Providers that protect against DDoS attacks

AWS Shield

The Amazon Web Services (AWS) Shield [8] provides protection against DDoS attacks (Figure 1). The Standard protection is available to any AWS customer. The product includes detection of network flow data and automatic mitigation of DDoS attacks against SYN flooding or UDP reflection attacks. However, you do not receive information about a successful defense. If you choose the AWS Shield Advanced product, you receive the following additional features for around $3,025 per month plus charges for data transfer:

  • In addition to connection data at the network level, Amazon collects and analyzes transaction logs at the application level.
  • Access to advanced scrubbing capacities.
  • Notification of attacks on ISO Layers 3 and 4, as well as data about the type of attack.
  • Reports for ISO Layers 3, 4, and 7.
  • Incident management by the Amazon DDoS response team.
  • If necessary, manual mitigation.
  • Manual analysis after the attack.
  • Reimbursement for costs incurred by the attack associated with CloudFront, Route 53, and ELB services.
Figure 1: Amazon protects customers against DDoS attacks – to an extent. For more protection, you will have to dig very deeply into your pockets.

Of import is that Amazon only protects what runs on Amazon. Although it is possible to protect data traffic on your own servers using services such as CloudFront or a reverse proxy and to protect your own network connection in another way, you cannot fight off targeted attacks.

Arbor Appliance

Arbor [9] produces DDoS detection and defense systems with its own hardware. The company provides traffic scrubbing systems in data centers in the US, Europe, and Asia. The service only defends against attacks detected by the customer.

Licensing depends on the bandwidth of clean traffic. If a customer has a 1Gbps line, they pay for the 1Gb package. Additionally, Arbor offers packages for a monthly fee or for defense against 12 attacks per year. The packages each include the protection of a /24 network, including five DNS names, and are expandable. Arbor lets you link triggering of the defenses to your appliance. If an attack is detected, the Cloud defense is triggered and provides reports for the attacks.


Link11 [10] also offers protection by BGP, by DNS redirection, and by connecting directly to host service provider data centers. The licensing differs in the DNS and BGP versions, but both define clean traffic as a 95th percentile of normal traffic (without attacks).

On DNS, Link11 counts how many IP addresses it protects on the original systems, with clean traffic speed levels of 25, 50, 100, 150, and 250Mbps. In the case of BGP, the size, in terms of a netmask, counts as a parameter, and the count starts with a /24 network as the first. The second is again the protected bandwidth (Link11 differentiates between symmetric and asymmetric routing); the scales are 250, 500, and 1,000Mbps.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • DDos Attack Map Charts Denial of Service

    A new web application helps users visualize distributed denial-of-service attacks.

  • ARP Spoofing

    Any user on a LAN can sniff and manipulate local traffic. ARP spoofing and poisoning techniques give an attacker an easy way in.

  • Backdoors

    Backdoors give attackers unrestricted access to a zombie system. If you plan to stop the bad guys from settling in, you’ll be interested in this analysis of the tools they might use for building a private entrance.

  • Honeynet

    Security-conscious admins can use a honeynet to monitor, log, and analyze intrusion techniques.

  • TCP Hijacking

    It is quite easy to take a TCP connection down using a RST attack, and this risk increases with applications that need long-term connections, such as VPNs, DNS zone transfers, and BGP. We’ll describe how a TCP attack can happen, and we’ll show you some simple techniques for protecting your network.

comments powered by Disqus