DDoS Attack Mitigation

Block the attack, let legitimate traffic through

Mitigation is the term used to designate the means and measures in place that reduce the negative effects of a DDoS attack. Mitigation consists of filtering illegitimate traffic and hoovering it up with the VAC, while letting legitimate packets pass.

The VAC consists of multiple devices, each with a specific function to block one or more types of attack (DDoS, Flood, etc.). Depending on the attack, one or more defense strategies may be put in place on each VAC device.

Components of the VAC


Actions carried out on the Pre-Firewall:

  • UDP fragments
  • Size of packets
  • Authorisation of TCP, UDP, ICMP, GRE protocols
  • Blocking all other protocols

Actions carried out on the Firewall Network:

  • Authorise/block an IP or a sub-network of IPs
  • Authorise/block a protocol:
    • IP (all protocols)
    • TCP
    • UDP
    • ICMP
    • GRE
  • Authorise/block a port or TCP/UDP port interval
  • Authorise/block TCP SYN packets
  • Authorise/block all packets except TCP SYN packets

Actions carried out on the Tilera:

  • Malformed IP header
  • Incorrect IP checksum
  • Incorrect UDP checksum
  • ICMP limitation
  • Malformed UDP datagram
  • DNS amplification

Actions carried out on the Arbor:

  • Malformed IP header
  • Incomplete fragment
  • Incorrect IP checksum
  • Duplicated fragment
  • Fragment too long
  • IP/TCP/UDP/ICMP packet too long
  • Incorrect TCP/UDP checksum
  • Invalid TCP flags
  • Invalid sequence number
  • Zombie detection
  • TCP SYN authentication
  • DNS authentication
  • Badly formed DNS request
  • DNS limitation