How to fight DDoS attacks: Three answers from DE-CIX

Sponsored content

In the past weeks and months, massive DDoS attacks have been congesting networks and compromising Internet services all over the globe. DE-CIX provides three services that clearly mitigate and limit the impact of massive DDoS attacks: First, DE-CIX’s Blackholing service enables networks to drop DDoS traffic before it reaches the attacked host. Second, networks can use Remote Blackholing to get rid of DDoS traffic even closer to the source of origin. Third, DE-CIX DirectCLOUD service enables networks to completely separate traffic destined to Cloud Service Providers such as Amazon AWS or Microsoft Azure from Internet traffic, so that it is not affected by DDoS attacks at all. 

Fighting DDoS attacks locally 

The enormous DDoS attacks we all have observed recently clearly show the need for countermeasures to relieve networks of crippling levels of DDoS traffic. DE-CIX provides the Blackholing service free of charge at each of its Internet Exchanges, which allows network operators to drop DDoS traffic destined for an attacked host before it congests the operator’s network. Traffic flowing to the victim will be dropped on the DE-CIX platform, so that resources are protected against the increased loads caused by the attack. 

Getting rid of DDoS traffic closer to the source of origin – globally

If a host located in a network connected to DE-CIX New York is attacked, for example, the network can use DE-CIX’s Blackholing service in New York to get rid of the DDoS traffic. This is very effective at the Internet Exchange locally. However, sometimes this local Blackholing is not enough. In the case of a DDoS attack, the attack traffic is sent to the attacked host via several backbones and networks. But often, DDoS traffic has already travelled thousands of miles to reach the host under attack, congesting existing backbones and Internet infrastructure. When DDoS attacks get as big as the colossal ones recently observed, solutions that are more sophisticated are needed, which allow traffic to be dropped as close to the source of the DDoS traffic as possible. This is what DE-CIX’s Remote Blackholing is for. 

With this service, networks can announce information about their attacked hosts at other DE-CIX locations (e.g. in Europe or the US). This information triggers the burning of large portions of DDoS traffic already in Europe before it reaches North or South America via IP transit or peering paths - and vice versa. 

This helps to reduce the DDoS traffic volumes and the collateral damage in the home region. Having bigger transit ports and raising network capacity is no longer enough to protect networks against immense DDoS attacks. Being able to get rid of DDoS traffic prior to having it sent via IP transit or peering paths can dramatically reduce the size of an attack. Overall, this reduces the operative burden of mitigating large DDoS attacks and as a result reduces costs.

Separating mission critical cloud traffic from DDoS-prone Internet traffic 

Nowadays, more and more companies rely on cloud service providers for their mission critical business processes. If the networks on the path to these cloud service providers are hit by a massive DDoS attack, the impact can be huge. To limit the impact of these DDoS attacks on mission critical cloud traffic, networks can use DE-CIX´s DirectCLOUD service. This service separates cloud traffic from Internet traffic, making sure that DDoS attacks happening in the Internet do not hit traffic to cloud service providers. 

Three answers, one goal

No matter whether networks fight DDoS attacks locally with Blackholing, get rid of DDoS traffic early with Remote Blackholing, or separate cloud traffic from Internet traffic as a whole, the goal is to unburden networks from DDoS attack traffic to let services run smoothly. 

With the measures described here, the effects of DDoS attacks can be reduced to a point where they become much less threatening.