LINK11 GmbH
Hanauer Landstraße 291a, 60314 Frankfurt am Main, Germany. Phone: +49 (0) 69-264929777. E-Mail: info@link11.de. Web: www.link11.de
Excellent DDoS Protection
MADE IN GERMANY
Risk potential of DDoS attacks
DDoS ATTACKS 02 / LINK11
As opposed to a simple denial-of-service attack (DoS), distributed denial of service attacks (DDoS) do not come from a single computer, but instead simultaneously from many computers, sometimes tens of thousands.
A DDoS attack often starts when an attacker infects several computers with malware. The attacker then links these computers into a botnet; some botnets already control several tens of thousands of computers.
In addition to the immense impact of such DDoS attacks, the wide distribution of attacking computers also makes it nearly impossible to determine the source of the attack manually. Conventional DDoS protective mechanisms do not provide sufficient defense against the increasing level of threat, since the attack patterns are often quite variable and attackers switch between volume and application attacks or combinations of the two. Victims of such attacks find their access link, firewall resources and web and database servers overloaded. DDoS attacks inflict tremendous damage to the businesses affected. Compared to external filter services, affordable on-premise solutions can only handle a small number of connections and have no influence when, due to a high-bandwidth attack, your access link is saturated.
In addition to substantial revenue losses, many companies experience a loss of reputation among customers and in the
Sony under attack
At Christmas 2014, the hacker group Lizard Squad took down the Sony PlayStation Network (PSN) with a DDoS attack. Millions of gamers could not use their PlayStation over the Christmas holidays. As compensation, Sony offered them a one-time 10 % discount on a total cart purchase in the PlayStation Store. This PSN outage was the second attack on the Sony Group within one month. Already in late November 2014, Sony Pictures Entertainment was hacked by a group calling itself the Guardians of Peace. The hackers stole over 100 terabytes of sensitive data (films, internal files) and published them on the internet. Already in 2011, attackers hacked into the PlayStation Network and stole more than 75 million customer records. The attack was disguised by a DDoS attack. The total loss was estimated to be at least $172 million, including the costs for expanding the security infrastructure and compensation of damage to customers.
Forrester Research, 2014: “Only 57 percent of respondents [enterprises] reported that they currently had a DDoS response plan in place, and 53 percent indicated difficulties when attempting to detect and mitigate DDoS and DNS threats against multiple systems and ISP links.”
Figure: Distribution of DDoS attack methods and average bandwidth of DDoS attacks (categories: Application Attacks, Amplification Attacks, TCP Floods, UDP Floods; bandwidth values shown: 120 Mbps, 1420 Mbps, 7600 Mbps, 18300 Mbps)
Which features are expected of DDoS protection nowadays?
Effective DDoS protection must be intelligent, adaptable, orchestrated and powerful so that it can run reliably in the face of ever-increasing bandwidth, a steady flow of new attack patterns and expanding botnets.
The hardware solutions that were often the only remaining defense in recent years were also always associated with high acquisition and maintenance costs. In addition, these solutions quickly reach their limits in the face of current attacks, because they are too rigid and not powerful enough considering their very high acquisition costs. A reliable DDoS protection must have high enough bandwidth to be able to respond to volume attacks as well as being able to handle complex application attacks, and even be prepared against combinations of both forms of attack. As a rule, a purely signature-based protection system lags behind the evolving attacks, since it only recognizes known forms of attack.
Figure: Link11-protected network in the event of an attack
Intelligent DDoS protection, however, is also able to analyze and orchestrate a rapid response to attack patterns not yet known, since it adapts to each application, reducing false positive rates. A DDoS protection with built-in redundancy should offer 24/7 expert support, low latency, an alarm system and meaningful reports. Ideally, the blocking mechanism will adapt dynamically based on permanent monitoring of the system load, and the protective system will only intervene in attack or stress situations.
Crawler compatibility, compliance with the company's privacy policy, geo-blocking and protection of internal services such as email, VPN gateways and databases are particularly important for companies operating on a global scale.
Link11 DDoS protection offers:
1. Intelligent behavior analysis and adaptation to new attack scenarios in addition to signature-based detection
2. High-bandwidth protection in the maximum security data center
3. Protection of fundamental business applications
4. Broad bandwidths and low latency
5. 24/7 customer support provided by the Link11 Security Operations Center (SOC)
6. Re-adjustable and customized filtering mechanisms and individual reports
7. Excellent value for money (CAPEX) in relation to the acquisition of the hardware
8. Geo-blocking and on-demand protection in the event of an attack
9. Support for all major crawlers
10. Compliance with German and international privacy and compliance policies
Figure: Link11 DDoS Protection Cluster between the Internet backbone, the service provider data center and the customer data center (clients and infected clients on the Internet; switch, firewall, IDS, load balancer and servers in the customer data center)
DDoS protection via DNS forwarding
DNS protection is a cost-effective solution to protect a company's web-based applications.
Link11 DNS protection does not require an upgrade of the server infrastructure, additional bandwidth, or new router technology. The DNS protection is available for as few as one IP address and protects domain-name-based applications against DDoS attacks on layers 3–7. To this end, the DNS A-record entries of the affected application are adapted, rerouting the data transfer to the Link11 Filter Center. The DDoS Protection Cloud has two components: (1) a DDoS filter that blocks volume attacks based on their signature and on customized filter settings and (2) a protocol analyzer using signature-based technology in conjunction with intelligent, statistically driven modeling and behavior analysis, which reliably allows the cloud to detect and prevent complex attacks, even those that are unknown or develop in the future.
Figure: The infected clients query the DNS servers for the IP address and, as a result of the DNS switch, receive the IP address of the Link11 Filter Center, thus preventing the attack from being sent to the original server.
The Link11 DDoS protection is immediately active after the switch in the DNS server has been completed.
Site Shield
To prevent attackers from directly attacking the original server IP address, a site shield is established alongside the DNS protection. The router/firewall configuration is adjusted so as to permit access only from the Link11 DDoS filters.
Figure: Clients and infected clients on the Internet, the Internet provider data center and the Link11 data center
Since the attacker knows the IP address of the target server, the attack is no longer sent to the domain; rather, the ISP delivers it directly to the IP address of the server.
Alternatively, a site shield can be implemented at the ISP, which adds the target IP address to its IP filter list and black-holes it for access from the outside, so that the data traffic it receives goes nowhere (the "black hole").
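The two exposures described in this section, a DNS record that still points at the origin and an attack aimed straight at the origin IP address, can be checked with a short posture script. The following is an added example, not Link11 code; the filter-center prefix, origin address and zone records are constructed placeholders from documentation ranges, and the real filter ranges come from the provider.

```python
"""Posture check for DNS forwarding plus site shield (added example, not
Link11 code; all addresses and records below are constructed)."""
import ipaddress

# Placeholder for the protection provider's filter-centre ranges (constructed).
FILTER_CENTER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
# Constructed address of the customer's origin web server.
ORIGIN_IP = ipaddress.ip_address("203.0.113.10")

# Constructed zone snapshot: (owner name, record type) -> list of record data.
ZONE = {
    ("www.example.com.", "A"): ["192.0.2.17"],     # rerouted to the filter centre
    ("api.example.com.", "A"): ["203.0.113.10"],   # overlooked: still points at the origin
    ("example.com.", "MX"): ["mail.example.com."],
    ("mail.example.com.", "A"): ["203.0.113.10"],  # mail on the same host reveals the origin IP
}


def in_filter_center(ip):
    """True if the address belongs to one of the filter-centre prefixes."""
    return any(ip in net for net in FILTER_CENTER_PREFIXES)


def origin_exposures(zone, origin=ORIGIN_IP):
    """Owner names whose A records, directly or via an MX target, still resolve
    to the origin address.  Each is a way around the filter centre unless the
    site shield drops that traffic at the origin firewall."""
    exposed = []
    for (name, rtype), rdata in sorted(zone.items()):
        if rtype == "A":
            targets = [ipaddress.ip_address(r) for r in rdata]
        elif rtype == "MX":
            targets = [ipaddress.ip_address(a)
                       for mx in rdata for a in zone.get((mx, "A"), [])]
        else:
            continue
        if origin in targets:
            exposed.append(name)
    return exposed


def site_shield_verdict(src_ip, dst_port, service_ports=(80, 443)):
    """Origin firewall policy with the site shield in place: only the filter
    centre may reach the published service ports; everything else is dropped,
    so a flood aimed straight at the origin IP goes nowhere."""
    src = ipaddress.ip_address(src_ip)
    if dst_port in service_ports and in_filter_center(src):
        return "accept"
    return "drop"


if __name__ == "__main__":
    print("records bypassing the filter centre:", origin_exposures(ZONE))
    for src, port in [("192.0.2.17", 443), ("198.51.100.77", 443), ("192.0.2.17", 22)]:
        print(f"{src}:{port} -> {site_shield_verdict(src, port)}")
```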
Link11 DDoS protection via Border Gateway Protocol
Our BGP protection solution offers comprehensive protection of the entire company network to protect all basic business applications, such as email, VPN, database servers, etc.
The BGP DDoS protection can be used in a hot-standby mode to maintain the normal data flow as long as there is no attack. The data is rerouted via the Link11 Filter Center in the case of an attack. The clean data packets are transferred back to the customer's network via a protected tunnel (VPN, IPsec, GRE). After successfully blocking the DDoS attack, the data transfer is returned to its original routing.
Link11 monitoring:
The Link11 monitoring system permanently monitors the status of the network and reports potential DDoS threats. In addition, the Link11 monitoring system monitors the availability of applications and reports other incidents. The monitoring system is integrated as a remote service or a local installation.
Network announcement:
In the event of an attack, the network announcement reroutes the entire traffic via the Link11 protection for analysis.
It is also possible to announce only the smaller parts of the network affected by the attack, for example a single /24 network out of an existing /16 network, to be forwarded to the Link11 protection.
After a successfully blocked attack, the network is routed directly back to the customer via a second announcement.
A secure IP tunnel is established between the DDoS protection solution and the data center.
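The announcement sequence above (the customer's /16 in normal operation, a more-specific /24 via Link11 during the attack, the return afterwards) rests on longest-prefix matching. The model below is an added example, not Link11 code; the prefixes and next-hop labels are constructed, and the /24 limit it enforces is the minimum network size the brochure quotes for the BGP solution.

```python
"""Longest-prefix-match model of the BGP diversion described above (added
example, not Link11 code; prefixes and next-hop labels are constructed)."""
import ipaddress

CUSTOMER_AGGREGATE = "198.51.0.0/16"      # constructed customer network
CUSTOMER_ISP = "customer-isp"             # normal path straight to the customer
SCRUBBING = "link11-scrubbing"            # path via the filter centre and GRE tunnel


class RoutingTable:
    """Minimal model of what the Internet's routers see."""

    def __init__(self):
        self.routes = {}                  # ip_network -> next-hop label

    def announce(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix, strict=True)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix, strict=True), None)

    def lookup(self, address):
        """Longest-prefix match: the most specific covering route wins, which is
        why a /24 announced via the scrubbing centre pulls only that /24."""
        addr = ipaddress.ip_address(address)
        covering = [net for net in self.routes if addr in net]
        if not covering:
            return None
        return self.routes[max(covering, key=lambda net: net.prefixlen)]


def validate_diversion_prefix(prefix, aggregate=CUSTOMER_AGGREGATE):
    """A diversion announcement must lie inside the customer's own aggregate
    and be no longer than /24 (the minimum size quoted in the brochure; longer
    prefixes are commonly not accepted by transit providers)."""
    net = ipaddress.ip_network(prefix, strict=True)
    agg = ipaddress.ip_network(aggregate, strict=True)
    if not net.subnet_of(agg):
        raise ValueError(f"{net} is not part of {agg}")
    if net.prefixlen > 24:
        raise ValueError(f"{net} is more specific than /24")
    return net


def diversion_walkthrough(victim_ip, bystander_ip, diverted="198.51.100.0/24"):
    """Record where traffic for the attacked host and for an unaffected host in
    the same /16 is routed at each stage: normal, diverted, restored."""
    table = RoutingTable()
    table.announce(CUSTOMER_AGGREGATE, CUSTOMER_ISP)
    stages = {"normal": (table.lookup(victim_ip), table.lookup(bystander_ip))}

    # Attack detected: only the more-specific /24 is announced via the scrubbing centre.
    net = validate_diversion_prefix(diverted)
    table.announce(str(net), SCRUBBING)
    stages["diverted"] = (table.lookup(victim_ip), table.lookup(bystander_ip))

    # Attack over: the /24 is withdrawn and the aggregate alone carries the traffic again.
    table.withdraw(str(net))
    stages["restored"] = (table.lookup(victim_ip), table.lookup(bystander_ip))
    return stages


if __name__ == "__main__":
    for stage, (victim, bystander) in diversion_walkthrough("198.51.100.25", "198.51.7.9").items():
        print(f"{stage:9s} victim -> {victim:17s} bystander -> {bystander}")
```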
Figure: Normal operation. Clients, the Internet provider data center and the Link11 data center with the DDoS Protection Cloud, connected to the customer by a GRE tunnel.
Figure: IP announcement. Once a DDoS attack has been detected, the routing is switched to Link11 and the protection is activated; clean traffic returns to the customer through the GRE tunnel.
Figure: Data traffic is routed and filtered through Link11. The customer can specify here which IPs should be forwarded unchanged and which should be monitored.
Link11 monitoring
The Link11 monitoring system continuously monitors the status of the network and reports potential DDoS threats. In addition, the monitoring system monitors the availability of applications and reports other potential incidents. The monitoring system can be integrated as a remote service or a local installation.
Remote Monitoring System
The Link11 Remote Monitoring System uses the Link11 DDoS protection system to perform automatic, real-time monitoring of server linking via DNS forwarding. It analyzes the applications, the server behavior and the incoming and outgoing data transfer and constantly monitors the response times. This makes it possible to detect and fend off attacks in advance.
Local monitoring system for BGP protection
For local monitoring systems, a monitoring server is installed on the local network. The monitoring system evaluates the flow data of the router and issues an alert as soon as attack patterns are detected. The system is constantly monitored by the Link11 Security Operation Center (SOC). To allow for permanent communication between the monitoring system and the SOC, the monitoring system is equipped with an out-of-band connection.
Figure: Link11 Security Operation Center
Link11 WebGUI
Link11 offers its customers a web-based graphical user interface to monitor the server functions. The interface provides insight into the real-time traffic analysis, shows blocked DDoS attacks and server availability, and provides metrics on current server response times.
Graphical timelines can be displayed and analyzed as desired. In addition, the nature of the attacks and their respective places of origin are clearly presented. In addition to user management (with individual read or write rights), the WebGUI makes it possible, for example, to block entire countries with the geo-blocking function.
Features at a glance
The Diagnostic Dashboard offers general DDoS information and hints on current threats.
In addition, a DDoS warning system and a DDoS traffic indicator offer a quick overview of the current security status. In the settings area, the granularity of the intelligent DDoS prevention can be set, and customized blocking can be used to adjust settings for authorized and unauthorized access.
The customizable controls can be used to set up permanent authorized access for systems whose behavior deviates too far from that of a normal user. For example, desirable automated scripts such as crawlers can be identified, ensuring compatibility with standard search engines, desirable advertising bots and administrators.
Figure: Dashboard view of the Link11 Dashboard
Reporting makes it possible to generate individual and routine reports in a management overview. The reports can be transmitted on a regular and automatic basis. Any settings made by administrators in the user interface can be traced and edited ad hoc.
Link11 DDoS protection is based on two methods of protection, where signature-based detection is supplemented by statistical behavior analysis.
On the first level, all types of unauthorized traffic, for example UDP or ICMP, are filtered according to customer needs. These packets are not needed for the operation of the web pages, but are often used as a traffic-intensive flooding method. On the second level, the Protocol Analyzer is based on intelligent statistical modeling and behavioral analysis to provide reliable detection and prevention of complex attacks, even those currently unknown and those that will come in the future. The users are compared with the regular user behavior patterns in the network and classified with a scoring model. The higher the degree of deviation from the default connection, the more scoring points are assigned to the connection.
A decision matrix is used to compare the score to the current system load for each connection and potentially to filter out the requested connection. As the system load increases, the score required for blocking is adjusted and integrated accordingly into the decision matrix.
As a secondary defense, our signature-based detection uses more than 100 characteristics to review a connection against known Layer 2 and Layer 3 attacks. The Protocol Analyzer's intelligent analysis and the continuous analysis is almost deception-proof compared to rigid, on-premise DDoS protection solutions, providing optimal complementary protection against attacks on Layers 4–7.
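The score-versus-load decision described above can be made concrete. The following is an added example, not Link11's implementation: the behavioral features, baseline samples, point values and decision-matrix thresholds are constructed for illustration. It shows why the same deviating client may only be challenged while the system is idle but is blocked once the load rises, which is the "intervene only in stress situations" behavior the brochure describes.

```python
"""Load-adaptive scoring model (added example, not Link11 code).  Features,
baseline samples, point values and matrix thresholds are constructed."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed baseline of regular clients for this site, observed in a quiet
# period: requests per second, share of requests with a never-seen query
# string, share of requests that ended in an error response.
BASELINE = {
    "req_per_s":          [0.8, 1.1, 0.9, 1.3, 0.7, 1.0, 1.2, 0.9],
    "unique_query_ratio": [0.05, 0.10, 0.02, 0.08, 0.04, 0.06, 0.09, 0.03],
    "error_ratio":        [0.01, 0.02, 0.00, 0.03, 0.01, 0.02, 0.01, 0.00],
}
# Protocol-level observations that earn fixed points (constructed values).
FLAG_POINTS = {"missing_accept_header": 10, "ignores_set_cookie": 10,
               "header_dribble": 25}      # headers trickled in to hold sockets open


@dataclass
class Connection:
    src: str
    req_per_s: float
    unique_query_ratio: float
    error_ratio: float
    flags: tuple = ()


def deviation_points(value, samples, cap=40):
    """Points grow with how many baseline standard deviations `value` sits
    above the mean; below-normal values earn nothing."""
    mu, sigma = mean(samples), pstdev(samples) or 1e-9
    z = max(0.0, (value - mu) / sigma)
    return min(cap, round(10 * z))


def score(conn):
    """Total deviation score for one connection."""
    pts = sum(deviation_points(getattr(conn, name), samples)
              for name, samples in BASELINE.items())
    return pts + sum(FLAG_POINTS.get(f, 0) for f in conn.flags)


# Decision matrix: (upper bound of load fraction, score needed to block).
# The threshold drops as the system gets busier.
DECISION_MATRIX = [(0.50, 200), (0.75, 120), (0.90, 80), (1.01, 50)]


def block_threshold(load):
    for upper, threshold in DECISION_MATRIX:
        if load < upper:
            return threshold
    return DECISION_MATRIX[-1][1]


def decide(conn, load):
    """Return (score, action); action is 'pass', 'challenge' or 'block'.
    The grey zone below the block threshold gets a CAPTCHA challenge rather
    than a drop, so a misjudged legitimate user can recover access."""
    s, thr = score(conn), block_threshold(load)
    if s >= thr:
        return s, "block"
    if s >= 0.6 * thr:
        return s, "challenge"
    return s, "pass"


if __name__ == "__main__":
    # Constructed sample clients: an ordinary browser and a flooding bot.
    browser = Connection("198.51.100.5", 1.0, 0.05, 0.01)
    bot = Connection("203.0.113.77", 40.0, 0.95, 0.50, ("missing_accept_header",))
    for load in (0.30, 0.95):
        print(f"load {load:.2f}: browser {decide(browser, load)}, bot {decide(bot, load)}")
```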
How does Link11 prevention technology work?
Figure: Filter pipeline: Multi Ten Gigabit Aggregation, Bogon Filtering, IP Reputation Filtering, Protocol Verification, Stateful TCP Connection Filtering, IP Rate Limiting, Statistical Application Protocol Filtering, Customer Gateway; supported by 24x7 network monitoring, statistical modeling and response orchestration, and 24x7 filter monitoring.
PROTECTION METHODS
• Fragment-Screener: checks the fragments and blocks bogus queries
• Syntax-Screener
• TCP-SYN-Proxying: only successful TCP SYN requests are forwarded
• Signature-based prevention
• Firewalling: prevents UDP by default and only allows certain UDP services such as DNS or SIP, as defined individually by the customer
• Firewalling: prevents ICMP echo / batches by default and/or allows only a few MB/s per protocol, as defined individually by the customer
• Firewalling: prevents SNMP connections to the web server by default and allows SNMP only for certain IPs, as defined individually by the customer
• Protocol analysis: protocol-specific analysis (e.g. of the HTTP traffic) for mechanistic behavior in combination with algorithm-based, statistical user data
• Rate limiting: prevents by default all queries beyond a certain number, as defined individually by the customer
• Geofilter
• Sufficient capacity of the backend server
MITIGATED ATTACKS (e.g.)
• Ping of Death
• Nestea / Nestea 2
• Teardrop / Newtear
• Bonk / Boink
• Syndrop
• Jolt / Jolt 2 / SSPING / sPING / Icenewk
• Rose Fragmentation Attack
• Land / La Tierra
• TCP SYN Flooding
• TCP Ack Flood / Stream
• WinNuke
• Apache Killer
• UDP Floods, e.g. Pepsi
• Fraggle
• DNS Reflection
• Echo / Chargen
• Smurf
• SNMP Reflection
• PIH Flooding (PHP Interpreting Host Flooding)
• Get Flood, Slow Loris, Slow Read
• Fake DNS queries
• Botnet
• Spontaneous formation of groups on the internet
Features
The prevention technology developed by Link11 is based on deep packet inspection. Domain requests are examined for each IP address. Conspicuous behavior by users of the IP address is awarded points as part of a scoring system. A user who reaches a predefined score by reason of such behavior is blocked.
Our prevention technology can handle static as well as dynamic web content. Since a legitimate query is not answered by a proxy/cache, but instead by the original server, no complications occur.
The performance and functionality of Link11 DDoS protection in detail
Performance characteristics:
The DDoS protection cluster analyzes the data transfer for certain patterns and evaluates them anonymously. The content of data packets is not saved.
The Link11 DNS solution provides good value for money to protect your web servers. The Link11 BGP solution is suitable for all customer networks from a minimum size of 256 contiguous IP addresses (/24 network or Class C network).
Activation of DDoS protection in the BGP version is performed immediately after the routing has been switched; in the DNS version, after the modified entries in the DNS server are active. The current capacity of the DDoS protection cluster is about 500 Gbit/s.
The following functions are included in the Link11 DDoS protection
• DNS forwarding / BGP announcement: The service can be implemented via DNS forwarding, or the data transfer is guided and filtered in the event of an attack via BGP. This makes the DDoS protection independent of the client server location.
• User / IP filtering: Link11 observes the behavior of the individual user and has granular user prevention capabilities.
• Multi Ten Gigabit aggregation: Several 10GE Tier-1 provider uplinks to the individual scrubbing centers.
• IP reputation filtering: Comparison with the Link11 database that contains IP addresses which are part of a botnet or are otherwise misbehaving.
• Protocol verification: Verification whether the user uses the indicated protocol (e.g. HTTP, POP3, HTTPS, etc.).
• Stateful TCP connection inspection: Analysis of the 3-way connection establishment of the TCP protocol as well as SYN flood detection and blocking.
• IP rate limiting
• Statistical application protocol inspection: Analysis of application protocols (e.g. HTTP) with several statistical models and filtering of malicious requests.
• Crawler detection / identification: Identification of authorized or unauthorized internet crawlers; compatibility with standard search engines.
• Flooding attack mitigation (HTTP, SYN, UDP, etc.): Detection and prevention of volume-based attacks on a website.
• Rate limiting: Individual limitation of the data rate to the customer.
• GEO blocking: Connection of users from certain regions (country-specific).
• SSL encryption: With own certificate.
• Web application firewall (WAF) filtering: An optional additional WAF for applying own firewall rules to protect applications.
• Caching: Static HTTP client content is cached in our network.
• Layer 3 and 4 DDoS mitigation: DDoS protection on protocol layers 3 and 4.
• Layer 7 DDoS mitigation: Application-specific protection at the level of the application.
• Individual suspicious user behavior recognition: Statistical procedure for individual detection of conspicuous behavior on the website.
• Whitelisting/blacklisting: Customers are able to maintain their own black lists and white lists.
• Blocking of suspicious users: Conspicuous users are blocked as of a defined threshold value. These users have the option to enable their access via a CAPTCHA page.
• User interface / real-time monitoring: Graphical user interface which permits real-time analysis of the data traffic on the website, provides information on the form of attacks and serves as an administrative interface.
• Reporting: Individual reports that can be transmitted to defined users.
• DNS Anycast protection: To ward off attacks on the DNS structure, Link11 offers a DNS Anycast compound system at 25 locations.
Network connectivity
The network connectivity of the DDoS filter cluster is designed for maximum availability, performance and security. All system-relevant components are redundant and represent the current state of the art. Link11 GmbH monitors the degree of capacity utilization of the network at all times and ensures adequate capacity. High bandwidths and low latency times are ensured by direct connections to the largest internet carriers (Level3, Global Crossing, Deutsche Telekom, etc.), which are responsible for the majority of data transfers in Europe. In addition, there are direct connections to the largest peering points DE-CIX, AMS-IX and LINX, which are among the world's three largest internet exchange points.
Cluster locations and security
The main cluster is located in two certified high-security data centers of the company Interxion in Frankfurt am Main.
The data centers are built according to the Tier 3 standard. This means that all servers are backed both by an uninterruptible power supply and by additional diesel emergency generators. Interxion guarantees an availability of 99.999 %.
The data centers are protected by a security fence and are monitored around the clock by security guards and video cameras. In addition, there is a unique identification process where access to each data center building is granted only with an authenticated fingerprint. An additional backup cluster for emergencies is available in Amsterdam.
Service standard / Service level agreement (SLA)
Link11 GmbH operates according to the highest standards of service. Particularly noteworthy are, among other things, the high availability and the redundancy principle. The service standards are defined in several units in total. There are service categories for the reaction times, for troubleshooting and for general network and service availability.
Link11 GmbH maintains these service standards as the permanently defined requirements of its customers. In the case of complex requirements, it is possible to enter into individual agreements on service standards.
Figure: Link11 scrubbing center locations: Frankfurt, DE (FFM 1–5), Amsterdam, NL (AMS 1–3), London, UK (LON 1)
Since being founded in 2005, Link11 GmbH has developed into one of the leading German specialist suppliers for DDoS protection solutions. The high-performance Link11 DDoS Protection Cloud offers intelligent and reliable protection – made in Germany.
Customers include leading e-commerce, finance and insurance companies. As an official partner of national and international professional associations and institutions, Link11 is actively engaged in issues related to IT security, internet technology and the e-commerce industry.
For its innovative DDoS protection solution, Link11 has been awarded three years in a row. 2014’s “Hosting & Service Provider Award” and “ZETA-Award” reflect that the solution is particularly efficient and future-oriented.
Deutscher Rechenzentrumspreis 2014
Link11 DDoS Protection wins in two categories: data center security and online audience award.
BITKOM Partner
Link11 is an official BITKOM Partner. BITKOM is the voice of the information technology, telecommunications and new media industry in Germany. BITKOM represents more than 2,100 companies. BITKOM’s members generate an annual turnover of 140 billion Euros in total, exporting high-tech goods and services.
bevh
For its members, the industry organisation Bundesverband E-Commerce und Versandhandel e.V. (bevh) has selected a team of highly qualified business partners like Link11, chosen for their innovative products, reliability, and experience.
Certified by TÜV SÜD (technical inspection body)
Link11 GmbH uses system resources carefully and responsibly, including only using green electricity, as certified by TÜV SÜD.
Official partner
As an official partner of the TeleTrusT IT Security Association, Link11 is part of the largest competence network for IT security in Germany and Europe.
Eco Internet Award 2012
In 2012, Link11 was awarded the Internet Award for the most innovative DDoS protection solution by the eco association of the German Internet industry.
Official partner
Link11 is an official partner of the Alliance for Cyber Security. The ACS is a joint initiative by the Federal Office for Information Security (BSI) and the Federal Association for Information Technology, Telecommunications and New Media (BITKOM).
Security Insider Award
The readers of “Security Insider” voted Link11 the IT-Security Product of the Month in July 2013.
RIPE NCC