Protect remote (and not only) with Netflow

4 min


Any resource can be subjected to a DDoS attack. Most often, attacks are targeted – attackers may try to put a site with some information (various types of media and sites with TV broadcasts have encountered this, and more than once). Trade enterprises and banks also suffer from this, for them a simple system is quite critical, people are used to entering a bank or online store application and transferring money or buying goods in a couple of clicks. Therefore, there are both obvious financial losses and a decrease in customer loyalty immediately.

If every DDoS looked like this. But no
If every DDoS looked like this. But no

Even if you have a medium-sized business, and not a store with thousands of products, DDoS is still not a very pleasant thing that would be good to prevent. Besides DDoS, the overall level of information security is worth maintaining. Especially now, when many companies have switched to telecommuting, and some employees work not only from corporate laptops, but also from personal ones.

We are at Beeline. Business begins to provide a service called “NetFlow DDoS Attack Protection”. In this post, we will explain what it is and how it works.

We decided to make protection not only of high quality, but also affordable. In 2018 (remember there was a time when there were spectators on football?), The solution to provide our DDoS protection during the World Cup was built on the network analysis and anomaly detection platform from Genie Networks. Today, de facto, almost all of Asia uses Genie.

Now we provide this solution for the rest.

As the name implies, we collect data on client traffic at the network level using the NetFlow protocol. The basic architecture of NetFLow is described by the following scheme (Wikipedia).

In short, the service works like this:

  1. The client connects to us, the system collects and analyzes in detail data about his traffic using the NetFlow protocol.

  2. NetFlow has an analyzer (here’s that lovely PC icon in the picture above). Based on its analysis, a message is generated to our Cleaning Center – an attack has been detected. Immediately after that, the router receives a command to switch client traffic to the Cleaning Center (we have our own center at Radware, it is the world leader in information security). Not later than 18 seconds after this, the attack begins to be deflected.

  3. Just repelling the attack is not enough. Therefore, after that, we form a traffic policy for a specific client, all this, too, based on data from the Cleaning Center.

  4. It happens that at the previous stage, for some reason, it is not possible to determine the traffic profile in automatic mode. In this case, our technology partners in the field of information security (“ECON Technologies”) configure this profile manually, and, if necessary, switch the client’s traffic to our Cleaning Center also manually.

  5. After passing through the Cleaning Center, the correct traffic is directed to the client’s resources, already without DDoS elements.

Let’s say a DDoS attack is launched on a client’s resources. If its value is approximately 80-95% of the client’s network bandwidth, then yes, the equipment we installed will cope with the protection. But if the evil dooser decide to strain themselves and clog almost the entire client bandwidth, more than 80-95%, then here we automatically transfer the client’s traffic to our Cleaning Center.

And now for more details.

What is inside

We built the protection system using Genie Networks equipment, they have excellent statistics both in terms of false positives and missed threats: both there and there are no more than 1%. And, as we wrote just above, such a bundle proved to be excellent during the 2018 FIFA World Cup. Using the Genie Network as a traffic analyzer, and Radware for the operation of the cleaning center itself, allows us to make the solution significantly more affordable, without losing protection.

Beeline’s own Cleaning Center operates on two DefensePro.

Cisco 3750 is responsible for distributing more-specific routes of client networks – a BGP session is configured between it and the Route-Reflector, into which Cisco gives more-specific prefixes. These prefixes are the basis on which client traffic is redirected to the Cleanup Center and then to the ASR9010, where more-specific is prohibited from the Cisco 3750. The ASR9010 then puts the cleaned client traffic into MPLS and sends it to DDoS-PE, where the client is terminated.

How NetFlow DDoS Protection Will Help

At a minimum, deal with the following list of troubles:

  • Memcached Attack

  • Sentinel Amplification Attack

  • RIPV1 Amplification Attack

  • Microsoft SQL Resolution Service Amplification

  • Portmapper amplification

  • Steam Amplification

  • Quake Network Protocol

  • QOTD Amplification

  • NetBIOS Amplification

  • TFTP Amplification

  • SNMP Amplification

  • Chargen Amplification

  • HTTP Flooding

  • XMAS- DDoS

  • SSDP Amplification Attack

  • NTP Amplification

  • TCP FIN Flooding

  • TCP SYN-RST Flooding

  • TCP SYN-FIN Flooding

  • Garbage mail

  • Trojan.Heloag

  • DNS Amplification

  • TCP Port Scan

  • Host TCP Traffic

  • IPv4 Dark IP

You can also set up a quick alert – the responsible specialist will immediately receive a notification of a DDoS attack that has begun via email, SMS or phone call.

The analysis of the attack level takes half a minute: the specifics of Radware’s work is that the equipment updates statistics every 15 seconds, therefore, in order to accurately detect the excess of the channel bandwidth, two such responses are needed.

In addition to the main connection method, there are others: after all, one client can supply equipment at his place, while the other, for a number of reasons, cannot.

How can you connect

There are 4 options for connecting this service, depending on what functions you need:

1. The client purchases or leases traffic cleaning equipment from us. If you choose this option, only the traffic is cleaned itself, without repelling DDoS attacks. The formation of the necessary security policies and control of training are carried out by our specialists.

2. The same as in the first option, but additionally – with DDoS protection, in the event of an attack, the client’s traffic will be switched to our traffic cleaning center.

3. Traffic is cleaned using equipment that the client already has. If suddenly there is DDoS, then we switch traffic to our cleaning center. Important: in this case, the formation of security policies and control of training is the client’s task and area of ​​responsibility.

4. Detection of attacks using Netflow analysis. Here the traffic does not go 24 * 7 through the cleaning equipment, it switches only based on the Netflow analysis. When traffic is switched to the cleaning center, attacks are detected and reflected at all layers of the OSI model, including attacks at the application level. The only exceptions are attacks within the IPSEC, SSSL / TLS and the like.

Where to connect

We provide this solution not only to current customers who already have an Internet connection from Beeline, but also to those who prefer to use the services of another telecom operator.

You can read more and connect at product page


0 Comments

Leave a Reply