In general, DDoS attacks can be categorized into two major types:
- Bandwidth Exhaustion: It concentrates on flooding your uplink above the maximum capacity, hence legitimate traffic has no more available bandwidth.
- Server Resource Exhaustion: It is primarily targeted at your server resources, usually not that great in volume but high in packet count.
We store all traffic metadata (in and out) via NetFlow and can assist you in determining the targeted IP and type of attack. NetFlow data can be provided through a request to our Support department free of charge, in case the request concerns a DDoS attack detected by Leaseweb.
Netflow requests in any other case will be provided at an hourly support cost rate.
Mitigation Actions by Leaseweb
If our system detects that the incoming traffic for a server exceeds a given threshold, it will assume that there is an ongoing attack on this server. At this moment, we offer the following different thresholds of protection
- Volume: The IP address is nulled if the traffic exceeds 5 Gbit/s
- Premium: The IP address is nulled if the traffic exceeds 5 Gbit/s
If the traffic is still manageable, which means that it doesn’t exceed the limit belonging to your protection level, the system will evaluate the incoming requests based on a set of rules to filter out the requests that seem to be part of the attack, and let the legitimate requests trough. This is called scrubbing.
If the traffic exceeds the capabilities of the interface, the IP address of the server will be nulled to prevent physical damage to the device. If the IP address is nulled, you will be able to see this in the network tab of the server management page. During this process you are not able to manually un-null the IP address. The level of incoming traffic will continue to be monitored to detect when the traffic levels have returned to normal so the IP address will be automatically un-nulled again.
If your server has multiple IP addresses, and if one of them is null-routed, your server can still be reached via the other IP addresses.
When we perform a null-route action, we always keep you informed and explain the reason behind it. If an IP address is null-routed by Leaseweb, you cannot remove the null-route to the IP address from the Leaseweb Customer Portal. You must contact Support (support@Leaseweb.com) and request the removal of the null-route to the IP address, or wait for the null-route expiration time.
In order to resist a DDoS attack we recommend using the Leaseweb CDN services as it will distribute the load over the CDN platform.
We also recommend Leaseweb Cybersecurity Services, which gives you sophisticated and comprehensive protection for a lot less than you might expect. Please follow this link for more information: Leaseweb Cybersecurity Services
Although the DDoS mitigation response by Leaseweb is automatic, you can put your own measures in place if you would like more control over the mitigation process. You can for example choose a lower data traffic threshold to detect DDoS attacks in an earlier stage.
If the incoming attack is not saturating your server's uplink, you can try to filter/block the traffic with a host-based firewall (iptables, pfsense). For further information, please refer to Windows firewall management.
Hardware firewalls (low to medium-end models) are generally not a solution to protect against DDoS attacks. In most cases, the attacker can increase the intensity(Mbps/PPS) until it exhausts your hardware firewall resources.
You can add and remove null-routes to your IP addresses via the Leaseweb Customer Portal. If you null-route your IP address manually before our system takes that action, you will be responsible for removing that null-route later.
It may take up to 8 minutes for null-route or removal of null-route to an IP address (done via the Leaseweb Customer Portal or by Leaseweb) to be effective across the network.
If an attack is detected on one of your servers, our system will send notifications to let you know what actions we are taking to mitigate the risk. At this moment the system will send the following notifications to the technical contact:
- When the system starts scrubbing the incoming traffic
- When the system stops scrubbing the incoming traffic
- When the system starts nulling the IP address of the server
- When the system stops nulling the IP address of the server
Receiving these notifications is enabled by default and can be toggled on and off on the management page of your server, private rack or colocation pack in the customer portal. At this moment the notifications are sent to the technical contact email address of the customer.
Both incoming and outgoing traffic towards your host is recorded. Please note that DDoS traffic, even if malicious, is intended for your host. This means that the recorded traffic that occurs before the scrubbing and null routing will be billed.