DDoS Prevention & Protection FAQs


What is Neustar SiteProtect?

Neustar SiteProtect is a cloud-based, on-demand DDoS mitigation service. When activated, SiteProtect scrubs malicious Internet traffic, allowing clean, legitimate traffic to flow to your infrastructure. By defending your website, SiteProtect shields your online revenues, customer satisfaction and brand reputation.

What is a DDoS attack?

A DDoS (distributed denial of service) attack is an attempt to make a computer resource unavailable for its intended users. For example, a DDoS attack may flood website servers with bogus traffic, causing a website outage. People launch these attacks for many reasons—to extort money, seek revenge, gain a competitive edge, destabilize a government or stage a social or political protest.

SiteProtect is an on-demand DDoS prevention service. How do I activate it and redirect traffic to your cloud?

When attacked, you can redirect traffic in two ways:

How does redirecting traffic via DNS work?

It’s easy. Simply switch the DNS A records for any hosts under DDoS attack to your assigned SiteProtect IPs.

Traffic will start flowing through the SiteProtect mitigation cloud, where it’s cleaned and forwarded to your infrastructure. Once a DDoS attack subsides, just switch your DNS A records back to your original IPs.

Why is a low TTL important for DNS redirection?

With a low TTL, your DNS changes will take effect faster throughout the Internet. The TTL determines how long recursive servers cache your records. The lower the TTL, the sooner these servers seek new answers from your authoritative DNS server. Generally, the TTL default is 86400 seconds—24 hours, way too long when you’re under a DDoS attack.

Neustar recommends that you set your TTL for DNS A records to 300 seconds (five minutes). Your changes will happen more quickly, ensuring you can redirect and protect your traffic.

Do I have to use Neustar UltraDNS with Neustar SiteProtect?

No. You can use any DNS solution. Just be sure your solution lets you set a low TTL (time to live) for each record, so you can quickly redirect your traffic to SiteProtect. With Neustar UltraDNS, you can set a lower TTL at both the domain and record levels.

Does Neustar SiteProtect support forwarding to CNAMEs?

Yes, our DNS redirection service can forward traffic to DNS CNAME records. This is important if you want to place Neustar's DDoS prevention service in front of your CDN service.

How does BGP redirection work?

When you’re hit with a DDoS attack, we’ll work with you to redirect traffic to the SiteProtect mitigation cloud.

For affected prefixes, you’ll withdraw BGP announcements from your routers.

Our Security Operations Center will initiate BGP announcements from the SiteProtect network.

Within minutes, SiteProtect will start to absorb the attack. Security Operations will oversee DDoS prevention, sending clean traffic to your infrastructure via GRE tunnels.

When the DDoS attack is over, we’ll help you re-establish BGP announcements on your routers for affected prefixes.

Are there requirements for BGP redirection?

To use BGP redirection you must have:

  • A /24 prefix, at a minimum.
  • A BGP (Border Gateway Protocol) and GRE (Generic Routing Encapsulation) capable router.
  • IP address space to terminate GRE tunnels that lies outside of the prefixes that you need defended.

Why choose DNS redirection over BGP or vice-versa?

Both DNS and BGP are efficient ways to route your traffic to SiteProtect. Most customers choose DNS redirection because it’s easier to deploy and maintain. If you have a more complex Internet infrastructure, with many hosts and IPs to defend, you may want to opt for BGP routing. Note: BGP routing requires one or more /24 prefixes, along with BGP/GRE-capable routers. Any router that can handle BGP and GRE (Generic Routing Encapsulation) tunnels should be compatible.

Does Neustar SiteProtect have an always-on option?

Yes. As an alternative to our on-demand DDoS prevention service, we offer an always-on option which works 24/7/365. In partnership with Arbor Networks™, the leader in DDoS mitigation hardware, we place equipment in your data centers to detect and repel attacks. Besides on-premise hardware, you get the expertise of Neustar’s 24/7 Security Operations Center. Moreover, should an extremely large DDoS attack overwhelm your hardware you can fail over to the SiteProtect cloud (additional fees apply).

