| Previous revision: en:dpi:dpi_options:opt_ddos:ddos_description [2025/09/24 08:04] – [Organic AntiDDoS System] elena.rudich | Current revision: en:dpi:dpi_options:opt_ddos:ddos_description [2026/02/19 13:24] – elena.krasnobryzh |
|---|---|
| ====== General Description ====== | ====== Description of Tools and Architecture ====== |
| {{indexmenu_n>1}} | {{indexmenu_n>1}} |
| **VAS Experts offers a solution to deal with DDoS attacks targeting telecom operators and their infrastructure, which lead to the operator's inability to serve its subscribers. Consequently, this results in mass subscriber churn, financial losses, and reputational damage.** | |
| | |
| VAS Experts offers two options for protection against DDoS attacks: | **VAS Experts offers a solution to combat DDoS attacks on telecom operators and their infrastructure, which can result in the operator being unable to serve its subscribers. Consequences include mass subscriber churn, financial and reputational losses.** |
| - Using only SSG with the auto-protection function against SYN Flood, UDP Flood, and HTTP Flood. Requires SSG with the DDoS Auto-Protection option (option **ddos**). | |
| - Using a combination of SSG and QoE to detect and mitigate all types of DDoS attacks with complete inbound traffic blocking (**blackhole**) and scrubbing on SSG. Requires SSG with the option for Collection and export of protocol and direction statistics in IPFIX format (option **ipfix**) and QoE with the option for Traffic detection and scrubbing (**blackhole and flowspec**) against BotNet and DDoS attacks (option **antiddos**). For scrubbing, SSG version BASE is required. | VAS Experts provides several options for DDoS protection: |
| | - Using SSG only with auto-protection against SYN Flood, UDP Flood, and HTTP Flood. Requires SSG with the Anti-DDoS Auto-protection option (**ddos**). **[[en:dpi:dpi_options:opt_ddos:ssg_ddos|More about configuring DDoS protection using SSG DPI]]** |
| | - Using a combination of SSG and QoE to detect all types of DDoS attacks with the ability to fully block incoming traffic (**blackhole**) and clean it on SSG. Requires SSG with the option to collect and export protocol and direction statistics in IPFIX format (**ipfix**) and QoE with the option Traffic detection and cleaning (**blackhole and flowspec**) from BotNet and DDoS attacks (**antiddos**). For traffic cleaning, existing SSGs can be used (available in versions: BASE, BNG with mark and channels options, COMPLETE), or a dedicated SSG BASE server can be deployed to handle part of the traffic. **[[en:dpi:dpi_options:opt_ddos:qoe_ddos|More about configuring DDoS and BotNet detection based on QoE]]** |
| | |
| | <note tip> |
| | Licensing of the AntiDDoS option within SSG and QoE is described [[en:dpi:licensing|here]].\\ \\ |
| | Requirements: |
| | * Latest versions of QoE and GUI; any QoE license, with AntiDDoS purchased as a separate option |
| | * SSG license BASE / COMPLETE / BNG with additional options [[en:dpi:dpi_options:opt_priority|mark]] and [[en:dpi:dpi_options:opt_shaping|channels]] |
| | * QoE installed on a separate server or VM, **NOT on the SSG server** |
| | * For 1 Gb/s of peak incoming traffic, 8.4 GB of storage is required for statistics |
| | </note> |
| | |
| =====Most Common Forms of Attacks on Telecom Operators===== | =====Most Common Forms of Attacks on Telecom Operators===== |
| - Inbound Channel Overflow | - Input channel saturation |
| * Amplification attacks (DNS, NTP, UDP flood, and others)\\ Protection: blackholing attacked addresses or applying flowspec on the uplink channel; other protection methods are ineffective. | * Amplification attacks (DNS, NTP, UDP flood, etc.)\\ Protection: blackhole the targeted addresses or use flowspec on the uplink channel; other protection methods are ineffective. |
| * BotNet attacks — each bot generates relatively small traffic resembling legitimate traffic, but the aggregate traffic exceeds the capacity of the operator's ingress channels; source address spoofing is not performed (see also item 2)\\ Complication: the target IP for the attack often involves not one address, but up to a thousand addresses\\ Protection: blackholing attacked addresses, flowspec on the uplink channel (for certain traffic types), creating a list of BotNet network addresses and blocking them on SSG (for certain traffic types) | * BotNet attacks — each bot generates relatively small traffic similar to legitimate traffic, but cumulatively the traffic exceeds operator input channel capacity; source address spoofing is not performed (see also item 2)\\ Challenge: often up to a thousand IPs are targeted, not just one\\ Protection: blackhole targeted addresses, flowspec on uplink channel (for some traffic types), create BotNet address list and block them on SSG (for some traffic types) |
| - High PPS Attack: | - High PPS attack: |
| * Flood, SYN flood, usually with source IP spoofing\\ Protection: redirecting traffic to SSG for filtering or blackholing attacked addresses | * Flood, SYN flood, usually with source IP spoofing\\ Protection: use source IP spoofing protection mechanisms: [[en:dpi:bras_bng:bras_l2_options:bras_l2_vlan_ipsg|]] and [[en:dpi:bras_bng:bras_l2_options:filtering|]]. Redirect traffic to SSG for filtering or enable blackhole for targeted addresses |
| - Compromise of Operator's Network Elements: detected by SSH and other sessions originating from the operator's pre-configured service addresses toward addresses that are not in the whitelist\\ Protection: detecting such sessions and blocking them by external address | - Compromise of operator network elements: detected by SSH and other sessions originating from the operator's pre-configured service addresses toward addresses not in the whitelist\\ Protection: detect such sessions and block by external address |
| | |
| =====AntiDDoS Solution Architecture Based on SSG and QoE===== | =====AntiDDoS Solution Architecture Based on SSG and QoE===== |
| FastMitigator is an intelligent network attack protection system. It is a distributed traffic analysis module that provides real-time detection and blocking of a wide range of cyber threats. | FastMitigator — an intelligent network attack protection system. It is a distributed traffic analysis module providing real-time detection and mitigation of a wide range of cyber threats. |
| | |
| {{ :en:dpi:dpi_options:opt_ddos:antiddos.png?nolink&900 |}} | {{ :en:dpi:dpi_options:opt_ddos:antiddos.png?nolink&900 |}} |
| | |
| ====Operation Principle==== | ====Operation Principle==== |
| - Deep Traffic Analysis (DPI) and Statistics Export | - Deep traffic analysis (DPI) and statistics export |
| * All traffic passes through DPI (SSG), operating in-line or on a traffic mirror. | * All traffic passes through DPI (SSG), operating in-line or on a traffic mirror. |
| * Full NetFlow in IPFIX format is sent to the QoE system for detailed analysis. | * Full NetFlow in IPFIX format is sent to QoE for detailed analysis. |
| - Statistics Analysis and Baseline Formation | - Statistical analysis and baseline creation |
| * The analyzer processes Full NetFlow and creates a "normal profile" — a baseline of "healthy" traffic (without attacks and botnet activity). | * Analyzer processes Full NetFlow and creates a "normal profile" — a baseline of "healthy" traffic (without attacks or BotNet activity). |
| * The profile is stored in QoE's distributed tables for fast access. | * Profile is stored in distributed QoE tables for fast access. |
| - Anomaly Detection | - Anomaly detection |
| * A detector based on neural networks and machine learning algorithms identifies deviations, classifies threats, and determines their sources. | * Detector based on neural networks and machine learning algorithms identifies deviations, classifies threats, and determines their sources. |
| - Traffic Scrubbing Based on Dynamic Rules | - Traffic cleaning based on dynamic rules |
| * Upon attack detection, QoE forms an Attacks container containing: | * When an attack is detected, QoE creates an Attacks container containing: |
| * IP addresses of attacking hosts | * IP addresses of attacking hosts |
| * Ports used for attacks | * Ports used for attacks |
| * The container is transmitted to the SSG DPI, where special Attacks protocols (or protocol groups) are created for each threat type. It is recommended to use a dedicated SSG in in-line mode, which constantly passes all traffic or receives only a portion of traffic for scrubbing. | * Container is sent to SSG DPI, where special Attack protocols (or protocol groups) are created for each threat type. It is recommended to use a dedicated SSG in in-line mode, which constantly passes all traffic or receives only part of it for cleaning. |
| * Protection profiles are pre-configured on DPI (e.g., via "18. Session Policing"), where for Attack protocols the following actions are applied as long as the operator's channel capacity is not exhausted: | * Protection profiles are pre-configured on DPI (e.g., via "18. Session Policing"); for Attack protocols the following actions are applied as long as operator channel capacity is not exhausted: |
| * Drop (complete blocking) | * Drop (full block) |
| * Policing (bandwidth limiting) | * Policing (bandwidth limitation) |
| * The Attacks container is updated in real-time: if an attack stops, IP hosts are removed from the list. | * Attacks container is updated in real-time: if the attack stops, IP hosts are removed from the list. |
| - Protection via BGP using Blackhole and Flowspec | - Protection via BGP using blackhole and flowspec |
| * In cases where the operator's channel capacity is exhausted, the Attacks container can be passed to a special script that automatically adds subscriber IPs to a blackhole, ensuring the maximum level of protection for the operator's infrastructure. Inbound traffic to these subscribers is dropped at the Uplink channel. | * If operator channel capacity is exhausted, Attacks container can be sent to a special script that automatically adds subscriber IPs to blackhole, ensuring maximum infrastructure protection. Incoming traffic to these subscribers is dropped on the uplink channel. |
| * To allow subscribers on blocked public IP addresses to continue accessing the internet, it is necessary to temporarily change their IP address — enable the CG-NAT service on SSG (use a previously announced public address pool). Thus, there is no need to change the IP address on the subscriber's device during the attack; the subscriber will temporarily access the internet via a different public IP address, and when the attack ends, the original IP address is restored — disable the CG-NAT service on SSG. | * To allow subscribers on blocked public IPs to access the internet, their IP can be temporarily replaced — enable CG-NAT on SSG (using the previously announced public IP pool). This avoids changing the subscriber device IP during the attack. Access is temporarily via a different public IP, and after the attack ends, the original IP is restored — disable CG-NAT on SSG. |
| | |
| ====Advantages of FastMitigator==== | ====FastMitigator Advantages==== |
| - Distributed architecture — high fault tolerance | - Distributed architecture — high fault tolerance |
| - Adaptive protection — automatic rule updates | - Adaptive protection — automatic rule updates |
| - Deep analytics — neural network algorithms + DPI | - Deep analytics — neural network algorithms + DPI |
| - Flexibility — support for various blocking scenarios | - Flexibility — supports different blocking scenarios |
| | |
| ====Organic AntiDDoS System==== | ====Organic AntiDDoS System==== |
| The evolution of the DDoS protection solution aims to filter malicious traffic even before it enters the internet. Deploying SSG AntiDDoS complexes at multiple telecom operators will allow stopping BotNet traffic inside the operator's network. Centralized management via VAS Cloud will enable lightning-fast response to any attacks and leave the transport channels between operators, IXs, and Data Centers untouched. If an attack is detected on any resource protected by SSG AntiDDoS, it is possible to transmit filtering parameters to the operator from which the illegitimate traffic originates. | The development of DDoS protection aims to clean traffic before it reaches the internet. Deploying SSG AntiDDoS complexes across multiple operators will stop BotNet traffic inside the operator network. Centralized management via VAS Cloud allows lightning-fast reaction to any attacks while leaving transport channels between operators, IX, and data centers untouched. Upon detecting an attack on any resource with SSG, parameters for mitigation can be forwarded to the operator from which the illegitimate traffic originates. |
| | |
| {{ :en:dpi:dpi_options:opt_ddos:antiddos-2.png?nolink&900 |}} | {{ :en:dpi:dpi_options:opt_ddos:antiddos-2.png?nolink&900 |}} |
| | |
| | <note tip>[[en:dpi:qoe_analytics:cases:network_health:flood|Use cases of the solution]]</note> |
| | |
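The "Operation Principle" list above describes a chain (baseline from exported flow statistics, anomaly detection per destination, an Attacks container of attacking hosts and ports, then either scrubbing on SSG or a BGP blackhole/flowspec on the uplink when channel capacity is exhausted) without showing it in code. The block below is an added illustration of that chain written for this page; it is not FastMitigator, SSG or QoE code. The flow-record layout, the 1-second export interval, the mean-plus-k-sigma threshold, the fields of the Attacks container, the SSG rule dictionaries and the ExaBGP-style announcement strings (the BLACKHOLE community 65535:666 itself is the RFC 7999 value) are all assumptions made for the example; all traffic volumes are constructed.

```python
"""Added example, not FastMitigator / VAS Experts code: walks the chain
"baseline -> anomaly detection -> Attacks container -> mitigation choice"
from the Operation Principle list. Flow records, container layout,
thresholds, the 1-second export interval and the ExaBGP-style strings are
all assumptions made for this illustration."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record for a 1 s export interval (assumed layout)."""
    src: str
    dst: str
    proto: str
    dport: int
    packets: int  # packets in the interval; equals pps for a 1 s interval


# Constructed quiet intervals used to build the "normal profile".
BASELINE_INTERVALS = [
    [Flow("192.0.2.1", "203.0.113.10", "tcp", 443, 900 + 20 * i),
     Flow("192.0.2.2", "203.0.113.10", "udp", 53, 100 + 5 * i),
     Flow("192.0.2.3", "203.0.113.20", "tcp", 80, 1200 - 10 * i)]
    for i in range(6)
]

# Constructed interval with an amplification-style UDP/53 flood toward .10.
ATTACK_INTERVAL = [
    Flow("192.0.2.1", "203.0.113.10", "tcp", 443, 950),
    Flow("192.0.2.3", "203.0.113.20", "tcp", 80, 1150),
] + [Flow(f"198.51.100.{n}", "203.0.113.10", "udp", 53, 40_000) for n in range(1, 11)]


def packets_per_dst(flows):
    """Sum packets per destination address for one interval."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.dst] += f.packets
    return totals


def build_baseline(intervals):
    """Normal profile per destination: mean/std-dev of packets per interval
    and the set of sources seen while no attack was in progress."""
    dsts = {f.dst for iv in intervals for f in iv}
    series, known = defaultdict(list), defaultdict(set)
    for iv in intervals:
        totals = packets_per_dst(iv)
        for dst in dsts:
            series[dst].append(totals.get(dst, 0))
        for f in iv:
            known[f.dst].add(f.src)
    return {dst: {"mean": mean(v), "std": pstdev(v), "sources": known[dst]}
            for dst, v in series.items()}


def detect_attacks(baseline, flows, k=4.0, floor=5000):
    """Build an Attacks container (assumed layout): destinations whose volume
    exceeds mean + k*std (and an absolute floor), plus the sources and ports
    responsible. A source is blamed if it is unknown to the profile or alone
    sends more than the destination's normal per-interval mean."""
    totals = packets_per_dst(flows)
    container = {"targets": [], "sources": set(), "ports": set()}
    for dst, pkts in totals.items():
        prof = baseline.get(dst, {"mean": 0.0, "std": 0.0, "sources": set()})
        if pkts <= max(floor, prof["mean"] + k * prof["std"]):
            continue
        container["targets"].append(dst)
        for f in flows:
            if f.dst != dst:
                continue
            if f.src not in prof["sources"] or f.packets > prof["mean"]:
                container["sources"].add(f.src)
                container["ports"].add(f.dport)
    return container


def choose_mitigation(container, flows, link_capacity_pps, next_hop="192.0.2.254"):
    """Scrub on SSG while the uplink has headroom (drop the blamed sources on
    the attack ports); when ingress would exhaust the uplink, fall back to a
    BGP blackhole of the target plus a flowspec discard for the attack ports.
    Command strings follow ExaBGP's API style and are an assumption."""
    ingress = sum(f.packets for f in flows)
    if ingress < link_capacity_pps:
        rules = [{"action": "drop", "src": src, "dports": sorted(container["ports"])}
                 for src in sorted(container["sources"])]
        return {"mode": "ssg", "rules": rules}
    announcements = []
    for t in container["targets"]:
        announcements.append(
            f"announce route {t}/32 next-hop {next_hop} community [65535:666]")
        for port in sorted(container["ports"]):
            announcements.append(
                f"announce flow route {{ match {{ destination {t}/32; "
                f"destination-port ={port}; }} then {{ discard; }} }}")
    return {"mode": "bgp", "announcements": announcements}


if __name__ == "__main__":
    profile = build_baseline(BASELINE_INTERVALS)
    attacks = detect_attacks(profile, ATTACK_INTERVAL)
    print("targets:", attacks["targets"], "ports:", sorted(attacks["ports"]))
    print("headroom  ->", choose_mitigation(attacks, ATTACK_INTERVAL, 1_000_000)["mode"])
    print("saturated ->", choose_mitigation(attacks, ATTACK_INTERVAL, 100_000)["mode"])
```

With the constructed data only 203.0.113.10 crosses its baseline, the ten 198.51.100.x senders (absent from the normal profile) land in the container while the known source 192.0.2.1 does not, and the same container yields per-source drop rules when the uplink has headroom but a /32 blackhole plus a port-specific flowspec discard once ingress reaches link capacity, which mirrors the two branches the list describes. In a real deployment the profile would also track bytes and per-protocol counters, and the blackhole step is the one that removes the subscriber's reachability entirely, which is why the page pairs it with the temporary CG-NAT workaround.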