Introduction

DDoS Protection

aurologic DDoS-Protection mitigates and filters both network-targeted and application-targeted attacks. To do so effectively, aurologic has deployed DDoS-Protection equipment across its network points of presence, offering the same or higher capacity than the available peering and upstream connectivity.

The aurologic DDoS-Protection stack consists of four core components:

  • flowAnalyzer
  • flowShield
  • flowProxy
  • flowTrack

flowAnalyzer

flowAnalyzer constantly watches the network traffic, detecting attacks from flow samples generated by edge and core routers. It performs mathematical, including statistical, calculations against ingress network traffic. When traffic matches patterns of unusual behavior, customer-defined rules (flowrules) or thresholds, flowShield is engaged to clean the ingress network traffic of unwanted DDoS traffic.

flowShield

Every IP prefix routed over flowShield traverses its packet filtering pipeline, which starts with packet parsing and then hands over to flexrule processing. As the final stage, application- and protocol-specific filters are applied in order to surgically remove malicious packets.

Customers can programmatically modify flowShield-based DDoS-Protection by setting up flexrules, which match packet metadata as well as payload contents. flexrules are a powerful tool to discard, accept, rate-limit and apply custom application filters based on several packet criteria. Modifications can be made using the aurologic customer area as well as the REST API.

flowProxy

flowProxy serves as a stack of application-aware proxies, allowing ingress traffic to be routed over flowProxy servers. Similar to flowShield, flowProxy nodes are distributed across the aurologic network. Its feature set includes the ability to issue challenge-response checks and to analyze and block or accept application-specific requests in real time. Due to its design, it is not meant to deal with high-bandwidth attacks the way flowShield can. Instead, it serves as a second DDoS-Protection component in conjunction with flowShield to remove even very sophisticated DDoS traffic.

flowProxy is based on a multitude of microservices dealing with different application types. These include Website DDoS-Protection as well as TCP Proxy and application-specific code, such as for FiveM and Minecraft. Early-stage XDP filtering with flowProxy includes TCP SYN-Cookies, rate limiting, thwarting attacks such as TLS handshake floods, bans of repeatedly abusive source IPs, as well as geo-blocking.

flowTrack

flowTrack receives network traffic from aurologic routers, which duplicate specific traffic through SPAN to flowTrack nodes. This allows it to carry out session synchronization, service discovery as well as traffic profiling and machine learning. flowTrack receives real-time traffic, creates TCP/UDP sessions and broadcasts those to flowShield nodes.

flowTrack only works with synchronous traffic. This means customers are required to send their return traffic towards the internet over the aurologic infrastructure. For now, flowTrack requires manual activation by aurologic.