DDoS Protection

How do we protect your clients?

When it comes to DDoS mitigation there are essentially two main technologies, scrubbing and RTBH (remote triggered black hole):

Scrubbing filters bad traffic while letting legitimate traffic through. Scrubbing comes in varying levels of granularity: the bluntest is firewall rules on ISP routers (to redirect, rate limit, or drop traffic), and the finest is dedicated DDoS scrubbing appliances to which traffic is steered (which will in most cases increase latency).

RTBH signals to all global Tier 1 and many Tier 2 providers that an IP address is the target of a DDoS and that we want them to no longer forward traffic to that address. Whilst this is very effective at preventing DDoS traffic from reaching the intended target, the target will be taken offline entirely by the mitigation itself. In practice this protects the ISP but not the DDoS target: the method sacrifices one subscriber for the good of the rest. In this scenario, wherever possible, we will give the subscriber a new IP address as fast as possible to get them back online.

In reality, effective DDoS mitigation uses a mix of both of the options listed above, and that’s the approach we have taken.

Our DDoS Strategy and effectiveness

When we select our upstream carriers for Internet connectivity, we evaluate their DDoS capabilities as part of the selection process. We believe that an effective DDoS strategy starts as close to the source as possible. Partnering with companies whose DDoS protection is located overseas, so that malicious traffic doesn’t reach NZ/AU shores, is a key part of our design.

To date, our strategy has resulted in unwanted traffic being scrubbed offshore before reaching our own network. The reports from the scrubbing appliances year to date show DDoS attacks of up to 7Gbps being scrubbed, with the longest DDoS running over 16 hours.

Out-of-path protection

(default for all Lightwire clients)

Our selected partners maintain offshore scrubbing appliances on multiple continents. DDoS attacks are automatically detected in real time, and affected traffic is diverted to the scrubbing appliances if the DDoS surpasses 100Mbit or 10000 packets per second.

The initial automation takes effect in about 2 minutes, with automatic firewall rules directing traffic to the scrubbing appliances. If the DDoS attack surpasses the scrubbing appliances' threshold, the system automatically switches to RTBH. In that event, Lightwire is notified and will in turn notify any affected business and offer them the ability to change IP addresses.
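The escalation described above, as an added example (not Lightwire's or its partners' code): per-destination rates are summed across flow records, compared with the 100Mbit / 10000 pps trigger, and escalated to RTBH above a scrubbing capacity. The capacity figure, the flow-record format, the 10-second window and the function names are assumptions; the sample records are constructed.

```python
from collections import defaultdict

# Trigger thresholds stated on the page (per attacked destination).
SCRUB_BPS = 100_000_000      # 100 Mbit/s
SCRUB_PPS = 10_000           # 10,000 packets per second
# Assumption: scrubbing capacity per target. The page gives no figure.
SCRUB_CAPACITY_BPS = 10_000_000_000
WINDOW_S = 10                # assumed export interval of the flow records

# Constructed records: (window_start_s, dst_ip, bytes, packets).
# Several exporters may report the same destination in the same window.
FLOWS = [
    (0, "192.0.2.10", 40_000_000, 30_000),               # ordinary traffic
    (0, "192.0.2.20", 90_000_000, 70_000),               # below trigger alone
    (0, "192.0.2.20", 80_000_000, 60_000),               # ...but not combined
    (0, "192.0.2.30", 6_000_000, 150_000),               # small-packet flood
    (10, "192.0.2.40", 15_000_000_000, 12_000_000),      # exceeds capacity
]

def classify(bps, pps):
    """Map one destination's rates to a mitigation tier."""
    if bps > SCRUB_CAPACITY_BPS:
        return "rtbh"        # scrubbers saturated: blackhole the target
    if bps > SCRUB_BPS or pps > SCRUB_PPS:
        return "scrub"       # divert the target's traffic to scrubbing
    return "forward"         # "surpasses" is strict: at-threshold passes

def decide(flows, window_s=WINDOW_S):
    """Aggregate per (window, destination) before applying thresholds."""
    totals = defaultdict(lambda: [0, 0])
    for start, dst, nbytes, npkts in flows:
        totals[(start, dst)][0] += nbytes
        totals[(start, dst)][1] += npkts
    decisions = {}
    for key, (nbytes, npkts) in sorted(totals.items()):
        bps = nbytes * 8 / window_s
        pps = npkts / window_s
        decisions[key] = (classify(bps, pps), bps, pps)
    return decisions

if __name__ == "__main__":
    for (start, dst), (tier, bps, pps) in decide(FLOWS).items():
        print(f"t={start:>3}s {dst:<12} {bps / 1e6:>9.1f} Mbit/s "
              f"{pps:>10.0f} pps -> {tier}")
```

Summing before comparing matters: neither record for 192.0.2.20 crosses the trigger alone, and 192.0.2.30 trips only the packet-rate threshold.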

For traffic within NZ/AU and the exchanges we peer at, Lightwire has both RTBH as an option and the ability to steer traffic manually to our partner’s scrubbing appliances.

Inline scrubbing

(premium service)

We offer an enhanced inline scrubbing service as an optional extra where all of your international traffic will pass through our scrubbing appliances all of the time. Advantages of this are:

  • Fast DDoS protection reaction time – 18 seconds or less compared to approx. 30 – 120 seconds
  • Layer 3 up to Layer 7 deep packet analysis for detection – protects against more attack types
  • Detection of “low and slow” attacks – picks up on attacks that are low volume rather than just high volume “volumetric” attacks

Under this model, you will purchase dedicated bandwidth capacity on our scrubbing appliances and have your clients’ traffic scrubbed 24/7, adding protection for more attack types and lowering protection activation time to 18 seconds or less.

If you’re interested in this option, just get in touch and we can talk pricing and design.
