OVH EU DDoS Mitigation

Jack

Active Member
http://forum.ovh.co.uk/showthread.php?p=46133#post46133

 

URGENT AND IMPORTANT: Anti-DDoS Protection

Hello,

As a web infrastructure supplier, OVH has always been faced with DDoS cyber attacks, which affect our infrastructure as much as the services of our customers. Since the Wikileaks affair in late 2010, DDoS attacks have been making the headlines, and with DNS AMP becoming widespread since the beginning of this year, any kid can basically launch a DDoS attack of several dozen Gbps and implement a childish activity.

On our side, we have developed the protection tool over time with one simple aim: that the anti-DDoS protection service cannot be optional. On your side, customers must use this service by default.

For 3-4 months we've been working on a new type of infrastructure for protection against DDoS attacks, which we named "VAC". (VAC as in vacuum cleaner 

So let's be artistic here - the idea is passing a vacuum cleaner over incoming traffic from the internet to your services, extracting the bad packets but leaving the good packets intact.

VAC1, (currently in Alpha phase), has been installed in Roubaix. It's now working well enough for us to explain what OVH is going to
to offer, in terms of protection against DDoS attacks. 

We are planning to launch the Beta version this week. On July 16th, we will explain the VAC service on our website and a new contract will be issued to provide the framework of this service. The objective is to be as transparent as possible and to provide you
with the highest guarantees.

Hardware
--------
VAC is a mitigation unit capable of cleaning up to 160Gbps/160Gbps traffic.
It consists of 2 routers: a CISCO ASR 9001 and a Cisco Nexus 7009. Overall, a VAC has 114 10G ports, or 1.14Tbps switching/routing capacity. For traffic cleaning we use 2 types of hardware: 4 Tilera each with 20Gbps (80Gbps) and 1 TMS 4000 of 30Gbps.

Software development on the Tileras is ensured by our internal team. It consists of low level C/C++ code, queue management and
algorithms that determine whether a packet is good or bad. TMS 4000 is a package with the algorithms developed by Arbor.
The traffic gets 'hoovered' up up on entry to a datacentre, cleaned then directed towards the routers of the rooms.
In the case of VAC1, traffic is sucked up at the level of 2 main Roubaix routers, then subjected to 5 cleaning phases. Each 
phase intelligently cleans up one type of attack, with the aim of significantly reducing the size of the attack, before passing the remainder onto the next phase. And so on and so forth. 

Thanks to these 5 stages, we are capable of treating up to 160Gbps of attacks, whereas our competitors 
buy an Arbor TMS 4000 package with 1 10G card and are only able to filter 10G max, which is basically nothing. If you receive 
attacks exceeding this, the contract is breached and you have to find yourself a new hosting provider - this is where we step in, as we have no limits in terms of the size of attacks that we can manage. 

Functionalities
---------------
A VAC enables us to provide you with the following services:
- a firewall network
- mitigation of DDoS attacks
- choice of mitigation type
- permanent mitigation
- detection of an attack and activation of the mitigation 
- support to assist you in the event of an attack

A VAC also takes care of hoovering up any attacks that our network may generate. Sometimes customers are in fact hacked and their servers are then used to launch the attacks. When we detect these attacks, we suck them up with the VAC and then clean it, while waiting to determine which servers have been hacked so we can put them in rescue mode.

A VAC also participates in the fight against spam. The VAC will actually suck up and duplicate "the outgoing email traffic" of a datcentre (DC) in order to analyse it with anti-spam and antivirus programmes. We will be able to calculate the statistics on the amount of spam per SRC IP in our DCs, and then block an IP's SMTP traffic, when we believe that it is acting as a spammer.

A VAC is not for storage, it is a traffic analyzer and thus it does not store emails. It simply analyses samples of the emails
leaving our DCs in real time.

In addition to vacuuming, the VAC also does the ironing ...nah, just kidding! 

Redundancy
----------
The redundancy of a VAC is guaranteed by another VAC. By the end of August, we will be installing 3 VAC mitigation units in 
3 locations:
- Strasbourg, France (SBG)
- Roubaix, France (RBX)
- Beauharnois, Canada (BHS)

The 3 VACs will function in parallel and each VAC will suck up the traffic nearest to it, in order to clean it, then it will inject it into the 
internal network that we have set up between all the DCs. So an attack coming from Miami, FL will pass through BHS, where the VAC3 will clean it, then the traffic will enter the internal network. From BHS it will pass through GRA, through RBX to arrive, for example, in SBG at the server that is the victim of a DDoS attack.

The total capacity of our 3 VACs is 3 x 160Gbps, which is 480Gbps/480Mpps. It's the biggest known mitigation infrastructure that a 
an infrastructure supplier has made available to their customers. 

Consequences
-----------
The protection service is not limited in terms of the size, duration, nor the type of the attack. We know how to contain any attack and the objective for us is providing you with a service that will truly protect you on the day you are attacked. 

The question is not so much "Do I need it?" but rather "Will it protect me when doomsday comes?" 
Just last week, a customer contacted me urgently because their site had been attacked by some discontented kid. 3 clicks later, the attack passed through VAC1 and the site www.prestashop.com was back up again. 

Everyday, we receive up to 1200 attacks and we protect 700 of you on average, not really the same everyday...

