DoS protection is a critical security control that defends against loss of service, and it is vital for enterprises, small businesses, game servers, and hosting companies. DoS assaults cannot be defeated with traditional Internet gateway security solutions such as firewalls.
In May 2020, we deployed a Corero Smartwall to provide DoS attack protection to our customers. We chose Corero protection because it delivers the best layer 3 to layer 7 DoS mitigation in seconds, before any Oplink.net service is disrupted.
The Corero Smartwall real-time packet inspection and mitigation solution for Oplink.net protects against assaults measuring up to 100 Gbps. The Corero Smartwall is deployed inline at the front edge of our 100 Gbps uplink to minimize latency, flexibly defend against all attacks in real time, and maximize security. It’s always on and provides an incredibly fast and accurate system to keep your server online and protected. We have 3 different levels of protection. Protection is sold on a per IP address basis.
With the Corero Smartwall, Oplink.net protects against large network-based DoS attacks, including floods and reflective amplified spoof attacks, as well as attacks that are typically too small to be detected by out-of-band solutions. Patented mechanisms designed with big data analytics automatically detect and stop volumetric and state exhaustion DoS attacks while passing legitimate traffic through. Attack protection algorithms are continually enhanced based on Corero’s real-world experience with thousands of customers.
Some providers use a cloud-based DoS scrubbing center method that requires all Internet traffic to be relayed by unknown servers on uncertain uplinks in unknown places. This strategy cannot achieve the fastest real-time mitigation without increased latency.
Managing and controlling our own routers, switches, and servers in house is our priority, and this principle applies to our choice of DoS protection. Oplink.net engineers directly manage the Corero Smartwall in our data center to apply customized filtering and the latest filtering technology.
Here’s a diagram of how the defense system works:
The Oplink.net DDoS Defense system offers many smart and flexible filtering technologies. Here are some of the filtering methods now in use:
• TCP/UDP port-based attacks
• Berkeley Packet Filter (BPF)
• Smart-Rules – Patented high-performance heuristics-based engine that automatically detects & blocks volumetric DoS attacks, including zero-day
• Botnet protection
• Volumetric DoS (TCP/UDP/SYN/ICMP) Floods
• Reflective Amplification DoS
• NTP Monlist Response Amplification
• SSDP/UPnP Responses
• SNMP Inbound Responses
• Chargen Responses
• Connectionless LDAP (CLDAP)
• Resource Exhaustion
• Malformed and Truncated Packets (e.g. UDP Bombs)
• IP Fragmentation/Segmentation AETs
• Invalid TCP Segment IDs
• Bad checksums and illegal flags in TCP/UDP frames
• Invalid TCP/UDP port numbers