of attacking devices. An attacker can control a large number of computers (or other devices such as cameras, DVRs and IoT equipment), usually known as a botnet, spread all around the world. Such attacks can saturate an entire infrastructure before a single packet reaches the target server, so the situation cannot be managed at one destination point or by one user. To combat DDoS attacks, OVHcloud relies on a combination of global presence, over-provisioned network capacity, distributed detection logic and high-performance filtering devices. Based on this experience and on the latest innovations, we offer a system that lets you focus on your own service rather than on network attacks.
Before we mitigate
Network attacks are detected by real-time analysis of the flow data exported by routers (NetFlow, sFlow or other protocols). If suspicious traffic is detected, internal routing mechanisms redirect the traffic for the affected destination through a number of distributed VAC nodes (from vacuuming) for deeper analysis and precise filtering.
Once traffic is routed to our VAC nodes, a deep analysis is performed. This happens simultaneously in all of our datacentres, so the processing power of all regions (more than 17 Tbps as of 2021) is combined. To guarantee the best quality level, we establish multiple network connections per region and keep network capacity over-provisioned. This lets us absorb attacks without affecting legitimate activity.
Finally, mitigation consists of multi-stage traffic filtering, so that only legitimate traffic reaches the server. This is the most complex part of the system and does the hardest work. We designed it by combining well-known ACL technology with our own innovations on the x86 architecture and code implemented on ultra-fast FPGA chips.
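The detection step described above, as an added example that is not OVHcloud's code: per-destination packet and bit rates are summed from NetFlow/sFlow-style records in fixed time windows, compared with a learned baseline, and a destination that exceeds it gets a "divert to VAC" decision. It goes one step further than the text by tagging the dominant vector (amplification by UDP source port, SYN flood by TCP flags), which is the kind of classification the Shield stage later on this page reacts to. The flow records, baselines, thresholds and the vector table are constructed assumptions for the example.

```python
"""Flow-based DDoS detection over constructed NetFlow/sFlow-style records.

Added example (not OVHcloud code): models the detection step in which
per-destination traffic is summed per time window, compared with a
baseline, and a destination under attack is diverted to a scrubbing (VAC)
node. Sample records, baselines, thresholds and the vector table are
assumptions made for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

SYN, ACK = 0x02, 0x10        # NetFlow v5 tcp_flags bits (OR of all flags seen in the flow)
WINDOW = 10                  # seconds per aggregation bucket
MIN_PPS = 5_000              # absolute floor before we ever divert (assumed)
BASELINE_FACTOR = 5          # divert when pps > factor * learned baseline (assumed)

# Reflection/amplification services, keyed by the UDP *source* port of the reply
# flood. Many large UDP datagrams from these ports, sent by many hosts, is the
# classic amplification signature. (Assumed table.)
AMPLIFICATION_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    t: int          # flow start, seconds since epoch
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "tcp" | "udp" | "icmp"
    tcp_flags: int  # cumulative flag bitmask, 0 for non-TCP
    packets: int
    bytes: int


def classify(flow):
    """Name the attack vector a single flow looks like, or None if unremarkable."""
    if flow.proto == "udp" and flow.sport in AMPLIFICATION_PORTS:
        return AMPLIFICATION_PORTS[flow.sport] + " amplification"
    if flow.proto == "tcp" and flow.tcp_flags & (SYN | ACK) == SYN:
        return "TCP SYN flood"  # SYN seen but never an ACK: handshakes never complete
    return None


def aggregate(flows, window=WINDOW):
    """Sum packets/bytes per (destination, window); track source diversity and vectors."""
    agg = defaultdict(lambda: {"pps": 0.0, "bps": 0.0, "srcs": set(), "vectors": defaultdict(int)})
    for f in flows:
        a = agg[(f.dst, f.t // window)]
        a["pps"] += f.packets / window
        a["bps"] += f.bytes * 8 / window
        a["srcs"].add(f.src)
        vector = classify(f)
        if vector:
            a["vectors"][vector] += f.packets
    return agg


def detect(flows, baseline_pps, window=WINDOW):
    """Return one diversion decision per (destination, window) that exceeds its baseline."""
    decisions = []
    for (dst, bucket), a in sorted(aggregate(flows, window).items()):
        threshold = max(BASELINE_FACTOR * baseline_pps.get(dst, 0.0), MIN_PPS)
        if a["pps"] <= threshold:
            continue
        vector = max(a["vectors"], key=a["vectors"].get) if a["vectors"] else "unclassified flood"
        decisions.append({
            "dst": dst,
            "window_start": bucket * window,
            "pps": round(a["pps"]),
            "mbps": round(a["bps"] / 1e6, 1),
            "sources": len(a["srcs"]),
            "vector": vector,
            "action": "divert_to_vac",  # reroute this destination through the scrubbing nodes
        })
    return decisions


# Constructed sample: two servers, one of them hit by DNS amplification.
BASELINE_PPS = {"203.0.113.10": 1_500.0, "203.0.113.20": 50.0}  # learned quiet-hour rates (assumed)
SAMPLE_FLOWS = [
    Flow(1000, "198.51.100.7", 51234, "203.0.113.10", 443, "tcp", SYN | ACK, 400, 120_000),
    Flow(1003, "198.51.100.9", 40211, "203.0.113.10", 443, "tcp", ACK, 350, 98_000),
    Flow(1002, "198.51.100.20", 33000, "203.0.113.20", 22, "tcp", ACK, 60, 9_000),
] + [
    # 40 open resolvers each returning ~1,200-byte answers the victim never asked for.
    Flow(1001 + i % 5, f"192.0.2.{i}", 53, "203.0.113.10", 3000 + i, "udp", 0, 25_000, 30_000_000)
    for i in range(1, 41)
]

if __name__ == "__main__":
    for d in detect(SAMPLE_FLOWS, BASELINE_PPS):
        print(d)
```

Only the destination whose rate blows past its own baseline is diverted; the unrelated server in the same window stays on the direct path, which is the point of per-destination rather than per-link detection.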
How DDoS mitigation is performed at OVHcloud
When a request, or a single network packet, comes from the internet, the first place we can see it is a Point-of-Presence (PoP), where the OVHcloud network connects to other providers. For the best protection we install Hardware Client Amplitude Policers (HCAP), a component of the global Anti-DDoS system, in these locations. Packets are then routed through our backbone network and delivered to our datacentres.
OVHcloud datacentres are equipped with a special, high-performance hardware stack that includes a VAC DDoS mitigation node. It provides local protection and is also part of the global system, which means it can offload traffic to other sites during large attacks. Packets either go directly to a datacentre's racks and servers or, in the case of suspicious traffic, pass through deep analysis and mitigation by the VAC.
Last but not least, products with additional application-level protection (such as the BareMetal Game range with Game DDoS Protection) have a further filtering stage running close to the service itself, which understands the application protocol and can separate attack traffic from legitimate traffic more precisely.
The Hardware Client Amplitude Policer (HCAP) is the very first component in the line of defense protecting every customer's services. It can offload the datacentre's VAC nodes when needed, giving the best performance and load distribution while under attack, and it can also act as a rate-limiting component if required.
The Edge Network Firewall
The Edge Network Firewall, the first component of the VAC, limits your exposure to network-layer attacks from the public network. It activates automatically as soon as a DDoS attack begins and stays active for the duration of the attack (you can also configure it to be enabled all the time). You can configure up to 20 customer-side rules that filter packets more precisely, adapted to your server's activity. Each rule is a specific authorisation or denial you can use to optimise the protection of your service (and to protect network bandwidth inside the datacentre). This technical guide will help you configure rules.
Shield and Armor
The Shield and Armor hardware performs advanced threat detection, preventing a server's resources (mainly CPU cycles) from being saturated. The Shield intervenes when an attacker uses amplification (DNS or NTP amplification), IP spoofing or reflection attack vectors. Armor, the last component in the line of defense, is the most advanced filter in our VAC system and mitigates the most sophisticated attacks (including, but not limited to: TCP SYN floods through SYN-cookie handshake authentication, zombie detection, and TCP/UDP/GRE/AH/ESP/... flood mitigation).
Find out more about Mitigation
What is mitigation?
The mitigation process is OVHcloud's automatic scrubbing centre: the place where our technology takes a deep look into packets and removes malicious traffic (DDoS floods and other known attack patterns) while letting legitimate traffic pass through.
Can I get permanent mitigation?
Your services are always protected by automatic mitigation (always-on detection), which activates within seconds once an attack is detected. By activating permanent mitigation, you constantly apply a first level of filtering through our Shield hardware, together with the filtering rules you have defined in the Edge Network Firewall. If automatic mitigation is triggered, all stages of the VAC are involved. Note that, for security and service availability reasons, only our game range of servers can have deep packet analysis (Game DDoS Protection) permanently enabled. Our other solutions can use permanent mitigation too; you can enable it from the OVHcloud Control Panel.
What is the VAC?
The VAC is a principal part of our Anti-DDoS Infrastructure and is a combination of different technologies constantly being developed by OVHcloud, and designed to mitigate DDoS attacks. VAC can filter incoming traffic so that only legitimate data packets pass through and reach your server, while illegitimate traffic is blocked. Notably, VAC includes an Edge Network Firewall and Shield and Armor components.
Can I customise my Edge Network Firewall (ENF)?
Yes. You can create filtering rules either in the OVHcloud Control Panel or via the API. You can define allow or deny rules based on specific protocols, and they are applied automatically whenever the Edge Network Firewall is active or automatic mitigation is triggered. This way you can offload filtering from your server's iptables firewall to the network edge, protecting the network link from saturation. For more information about configuring the Edge Network Firewall, read the following guide: "Configuring the Firewall Network".
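A model of how an ordered set of edge allow/deny rules like the Edge Network Firewall rules described in the section above and in this answer is matched against packets, as an added example that is neither OVHcloud's code nor the OVHcloud API. The rule fields, the first-match and default-permit semantics, the 20-rule limit taken from this page, and the sample packets are all assumptions of this model; the real rule options are in the linked guide.

```python
"""Model of an ordered edge-firewall rule set evaluated against sample packets.

Added example (not OVHcloud code and not the OVHcloud API): rules are matched
in ascending sequence order, the first match decides, and unmatched traffic is
permitted (assumed default), so a whitelist must end with an explicit deny-all.
Rule fields and sample packets are assumptions of this model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MAX_RULES = 20  # the page's limit on customer-side rules


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str                   # "tcp" | "udp" | "icmp" | "gre" | "ah" | "esp"
    dport: Optional[int] = None  # None for port-less protocols and for non-first fragments
    syn_only: bool = False       # SYN set, ACK clear: a new inbound connection attempt
    fragment: bool = False


@dataclass(frozen=True)
class Rule:
    sequence: int                      # 0..19, evaluated in ascending order, first match wins
    action: str                        # "permit" | "deny"
    protocol: str                      # "ipv4" matches every packet, otherwise an L4 protocol name
    source: str = "any"                # CIDR or "any"
    dport: Optional[int] = None
    tcp_option: Optional[str] = None   # "syn" (new connections) | "established" (all other TCP)
    fragments: bool = False            # match only fragmented packets


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "ipv4" and rule.protocol != pkt.proto:
        return False
    if rule.source != "any" and ip_address(pkt.src) not in ip_network(rule.source, strict=False):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.fragments and not pkt.fragment:
        return False
    # "established" here is a stateless flag check (ACK present), not connection tracking.
    if rule.tcp_option == "syn" and not pkt.syn_only:
        return False
    if rule.tcp_option == "established" and pkt.syn_only:
        return False
    return True


def validate(rules):
    """Return a list of problems; an empty list means the rule set is well formed."""
    problems, seen = [], set()
    if len(rules) > MAX_RULES:
        problems.append(f"more than {MAX_RULES} rules")
    for r in rules:
        if not 0 <= r.sequence < MAX_RULES:
            problems.append(f"sequence {r.sequence} out of range")
        if r.sequence in seen:
            problems.append(f"duplicate sequence {r.sequence}")
        seen.add(r.sequence)
        if r.action not in ("permit", "deny"):
            problems.append(f"rule {r.sequence}: unknown action {r.action!r}")
        if r.tcp_option and r.protocol != "tcp":
            problems.append(f"rule {r.sequence}: tcp_option on a non-TCP rule")
    return problems


def evaluate(rules, pkt):
    """Return (action, sequence) of the first matching rule, or ("permit", None) if none matches."""
    problems = validate(rules)
    if problems:
        raise ValueError("; ".join(problems))
    for rule in sorted(rules, key=lambda r: r.sequence):
        if matches(rule, pkt):
            return rule.action, rule.sequence
    return "permit", None


def audit(rules, packets):
    """Evaluate a named set of packets and return {name: (action, sequence)}."""
    return {name: evaluate(rules, pkt) for name, pkt in packets.items()}


# Constructed whitelist for a web server that also accepts SSH from one admin network.
WEB_SERVER_RULES = [
    Rule(0, "deny", "ipv4", fragments=True),                       # fragments carry no ports to check
    Rule(1, "permit", "tcp", dport=443),
    Rule(2, "permit", "tcp", dport=80),
    Rule(3, "permit", "tcp", source="198.51.100.0/24", dport=22),  # SSH from the admin network only
    Rule(4, "permit", "tcp", tcp_option="established"),            # replies to the server's own connections
    Rule(5, "permit", "icmp"),
    Rule(19, "deny", "ipv4"),                                      # everything else, UDP floods included
]

# Constructed packets exercising each branch of the rule set.
SAMPLE_PACKETS = {
    "https syn from anywhere": Packet("203.0.113.99", "tcp", 443, syn_only=True),
    "ssh syn from the internet": Packet("203.0.113.99", "tcp", 22, syn_only=True),
    "ssh syn from admin net": Packet("198.51.100.5", "tcp", 22, syn_only=True),
    "dns amplification reply": Packet("192.0.2.1", "udp", 3001),
    "udp fragment": Packet("192.0.2.1", "udp", None, fragment=True),
    "reply to outbound tcp": Packet("198.51.100.200", "tcp", 40000),
    "ping": Packet("203.0.113.99", "icmp"),
}

if __name__ == "__main__":
    for name, decision in audit(WEB_SERVER_RULES, SAMPLE_PACKETS).items():
        print(f"{name:28s} -> {decision}")
```

The ordering matters: the fragment deny sits first because a non-first fragment has no port fields, and without that rule it would slip through the stateless "established" rule. The reflection reply is dropped by the final deny-all without ever reaching the server's iptables, which is the offloading this answer describes.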
How can I tell if my service has been attacked by DDoS?
When an attack on your services is detected, you receive a notification by email. You can track the situation in the OVHcloud Control Panel, which provides statistics. When the attack is over, we notify you by another email. If you think your services have been targeted by a DDoS attack and your users are experiencing degraded performance, feel free to contact the OVHcloud support team, who can look into it.