Рейтинг
0.00

SeFlow Хостинг

1 читатель, 11 топиков

4,7 Tbps Network Security is now live. Best place to keep your data safe



SeFlow Is Building a More Secure Network; First Global Content Provider to extend BGP Flowspec Capability for all customers for free MILAN, Sept. 12,2016 — SeFlow is happy to announce the deployment Border Gateway Protocol (BGP) Flowspec on its global backbone and whole Level 3 Network. The capability is one of the largest deployments in the industry, leveraging SeFlow and Level 3's more than 43 terabits of backbone capacity and protecting its peering points. BGP Flowspec allows for rapid threat mitigation across the Level 3 backbone, shutting down volumetric attacks and providing a more secure network for its customers.

This enhancement to SeFlow's suite of security solutions better provides responsive service capabilities for customers while at the same time helping to create a safer internet ecosystem. Enterprises need a DDoS mitigation service provider with the tools and expertise to fight these large-scale, potentially expensive attacks.

DDoS and threat detection is now immediate on the scrubbing points and will be mitigated before reaching SeFlow Milan location. This will ensure a free DDoS Mitigation on amplification attacks for all customers. In addition the Milan filters will be underloaded ensuring more powerfull layer 7 protection.

This new solution increase the mitigation capacity for flood attacks to 4,7Tbps ingestion capacity (prior was 4.2Tbps only for amplifications). Most of the attacks are now filtered from scrubbing point closest to the origin ensuring protection for most amplifications and know floods for all server inside SeFlow. DDoS Protected Customers will not see anymore amplification and flood attacks in their SeGuard Portal because we will ensure protection using the geo scrubbing point. For example if an attack will start from brazil, only south america customers will pass trought active filters leaving other customers to be free to reach your server evoiding too restrictive f ilters.

Milan location is now converted into full layer 7 protection ensuring more mitigation capacity on application attacks.

How It Works the Flowspecs feature:
  • BGP is the protocol all internet routers use to talk to each other.
  • BGP Flowspec uses the BGP protocol to distribute flow specification filters to network routers – if a threat is identified, the SeFlow DDoS infrastructure inputs a rule to block or deny traffic related to the threat by its source, destination and a number of other characteristics.
  • The malicious traffic is systematically and temporarily filtered off the network, blocking threats globally before they have time to form fully or scale and affect a customer.

Key Facts:
  • SeFlow has both the network architecture and skilled professionals in place to leverage this threat-fighting tool.
  • As a global network services provider, SeFlow has an expansive view of worldwide internet traffic and a broad view of threats
  • In an industry with so few qualified resources, SeFlow has security operations center professionals in five global locations trained to use this powerful tool.
  • BGP Flowspec is built into SeFlow and Level 3's Network for all customers in addition to existing worldwide anycast DDoS Mitigation Protection.

SeFlow Network Security is already active for all SeFlow Customers. Existing DDoS protection customers should see lower attacks rate reporting because SeFlow Network Security work silently avoiding any engagement mitigation time. This will ensure that, for most know attack, for latency sensible service, you will not have any interruption.

DDoS Mitigation prices still unchanged and new features are already in place without any additional configuration on customer services.

Feel free to contact us for details trought our ticket system to SOC department manage.seflow.it/index.php?/tickets/new/

All our service now include SeFlow Network Security service, check out our Dedicated server list seflow.net/2/index.php/en/services/baremetalserver/browseservers

new layer 7 DDOS Protection and AlwaysOn mode avaiable

We are proud to advertise that we're the first company with 4,2Tbps Volumetric Attacks mitigation capacity and we are now able to mitigate 200Gbps of layer 7 attacks. Our layer 7 protection is a Cloud with dedicated 600Ghz CPU Clock that is able to inspect packets payload up to 200Gbps.

In this first stage we're upgrading our filters to perform basic layer 7 mitigation protection on ALL DDoS protected services and we will release advanced layer 7 protection and WAF firewall very soon.

Our actual DDoS Protection (Sensor mode) can detect every attacks within 5 seconds. This is great for websites, voip and most games. With latest upgrade customers can now be able to add AlwaysON protection that detected and filter attacks instantly. This solution is perfect for Teamspeak and latency sensitive games and application and can be ordered, for every VPSPro and Dedicated Server plans from your customer area. Price for that solution is only 18€ each IP.

All orders form are updated and you can now order

Both Protection now included basic layer 7 protection and are daily updated.

All customers can now see dump of every received attacks. You can now download pcap file or use our online viewer to inspect any packets (payload, ttl, src ip, length and much more.

You can be in touch with every latest DDoS thread subscribing to our security blog avaiable on seflow.net/2/index.php/en/blog

Some recent articles:
  • SYNPROXY Protection (http://seflow.net/2/index.php/en/blog/synproxy-module-protect-yourself-by-syn-flood)
  • Tweak sysctl (http://seflow.net/2/index.php/en/blog/tweak-sysctl-parameters-to-prevent-ddos-and-syn-flood)
  • Pingback wordpress attacks (http://seflow.net/2/index.php/en/blog/pingback-wordpress-involved-in-layer7-ddos)

If you have any enquiries or need information about our updated DDoS Protection please open a ticket to our SOC choosing DDoS SOC department.

