X4B Announces 100G Anycast based protection

Discussion in 'Industry News' started by splitice, Nov 23, 2014.

  1. splitice

    splitice Just a little bit crazy... Verified Provider

    Hi all,

    We at X4B.Net are pleased to announce the public availability of Anycast based remote protection services with a 100 Gbps/140 Mpps protection limit. It took us a bit longer than expected, but it's finally ready for public consumption :)

    Available with backend delivery in Chicago, Denver and L.A* locations, with these three networks forming the current Anycast PoPs and distributed filtering locations.

    Pricing starts at $30.00 (with discount) more details and the discount coupon in

    100Gbps should be available for all attacks given the capacity available on individual links (reasonable assurance). This is provided by a multi-homed network with transit from Zayo, Cogent, Comcast and Tinet, providing us with access to a hell of a lot of bandwidth :)

    There is still much more planned for the future, including: 

     - Optional delivery to your own servers based on the Anycast PoP doing the filtering. As opposed to our network backhauling to a single location.

     - Automated Partial Null-routes: Currently null-routes affect all routes to an IP across all PoPs; we hope to automate partial null-routing to help you stay mostly online under attacks with a sum greater than 100Gbps.

     - More filtering Points of Presence are planned. But sssh, more at a later date :p

    I hope you enjoy :)

    * L.A stock should be available for purchase later this week.
     
    Last edited by a moderator: Nov 23, 2014
  2. splitice

    splitice Just a little bit crazy... Verified Provider

    For those curious, here are the kinds of real-world attacks we have mitigated (with testers or early adopters) in the last couple of days. These readings were taken at the time of initial detection.

     

    Attack #1 - NTP & DNS Amplification against a TS3 server

    Filter PoP #1:
    Incoming Bandwidth rate: 24548 Mbps
    Incoming packet rate: 3320 Kpps
    Protocol: udp

    Filter PoP #2:
    Incoming Bandwidth rate: 13073 Mbps
    Incoming packet rate: 1778 Kpps
    Protocol: udp

    Filter PoP #3:
    Incoming Bandwidth rate: 2948 Mbps
    Incoming packet rate: 404 Kpps
    Protocol: udp

    Attack #2 - SNMP & DNS Amplification (+ some fragmentation)

    Filter PoP #1:
    Incoming Bandwidth rate: 9630 Mbps
    Incoming packet rate: 1289 Kpps
    Protocol: udp

    Filter PoP #2:
    Incoming Bandwidth rate: 6698 Mbps
    Incoming packet rate: 884 Kpps
    Protocol: udp

    Filter PoP #3:
    Incoming Bandwidth rate: 893 Mbps
    Incoming packet rate: 113 Kpps
    Protocol: udp

    Attack #3 - Spoofed UDP Frag

    Filter PoP #1:
    Incoming Bandwidth rate: 7620 Mbps
    Incoming packet rate: 1022 Kpps
    Protocol: udp

    Filter PoP #2:
    Incoming Bandwidth rate: 1065 Mbps
    Incoming packet rate: 142 Kpps
    Protocol: udp

    Filter PoP #3:
    Incoming Bandwidth rate: 6833 Mbps
    Incoming packet rate: 906 Kpps
    Protocol: udp
    Last edited by a moderator: Nov 23, 2014
  3. drmike

    drmike 100% Tier-1 Gogent

    Alright, I am interested. 

    Tell me more.

    How will this fit into things... like with this, how do I tie into existing server / front side those?

    Will this work for inbound and outbound traffic?

    Somewhere earlier, someone thought they'd be cute and slapped 200k PPS at a VPN box.  Chewed up 165 gigabytes of data in quick order.  It was NTP amplification reflection.

    Doesn't faze me.  I'll just light up other stuff and take my nomadic circus on the road.

    Have some info / literature for the new offer available?
     
  4. splitice

    splitice Just a little bit crazy... Verified Provider

    @drmike

    There isn't much literature on the Anycast nature of the services offered yet; I am holding off on writing too much as some of the planned features aren't too far from implementation :) Once we sit down and work out timeframes on the next stages I'll know my priorities a bit better. In its current state it behaves [exactly] like all our existing services; all the complexities of Anycast and distributed mitigation are assumed by us. If you have any specific questions, feel free to ask away.

    As for how to set it up, it's usable via GRE/IP-in-IP tunnel (Windows, Linux, BSD and some routers), Reverse Proxy or VPN (IPSec+L2TP). The simplest way if you are on a Linux / BSD server is usually to just run the tunnel start-up script generated in the control panel and use it via GRE or IP-in-IP.

    You are welcome to push outgoing traffic over the tunnel or VPN methods if you like; some of our VPN users use it for playing games (I admit I am not too familiar with the use case though). It is included in the "Clean Traffic" limits the same as incoming traffic. I am interested to hear your use case for this though, feel free to PM/ticket me :)

    NTP Amp can pack a bit of a bite. Most of attack #1 is NTP Amp (the incident is actually still going!). There is not much point in sending NTP our way nowadays given it's ACL'ed at the edge for our ranges, provided it's under the thresholds of course. Although, I do wonder.... it must take a lot of bandwidth to run a public NTP server nowadays....
     
    Last edited by a moderator: Nov 23, 2014
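The GRE set-up described in the post, written out as an added example. This is not X4B's control-panel script; it is a generic Linux tunnel bring-up of the kind such a script would perform. All addresses (the PoP tunnel endpoint, the backend's real IP, the inner /30 and the protected IP) are placeholders from RFC 5737 documentation ranges, and the table number and interface name are assumptions. The important part for a protection service is step 4: replies sourced from the protected IP must be policy-routed back into the tunnel, otherwise they leave via the server's normal default route, bypass the filter and leak the backend's real address.

```shell
#!/bin/sh
# Added example, not X4B's own script: bring up a GRE tunnel from a Linux
# backend to a filtering PoP and policy-route the protected IP's return
# traffic back into the tunnel.  Addresses are RFC 5737 placeholders.
set -eu

TUN_IF=${TUN_IF:-gre1}
POP_ENDPOINT=${POP_ENDPOINT:-203.0.113.10}   # assumed: PoP's GRE endpoint
LOCAL_IP=${LOCAL_IP:-198.51.100.20}          # assumed: backend's real public IP
TUN_LOCAL=${TUN_LOCAL:-10.255.0.2}           # assumed: inner address, our side
TUN_PEER=${TUN_PEER:-10.255.0.1}             # assumed: inner address, PoP side
PROTECTED_IP=${PROTECTED_IP:-192.0.2.5}      # assumed: filtered IP delivered to us
TABLE=${TABLE:-100}                          # policy-routing table for replies
DRY_RUN=${DRY_RUN:-1}                        # 1 = print commands, 0 = run as root

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_tunnel() {
  # 1. Outer tunnel: GRE (IP protocol 47) between our real IP and the PoP.
  #    For IP-in-IP use "mode ipip" and an MTU of 1480 instead.
  run ip tunnel add "$TUN_IF" mode gre local "$LOCAL_IP" remote "$POP_ENDPOINT" ttl 255
  # 2. GRE adds 24 bytes (20 outer IP + 4 GRE), so the inner MTU is 1500 - 24.
  run ip link set "$TUN_IF" mtu 1476
  run ip addr add "$TUN_LOCAL/30" dev "$TUN_IF"
  # 3. Bind the protected IP on the tunnel so services can listen on it.
  run ip addr add "$PROTECTED_IP/32" dev "$TUN_IF"
  run ip link set "$TUN_IF" up
  # 4. Return path: packets sourced from the protected IP must leave via the
  #    tunnel, not the default route, or replies bypass the filter and expose
  #    the real IP.  A source-based rule selects a table whose only route is
  #    a default via the PoP end of the tunnel.
  run ip rule add from "$PROTECTED_IP" lookup "$TABLE" priority 1000
  run ip route add default via "$TUN_PEER" dev "$TUN_IF" table "$TABLE"
  # 5. Loose reverse-path filtering on the tunnel: strict mode can drop client
  #    packets arriving on $TUN_IF when their best route back is elsewhere.
  run sysctl -q -w "net.ipv4.conf.$TUN_IF.rp_filter=2"
}

teardown_tunnel() {
  run ip rule del from "$PROTECTED_IP" lookup "$TABLE" priority 1000
  run ip route flush table "$TABLE"
  run ip tunnel del "$TUN_IF"
}

# Default action is a dry-run bring-up; TUNNEL_ACTION=down prints the teardown.
if [ "${TUNNEL_ACTION:-up}" = down ]; then teardown_tunnel; else setup_tunnel; fi
```

Run it with `DRY_RUN=0` as root to apply; with the default it only prints the commands so they can be reviewed first. Two things to verify afterwards: `ip route get 8.8.8.8 from 192.0.2.5` (substituting the real protected IP) should show the tunnel device, and a capture on the real interface should show only GRE traffic to the PoP, never plain packets sourced from the protected IP. If the backend also terminates TCP on its real IP, remember that anything it originates from that address still takes the unprotected path; only traffic sourced from the protected IP is covered by the rule.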
  5. Steven F

    Steven F New Member Verified Provider

    Can you provide more information on your filtering (is it in-house, Arbor, or what)?

    Edit:

    Looks like Voxility, thanks!
     
    Last edited by a moderator: Nov 23, 2014
  6. splitice

    splitice Just a little bit crazy... Verified Provider

    No Voxility in the network at this stage; I don't think they have PoPs with filtering in Chicago or Denver either. From Layer 7 to network-level mitigation, the mitigation systems used at all levels for the 100G services are in-house. I don't think it would be possible to offer reasonable prices at this volume using COTS appliances given my experiences with the cost of Rioreys.
     
  7. Kruno

    Kruno New Member Verified Provider

    What is your ASN / anycasted IP range?

    How do you handle L7? Got Europe POP?
     
  8. splitice

    splitice Just a little bit crazy... Verified Provider

    IP addresses are announced under our provider's ASN (AS46844).

    Layer 7 is handled via an in-house solution (signatures, reasonable limits and, optionally, dynamic patterns and passive or active client verification). No Europe in this network at this stage; the three PoPs are those listed.

    ---

    An update for anyone interested, we have a new winner for largest attack mitigated on the network since launch (~92G) -

    Type: TCP Invalid Packet (bad hdr length 0 - too short, < 20)

    L.A - [sun Nov 23 22:27:06 PST 2014] Network usage: 3097 Kpps, 47686 Mbps

    Chicago - [sun Nov 23 22:27:10 PST 2014] Network usage: 3818 Kpps, 26346 Mbps

    Denver - [sun Nov 23 22:27:03 PST 2014] Network usage: 2165 Kpps, 19464 Mbps
     
    Last edited by a moderator: Nov 24, 2014
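The per-PoP readings quoted in the post above (and the three attacks in post #2) only become meaningful once summed, because with Anycast each PoP sees a fraction of the attack and the 100 Gbps / 140 Mpps limit applies to the whole network. The following is an added example, not X4B's tooling: a small awk aggregator over lines in the "Network usage:" format shown in the post. The sample lines are copied from the post; the limits are the figures stated in post #1. It reports the totals, which of the two limits is closer to being hit, and the average packet size, which is what decides that.

```shell
#!/bin/sh
# Added example (not X4B's tooling): sum per-PoP attack readings in the
# "<pop> - [<date>] Network usage: N Kpps, M Mbps" format and compare the
# total with the stated 100 Gbps / 140 Mpps protection limit.
set -eu

LIMIT_MBPS=${LIMIT_MBPS:-100000}   # 100 Gbps, from the announcement
LIMIT_KPPS=${LIMIT_KPPS:-140000}   # 140 Mpps, from the announcement

# Sample readings copied from the post (the ~92G TCP invalid-packet attack).
SAMPLE='L.A - [sun Nov 23 22:27:06 PST 2014] Network usage: 3097 Kpps, 47686 Mbps
Chicago - [sun Nov 23 22:27:10 PST 2014] Network usage: 3818 Kpps, 26346 Mbps
Denver - [sun Nov 23 22:27:03 PST 2014] Network usage: 2165 Kpps, 19464 Mbps'

# Reads readings on stdin; prints one line per PoP, then a summary line.
aggregate() {
  awk -v lim_mbps="$LIMIT_MBPS" -v lim_kpps="$LIMIT_KPPS" '
    /Network usage:/ {
      # Fields from the end are stable even if the PoP name or date vary:
      # ... usage: <kpps> Kpps, <mbps> Mbps
      pop = $1; kpps = $(NF-3) + 0; mbps = $(NF-1) + 0
      tot_kpps += kpps; tot_mbps += mbps; n++
      if (mbps > max_mbps) { max_mbps = mbps; max_pop = pop }
      printf "%-8s %6d Mbps %5d Kpps\n", pop, mbps, kpps
    }
    END {
      if (n == 0) { print "no readings parsed" > "/dev/stderr"; exit 1 }
      # Mbps*1e6 / (Kpps*1e3) = bits per packet; divide by 8 for bytes.
      avg_bytes = tot_mbps * 1000 / tot_kpps / 8
      bps_pct = 100 * tot_mbps / lim_mbps
      pps_pct = 100 * tot_kpps / lim_kpps
      # Whichever percentage is higher is the limit the attack will hit first.
      binding = (pps_pct > bps_pct) ? "pps" : "bps"
      printf "pops=%d total_mbps=%d total_kpps=%d avg_bytes=%d bps_pct=%.1f pps_pct=%.1f binding=%s hottest=%s\n",
        n, tot_mbps, tot_kpps, avg_bytes, bps_pct, pps_pct, binding, max_pop
    }'
}

printf '%s\n' "$SAMPLE" | aggregate
```

For the quoted readings the sum is 93496 Mbps and 9080 Kpps, so the bandwidth limit is the binding one (about 93% used) while the packet-rate limit is barely touched (about 6%), because the packets average roughly 1.3 KB. The same bit rate made up of 64-byte packets would be over 180 Mpps and would exceed the 140 Mpps figure well before the 100 Gbps one; when judging whether a service's limit covers you, the packet size of the attacks you actually receive matters as much as the headline Gbps number.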