NAVAMS

= Attack Mitigation Services =

Protection against cyber attacks

Cyber attacks have become a common problem nowadays. At the same time, stopping them has become a trivial process, but not every ISP manages to implement an efficient detection and mitigation system.

Often the chosen solution is "blackholing", which essentially means blocking traffic to the attacked IP address to protect the customer's other resources. This method raises several problems, the most important being the scenario where multiple (often all) of the customer's IP addresses are attacked simultaneously. In that case the only solution would be to restrict traffic to all attacked addresses, thereby fulfilling the attacker's goal: DoS (Denial of Service).

Another issue is detection time. Most systems use methods based on statistics and variable changes relative to the average — not peaks — using NetFlow or sFlow for data collection. This implementation is inefficient for detecting most low-volume attacks and usually requires a large data volume to make a decision, leading to very long intervals, sometimes on the order of tens of minutes from the start of the attack to its blocking. The only advantage of such a system is its low implementation cost.

Providing 99.99% uptime is not only about ensuring connectivity. When a business depends on the internet connection, a congested link is as detrimental as a broken one. Also, a small-scale "application flood" attack can selectively affect certain company resources, sometimes in an undetectable way. These attacks usually do not aim to interrupt the service but to abusively use resources, which can lead to material losses.

We developed and implemented the NAVAMS system to solve all these problems.

Given how the TCP protocol behaves, solving these problems means avoiding packet loss during an attack. To prevent service interruption, the concept of "scrubbing" was introduced into the mitigation process. When an attack is detected, traffic to the targeted IP address is redirected to a high-capacity firewall farm that blocks malicious traffic and allows only legitimate traffic to reach the destination.

There are of course extreme cases where the attack reaches very high values and the "blackholing" decision is taken. What makes the AMS system different from those implemented by other providers is intelligent traffic blocking — meaning transit to the affected destination is never blocked on upstream links where there is no malicious traffic or where the capacity needed to avoid congestion is available.

All these features contribute to delivering a top-quality service without interruptions and without worry.

Attack detection is performed using the TAP method, meaning all traffic entering the network is analyzed in real time and transparently.

Statistics are computed at intervals of only 2 seconds, leading to a detection and mitigation time of at most 3 seconds.

Total mitigation time: 3 seconds

The time elapsed from the start of the attack to its blocking.

Detection time: 2s

Blocking time: 1s

Reprobing interval: 1m*

* The interval at which the system checks whether the attack has ended and the filters can be deactivated.

Maximum scrubbing capacity:
140 Gbps / 20 Mpps

Mitigated attack types:
High pps / bw rate
TCP, UDP, ICMP, SYN flood, fragmentation, application flood.

Introduced latency: < 100 μs (microseconds)

Simultaneous victims: 100,000

Simultaneous TCP connections: 128M (millions)

The NAVAMS system – traffic analysis

The NAVAMS system – in action

If you have questions about the NAVAMS system, do not hesitate to contact us!