SeFlow Hosting


4,7 Tbps Network Security is now live. Best place to keep your data safe

SeFlow Is Building a More Secure Network; First Global Content Provider to extend BGP Flowspec Capability for all customers for free

MILAN, Sept. 12, 2016 - SeFlow is happy to announce the deployment of Border Gateway Protocol (BGP) Flowspec on its global backbone and the whole Level 3 Network. The capability is one of the largest deployments in the industry, leveraging SeFlow and Level 3's more than 43 terabits of backbone capacity and protecting its peering points. BGP Flowspec allows for rapid threat mitigation across the Level 3 backbone, shutting down volumetric attacks and providing a more secure network for its customers.

This enhancement to SeFlow's suite of security solutions better provides responsive service capabilities for customers while at the same time helping to create a safer internet ecosystem. Enterprises need a DDoS mitigation service provider with the tools and expertise to fight these large-scale, potentially expensive attacks.

DDoS and threat detection is now immediate on the scrubbing points, and attacks will be mitigated before reaching the SeFlow Milan location. This ensures free DDoS mitigation of amplification attacks for all customers. In addition, the Milan filters will be less loaded, ensuring more powerful layer 7 protection.

This new solution increases the mitigation capacity for flood attacks to 4,7Tbps of ingestion capacity (previously 4.2Tbps, for amplifications only). Most attacks are now filtered at the scrubbing point closest to their origin, ensuring protection against most amplifications and known floods for all servers inside SeFlow. DDoS Protected Customers will no longer see amplification and flood attacks in their SeGuard Portal, because we ensure protection using the geo scrubbing point. For example, if an attack starts from Brazil, only South America customers will pass through active filters, leaving other customers free to reach your server and avoiding overly restrictive filters.

The Milan location is now converted to full layer 7 protection, ensuring more mitigation capacity for application attacks.

How the Flowspec feature works:
  • BGP is the protocol all internet routers use to talk to each other.
  • BGP Flowspec uses the BGP protocol to distribute flow specification filters to network routers – if a threat is identified, the SeFlow DDoS infrastructure inputs a rule to block or deny traffic related to the threat by its source, destination and a number of other characteristics.
  • The malicious traffic is systematically and temporarily filtered off the network, blocking threats globally before they have time to form fully or scale and affect a customer.

Key Facts:
  • SeFlow has both the network architecture and skilled professionals in place to leverage this threat-fighting tool.
  • As a global network services provider, SeFlow has an expansive view of worldwide internet traffic and a broad view of threats.
  • In an industry with so few qualified resources, SeFlow has security operations center professionals in five global locations trained to use this powerful tool.
  • BGP Flowspec is built into SeFlow and Level 3's Network for all customers in addition to existing worldwide anycast DDoS Mitigation Protection.

SeFlow Network Security is already active for all SeFlow Customers. Existing DDoS protection customers should see lower attack rates reported, because SeFlow Network Security works silently, avoiding any mitigation engagement time. This ensures that, for most known attacks and for latency-sensitive services, you will not have any interruption.

DDoS Mitigation prices are still unchanged, and the new features are already in place without any additional configuration of customer services.

Feel free to contact our SOC department for details through our ticket system: manage.seflow.it/index.php?/tickets/new/

All our services now include the SeFlow Network Security service. Check out our Dedicated server list: seflow.net/2/index.php/en/services/baremetalserver/browseservers

New layer 7 DDoS Protection and AlwaysOn mode available

We are proud to announce that we're the first company with 4,2Tbps Volumetric Attacks mitigation capacity, and we are now able to mitigate 200Gbps of layer 7 attacks. Our layer 7 protection is a cloud with a dedicated 600GHz of CPU clock that is able to inspect packet payloads at up to 200Gbps.

In this first stage we're upgrading our filters to perform basic layer 7 mitigation protection on ALL DDoS protected services and we will release advanced layer 7 protection and WAF firewall very soon.

Our current DDoS Protection (Sensor mode) can detect every attack within 5 seconds. This is great for websites, VoIP and most games. With the latest upgrade, customers can now add AlwaysON protection, which detects and filters attacks instantly. This solution is perfect for Teamspeak and latency-sensitive games and applications and can be ordered for every VPSPro and Dedicated Server plan from your customer area. The price for this solution is only 18€ per IP.

All order forms are updated and you can now order

Both protections now include basic layer 7 protection and are updated daily.

All customers can now see a dump of every received attack. You can now download the pcap file or use our online viewer to inspect any packet (payload, ttl, src ip, length and much more).

You can keep up with the latest DDoS threats by subscribing to our security blog, available at seflow.net/2/index.php/en/blog

Some recent articles:
  • SYNPROXY Protection (http://seflow.net/2/index.php/en/blog/synproxy-module-protect-yourself-by-syn-flood)
  • Tweak sysctl (http://seflow.net/2/index.php/en/blog/tweak-sysctl-parameters-to-prevent-ddos-and-syn-flood)
  • Pingback wordpress attacks (http://seflow.net/2/index.php/en/blog/pingback-wordpress-involved-in-layer7-ddos)

If you have any enquiries or need information about our updated DDoS Protection, please open a ticket with our SOC, choosing the DDoS SOC department.

Protect yourself from SYN flood

Distributed Denial of Service (DDoS) attacks are becoming increasingly commonplace as business becomes more and more dependent on delivering services over the Internet. One of the most common types of DDoS attacks is the well-known SYN-flood attack. It is a basic end-host resource attack designed to bring your server to its knees. As a result, your server is unable to properly handle any new incoming connection requests.

SYN Protection in the past
In the past, major vendors mitigated SYN attacks using conntrack filtering on commodity or ASIC hardware. With Netfilter’s connection tracking system (conntrack), we can start filtering out false SYN-ACK and ACK packets before they hit the “listen” state lock. The conntrack system actually has a scalability problem (like the “listen” lock) when it comes to creating (or deleting) connections, which the SYN-flood will hit.

Even after fixing the conntrack lock, the SYN packets will still be sent to the socket causing the “listen” socket lock to occur. The normal mitigation technique is to send SYN-cookies and avoid creating any state until the SYN-ACK packet is seen.

Unfortunately, SYN-cookies are sent under the same “listen” state lock, so the mitigation does not solve the scalability issue. How these limitations can be worked around will be discussed later.

SYNPROXY, New Filtering Era
With SYNPROXY we can get 20x the performance of the old technique by removing the “listen state lock” part and catching packets that the connection tracking system has categorized as “INVALID”, that is, not part of a known connection state. The matching against existing conntrack entries is very fast and completely scalable. The conntrack system actually does lockless RCU (read-copy update) lookups for existing connections.

Essentially, this solves all other TCP-flooding packets except SYN-flooding.

But now, how can we solve SYN-flooding?
SYNPROXY essentially does parallel SYN-cookies and does not create a conntrack entry before the SYN-ACK packet is received, thus avoiding the conntrack new-connections lock. Once the initial connection is established, the normal conntrack system will take over and do all the needed forwarding.

If you have CentOS 7 or any distribution with kernel > 3.13 and iptables 1.4.21 you have this module built-in.

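To enable it we need to tweak sysctl.conf. Insert in /etc/sysctl.conf:
# SYN cookies
net.ipv4.tcp_syncookies = 1
# TCP timestamps, so SYN cookies can carry the TCP options used by --timestamp below
net.ipv4.tcp_timestamps = 1
# Strict conntrack, so stray ACKs are marked INVALID instead of being picked up
# as connections (requires the nf_conntrack module to be loaded)
net.netfilter.nf_conntrack_tcp_loose = 0

# Larger socket buffers and a deeper receive backlog
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.core.netdev_max_backlog = 250000

Now you can configure SYNPROXY using public online script available here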

If you want to configure it yourself, go ahead with these steps:
Step #1: In the “raw” table, we need to make sure connections that need protection don’t create new conntrack entries for SYN packets.
# iptables -t raw -I PREROUTING -i $DEV -p tcp -m tcp --syn --dport $PORT -j CT --notrack

Step #2: Now we need to catch these packets and direct them to the SYNPROXY target module. To do this, use the following rule to catch UNTRACKED SYN and INVALID packets that contain the ACK from 3WHS (and also others, but they will fall-through).
# iptables -A INPUT -i $DEV -p tcp -m tcp --dport $PORT -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460

Step #3: Catch the INVALID state packets that fell-through the SYNPROXY module and drop those. Basically, this will drop SYN-ACK based floods.
# iptables -A INPUT -m state --state INVALID -j DROP
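
The three steps only work when each rule sits in the right table and in the right order: an INVALID drop placed before the SYNPROXY rule discards the ACK that completes the proxied handshake. The check below is an added example, not part of the original article or of iptables itself; the function name check_synproxy and the sample dumps are constructed for illustration, and it assumes iptables-save style output.

```shell
# Audit a ruleset dump for the three SYNPROXY rules of steps 1-3.
# On a live host (as root): iptables-save | check_synproxy 80
check_synproxy() {   # $1 = protected TCP port; ruleset dump on stdin
    awk -v port="$1" '
        /^\*/ { table = substr($0, 2); next }        # "*raw", "*filter", ...
        { n++ }                                      # position of the line in the dump
        table == "raw" && /^-A PREROUTING / && /-j CT --notrack/ &&
            index($0, "--dport " port " ") { notrack = n }
        table == "filter" && /^-A INPUT / && /-j SYNPROXY/ &&
            /INVALID,UNTRACKED/ && index($0, "--dport " port " ") { proxy = n }
        table == "filter" && /^-A INPUT / && /--state INVALID / && /-j DROP/ {
            if (!drop) drop = n                      # first plain INVALID drop
        }
        END {
            if (!notrack) { print "missing: raw notrack rule (step 1)"; bad = 1 }
            if (!proxy)   { print "missing: SYNPROXY rule (step 2)"; bad = 1 }
            if (!drop)    { print "missing: INVALID drop (step 3)"; bad = 1 }
            else if (proxy && drop < proxy) {
                print "order: INVALID drop precedes SYNPROXY; handshake ACKs are dropped"
                bad = 1
            }
            if (!bad) print "ok"
            exit bad + 0
        }'
}

# Constructed sample dumps (iptables-save style), not taken from a real host.
SAMPLE_RAW='*raw
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack
COMMIT
*filter'
RULE_PROXY='-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460'
RULE_DROP='-A INPUT -m state --state INVALID -j DROP'
SAMPLE_OK="$SAMPLE_RAW
$RULE_PROXY
$RULE_DROP
COMMIT"
SAMPLE_BAD_ORDER="$SAMPLE_RAW
$RULE_DROP
$RULE_PROXY
COMMIT"

# Demo run on the constructed samples: the first passes, the second is flagged.
printf '%s\n' "$SAMPLE_OK" | check_synproxy 80 || true
printf '%s\n' "$SAMPLE_BAD_ORDER" | check_synproxy 80 || true
```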

Considerations when using SYNPROXY

Enabling SYNPROXY does come at a cost. The connection establishment phase is going to be slower due to the extra connection setup needed towards the end-host. When the end-host is localhost, then this extra step is obviously very fast but nonetheless adds latency.

The parameters to the SYNPROXY target module must match TCP options and settings supported by the end-host that the TCP connections are being proxied for. Detecting and setting this up is manually done per rule setting. (A helper tool “nfsynproxy” is part of iptables release 1.4.21). This unfortunately means the module cannot be easily deployed in DHCP-based firewall environments.