Stop the largest DDoS attacks and protect your web applications everywhere.
A distributed denial‐of‐service (DDoS) attack is a cyberattack in which a malicious agent tries to force a machine or network resource offline. By disrupting the services of a host connected to the internet, it makes this service unavailable to its intended users.
For a DDoS attack to be successful, the attacker needs to send more requests than the victim's server can handle. There are three main types of attack vectors:
THG Hosting provides an on‐demand reactive service, ensuring that if an attack happens, we will take action to prevent any customer downtime. When purchasing an on‐demand reactive delivery service, traffic will only be routed through the DDoS mitigation
|No protection||On-demand protection|
|This option provides zero level of protection, upon any attack you will be blackholed. This means your service could be down for up to 24 hours.||Our reactive offering provides customers with the full security that if an attack is to happen, we will take action and prevent customer downtime.|
|Up to 10Gbps in bound clean traffic that is scrubbed.|
In normal circumstances, the clean traffic delivery does not trigger over‐usage fees for periodic or intermittent bursts, though we may review this on a case by case basis. On‐demand reactive customers are subject to the fair usage policy, and if a customer receives more than one attack per month, there will be additional charges. These attacks will be measured through a sliding scale – two small attacks (under 20Gb) and one large attack (over 20Gb).
Our DDoS protection is spread across the following THG data center locations:
This system is designed specifically to deal with DDoS attacks, and it’s far more than just a crude rate‐limiting system. It has advanced capabilities to detect, recognize and filter out common DDoS attack types, including the following:
|Malformed on truncated packets||NTP amplification|
|Invalid IP segmentation||UPnP|
|Bad checksums and illegal TCP flags||DNS amplification|
|Invalid TVP/UDP port numbers||Connectionless LDAP amplification|
|Use of reserved IP Space|
What is the goal of a DDoS attack?
The objective of a DDoS attack is to prevent legitimate users from accessing a site. For a DDoS attack to be successful, the attacker is required to send more requests than the victim’s server can handle, though such attacks can vary widely. Motives also range from mischief and sabotage to extortion and blackmail.
How do the three main types of DDoS attacks work?
Volume‐based attacks (also known as volumetric) use connectionless protocols such as UDP (User Datagram Protocol) to congest site bandwidth.
Protocol attacks seek to overwhelm web servers, firewalls or load balancers by exhausting the number of concurrent sessions a device can handle.
Application attacks target specific servers or applications by establishing a connection and then exhausting their resources.
What’s the most common type of attack?
Volumetric DDoS attacks are the most known and frequent attack, accounting for two‐thirds of all DDoS attacks in the wild. They span layers 3, 4, and 7 of the OSI Model – the Open Systems Interconnection Model is used to describe the functions of networks.
Why do I need DDoS Protection?
With attacks currently increasing at a rapid rate, DDoS protection is needed now more than ever. By utilizing DDoS Protection, your business will be better prepared to deal with such attacks. In turn, this minimizes the potential impact on your business, customers and turnover.
How can I protect myself from these types of attacks?
Modern online businesses ensure their security policies and solutions incorporate DDoS mitigation services to prevent any attacks before they happen. By applying DDoS protection to your business, you can prevent volumetric, protocol and application attacks alike.
How does your service direct traffic?
Our carrier‐grade network uses the Border Gateway Protocol (BGP) to steer traffic into scrubbing centers on the ingress direction. The service is unidirectional, so return egress traffic from your servers/services will flow in the normal direction.
Is there any encapsulation overhead to traffic redirection?
There are no additional layers of encapsulation needed – tricks like Generic Routing Encapsulation (GRE) tunneling are not necessary. There may be marginal changes to latency on the ingress direction.
Does the service support IPv6?
Yes, the service supports IPv6 natively.