Anti-DDoS Dedicated Infrastructure Protection

Get free, 24/7 protection against any kind of attack, of any size or duration


Any attack, regardless of form, endangers the availability of your infrastructure, resulting in disrupted or failed service to users and customers. Our free Anti-DDoS protection ensures your infrastructure remains accessible 24/7 through a network capacity of 14 Tbps and a combination of mitigation techniques, including packet analysis, packet mitigation, and server traffic vacuuming. Read on to learn more about our VAC technology-based mitigation solution.


Free Anti-DDoS protection vs. Anti-DDoS GAME

Feature                        | Free Anti-DDoS protection                 | Anti-DDoS GAME
Related products               | Hosted Private Cloud, Dedicated Servers   | Dedicated Game Servers
Number of attacks per month    | Unlimited                                 | Unlimited
Gbps limit of attack           | Unlimited                                 | Unlimited
Duration of attacks per month  | Unlimited                                 | Unlimited
Type of attack                 | All                                       | All
Detection and auto-mitigation  | Multi-point mitigation: Europe (RBX, GRA, SBG, WAW, LIM, ERI), North America (WAS, BHS), Asia (SGP, SYD) | Multi-point mitigation: Europe (RBX, GRA, SBG, WAW, LIM, ERI), North America (WAS, BHS), Asia (SGP, SYD)
Two-way mitigation             | -                                         | ✔ (L3/L4/L7)
Firewall Network               | Configurable                              | Configurable
Support                        | Mailing list                              | Mailing list

Other features listed in the comparison: Permanent mitigation; 12 Tbps of additional network; Shield; Armor (customizable); API v6; Manager v6.


Understanding DDoS

What is a DDoS attack?

Businesses of all sizes, in any industry, are vulnerable to distributed denial of service (DDoS) attacks unless they put the right protection in place.

A DDoS attack aims to render a server, service, or an infrastructure unavailable by overloading the server's bandwidth or monopolizing its resources to the point of depletion. During a DDoS attack, a multitude of requests are sent simultaneously from multiple points across the internet. The intensity of this "crossfire" renders the service unstable, or even worse, unavailable.

There are three major ways DDoS attacks make your site, server, or infrastructure unavailable:

  • Bandwidth: this type of attack saturates the server's network capacity, rendering it unreachable.
  • Resources: this type of attack depletes the machine's system resources, which prevents it from responding to legitimate requests.
  • Exploitation of a software fault: also called an "exploit", this type of attack targets a particular software bug either to make the machine unavailable or to take control of it.

Name of attack (type, OSI level): explanation of the attack principle

SMURF (Bandwidth, L3): ICMP broadcast attack that spoofs the source address so that the many responses are redirected to the victim.

TCP SYN ACK Reflection Flood (Bandwidth, L4): mass sending of TCP connection requests to a large number of machines, spoofing the victim's source address; the victim's bandwidth is saturated by the responses to these requests.

UDP Flood (Bandwidth, L4): mass sending of UDP packets (which do not require a previously established connection).

Distributed DNS Amplification Attack (Bandwidth, L7): mass sending of DNS requests, spoofing the victim's source address, to a large number of legitimate servers; as the response is larger than the query, the attack is amplified.

ICMP Echo Request Flood (Resource, L3): also called "Ping Flood"; mass sending of echo request packets, each of which the victim answers with a reply carrying the same content as the original packet.

IP Packet Fragment Attack (Resource, L3): sending of IP fragments that deliberately reference other fragments that will never be sent, which saturates the victim's memory.

IGMP Flood (Resource, L3): mass sending of IGMP (multicast management protocol) packets.

TCP SYN Flood (Resource, L4): mass sending of TCP connection requests.

TCP Spoofed SYN Flood (Resource, L4): mass sending of TCP connection requests with a spoofed source address.

TCP ACK Flood (Resource, L4): mass sending of TCP segment acknowledgements.

TCP Fragmented Attack (Resource, L4): sending of TCP segments that deliberately reference other segments that will never be sent, which saturates the victim's memory.

UDP Fragment Flood (Resource, L4): sending of UDP datagrams that deliberately reference other datagrams that will never be sent, which saturates the victim's memory.

DNS Flood (Resource, L7): attack on a DNS server by mass sending of requests.

HTTP(S) GET/POST Flood (Resource, L7): attack on a web server by mass sending of requests.

Ping of Death (Exploit, L3): sending of ICMP packets that exploit an implementation bug in certain operating systems.


Managing DDoS attacks


Stage 1: The server is operational – no attack

Internet-based services are used without any problem. The traffic passes through the backbone of our network then arrives at the data center. Finally, it is handled by the server that sends back the responses over the internet.


Stage 2: The DDoS attack begins

The attack is launched via the internet and on the backbone. Given the surplus capacity of the bandwidth on the backbone, the attack will not cause saturation on any link. The attack reaches the server, which begins to handle the initial attack. At the same time, analysis of the traffic flags that an attack is underway and triggers the mitigation.


Stage 3: Mitigation of the attack

Between 15 and 120 seconds after the attack has begun, mitigation is automatically activated. Incoming server traffic is vacuumed by the 3 VACs, with a total capacity of 480 Gbps (3x 160 Gbps) of mitigation, hosted in three OVH data centers. The attack is blocked with no duration or size limit, regardless of type. Legitimate traffic passes through the VAC and arrives at the server. The server responds directly without going back through the VAC. This process is called auto-mitigation.


Stage 4: End of the attack

Generating an attack is costly, and even more so when it is ineffective. After a certain time has passed, the attack will come to an end. Auto-mitigation is maintained for 26 hours after the attack has ended. This means any new attack that occurs within a few minutes, a few hours, or 24 hours will be blocked. After just 26 hours, auto-mitigation is disabled but remains ready to be reactivated upon detection of a new attack.

Anti-DDoS protection

To protect your servers and services from attacks, OVH offers a mitigation solution based on VAC technology - an exclusive combination of techniques to:

  • Analyze all packets at high speed, in real time
  • Vacuum your server's incoming traffic
  • Mitigate by singling out illegitimate IP packets, while allowing legitimate ones to pass through

Anti-DDoS GAME protection

The gaming/e-sports industries are especially prone to distributed denial-of-service attacks. Protection solutions implemented by hosting providers often have limited capacities when faced with the intensity and frequency of these attacks, especially UDP flood attacks, which exploit the User Datagram Protocol (UDP) - the protocol used by the majority of games and voice servers.

To protect these customers, we developed an Anti-DDoS protection specifically adapted to game servers.

List of compatible games and applications:

Half-Life, Team Fortress Classic, Counter-Strike 1.6, Counter-Strike: Source, Half-Life Deathmatch Classic, Half-Life 2, Half-Life 2: Deathmatch, Day of Defeat, Day of Defeat: Source, Left 4 Dead, Left 4 Dead 2, Team Fortress 2, Counter-Strike: Global Offensive, Garry's Mod, Grand Theft Auto, San Andreas Multiplayer (SA:MP), Multi Theft Auto San Andreas (MTA:SA), TrackMania (+ TCP protocol), TrackMania 2 (+ TCP protocol), ShootMania Storm (+ TCP protocol), Minecraft Pocket Edition, Minecraft, ARK: Survival Evolved, RUST, TeamSpeak, Mumble.

Anti-DDoS protection tailored to your game

To provide the best possible protection against attacks, the OVH engineers analyzed how the most popular gaming platforms (Counter Strike, TeamFortress, Minecraft) and communication modules (TeamSpeak and Mumble) operate. In a lab and by looking at real user tests, they studied the vulnerabilities of these applications and documented the various attack strategies. This reverse engineering enabled them to provide a tailored response to each large game family: for each family, they developed a profile - or a group of predefined rules - that can be deployed by the user in one click to filter illegitimate traffic flowing in and out of the UDP ports.

Two-way mitigation: a filter on entry and exit

For every type of attack, we've built a specific response closely integrated with the servers and implemented directly in the Tilera hardware. The big innovation is a filter that analyzes both incoming and outgoing traffic to better identify legitimate requests. It's capable of distinguishing real clients connecting to the machine from harmful attacks. Anti-DDoS GAME therefore also plays the role of a cache and a filter for TCP/IP and UDP packets.

A router located next to the machine analyzes packets. This router treats every hosted game as a special case: for example, it acts as a cache to relieve the game server of useless requests.


Anti-DDoS Solution

The OVH network is capable of absorbing all attacks. With an additional 12 Tbps of capacity maintained over and above the standard usage of all our customers, the OVH network is able to withstand, vacuum, and mitigate a high number of attacks. During the mitigation process, spread across eight data centers on three continents, the attack vacuuming is reinforced. All our customers' SLAs are balanced and guaranteed in this way, and the service will never be disrupted.

Analyze

We use the netflow sent by the routers and analyzed by our detection solutions to identify attacks. Each router sends a summary of 1/2000 of traffic in real time. Our solution analyzes this summary and compares it to the attack signatures. If the comparison is positive, the mitigation is set up in a matter of seconds.
 

The signatures analyzed are based on the traffic thresholds in "packets per second" (Pps, Kpps, Mpps, Gpps) or "bytes per second" (Bps, Kbps, Mbps, Gbps) on a certain packet type such as:

  • DNS
  • ICMP
  • IP Fragment
  • IP NULL
  • IP Private
  • TCP NULL
  • TCP RST
  • TCP SYN
  • TCP ACK
  • UDP
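How such threshold-based detection works on sampled flow records, as an added example (not OVH's detection code): it scales 1/2000-sampled counts back up to estimated real rates, aggregates them per destination and packet type, and compares each estimate against a per-type pps/bps limit. The threshold values, the `SampledFlow` record layout, the `classify` mapping and the sample records are constructed assumptions; the real signature thresholds are not stated on this page.

```python
"""Threshold-based DDoS detection over sampled flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass

SAMPLING_RATE = 2000      # the page states routers export 1/2000 of traffic
WINDOW_SECONDS = 1.0      # aggregation window used for the pps/bps estimates

# Hypothetical per-type thresholds: (packets per second, bits per second).
# These are assumed values for the example, not OVH's signatures.
THRESHOLDS = {
    "TCP SYN": (50_000, 400_000_000),
    "TCP ACK": (200_000, 2_000_000_000),
    "TCP RST": (50_000, 400_000_000),
    "TCP NULL": (1_000, 10_000_000),
    "UDP": (200_000, 5_000_000_000),
    "DNS": (100_000, 1_000_000_000),
    "ICMP": (20_000, 100_000_000),
    "IP Fragment": (20_000, 500_000_000),
}


@dataclass
class SampledFlow:
    """One sampled flow record (assumed layout). tcp_flags uses S/A/R/F letters."""
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dst_port: int
    tcp_flags: str      # "" means no flags set (TCP NULL)
    fragment: bool
    packets: int        # sampled packet count
    octets: int         # sampled byte count


def classify(flow):
    """Map a flow to one of the packet types the thresholds key on, or None."""
    if flow.fragment:
        return "IP Fragment"
    if flow.proto == "icmp":
        return "ICMP"
    if flow.proto == "udp":
        return "DNS" if flow.dst_port == 53 else "UDP"
    if flow.proto == "tcp":
        flags = set(flow.tcp_flags)
        if not flags:
            return "TCP NULL"
        if "S" in flags and "A" not in flags:
            return "TCP SYN"
        if "R" in flags:
            return "TCP RST"
        if "A" in flags:          # SYN-ACK reflection traffic lands here too
            return "TCP ACK"
    return None


def estimate_rates(flows, window=WINDOW_SECONDS, sampling_rate=SAMPLING_RATE):
    """Scale sampled counts back up and aggregate per (destination, packet type)."""
    pps = defaultdict(float)
    bps = defaultdict(float)
    for f in flows:
        kind = classify(f)
        if kind is None:
            continue
        key = (f.dst, kind)
        pps[key] += f.packets * sampling_rate / window
        bps[key] += f.octets * 8 * sampling_rate / window
    return pps, bps


def detect(flows):
    """Return sorted (dst, type, est_pps, est_bps) tuples that cross a threshold."""
    pps, bps = estimate_rates(flows)
    alerts = []
    for dst, kind in pps:
        limit_pps, limit_bps = THRESHOLDS[kind]
        if pps[(dst, kind)] >= limit_pps or bps[(dst, kind)] >= limit_bps:
            alerts.append((dst, kind, int(pps[(dst, kind)]), int(bps[(dst, kind)])))
    return sorted(alerts)


# Constructed sample: one second of sampled records. 40 sampled SYNs towards
# 203.0.113.10 represent roughly 80,000 real SYNs per second, above the assumed
# SYN limit; the web and DNS traffic towards 203.0.113.20 stays far below.
SAMPLE_FLOWS = [
    SampledFlow("203.0.113.10", "tcp", 80, "S", False, 40, 40 * 60),
    SampledFlow("203.0.113.20", "tcp", 443, "A", False, 5, 5 * 1200),
    SampledFlow("203.0.113.20", "udp", 53, "", False, 1, 80),
]

if __name__ == "__main__":
    for dst, kind, p, b in detect(SAMPLE_FLOWS):
        print(f"attack suspected: {dst} {kind} ~{p:,} pps ~{b:,} bps")
```

Because a single sampled packet stands for 2000 real ones, one stray sample can move an estimate by 2000 pps; real detectors therefore use windows longer than one second or require the threshold to be crossed in consecutive windows before triggering mitigation.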

Traffic Vacuum

The principle of DDoS attacks is to overload services. Sometimes the provider's entire network is incapable of handling the load. Thanks to our 12 Tbps network capacity, OVH infrastructure can absorb a very high quantity of traffic during attacks, much more than the services offered by competitors.
 

When the attack is global, the mitigation services, replicated in eight OVH data centers across three continents, activate simultaneously to combine their power and absorb the traffic. Their total mitigation capacity is more than 2 Tbps. Other customers and services will not be affected at all.


Mitigate

By default, all OVH servers are equipped with automatic DDoS attack mitigation that activates in the event of an attack (reactive mitigation). Customers also have access to permanent mitigation (permanent rules) as well as Network Firewall configuration.

Mitigation is the term used to designate the means and measures in place to reduce the negative effects of a DDoS attack. Mitigation at OVH consists of filtering illegitimate traffic and hoovering it up with our VAC technology, while letting legitimate packets go through.

The VAC consists of multiple devices, each with a specific function to block one or more types of attack (DDoS, Flood, etc.). Depending on the attack, one or more defense strategies may be put in place on each VAC device.


Pre-Firewall

Actions carried out on the Pre-Firewall

  • Fragment UDP
  • Size of packets
  • Authorization of TCP, UDP, ICMP, GRE protocols
  • Blocking all other protocols
Firewall Network

Actions carried out on the Firewall Network

  • Authorize/block an IP or a sub-network of IPs
  • Authorize/block a protocol
    • IP (all protocols)
    • TCP
    • UDP
    • ICMP
    • GRE
  • Authorize/block a port or TCP/UDP port interval
  • Authorize/block TCP SYN packets
  • Authorize/block all packets except TCP SYN packets
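An added example (not OVH's vRouter code) showing the Pre-Firewall and Firewall Network stages as one first-match pipeline: the Pre-Firewall's protocol whitelist (TCP, UDP, ICMP, GRE), size and UDP-fragment checks run first, then a Firewall Network access-list built from the rule kinds listed above (IP or subnet, protocol including "IP" for all, port interval, TCP SYN only, everything except TCP SYN). The `Packet` and `Rule` layouts, the 1500-byte size limit and the sample rule set are assumptions.

```python
"""Two-stage filter: Pre-Firewall checks, then a first-match access-list (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ALLOWED_PROTOCOLS = {"tcp", "udp", "icmp", "gre"}  # Pre-Firewall: all other protocols are blocked
MAX_PACKET_SIZE = 1500                             # assumed size limit for the example


@dataclass
class Packet:
    """Fields the filter needs (assumed layout)."""
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None
    tcp_flags: str = ""         # "S" = SYN, "A" = ACK, ...
    size: int = 64
    fragment: bool = False


@dataclass
class Rule:
    """One access-list entry; unset fields match anything."""
    action: str                            # "allow" or "block"
    src: Optional[str] = None              # IP or subnet in CIDR notation
    proto: Optional[str] = None            # "ip" matches every protocol
    ports: Optional[Tuple[int, int]] = None  # inclusive TCP/UDP destination port interval
    tcp: Optional[str] = None              # "syn": only TCP SYN; "not-syn": everything except TCP SYN

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.proto not in (None, "ip") and pkt.proto != self.proto:
            return False
        if self.ports is not None:
            if pkt.dst_port is None:
                return False
            lo, hi = self.ports
            if not lo <= pkt.dst_port <= hi:
                return False
        if self.tcp is not None:
            is_syn = pkt.proto == "tcp" and "S" in pkt.tcp_flags and "A" not in pkt.tcp_flags
            if self.tcp == "syn" and not is_syn:
                return False
            if self.tcp == "not-syn" and is_syn:
                return False
        return True


def pre_firewall(pkt: Packet):
    """Stage 1: protocol whitelist, packet size and UDP fragment checks. Returns a drop reason or None."""
    if pkt.proto not in ALLOWED_PROTOCOLS:
        return "protocol not authorized"
    if pkt.size > MAX_PACKET_SIZE:
        return "packet too large"
    if pkt.proto == "udp" and pkt.fragment:
        return "fragmented UDP"
    return None


def firewall_network(pkt: Packet, rules, default="allow"):
    """Stage 2: first matching rule decides; `default` applies when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def filter_packet(pkt: Packet, rules):
    """Run both stages in order; returns (verdict, stage/reason)."""
    reason = pre_firewall(pkt)
    if reason:
        return "block", "pre-firewall: " + reason
    return firewall_network(pkt, rules), "firewall network"


# Constructed rule set for a host that serves HTTP(S) and DNS: drop one noisy
# subnet, allow the service ports and ICMP, then block everything else.
RULES = [
    Rule("block", src="198.51.100.0/24"),
    Rule("allow", proto="tcp", ports=(80, 443)),
    Rule("allow", proto="udp", ports=(53, 53)),
    Rule("allow", proto="icmp"),
    Rule("block", proto="ip"),
]

if __name__ == "__main__":
    for pkt in (Packet("192.0.2.5", "203.0.113.10", "tcp", 443, "S"),
                Packet("198.51.100.7", "203.0.113.10", "tcp", 443, "S"),
                Packet("192.0.2.5", "203.0.113.10", "sctp")):
        print(pkt.src, pkt.proto, pkt.dst_port, "->", filter_packet(pkt, RULES))
```

Rule order matters: the subnet block is listed first so that it wins over the later port allows, and the final `proto="ip"` block turns the list into a default-deny policy, which is the safe shape for the "only authorized and necessary ports" advice given later on this page.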
Shield

Actions carried out on the Shield

  • Malformed IP header
  • Incorrect IP checksum
  • Incorrect UDP checksum
  • ICMP limitation
  • Incorrectly fragmented UDP datagram
  • DNS amp
Armor

Actions carried out on the Armor

  • Malformed IP header
  • Incomplete fragment
  • Incorrect IP checksum
  • Duplicated fragment
  • Fragment too long
  • IP/TCP/UDP/ICMP packet too long
  • Incorrect TCP/UDP checksum
  • Invalid TCP flags
  • Invalid sequence number
  • Zombie detection
  • TCP SYN authentication
  • DNS authentication
  • Badly formed DNS request
  • DNS limitation
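Several of the Shield and Armor actions above are header sanity checks. As an added example (not OVH's implementation), the following parses an IPv4 header from raw bytes, verifies the RFC 1071 header checksum, rejects fragments whose offset plus length would exceed the 65535-byte IP maximum, and flags TCP flag combinations that no legitimate client sends. The particular set of invalid flag combinations and the constructed test packets are assumptions.

```python
"""IPv4/TCP header sanity checks of the kind listed for Shield and Armor (added example)."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over `data` (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, flags_frag=0, ttl=64, fix_checksum=True):
    """Build a 20-byte IPv4 header; the checksum can be left at zero to construct a bad packet."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, 0x1234,
                      flags_frag, ttl, proto, 0, src, dst)
    if fix_checksum:
        hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr


def tcp_segment(flags: int) -> bytes:
    """Minimal 20-byte TCP header carrying the given flag byte (TCP checksum not modelled here)."""
    return struct.pack("!HHIIBBHHH", 12345, 80, 0, 0, 5 << 4, flags, 65535, 0, 0)


# Assumed list of flag combinations treated as invalid (low 6 bits: URG ACK PSH RST SYN FIN).
INVALID_TCP_FLAG_COMBOS = {
    0x00,   # no flags at all ("TCP NULL")
    0x03,   # SYN+FIN
    0x06,   # SYN+RST
    0x29,   # FIN+PSH+URG
}


def check_packet(raw: bytes):
    """Return the list of reasons to drop `raw`; an empty list means the packet passed."""
    problems = []
    if len(raw) < 20:
        return ["malformed IP header: truncated"]
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(raw):
        return ["malformed IP header: bad version or IHL"]
    total_len = struct.unpack("!H", raw[2:4])[0]
    if total_len != len(raw):
        problems.append("malformed IP header: total length does not match packet")
    if ones_complement_sum(raw[:ihl]) != 0:       # a correct header sums to zero
        problems.append("incorrect IP checksum")
    flags_frag = struct.unpack("!H", raw[6:8])[0]
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8
    if more_fragments or frag_offset:
        if frag_offset + (len(raw) - ihl) > 65535:
            problems.append("fragment too long")
        return problems   # only the first fragment carries a transport header
    if raw[9] == 6:       # TCP
        if len(raw) - ihl < 20:
            problems.append("malformed TCP header: truncated")
        elif (raw[ihl + 13] & 0x3F) in INVALID_TCP_FLAG_COMBOS:
            problems.append("invalid TCP flags 0x%02x" % (raw[ihl + 13] & 0x3F))
    return problems


# Constructed packets (RFC 5737 documentation addresses).
SRC, DST = bytes([192, 0, 2, 5]), bytes([203, 0, 113, 10])
GOOD_SYN = build_ipv4_header(SRC, DST, 6, 20) + tcp_segment(0x02)
NULL_FLAGS = build_ipv4_header(SRC, DST, 6, 20) + tcp_segment(0x00)
BAD_CHECKSUM = build_ipv4_header(SRC, DST, 6, 20, fix_checksum=False) + tcp_segment(0x02)
# Fragment at offset 8184*8 = 65472 carrying 80 bytes would end past 65535.
LONG_FRAG = build_ipv4_header(SRC, DST, 17, 80, flags_frag=8184) + b"\x00" * 80

if __name__ == "__main__":
    for name, pkt in (("good SYN", GOOD_SYN), ("null flags", NULL_FLAGS),
                      ("bad checksum", BAD_CHECKSUM), ("long fragment", LONG_FRAG)):
        print(name, "->", check_packet(pkt) or "pass")
```

Checks like these are cheap enough to run at line rate because they need no connection state, which is why they sit in front of the stateful Armor functions (SYN authentication, zombie detection) that cost more per packet.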

Pre-firewall

The Pre-Firewall is based on the Arista 7508R, which can connect 288 100G ports, i.e. 28.8 Tbps of switching capacity. VRF isolation then allows the traffic to be routed through the successive stages.

Model: Arista 7508R
Supervision card: 2x DCS-7500-SUP2
Processor: Multicore x86
Frequency: 2.13 GHz
RAM: 32 GB
Fabric: DCS-7508R-FM
Service cards: 2x 7500R-36CQ
Capacity: 28.8 Tbps / 34.5 Bpps
Total pre-firewall capacity: 1.2 Tbps / 1.8 Bpps

Firewall network

The firewall network is composed of vRouters executing OVH-developed code, enabling all traffic to be classified so that rules can be applied (access-lists).

Processor: 2x 1697v4
RAM: 64 GB DDR4 ECC
Network cards: 2x ConnectX-4, 2x 100 Gbps
Capacity: 200 Gbps / 100 Mpps
Number per VAC: 3

Shield

Shield is an OVH-developed software solution that runs on vRouters. Its purpose is to mitigate known attacks, mainly those that work via amplification (DNS Amp, NTP Amp).

Processor: 2x 1697v4
RAM: 64 GB DDR4 ECC
Network cards: 2x ConnectX-4, 2x 100 Gbps
Capacity: 200 Gbps / 100 Mpps
Number per VAC: 3

Armor

Armor is the most advanced VAC software solution, designed to mitigate advanced persistent attacks. It runs on vRouters fitted with FPGA cards, which offload part of the processing from the CPU and give the best performance on complex algorithms.

Processor: 2x 1697v4
RAM: 64 GB DDR4 ECC
Network cards: 2x ConnectX-4, 2x 100 Gbps
FPGA: XUSP3S with 4x 100 Gbps
Capacity: 200 Gbps / 100 Mpps
Number per VAC: 3



Anti-DDoS Resources

Recommended forms of protection

Your situation: OVH Network Firewall settings
Our advice: Ensure that only authorized and necessary ports are enabled on your server; don't miss any port or service, to avoid disconnection due to incorrect settings. Use the Firewall Network interface in your OVH Control Panel or API.

Your situation: Configuration of your server settings
Our advice: Adjust your server's IP settings by customizing the TCP and UDP values in /proc on your Linux server.

Your situation: Public and private network
Our advice: If your infrastructure consists of several servers, use vRack for all services between your servers.

Your situation: Test the permanent mitigation
Our advice: You can activate mitigation on your server and thus verify that it's working correctly under the VAC. That way, you won't get any nasty surprises on the day you get attacked.

Your situation: In the event of an attack
Our advice: Follow the situation via the Control Panel to confirm when it has been restored. By default, the mitigation will stop 26 hrs after the start of the attack.

Your situation: Prepare a business contingency plan
Our advice: If possible, use our three data centers to duplicate your infrastructure geographically and devise a service continuity plan in advance.

Customer control panel

Simple control of your anti-DDoS security

Whether you've opted for standard or a more sophisticated mitigation (as part of the OVH Extended features option), you can take total control of your strategies and firewall settings via the graphical user interface in your Control Panel.

Oversee the attack monitoring process

Your Control Panel also allows you to monitor attacks (status and intensity) and to take full control of the actions.

RESTful API

In addition to the Control Panel, which enables you to control your mitigation strategies and firewall network on a daily basis, OVH offers customers a comprehensive and secure API that lists all possible actions.

A clear and documented RESTful API, ideal for developers.

The OVH RESTful API allows you to list all the administration actions on your network security, on one page and by category. Each function has a description, action buttons, and for developers, examples of code for integrating these functions into your scripts. In addition to the quick control of your security services, the OVH RESTful API opens up wide possibilities to automate certain tasks, integrate them into your development, and update the configuration of your app settings and policies.


Glossary

Anti-DDoS

Set of computing techniques aimed at protecting online services from DDoS attacks

DDoS

Distributed DoS; the principle is the same as DoS, but with multiple points of attack

DoS

Denial of service; a type of cyber-attack

Mitigation

The act of identifying, selecting the appropriate filtration and isolation, and neutralizing the effects of a cyber-attack

SLA

Service Level Agreement; the obligations of the supplier in terms of quality and availability of services

Synflood or SYN Flood

A cyber-attack carried out on the basis of SYN requests

VAC


FAQ

The Anti-DDoS protection is included for free with all servers, no matter the duration of your contract.

We provide free, 24/7 mitigation to 100% of OVH infrastructures and servers. The only way to protect our customers is to protect all of them. This is why all of our servers must be protected.

If a specific policy has not been selected via the API or the Control Panel, OVH will apply standard mitigation rules for your server. This is done in an automatic and escalating manner (increasingly restrictive until isolation of the results).

All policies have been set up to protect the attacked ports by leaving other ports open. This preserves the SLA of servers on the other ports.

The professional use option allows you to proactively choose which policies will be applied in the event of an active attack (at any time). If the policy selected by the customer is not sufficient, an OVH policy will take over until the attack is stabilized; this allows the customer to decide which is the best solution before OVH decides for them.