The Leaseweb DDoS IP Protection service protects your services against volumetric, protocol-based and in some cases against application layer DDoS attacks that target the IP addresses of Leaseweb services, enabling these services to remain operational during such attacks.
The Standard DDoS IP Protection Service is available with all Leaseweb’s Dedicated Servers in shared racks and dedicated racks, as well as with Colocation Services and Cloud services.
The DDoS IP Protection Advanced is available for Dedicated servers, Colocation services and Cloud services.
The DDoS IP Protection “Customized” solution is available for Single Tenant Private Cloud, Colocation services and Dedicated racks for customers who need enhanced attack protection.
DDoS IP protection “Always-on” solution is available for Dedicated racks and Single Tenant Private Cloud for customers who need fast response time. DDoS IP Protection services provide automatic detection and notification of DDoS attacks and mitigation of such attacks through automated traffic scrubbing and/or null routing.
DDoS IP Protection options
Leaseweb offers 4 DDoS IP Protection options:
Standard | The Standard DDoS IP Protection is implemented as a default at no extra costs and protects IP addresses against DDoS attacks according to standard “Scrubbing Thresholds”, (see table below). In case attacks exceed the Scrubbing Threshold, the IP address is null routed. The typical “time-to-mitigate” is 2 – 3 minutes. |
---|---|
Advanced | The Advanced DDoS IP Protection provides higher Scrubbing Thresholds than the Standard, (see table below). Additionally, It provides a choice of three (3) detection profiles. In case attacks exceed the Scrubbing Threshold, the IP address is null routed. Time to mitigate is 2-3 minutes. |
Customized | The Customized DDoS IP Protection adds increased protection levels (higher Scrubbing Thresholds and more accurate detection through dedicated traffic pattern recognition), as well as protection for Single Tenant Cloud services. |
Always-on | The Always-on DDoS IP Protection is the preferred option for servers in private racks where faster mitigation times are required (actual time-to-mitigate is between 45 and 90 seconds). The solution contains an in-line dedicated detection and scrubbing device and avoids re-routing to shared scrubbing devices. |
Some of the Application or Layer 7 attacks can be mitigated by Always-on DDoS IP Protection services. You can discuss your specific profile requirement with one of our network security engineers.
Protection Option | Scrubbing Thresholds Volumetric Attack (Gbps) | Scrubbing Thresholds Protocol based Attacks (pps x 1000) | Application (Layer 7) a Attacks | DDoS target mitigation time | Security Engineer Support | Reporting |
---|---|---|---|---|---|---|
Standard | 5 Gbps | 2.500 | No | 2-3 min | working hours | No |
Advanced | 10Gbps | 5.000 | No | 2-3 min | working hours | Yes |
Customized | >40 Gbps | >20.000 | No | 2-3 min | 24x7x365 | Yes |
Always-on | n x 10Gbps | n * 6.000 | Yes* | 0-90 sec | 24x7x365 | No |
Information
In addition to these DDoS IP Protection services Leaseweb has deployed a first line of defense against volumetric attacks by rate-limiting the well-known UDP reflection / amplification attacks, like NTP, DNS, Chargen, SSDP, Portmap, before they reach the Leaseweb DDoS scrubbing infrastructure.
Delivery time
Standard | This is included upon delivery of the protected services. |
---|---|
Advanced | Protection is upgraded immediately. Please, note that during DDoS attacks, Advanced protection will be effective immediately after the scrubbing or null routing has stopped. |
Customized | This requires no hardware or physical installation tasks. Time depends on your availability to discuss profiles, and takes approximately 10 working days to complete installation |
Always-on | This requires ordering, delivery and installation of equipment. It takes approximately 10 working days to deliver and install if in stock, else an alternative expected delivery date will be given by your Sales representative. |
How the DDoS IP Protection services work
Incoming Internet traffic enters our network via the “Border Routers”. These Border Routers are connected to “Detectors” that are scanning incoming traffic on irregular patterns or sudden increases in volume. If the Detectors identify a DDoS attack on an IP address, they instruct the Border Routers to reroute incoming traffic to “Scrubbers”- a system that separates the legitimate “clean” traffic from the “attack” (dirty) traffic, and it passes only the clean traffic to the destination IP address.
You are immediately notified about a DDoS attack. If the traffic exceeds the Scrubbing Thresholds set for an IP address, this IP address will be null routed. Upon detection that the attack is over, you will be notified again, and scrubbing or null routing will then be automatically deactivated.
Disabling DDoS IP Protection Standard services
To prevent adverse impact on other customer’s services and our network infrastructure we can neither disable the service nor stop scrubbing or null routing while the IP address is under attack.
Benefits of DDoS IP Protection services
Leaseweb’s DDoS IP Protection services keep you and your business online.
- Are you occasionally attacked, and the attacks size is small?
- Our Standard service should protect you sufficiently.
- Do you need some more cost protection than the Standard can provide?
- Our DDoS IP Protection Advanced is the best fit, as the thresholds are 2x bigger than the Standard.
- Are you frequently attacked by complex attacks specific to your online presence?
