We are in the process of migrating this forum. A new space will be available soon. We are sorry for the inconvenience.

URGENT AND IMPORTANT DNS resolve and DNS AMP Part 2


oles@ovh.net
06-25-2013, 11:56 AM
Hello,

As a web infrastructure supplier, OVH has always been faced with DDoS cyber attacks, which affect our infrastructure as much as the services of our customers. Since the Wikileaks affair in late 2010, DDoS attacks have been making the headlines, and with DNS AMP becoming widespread since the beginning of this year, any kid can basically launch a DDoS attack of several dozen Gbps and implement a childish activity.

On our side, we have developed the protection tool over time with one simple aim: that the anti-DDoS protection service cannot be optional. On your side, customers must use this service by default.

For 3-4 months we've been working on a new type of infrastructure for protection against DDoS attacks, which we named "VAC". (VAC as in vacuum cleaner
So let's be artistic here - the idea is passing a vacuum cleaner over incoming traffic from the internet to your services, extracting the bad packets but leaving the good packets intact.

VAC1, (currently in Alpha phase), has been installed in Roubaix. It's now working well enough for us to explain what OVH is going to
to offer, in terms of protection against DDoS attacks.

We are planning to launch the Beta version this week. On July 16th, we will explain the VAC service on our website and a new contract will be issued to provide the framework of this service. The objective is to be as transparent as possible and to provide you
with the highest guarantees.

Hardware
--------
VAC is a mitigation unit capable of cleaning up to 160Gbps/160Gbps traffic.
It consists of 2 routers: a CISCO ASR 9001 and a Cisco Nexus 7009. Overall, a VAC has 114 10G ports, or 1.14Tbps switching/routing capacity. For traffic cleaning we use 2 types of hardware: 4 Tilera each with 20Gbps (80Gbps) and 1 TMS 4000 of 30Gbps.

Software development on the Tileras is ensured by our internal team. It consists of low level C/C++ code, queue management and
algorithms that determine whether a packet is good or bad. TMS 4000 is a package with the algorithms developed by Arbor.
The traffic gets 'hoovered' up up on entry to a datacentre, cleaned then directed towards the routers of the rooms.
In the case of VAC1, traffic is sucked up at the level of 2 main Roubaix routers, then subjected to 5 cleaning phases. Each
phase intelligently cleans up one type of attack, with the aim of significantly reducing the size of the attack, before passing the remainder onto the next phase. And so on and so forth.

Thanks to these 5 stages, we are capable of treating up to 160Gbps of attacks, whereas our competitors
buy an Arbor TMS 4000 package with 1 10G card and are only able to filter 10G max, which is basically nothing. If you receive
attacks exceeding this, the contract is breached and you have to find yourself a new hosting provider - this is where we step in, as we have no limits in terms of the size of attacks that we can manage.

Functionalities
---------------
A VAC enables us to provide you with the following services:
- a firewall network
- mitigation of DDoS attacks
- choice of mitigation type
- permanent mitigation
- detection of an attack and activation of the mitigation
- support to assist you in the event of an attack

A VAC also takes care of hoovering up any attacks that our network may generate. Sometimes customers are in fact hacked and their servers are then used to launch the attacks. When we detect these attacks, we suck them up with the VAC and then clean it, while waiting to determine which servers have been hacked so we can put them in rescue mode.

A VAC also participates in the fight against spam. The VAC will actually suck up and duplicate "the outgoing email traffic" of a datcentre (DC) in order to analyse it with anti-spam and antivirus programmes. We will be able to calculate the statistics on the amount of spam per SRC IP in our DCs, and then block an IP's SMTP traffic, when we believe that it is acting as a spammer.

A VAC is not for storage, it is a traffic analyzer and thus it does not store emails. It simply analyses samples of the emails
leaving our DCs in real time.

In addition to vacuuming, the VAC also does the ironing ...nah, just kidding!

Redundancy
----------
The redundancy of a VAC is guaranteed by another VAC. By the end of August, we will be installing 3 VAC mitigation units in
3 locations:
- Strasbourg, France (SBG)
- Roubaix, France (RBX)
- Beauharnois, Canada (BHS)

The 3 VACs will function in parallel and each VAC will suck up the traffic nearest to it, in order to clean it, then it will inject it into the
internal network that we have set up between all the DCs. So an attack coming from Miami, FL will pass through BHS, where the VAC3 will clean it, then the traffic will enter the internal network. From BHS it will pass through GRA, through RBX to arrive, for example, in SBG at the server that is the victim of a DDoS attack.

