DDoS IP Protection


The Leaseweb DDoS IP Protection service protects your services against volumetric, protocol-based and, in some cases, application layer DDoS attacks that target the IP addresses of Leaseweb services, enabling these services to remain operational during such attacks. The Standard DDoS IP Protection service is available with all Leaseweb Dedicated Servers in shared racks and private racks, as well as with Colocation services and Cloud services. DDoS IP Protection Advanced is available for Dedicated Servers, Colocation services and Single Tenant Cloud services. "Customized" and "Always-on" solutions are available for Single Tenant Private Cloud and Colocation services, as well as for customers who need enhanced response times or attack protection. DDoS IP Protection services provide automatic detection and notification of DDoS attacks, and mitigation of such attacks through automated traffic scrubbing and/or null-routing.

DDoS IP Protection options

Leaseweb offers 4 DDoS IP Protection options:

Standard

The Standard DDoS IP Protection is implemented by default at no extra cost and protects IP addresses against DDoS attacks according to standard "Scrubbing Thresholds" (see table below). If an attack exceeds the Scrubbing Threshold, the IP address is null-routed. The typical "time-to-mitigate" is 2 - 3 minutes.

Advanced

The Advanced DDoS IP Protection provides higher Scrubbing Thresholds than the Standard (see table below). Additionally, it provides a choice of three (3) detection profiles. If an attack exceeds the Scrubbing Threshold, the IP address is null-routed. Time to mitigate is 2-3 minutes.

Customized

The Customized DDoS IP Protection adds increased protection levels (higher Scrubbing Thresholds and more accurate detection through dedicated traffic pattern recognition), as well as protection for Single Tenant Cloud services.

Always-on

The Always-on DDoS IP Protection is the preferred option for servers in private racks where faster mitigation times are required (actual time-to-mitigate is between 45 and 90 seconds). The solution contains an in-line dedicated detection and scrubbing device and avoids re-routing to shared scrubbing devices.

Application or Layer 7 attacks can be mitigated by the Customized or Always-on DDoS IP Protection services. You can discuss your specific profile requirement with one of our network security engineers.


To protect your domains against all types of cybersecurity threats, you will need Leaseweb Web Application Firewall (WAF) services.

| Protection option | Scrubbing Threshold: volumetric attacks (Gbps) | Scrubbing Threshold: protocol-based attacks (pps x 1000) | Application (Layer 7) attacks | DDoS target mitigation time | Security engineer support |
|---|---|---|---|---|---|
| Standard | 5 Gbps | 2.500 | No | 2-3 min | working hours |
| Advanced | 10 Gbps | 5.000 | No | 2-3 min | working hours |
| Customized | >40 Gbps | >20.000 | Yes* | 2-3 min | 24x7x365 |
| Always-on | n x 10 Gbps | n * 6.000 | Yes* | 0-90 sec | 24x7x365 |

*Yes, done during the provisioning process while setting up your profile

In addition to these DDoS IP Protection services, Leaseweb has deployed a first line of defence against volumetric attacks by rate-limiting the well-known UDP reflection/amplification vectors, such as NTP, DNS, Chargen, SSDP and Portmap, before they reach the Leaseweb DDoS scrubbing infrastructure.

Delivery time

Standard

This is included upon delivery of the protected services.

Advanced

Protection is upgraded immediately. Please note that if the upgrade is made during a DDoS attack, Advanced protection becomes effective immediately after the scrubbing or null-routing has stopped.

Customized

This requires no hardware or physical installation tasks. The time depends on your availability to discuss profiles; installation takes approximately 10 working days to complete.

Always-on

This requires ordering, delivery and installation of equipment. It takes approximately 10 working days to deliver and install if the equipment is in stock; otherwise, your Sales representative will give you an alternative expected delivery date.


How the DDoS IP Protection services work

Incoming Internet traffic enters our network via the "Border Routers". These Border Routers are connected to "Detectors" that scan incoming traffic for irregular patterns or sudden increases in volume. If the Detectors identify a DDoS attack on an IP address, they instruct the Border Routers to reroute incoming traffic to "Scrubbers", a system that separates the legitimate ("clean") traffic from the attack ("dirty") traffic and passes only the clean traffic to the destination IP address. You are immediately notified about a DDoS attack. If the traffic exceeds the Scrubbing Thresholds set for an IP address, this IP address will be null-routed. Upon detection that the attack is over, you will be notified again, and scrubbing or null-routing will then be automatically deactivated.

Disabling DDoS IP Protection Standard services

To prevent adverse impact on other customers' services and our network infrastructure, we can neither disable the service nor stop scrubbing or null-routing while the IP address is under attack.

Benefits of DDoS IP Protection services

Leaseweb's DDoS IP Protection services keep you and your business online. Are you attacked only occasionally, and are the attacks small? Our Standard service should protect you sufficiently. Do you need more protection than the Standard can provide? Our DDoS IP Protection Advanced is the best fit, as its thresholds are 2x higher than the Standard's. Are you frequently hit by complex attacks specific to your online presence? Our Customized service should close the door from every angle. Must your online presence always be online, with immediate reaction to an attack? Our Always-on service should keep you online at all times, with typically up to 90 seconds for "detection and scrubbing".

Notification of an attack by email is enabled by default; if this is not desired, you can deactivate it from the Customer Portal (see below).

With Leaseweb DDoS IP Protection services, you do not need to work with multiple providers to lease and secure your hosting environment against DDoS attacks targeted at your IPs. We take the work of dealing with multiple providers off your hands, saving you time, effort and money.

  • Pricing transparency: you will know exactly what you get for the price, with no surcharges related to bursting DDoS attack traffic.
  • A dedicated, experienced security engineer will set up your specific profiles and deliver a fully tested solution to protect against volumetric, protocol-based and application layer attacks.

Combined with Web Application Firewall (WAF), a domain name protection service, a full portfolio of cybersecurity services is offered to protect both customers' IP addresses and customers' domains against all types of attacks.

Enabling/disabling DDoS attack notifications

In the Customer Portal, you can enable or disable email notification of DDoS attacks.

Perform the following steps to enable (or disable) notifications:

  1. Log in to the Leaseweb Customer Portal.
  2. Select the service for which you want to enable/disable receiving DDoS attack notifications. In this case a dedicated server. 
    1. Navigate to the Details menu and select Network Details.
    2. At the bottom of the page there is a DDoS IP Protection section. It gives an overview for which actions notifications are enabled or disabled.
  3. Click the Edit link.


  4. In the Change email notification settings pop-up window, select Yes or No for the particular action, and click the Save button.

     

For customers with Cloud products, enabling/disabling notifications is unfortunately not yet live. If you do not want any email notifications, please contact our Customer Care department at customercare@leaseweb.com.

How to order DDoS IP Protection Advanced

DDoS IP Protection Advanced can be ordered through our website while choosing products from our portfolio like Dedicated Servers, Colocation or Private Racks.

During the configuration phase, we give you the option to choose between the Standard (free) and Advanced (paid) versions of DDoS IP Protection. Below, we show an example for a Dedicated Server order.

How to upgrade to DDoS IP Protection Advanced

Using our Customer Portal, the DDoS IP Protection type can be upgraded from Standard to Advanced for each IP address assigned to a product. In this example, the product is a dedicated server.

Perform the following steps to upgrade the protection and detection profile type:

  1. Log in to the Leaseweb Customer Portal.
  2. Under Compute, select Dedicated Server.
  3. Once you've selected the desired dedicated server, open the Details menu and select IP Addresses.


  4. Here you will get a list of IP addresses assigned to your dedicated server and the DDoS protection type that is currently active for the IP. Our automation supports two types: Standard and Advanced. 
  5. To upgrade to Advanced, click on the upper arrow icon (as shown in the screenshot), and you will be prompted to confirm it.



    The hyperlink in the form will send you to this knowledge base article.

  6. Once you confirm, the upgrade process takes place immediately, resulting in a contract change. After a few minutes, you should see the protection type change to Advanced.



  7. After upgrading the protection type, it is also possible to change the Detection Profile from Default to Low UDP or Medium UDP. Click on the Default (edit) profile as shown in the screenshot above.

    The hyperlink in the form will send you to this knowledge base article where we elaborate a bit more on the detection profile types.



  8. The detection profile update is reflected immediately and doesn't require contract changes.


  9. Besides the user interface (i.e. the Customer Portal), it is also possible to change the detection profile using our API. Follow this link for more details.

DDoS IP Protection Advanced Detection profiles

A detection profile is a set of thresholds associated with an IP address. When these thresholds are exceeded, our detection platform identifies the event as an 'anomaly' and triggers mitigation actions.
The objective of a detection profile is to minimize the time to mitigation and prevent false positives caused by legitimate traffic; if a threshold is too high, mitigation might be delayed, while if the threshold is too low, mitigation may be triggered by legitimate traffic.

All detection profiles are directly proportional to the host/rack uplink bandwidth/capacity.

'Default' profile.
The default detection profile is designed to trigger when the bandwidth/capacity of the host/rack is exceeded.
While this will protect the service, mitigation will only be triggered after a link is already congested, resulting in some brief, initial impact.
Example: if a server with a 1Gbps uplink is under attack, mitigation will only start after total traffic to that host exceeds 1Gbps.

'Low' and 'Medium' UDP profiles.
As the most common amplification attacks use UDP as a vector, we offer the option to select a detection profile with lower values for UDP if the expected UDP traffic from your applications is low or medium.
These are designed to provide faster mitigation response times in the event of a DDoS attack using UDP as a vector (e.g. DNS/NTP amplification).
The UDP profiles are:

  • 'Medium UDP profile' - triggers mitigation when UDP traffic equal to 50% of the uplink capacity is detected.
  • 'Low UDP profile'- triggers mitigation when UDP traffic equal to 25% of the uplink capacity is detected.
    This will generally trigger mitigation before a link is actually congested, potentially reducing impact.
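The detection and mitigation logic described on this page can be modelled to check which profile your normal traffic would tolerate. The following is an added example, not Leaseweb code or its API: the names `Sample`, `classify` and `most_sensitive_safe_profile` are hypothetical, the traffic samples are constructed, and it assumes the UDP profiles add a UDP trigger on top of the default uplink-capacity trigger.

```python
from dataclasses import dataclass

# Scrubbing Thresholds from this page's table: (volumetric Gbps, protocol kpps).
SCRUB_LIMITS = {"Standard": (5.0, 2500.0), "Advanced": (10.0, 5000.0)}
# UDP share of uplink capacity that triggers mitigation; None = no UDP-specific trigger.
UDP_TRIGGER = {"Default": None, "Medium UDP": 0.50, "Low UDP": 0.25}

@dataclass(frozen=True)
class Sample:
    total_gbps: float   # all inbound traffic to the IP
    udp_gbps: float     # UDP portion of that traffic
    kpps: float         # packets per second x 1000

def classify(sample, uplink_gbps, tier="Standard", profile="Default"):
    """Return 'pass', 'scrub' or 'null-route' for one traffic sample."""
    if tier == "Standard" and profile != "Default":
        raise ValueError("UDP detection profiles require the Advanced tier")
    # Detection: every profile fires once the uplink capacity is exceeded
    # (assumption: the UDP profiles add a trigger, they do not replace this one).
    anomaly = sample.total_gbps > uplink_gbps
    share = UDP_TRIGGER[profile]
    if share is not None and sample.udp_gbps >= share * uplink_gbps:
        anomaly = True
    if not anomaly:
        return "pass"
    # Mitigation: scrub up to the tier's Scrubbing Threshold, null-route beyond it.
    max_gbps, max_kpps = SCRUB_LIMITS[tier]
    if sample.total_gbps > max_gbps or sample.kpps > max_kpps:
        return "null-route"
    return "scrub"

def most_sensitive_safe_profile(baseline, uplink_gbps):
    """Lowest-threshold profile that no legitimate baseline sample would trigger."""
    for profile in ("Low UDP", "Medium UDP", "Default"):
        if all(classify(s, uplink_gbps, "Advanced", profile) == "pass" for s in baseline):
            return profile
    return None  # legitimate traffic already exceeds the uplink

# Constructed samples for a server with a 1 Gbps uplink (not real measurements).
BASELINE = [Sample(0.40, 0.10, 40), Sample(0.55, 0.30, 60), Sample(0.35, 0.05, 30)]
AMPLIFICATION = Sample(0.80, 0.60, 90)   # UDP flood that has not yet filled the link
LARGE_FLOOD = Sample(7.00, 6.50, 900)    # above Standard's 5 Gbps, below Advanced's 10 Gbps

if __name__ == "__main__":
    print(most_sensitive_safe_profile(BASELINE, 1.0))
    for profile in UDP_TRIGGER:
        print(profile, classify(AMPLIFICATION, 1.0, "Advanced", profile))
    for tier in SCRUB_LIMITS:
        print(tier, classify(LARGE_FLOOD, 1.0, tier))
```

Feed `BASELINE` with peak values from your own traffic graphs before lowering the profile, since a legitimate UDP peak at or above the profile's share of the uplink would itself trigger mitigation.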

Frequently Asked Questions about DDoS IP Protection

FAQ: What is the cost of Standard IP protection?

The Standard DDoS IP Protection is implemented by default at no extra cost and protects IP addresses against DDoS attacks according to standard "Scrubbing Thresholds". If an attack exceeds the Scrubbing Threshold, the IP address is null-routed. The typical "time-to-mitigate" is 2 - 3 minutes.

FAQ: In case of a DDoS attack, how is traffic calculated?

Both incoming and outgoing traffic for your host is recorded. Please note that DDoS traffic, even if malicious, is intended for your host. This means that the traffic recorded before the scrubbing and null-routing take effect will be billed.

FAQ: Can you explain what you do (as Leaseweb) to secure against DDoS?

Incoming Internet traffic enters our network via the "Border Routers". These Border Routers are connected to "Detectors" that scan incoming traffic for irregular patterns or sudden increases in volume. If the Detectors identify a DDoS attack on an IP address, they instruct the Border Routers to reroute incoming traffic to "Scrubbers", a system that separates the legitimate ("clean") traffic from the attack ("dirty") traffic and passes only the clean traffic to the destination IP address. You are immediately notified about a DDoS attack. If the traffic exceeds the Scrubbing Thresholds set for an IP address, this IP address will be null-routed. Upon detection that the attack is over, you will be notified again, and scrubbing or null-routing will then be automatically deactivated.