X4B Announces 100G Anycast based protection

[splitice]

Hi all,

We at X4B.Net are pleased to announce the public availability of Anycast based remote protection services with a 100 Gbps/140 Mpps protection limit. It took us a bit longer than expected, but its finally ready for public consumption

Available with backend delivery in Chicago, Denver and L.A* locations with these three networks forming the current Anycast PoPs and distributed filtering locations.

Pricing starts at $30.00 (with discount) more details and the discount coupon in

100Gbps should be available for all attacks given the capacity available on individual links (reasonable assurity). This is provided by a multi-homed network with transit from Zayo, Cogent, Comcast and Tinet providing us with access to a hell of a lot of bandwidth

There is still much more planned for the future, including: 

 - Optional delivery to your own servers based on the Anycast PoP doing the filtering. As opposed to our network backhauling to a single location.

 - Automated Partial Null-routes: Currently null-routes affect all routes to an IP across all PoPs, we hope to automate partial nullrouting to help you stay mostly online with attacks with a sum greater than 100Gbps.

 - More filtering Points of Presence are planned. But sssh, more at a later date

I hope you enjoy

* L.A stock should be available for purchase later this week.

 

[splitice]

For those curious the kinds of real world attacks we have mitigated (with testers or early adopters) in the last couple of days. These readings have been taken at time of initial detection.

 

Attack #1 - NTP & DNS Amplification against a TS3 server

Filter PoP #1:

Incoming Bandwidth rate: 24548 Mbps

Incoming packet rate: 3320 Kpps

Protocol: udp

 

Filter PoP #2:

Incoming Bandwidth rate: 13073 Mbps

Incoming packet rate: 1778 Kpps

Protocol: udp

 

Filter PoP #3:

Incoming Bandwidth rate: 2948 Mbps

Incoming packet rate: 404 Kpps

Protocol: udp

 

Attack #2 - SNMP & DNS Amplification (+ some fragmentation)

Filter PoP #1:

Incoming Bandwidth rate: 9630 Mbps

Incoming packet rate: 1289 Kpps

Protocol: udp

 

Filter PoP #2:

Incoming Bandwidth rate: 6698 Mbps

Incoming packet rate: 884 Kpps

Protocol: udp

 

Filter PoP #3:

Incoming Bandwidth rate: 893 Mbps

Incoming packet rate: 113 Kpps

Protocol: udp

 

Attack #3 - Spoofed UDP Frag

Filter PoP #1:

Incoming Bandwidth rate: 7620 Mbps

Incoming packet rate: 1022 Kpps

Protocol: udp

 

Filter PoP #2:

Incoming Bandwidth rate: 1065 Mbps

Incoming packet rate: 142 Kpps

Protocol: udp

 

Filter PoP #3:

Incoming Bandwidth rate: 6833 Mbps

Incoming packet rate: 906 Kpps

Protocol: udp

 

[drmike]

Alright, I am interested. 

Tell me more.

How will this fit into things... like with this, how do I tie into existing server / front side those?

Will this work for inbound and outbound traffic?

Somewhere earlier, someone thought they'd be cute and slapped 200k PPS at a VPN box.  Chewed up 165gigabyes of data in quick order.  It was NTP amplification reflection.

Doesn't phase me.  I'll just light up other stuff and take my nomadic circus on the road.

Have some info / literature for the new offer available?

 

[splitice]

@drmike

There isn't much literature on the Anycast nature of the services offered yet, I am holding off on writing too much as some of the planned features aren't too far from implementation Once we sit down and work out timeframes on the next stages I'll know my priorities a bit better. In its current state it behaves [exactly] like all our existing services, all the complexities of Anycast and Distributed mitigation are assumed by us. If you have any specific questions, feel free ask away.

As for how to set it up, its usable via GRE/IP-in-IP tunnel (Windows, Linux, BSD and some routers), Reverse Proxy or VPN (IPSec+L2TP). The simplest way if you are on a Linux / BSD server is usually to just run the tunnel start up script generated in the control panel and use it via GRE or IP-in-IP.

You are welcome to push outgoing traffic over the tunnel or VPN methods if you like, some of our VPN users it for playing games (I admit I am not too familiar with the use case though). It is included in the "Clean Traffic" limits the same as incoming traffic. I am interested to hear your use case for this though, feel free to PM/ticket me

NTP Amp can pack a bit of a bite. Most of attack #1 is NTP Amp (the incident is actually still going!). There is not much point in sending NTP our way now days given its ACL'ed at the edge for our ranges, providing its under the thresholds of course. Although, I do wonder.... it must take a lot of bandwidth to run a public NTP server now days....

 

[Steven F]

Can you provide more information on your filtering (is it in-house, Arbor, or what)?

Edit:

Looks like Voxility, thanks!

 

[splitice]

No Voxility in the network at this stage, I don't think they have PoPs with filtering in Chicago or Denver either. From Layer 7 to Network level mitigation, the mitigation systems used all all levels for the 100G services are in-house. I don't think it would be possible to offer reasonable prices at this volume using COTS appliances given my experiences with the cost of Rioreys.

 

[Kruno]

What is your ASN / anycasted IP range?

How do you handle L7? Got Europe POP?

 

[splitice]

IP addresses are announced under our providers ASN (AS46844).

Layer 7 is handled via an in-house solution (signatures, reasonable limits & optional: dynamic patterns and passive or active client verifications). No Europe in this network at this stage, the three PoP's are those listed.

---

An update for anyone interested, we have a new winner for largest attack mitigated on the network since launch (~92G) -

Type: TCP Invalid Packet (bad hdr length 0 - too short, < 20)

L.A - [sun Nov 23 22:27:06 PST 2014] Network usage: 3097 Kpps, 47686 Mbps

Chicago - [sun Nov 23 22:27:10 PST 2014] Network usage: 3818 Kpps, 26346 Mbps

Denver - [sun Nov 23 22:27:03 PST 2014] Network usage: 2165 Kpps, 19464 Mbps