Distributed Denial of Service

Level 3 Security Solutions
Distributed Denial of Service Product Description
Version 01 03 2012
Level 3 Security Solutions Product Description
Version 01 03 2013
Table of Contents
LEVEL 3 SECURITY SOLUTIONS
DISTRIBUTED DENIAL OF SERVICE
1.1. DDoS Overview
1.1.1. Routed Solution
1.1.2. Proxy Solution
1.1.3. Connect Solution
1.1.4. Flow based monitoring
1.1.5. Application based monitoring
1.1.6. Summary of Value Proposition
Proprietary & Confidential
Distributed Denial of Service
1.1. DDoS Overview
Level 3 offers a managed DDoS detection and mitigation service that monitors a customer’s connection
for activity related to Distributed Denial of Service attacks. This service is provided in partnership with
Prolexic. When a DDoS attack is detected, Level 3 routes the attack traffic into a designated "scrubbing
center" where the attack traffic is analyzed and removed. Clean, legitimate traffic is then passed to the
customer. The Level 3 DDoS mitigation service is available in three options based on the type and
amount of clean traffic: Proxy Solution, Routed Solution and Connect Solution. In all of these mitigation
options, traffic is rerouted through one of our 4 scrubbing centers, attack traffic is filtered, and the good
traffic is sent back to its intended destination. In the Proxy solution, we make a DNS record change to a
Prolexic IP and traffic flows through the Prolexic proxy server; in the Routed solution, we use GRE tunnels
over the Internet; and in Connect, we have a dedicated circuit between the customer’s data center and our
mitigation centers. The Proxy service is typically used when the customer is under attack, the Routed
offering is used for protection of a large number of IP addresses, and Connect is typically for 1G or higher
clean traffic at a given site.
1.1.1. Routed Solution
The Routed Solution provides the maximum protection against the broadest range of DDoS attacks
and can protect clean bandwidth of up to 500 Mbps. This is offered as an on-demand service that enables
Level 3 customers to easily activate protection for an entire subnet by redirecting Internet traffic to the
Level 3 mitigation infrastructure during a DDoS attack and routing directly through the Customer’s Internet
connection during non-attack periods.
The Routed solution is best suited in the following situations:
• Customer needs protection for a large number of destination IP addresses
• Customer needs a simpler way to activate DDoS protection for an entire subnet
• Customer uses BGP at the Internet edge
• Customer requires a flexible solution that facilitates making changes to entire subnets
• Customer needs to protect multiple service types and protocols, not just HTTP and HTTPS.
With the Routed solution, Level 3 on-ramps the customer’s incoming traffic and inspects it for anomalies.
Outgoing traffic is not inspected, but is allowed to take its normal path. The Routed solution uses the GRE
protocol to construct connections between the customer’s router and our routers in the mitigation platform.
The BGP protocol is used to communicate network advertisements from the customer’s network to ours.
Traffic is cleansed and forwarded over the GRE tunnels to the customer’s routers. Outgoing traffic from
the customer’s servers to the Internet is always forwarded as normal to the customer’s ISP.
The benefits of the Routed solution are:
• Increased resiliency, as route advertisements are propagated from all scrubbing centers.
• Rapid and easy activation/deactivation via simple routing changes, which enables the customer to
manage traffic routing.
• Improved visibility: because source IPs remain visible, it is not required to “white list” the Level 3 proxy.
• Protection of a large number of destination IPs.
The on-boarding of this service requires the following shared responsibilities:
Level 3 Responsibilities
• Level 3 will be responsible for providing all necessary IP allocations to build and terminate the
new service to the mitigation platform.
• Update Routing Registries.
• Assigning the /30 IP allocations.
• All router and mitigation device configurations.
• Ensure that all access-lists (ACLs) are updated with any relevant information contained in the
Customer provisioning form.
• Level 3 will notify the Customer point of contact when configurations have been completed.
• Forwarding all necessary IP information to allow Customer to configure their equipment for
tunnel/direct circuit termination.
Customer Responsibilities
• Confirm suitability of client routing equipment – all hardware must accept termination of GRE in
hardware.
• Customer is responsible for constructing all router and firewall configurations.
• Customer to notify Level 3/Prolexic when the configurations are completed and provide a
suitable date and time to test and optimize the connection.
• Customer to confirm that local ISP connections are not configured to uRPF strict mode.
• Configure four GRE tunnels per customer router, with each tunnel terminating to a different
Prolexic Scrubbing Centre.
Notes
• Level 3 only supports termination of GRE tunnels to a router.
• Level 3 will not support termination of GRE tunnels to dedicated firewalls or Linux
devices.
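Why strict-mode uRPF on the ISP link conflicts with the Routed solution's asymmetric path (inbound over GRE, outbound via the ISP), as an added illustration that is not Level 3 or Prolexic code. The prefixes are documentation ranges, the interface names are hypothetical, and the model assumes the ISP learns the protected prefix from upstream while mitigation is active.

```python
import ipaddress

# Constructed values (assumptions, documentation address ranges):
PROTECTED = ipaddress.ip_network("203.0.113.0/24")  # customer's protected subnet
ISP_LINK = ipaddress.ip_network("198.51.100.0/30")  # ISP <-> customer link


def isp_fib(mitigation_active):
    """FIB of the ISP edge router as {prefix: interface toward that prefix}.

    Normal operation: the customer announces PROTECTED to its ISP directly.
    During mitigation: PROTECTED is announced from the scrubbing centers, so
    the ISP's best path to it points upstream, away from the customer port.
    """
    return {
        ISP_LINK: "to_customer",
        PROTECTED: "upstream" if mitigation_active else "to_customer",
    }


def best_interface(fib, addr):
    """Longest-prefix match; None when no route covers addr."""
    matches = [p for p in fib if addr in p]
    return fib[max(matches, key=lambda p: p.prefixlen)] if matches else None


def urpf_accepts(fib, src, in_iface, mode):
    """uRPF source check: strict needs the route back to src to use in_iface,
    loose only needs some route to src to exist."""
    route = best_interface(fib, ipaddress.ip_address(src))
    if mode == "strict":
        return route == in_iface
    if mode == "loose":
        return route is not None
    raise ValueError(f"unknown uRPF mode: {mode}")


def server_reply_forwarded(mitigation_active, mode, src="203.0.113.10"):
    """Does the ISP forward a reply that a protected server sends out the
    customer's normal ISP link (the outbound path of the Routed solution)?"""
    return urpf_accepts(isp_fib(mitigation_active), src, "to_customer", mode)


if __name__ == "__main__":
    for active in (False, True):
        for mode in ("strict", "loose"):
            print(f"mitigation={active!s:5} uRPF={mode:6} "
                  f"forwarded={server_reply_forwarded(active, mode)}")
```

With strict mode the server replies are dropped exactly when mitigation is active, which is why the check is part of on-boarding rather than something discovered during an attack.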
Pricing
The Routed Solution is priced based on bandwidth and the number of sites that are to be protected.
There are 3 tiers of the Routed solution: 1 – 20 Mbps, 21 – 250 Mbps and 251 – 500 Mbps.
1.1.2. Proxy Solution
The Proxy Solution is designed to provide rapid mitigation for customers that are currently under
sustained DDoS attacks or customers who only want protection against HTTP or HTTPS based
DDoS attacks. The Proxy solution can restore accessibility to a website brought down by DDoS in
just a few minutes after traffic gets routed through our global scrubbing centers. This service only
protects HTTP and HTTPS traffic.
Proxy is best suited under the following circumstances:
• Customer that is currently under attack and needs emergency mitigation services
• Customer that is not under attack, but wants to build a first layer of DDoS defense
• Customer that requires a mitigation solution that is simple and fast to deploy
This service enables our customers to easily activate protection per domain and redirect Internet
traffic to the Level 3/Prolexic network during a DDoS attack and then switch traffic back to their
network during non-attack periods.
Virtual IP addresses (VIPs) are advertised from each of Level 3’s scrubbing centers. This
configuration enables clean and malicious traffic to be automatically routed to the nearest
scrubbing centers.
The benefits of the Proxy solution are:
• Resiliency via proxies that are anycast to all of our scrubbing centers.
• Quick and easy activation/deactivation via DNS changes, which enables the customer to manage
its routing.
• Simplified deployment that requires minimal changes to the customer’s network.
• The Proxy solution can be easily migrated to the Routed Solution for enhanced protection
against a wide range of DDoS attacks.
• Rapid deployment that enables mitigation of DDoS attacks in just minutes.
• Minimal impact, since only the domain under attack is redirected as opposed to
the entire subnet.
For the implementation of the Proxy service, Level 3 and the customer will have the following shared
responsibilities:
Level 3 Responsibilities
• Level 3 will be responsible for providing all necessary Virtual IP (VIP) allocations to build and
terminate the new service to the DDoS mitigation platform. This entails assigning the /32
VIP allocation for DNS redirection and forwarding all necessary VIP information to allow the
customer to configure their DNS and firewall systems for the circuit termination.
• Ensure that all access-lists (ACLs) are updated with any relevant information contained in
the Customer provisioning form.
• Upon completion of all configurations, Level 3 will test the DDoS service with the Client’s
web traffic. Level 3’s team will monitor the customer traffic over the Level 3/Prolexic network
and confirm functionality and network performance to Client.
Customer Responsibilities
• Customer is responsible for constructing all web-server and firewall configurations for the
proxied connections.
• Customer is responsible for restricting connection to their web-server to allow only
connections made by the Prolexic systems.
• Upon the completion of all configurations, customer will point their DNS to their assigned
Level 3 VIPs. This will be tested as a part of provisioning. The customer will also liaise with
the Level 3/Prolexic SOC (to ensure that all normal services are functioning as expected).
• Ensure that all protected Client web-services are functioning as expected over the Prolexic
network.
Pricing
The Proxy solution is priced based on bandwidth and web servers to be protected. The protected
web servers correspond to Level 3 Virtual IP Addresses (per block of 5). It is available in the
following tiers:
Bandwidth Tiers for Proxy Solution
• Up to 20 Mbps
• 21 – 250 Mbps
• 251 – 500 Mbps
• 501 – 1.0 Gbps
1.1.3. Connect Solution
The Connect Solution delivers DDoS mitigation services over a direct physical connection
from the customer’s network to the mitigation platform. Just like the Routed service, this
connection enables a customer to activate protection for an entire subnet, enabling
redirection of the Internet traffic to the Level 3 network during a DDoS attack and away
from the Level 3 network during non-attack periods.
The Connect solution is best suited in the following situations:
• Customer desires a high bandwidth connection to the mitigation infrastructure.
• Customer has a complex Internet edge deployment using many protocols and
site-to-site VPNs.
• Customer has clean bandwidth that is greater than 1 Gbps per port.
This service entails a direct physical connection from the customer’s location to the
mitigation center. The mitigation service identifies legitimate traffic and drops the attack
traffic.
This service also uses the BGP routing protocol to communicate network
advertisements from the customer’s network to the Level 3/Prolexic scrubbing
infrastructure. The customer can use these advertisements to activate and deactivate
the service as needed.
Pricing
The Connect solution provides protection of up to 5 Gbps. The Connect solution requires
a CIR (Committed Information Rate). The CIR is calculated for each region (US, EMEA,
APAC), based on each protected client production site, and is to be based upon the
maximum traffic that could be run through the Prolexic network at one time. The CIR
commit for each region is the sum of these peak values for all 'in-region' client production
sites. Note that a minimum 1 Gbps of CIR is required for all Connect projects.
1.1.4. Flow based monitoring
This service is used for the monitoring and analysis of layer 3 and layer 4 DDoS attacks. The
flow-based monitoring service monitors the customer’s edge routers and detects anomalies and
changes in volumetric flows. The Level 3/Prolexic 24x7 SOC notifies customers of conditions that
could threaten the networks. The SOC re-routes traffic to our mitigation platforms should it
detect a threat.
This service is able to detect TCP, UDP and ICMP floods. The customer router must be able
to export SNMP and NetFlow data to the Level 3/Prolexic flow monitoring system. Level 3/Prolexic
SOC technicians tune the flow based monitoring system to determine the profile of the
customer’s traffic. This profile is then continually updated so that the technicians can learn
about the customer’s traffic patterns at any given time. Once they are knowledgeable, they can
instantly recognize deviations from the baseline, begin immediate analysis and provide alerts.
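A minimal sketch of the profile-and-deviation idea described above, added here as an example and not the Level 3/Prolexic monitoring system. The EWMA profile, the threshold and warm-up values, and the sample rates are all assumptions constructed for illustration.

```python
import math

PROTOCOLS = ("tcp", "udp", "icmp")  # flood types the page says are detected


class FlowBaseline:
    """Rolling per-protocol traffic profile (EWMA mean and variance of pps)."""

    def __init__(self, alpha=0.2, threshold=4.0, warmup=5):
        self.alpha, self.threshold, self.warmup = alpha, threshold, warmup
        self.mean, self.var, self.seen = {}, {}, 0

    def observe(self, sample):
        """Score one interval {protocol: packets/sec}; return deviating protocols."""
        alerts = []
        for proto in PROTOCOLS:
            x = float(sample.get(proto, 0))
            if proto not in self.mean:  # first interval seeds the profile
                self.mean[proto], self.var[proto] = x, 0.0
                continue
            mu, var = self.mean[proto], self.var[proto]
            # Floor sigma so a very flat baseline does not alert on small noise.
            sigma = max(math.sqrt(var), 0.1 * mu, 1.0)
            if self.seen >= self.warmup and x > mu + self.threshold * sigma:
                alerts.append(proto)
                continue  # do not let flood traffic rewrite the profile
            diff = x - mu
            self.mean[proto] = mu + self.alpha * diff
            self.var[proto] = (1 - self.alpha) * (var + self.alpha * diff * diff)
        self.seen += 1
        return alerts


# Constructed per-interval rates, as if aggregated from exported NetFlow records.
SAMPLES = [
    {"tcp": 1000, "udp": 200, "icmp": 10}, {"tcp": 1040, "udp": 210, "icmp": 12},
    {"tcp": 980, "udp": 190, "icmp": 9}, {"tcp": 1010, "udp": 205, "icmp": 11},
    {"tcp": 995, "udp": 198, "icmp": 10}, {"tcp": 1025, "udp": 202, "icmp": 10},
    {"tcp": 1005, "udp": 9000, "icmp": 11},   # UDP flood begins
    {"tcp": 990, "udp": 12000, "icmp": 10},
    {"tcp": 1015, "udp": 207, "icmp": 12},    # back to normal
]


def detect(samples):
    """Return [(interval_index, [protocols])] for intervals that raised alerts."""
    profile = FlowBaseline()
    hits = [(i, profile.observe(s)) for i, s in enumerate(samples)]
    return [(i, a) for i, a in hits if a]


if __name__ == "__main__":
    print(detect(SAMPLES))
```

Skipping the profile update on alerting intervals keeps a sustained flood from being learned as the new normal, so the return to ordinary traffic in the last interval raises no alert.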
The benefits of the Flow based monitoring solution include:
• This service is non-intrusive. It does not require any hardware to be inserted into the
customer’s network.
• 24x7 monitoring by the Level 3/Prolexic SOC. The SOC provides an alert when a DDoS
attack is detected that would require traffic to be routed to the Level 3/Prolexic mitigation
platform.
• Improved analytics into user activity and the applications that traverse the network. Ability
to trend on network attributes such as client source IP addresses, ports, protocols etc.,
to pinpoint suspicious behavior.
1.1.5. Application based monitoring
While Flow-based monitoring is used for detection of layer 3 and 4 attacks, there are DDoS
attacks aimed at the Application layer (Layer 7) which need to be mitigated. Application
based monitoring is a subscription service that leverages an on-premise appliance to provide
24/7 visibility into Layer 7 attacks.
Through this service, we can pinpoint exactly where the attack is originating from, even as
signatures change in randomized attacks. Our high performance engine decodes up to
50,000 HTTP requests per second and correlates millions of data points per second. This
allows us to do real-time analysis for Layer 7 attacks.
The Application based monitoring solution requires one appliance per protected router. It
allows a maximum of 1 Gbps of protected traffic and a maximum of 10K connection requests
per second, per appliance.
Benefits of the Application monitoring solution are:
• Fast alerting with instantaneous correlation can generate alerts in seconds.
• Powerful historical correlation across multiple sensors using historical data and IP
reputation.
• Correlation model that protects customer data. Correlation is done at two levels, at each
PLXabm appliance and also in the cloud where historical baselines and stateful
evidence are kept.
• Analysis is performed on-premise, but mitigation is performed through the mitigation
platform in the cloud.
• Ability to detect GET/POST flood and HTTP/HTTPS flood.
1.1.6. Summary of Value Proposition
• Carrier agnostic offer
• Cloud-based solution that allows mitigation of large attacks that are typically in excess
of 40-50G.
• Multi-layer attack protection (Layer 7 and SSL)
• 4 Global Scrubbing Centers
• 500 Gbps of bandwidth dedicated to mitigating attacks. No one has a larger network to
absorb DDoS attacks.
• Distributed global network removes botnets close to source
• Layer 7 attack analysis
• Faster response time (5-10 Mins): Within minutes after traffic flows through the
scrubbing network