DDoS Attack Mitigation

Block the attack, let legitimate traffic through

Mitigation is the term used to designate the means and measures put in place to reduce the negative effects of a DDoS attack. It consists of filtering illegitimate traffic and hoovering it up with the VAC, while letting legitimate packets go through.

The VAC consists of multiple devices, each with a specific function to block one or more types of attack (DDoS, Flood, etc.). Depending on the attack, one or more defense strategies may be put in place on each VAC device.

Components of the VAC

Actions carried out on the Pre-Firewall

  • UDP fragments
  • Packet size
  • Authorization of TCP, UDP, ICMP, GRE protocols
  • Blocking all other protocols

Actions carried out on the Firewall Network

  • Authorize/block an IP or a sub-network of IPs
  • Authorize/block a protocol:
    • IP (all protocols)
    • TCP
    • UDP
    • ICMP
    • GRE
  • Authorize/block a port or TCP/UDP port interval
  • Authorize/block TCP SYN packets
  • Authorize/block all packets except TCP SYN

Actions carried out on the Shield

  • Malformed IP header
  • Incorrect IP checksum
  • Incorrect UDP checksum
  • ICMP limitation
  • Incorrectly fragmented UDP datagram
  • DNS amplification

Actions carried out on the Armor

  • Malformed IP header
  • Incomplete fragment
  • Incorrect IP checksum
  • Duplicated fragment
  • Fragment too long
  • IP/TCP/UDP/ICMP packet too long
  • Incorrect TCP/UDP checksum
  • Invalid TCP flags
  • Invalid sequence number
  • Zombie detection
  • TCP SYN authentication
  • DNS authentication
  • Badly formed DNS request
  • DNS limitation
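
To make three of the checks listed above concrete (malformed IP header, incorrect IP checksum, and the Pre-Firewall protocol allowlist), here is an added example; it is not the VAC's own code. The function names, verdict strings, check order and sample packets are assumptions made for illustration.

```python
import struct

# Protocols the Pre-Firewall list authorizes, by IANA protocol number.
ALLOWED_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(packet: bytes) -> str:
    """Return a verdict string (hypothetical labels) for one raw IPv4 packet."""
    if len(packet) < 20:
        return "drop: malformed IP header"
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if version != 4 or not 20 <= ihl <= len(packet):
        return "drop: malformed IP header"
    if not ihl <= total_len <= len(packet):
        return "drop: malformed IP header"
    # A header that carries a correct checksum sums to zero when re-checked.
    if inet_checksum(packet[:ihl]) != 0:
        return "drop: incorrect IP checksum"
    if packet[9] not in ALLOWED_PROTOCOLS:
        return "drop: protocol not authorized"
    return "pass"

def make_packet(proto: int, payload: bytes) -> bytes:
    """Constructed sample: option-less IPv4 header, documentation addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def corrupt(packet: bytes, offset: int) -> bytes:
    """Flip every bit of one byte, as damage in transit or a sloppy forger would."""
    return packet[:offset] + bytes([packet[offset] ^ 0xFF]) + packet[offset + 1:]

if __name__ == "__main__":
    good = make_packet(17, b"\x00" * 8)
    for name, pkt in [("valid UDP", good), ("bad checksum", corrupt(good, 8)),
                      ("truncated", good[:12]), ("SCTP", make_packet(132, b""))]:
        print(f"{name:13} -> {classify(pkt)}")
```

The header checks run before the protocol allowlist here only because the protocol field cannot be trusted until the header parses; the page does not state the order the real devices use.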