DDoS Mitigation


DDoS Mitigation helps Public Peering members significantly limit the negative effect of large DDoS attacks on their networks.

Our technical solution focuses on delivering the useful traffic to the member even when their port is overloaded by a massive DDoS attack and packet loss is inevitable. As a result, members do not need higher-speed ports just to make sure that their connection to BIX.BG will not be overloaded during a large DDoS attack against them.

Types of DDoS attacks:

  • Low and slow DDoS – a small amount of traffic consisting of very specific packets that target hosting services at the protocol/application layer. These attacks are varied, and we currently have no working solution to help members against them;
  • Volumetric DDoS – a large number of packets are sent from many hosts (usually to a single host), and the aim of the attack is to disable the member's entire network, or at least a segment of it.
    If no measures are taken, the negative effect of such an attack will depend not only on the volume of the attack, but also on the throughput of the network (including links to upstream providers and peers).

Patterns of Volumetric DDoS:

  • To generate a huge amount of traffic, the attacking party often uses so-called amplification mechanisms, which, with relatively little traffic sent by the attacker, cause many times more traffic to reach the attacked network. BIX.BG recognizes these packets and marks them as potential DDoS.
  • DDoS attacks usually start suddenly, reach their maximum capacity within 1-2 minutes and stop just as suddenly. This makes any protective mechanism that relies on human intervention completely inapplicable. Even variants with automatic rerouting through a scrubbing center will not be particularly effective against short attacks.

Implementation:

  • On input: each incoming packet is analyzed against a series of rules and, if it looks like potential DDoS, is marked accordingly. These rules are updated continuously so that more and more types of DDoS attacks can be recognized.
  • On output: packets marked as potential DDoS are served with the lowest priority. If a port becomes overloaded, the marked packets are dropped first so that the useful packets can still be delivered. This protects not only the members' ports but also the entire BIX.BG network, regardless of the scale of the attack.

Activation:

DDoS Mitigation is active for all Public Peering members at no additional cost.

Recommendations to members:

  • Do not filter all traffic marked as potential DDoS, because useful traffic may be lost;
  • Serve packets received from BIX.BG that are marked with Priority Code Point (PCP) = 1 with the lowest priority. Then, in case of a large DDoS attack and network overload, the member drops exactly these packets and preserves the useful traffic;
  • If the connectivity between BIX.BG's network and the member's network is provided through a third party and has a lower speed than the port, it is recommended that the third party also serve packets marked with PCP = 1 with the lowest priority;
  • During an attack, instead of using BGP blackholing, which blocks all traffic to the attacked host, the member can apply a low rate limit only to packets marked with PCP = 1 and destined for the attacked host's IP address. This limits the attack without cutting off the host's connectivity. To avoid overloads inside the member's network, it is recommended to set up the rule on the device directly connected to the BIX.BG network.
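The following is an added example, not BIX.BG code and not a description of their marking rules. It models, on the member side, the two behaviours the Implementation and Recommendations sections describe: reading the PCP out of the 802.1Q tag of frames received from the exchange, serving PCP = 1 frames with the lowest priority so they are dropped first when a port budget is exhausted, and rate limiting only PCP = 1 frames addressed to an attacked host instead of blackholing the host. The frames, the TEST-NET addresses (198.51.100.0/24), the byte budgets and the function names are all constructed for illustration; in production these functions correspond to a router's QoS queue and policer configuration rather than to software on the forwarding path.

```python
"""Added example (not BIX.BG's code): acting on the PCP = 1 "potential DDoS" marking."""
import struct
from collections import namedtuple

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
PCP_POTENTIAL_DDOS = 1  # the page: BIX.BG marks potential DDoS with PCP = 1

# Parsed view of a frame: 802.1Q priority, VLAN id, IPv4 destination, wire size
Frame = namedtuple("Frame", "pcp vid dst_ip size")


def build_frame(pcp, vid, dst_ip, payload_len):
    """Construct an 802.1Q-tagged IPv4 frame (sample input, not captured traffic)."""
    tci = (pcp << 13) | (vid & 0x0FFF)  # TCI = PCP (3 bits) | DEI (1 bit) | VID (12 bits)
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ETHERTYPE_IPV4)
    # Minimal IPv4 header; only the fields this example reads are meaningful.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + b"\x00" * payload_len


def parse_frame(raw):
    """Extract PCP and VID from the 802.1Q TCI and the IPv4 destination address."""
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != ETHERTYPE_VLAN:
        raise ValueError("untagged frame: no PCP to read")
    tci, inner = struct.unpack("!HH", raw[14:18])
    pcp, vid = tci >> 13, tci & 0x0FFF
    if inner != ETHERTYPE_IPV4:
        return Frame(pcp, vid, None, len(raw))
    dst_ip = ".".join(str(b) for b in raw[18 + 16:18 + 20])  # IPv4 header starts at 18
    return Frame(pcp, vid, dst_ip, len(raw))


def is_potential_ddos(frame):
    """True for frames the exchange marked as potential DDoS."""
    return frame.pcp == PCP_POTENTIAL_DDOS


def schedule_output(frames, port_budget):
    """Strict-priority output queue: unmarked frames are sent first; when the port
    budget (bytes per interval, assumed) runs out, marked frames are the ones dropped."""
    delivered, dropped = [], []
    remaining = port_budget
    for f in sorted(frames, key=is_potential_ddos):  # stable: unmarked first, order kept
        if f.size <= remaining:
            remaining -= f.size
            delivered.append(f)
        else:
            dropped.append(f)
    return delivered, dropped


def rate_limit_marked(frames, attacked_host, budget):
    """Alternative to BGP blackholing: police only frames that are both marked PCP = 1
    and addressed to the attacked host; all other traffic passes untouched."""
    passed, policed = [], []
    remaining = budget
    for f in frames:
        if is_potential_ddos(f) and f.dst_ip == attacked_host:
            if f.size <= remaining:
                remaining -= f.size
                passed.append(f)
            else:
                policed.append(f)
        else:
            passed.append(f)
    return passed, policed


def sample_traffic():
    """Constructed mix: legitimate traffic to two hosts plus a burst of marked frames
    (e.g. amplification responses) aimed at one of them."""
    raw = [build_frame(0, 100, "198.51.100.10", 500),
           build_frame(0, 100, "198.51.100.20", 500)]
    raw += [build_frame(1, 100, "198.51.100.10", 1400) for _ in range(5)]
    raw.append(build_frame(0, 100, "198.51.100.10", 500))
    return [parse_frame(r) for r in raw]


if __name__ == "__main__":
    traffic = sample_traffic()
    kept, lost = schedule_output(traffic, port_budget=3000)
    print(f"overloaded port: delivered {len(kept)}, dropped {len(lost)} (all marked)")
    ok, limited = rate_limit_marked(traffic, "198.51.100.10", budget=3000)
    print(f"rate limit on PCP=1 to .10: passed {len(ok)}, policed {len(limited)}")
```

In the overloaded-port case every unmarked frame is delivered and only the PCP = 1 burst is lost, which is the behaviour the Recommendations ask members to reproduce on their own equipment; the rate limiter shows why the marking is preferable to blackholing: unmarked traffic to the attacked host, and all traffic to other hosts, is never touched.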

Advantages:

  • DDoS Mitigation works permanently, so it is fully effective even against extremely short attacks;
  • BIX.BG marks potential DDoS according to IEEE P802.1p with PCP = 1, so members can relatively easily apply specific restrictions to this traffic in their networks;
  • Real-time statistics are available at my.BIX.BG.

Possible inconveniences:

There is a small probability that useful traffic will be classified as potential DDoS, but this has no effect as long as the member's port is not overloaded;

Not all possible DDoS attacks are recognized; this mainly applies to new types of attacks (zero-day DDoS attacks).