DDoS Prevention & Protection FAQs

 

What is Neustar SiteProtect NG?

Neustar SiteProtect NG is the largest, dedicated cloud-based, on-demand DDoS mitigation service in the world with a data scrubbing capacity of 10+Tbps, with plans for further expansion. When activated, SiteProtect NG scrubs malicious Internet traffic, allowing clean, legitimate traffic to flow to your infrastructure. By defending your website, SiteProtect NG shields your online revenues, customer satisfaction and brand reputation.

What is a DDoS attack?

A DDoS (distributed denial of service) attack is an attempt to make a computer resource unavailable for its intended users. For example, a DDoS attack may flood website servers with bogus traffic, causing a website outage. People launch these attacks for many reasons—to extort money, seek revenge, gain a competitive edge, destabilize a government or stage a social or political protest.

SiteProtect NG is an on-demand DDoS prevention service. How do I activate it and redirect traffic to your cloud?

When attacked, you can redirect traffic in two ways: DNS redirection or BGP redirection.

How does redirecting traffic via DNS work?

It’s easy. Simply switch the DNS A records for any hosts under DDoS attack to your assigned SiteProtect NG IPs.

Traffic will start flowing through the SiteProtect NG mitigation cloud, where it’s cleaned and forwarded to your infrastructure. Once a DDoS attack subsides, just switch your DNS A records back to your original IPs.

Why is a low TTL important for DNS redirection?

With a low TTL, your DNS changes will take effect faster throughout the Internet. The TTL determines how long recursive servers cache your records. The lower the TTL, the sooner these servers seek new answers from your authoritative DNS server. Generally, the TTL default is 86400 seconds—24 hours, way too long when you’re under a DDoS attack.

Neustar recommends that you set your TTL for DNS A records to 300 seconds (five minutes). Your changes will happen more quickly, ensuring you can redirect and protect your traffic.
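An added example, not Neustar's code: a Python check that reads a BIND-style zone fragment and lists the A records whose effective TTL exceeds the 300 seconds recommended above. The zone content, names and addresses are constructed for illustration, and the parser assumes single-line records.

```python
import re

RECOMMENDED_MAX_TTL = 300  # seconds: the A-record TTL recommended above
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed zone fragment (documentation addresses), not a real zone.
SAMPLE_ZONE = """\
$TTL 86400
@        IN  A      192.0.2.10
www      300 IN A   192.0.2.10
api      IN  A      192.0.2.20   ; inherits $TTL
         IN  A      192.0.2.21   ; blank owner: same name as previous line
mail     1h  IN A   192.0.2.30
shop     IN  CNAME  www
"""

def parse_ttl(token):
    """Seconds for '300', '5m', '1d' style TTL tokens; None if not a TTL."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", token.lower())
    return int(m.group(1)) * UNITS[m.group(2) or "s"] if m else None

def slow_a_records(zone_text, max_ttl=RECOMMENDED_MAX_TTL):
    """Return (owner, address, ttl) for A records cached longer than max_ttl."""
    default_ttl, owner, findings = None, None, []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop comments, tokenize
        if not fields:
            continue
        if fields[0].upper() == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        if fields[0].startswith("$"):
            continue                            # $ORIGIN etc. do not affect TTLs
        if not raw[0].isspace():
            owner = fields.pop(0)               # otherwise reuse the previous owner
        ttl = default_ttl
        # TTL and class are both optional and may appear in either order.
        while fields and (fields[0].upper() == "IN" or parse_ttl(fields[0]) is not None):
            token = fields.pop(0)
            if token.upper() != "IN":
                ttl = parse_ttl(token)
        if len(fields) >= 2 and fields[0].upper() == "A":
            if ttl is None or ttl > max_ttl:    # None: no TTL visible in this file
                findings.append((owner, fields[1], ttl))
    return findings

if __name__ == "__main__":
    for owner, addr, ttl in slow_a_records(SAMPLE_ZONE):
        print(f"{owner:6} {addr:12} TTL={ttl} exceeds {RECOMMENDED_MAX_TTL}s")
```

Records it reports are the ones whose redirection could lag behind an A-record switch, because recursive servers may keep the old answer for the full TTL.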

Do I have to use Neustar UltraDNS with Neustar SiteProtect NG?

No. You can use any DNS solution. Just be sure your solution lets you set a low TTL (time to live) for each record, so you can quickly redirect your traffic to SiteProtect NG. With Neustar UltraDNS, you can set a lower TTL at both the domain and record levels.

Does Neustar SiteProtect NG support forwarding to CNAMEs?

Yes, our DNS redirection service can forward traffic to DNS CNAME records. This is important if you want to place Neustar's DDoS prevention service in front of your CDN service.

How does BGP redirection work?

When you’re hit with a DDoS attack, we’ll work with you to redirect traffic to the SiteProtect NG mitigation cloud.

For affected prefixes, you’ll withdraw BGP announcements from your routers.

Our Security Operations Center will initiate BGP announcements from the SiteProtect NG network.

Within minutes, SiteProtect NG will start to absorb the attack. Security Operations will oversee DDoS prevention, sending clean traffic to your infrastructure via GRE tunnels.

When the DDoS attack is over, we’ll help you re-establish BGP announcements on your routers for affected prefixes.

Are there requirements for BGP redirection?

To use BGP redirection you must have:

  • A /24 prefix, at a minimum.
  • A BGP (Border Gateway Protocol) and GRE (Generic Routing Encapsulation) capable router.
  • IP address space to terminate GRE tunnels that lies outside of the prefixes that you need defended.

Why choose DNS redirection over BGP or vice-versa?

Both DNS and BGP are efficient ways to route your traffic to SiteProtect NG. Most customers choose DNS redirection because it’s easier to deploy and maintain. If you have a more complex Internet infrastructure, with many hosts and IPs to defend, you may want to opt for BGP routing. Note: BGP routing requires one or more /24 prefixes, along with BGP/GRE-capable routers. Any router that can handle BGP and GRE (Generic Routing Encapsulation) tunnels should be compatible.

Does Neustar SiteProtect NG have an always-on option?

Yes. As an alternative to our on-demand DDoS prevention service, we offer an always-on option which works 24/7/365. In partnership with Arbor Networks™, the leader in DDoS mitigation hardware, we place equipment in your data centers to detect and repel attacks. Besides on-premises hardware, you get the expertise of Neustar’s 24/7 Security Operations Center. Moreover, should an extremely large DDoS attack overwhelm your hardware, you can fail over to the SiteProtect NG cloud (additional fees apply).

How do you determine your clean traffic?

Clean traffic is defined as the total amount of traffic to be protected going in and out of your network to the Internet in Mbps (Megabits/Second), at the 95th percentile. If multiple services (e.g., email, Web, etc.) are to be protected, each service must be measured and added to the total.

Using the right unit of measurement is critical. Neustar SiteProtect NG packages use the Mbps (Megabits/Second) standard. Other formats such as MBps or MB/Sec (megabytes per second), KB/Sec (kilobytes per second) or Kbps (kilobits per second) should be converted to Mbps for accurate measurement.

To determine your clean traffic, your technical team should look at NetFlow data on your routers, or at MRTG or Cacti graphs. You can also take a look at your Apache or IIS web logs.
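The calculation described above, as an added example rather than Neustar's own method: each service's samples are converted to Mbps, the 95th percentile is taken per service, and the per-service figures are summed. The nearest-rank percentile, decimal unit prefixes, adding inbound to outbound per sample, and all sample figures are assumptions of this example.

```python
# Bits per second represented by one unit of each measurement format named above
# (assumed decimal prefixes: 1 Mbps = 1,000,000 bits/s; 1 byte = 8 bits).
BPS_PER_UNIT = {"Mbps": 1_000_000, "Kbps": 1_000, "MBps": 8_000_000, "KBps": 8_000}

def percentile_95(values):
    """Nearest-rank 95th percentile (assumed method): the top 5% of samples are ignored."""
    ordered = sorted(values)
    rank = (95 * len(ordered) + 99) // 100   # ceil(0.95 * n) in integer arithmetic
    return ordered[rank - 1]

def clean_traffic_mbps(services):
    """services: {name: (unit, [(inbound, outbound), ...])}.
    Returns ({name: 95th percentile in Mbps}, total in Mbps)."""
    per_service = {}
    for name, (unit, samples) in services.items():
        if unit not in BPS_PER_UNIT:
            raise ValueError(f"{name}: unknown unit {unit!r}")
        # Assumption: inbound and outbound are added for each sample interval.
        mbps = [(i + o) * BPS_PER_UNIT[unit] / 1_000_000 for i, o in samples]
        per_service[name] = percentile_95(mbps)
    return per_service, sum(per_service.values())

# Constructed samples: 20 intervals per service, each series containing one burst.
SAMPLE_SERVICES = {
    # Web graphs already in Mbps: steady 10 in / 40 out, one busy interval, one burst.
    "web": ("Mbps", [(10, 40)] * 18 + [(20, 80), (200, 100)]),
    # Mail exported in KBps (kilobytes/s): steady 500 in / 750 out, one burst.
    "mail": ("KBps", [(500, 750)] * 19 + [(5000, 5000)]),
}

if __name__ == "__main__":
    per_service, total = clean_traffic_mbps(SAMPLE_SERVICES)
    for name, value in per_service.items():
        print(f"{name:5} 95th percentile = {value:.1f} Mbps")
    print(f"clean traffic total = {total:.1f} Mbps")
```

Reading the mail figures as Kbps instead of KBps would understate that service eightfold, which is why the unit is carried with each series rather than assumed.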

What’s the maximum clean traffic limit for BGP and DNS?

Neustar SiteProtect NG packages are available for up to 2 Gbps of clean traffic.

What options are available if you exceed the clean traffic limit?

For clean traffic beyond 2 Gbps, please contact our sales team at +1-855-727-1209 to find the right solution for your infrastructure.

How long does it take to mitigate a DDoS attack?

Once traffic starts flowing through Neustar SiteProtect NG, DDoS protection procedures are initiated immediately and our Neustar Security Operations Staff tunes mitigation strategies appropriately.

Can I sign onto the service if I am currently under a DDoS attack?

Absolutely. The Neustar team can provision you during a DDoS attack (additional fee applies). Before we start, set your TTL for each DNS record as low as you can. By following this best practice, you’ll accelerate your DNS changes across the Internet, helping to stop the DDoS attack faster and reduce website downtime.

What’s involved in provisioning SiteProtect NG via DNS redirection? How long does it take?

When you sign up for SiteProtect NG, we ask you to supply details on the infrastructure you want protected. After we receive these, we schedule a call to review your infrastructure in depth. Our Security Operations Center then provisions you, sending all instructions required to mitigate DDoS attacks.

Typically, this process takes 72 hours. If you’re under attack, however, we’ll work closely with your team to provision you in minutes.

What is involved in provisioning SiteProtect NG via BGP Redirection and how long does it take to get provisioned?

When you sign up for SiteProtect NG, we ask you to supply details on the infrastructure you want protected. After we receive these, we’ll schedule a call to review your infrastructure in depth.

Our Security Operations Center will then provision you, sending you detailed instructions on setting up GRE tunnels. The SOC will also schedule a time to test your tunnels’ functionality with you.

If you need emergency provisioning, we’ll initially set you up via DNS redirection, so we can mitigate the attack as we proceed with BGP provisioning.

Is Neustar SiteProtect NG carrier neutral?

Yes. If you have network connectivity from diverse carriers, SiteProtect NG can be your one DDoS protection service. It’s much easier and less expensive than having all your carriers supply their own protection.

Can Neustar SiteProtect NG handle my HTTPS traffic?

Yes, both our BGP and DNS redirection services can handle HTTPS traffic. If you choose DNS redirection and need to know end-user source IPs, you can opt to give us an SSL cert to serve; this way, we can pass along source IPs in an X-Forwarded-For header field.
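An added example, not part of the original FAQ or Neustar's code: how an origin server can consume the X-Forwarded-For header mentioned above without letting clients forge their source IP. The header is honored only when the connection comes from the mitigation service, and it is read right to left; the trusted range below is a placeholder documentation prefix, not a real SiteProtect NG address range.

```python
import ipaddress

# Placeholder range standing in for the addresses the mitigation service
# forwards clean traffic from; obtain the real list from the provider.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]

def is_trusted(addr):
    """True if addr belongs to a proxy whose X-Forwarded-For entries we accept."""
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(peer_ip, xff_header):
    """Return the address a request should be attributed to.

    peer_ip    -- source address of the TCP connection seen by the origin
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer) or not xff_header:
        # Direct connection: the header is client-controlled, so ignore it.
        return str(peer)
    # Walk right to left. Rightmost entries were appended by trusted proxies;
    # the first untrusted hop is the last address a trusted proxy vouched for.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)          # malformed entry: fall back to the peer
        if not is_trusted(addr):
            return str(addr)
    return str(peer)                  # every hop was a trusted proxy

if __name__ == "__main__":
    # Constructed requests: (peer address, X-Forwarded-For value)
    for peer, xff in [
        ("198.51.100.7", "203.0.113.50"),             # via the scrubbing service
        ("192.0.2.99", "203.0.113.50"),               # direct, header forged
        ("198.51.100.7", "192.0.2.1, 203.0.113.50"),  # client pre-filled the header
    ]:
        print(f"peer={peer:13} xff={xff!r:28} -> {client_ip(peer, xff)}")
```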

Is Neustar SiteProtect NG an IPS/IDS (Intrusion Prevention/Detection) service?

No. Neustar SiteProtect NG is a DDoS mitigation service and doesn’t protect you against attempted intrusions like SQL injection attacks or cross-site scripting attacks. During a DDoS attack, we recommend that you turn off your IPS/IDS because it may actually block legitimate traffic. Should you see particular strings you want to filter out, we’ll work with you to do so.

Is there latency when routing traffic through the cloud?

Deployed strategically across the world, Neustar SiteProtect NG scrubbing centers use the same Anycast technology as Neustar UltraDNS. To minimize latency, we route traffic to the closest available scrubbing center. We can also cache static content to ensure faster replies. While routing traffic through additional hops will add some latency, it’s a matter of milliseconds. Visitors to your site won’t notice any difference. To reduce latency to an absolute minimum, we offer the Neustar NetProtect™ service as a complement to SiteProtect NG.

What is Neustar NetProtect?

Neustar NetProtect augments SiteProtect NG with a direct connection into each of our strategically located data scrubbing centers around the world to deal with denial of service attacks. Designed for highly complex, enterprise-level systems, it addresses and mitigates, or entirely avoids, the concerns of latency, complexity and other anomalies that are commonly associated with legacy Generic Routing Encapsulation (GRE) and Virtual Private Network (VPN) tunnel systems.

Do You Offer More Options to Pair with SiteProtect NG?

Yes, we do. We also have Neustar WAF. This web application firewall can be used in combination with SiteProtect NG to provide a cloud-based, always-on solution that protects against threats to application layers 3-7. Cloud-provider, hardware and CDN agnostic, Neustar WAF is compatible anywhere your applications are hosted.