Flood Shield Feature List

Last update:2022-04-14 08:28:04

Flood Shield Feature List

Flood Shield is a comprehensive cloud-based DDoS mitigation solution, which protects web sites and network infrastructures against all known types of Denial Of Service attacks. Flood Shield is deployed on CDNetworks’huge global infrastructure, in the USA, Europe, Asia and mainland China. With over 12 global DDoS scrubbing centers and 15Tbps of total capacity, it is designed to deflect even the largest, deadliest attacks, which is one of the reasons Flood Shield is used by large n gaming sites, streaming sites and other verticals, which are exposed to such attacks.

How It Works

Flood Shield DDoS deflection technology is deployed on CDNetworks’ distributed Points-of-Presence (PoPs). It is a cloud-based “always on” solution with virtually unlimited capacity. It does not require sophisticated deployments and changes to customers’ network and provides automated transparent scaling. Flood Shield is provided either via a simple DNS change, typically to protect web sites and HTTP/S trafc, or through a BGP announcement in order to protect entire network infrastructures, including multiple domains, servers and protocols. With the customer trafc routed through CDNetworks’ PoPs, DDoS attacks hit the CDNetworks infrastructure rather than the customers servers and networks. CDNetworks’ PoPs detect and deflect both application-layer attacks (L7) and all known types of network-layer attacks (L3/L4), including Ack and Syn floods, UDP floods, ICMP floods, CC attacks and more.

Key Features and Benefts

Feature Description Benefit
Application Layer Defense Protect against HTTP/S floods,Low and slow attacks and other layer 7 based DDoS attacks with advanced rate limitations and transparent challenges. Keep your sites and apps up and running, protected against sophisticated distributed attacks that imitate real human users.
Network Layer Defense 15Tbps+ overall attack absorbing capacity to deflect even the largest attacks on the edge of the network Keep your network infrastructure safe and available with network surges being pushed away to the edge, and with dirty trafc fltered and cleansed far away from your network.
Customized Policies Customize access policies and rate limitations to avoid attack and abuse of resources in advance. Filter unwanted trafc and gain control over who can access your resources and at which rate.
Layer 7 Logs,Dashboard and Alerts Full real-time visibility into application layer attacks through a log fle and an investigation tool. Immediately know when an attack takes place, view full attack details and easily take effective actions, if required
Layer 3/4 Logs and Dashboard Full real-time visibility into network layer attacks through a log fle and an investigation tool. Unlike the majority of cloud DDoS solutions, CDNetworks provides alerts,logs and dashboard also for Network based attacks.
DNS / CDN Provisioning Route traffic to CDNetworks’PoPs through a DNS confguration. Protect HTTP/S trafc easily and immediately thorugh a simple DNS CName change. Accelerate your sites and apps with a CDN.
Provisioning via BGP Announcements Route your entire network traffic(AS), including all its servers,services and protocols through a BGP announcement (CDNetworks announces your IP space) Protect entire network infrastructures and multiple protocols with a virtually unlimited “always-on” solution, without on-premise equipment deployments.

Flood Shield Features Introduction

Network Layer (L3/L4) Attack Mitigation

Feature Description
SYN Flood Protection Flood Shield takes over three handshake (like proxy) and use syn cookies to protected
UDP Flood Protection (1)Deny UDP packets for web applications. (2) Deep packet inspection, use patterns and threshold limits for UDP applications
ICMP Flood Protection Threshold based defense
ACK Flood Protection Based on the connection table and TCP cookies
LAND Attack Protection Drop directly
Amplification Attack (DNS,SSDP,NTP,SNMP etc.) Protection Block specific port
Connection Flood Protection Connection pooling based defense, via proxy
TCP Data Flood Protection (1) Deep packet inspection and use pattern. (2) IP rate limit

Access Control

Feature Description
Black List and White List Supports setting blacklists and whitelists by IP, URL, User-agent.
Rate limitation (1) Rate limit requests by IP. (2)Identify client identities by IP + UA or IP + cookie, rate-limited when accessing a specific URL(URL supports regular match

Application layer (L7) attack mitigation

Feature Description
Policy based defense Custom policies(such as IP blacklist/whitelist, access frequency control for IP addresses) are configured to defend against attacks
Client validation based defense Provides JS validation, META tag validation, 302 redirecting, verification codes and other behavior-based verification methods to effectively block attacks and ensure high availability
Low and slow header attack deflection Identify unfinished or lengthy HTTP headers and slow packet release and reset TCP connection
Low and slow POST attack deflection Identify lengthy HTTP with slow packet release and reset TCP connection