The total capacity of our 3 VACs is 3 x 160Gbps, which is 480Gbps/480Mpps. It's the biggest known mitigation infrastructure that a
an infrastructure supplier has made available to their customers.

Consequences
-----------
The protection service is not limited in terms of the size, duration, nor the type of the attack. We know how to contain any attack and the objective for us is providing you with a service that will truly protect you on the day you are attacked.

The question is not so much "Do I need it?" but rather "Will it protect me when doomsday comes?"
Just last week, a customer contacted me urgently because their site had been attacked by some discontented kid. 3 clicks later, the attack passed through VAC1 and the site www.prestashop.com was back up again.

Everyday, we receive up to 1200 attacks and we protect 700 of you on average, not really the same everyday...

Service
-------
We will be offering three levels of service:

- By default and included in the price, the aim is to protect our infrastructure and the services of the customer as best we can. In order to properly protect an infrastructure against an attack, it is necessary to know what is running on the server, and then set up the right mitigation configuration. Without having human contact with the customer, we can only do our best. This is the level of service we will provide by default.

- With PRO usage, you will be able to tinker with and adapt the protection using the manager or APIv6. We will offer you
the following tools:
- the firewall network of 480Gbps with the possibility of adding 100 ACL lines by DST IP, which is an OVH innovation.
- the choice of several dozen mitigation types, including web, SMTP, game, teamspeek, streaming etc.
- permanent mitigation or attack detection with automatic VAC activation
- support will be provided via the following mailing-list: ddos@ml.ovh.net

- With VIP Support, you will have 24/7 human assistance with configuration + Someone to talk to in the event of an attack, to help you configure the protection to block the attack quickly and efficiently. The VIP team will ensure that the attack is monitored
24/7 and will adapt the protection if the attack changes.

Price
----
Throughout the Alpha phase, we communicated the fact that protection against DDoS attacks should be a service included in the price of a server, VPS, PCI, dedicated cloud or (available in France only) an ADSL connection.

We were very surprised to read the same question again and again: "How much will it cost?"

This made us think ...a lot.
After this thoughtful reflection process, we had 3 options:

- Doing the same as everyone else, which means offering an considerably expensive mitigation service, while stating that the mitigation capacity depends on the price and that in all cases there is a limit of 10Gbps or 20Gbps (!!), that there's also a limitation in the attack duration (!!), and then you have to pay more if you want more (!!). Basically, an on demand, overpriced and rather limited sevrice. This is standard business model of all our competitors and suppliers of mitigation solutions.

- Offering something cheap/adequate, which means investing in an infrastructure (we're talking €3M) and then not including the mitigation costs in the price of each service - simply offering it but with no figures related to mitigation, no teams to take care of it 24/7 and just hoping that it will be enough come doomsday.

- Sharing the costs of the VAC and the teams with all existing and future customers that we have on our infrastructure - this is the solution that we have chosen. In this scenario we're talking about a mandatory option for all existing dedicated servers, VPS and dedicated clouds. Since there are so many customers, the service price increase is very low as a result:
- VPS: +€0.50/month
- KS: +€1/month
- SP: +€1/month
- EG: +€2/month
- MG: +€2/month
- HG: +€3/month
- Dedicated Cloud: +€5/month
- Colocation (France only): +€10/month

This price increase for all existing and future servers will allow us to continue to invest and improve the infrastructure so that we can handle new attacks.

Prices will increase from September 1st 2013 for all existing servers. However, if you sign up for a whole year, then DDoS protection is included, so the service price does not change.

The increase is between +€0.50 and +€10 per month. It may seem low compared to the anti-DDoS service prices offered by our competitors. You may even say that we won't be able to provide a quality protection service against DDoS attack for such a low price. However, given the number of customers we have and the sharing of costs and investments, we feel totally comfortable with taking up the challenge of become the leading player in the protection against attacks, and of protecting against doomsday

Kind regards,

Octave