= Attack Mitigation Services =

Protection against cyber attacks

Cyber attacks have become a common problem nowadays. At the same time, their stoppage has become a trivial process, but not every ISP is successful in implementing an effective detection and mitigation system.

Often, the solution chosen is "blackholing", which essentially means blocking traffic to the attacked IP address in order to protect other client resources. This method raises several issues, but the most important one is given by the scenario in which multiple (often all) client IP addresses are simultaneously attacked. In this case, the only solution would be to restrict traffic to all attacked addresses and implicitly to achieve the attacker's purpose: DoS (Denial of Service).

Another problem is that of detection time. Most systems use statistics-based and variable-to-average changes rather than peaks using NetFlow or sFlow to collect data. This deployment is inefficient in detecting the majority of small-scale attacks and typically requires a large amount of data to make a decision, resulting in very long intervals, sometimes in the order of ten minutes from the start of the attack to block it. The only advantage of such a system is the low implementation cost.

Providing a 99.99% uptime is not just about ensuring connectivity. When a business depends on the internet connection, a congested link is just as detrimental as an interrupted one. Also, a small-scale "application flood" attack can selectively affect certain company resources in an undetectable way. These attacks typically do not have the goal of interrupting the service but of abusive use of resources that can lead to material loss.

We have developed and implemented the system NAVAMS with the intention of solving all these problems.

Taking into account the facilities of the TCP protocol, this means avoiding packet loss in the event of an attack. To avoid interruption of services, the term "scrubbing" has been introduced in the process of mitigation. When an attack is detected, the traffic to the target IP address is redirected to a high-capacity firewall farm that blocks malicious traffic by allowing only legitimate traffic to reach its destination.

There are, of course, extreme cases in which the attack reaches very high values and the decision is made of "blackholing". What makes the AMS system different from those implemented by other providers is blocking traffic intelligently in the sense that it will never block transit to the affected destination on upstream links where there is no malware traffic or there is the ability to avoid congestion.

All these facilities help deliver the highest quality service without interruption and worry.

Detection of attacks is done using the TAP method, which means that all the traffic entering the network is analyzed in real time and in a transparent way.

Statistics are made at only 2 seconds, resulting in a detection and mitigation time of up to 3 seconds.

Total time of mitigation: 3 seconds

The time elapsed between the start of the attack and the lockout.

Detection time: 2s

Block time: 1s

Reprobing interval: 1m*

* the interval at which the attack stops / deactivates the filters.

Maximum scrubbing capacity:
140Gbps / 20Mpps

Types of mitigated attacks:
High pps / bw rate
TCP, UDP, ICMP, SYN Flood, Fragmentation, Application Flood.

Latency introduced: < 100μ (micro seconds)

Simultaneous victims: 100,000

Simultaneous TCP connections: 128M (millions)


System NAVAMS - Traffic analysis

navAMS - analizarea traficului

System NAVAMS - in action

navAMS - in actiune

If you have questions about the system NAVAMS do not hesitate to contact us!

This site uses cookies. Continue browsing involves their acceptance. More information here.OK