How does Oplink.net DDos Protection work?

Always On Threat Defense System

DDos protection is critical security to defend against loss of service and is vital for enterprises, small businesses, game servers, and hosting companies. DDos assaults cannot be defeated with traditional Internet gateway security solutions such as firewalls.

In May 2020, we deployed a Corero Smartwall to provide DDos attack protection to our customers. We chose Corero protection because it delivers the best layer 3 to layer 7 DDos mitigation in seconds before disruption of any Oplink.net service.

The Corero Smartwall real-time packet inspection and mitigation solution for Oplink.net protects against assaults measuring up to 100 Gbps. The Corero Smartwall deployment is inline to the front edge of our 100Gbps uplink to minimize latency, flexibly defend all attacks in real time, and maximize security. It’s always on and provides an incredibly fast and accurate system to keep your server online and protected.

With the Corero Smartwall, Oplink.net protects against large network-based DDos attacks including floods, reflective amplified spoof attacks, as well as attacks that are typically too small to be detected by out of band solutions. Patented mechanisms designed with big data analytics automatically detect and stop volumetric and state exhaustion DDos attacks while passing through legitimate traffic. Attack protection algorithms are continually enhanced based on Corero’s real-world experience of thousands of customers.

Some providers use a cloud-based DDos scrubbing center method that requires all Internet traffic to be relayed by unknown servers on uncertain uplinks in unknown places. This strategy cannot achieve the fastest real-time mitigation without increased latency.

Management and control of our own routers, switches, and servers in house is our priority, and this principle applies to our choice for DDos Protection. Oplink.net engineers directly manage the Corero Smartwall in our data center to apply customized and latest filtering technology.

Here’s a diagram of how the defense system works:


DDos Defense Security Filters

The Oplink.net DDos Defense system offers many smart and flexible filtering technologies. Here are some of the filtering methods now in use:

• TCP/UDP port-based attacks
• Berkeley Packet Filter (BPF)
• Smart-Rules – Patented high-performance heuristicsbased engine that automatically detects & blocks volumetric DDoS attacks, including zero-day
• Botnet protection
• Volumetric DDoS (TCP/UDP/SYN/ICMP) Floods
• Reflective Amplification DDoS
 • NTP Monlist Response Amplification
 • SSDP/UPnP Responses
 • SNMP Inbound Responses
 • Chargen Responses
 • DNS
 • Connectionless LDAP (CLDAP)
• Resource Exhaustion
 • Malformed and Truncated Packets (e.g. UDP Bombs)
 • IP Fragmentation/Segmentation AETs
 • Invalid TCP Segment IDs
 • Bad checksums and illegal flags in TCP/UDP frames
 • Invalid TCP/UDP port numbers