Service
-------
We will be offering three levels of service:

- By default and included in the price, the aim is to protect our infrastructure and the services of the customer as best we can. In order to properly protect an infrastructure against an attack, it is necessary to know what is running on the server, and then set up the right mitigation configuration. Without having human contact with the customer, we can only do our best. This is the level of service we will provide by default.

- With PRO usage, you will be able to tinker with and adapt the protection using the manager or APIv6. We will offer you
the following tools: 
- the firewall network of 480Gbps with the possibility of adding 100 ACL lines by DST IP, which is an OVH innovation.
- the choice of several dozen mitigation types, including web, SMTP, game, teamspeek, streaming etc.
- permanent mitigation or attack detection with automatic VAC activation
- support will be provided via the following mailing-list: [email protected]

- With VIP Support, you will have 24/7 human assistance with configuration + Someone to talk to in the event of an attack, to help you configure the protection to block the attack quickly and efficiently. The VIP team will ensure that the attack is monitored 
24/7 and will adapt the protection if the attack changes. 

Price
----
Throughout the Alpha phase, we communicated the fact that protection against DDoS attacks should be a service included in the price of a server, VPS, PCI, dedicated cloud or (available in France only) an ADSL connection.

We were very surprised to read the same question again and again: "How much will it cost?"

This made us think ...a lot.
After this thoughtful reflection process, we had 3 options:

- Doing the same as everyone else, which means offering an considerably expensive mitigation service, while stating that the mitigation capacity depends on the price and that in all cases there is a limit of 10Gbps or 20Gbps (!!), that there's also a limitation in the attack duration (!!), and then you have to pay more if you want more (!!). Basically, an on demand, overpriced and rather limited sevrice. This is standard business model of all our competitors and suppliers of mitigation solutions.

- Offering something cheap/adequate, which means investing in an infrastructure (we're talking €3M) and then not including the mitigation costs in the price of each service - simply offering it but with no figures related to mitigation, no teams to take care of it 24/7 and just hoping that it will be enough come doomsday.

- Sharing the costs of the VAC and the teams with all existing and future customers that we have on our infrastructure - this is the solution that we have chosen. In this scenario we're talking about a mandatory option for all existing dedicated servers, VPS and dedicated clouds. Since there are so many customers, the service price increase is very low as a result:
- VPS: +£0.50/month
- KS: +£1/month
- SP: +£1/month
- EG: +£2/month
- MG: +£2/month
- HG: +£3/month
- Dedicated Cloud: +£5/month
- Colocation (France only): +€10/month

This price increase for all existing and future servers will allow us to continue to invest and improve the infrastructure so that we can handle new attacks.

Prices will increase from September 1st 2013 for all existing servers. However, if you sign up for a whole year, then DDoS protection is included, so the service price does not change.

The increase is between +£0.50 and +£10 per month. It may seem low compared to the anti-DDoS service prices offered by our competitors. You may even say that we won't be able to provide a quality protection service against DDoS attack for such a low price. However, given the number of customers we have and the sharing of costs and investments, we feel totally comfortable with taking up the challenge of become the leading player in the protection against attacks, and of protecting against doomsday

Kind regards,

Octave
 
 

peterw

New Member
I like the idea that all customers pay for a solution that will secure the whole network. A good idea if the vacuum cleaner is working. So in future noone will have to move out of OVH when he was attacked by a DDOS?
 

maounique

Active Member
It is beyond interesting !

I am excited !

Expect every kid to sell a gre tunnel as DDoS protection.

But, if the ddos magnets move over there, the rest of us can only benefit.
 

H4G

New Member
Verified Provider
They are making some good use of $190 M loan, it seems....

:D
 
Last edited by a moderator:
Someone over at WHT made an interesting point:

Maybe, maybe not. First, the cost is spread over all customers - even those who do not want, need or even heard of DDOS attacks. Not all users will understand or accept a unilateral increase of rates for an additional service they do not understand or require.

Second, the solution is developed in-house and while it seems they have a proof of concept, in large scale production it must still prove itself.
Third, the mitigation capacity per location is 'only' 160 Gbps and it seems to be not line rate mitigation, as they declare 160 Gbps / 160 Mpps instead of line rate 160 Gbps / 240 Mpps line rate speeds. While 160 Gbps sounds like a lot of capacity (it is.. in a sense) it must protect a very large amount of servers (100 000+ servers)
Last: 'free'or 'cheap' DDOS mitigation will attract a lot of users that look for protection and get 10 Gbps+ attacks... this could eventually overload even the 160 Gbps mitigation platform with detrimental consequences for all users within the network. It may even give rise to DDOS mitigation 'resellers' that install scrubbing proxy's in the OVH network... 
It may or may not have been a great move, time will tell.
 
Last edited by a moderator:

wlanboy

Content Contributer
Sounds quite big. If I just think about 20 concurrent 10 Gbps attacks their cleaner is blocked. It's all about math.

How likely is it that 20 out of 100.000 servers are ddosed?

Most likely this is marketing. Or they have to change their own policy how they handle ddos victims.
 

MannDude

Just a dude
vpsBoard Founder
Moderator
Curious to see how this works out long term. I know the EU didn't have many affordable options when it came to DDoS protection, so interesting nonetheless.
 

rds100

New Member
Verified Provider
It's actually not 160Gbps but 3x160 = 480Gbps, if the DDoS attacks are eventy distributed over the entry points to their network.

I still wonder about the Mpps though, why is this not full linerate?
 
Top