Protect yourself by SYN flood

Distributed Denial of Service (DDoS) attacks are becoming increasingly commonplace as business becomes more and more dependent on delivering services over the Internet. One of the most common types of DDoS attacks is the well-known SYN-flood attack. It is a basic end-host resource attack designed to bring your server to its knees. As a result, your server is unable to properly handle any new incoming connection requests.

SYN Protection in the past
In the past, SYN attacks, by major vendor, was mitigated using conntrack filtering on commodity or AICS hardware. With Netfilter’s connection tracking system (conntrack), we can start filtering out false SYN-ACK and ACK packets before they hit the “listen” state lock. The conntrack system actually has a scalability problem (like the “listen” lock) when it comes to creating (or deleting) connections, which the SYN-flood will hit.

Even after fixing the conntrack lock, the SYN packets will still be sent to the socket causing the “listen” socket lock to occur. The normal mitigation technique is to send SYN-cookies and avoid creating any state until the SYN-ACK packet is seen.

Unfortunately, SYN-cookies are sent under the same “listen” state lock, so the mitigation does not solve the scalability issue. How these limitations can be worked around will be discussed later.

SYNPROXY, New Filtering Era
With SYNPROXY we can increase 20x performance then old technique removing the “listen state lock” part catching packets that the connection tracking system has categorized as “INVALID” and not part of a known connection state. The matching against existing conntrack entries is very fast and completely scalable. The conntrack system actually does lockless RCU (read-copy update) lookups for existing connections.

Essentially, this solves all other TCP-flooding packets except SYN-flooding.

But NOW, How we can solve SYN-flooding?
SYNPROXY essentially does parallel SYN-cookies and not create a conntrack entry before the SYN-ACK packet is received thus avoiding the conntrack new connections lock. Once the initial connection is established the normal conntrack system will take over and do all the needed forwarding.

If you have CentOS 7 or any distribution with kernel > 3.13 and iptables 1.4.21 you have this module built-in.

To enable it we need to tweak sysctl.conf. Insert in /etc/sysctl.conf:
#SYN cookies
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog=4096
net.ipv4.tcp_syn_retries=5
net.ipv4.tcp_synack_retries=2

#SYNPROXY REQ
net.netfilter.nf_conntrack_tcp_loose=0
net.netfilter.nf_conntrack_max=2000000
net.ipv4.tcp_timestamps=1

#OPTIMIZE TCP
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.core.netdev_max_backlog = 250000


Now you can configure SYNPROXY using public online script avaiable here
github.com/netoptimizer/network-testing/blob/master/iptables/iptables_synproxy.sh

If you want configure yourself go head with these steps:
Step #1: In the “raw” table, we need to make sure connections that need protection don’t create new conntrack entries for SYN packets.
# iptables -t raw -I PREROUTING -i $DEV -p tcp -m tcp –syn –dport $PORT -j CT –notrack


Step #2: Now we need to catch these packets and direct them to the SYNPROXY target module. To do this, use the following rule to catch UNTRACKED SYN and INVALID packets that contain the ACK from 3WHS (and also others, but they will fall-through).
# iptables -A INPUT -i $DEV -p tcp -m tcp –dport $PORT -m state –state INVALID,UNTRACKED -j SYNPROXY –sack-perm –timestamp –wscale 7 –mss 1460


Step #3: Catch the INVALID state packets that fell-through the SYNPROXY module and drop those. Basically, this will drop SYN-ACK based floods.
# iptables -A INPUT -m state –state INVALID -j DROP

Considerations when using SYNPROXY

Enabling SYNPROXY does comes at a cost. The connection establishment phase is going to be slower due to the extra connection setup needed towards the end-host. When the end-host is localhost, then this extra step is obviously very fast but nonetheless adds latency.

The parameters to the SYNPROXY target module must match TCP options and settings supported by the end-host that the TCP connections are being proxied for. Detecting and setting this up is manually done per rule setting. (A helper tool “nfsynproxy” is part of iptables release 1.4.21). This unfortunately means the module cannot be easily deployed in DHCP-based firewall environments.

New DDoS Protection is now in public beta - 800Gbps full protection

Scrubbing center mitigation techniques alone are not designed to manage today’s highly sophisticated and distributed attacks. You need to deploy a multi-layered security approach backed by extensive threat research to defend against a variety of attack types.
Only network-based DDoS mitigation solutions can provide realistic protection to enterprise resources. SeFlow created a SOC department, pool of security expert team, avaiable 24x7 to keep your data safe and protected.

How SeFlow can protect up to 800Gbps (4.2Tbps on know patterns)?
We're now partner of Level 3 Communications and our network is now protected, for volumetric attack, by the whole Level 3 Networks. Special and dynamics rules was applied on all Level3 router and firewall ensuring 4.2 Tbps DDoS Protection for well know attacks, like DNS, NTP, SNMP, Chargen Amplifications and much more.