How do you determine your clean traffic?

Clean traffic is defined as the total amount of traffic to be protected going in and out of your network to the Internet in Mbps (Megabits/Second), at the 95th percentile. If multiple services (e.g., email, Web, etc.) are to be protected, each service must be measured and added to the total.

Using the right unit of measurement is critical. Neustar SiteProtect packages use the Mbps (Megabits/Second) standard. Other formats such as MBps or MB/Sec (megabytes per second), KB/Sec (kilobytes per second) or Kbps (kilobits per second) should be converted to Mbps for accurate measurement.

To determine your clean traffic, your technical team should look at Netflow data on your routers, MRTG or CACTI graphs. You can also take a look at your Apache or IIS web logs.

What’s the maximum clean traffic limit for BGP and DNS?

Neustar SiteProtect packages are available for up to 2 Gbps of clean traffic.

What options are available if you exceed the clean traffic limit?

For clean traffic beyond 2 Gbps, please contact our sales team at +1-855-727-1209 to find the right solution for your infrastructure.

How long does it take to mitigate a DDoS attack?

Once traffic starts flowing through Neustar SiteProtect, DDoS protection procedures are initiated immediately and our Neustar Security Operations Staff tunes mitigation strategies appropriately.

Can I sign onto the service if I am currently under a DDoS attack?

Absolutely. The Neustar team can provision you during a DDoS attack (additional fee applies). Before we start, set your TTL for each DNS record as low as you can. By following this best practice, you’ll accelerate your DNS changes across the Internet, helping to stop the DDoS attack faster and reduce website downtime.

What’s involved in provisioning SiteProtect via DNS redirection? How long does it take?

When you sign up for SiteProtect, we ask you to supply details on the infrastructure you want protected. After we receive these, we schedule a call to review your infrastructure in depth. Our Security Operations Center then provisions you, sending all instructions required to mitigate DDoS attacks.

Typically, this process takes 72 hours. If you’re under attack, however, we’ll work closely with your team to provision you in minutes.

What is involved in provisioning SiteProtect via BGP Redirection and how long does it take to get provisioned?

When you sign up for SiteProtect, we ask you to supply details on the infrastructure you want protected. After we receive these, we’ll schedule a call to review your infrastructure in depth.

Our Security Operations Center will then provision you, sending you detailed instructions on setting up GRE tunnels. The SOC will also schedule a time to test your tunnels’ functionality with you.

If you need emergency provisioning, we’ll initially set you up via DNS redirection, so we can mitigate the attack as we proceed with BGP provisioning.

Is Neustar SiteProtect carrier neutral?

Yes. If you have network connectivity from diverse carriers, SiteProtect can be your one DDoS protection service. It’s much easier and less expensive than having all your carriers supply their own protection.

Can Neustar SiteProtect handle my HTTPS traffic?

Yes, both our BGP and DNS redirection services can handle HTTPS traffic. If you choose DNS redirection and need to know end-user source IPs, you can opt to give us an SSL cert to serve; this way, we can pass along source IPs in an X-Forwarded-For header field.

Is Neustar SiteProtect an IPS/IDS (Intrusion Prevention/Detection) service?

No. Neustar SiteProtect is a DDoS mitigation service and doesn’t protect you against attempted intrusions like SQL injection attacks or cross-site scripting attacks. During a DDoS attack, we recommend that you turn off your IPS/IDS because it may actually block legitimate traffic. Should you see particular strings you want to filter out, we’ll work with you to do so.

Is there latency when routing traffic through the cloud?

Deployed strategically across the world, Neustar SiteProtect scrubbing centers use the same Anycast technology as Neustar UltraDNS. To minimize latency, we route traffic to the closest available scrubbing center. We can also cache static content to ensure faster replies. While routing traffic through additional hops will add some latency, it’s a matter of milliseconds. Visitors to your site won’t notice any difference.