| en:dpi:dpi_options:opt_ddos:ddos_description [2026/02/17 14:17] – [Organic AntiDDoS System] elena.krasnobryzh | en:dpi:dpi_options:opt_ddos:ddos_description [2026/02/19 13:24] (current) – elena.krasnobryzh |
|---|
| ====== Description of tools and architecture ====== | ======Description of Tools and Architecture====== |
| {{indexmenu_n>1}} | {{indexmenu_n>1}} |
| **VAS Experts offers a solution to protect telecom operators and their infrastructure from DDoS attacks that may prevent the operator from serving subscribers. As a result, this can lead to massive subscriber churn, financial losses, and reputational damage.** | |
| |
| VAS Experts offers several DDoS protection options: | **VAS Experts offers a solution to combat DDoS attacks on telecom operators and their infrastructure, which can result in the operator being unable to serve its subscribers. Consequences include mass subscriber churn, financial and reputational losses.** |
| - Using only SSG with the built-in automatic protection against SYN Flood, UDP Flood, and HTTP Flood. Requires SSG with the DDoS auto-protection option (**ddos**). | |
| - Using a combination of SSG and QoE to detect any type of DDoS attack with the ability to fully block incoming traffic (**blackhole**) and perform traffic scrubbing on SSG. Requires SSG with the IPFIX statistics collection and export option (**ipfix**) and QoE with the BotNet and DDoS detection and mitigation option (**blackhole and flowspec**) (**antiddos**). For traffic scrubbing, existing SSG versions can be used (available in: BASE, BRAS with **mark** and **channels** options, COMPLETE). A dedicated SSG BASE server can also be deployed to process part of the traffic. | VAS Experts provides several options for DDoS protection: |
| | - Using SSG only with auto-protection against SYN Flood, UDP Flood, and HTTP Flood. Requires SSG with the Anti-DDoS Auto-protection option (**ddos**). **[[en:dpi:dpi_options:opt_ddos:ssg_ddos|More about configuring DDoS protection using SSG DPI]]** |
| | - Using a combination of SSG and QoE to detect all types of DDoS attacks with the ability to fully block incoming traffic (**blackhole**) and clean it on SSG. Requires SSG with the option to collect and export protocol and direction statistics in IPFIX format (**ipfix**) and QoE with the BotNet and DDoS traffic detection and cleaning option (**blackhole and flowspec**) (**antiddos**). For traffic cleaning, existing SSGs can be used (available in versions: BASE, BNG with **mark** and **channels** options, COMPLETE), or a dedicated SSG BASE server can be deployed to handle part of the traffic. **[[en:dpi:dpi_options:opt_ddos:qoe_ddos|More about configuring DDoS and BotNet detection based on QoE]]** |
| |
| <note tip> | <note tip> |
| Licensing of the AntiDDoS option within SSG and QoE is described [[en:dpi:licensing|here]].\\ \\ | Licensing of the AntiDDoS option within SSG and QoE is described [[en:dpi:licensing|here]].\\ \\ |
| Requirements: | Requirements: |
| * Latest versions of QoE and GUI. Any QoE license is suitable; AntiDDoS is purchased as a separate option. | * Latest versions of QoE and GUI. Any QoE license; AntiDDoS is purchased as a separate option. |
| * SSG licenses BASE / COMPLETE / BRAS with additional options [[en:dpi:dpi_options:opt_priority|mark]] and [[en:dpi:dpi_options:opt_shaping|channels]] | * SSG license BASE / COMPLETE / BNG with additional options [[en:dpi:dpi_options:opt_priority|mark]] and [[en:dpi:dpi_options:opt_shaping|channels]] |
| * QoE must be installed on a separate server or VM, **NOT on the SSG server** | * QoE installed on a separate server or VM, **NOT on the SSG server** |
| * 8.4 GB of storage is required per 1 Gbps of peak incoming traffic for statistics retention | * For 1 Gbps of peak incoming traffic, 8.4 GB is required for statistics storage |
| </note> | </note> |
| |
| ===== Most common types of attacks on telecom operators ===== | =====Most Common Forms of Attacks on Telecom Operators===== |
| - Saturation of inbound links | - Input channel saturation |
| * Amplification attacks (DNS, NTP, UDP flood, and others)\\ Protection: blackhole for attacked addresses or applying flowspec on the uplink channel; other protection methods are ineffective. | * Amplification attacks (DNS, NTP, UDP flood, etc.)\\ Protection: blackhole the targeted addresses or use flowspec on the uplink channel; other protection methods are ineffective. |
| * BotNet attacks — each bot generates relatively small traffic similar to legitimate traffic, but in total the traffic exceeds the capacity of the operator’s inbound links; source IP spoofing is not used (see also section 2)\\ Complication: the attack target is often not a single IP address but up to thousands of addresses\\ Protection: blackhole for attacked addresses, flowspec on the uplink channel (for certain traffic types), creation of a BotNet address list and blocking them on SSG (for certain traffic types) | * BotNet attacks — each bot generates relatively small traffic similar to legitimate traffic, but cumulatively the traffic exceeds operator input channel capacity; source address spoofing is not performed (see also item 2)\\ Challenge: often up to a thousand IPs are targeted, not just one\\ Protection: blackhole targeted addresses, flowspec on uplink channel (for some traffic types), create BotNet address list and block them on SSG (for some traffic types) |
| - High PPS attacks: | - High PPS attack: |
| * Flood, SYN flood, usually with source IP spoofing\\ Protection: use source IP anti-spoofing mechanisms: [[en:dpi:bras_bng:bras_l2_options:bras_l2_vlan_ipsg|]] and [[en:dpi:bras_bng:bras_l2_options:filtering|]]. Enable traffic redirection to SSG for filtering or activate blackhole for attacked addresses. | * Flood, SYN flood, usually with source IP spoofing\\ Protection: use source IP spoofing protection mechanisms: [[en:dpi:bras_bng:bras_l2_options:bras_l2_vlan_ipsg|]] and [[en:dpi:bras_bng:bras_l2_options:filtering|]]. Redirect traffic to SSG for filtering or enable blackhole for targeted addresses |
| - Compromise of operator network elements: detected by the presence of SSH and other sessions from operator service addresses that are preconfigured and not included in the whitelist\\ Protection: detection of such sessions and blocking by external address | - Compromise of operator network elements: detected by the presence of SSH and other sessions from operator service addresses, which are pre-configured and not in the whitelist\\ Protection: detect such sessions and block by external address |
| |
| ===== AntiDDoS solution architecture based on SSG and QoE ===== | =====AntiDDoS Solution Architecture Based on SSG and QoE===== |
| FastMitigator is an intelligent network attack protection system. It is a distributed traffic analysis module that ensures real-time detection and mitigation of a wide range of cyber threats. | FastMitigator is an intelligent network attack protection system. It is a distributed traffic analysis module providing real-time detection and mitigation of a wide range of cyber threats. |
| |
| {{:en:dpi:dpi_options:opt_ddos:antiddos.png?nolink&900 |}} | {{ :en:dpi:dpi_options:opt_ddos:antiddos.png?nolink&900 |}} |
| |
| ==== Operating principle ==== | ====Operation Principle==== |
| - Deep traffic inspection (DPI) and statistics export | - Deep traffic analysis (DPI) and statistics export |
| * All traffic passes through DPI (SSG), operating in-line or via traffic mirroring. | * All traffic passes through DPI (SSG), operating in-line or on a traffic mirror. |
| * Full NetFlow in IPFIX format is sent to the QoE system for detailed analysis. | * Full NetFlow in IPFIX format is sent to QoE for detailed analysis. |
| - Statistics analysis and baseline creation | - Statistical analysis and baseline creation |
| * The analyzer processes Full NetFlow and creates a “normal profile” — a baseline of “healthy” traffic (without attacks or botnet activity). | * Analyzer processes Full NetFlow and creates a "normal profile" — a baseline of "healthy" traffic (without attacks or BotNet activity). |
| * The profile is stored in distributed QoE tables for fast access. | * Profile is stored in distributed QoE tables for fast access. |
| - Anomaly detection | - Anomaly detection |
| * A detector based on neural networks and machine learning algorithms identifies deviations, classifies threats, and determines their sources. | * Detector based on neural networks and machine learning algorithms identifies deviations, classifies threats, and determines their sources. |
| - Traffic scrubbing using dynamic rules | - Traffic cleaning based on dynamic rules |
| * When an attack is detected, an Attacks container is generated in QoE containing: | * When an attack is detected, QoE creates an Attacks container containing: |
| * IP addresses of attacking hosts | * IP addresses of attacking hosts |
| * Ports used for attacks | * Ports used for attacks |
| * The container is transmitted to SSG DPI, where special Attacks protocols (or protocol groups) are created for each threat type. It is recommended to use a dedicated SSG in in-line mode that continuously passes all traffic or receives only part of the traffic for scrubbing. | * Container is sent to SSG DPI, where special Attack protocols (or protocol groups) are created for each threat type. It is recommended to use a dedicated SSG in in-line mode, which constantly passes all traffic or receives only part of it for cleaning. |
| * Protection profiles are preconfigured on DPI (for example, via “18. Session policing”), where for Attack protocols the following actions are applied if channel capacity is not exhausted: | * Protection profiles are pre-configured on DPI (e.g., via "18. Session Policing"), where the following actions are applied to Attack protocols if operator channel capacity is not exhausted: |
| * Drop (complete blocking) | * Drop (full block) |
| * Policing (bandwidth limitation) | * Policing (bandwidth limitation) |
| * The Attacks container is updated in real time: if the attack stops, host IPs are removed from the list. | * Attacks container is updated in real-time: if the attack stops, host IPs are removed from the list. |
| - Protection via BGP using blackhole and flowspec | - Protection via BGP using blackhole and flowspec |
| * If the operator’s channel capacity is exhausted, the Attacks container can be passed to a special script that automatically adds subscriber IPs to blackhole, ensuring maximum infrastructure protection. Incoming traffic to these subscribers is dropped at the uplink channel. | * If operator channel capacity is exhausted, Attacks container can be sent to a special script that automatically adds subscriber IPs to blackhole, ensuring maximum infrastructure protection. Incoming traffic to these subscribers is dropped on the uplink channel. |
| * To ensure subscribers with blocked public IP addresses continue to access the Internet, their IP address must be temporarily substituted — enable the CG-NAT service on SSG (using a previously announced public IP pool). This eliminates the need to change the IP address on the subscriber’s device during the attack. The subscriber temporarily receives Internet access via another public IP address, and after the attack ends, the original IP address is restored — disable the CG-NAT service on SSG. | * To allow subscribers on blocked public IPs to access the internet, their IP can be temporarily replaced — enable CG-NAT on SSG (using the previously announced public IP pool). This avoids changing the subscriber device IP during the attack. Access is temporarily via a different public IP, and after the attack ends, the original IP is restored — disable CG-NAT on SSG. |
| |
| ==== FastMitigator advantages ==== | ====FastMitigator Advantages==== |
| - Distributed architecture — high fault tolerance | - Distributed architecture — high fault tolerance |
| - Adaptive protection — automatic rule updates | - Adaptive protection — automatic rule updates |
| - Deep analytics — neural network algorithms + DPI | - Deep analytics — neural network algorithms + DPI |
| - Flexibility — support for different blocking scenarios | - Flexibility — supports different blocking scenarios |
| | |
| | ====Organic AntiDDoS System==== |
| | The development of DDoS protection aims to clean traffic before it reaches the internet. Deploying SSG AntiDDoS complexes across multiple operators will stop BotNet traffic inside the operator network. Centralized management via VAS Cloud allows lightning-fast reaction to any attacks while leaving transport channels between operators, IX, and data centers untouched. Upon detecting an attack on any resource with SSG, parameters for mitigation can be forwarded to the operator from which the illegitimate traffic originates. |
| |
| ==== Organic AntiDDoS System ==== | {{ :en:dpi:dpi_options:opt_ddos:antiddos-2.png?nolink&900 |}} |
| Further development of the DDoS protection solution is aimed at scrubbing traffic before it reaches the Internet network. Deployment of SSG AntiDDoS systems across multiple telecom operators allows BotNet traffic to be stopped within the operator’s network. Centralized management via VAS Cloud enables rapid response to any attack while keeping even transport links between operators, IX, and data centers unaffected. If an attack is detected on any resource protected by SSG, scrubbing parameters can be transmitted to the operator from which the illegitimate traffic originates. | |
| |
| {{:en:dpi:dpi_options:opt_ddos:antiddos-2.png?nolink&900 |}} | <note tip>[[en:dpi:qoe_analytics:cases:network_health:flood|Use cases of the solution]]</note> |
| \\ \\ | |
| <note tip>[[en:dpi:qoe_analytics:cases:network_health:flood|Solution usage scenarios]]</note> | |
| |
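As an added illustration of the operating principle described in the table above (not VAS Experts code), the following models the normal profile built from Full NetFlow, the Attacks container with attacking hosts and ports, and the choice between scrubbing on SSG and BGP blackhole once uplink capacity is exhausted. All flow records, addresses, thresholds and function names are constructed assumptions for this example, not SSG or QoE configuration.

```python
# Added illustration of the FastMitigator flow described on this page; not VAS Experts code.
# Flow records, thresholds, addresses and function names are assumptions built for the example.
from collections import defaultdict

# Constructed IPFIX-like records: (src_ip, dst_ip, dst_port, packets per interval)
BASELINE_FLOWS = [  # "healthy" traffic used to build the normal profile
    ("10.0.0.1", "203.0.113.10", 443, 120), ("10.0.0.2", "203.0.113.10", 443, 90),
    ("10.0.0.3", "203.0.113.20", 80, 60), ("10.0.0.4", "203.0.113.20", 80, 40),
]
LIVE_FLOWS = [  # current interval: two unknown hosts flood 203.0.113.10 on UDP ports
    ("10.0.0.1", "203.0.113.10", 443, 110), ("198.51.100.7", "203.0.113.10", 53, 900),
    ("198.51.100.8", "203.0.113.10", 123, 850), ("10.0.0.3", "203.0.113.20", 80, 70),
]

def build_profile(flows):
    """Normal profile per destination: total packets and the heaviest single source."""
    total, peak = defaultdict(int), defaultdict(int)
    for _src, dst, _port, pkts in flows:
        total[dst] += pkts
        peak[dst] = max(peak[dst], pkts)
    return {dst: {"total": total[dst], "peak_src": peak[dst]} for dst in total}

def detect_attacks(profile, flows, factor=5):
    """Build the Attacks container: for each destination whose traffic exceeds
    factor x baseline, list sources above the baseline single-source peak and their ports.
    Destinations absent from the baseline have a zero baseline and are therefore flagged."""
    per_dst = defaultdict(lambda: defaultdict(int))  # dst -> src -> packets
    ports = defaultdict(lambda: defaultdict(set))    # dst -> src -> ports used
    for src, dst, port, pkts in flows:
        per_dst[dst][src] += pkts
        ports[dst][src].add(port)
    container = {}
    for dst, sources in per_dst.items():
        base = profile.get(dst, {"total": 0, "peak_src": 0})
        if sum(sources.values()) <= factor * base["total"]:
            continue
        attackers = {s for s, p in sources.items() if p > base["peak_src"]}
        container[dst] = {"hosts": sorted(attackers),
                          "ports": sorted(p for s in attackers for p in ports[dst][s])}
    return container

def choose_mitigation(container, flows, uplink_capacity_pps):
    """Scrub on SSG (drop attacker hosts) while the uplink has headroom; otherwise
    hand the attacked address to BGP blackhole so the traffic is dropped upstream."""
    incoming_pps = sum(pkts for _s, _d, _p, pkts in flows)
    mode = "ssg_drop" if incoming_pps < uplink_capacity_pps else "bgp_blackhole"
    return {dst: (mode, entry["hosts"] if mode == "ssg_drop" else [dst])
            for dst, entry in container.items()}
```

The same container feeds both paths: with headroom the attacker hosts become an Attack protocol dropped on SSG, without it the attacked address itself goes to blackhole, which is why the page pairs blackhole with temporary CG-NAT for the affected subscriber.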