DDoS Mitigation

DDoS Mitigation enables Public Peering members to greatly reduce the impact of large-scale DDoS attacks on their networks.

Our technical solution ensures that useful traffic reaches the member even when their port is overwhelmed due to a massive DDoS attack and packet loss is unavoidable. This approach eliminates the need for members to upgrade to higher-speed ports solely to safeguard their connection to TurkIX during large-scale DDoS attacks.
Types of DDoS attacks:
Volumetric Attacks: Overwhelm the target's bandwidth with a massive volume of traffic, making the service inaccessible. Examples include UDP Floods and ICMP Floods.
Protocol Attacks: Exploit weaknesses in network protocols to exhaust server resources, such as SYN Floods and Ping of Death.
Application Layer Attacks: Target specific web applications, aiming to disrupt functions like login pages or APIs. Examples include HTTP GET/POST Floods and Slowloris attacks.
Reflection/Amplification Attacks: Use misconfigured servers or devices to amplify attack traffic, such as DNS Amplification and NTP Amplification.
Botnet-Based Attacks: Involve a network of compromised devices (a botnet) generating massive traffic or request volumes simultaneously.
Implementation:
Each packet received is evaluated against a set of rules; if it appears to be part of a potential DDoS attack, it is flagged accordingly. These rules are continuously updated to recognize an ever-growing range of DDoS attack methods.
On output, packets identified as potential DDoS traffic are assigned the lowest priority. If the port becomes congested, these flagged packets are dropped first, ensuring the delivery of legitimate traffic. This approach safeguards both the members' ports and the entire TurkIX network, regardless of the attack's scale.
Activation:
DDoS Mitigation is active for all Public Peering members at no additional cost.
Recommendations to members:

Packets received from TurkIX and marked with Priority Code Point (PCP) = 1 are processed with the lowest priority. During a large DDoS attack or network congestion, these packets are dropped first, ensuring that legitimate traffic is prioritized and preserved for the member.

If the connection between the TurkIX network and the member's network is routed through a third party at a lower speed than the port, it is advised that the third party also treat packets marked with PCP = 1 as lowest priority.

During an attack, members can apply a low rate limit to packets marked with PCP = 1 and destined for the attacked host, instead of using BGP blackholing, which blocks all traffic to the host. This mitigates the attack while keeping the host reachable. To prevent overloading the internal network, it is recommended to apply this rule on the device directly connected to the TurkIX network.
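The recommendation above (police PCP = 1 traffic to the attacked host rather than blackholing it), worked through as an added example that is not TurkIX's code: it parses the 802.1p PCP out of a constructed 802.1Q-tagged IPv4 frame and applies a token-bucket rate limit only to flagged frames addressed to the attacked host. The host address, VLAN ID, rate and burst values are assumed for illustration.

```python
import struct
from ipaddress import IPv4Address

ETH_8021Q, ETH_IPV4 = 0x8100, 0x0800

def build_frame(pcp, dst_ip, payload=b"\x00" * 100):
    """Constructed 802.1Q-tagged IPv4 frame used as sample input (not captured traffic)."""
    tci = ((pcp & 0x7) << 13) | 100                       # PCP in the top 3 bits, VLAN ID 100 (assumed)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         IPv4Address("192.0.2.1").packed, IPv4Address(dst_ip).packed)
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!HHH", ETH_8021Q, tci, ETH_IPV4) + ip_hdr + payload

def pcp_of(frame):
    """802.1p Priority Code Point of a tagged frame, or None if there is no 802.1Q tag."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETH_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] >> 13

def ipv4_dst(frame):
    """Destination address of the IPv4 packet inside a tagged frame, or None if not IPv4."""
    if len(frame) < 38 or struct.unpack("!H", frame[16:18])[0] != ETH_IPV4:
        return None
    return str(IPv4Address(frame[34:38]))                   # 18-byte tagged header + 16 into IPv4

class PcpRateLimiter:
    """Member-edge policy for one attacked host: PCP=1 frames addressed to it are policed by a
    token bucket (rate in bytes/ms, burst in bytes); everything else is forwarded unchanged."""
    def __init__(self, attacked_host, rate_bytes_per_ms, burst_bytes):
        self.host, self.rate, self.burst = attacked_host, rate_bytes_per_ms, burst_bytes
        self.tokens, self.last_ms = burst_bytes, 0

    def accept(self, frame, now_ms):
        if pcp_of(frame) != 1 or ipv4_dst(frame) != self.host:
            return True                                     # not flagged, or another host: forward
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= len(frame):
            self.tokens -= len(frame)
            return True
        return False                                        # over the limit: drop this frame only

def simulate(limiter, frames):
    """Offer frames one per millisecond; returns (forwarded, dropped) counts."""
    verdicts = [limiter.accept(frame, now_ms=ms) for ms, frame in enumerate(frames)]
    return sum(verdicts), len(verdicts) - sum(verdicts)
```

Unflagged traffic to the attacked host and flagged traffic to any other host pass untouched, which is the connectivity that a blackhole route would have sacrificed.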
Advantages:
DDoS Mitigation is always on, so it is fully effective even against extremely short attacks;

TurkIX marks potential DDoS traffic according to IEEE P802.1p with PCP = 1, so members can relatively easily apply specific restrictions to this traffic in their networks;

Real-time statistics are available at my.TurkIX.