When it comes to DDoS protection, there are several requirements to pay attention to. In general, you need to take care of two relevant kinds of DDoS attacks: network level and application level attacks.
Network level attacks target the network connection and the network stack of your server. Most network level attacks reach a few hundred kpps (thousand packets per second), which easily takes down most unprotected servers.
Application level attacks aim to overwhelm the capabilities of an application or the resources of unprotected servers. They mostly generate a high volume of “real looking” requests, for example a few thousand HTTP GET / POST requests towards a webserver.
We have implemented complex mitigation techniques against both attack types, fully protecting every server within our network by default.
The old setup
Our network level protection works by routing all traffic for a specific IP address towards a set of high-performance servers running our flowShield application, which validates every arriving packet against static rules and dynamic logic. To increase processing performance, we bypass the kernel and handle all traffic in userspace using netmap.
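To make the combination of static rules and dynamic logic concrete, here is a small Python simulation of such a packet validator. It is an added example, not flowShield's code and not netmap-based: it models a packet as a plain dataclass, applies an assumed static rule set (drop fragments, drop malformed TCP flag combinations, drop everything except the published service ports) and an assumed per-source sliding-window packet budget with a tighter budget for SYNs, which is the kind of dynamic logic a SYN flood runs into. The addresses and the traffic mix in run_demo() are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed, simplified packet model (not flowShield's internal format).
@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    flags: str = ""     # TCP flags as letters, e.g. "S", "SA", "PA"
    fragment: bool = False

# Static rules (assumed): only the published service ports of the protected
# address are reachable; UDP is closed entirely in this example.
STATIC_ALLOW = {
    "tcp": {80, 443, 8443},
    "udp": set(),
}

def static_check(pkt):
    """Static validation. Returns a drop reason, or None if the packet may continue."""
    if pkt.fragment:
        return "fragment"                      # fragments are dropped outright
    if pkt.dport not in STATIC_ALLOW.get(pkt.proto, set()):
        return "port-closed"
    if pkt.proto == "tcp":
        f = set(pkt.flags)
        # no flags at all, SYN+FIN and SYN+RST never occur in real TCP
        if not f or {"S", "F"} <= f or {"S", "R"} <= f:
            return "bad-flags"
    return None

class RateLimiter:
    """Dynamic logic (assumed): at most max_pps packets per source in a sliding one-second window."""
    def __init__(self, max_pps, window=1.0):
        self.max_pps = max_pps
        self.window = window
        self.seen = defaultdict(list)       # src -> timestamps inside the window

    def allow(self, src, now):
        q = self.seen[src]
        while q and now - q[0] > self.window:
            q.pop(0)                        # expire timestamps outside the window
        if len(q) >= self.max_pps:
            return False
        q.append(now)
        return True

class Filter:
    def __init__(self, pps_per_src=100, syn_per_src=20):
        self.all_pkts = RateLimiter(pps_per_src)
        self.syns = RateLimiter(syn_per_src)  # separate, tighter budget for SYNs
        self.stats = defaultdict(int)

    def process(self, pkt, now):
        """Static rules first, then per-source dynamic budgets. Returns the verdict."""
        reason = static_check(pkt)
        if reason is None:
            if pkt.proto == "tcp" and pkt.flags == "S" and not self.syns.allow(pkt.src, now):
                reason = "syn-rate"
            elif not self.all_pkts.allow(pkt.src, now):
                reason = "pps-rate"
        verdict = "pass" if reason is None else "drop:" + reason
        self.stats[verdict] += 1
        return verdict

def run_demo():
    """Constructed traffic: one legitimate client, one SYN flooder, four bad probes."""
    f = Filter(pps_per_src=100, syn_per_src=20)
    t = 0.0
    # legitimate client: handshake plus a few data segments on 443
    for flags in ["S", "A", "PA", "A", "A"]:
        f.process(Packet("198.51.100.7", "203.0.113.10", "tcp", 443, flags), t)
        t += 0.01
    # SYN flood from a single source: 50 SYNs inside one second
    for _ in range(50):
        f.process(Packet("192.0.2.99", "203.0.113.10", "tcp", 80, "S"), t)
        t += 0.001
    # probes that fail the static rules
    f.process(Packet("192.0.2.50", "203.0.113.10", "tcp", 22, "S"), t)
    f.process(Packet("192.0.2.51", "203.0.113.10", "udp", 53), t)
    f.process(Packet("192.0.2.52", "203.0.113.10", "tcp", 80, "SF"), t)
    f.process(Packet("192.0.2.53", "203.0.113.10", "tcp", 80, "S", fragment=True), t)
    return dict(f.stats)

if __name__ == "__main__":
    print(run_demo())
```

The ordering matters: static rules are cheap and run first, so the dynamic state (which costs memory per source) is only touched by packets that are at least plausible. With the constructed input, the legitimate client's five packets and the flooder's first 20 SYNs pass, the remaining 30 SYNs hit the SYN budget, and the four probes are rejected statically.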
To filter out application level attacks, we operated a separate set of filters which forwarded all TCP traffic on ports 80, 443 and 8443 to a local application that performs humanity checks by interacting with the client.
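The post does not say how the humanity check works, so the following added Python example (not the company's filter application) uses one common, simple form of it: a client that presents no valid challenge cookie receives a challenge response carrying an HMAC-signed token bound to its source IP address and an expiry, and only a client that returns that token on its next request is forwarded to the backend. A flooding script that ignores cookies never reaches the backend, while a cookie-aware client passes after one extra round trip. The secret, the TTL, the cookie name hchk and the requests in simulate() are all constructed.

```python
import hashlib
import hmac

# Constructed secret and lifetime for the example; a deployment would load a
# random key from secure storage and rotate it.
SECRET = b"example-only-secret"
TTL = 600            # seconds a passed challenge stays valid
COOKIE = "hchk"      # assumed cookie name

def _sign(client_ip, expiry):
    """MAC over ip|expiry so a token cannot be forged or moved to another address."""
    msg = f"{client_ip}|{expiry}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(client_ip, now):
    """Token the client must echo back: expiry timestamp plus the MAC."""
    expiry = int(now) + TTL
    return f"{expiry}.{_sign(client_ip, expiry)}"

def token_valid(token, client_ip, now):
    """A token is valid only for the IP it was issued to and before its expiry."""
    try:
        expiry_s, sig = token.split(".", 1)
        expiry = int(expiry_s)
    except ValueError:
        return False
    if expiry < now:
        return False
    return hmac.compare_digest(sig, _sign(client_ip, expiry))

def handle(request, now):
    """Filter decision for one request.
    Returns ("forward", None) when the client has already passed the check,
    otherwise ("challenge", token) where token is set as the hchk cookie."""
    token = request.get("cookies", {}).get(COOKIE)
    if token and token_valid(token, request["ip"], now):
        return ("forward", None)
    return ("challenge", issue_token(request["ip"], now))

def simulate():
    """Constructed traffic: a cookie-aware client, a naive flooder, a token
    replayed from another address, and an expired token."""
    results = {}
    now = 1_700_000_000.0

    # Cookie-aware client: challenged once, then forwarded.
    jar = {}
    seq = []
    for _ in range(2):
        verdict, token = handle({"ip": "198.51.100.7", "cookies": dict(jar)}, now)
        seq.append(verdict)
        if token:
            jar[COOKIE] = token
        now += 1
    results["client"] = seq

    # Naive flooder: sends many requests but never stores the cookie.
    flood = [handle({"ip": "192.0.2.99"}, now)[0] for _ in range(5)]
    results["flood_forwarded"] = flood.count("forward")
    results["flood_challenged"] = flood.count("challenge")

    # The client's token does not work from a different source IP.
    results["replay"] = handle({"ip": "192.0.2.99", "cookies": dict(jar)}, now)[0]

    # The token is no longer accepted after TTL has passed.
    results["expired"] = handle({"ip": "198.51.100.7", "cookies": dict(jar)}, now + TTL + 5)[0]
    return results

if __name__ == "__main__":
    print(simulate())
```

Binding the token to the source address and signing it means the filter keeps no per-client state; everything it needs to verify a returning client is in the cookie itself, which is what lets a check like this scale to the request rates discussed later in the post.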
The whole bunch of filters consumed a lot of rack space, power and maintenance work. At some point we had a challenging idea that increased the efficiency of the whole environment.
We’ve virtualized our DDoS filters
Nowadays it is even possible to run resource-hungry games in virtual machines by using PCI passthrough at the GPU level. Some experimental tests gave us the idea of using virtualization in our anti-DDoS infrastructure.
As PCI passthrough provides nearly the same performance as physical hardware, we got everything done with two very high-performance servers, each equipped with dual 10-core E5 CPUs, 192 GB of memory and a bunch of PCIe 3.0 slots loaded with quad-port 10GbE network adapters.
Every box runs KVM virtual machines with the CPU model set to host and PCI passthrough of the network adapters. This allows us to provide 120 Gbit of line-rate mitigation capacity per network level filter and around 250,000 requests per second of application level filtering.
Virtualising our DDoS filters lets us save a large amount of rack space and power, and lets us roll out changes more flexibly.