How to preapre for any anti-DDoS protection deployment

If you are considering any anti-DDoS solution, I would like to share a few key points that are first to consider regarding the use of only an actual form of protection - which is DDoS Filtering. Of course, most of us think of the main DDoS action as RTBH (Remotely Triggered Black Hole routing), but it is only a simple form of cutting off traffic to an attacked IP.This type of action is considered to have the same effect as an attack. The endpoint IP is cut off from the Internet, or the traffic and Your services are impacted. In this case, the desired outcome of the attacker is met anyway.

So RTBH is mainly a form of saving the rest of the network at the cost of one or more IPs to preserve other services and communication.

So, back to the solution and the outcome Your customers need the most, which is DDoS traffic filtering and preserving all communication without delays or disruptions.Most of our ISP and data center customers already have some anti-DDoS freeware protection, but most of the time, it is used with some scripts or triggered by the hand of the administrators.
This is time-consuming and takes a toll on the networking team until they are ready to seek traffic filtering. This is where they find ITORO and WanGuard - a viable automatic protection with time-saving features.

Before deploying such protection, key points are :?
1. Network and routing ability to divide the routing table to avoid the routing loop.
2. Gathering traffic for WanGuard (port mirror, sFlow, NetFlow/IPFIX).
3. Servers used for Console and Sensors with Filters

With those in mind, we can move to the most challenging part of deployment: the network and routing. This is most complex when not used with routers that have BGP FlowSpec. The following section will explain the most problematic routing with VRFs (Virtual Routing and Forwarding) or GRE tunnels used to redirect traffic.

If you have a router with FlowSpec or plan to buy one, you can skip the next section and read how it is easier to deploy WanGuard having Flowspec and save a lot on server costs and complex routing.

-- Division of filtering traffic with VRFs --

The need to use VRF(Virtual Routing and Forwarding), which is used to separate routing tables :

1. BGP edge routing table. This is where we get all BGP prefixes from our upstream providers.
2. Filter Input routing table - This is where VRF points with the default route towards the filtering server.
3. The rest of Your network (subnets, etc.) without BGP (world) prefixes visible in point 1.

Those three separated routing tables are necessary to avoid a routing loop, which will happen if we get a BGP Update on our router to redirect traffic to the filtering server. This traffic will return to the routing table (1) and see the same routing redirection to the filter server.
The following graphic diagram should visualize it better.

Such separation is needed in all cases to avoid such a routing loop.

Network change for this type of routing is a challenging task and is very complex to perform on a live and working network with many services.

So, most of the time, customers decide to buy a new router with BGP FlowSpec, which takes care of two main problems:
1. Routing loop and the need for VRFs
2. Filtering server - that is unnecessary as all of the filtering will happen on the new router with interface speeds in hardware (10/40/100 GE doesn't matter).

FlowSpec is the easiest and preferred way to start with DDoS traffic filtering. With the help of this extension to BGP, we can solve the loop problem without any changes to the routing. Also, FlowSpec allows the filter traffic directly on the interface with the full speed of any interface without any impact on router traffic or its CPU.

This saves us a lot of problems like time and the server cost. Regarding FlowSpec, the most critical upside is the time needed to start the WanGuard installation and integration.

Any WanGuard installation requires a thorough setup, mainly focusing on traffic patterns and DDoS thresholds. Most initial settings will be changed over time to reflect proper and abnormal levels of traffic that WanGuard should inspect.

In a few cases where customers had a massive outbreak of attacks and were invisible on the Internet, with the help of FlowSpec, we prepared working protection with traffic filtering in less than 48 hours.
The most time-consuming part of this process is to have the server ready, port mirror, or other method of collecting traffic ready and connected.

The last part is to give us access to the server to prepare the following:

1. Install WanGuard components - GUI, Sensors and Filters. Configure the BGP session between the WanConsole server and Your routers with ExaBGP.
2. Create all subnets that should be monitored and create proper threshold templates for each type of environment ( end customers, servers, services, etc.).
3. Sometimes, we must exclude some IPs or networks from protection to preserve 100% uptime or SLA that might be disturbed. Sometimes, we must exclude Google Cache servers or other proxy servers that exchange data with high rates over the closed or peered link that is secure enough for such exclusion.

With all that in mind - You and ITORO work closely together to establish all critical points for seamless integration without any false positives in traffic to avoid triggering WanGuard's RTBH or filtering in such cases.

Below, You can see the diagram of how much FlowSpec simplifies the whole process.

As I mentioned, most customers can save time and effort and start thinking about hardware routers with FlowSpec capability to save on everything, especially time and security. 
Since we wait almost 90% of the time for them to be ready for any deployment - this matter is the most important. So, if You are reading this blog entry and considering WanGuard as Your affordable or high-speed and responsive anti-DDoS solution - this would be the first step, as we will cover this in our first Zoom meeting - as we do with everyone.
With that post, I hope that most networks will think about hardware-based routers if they consider any network protection. Especially BGP FlowSpec routers like Arista, Cisco, Huawei, Juniper, or Nokia that support this great feature.