Limitations

DDoS-Protection flowShield Limitations

flowShield comes with certain limitations, which can be lifted per customer through flexrules. To effectively protect our customers against DDoS, even with the default rule-set, it is important to properly police certain traffic and either accept or discard it.

ICMP

ICMP Echo traffic is limited to 100 pps per filter node, with the ability to automatically impose a global limit injected by aurologic traffic analysis.

ICMP Echo-Reply traffic is always limited to 100 pps per filter node. It uses a separate rate-limit hash bucket, meaning that the ICMP Echo limit won't have any effect on the Echo-Reply limit.

Any other ICMP traffic is discarded.

TCP

TCP is effectively protected against stack attacks such as SYN-Flood as well as out-of-order attacks like ACK-Flood. Generally, TCP is authenticated by sending a TCP SYN-ACK with a randomly generated sequence number back towards the connecting client. If the client replies to that SYN-ACK sent by flowShield with a TCP ACK packet carrying the matching sequence number, the connection is considered valid.

TCP SYN-ACK, however, is handled by a register of rate-limiting rules matching certain conditions to mitigate SYN-ACK-Flood. Floods aiming at the stack are discarded as out-of-order. Therefore, every valid connection requires an initial 3-way handshake to be completed successfully.

Any other TCP traffic that isn't authenticated is discarded.
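The following is an added illustration of the handshake authentication described above, written as a small simulation for this page; it is not flowShield's code. The flow key, the addresses and the packet representation are constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed model of SYN-ACK challenge authentication (not flowShield's implementation).
# A flow is keyed by the hypothetical tuple (client_ip, client_port, server_ip, server_port).

@dataclass
class SynAuthenticator:
    pending: dict = field(default_factory=dict)      # flow -> ACK number we expect back
    authenticated: set = field(default_factory=set)  # flows that completed the handshake

    def on_syn(self, flow):
        """Answer a SYN with a SYN-ACK carrying a random ISN and remember the expected ACK."""
        isn = secrets.randbits(32)
        self.pending[flow] = (isn + 1) & 0xFFFFFFFF
        return {"flags": "SA", "seq": isn}  # the SYN-ACK sent back to the client

    def on_ack(self, flow, ack_number):
        """Accept the flow only if the ACK acknowledges the ISN we chose for it."""
        expected = self.pending.get(flow)
        if expected is not None and ack_number == expected:
            del self.pending[flow]
            self.authenticated.add(flow)
            return "accept"
        return "discard"  # unsolicited or mismatching ACK: treated as out-of-order

    def on_other(self, flow):
        """Any other TCP segment must belong to an already authenticated flow."""
        return "accept" if flow in self.authenticated else "discard"

def demo():
    """Run one legitimate handshake and one spoofed ACK; return the verdicts."""
    auth = SynAuthenticator()
    good = ("198.51.100.10", 40001, "203.0.113.5", 443)    # constructed client
    bogus = ("198.51.100.99", 1234, "203.0.113.5", 443)     # constructed ACK-flood source
    synack = auth.on_syn(good)
    legit = auth.on_ack(good, (synack["seq"] + 1) & 0xFFFFFFFF)  # correct ACK number
    wrong = auth.on_ack(good, 0)            # flow already authenticated, no pending state
    flood = auth.on_ack(bogus, 0)           # never sent a SYN, so no SYN-ACK was issued
    return legit, wrong, flood, auth.on_other(good), auth.on_other(bogus)
```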

UDP

For UDP, only certain applications are accepted with the default rule-set. The default rule-set can, however, be changed by the customer.

Default ranges are listed on flowShield Applications.

DNS resolving nameservers are authenticated by matching the characteristics of a valid DNS reply packet in conjunction with a hash-bucket based rate-limit.

Any other UDP traffic that isn't authenticated is discarded.

Other IP Protocols

By default, IP protocols other than those listed above are discarded. To allow such connections, please create a flexrule matching the specific traffic.