Orange Jordan's Distributed Denial-of-Service (DDoS) Detection and Mitigation Solution is an IP-based threat monitoring, mitigation and control service that protects the availability and performance of web services by guarding against imminent DDoS attacks. A Distributed Denial-of-Service (DDoS) attack is one of the most critical and challenging threats facing businesses today.

The DDoS mitigation center consists of the platforms, devices, tools, software and staff that monitor, detect and mitigate Distributed Denial-of-Service (DDoS) attacks against networks connected to the Internet through the Orange Jordan network.

Distributed Denial-of-Service (DDoS) Offers

Distributed Denial-of-Service (DDoS) table

Packages | Volumetric Network Protection | Internet Access bandwidth | Number of mitigated attacks per month | Attack time duration | Number of IPs to 24/7/365 monitoring | SOC Alerts & Notifications | Clients web access & Reporting
Bronze | 1 Gbps | Unlimited* | 4 Attacks | 12 hours | 2 | |
Silver | 3 Gbps | Unlimited* | 8 Attacks | 12 hours | 4 | |
Gold | 5 Gbps | Unlimited* | 10 Attacks | 12 hours | 8 | |

Features

Multi-layer defense
Handles known DDoS attack vectors – volumetric
IP reputation and botnet activity are filtered at the perimeter
Technical Details

The solution architecture consists of multiple layers of devices and mechanisms managed by a specialized, highly trained team.

1. Anomaly behavior analysis: a traffic-behavior pattern is applied to each protected object, per protocol. This threshold specifies the upper limit in packets per second or overall bandwidth, together with the expected nature of the traffic. Traffic that does not match the threshold behavior may be a DDoS attack.

2. Anomaly profiling: customer traffic is monitored over a period of time, from which a traffic baseline is built. Based on this baseline, if the traffic exceeds a customizable percentage above it, the excess may be a DDoS attack.

3. The Flow Analyzer monitors the traffic at the IGW (Internet gateway) routers to detect possible DDoS attacks. Monitoring uses SNMP, BGP and the traffic flow information received from the IGW routers: it monitors traffic from core/edge routers via flow export (for example NetFlow/J-Flow) to detect possible attacks in the network, it holds BGP peerings with selected routers to monitor BGP route updates, and it also receives flow and SNMP information from these routers.

4. The Threat Management System: mitigates DDoS traffic by filtering malicious attack traffic and only allowing legitimate traffic to pass to the target destination.

5. Once an attack is detected, the Flow Analyzer notifies the TMS, and a specific BGP route is injected that carries the traffic destined for the attacked object to the TMS. Only the traffic under attack is redirected to the TMS, to avoid added latency and ensure maximum security.

6. All other traffic, which is not affected, is routed as normal. Traffic passing through the TMS is cleaned ("scrubbed") by applying several countermeasures; this effectively mitigates the DDoS traffic while allowing legitimate (clean) traffic to pass towards the original destination.

7. Scrubbed traffic leaves through the egress interface of the TMS.

8. The packets that leave the TMS are the clean IP packets.

9. Traffic to the destination then follows the best routing path.

10. Security Analytics: gives customers a detailed view of the attacks and allows security analysts to analyze data in real time. Powerful visualizations display data from multiple perspectives (attacker, target, location or attack type), enabling security analysts to quickly assess the security posture of the organization.
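The following is an added example, not Orange Jordan's code or a description of its actual platform. It models steps 1, 2, 5 and 6 above in miniature: per-protocol static limits and a learned traffic baseline decide that a protected IP is under attack, and then a more-specific host route for that IP alone is injected into a routing table so that only its traffic is steered to the scrubbing device (TMS) while a neighbouring address keeps its normal path. All addresses, limits, baseline percentages and traffic figures are constructed for the demonstration.

```python
# Added example, not Orange Jordan's code. Constructed addresses, limits and
# traffic figures throughout; the detection and diversion logic is a simplified
# model of steps 1, 2, 5 and 6, not the vendor's implementation.
import ipaddress
from statistics import mean

# Step 1: static upper limits per protocol for a protected object (hypothetical).
STATIC_LIMITS = {"tcp": {"pps": 50_000, "bps": 400_000_000},
                 "udp": {"pps": 20_000, "bps": 200_000_000},
                 "icmp": {"pps": 1_000, "bps": 1_000_000}}
BASELINE_PCT = 200.0  # step 2: alert when a sample is more than 200 % above baseline

def build_baseline(history):
    """Step 2: average pps/bps per (object, proto) over the learning window."""
    groups = {}
    for rec in history:
        groups.setdefault((rec["dst"], rec["proto"]), []).append(rec)
    return {k: {"pps": mean(r["pps"] for r in v), "bps": mean(r["bps"] for r in v)}
            for k, v in groups.items()}

def detect(sample, baseline, limits=STATIC_LIMITS, pct=BASELINE_PCT):
    """Return alert strings for one flow-summary sample (empty list = normal)."""
    alerts = []
    key = (sample["dst"], sample["proto"])
    for metric in ("pps", "bps"):
        value = sample[metric]
        lim = limits.get(sample["proto"], {}).get(metric)
        if lim is not None and value > lim:
            alerts.append(f"{key[0]}/{key[1]} {metric}={value} > static limit {lim}")
        base = baseline.get(key, {}).get(metric)
        if base:  # objects with no learned (or a zero) baseline get the static test only
            dev = (value - base) / base * 100
            if dev > pct:
                alerts.append(f"{key[0]}/{key[1]} {metric}={value} is {dev:.0f}% over baseline {base:.0f}")
    return alerts

# Steps 5 and 6: a minimal routing table with longest-prefix-match lookup.
def next_hop(rib, dst_ip):
    ip = ipaddress.ip_address(dst_ip)
    matches = [(net, nh) for net, nh in rib.items() if ip in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def divert(rib, victim_ip, tms_next_hop):
    """Inject a host route (/32) so only the attacked IP is steered to the TMS."""
    rib[ipaddress.ip_network(f"{victim_ip}/32")] = tms_next_hop

def run_demo():
    # Constructed learning window: 30 quiet seconds for one protected object.
    history = []
    for _ in range(30):
        history += [{"dst": "203.0.113.10", "proto": "tcp", "pps": 8_000, "bps": 60_000_000},
                    {"dst": "203.0.113.10", "proto": "udp", "pps": 1_500, "bps": 12_000_000},
                    {"dst": "203.0.113.10", "proto": "icmp", "pps": 50, "bps": 40_000}]
    baseline = build_baseline(history)
    # Constructed current samples: a UDP flood, a rise in ICMP, and normal TCP.
    samples = {
        "udp_flood": {"dst": "203.0.113.10", "proto": "udp", "pps": 80_000, "bps": 640_000_000},
        "icmp_rise": {"dst": "203.0.113.10", "proto": "icmp", "pps": 500, "bps": 400_000},
        "normal_tcp": {"dst": "203.0.113.10", "proto": "tcp", "pps": 9_000, "bps": 70_000_000},
    }
    alerts = {name: detect(s, baseline) for name, s in samples.items()}

    # Constructed RIB: the customer prefix is normally reached via the customer edge.
    rib = {ipaddress.ip_network("203.0.113.0/24"): "customer-edge",
           ipaddress.ip_network("0.0.0.0/0"): "upstream"}
    victim = "203.0.113.10"
    if any(alerts[n] for n in alerts if samples[n]["dst"] == victim):
        divert(rib, victim, "tms-ingress")
    return {"alerts": alerts,
            "victim_path": next_hop(rib, victim),          # diverted to the TMS
            "neighbour_path": next_hop(rib, "203.0.113.20")}  # unaffected, routed as normal

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The ICMP sample shows why both tests exist: 500 pps is below the static ICMP limit, but it is 900 % above this object's learned baseline, so the baseline test raises it. The /32 injection is what makes step 6 hold, since longest-prefix matching sends only the attacked host through the TMS.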

This managed service mitigates the following types of attacks:

  • Volumetric stream saturation attacks (flood attacks).
  • State exhaustion attacks (protocol attacks).

Sample Flood Attack Types | Attack Vector
SYN and ICMP floods | Network / State-exhaustion
UDP floods | Network / Volumetric
TCP Null | Network probing
TCP RST | Connection disruption
SSL renegotiation | Low-and-slow


Availability: the percentage of uptime during which the mitigation service is available, as defined in the contractual terms.

Protocol attacks: a flood attack occurs when a host sends a flood of packets, often with a fake sender address. Each of these packets is handled like a connection request, causing the server to create a half-open connection: it sends back an acknowledgement packet and waits for the sender address to respond to it. However, because the sender address is spoofed, the response never comes. These half-open connections saturate the number of connections the server can hold, preventing it from responding to legitimate requests until the attack ends.
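The following is an added example, not Orange Jordan's code, that shows the state-exhaustion mechanism above from the defender's side: it replays constructed TCP handshake events against a listener with a small backlog, keeps a table of half-open entries, reports when that table approaches the backlog limit, and lists which sources never completed the handshake. The backlog size, alert fraction, timings and all addresses are constructed values, and the table is keyed by source address only, a simplification of the real per-connection table.

```python
# Added example, not Orange Jordan's code. Backlog size, alert fraction,
# timings and addresses are constructed for the demonstration.

BACKLOG = 128           # hypothetical listen backlog of the protected server
ALERT_FRACTION = 0.8    # raise the alert when half-open entries exceed 80 % of it

def track_half_open(events, backlog=BACKLOG, alert_fraction=ALERT_FRACTION):
    """events: iterable of (time_ms, src_ip, kind), where kind is "SYN" or "ACK".

    A SYN opens a half-open entry for the source (the server has sent its
    acknowledgement and is waiting for the reply). The matching final ACK
    completes it. Keying by source address alone is a simplification of the
    real connection table, which is keyed by the full address/port tuple."""
    half_open = {}          # src_ip -> time the SYN was seen
    completed = set()
    peak = 0
    first_alert = None
    for t, src, kind in events:
        if kind == "SYN":
            half_open[src] = t
        elif kind == "ACK" and src in half_open:
            del half_open[src]
            completed.add(src)
        peak = max(peak, len(half_open))
        if first_alert is None and len(half_open) > alert_fraction * backlog:
            first_alert = t
    return {"peak_half_open": peak,
            "first_alert_ms": first_alert,
            "completed": sorted(completed),
            "never_completed": sorted(half_open)}

def constructed_events():
    """Five legitimate clients complete their handshakes; afterwards 110 sources
    each send one SYN and never answer, which is how a spoofed-source flood
    looks from the server's side. All of this is constructed sample data."""
    events = []
    for i in range(5):
        src = f"10.0.0.{i + 1}"
        events.append((i * 1000, src, "SYN"))
        events.append((i * 1000 + 100, src, "ACK"))
    for i in range(110):
        events.append((10_000 + i * 10, f"198.51.100.{i + 1}", "SYN"))
    return events

if __name__ == "__main__":
    result = track_half_open(constructed_events())
    print("peak half-open:", result["peak_half_open"])
    print("first alert at ms:", result["first_alert_ms"])
    print("sources that never completed:", len(result["never_completed"]))
```

The useful signal for detection is not the SYN count alone but the ratio of half-open entries to completed handshakes and the number of distinct sources that never complete; in the constructed run the alert fires once the 103rd unanswered entry pushes the table past 80 % of the backlog, well before it is full.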

Volumetric (Layer 3/4) DDoS attacks

The majority of DDoS attacks target the transport and network layers. These are usually volumetric attacks that aim to overwhelm the target's bandwidth, congesting the links so that the resources become unavailable. Malicious traffic can use several protocols, especially UDP, because UDP is connectionless and has fewer built-in safeguards than TCP.

Time to detect the attack: the time needed to determine that a target is under attack, so that the mitigation process can start.

Time to initiate the mitigation: the time needed to initiate the mitigation process.

Benefits

Comprehensive solution: end-to-end service
24x7x365 monitoring: a team of skilled security experts monitors traffic and infrastructure, available round the clock to mitigate threats
No need for a security team at the customer network