2016-06-20

amatis announces a serious upgrade in transit due to massive increase in business.



amatis Networks has just signed a deal with TeliaSonera to add them to the list of tier-1 transit providers amatis utilises to ensure global reachability. As you can see from the infographic above, TeliaSonera rank 2 in the world for transit and are consistently getting even better.

In addition, amatis has increased its peering capacity with LINX by a factor of 10. This is necessary to take account of the planned increase in traffic on the core and to ensure complete capacity resilience in the event of the failure of other peering points.

Mitigation of DDoS attacks

Use Kentik to analyse and detect the destination IP on our network that is being attacked

Trend analysis of 1 in 64 packets passing across our border enables us to detect and react to scanning activity before it becomes service-impacting.

As part of our standard DDoS protection, we identify the IP under attack and route it to a Null interface with a ‘666’ tag, effectively blackholing the traffic.

This tagged route is then advertised across the amatis Core to all P (Provider) and PE (Provider Edge) devices

All devices that receive the route then blackhole the traffic locally

We then match this 666 route on our PE (Provider Edge) devices and translate the tag into a blackhole BGP community that depends on the upstream transit provider

The upstream providers then match this route that has the blackhole community applied, announce it across their network and block the traffic

This ensures that our transit upstreams are not congested with traffic towards the IP address that is under attack
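
The steps above can be modelled end to end as follows. This is an added example, not amatis's own tooling or configuration: the prefixes, upstream names and community values are constructed (only the 666 tag comes from the text), and the check that the victim IP sits inside our own address space is an added safeguard.

```python
import ipaddress

# All values below are constructed for illustration (documentation ranges,
# placeholder upstream names); only the 666 tag comes from the text above.
OWN_PREFIXES = [ipaddress.ip_network("198.51.100.0/24"),
                ipaddress.ip_network("2001:db8::/32")]
BLACKHOLE_TAG = 666
UPSTREAM_COMMUNITY = {
    "transit-a": "65535:666",   # RFC 7999 well-known BLACKHOLE community
    "transit-b": "64500:9999",  # placeholder for a provider-specific value
}


def trigger_route(victim):
    """Step 1: host route for the attacked IP to the null interface, tagged 666."""
    ip = ipaddress.ip_address(victim)
    # Added safeguard (assumption): never blackhole an address we do not own.
    if not any(ip in net for net in OWN_PREFIXES):
        raise ValueError(f"{ip} is not in our address space; refusing to blackhole")
    host_len = 32 if ip.version == 4 else 128
    return {"prefix": f"{ip}/{host_len}", "next_hop": "null", "tag": BLACKHOLE_TAG}


def core_action(route):
    """Step 2: every P/PE device that receives the tagged route drops locally."""
    return "discard" if route.get("tag") == BLACKHOLE_TAG else "forward"


def pe_export(route, upstream):
    """Step 3: on the PE, translate tag 666 into that upstream's community."""
    if route.get("tag") != BLACKHOLE_TAG:
        return None  # untagged routes are never exported as blackholes
    if upstream not in UPSTREAM_COMMUNITY:
        return None  # no blackhole community known for this upstream: local drop only
    return {"prefix": route["prefix"], "community": UPSTREAM_COMMUNITY[upstream]}


def mitigate(victim):
    """Run the whole chain and return the trigger route plus per-upstream exports."""
    route = trigger_route(victim)
    return route, {u: pe_export(route, u) for u in UPSTREAM_COMMUNITY}


if __name__ == "__main__":
    route, exports = mitigate("198.51.100.25")  # constructed victim address
    print(route, core_action(route))
    for upstream, announcement in exports.items():
        print(upstream, announcement)
```

Keeping the community translation per upstream in one table mirrors the PE step: the internal 666 tag stays constant while each transit provider receives the value it expects.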

RTBH – Remotely-Triggered Black Hole

The first option is the radical one: Blackhole (stop traffic) for the IP getting attacked. Downside: The IP being targeted is no longer reachable. Benefit: The rest of your network stays up. Packetlife has a nice explanation on how it works and how to do it. The second option builds on the first one:

Source-Based RTBH

RTBH can also be used (in certain configurations) to block traffic coming from specific IPs (in a real DDoS that wouldn’t help much as traffic would come in from thousands of IPs). Again, Packetlife has an explanation.

In your case you could get all prefixes for the AS from a Routing Database like RADB and block these with Source-Based RTBH. Traffic would still hit your network at the border though.

When you use “simple” RTBH the advantage is that you can send these RTBH routes to your Upstream ISP (if they support it) who could then block the traffic in their network already so you don’t have to handle it.

The post amatis upgrades Internet Breakout appeared first on Amatis Networks.