As second defense layer we had various sensors that analyze traffic and if an anomalies is found, redirect the IP to our filters. Filters are a cluster that can absorb up to 80Gbps of dirty packets. Traffic will be analyzed, cleaned and injected into the network. Our filters analyze in real-time any attack to guarantee enterprise grade protection in any condition, no matter if attack changes.

Avaiable Plans?
We want ensure that every customer will be able to keep protected and we created new plans.
  • DDoS Protected IP: You can protect single ip address at only €9 /m. You will have access to our SeGuard Anomaly Panel. You will be able to monitor anomaly in real-time or create stats, report and much more. Any existing IP can be converted in DDoS Protected IP without downtime. Just open a ticket to our SOC department and we will do it. No changes needed at yout end.
  • Whole Server: You can protect entire server for only €49 /m, no matter how many ips you have on it. You will be able to monitor anomaly in real-time or create stats, report and much more. Any existing server with free protection can be converted in a DDoS Protected Server without downtime. Just open a ticket to our SOC department and we will do it. No changes needed in yout end.
  • Remote DDoS Protection: Remote DDoS Protection is also available for clients who require mitigation services at their own facility. Using GRE tunnels, we can divert traffic to our network for inspection, analysis and filtering to ensure high availability of your online business or project. Price start from €400 /m with 500Mbps clean pipe.

What's next?
We're moving some DDoS Protected Customers in our new SeGuard system and will start the public beta. After this stage all existing DDoS server will be migrated into this platform and legacy SeGuard will be discontinued. We will launch full service description and ability to buy it online in next days.

For existing or new customers that can't wait we can start protect immediately, please open a trouble ticket to our SOC and you will enjoy the power of our new protection. Everybody will submit any DDoS Protected plan during this stage, will have 20% full discount for life.

Thank you for choosing SeFlow Internet Service, our new SOC department is impatient to show all his experience in Network Protection.

SeFlow.Net Team

New 2016 Skylake servers from 29€/monthly

SeFlow is happy to announce new 2016 Skylake dedicated servers line from 29€ monthly

Skylake is the codename for the 6th Generation Intel® Core™ processor that is the successor to the Broadwell microarchitecture. Skylake is built on Intel’s 14 nm manufacturing process and delivers breakthroughs in performance and power efficiency over previous generation microarchitectures for high performance graphics, stunning high-resolution video playback, great system performance and responsiveness, even longer battery life, and stronger security.

What's New?
  • New 6th Generation CPUs
  • New 480GB SSD and 4TB sATA3 Disks
  • Free DDoS Protection is now up to 2Gbps
  • Added i3 6100 & i7 6700 Processor 64GB RAM Support
  • Ability to choose Server with or without Setup fee. Server with setup fee have lower monthly recurring starting from € 29/m

Check our new server line www.seflow.net/2/index.php/en/services/baremetalserver/browseservers
All servers are high customizable. If you want check addons, please press «Order Now».
2016 Server line is the first SeFlow product «Reseller welcome».

Reseller benefit:
  • No Signup fees
  • Full User API manage.seflow.it/index.php?%2Fuserapi%2F
  • Automatize server avaibility on your website with our reseller API and set custom prices. (if you're a reseller, please submit trouble ticket to ask activation, we will release public docs soon)
  • Customized discount level starting from 3rd server

Questions or need custom quote? Please contact us to seflow.net/2/index.php/it/company-2/contact-2

King Regards and happy new 2016 with SeFlow Family

Nuovo portale emergenze e promozioni 2016. Xeon E3 server da € 35



status.seflow.net

Invitiamo tutti i clienti ad iscriversi al portale, inserendo la propria email per essere aggiornati in tempo reale su manutenzioni programmate e disservizi. Il portale, ospitato su rete esterna, sarà il punto di riferimento, con costanti aggiornamenti, per qualsiasi intervento all' interno della rete SeFlow. In caso di manutenzioni avrete l' esatta tempistica e costanti aggiornamenti sull' avanzamento dei lavori. Indicheremo anche quali prodotti saranno affetti e se causeranno downtime o meno.

Il portale, ospitato su rete esterna, sarà visibile anche in caso di problemi generali al datacenter di Milano, permettendovi di rimanere aggiornati. Il nostro staff invierà costanti aggiornamenti per non lasciarvi soli. Potrete iscrivere la vostra email così da ricevere aggiornamenti senza dover mantenere monitorata la pagina.

Il 2016 sarà anno di grandi novità nella famiglia SeFlow. Il nostro Cloud si sta espandendo in tutto il mondo, raggiungendo 7 locations, tra cui Milano, Strasburgo, Amsterdam, Londra, Dallas, Atlanta e Cologne. Potrete avere una visione completa delle locations e dei relativi prezzi al link www.domflow.it/market.php La pagina verrà presto aggiornata inserendo anche i test ip.

Abbiamo deciso di premiare tutti i clienti SeFlow offrendo una promozione fantastica. Fino a fine gennaio potrete acquistare un nuovo server eon E3 con kvm incluso a partire da 35€. Il prezzo d'acquisto non subità variazioni per tutta la durata del vostro account, che aspetti, visita la nostra pagina manage.seflow.it/index.php?/cart/dedicated-server/

Restiamo a tua disposizione per qualsiasi suggerimento.