DDoS-Protection
flowShield is our self-developed, highly flexible and performant Anti-DDoS solution to filter attacks on network (and partly application) level. DDoS-Attacks are filtered automatically. Most customers dont even notice a ongoing mitigation.
In order to mitigate attacks on HTTP, we provide a inline reverse-proxy called flowProxy, which acts as transparent validation proxy, forcing the client to interact. flowProxy needs to be activated manually by the customer, either using our customer area or api.
flowShield Features
Below, you’ll get an overview, how we mainly mitigate DDoS-Attacks on network level.
Technical overview
flowShield DDoS-Filters are based on x86 comodity hardware using Intel Xeon and AMD EPYC CPUs to process the defined application logic. Network connectivity is done using Intel 10G/40G network cards. Traffic is processed in userspace, using the netmap framework, which provides us with really high packet I/O.
Several posix threads has been implemented to handle incoming and outgoing traffic, statistics, export of flow information, dynamically manage flexible filter rules (flexrules), garbage collection, game-query-cache as well as cli commands. Some parts of flowShield has been written in inline Assembler to address some glibc performance limits.
TTD (Time-To-Detect)
DDoS Attacks are usually detected within 2-10 seconds depending on the size of the attack. This applies also for Carpet Bombing Attacks, which might target whole subnets instead of single hosts.
Flowrules
Flowrules are rules, which get deployed on our flowanalyzer infrastructure, which controls our DDoS-Protection. Flowrules can be utilized to trigger certain types of DDoS-Mitigation stages at specific amounts of traffic. Flowrules can match the following:
-
IP-Protocol (e.g. 6 -> TCP)
-
Packetsize (0-2000 bytes, range)
-
Source-Ports (0-65535, range)
-
Dest-Ports (0-65535, range)
-
Traffic Rate (either pps/mbits)
While the following actions can be taken:
-
Log Event
-
Activate Layer4 + Log
-
Activate Layer7 + Log
In the future, we might also provide the ability to announce flowspec routes or blackhole ip-addresses.
Flexrules
Flexrules are intended to allow us configuring the ddos-filters dynamically. Flexrules act similar to well known Router ACLs. Flexrules can match the following conditions:
-
Source-IP-Range (non CIDR)
-
Destination IP-Address
-
IP-Protocol
-
Source-Port-Range (0-65535)
-
Destination-Port-Range (0-65535)
-
Packet-Length-Range (0-1500)
-
Packet Payload (string, 30 bytes max)
-
GeoIP ASN
-
GeoIP Country
The following actions are possible:
-
Discard
-
Accept (Whitelist)
-
Ratelimit after X kpps rate (Whitelist)
-
Ratelimit until X kpps rate (Discard)
ICMP
Echo-Reply packets are ratelimited to 1500 packets per destination ip-address. Once the ratelimit is reached, echo-reply packets are discarded. Echo-Request packets are ratelimited to 1500 packets per destination ip-address. Once the ratelimit is reached, the filter starts answering echo-request packets with echo-reply, packets will be no longer forwarded to the affected ip-address.
TCP
Anomalies
Anomalies such as packets with invalid tcp flag combinations or same source as destination port are discarded.
Ratelimits
Ratelimits might be applied depending on the amount of packets a single client generates.
Synproxy
Every tcp syn packet is authenticated against a so called Synproxy as well as stateful filters. The Synproxy implementation might cause the very first connection attempt to be reset. Usually, this will cause the client to retry the connection, afterwards the tcp handshake is finished.
UDP
UDP Anomaly
Anomalies are well known source-ports used for udp reflection attacks, udp traffic on well known tcp ports such as 22, 25, 80, 443. Beside of that, anomalies are invalid checksums as well as same source as destination port.
UDP Challenge
The following ports are filtered using challenge response authentication:
-
Port 53: All DNS traffic is replied with DNS Truncate, forcing to client to reconnect using TCP
-
Port 2300-2400: Allows only traffic for Arma3/DayZ servers, some packets are cached using Game-Query-Cache
-
Port 9000-9999: Allows only traffic for Teamspeak3 servers, some packets are cached using Game-Query-Cache
-
Port 27000-28000: Allows only traffic for Source Engine Gameservers, some packets are cached using Game-Query-Cache
-
Port 30000-32000: Allows only traffic for FiveM Gameservers, getinfo/getstatus Queries are cached using Game-Query-Cache
UDP Game-Query-Cache
Game-Query-Cache (GQC) is our solution against complex UDP Floods targeting Game- and Voiceservers (such as Teamspeak). The idea behind of the Game-Query-Cache is, to offload as much traffic as possible on the DDoS-Filters (basically the edge), in order to always reply on specific sets of traffic. Game-Query-Cache has been implemented for several portranges and helps to keep Gameservers online, even under very complex attacks.
In order to operate correctly, the customer is supposed to not apply any ratelimits on the protected server. Otherwise, GQC will not work correctly, which will render the protected service offline. All GQC activity is logged and can be reviewed by our customer support staff.
