How Innetra DDoS Protection works

Adequate DDoS protection requires verifying every incoming packet and flow. With this in mind, we build our network with extensive uplink connectivity and high-capacity mitigation equipment so that filtering fully covers all external channels. That allows us to provide DDoS mitigation service with zero valid packet loss.

The Innetra DDoS mitigation system includes several traffic inspection layers. Each layer is an independent stack of equipment that applies a set of challenges to identify and block malicious activity. The inspection layers correspond to OSI layers: Basic (L3-4) and Advanced (L7) DDoS Mitigation.

Once the protected channel is established, we begin receiving the customer’s subnets and announcing them to the Internet. Our uplinks deliver packets intended for customer equipment to us. We receive, analyze, scrub, and deliver this traffic to the customer. Our mitigation equipment automatically blocks incoming DDoS attacks. Thus, customer resources stay available to their visitors through the Innetra network.

We strongly recommend using the Innetra network as the primary or sole uplink to prevent overload and packet loss on the customer’s other Internet service provider channels. In addition, we can use information about outgoing flows from protected prefixes to improve the accuracy of incoming traffic scrubbing.

Basic DDoS Mitigation

Basic DDoS Mitigation covers OSI layer 3-4 traffic analysis and blocking of malicious activity. It automatically processes all Innetra dedicated server traffic and doesn’t require any configuration. This protection layer blocks attacks including, but not limited to, the following:

Volumetric DDoS
  • TCP flood (SYN/SYN-ACK/ACK/RST/FIN/URG-PSH etc.);
  • UDP flood;
  • UDP fragmentation;
  • ICMP flood;
  • other floods.
Amplification
  • Amplification attacks using the following protocols: TCP, UDP, ICMP, DNS, SSDP/UPnP, NTP, RIP, rpcbind, SNMP, SQL RS, Chargen, L2TP, Memcached, and others.
Resource Exhaustion Attacks
  • Malformed and truncated packet attacks;
  • IP Fragmentation/Segmentation AETs (Teardrop, Targa3, Jolt2, Nestea etc.);
  • Invalid TCP Segment IDs;
  • TCP connection flood;
  • “Slow” TCP flood;
  • wrong checksums and illegal flags in TCP/UDP frames;
  • invalid TCP/UDP port numbers;
  • use of reserved IP addresses;
  • type of service (TOS) flood.
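
As an illustration of the stateless header checks named in the Resource Exhaustion list above (truncated packets, wrong checksums, illegal TCP flags, invalid port numbers, reserved addresses), here is an added Python example; it is not Innetra's implementation. The function names, the choice to verify the IPv4 header checksum only, the flag combinations treated as illegal, and the sample packets built from documentation addresses are assumptions made for the example.

```python
import ipaddress
import struct

FIN, SYN, RST = 0x01, 0x02, 0x04  # bits in the TCP flags byte

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def inspect_ipv4_tcp(packet: bytes) -> list[str]:
    """Return the reasons a packet fails stateless L3-4 checks (empty list = pass)."""
    if len(packet) < 20:
        return ["truncated IPv4 header"]
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        return ["malformed IPv4 header"]
    reasons = []
    if inet_checksum(packet[:ihl]) != 0:  # a valid header sums to zero
        reasons.append("bad IPv4 header checksum")
    src = ipaddress.IPv4Address(packet[12:16])
    if src.is_loopback or src.is_multicast or src.is_reserved or src.is_unspecified:
        reasons.append(f"reserved source address {src}")
    if packet[9] != 6:
        return reasons  # only TCP is inspected further in this example
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return reasons + ["truncated TCP header"]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = tcp[13] & 0x3F
    if sport == 0 or dport == 0:
        reasons.append("invalid TCP port 0")
    if flags == 0 or (flags & SYN and flags & (FIN | RST)):
        reasons.append(f"illegal TCP flags 0x{flags:02x}")
    return reasons

def build_packet(src: str, sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample input: minimal IPv4+TCP packet with a valid IP checksum."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address("198.51.100.10").packed)
    head = head[:10] + struct.pack("!H", inet_checksum(head)) + head[12:]
    return head + tcp
```

A production scrubber performs these checks at line rate in hardware or in the kernel fast path and combines them with stateful and rate-based detection; the example covers only the per-packet header checks.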

Advanced DDoS Mitigation

This service protects customer applications (OSI L7) from DDoS attacks that exploit protocol vulnerabilities. Our equipment performs deep packet inspection and checks various additional parameters such as application packet header, payload, sequence, etc. For incoming packets of some applications, we execute a sequence of challenges to reduce the false-positive ratio.
