
DIY DDoS Protection: operational development and implementation of the service in the National Research Computer Network of Russia

Journal: Software & Systems (Vol.35, No. 4)

Publication Date:

Authors : ;

Page : 572-582

Keywords : national research computer network; bgp flowspec; netflow; network traffic analysis; protection against network attacks; ddos attack; cybersecurity threats; infosecurity; niks; elk stack;


Abstract

Nowadays, the protection of the digital infrastructures of organizations and end users from cybersecurity threats, which are constantly growing in number and becoming more sophisticated, is receiving increased attention at various levels. An extremely important task is to ensure reliable and effective protection of the critical infrastructures of large telecommunications companies. One of the most common types of cybersecurity threat is Distributed Denial of Service (DDoS), which is performed at different levels of network interaction, from infrastructure to applications, and is aimed at different resources and services. This paper provides an overview of modern methods and technologies for preventing and mitigating DDoS attacks, with an emphasis on protecting the networks of telecom operators and their users. It discusses methods such as BGP Blackhole and BGP FlowSpec, which are based on dynamic routing mechanisms and protocols, as well as methods based on intelligent analysis of network traffic and its filtering by specialized cleaning systems. The main technical requirements, quality criteria and some quantitative characteristics of DDoS protection solutions are outlined, and examples of commercial and freely distributed systems are given. A separate section of the paper is devoted to a detailed description of a relatively simple service for protecting against DDoS attacks. The service was developed and put into operation by specialists of the National Research Computer Network of Russia (NIKS); it is based on real-time processing and analysis of NetFlow data collected from boundary routers and on the BGP FlowSpec protocol. There is also general information about the hardware and software complex, the architecture and main components of the service, and the software packages and technologies involved, along with some statistical data on the results of detecting DDoS attacks in the NIKS network infrastructure.

Last modified: 2023-04-07 16:19:09