UDP Applications
The following port-ranges has been implemented specifically to operate the following gameservers:
-
2300-2400: DayZ and Arma 3, as well as Arma 3 Query
-
5761-5794: Atlas
-
7000-8999: Generic Games
-
9000-9999: Teamspeak3
-
12800-13100: Hurtworld
-
19132: Minecraft Pocket Edition
-
22000-22020: Rage-MP / MTA
-
22126: Rage-MP / MTA
-
23000-23200: Battlefield
-
27000-28000: All Source Engine / Query Games such as Counter Strike 1.6, Counter Strike Source, Counter Strike GO, The Ship, Garrys Mod, Nuclear Dawn, Call of Duty Modern Warfare 3, Starbound, Space Engineers, 7 Days to Die, Rust, Quake Live, ARK: Survival Evolved, Valheim, Mordhau
-
30000-32000: FiveM GTA-MP
-
36123-36128: Stormworks
Please use the recommended ranges. If you miss a game, please contact our customer service. We will analyze the game in question and add specific filters.
UDP Ratelimit
We have implemented very specific ratelimits for well known udp destination port-ranges. A default rate-limit of 120pps is applied for every source ip-address. Default limits are overrided by custom defined ratelimits. Please make sure to operate your service within custom defined default portrange. For example, Source Engine Games cant be operated stable outside of port 27000-28000, as the ratelimit of 120pps might be too low.
UDP Deep-Packet-Inspection
Some specific packet content of well known attack samples is discarded depending on it’s payload. Therefore, DPI has been implemented.
UDP Firstconnect
In order to filter spoofed udp packets, we have implemented a intelligent algorythm, which tracks the state of a udp packet and reacts accordingly (either accept/discard). The firstconnect filter typically filters all other remaining bad traffic.
Well known technical impact
During active DDoS-Filters, you might notice some impact, such as:
-
Incoming DNS replies are limited to 1.1.1.1, 8.8.4.4, 8.8.8.8 and our own dns caches. Traffic from alternative dns resolvers can be allowed through flexrules.
-
ICMP Traffic might be ratelimited, discarded or replied - icmp packetloss or higher latency might occur (doesnt affect other protocols)
-
TCP Traffic enforces authentication, which might cause the connection to be reset at the first connection attempt
-
UDP Traffic might be ratelimited or enforces reconnection under some circumstances
Please note: ICMP traffic will be ratelimited/replied/discarded. Do not take stability of ICMP traffic into account, whenever the DDoS-Filters are active. Packetloss for ICMP or unusual behavior doesnt mean, there is anything going wrong.
If you encounter any other impact, please contact our customer support. Due to extensive logging and flow collection, we are mostly able to track down any reported anomaly.
flowProxy Features
flowProxy is a inline HTTP client validation reverseproxy, which is activated transparently. Beside of other well known ddos mitigation providers such as companies called C****flare, we dont require you to change your dns records. flowProxy filters are activated on network level, which allows transparent activation.
flowProxy is activated by customer area or API. You can call the API (for example) based on the amount of requests your server is reporting, e.g. by periodically checking the server status. Alternatively, you can permanently switch on flowProxy.
Technical details
flowProxy is a modified, well known reverse proxy, using our own program code to validate visitors based on the possibility if they can interact with the page. Coupled with L7-Captcha, our self written high performance captcha generator, we provide a full stack Layer7 DDoS-Protection solution.
flowProxy runs on comodity x86 hardware and uses Intel 10G network cards to provide even enough headroom for pretty large POST floods. Incoming traffic is prefiltered using a netmap application, which blocks repeatedly abusive clients on network level (IP Ban).
Typical layer7 floods ranging between 500 up to 50.000 requests per second. We have several technical implementations in place to filter even larger attacks.
flowProxy redirects traffic transparently on the following ports:
-
Port 80 - HTTP
-
Port 443 - HTTPS
-
Port 8443 - HTTPS
-
Port 30000-32000 HTTP/HTTPS - FiveM specific caching / filtering
All requests are sent from the following ranges:
-
160.20.144.8/29
-
45.11.17.32/29
-
185.117.1.32/29
-
109.71.255.32/29
Please make sure to whitelist the above ranges. You can use the X-Forwarded-For header to obtain the visitors real ip-addresses using for example apache mod_remoteip or nginx header mapping.
Customization
Currently we provide the ability to define custom challenges such as automated Javascript AES, Button Click as well as Captcha. Depending on the complexity of layer7 attacks, the best approach might be Captcha authentication.
SSL Certificates
Customers are supposed to upload their own ssl certificate upfront. Otherwise, the default (invalid) certificate is served. Please check our customer area as well as API docs for further information.
FiveM Game Filter
We have implemented a FiveM specific caching/filtering proxy on Port 30000-32000. The filter is intended to reply with cache content or block malicious HTTP floods targeting the HTTP server of FiveM. The FiveM filter also blocks exploits intended to crash the FiveM server.
On-Premise Appliance
Beside of DDoS-Protected IP-Transit (over GRE/Crossconnect), we offer also the possibility to run your own DDoS-Filters on-premise, for example to implement redundancy scenarios. Our flowShield Appliance is a fully managed DDoS-Protection Stack, using KVM Virtualization coupled with PCI Passthrough, to detect and filter attacks on Layer3-7.
flowShield on-premise appliances are fully managed and 24/7 monitored, such as our own filters. Full management means, you dont need to care about the operation of your appliance. You just provide us with the hardware, we care about all other aspects.
Minimum hardware requirements:
-
Intel Xeon E5 Quadcore with at least +2,5GHz
-
96GB Memory (64GB for l4-filter, 16GB for l7-filter, 8GB for analyzer, 8GB reserved)
-
Netmap supported Intel or Mellanox 10G/40G NICs (per 10G - 2 CPU Cores, one rx + one tx)
-
2x 250GB Disk for OS + Virtual Machines
Please contact our customer support for a pricing quote.
Wednesday, January 20, 2021
English