navAMS - DoS/DDoS Protection System

Denial of Service and Distributed Denial of Service attacks have become an increasingly concerning issue within the last few years.
Blocking these attacks is no longer a challenge for the major ISPs; however, for small to mid-sized networks they still pose a major problem.
In the absence of an intelligent filtering mechanism, these networks mitigate an attack by “blackholing” the targeted client IP address in an effort to protect the other clients’ IP addresses. Sometimes, though, the attack targets all of the user’s IP addresses, and the blackholing then applies to every destination IP address.
In both situations the attacker achieves its purpose: disrupting the targeted service. Some might say that blackholing’s single purpose is to protect the rest of the network, but the target’s service still gets disrupted.

Another concern is the detection time. Most detection systems use traffic analysis mechanisms based on certain traffic metrics, matching traffic spikes and sudden bursts against the average throughput. This approach is very ineffective because it fails to identify small-scale but disruptive attacks; catching those would require digesting a large amount of data over a long timespan, sometimes in the range of tens of minutes. Its only advantage is the low deployment cost.

Committing to a 99.99% SLA doesn’t only mean providing the upstream internet access. When your business relies on a good internet uplink, a congested connection is just as bad as a disrupted connection. Moreover, a small-scale “application level” attack can drain your server’s physical resources (CPU, RAM) and render your services unavailable, even though the amount of malicious incoming data is very low. These are the most sophisticated types of attacks, and they are generally easy to counter, but only if your services are managed by highly skilled professionals with advanced experience in network security.

NAV Telecom deployed the advanced AMS to address all of these serious problems.

The attack detection is performed using the TAP method, meaning that all the inbound traffic is transparently analyzed in real-time.

Traffic sampling is performed in 2-second windows, leading to a total detection and mitigation time of only 3 seconds.

Considering the specifics of TCP, this means avoiding packet loss during the attack, as the rather limited resiliency of TCP is enough when detection times are this fast.
This limited resiliency, though, would not be effective without another key ingredient: traffic scrubbing. When an attack is detected, the traffic is automatically routed to a farm of dedicated hardware firewalls for further analysis. These firewalls strip out the malicious traffic while allowing the legitimate traffic to pass unrestricted.

There are, however, serious incidents when massive attacks are aimed at our network. In those rare situations we must resort to “blackholing” so we can keep the network operational during extremely aggressive attacks that exceed 20Gbps or 16Mpps. What makes AMS different from other protection systems is that it will never block the upstream access of providers who aren’t sending malicious inbound traffic to the attacked host, or when there is plenty of bandwidth left to avoid congestion.
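The selective blackholing policy described above, as an added illustrative model (not AMS code): per-upstream samples from one 2-second window are checked against the 20Gbps / 16Mpps thresholds quoted here, and a host is blackholed only on upstreams that both carry malicious traffic toward it and are congested. The sample structure, field names and constructed traffic figures are assumptions.

```python
from dataclasses import dataclass

# Thresholds quoted on the page: beyond these, scrubbing alone is not
# enough and blackholing becomes the fallback.
BLACKHOLE_BPS = 20e9   # 20 Gbps
BLACKHOLE_PPS = 16e6   # 16 Mpps


@dataclass
class UpstreamSample:
    """One 2-second window of inbound traffic from one upstream provider
    toward the attacked host. Field names are assumed, not the product's."""
    provider: str
    bps: float               # bits/s toward the attacked host
    pps: float               # packets/s toward the attacked host
    malicious: bool          # scrubbing farm flagged this feed as attack traffic
    link_load_bps: float     # total inbound load currently on this link
    link_capacity_bps: float # physical capacity of this upstream link


def attack_exceeds_capacity(samples):
    """True when aggregate load toward the host passes either page threshold."""
    total_bps = sum(s.bps for s in samples)
    total_pps = sum(s.pps for s in samples)
    return total_bps > BLACKHOLE_BPS or total_pps > BLACKHOLE_PPS


def select_blackholes(samples):
    """Providers on which the attacked host should be blackholed.

    Policy as the page states it: blackhole only as a last resort, and never
    on an upstream that carries no malicious traffic toward the host or that
    still has bandwidth to spare (here: link load below link capacity).
    """
    if not attack_exceeds_capacity(samples):
        return []  # scrubbing copes; nothing is blackholed
    return sorted(s.provider for s in samples
                  if s.malicious and s.link_load_bps >= s.link_capacity_bps)


def demo_samples(kind):
    """Constructed sample windows: a small attack and a massive one."""
    if kind == "small":
        return [UpstreamSample("ISP-A", 5e9, 2e6, True, 9e9, 10e9)]
    return [
        UpstreamSample("ISP-A", 12e9, 10e6, True, 12e9, 10e9),   # malicious, saturated
        UpstreamSample("ISP-B", 9e9, 7e6, True, 9e9, 40e9),      # malicious, headroom left
        UpstreamSample("ISP-C", 1e9, 0.5e6, False, 10e9, 10e9),  # clean feed
    ]
```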

* These features allow us to provide our users with a stable, low-latency internet connection.

navAMS at a glance

Total mitigation time: 3s (elapsed from attack start until it is blocked)
* Detection time: 2s
* Attack block time: 1s

Reprobing interval: 1m (between ongoing attack status checks)

Maximum traffic scrubbing capacity: 140 Gbps or 20 Mpps
Mitigated attack types: High pps/bw (TCP/UDP/ICMP), SYN Flood, Fragmentation, Application Flood
Induced latency: <100us (microseconds)
Simultaneous sources: 100,000M
Concurrent TCP connections: 128M (millions)