How does Oplink.net DDoS Protection work?

Oplink.net’s always on DDoS protection is critical security to defend against loss of service and is vital for enterprises, small businesses, game servers, and hosting companies. DDoS assaults cannot be defeated with traditional Internet gateway security solutions such as firewalls. Always on protection is fully automated for all customers adding another layer to protect your servers.

In May 2020, we deployed a Corero Smartwall to provide DDoS attack protection to our customers. We chose Corero protection because it delivers the best layer 3 to layer 7 DDoS mitigation in seconds. The Corero Smartwall real-time packet inspection and mitigation solution for protects against assaults measuring up to 100 Gbps. The Corero Smartwall deployment is inline to the front edge of our uplink to minimize latency, flexibly defend all attacks in real time, and maximize security. It’s always on and provides an incredibly fast and accurate system to keep your server online and protected.

With the Corero Smartwall, Oplink.net protects against large network-based DDoS attacks including floods, reflective amplified spoof attacks, as well as attacks that are typically too small to be detected by out of band solutions. Patented mechanisms designed with big data analytics automatically detect and stop volumetric and state exhaustion DDoS attacks while passing through legitimate traffic. Attack protection algorithms are continually enhanced based on Corero’s real-world experience of thousands of customers.

Some providers use a cloud-based DDoS scrubbing center method that requires all Internet traffic to be relayed offsite and sent back. This strategy cannot achieve the fastest real-time mitigation without increased latency.

Management and control of our own routers, switches, and servers in house is our priority, and this principle applies to our choice for DDoS Protection. Oplink.net engineers directly manage the Corero Smartwall in our data center to apply customized and latest filtering technology.

Here’s a diagram of how the defense system works:

DDoS Defense Security Filters

The Oplink.net DDos Defense system offers many smart and flexible filtering technologies. Here are some of the filtering methods now in use:

  • TCP/UDP port-based attacks
  • Berkeley Packet Filter (BPF)
  • Smart-Rules – Patented high-performance heuristics based engine that automatically detects & blocks volumetric DDoS attacks, including zero-day
  • Botnet protection
  • Volumetric DDoS (TCP/UDP/SYN/ICMP) Floods
  • Reflective Amplification DDoS
    • NTP Monlist Response Amplification
    • SSDP/UPnP Responses
    • SNMP Inbound Responses
    • Chargen Responses
    • DNS
    • Connectionless LDAP (CLDAP)
  • Resource Exhaustion
    • Malformed and Truncated Packets (e.g. UDP Bombs)
    • IP Fragmentation/Segmentation AETs
    • Invalid TCP Segment IDs
    • Bad checksums and illegal flags in TCP/UDP frames
    • Invalid TCP/UDP port numbers