- Our Customized service should close the door from every angle.
- Must your online presence always be online, with immediate reaction to an attack?
- Our Always-on service should keep you on-line at all times, with typically up to 90 seconds for “detection and scrubbing”.
Notification of an attack per email is enabled by default, and if is not desired, you can deactivate this from the Customer Portal (see below).
With Leaseweb DDoS IP Protection Services, you will not need to work with multiple providers to lease and secure your hosting environment to protect against DDoS attacks targeted at your IP’s. That way we make it easy for you by taking tasks out of your hand to deal with multiple providers and thus saving time, effort and money.
Pricing transparency: you will know exactly what you get for the price and no surcharges related to bursting DDoS attack traffic.
Dedicated experienced security engineer will setup your specific profiles and deliver a fully tested solution to protect against volumetric, protocol based and application layer attacks.
Enabling/disabling DDoS attack notifications
In the Customer Portal, you can enable or disable email notification of DDoS attacks.
Perform the following steps to enable (or disable) notifications:
- Log in to the Leaseweb Customer Portal.
- Select the service for which you want to enable/disable receiving DDoS attack notifications. In this case a dedicated server.
- Navigate to the Details menu and select IP Addresses.
- At the right side of the page there is a DDoS IP Protection Email Notification section. It gives an overview for which actions notifications are enabled or disabled.
- Click the Edit link.
- In the Change email notification settings pop-up window, select Yes or No for the particular action, and click the Save button.
For customers with Cloud products, enabling/disabling notifications, unfortunately is not yet live. In case that you do not want any email notifications, please contact our Customer Care department customercare@leaseweb.com.
How to order DDoS IP Protection Advanced
DDoS IP Protection Advanced can be ordered through our website while choosing products from our portfolio like Dedicated Servers, Colocation or Private Racks.
During the configuration phase we give the option to choose between Standard (free) or Advanced (paid) version of DDoS IP Protection. Below, we show an example for Dedicated Server order.
How to upgrade to DDoS IP Protection Advanced
Using our Customer Portal, the DDoS IP Protection type can be upgraded from Standard to Advanced per IP address which is assigned to a product. In this example that is a dedicated server.
Perform the following steps to upgrade the protection and detection profile type:
- Log in to the Leaseweb Customer Portal.
- Under Compute, select Dedicated Server.
- Once you’ve selected the desired dedicated server, under Details menu and select IP Addresses.
- Here you will get a list of IP addresses assigned to your dedicated server and the DDoS protection type that is currently active for the IP. Our automation supports two types: Standard and Advanced.
- To upgrade to Advanced, click on the upper arrow icon (as shown in the screenshot), and you will be prompted to confirm it.
The hyperlink in the form will send you to this knowledge base article. - Once you confirm, the upgrade process takes place immediately resulting in a contract change. After few minutes, you should see the protection type being changed to Advanced.
- After upgrading the protection type, it is also possible to change the Detection Profile from Default to Low UDP or Medium UDP. Click on the Default (edit) profile as shown in the screenshot above.
The hyperlink in the form will send you to this knowledge base article where we elaborate a bit more on the detection profile types. - The detection profile update is reflected immediately and doesn’t require contract changes.
- Beside the user interface i.e Customer Portal, it is also possible to change the detection profile using our API. Follow this link for more detailsThe Leaseweb DDoS IP Protection service
Managing DDoS IP Protection
In the Leaseweb Customer Portal, you can view all IPs which are upgraded to Advanced in the DDoS IP Protection page. You can also Change DDoS profile and Download latest report from this page.
DDoS IP Protection Advanced Detection profiles
A detection profile is a set of thresholds associated with an IP address. When these thresholds are exceeded, our detection platform identifies the event as an ‘anomaly’ and triggers mitigation actions.
The objective of a detection profile is to minimize the time to mitigation and prevent false positives caused by legitimate traffic; if a threshold is too high, mitigation might be delayed, while if the threshold is too low, mitigation may be triggered by legitimate traffic.
All detection profiles are directly proportional to the host/rack uplink bandwidth/capacity.
‘Default’ profile
The default detection profile is designed to trigger when the bandwidth/capacity of the host/rack is exceeded.
While this will protect the service, mitigation will only be triggered after a link is already congested, resulting in some brief, initial impact.
Example: if a server with a 1Gbps uplink is under attack, mitigation will only start after total traffic to that host exceeds 1Gbps.
‘Low’ and ‘Medium’ UDP profiles
As the most common amplification attacks use UDP as a vector, we offer the options to select a detection profile with lower values for UDP if the expected UDP traffic from your applications is low or medium.
These are designed to provide faster mitigation response times in the event of a DDoS attack using UDP as a vector (i.e. DNS/NTP amplification).
The UDP profiles are:
- ‘Medium UDP profile’ – triggers mitigation when UDP traffic equal to 50% of the uplink capacity is detected.
- ‘Low UDP profile’- triggers mitigation when UDP traffic equal to 25% of the uplink capacity is detected.
This will generally trigger mitigation before a link is actually congested, potentially reducing impact.