Effective protection of your infrastructure against attacks off the Internet – highly available Internet access

White Paper

DDoS Protection Service
Distributed Denial of Service (DDoS)

Technical Product Information

Version 3.1

DDoS Protection Service

(Distributed Denial of Service)

Swisscom (Switzerland) Ltd.

Corporate Business

P.O. Box

CH - 3050 Bern

Free phone 0800 800 900

Free fax 0800 800 905

E-mail [email protected]

Internet http://en.swisscom.ch/corporatebusiness

Document White Paper DDoS

Version 3.1

File BIS_IPP_WP_DDoS_mm03104-en.doc

Date 01/03/2016 Page 2/18

Contents

1 DDoS Attacks – a really existing risk .... 3
2 Problem description .... 3
2.1 Background .... 3
2.1.1 Intentions of the attacker and kinds of attacks .... 3
2.1.2 Development of DoS attacks .... 3
2.1.3 DDoS attacks from a regular IP address .... 4
2.1.4 Motivation for DDoS attacks .... 4
2.2 Prerequisite for a DDoS attack .... 5
2.3 The sequence of a DDoS attack .... 5
2.3.1 General sequence of a (malicious) attack .... 5
2.3.2 Preparation and sequence of a (malicious) attack .... 6
2.4 Developments and the effects of DDoS attacks .... 7
3 Protective measures against DDoS attacks .... 10
3.1 Blackhole defence .... 10
3.2 Current protective measures with the DDoS Protection Service .... 11
3.2.1 General features .... 11
3.2.2 Traffic anomaly detection .... 12
3.2.3 Threat Management System .... 12
4 DDoS Protection Service from Swisscom .... 13
4.1 Filtering process of a DDoS attack .... 13
4.2 Option DDoS Protection enhanced .... 15
5 Summary .... 16
5.1 Solution alternatives .... 16
5.2 Danger and damage potentials .... 17
5.3 Managed Service .... 17
6 Glossary .... 18

This White Paper was created on the basis of currently known parameters. The technical solution may still be subject to last-minute changes during the implementation. We are available for questions or comments about this White Paper.

1 DDoS Attacks – a really existing risk

The risk management of an enterprise is the responsibility of top management. It has to check potential security risks regularly and preventively. Especially in fully networked IT environments, threatening situations really do exist, and they change continuously, taking new forms over and over again. DDoS attacks (Distributed Denial of Service) belong to these risks. This White Paper considers these security risks in detail and describes effective defence mechanisms.

DDoS attacks have to flow into the risk analysis of an enterprise like any other threat (location and access to the building, fire protection, electrical power supply, access to internal documents etc.). Due to their enormous threat and damage potential they have to be treated equally. Current risk analyses and recommendations can be found on the web page of the reporting and analysis office “Informationssicherung” at http://www.melani.admin.ch/dokumentation.

2 Problem description

2.1 Background

Since the early days of the Internet, "denial-of-service" (DoS) attacks have been a fact of life. The goal of these attacks is to restrict on a grand scale the availability of certain online systems and/or services or to deny service completely. Usually, in this type of attack, an attempt is made to cause the attacked systems to crash by exploiting vulnerabilities in operating systems, programs and services or basic design flaws in the network protocols in use via the Internet.

2.1.1 Intentions of the attacker and kinds of attacks

The online systems can also be overloaded to an extent that they no longer work properly. The goal of pure DoS attacks is therefore not to steal confidential data or to circumvent user authentication mechanisms, but to severely disrupt or immobilise the service platforms of online providers such as e-shops, content providers, financial service providers (e.g. e-banking), government agencies (e.g. e-government) etc. The web sites and/or services that are attacked may then be unavailable for a period of a few minutes up to a few days.

Unlike in other attacks, the perpetrator does not usually infiltrate the computer networks and therefore does not need any passwords (or similar information). However, a DoS attack can be part of an attack on a system. For example, one online system is rendered inoperable by a DoS attack to cover up the actual attack on one of the customer’s other systems. The IT staff tasked with administration is distracted by the increase in data traffic, allowing the actual attack to go unnoticed.

2.1.2 Development of DoS attacks

DoS attacks are increasingly refined and therefore difficult for ordinary persons to recognise. For example, for more than 10 years a multitude of different PCs, instead of single PCs, have been used for large-scale co-ordinated attacks on single online systems or networks. The individual PC user whose PC is part of a so-called botnet normally doesn’t notice any loss of performance when working or surfing the Internet while an attack is underway. The number of PCs involved in an attack can range from several hundred to several hundred thousand PCs attacking at any one time. The PCs involved in an attack can be linked nationally, internationally or inter-continentally on the global Internet. Within such a "Distributed Denial-of-Service"

(DDoS) attack the attacker takes advantage of the capacity of several PCs. Thus, even sites with high-performance online systems with broadband network connections can be successfully disrupted. And it is ironically the broadband networks themselves that supply the necessary bandwidth.

2.1.3 DDoS attacks from a regular IP address

One special type is the “Distributed Reflected Denial of Service” (DRDoS) attack. In this type of attack, the attacker does not address his data packets directly to the victim of the attack but to Internet services. However, he enters the IP address of the victim as the sender. Using this method, it is practically impossible to determine the origin of the attack. These types of forged connection requests are also referred to as “IP spoofing”. The responses of the Internet services to these requests and the resulting system overload represent the actual DoS attack for the victim.

2.1.4 Motivation for DDoS attacks

The origin of and the motives for these types of attacks vary widely. They range from computer geeks without monetary interests, through revenge or protest against a particular company or organisation, up to professional hacker organisations. The latter can be hired by anyone to run a DDoS attack via online portals, with payment by credit card. For little money, managed attacks are offered, e.g. as a “24-hour stress test”. Quite often malicious threats are made or attempts at extorting protection money follow. Professionally active organisations carry out such attacks with a clear intention, in their own self-interest or on behalf of a third party.

Figure 1: Motivations for DDoS attacks (© ARBOR Networks)

2.2 Prerequisite for a DDoS attack

DDoS attacks as a means of extortion are usually initiated via so-called bot networks. They comprise from several dozen up to several hundred thousand computers infected with Trojan horses or worms. The fact that most computers connected via broadband networks have a fixed IP address and are usually online makes DDoS attacks even easier. The user doesn’t usually notice that the computer is infected or has become part of a bot network, because most computers connected to the Internet have inadequate or non-existent protective measures. The owners of these computers don’t even recognise that they are part of a bot network: the performance of a PC involved in a DDoS attack and its connection bandwidth are generally not affected in any way perceptible to the user. These bot networks are made up of several hundred to several thousand infected PCs, which can be activated arbitrarily and on a schedule for attacks by the bot network administrator/controller. There has also been a noticeable increase in the misuse of networked computers now that TCP/IP protocols are very widespread and have become practically common knowledge.

Figure 2: Globally active botnet sources (http://atlas.arbor.net/worldmap/index)

2.3 The sequence of a DDoS attack

2.3.1 General sequence of a (malicious) attack

Up to now, the following attack models have been subject to discussion in Internet blogs or forums:

Model 1

A company with an Internet presence receives an extortion letter demanding the payment of a specific sum by a set deadline. If the deadline passes without payment, the attacks threatened in the extortion letter are immediately initiated. The web servers are then attacked with an enormous number of requests. Depending on the bandwidth, it takes very little time for the web site and its e-services (e-shop, e-banking…) to become inaccessible.

Model 2

A company’s online presence is blocked without warning by a DDoS attack for unknown reasons. During the attack, the attacked party receives a letter claiming responsibility, e.g. by e-mail (e.g. via alternative Internet access) or fax, demanding either payment to an account by a certain deadline or another condition that must be met. If this deadline passes without payment, the attacks are continued.

Model 3

The online platform of a company is under attack without any warning. The aim is to damage the company lastingly; the attack can run from a few minutes up to several weeks.

2.3.2 Preparation and sequence of a (malicious) attack

As already mentioned, several computer systems are involved in a DDoS attack. The complex attack sequence, or the network of attackers, can be described as follows:

- An attacker (also called a client) commissions…
- …one or more masters (also called handlers). They control…
- …several daemons (also called agents). These then attack…
- …a victim.

Analysis

The attacker communicates via an Internet connection (often from an illegally used IP address) with the distributed masters. He then uses scanning tools to find out their IP addresses and/or which TCP or UDP ports are open. Potential targets of attacks and their vulnerabilities are identified with the help of Internet security scanners. The attacker also uses this same channel to obtain root rights on the server systems and simultaneously checks which services and ports are active (and therefore “open”) on the systems.

Script creation

Once the security weaknesses have been revealed, the attacker generates a script (= a program that runs automatically) and places it in the stolen accounts. He uses the scripts later on to attack precisely these security weaknesses. Incidentally, existing toolkits are often used to create the script files, making them much easier to use. Now the attacker defines his subsequent daemon and master systems. Other storage locations are used to store the pre-compiled binaries of the daemons on the master systems. Then the attacker creates a script that uses the list of computers that have been “taken possession of” and creates another script which automatically performs the installation in the background.

Script installation

Because this process is automated, a widespread denial-of-service network can be created without the knowledge of the actual system owners. The master programs, which play a key role in the attacker’s network, are then installed with extreme care. Optionally, a root kit (an “administrator kit”) that conceals the presence of the programs, files and network connections may also be installed. The master programs are preferably installed on so-called “primary name server hosts”. Because they are designed for an extremely high volume of network traffic, a large number of network connections run on these types of server systems. This has two key advantages for the attacker. On the one hand, the basic load (processors and network) camouflages the additional network traffic on the master very well. On the other hand, such server systems are not prematurely disconnected from the network even if a DDoS is suspected, because the role they play in the company’s network is too great.

Start of the attack

At a later time, the attacker sends the attack command including the data of the victim (IP address, port number, type of attack, start and stop time) to the masters. During the attack, this is the only outgoing traffic. Once the attack has started, its continued control and coordination lies under the complete responsibility of the masters (= computers acting as servers), which control a set number of daemons (daemons are processes running in the background). To ensure that not all daemons are rendered unusable immediately when a master is discovered by a network sniffer, the attackers distribute the masters into functional sub-areas. The daemons in turn run on other computers and can be globally dispersed in the network. Only the daemon systems carry out the actual attack when instructed by the master. This can be, for example, a SYN flood attack, where the attacker sends packets to the victim system to establish a TCP connection (SYN packets). The victim reserves a port for each and sends back what is known as a SYN-ACK packet. However, because the attacker has spoofed his IP address (i.e. he is not using his own IP address), the victim never receives the confirming ACK. The victim system retries and finally rejects the reserved connection after a set time period that can last several minutes depending on the operating system. If not just one request is sent to establish this connection but many in parallel, the computer becomes overloaded with answering the requests, blocking it for all practical purposes.
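The half-open state that the SYN flood described above relies on is also what makes it recognisable from the defender's side. The following added example (not code from the white paper or from Swisscom) counts, per attacked service, handshakes that never complete and how many distinct source addresses produced them, over constructed flow records; the victim address, the thresholds and the sample traffic are assumptions.

```python
"""Recognising a SYN flood from flow records (defender's view).

A client that really exists completes the handshake: SYN, then (after the
server's SYN-ACK) a final ACK. A spoofed SYN never gets that ACK, so the
server keeps a half-open connection until its timeout expires. Counting
handshakes that stay half-open per attacked service, and how many distinct
source addresses produced them, separates a flood from a merely busy site.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since capture start
    src: str    # client address as seen on the wire (may be spoofed)
    dst: str    # server address
    dport: int  # service port
    flags: str  # TCP flags of this packet: "S" = SYN, "A" = ACK


def half_open_stats(flows, now, timeout=3.0):
    """Per (dst, dport): handshakes completed by the client's ACK, SYNs still
    unanswered after `timeout` seconds, and the set of source addresses.
    Packets from the server (SYN-ACK) are not needed: only client behaviour
    tells us whether the client exists."""
    pending = {}  # (src, dst, dport) -> ts of the unanswered SYN
    stats = defaultdict(lambda: {"completed": 0, "half_open": 0, "sources": set()})
    for f in sorted(flows, key=lambda f: f.ts):
        key = (f.src, f.dst, f.dport)
        svc = stats[(f.dst, f.dport)]
        if f.flags == "S":
            pending[key] = f.ts
            svc["sources"].add(f.src)
        elif f.flags == "A" and key in pending:
            del pending[key]
            svc["completed"] += 1
    for (src, dst, dport), ts in pending.items():
        if now - ts >= timeout:       # older than a normal handshake: half-open
            stats[(dst, dport)]["half_open"] += 1
    return dict(stats)


def is_syn_flood(svc, max_half_open=100, min_sources=50, min_ratio=0.5):
    """Flood signature (assumed thresholds): many half-open handshakes, from
    many distinct sources (spoofing or a botnet), most of them never completing."""
    total = svc["completed"] + svc["half_open"]
    ratio = svc["half_open"] / total if total else 0.0
    return (svc["half_open"] >= max_half_open
            and len(svc["sources"]) >= min_sources
            and ratio >= min_ratio)


SERVER, PORT = "192.0.2.10", 443   # constructed victim address (RFC 5737 range)


def legitimate_traffic(n_clients=50):
    """Constructed sample: n real clients, each completing its handshake."""
    flows = []
    for i in range(n_clients):
        src = f"198.51.100.{i + 1}"
        flows.append(Flow(i * 0.1, src, SERVER, PORT, "S"))
        flows.append(Flow(i * 0.1 + 0.05, src, SERVER, PORT, "A"))
    return flows


def flood_traffic(n_syn=300):
    """Constructed sample: SYNs from distinct spoofed sources, no ACK ever."""
    return [Flow(2.0 + j * 0.01, f"10.{j // 250}.{j % 250}.5", SERVER, PORT, "S")
            for j in range(n_syn)]


def demo(with_flood=True):
    """Returns (completed, half_open, distinct sources, flood verdict)."""
    flows = legitimate_traffic() + (flood_traffic() if with_flood else [])
    svc = half_open_stats(flows, now=10.0)[(SERVER, PORT)]
    return svc["completed"], svc["half_open"], len(svc["sources"]), is_syn_flood(svc)


if __name__ == "__main__":
    print("busy site only:", demo(with_flood=False))   # (50, 0, 50, False)
    print("site under flood:", demo())                  # (50, 300, 350, True)
```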

2.4 Developments and the effects of DDoS attacks

Ongoing investigations by ARBOR Networks since 2002, in collaboration with the most important Internet Service Providers (ISPs), show a significant increase in the bandwidth intensity of DDoS attacks at a continuously high occurrence. Primary attack targets are commercial Internet and network services (e.g. Domain Name Servers, DNS). Most commonly used are UDP floods (sending a large quantity of UDP packets to randomly selected ports until they become inaccessible) and TCP SYN floods (delaying the handshake procedure when establishing a TCP connection), while other known vulnerabilities in the application protocols also support the attack. The number and intensity of DDoS attacks have been rising continuously since then.

Figure 3: Development of DDoS attacks (© ARBOR Networks)

Practical experiences and observations

Unfortunately, and despite their enormous threat potential, DDoS attacks are normally not considered, or only secondarily, in the risk analyses of enterprises.

Due to the obviously existing threat level, DDoS attacks have to be put on a par with the commonly known risks in the general risk analyses of enterprises.

Figure 4: Number of DDoS attacks per month (© ARBOR Networks)

Non-operable e-services can result in huge losses in revenue. In addition, the reputation of the attacked company and its customers’ confidence in it are seriously and strongly affected. This is particularly the case if the company has a large portion of its business online. Thus, convenient DDoS protection tools and appropriate services of a professional Internet provider are indispensable to recognise and stave off DDoS attacks. They represent the fastest and most secure method to sustain the operation of one’s own Internet service platform. On the one hand this strengthens the confidence of one’s own customers, and on the other hand it ensures constant business volumes on the platform.

Figure 5: Average duration for staving off DDoS attacks (© ARBOR Networks)

3 Protective measures against DDoS attacks

3.1 Blackhole defence

Effectively protecting against attacks on the accessibility of both secured and unsecured systems is generally only possible to a very limited extent using IT resources. Unsecured systems are designed for the express purpose of allowing communication with practically any system and responding dynamically to fluctuations in load. Almost all known measures focus on preventing a company’s own systems and networks from being misused for a DDoS attack. There is only a small number of effective protective measures that can diminish the effects of an attack. The protective measures up to now have made use of black hole or sinkhole technology to disable the attacked services. The undesirable data streams are completely rerouted to router ports of the backbone gateways (-> Route to Null0) and neutralised.

Figure 6: Principle of blackhole technology

Advantages: Blackhole technology protects the web infrastructure from attacks, but only to a limited extent.

Disadvantages: All data streams are deleted, meaning that the company can no longer receive data from specific sections and regions of the network. Combating undesired data streams in the backbone of the ISP on the basis of black hole technology is complex and requires in-depth routing knowledge.

3.2 Current protective measures with the DDoS Protection Service

3.2.1 General features

The DDoS Protection Service is an option to the IP-Plus Business Internet Service from Swisscom and features the following characteristics:

- Effective protection of the Internet infrastructure from DDoS attacks (can currently be filtered up to 40 Gbit/s)
- Pro-active alert system when DDoS attacks occur, via e-mail, SMS, SNMP Traps and Syslog
- Access for “friendly users” permitted during DDoS attacks
- Full access to the management platform including monitoring and reporting during DDoS attacks
- Direct defence against DDoS attacks via management platform by the security or network administrator
- Dynamic identification and blocking of DDoS attacks
- 7x24h helpdesk/support by the DDoS experts team
- No hardware installation at the customer’s site required

Figure 7: Function of the DDoS Protection Service (option to the IP-Plus Business Internet Service)

Advantages: The traffic streams in the backbone are continuously monitored by the DDoS Protection Service. If a deviation from the baseline (= bandwidth development continuously recorded over 24 hours) occurs, a low, medium or high alert, depending on the type of deviation, is proactively sent right to the individual responsible for the system via e-mail, SMS, SNMP Traps or Syslog. Based on the alert information, the customer can systematically fight the DDoS attacks either himself or with 2nd or 3rd level support from the Swisscom helpdesk.

Disadvantage: In-depth knowledge is required to assess traffic anomalies. If this knowledge is not present, specialists are available around the clock.

3.2.2 Traffic anomaly detection

What is known as traffic anomaly detection is based on several Arbor Peakflow systems. With the help of these systems, the data stream in the Internet backbone of IP Plus is recorded and analysed for anomalies. The baseline data is continuously and dynamically recorded with the Peakflow systems. The day of the week, the time and the bandwidth measured at that time are registered during this process, along with protocol conformity. This baseline data is then used as comparison data to alert the company to DDoS attacks. In the event of an alert, the respective alert level (low, medium, high) is triggered on the basis of the deviation between the baseline and the actually measured data stream throughput. Using this information, the traffic related to the company’s own infrastructure can be continuously monitored and analysed.

Figure 8: Status view via customer portal

3.2.3 Threat Management System

To defend against DDoS attacks, Swisscom uses what is known as a Threat Management System (TMS). In the event of an attack, the traffic and/or the data stream in the direction of the attacked system can be rerouted via the TMS. The TMS analyses this traffic, can efficiently distinguish between non-malicious and malicious traffic, and filters the latter out. The filtered and therefore authorised traffic is then rerouted again to the original destination.

4 DDoS Protection Service from Swisscom

4.1 Filtering process of a DDoS attack

The first four steps of the DDoS attack filtering process are:

1. Additional DDoS traffic (attack traffic)
2. Recognition of the malicious DDoS attack (malicious traffic recognition)
3. Automatic alerting via DDoS Protection Service (alerting/notification)
4. Manual activation via DDoS Protection Management Platform (DDoS filter activation)

Figure 9: Defence against a DDoS attack (1/2)

The next three and final steps of the DDoS attack filtering process are:

5. The malicious data traffic is rerouted via the TMS (malicious traffic rerouting)
6. Active filtering of the DDoS traffic (active DDoS filtering)
7. Normal forwarding of the legitimate data traffic (legitimate traffic)

Figure 10: Defence against a DDoS attack (2/2)

The activation of the TMS filter function is always initiated by the customer, because his knowledge of his own network operations avoids false alarms caused e.g. by a planned software upgrade, which can be recognised as a traffic anomaly under certain circumstances.

The following activation options are available for selection:

- Direct activation of the TMS using user name/password on a protected web site (-> https), including secure authentication by a client certificate
- Activation or support via help desk 7 x 24h with the following response times (via remote maintenance):

  Mon - Fri, 7 a.m. – 6 p.m.: < 1 hr.
  Mon - Sun, 7 a.m. – 6 p.m.: < 2 hrs.

If the attack is currently utilising the full capacity of the customer's Internet connection, the TMS can alternatively be accessed via web browser over a Mobile Unlimited connection, a dedicated xDSL connection or another Internet access technology.


4.2 Option DDoS Protection enhanced

For even more efficient protection, the option DDoS Protection enhanced can be implemented as an additional enhancement. It is based on hardware installed close to the WAN/LAN transition at the customer location. The hardware permanently analyses the traffic flow inline, up to and including the OSI application layer (layer 7). An SSL inspection function allows the recognition and neutralisation of the growing number of attacks carried over encrypted IP sessions. Based on the rule set, the anomaly level is determined continuously and unambiguous attack traffic is filtered automatically. If a pre-defined anomaly level is exceeded, help from the cloud is requested via cloud signalling.

If an operator decides to mitigate the situation, a new anycast address is set via the DDoS Protection Service as the new next-hop for the attacked IP address. The traffic flow is then redirected to and filtered by the Threat Management System (TMS) and, stripped of the attack traffic, routed via a GRE tunnel directly to the customer router.
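The two stages described in the preceding paragraphs (inline scoring with cloud signalling, then diversion to the TMS with a GRE return path), as an added toy model in Python; this is example code written for this page, not Swisscom's or the appliance vendor's implementation. The rule set, the 30 % cloud-signal threshold, the addresses (documentation ranges) and the constructed traffic mix are assumptions. The routing part shows why the GRE return path matters: the mitigation installs a host route for the attacked address with the TMS anycast address as next-hop, but the GRE packets carry the customer router as outer destination, so they follow the normal route and do not loop back to the TMS.

```python
"""Toy model of the DDoS Protection enhanced flow (constructed example).

Stage 1: the inline appliance scores traffic against a rule set, drops
unambiguous attack packets locally and raises a cloud signal when the
anomaly level exceeds the pre-defined threshold.
Stage 2: the operator's mitigation decision installs a host route for the
attacked address with the TMS anycast address as next-hop; the TMS scrubs
the traffic and returns clean packets through a GRE tunnel whose outer
destination is the customer router, so they do not follow the diverted route.
"""
import ipaddress

TMS_ANYCAST = "192.0.2.1"          # assumed TMS anycast address
CUSTOMER_ROUTER = "203.0.113.1"    # assumed customer GRE tunnel endpoint
PROTECTED_IP = "203.0.113.10"      # assumed attacked server address
CLOUD_SIGNAL_THRESHOLD = 30.0      # assumed pre-defined anomaly level in percent

# Assumed rule set of the appliance: (name, predicate, unambiguous). Unambiguous
# hits are dropped on the spot; ambiguous hits only raise the anomaly level.
RULES = [
    ("udp to an https-only server", lambda p: p["proto"] == "udp", True),
    ("tls session without payload", lambda p: p["proto"] == "tcp" and p["payload"] == 0, False),
]


def inline_filter(packets, rules=RULES, threshold=CLOUD_SIGNAL_THRESHOLD):
    """Stage 1. Returns (forwarded packets, locally dropped count,
    anomaly level in percent, whether a cloud signal is sent)."""
    forwarded, dropped, suspicious = [], 0, 0
    for p in packets:
        hits = [unambiguous for _, pred, unambiguous in rules if pred(p)]
        if any(hits):
            dropped += 1
            continue
        if hits:
            suspicious += 1
        forwarded.append(p)
    level = 100.0 * (dropped + suspicious) / len(packets) if packets else 0.0
    return forwarded, dropped, level, level > threshold


class RoutingTable:
    """Longest-prefix-match table: network -> next hop."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def remove(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        matches = [(n, nh) for n, nh in self.routes.items() if a in n]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def start_mitigation(table, attacked_ip):
    """Stage 2, operator decision: host route for the attacked address via the TMS."""
    table.add(f"{attacked_ip}/32", TMS_ANYCAST)


def stop_mitigation(table, attacked_ip):
    table.remove(f"{attacked_ip}/32")


def tms_scrub_and_return(packets, rules=RULES):
    """The TMS drops unambiguous attack packets and GRE-encapsulates the rest
    towards the customer router. Returns (GRE packets, dropped count)."""
    clean = [p for p in packets
             if not any(pred(p) for _, pred, unambiguous in rules if unambiguous)]
    gre = [{"outer_src": TMS_ANYCAST, "outer_dst": CUSTOMER_ROUTER, "proto": "gre", "inner": p}
           for p in clean]
    return gre, len(packets) - len(gre)


def build_sample():
    """Constructed traffic mix: 20 normal HTTPS packets, 10 UDP packets and
    10 TLS sessions carrying no payload, all towards the protected server."""
    def mk(src, proto, payload):
        return {"src": src, "dst": PROTECTED_IP, "proto": proto, "port": 443, "payload": payload}
    legit = [mk(f"198.51.100.{i}", "tcp", 500) for i in range(1, 21)]
    udp = [mk(f"192.0.2.{i}", "udp", 40) for i in range(100, 110)]
    empty = [mk(f"192.0.2.{i}", "tcp", 0) for i in range(110, 120)]
    return legit + udp + empty


def run_example() -> dict:
    packets = build_sample()
    forwarded, dropped_inline, level, signal = inline_filter(packets)
    table = RoutingTable()
    table.add("203.0.113.0/24", "customer-link")   # normal route to the customer prefix
    before = table.lookup(PROTECTED_IP)
    if signal:                                      # operator accepts the cloud signal
        start_mitigation(table, PROTECTED_IP)
    during = table.lookup(PROTECTED_IP)
    gre, dropped_tms = tms_scrub_and_return(packets)
    gre_next_hop = table.lookup(gre[0]["outer_dst"]) if gre else None
    stop_mitigation(table, PROTECTED_IP)
    return {"anomaly_level": level, "cloud_signal": signal,
            "dropped_inline": dropped_inline, "forwarded_inline": len(forwarded),
            "next_hop_before": before, "next_hop_during": during,
            "gre_next_hop": gre_next_hop, "gre_packets": len(gre), "dropped_tms": dropped_tms,
            "next_hop_after": table.lookup(PROTECTED_IP)}


if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v}")
```

With the constructed mix the appliance drops the 10 UDP packets itself, counts the 10 empty TLS sessions as ambiguous, and reports an anomaly level of 50 %, above the assumed threshold, so a cloud signal is raised; after the host route is installed the attacked address resolves to the TMS anycast next-hop while the GRE outer destination still resolves to the customer link.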

Figure 11: Enhanced defence of a DDoS attack with DDoS Protection enhanced

The option DDoS Protection enhanced raises the security level to all seven OSI layers. The most important advantages are:

- Immediate protection against DDoS attacks on the application layer, which could endanger the availability of services and applications.

- Automatic recognition and lock-out of DDoS attacks before services are disturbed. This requires no or only minimal user intervention, which reduces the pressure on the IT security officer.


5 Summary

5.1 Solution alternatives

Currently the customer has the choice between three different options:

1. The customer infrastructure does not have any DDoS defence mechanisms. An attack therefore quickly becomes effective and the web site is offline.

2. A DDoS device is integrated directly in front of the firewall at the customer's site. If the bandwidth of the DDoS attack exceeds the bandwidth of the access link, the web site goes offline as well.

3. In the third and most effective solution alternative the DDoS attack is detected before it enters the ISP backbone and can be filtered accordingly. In this setup the attack traffic is filtered out and the legitimate traffic is continuously routed to the web service, so that the online state can practically be ensured completely.

Figure 12: Possible solution alternatives for defending DDoS attacks

The option DDoS Protection enhanced offers additional protection which includes a permanent local inline

traffic analysis up to and including OSI layer 7.


5.2 Danger and damage potentials

During the past 12 months an above-average growth rate of DDoS attacks on enterprises in different branches and on political organisations was registered in Switzerland. In a case study, a real DDoS attack on an enterprise with an online platform was documented, together with the progress and the defence of the attack. The analysed attack traffic originated mainly from Peru, Chile, China, Taiwan, the USA, Egypt and Kenya. The progression of the attack clearly proved that it was actively directed against the customer. This was illustrated, among other things, by the appearance of another traffic peak some two days after the start of the first attack: with it, the offender tested whether the online services could be disrupted by intensifying the attack traffic. However, this trial also ended unsuccessfully thanks to the DDoS Protection Service from Swisscom. Without its activation the online services would have been unavailable for at least two days. The attack would have caused considerable damage, financially (loss of sales) on the one hand and to the company's image on the other. The latter damage is hard to quantify, but long-lasting.

5.3 Managed Service

The DDoS Protection Service is set up in the IP Plus Business Internet backbone as a Swisscom Managed Service, using the IP address range requested by the customer. This setup allows the Internet access to be continuously monitored for anomalies and the customer to be alerted according to the defined bandwidth limits. Direct access to the TMS provides an efficient tool that allows the customer to perform an in-depth analysis of the data traffic aimed at their infrastructure and to protect themselves immediately in the case of an attack. Of course, Swisscom also provides the customer with the best possible support in this process.


6 Glossary

Term        Explanation

AS          Autonomous System

ASN         Autonomous System Number

BGP         Border Gateway Protocol

Blackhole   "Blackholes" are used to route all IP packets sent to an attacked system to the Null0 interface.

Botnet      A botnet can be described as a network of remotely controlled PCs which were infected with worms, Trojan horses or other malware and which can be misused for specific attacks on demand.

CPE         Customer Premises Equipment

DDoS        Distributed Denial of Service

DNS         Domain Name System

GRE         Generic Routing Encapsulation (serves the encapsulation of other protocols and their transport via a tunnel over IP)

HTTPS       Secure Hyper Text Transport Protocol

IP          Internet Protocol

ISP         Internet Service Provider

Mpps        Mega packets per second

OSI         Open System Interconnection (reference model for data networks; it consists of seven communication layers with different tasks)

PC          Personal Computer

SAP         Service Access Point

SMS         Short Message Service

SNMP        Simple Network Management Protocol (used for the management of network elements like routers, switches, printers etc.)

SSL         Secure Sockets Layer (encryption protocol for secure data transmission)

TCP         Transmission Control Protocol

TMS         Threat Management System

UDP         User Datagram Protocol