General Description [Документация VAS Experts]
Документация VAS Experts Документация VAS Experts-mobile
in

Settings

  • Show page
  • Old revisions
  • Export to PDF
  • Fold/unfold all
  • Backlinks
  • Show page
  • Old revisions
  • Export to PDF
  • Fold/unfold all
  • Backlinks

    • Differences

    This shows you the differences between two versions of the page.

    Link to this comparison view

    Both sides previous revisionPrevious revision
    Next revision    		Previous revision
    en:dpi:dpi_options:opt_ddos:ddos_description [2025/09/23 10:44] elena.krasnobryzhen:dpi:dpi_options:opt_ddos:ddos_description [2025/09/24 08:04] (current) – [Organic AntiDDoS System] elena.rudich
    Line 1: Line 1:
     ====== General Description ====== ====== General Description ======
     {{indexmenu_n>1}} {{indexmenu_n>1}}
    -**VAS Experts offers a solution to combat DDoS attacks targeting telecom operators and their infrastructure, which lead to the operator's inability to serve its subscribers. Consequently, this results in mass subscriber churn, financial losses, and reputational damage.**+**VAS Experts offers a solution to deal with DDoS attacks targeting telecom operators and their infrastructure, which lead to the operator's inability to serve its subscribers. Consequently, this results in mass subscriber churn, financial losses, and reputational damage.**
      
    -VAS Experts offers several options for protection against DDoS attacks:+VAS Experts offers two options for protection against DDoS attacks:
       - Using only SSG with the auto-protection function against SYN Flood, UDP Flood, and HTTP Flood. Requires SSG with the DDoS Auto-Protection option (option **ddos**).   - Using only SSG with the auto-protection function against SYN Flood, UDP Flood, and HTTP Flood. Requires SSG with the DDoS Auto-Protection option (option **ddos**).
    -  - Using a combination of SSG and QoE to detect all types of DDoS attacks with the capability for complete inbound traffic blocking (**blackhole**) and scrubbing on SSG. Requires SSG with the option for Collection and export of protocol and direction statistics in IPFIX format (option **ipfix**) and QoE with the option for Traffic detection and scrubbing (**blackhole and flowspec**) against BotNet and DDoS attacks (option **antiddos**). For scrubbing, SSG version BASE is required.+  - Using a combination of SSG and QoE to detect and mitigate all types of DDoS attacks with complete inbound traffic blocking (**blackhole**) and scrubbing on SSG. Requires SSG with the option for Collection and export of protocol and direction statistics in IPFIX format (option **ipfix**) and QoE with the option for Traffic detection and scrubbing (**blackhole and flowspec**) against BotNet and DDoS attacks (option **antiddos**). For scrubbing, SSG version BASE is required.
      
     =====Most Common Forms of Attacks on Telecom Operators===== =====Most Common Forms of Attacks on Telecom Operators=====
    -  - Ingress Channel Overflow+  - Inbound Channel Overflow
         * Amplification attacks (DNS, NTP, UDP flood, and others)\\ Protection: blackholing attacked addresses or applying flowspec on the uplink channel; other protection methods are ineffective.     * Amplification attacks (DNS, NTP, UDP flood, and others)\\ Protection: blackholing attacked addresses or applying flowspec on the uplink channel; other protection methods are ineffective.
         * BotNet attacks — each bot generates relatively small traffic resembling legitimate traffic, but the aggregate traffic exceeds the capacity of the operator's ingress channels; source address spoofing is not performed (see also item 2)\\ Complication: the target IP for the attack often involves not one address, but up to a thousand addresses\\ Protection: blackholing attacked addresses, flowspec on the uplink channel (for certain traffic types), creating a list of BotNet network addresses and blocking them on SSG (for certain traffic types)     * BotNet attacks — each bot generates relatively small traffic resembling legitimate traffic, but the aggregate traffic exceeds the capacity of the operator's ingress channels; source address spoofing is not performed (see also item 2)\\ Complication: the target IP for the attack often involves not one address, but up to a thousand addresses\\ Protection: blackholing attacked addresses, flowspec on the uplink channel (for certain traffic types), creating a list of BotNet network addresses and blocking them on SSG (for certain traffic types)
    Line 49: Line 49:
      
     ====Organic AntiDDoS System==== ====Organic AntiDDoS System====
    -The evolution of the DDoS protection solution aims to scrub traffic even before it enters the internet. Deploying SSG AntiDDoS complexes at multiple telecom operators will allow stopping BotNet traffic inside the operator's network. Centralized management via VAS Cloud will enable lightning-fast response to any attacks and leave even the transport channels between operators, IXs, and Data Centers untouched. If an attack is detected on any resource protected by SSG, it is possible to transmit parameters for scrubbing to the operator from which the illegitimate traffic originates.+The evolution of the DDoS protection solution aims to filter malicious traffic even before it enters the internet. Deploying SSG AntiDDoS complexes at multiple telecom operators will allow stopping BotNet traffic inside the operator's network. Centralized management via VAS Cloud will enable lightning-fast response to any attacks and leave the transport channels between operators, IXs, and Data Centers untouched. If an attack is detected on any resource protected by SSG AntiDDoS, it is possible to transmit filtering parameters to the operator from which the illegitimate traffic originates.
      
     {{ :en:dpi:dpi_options:opt_ddos:antiddos-2.png?nolink&900 |}} {{ :en:dpi:dpi_options:opt_ddos:antiddos-2.png?nolink&900 |}}