Protecting the network from DDoS attacks using BGP

A DDoS attack targeted against just a single IP address on your network can severely limit the availability of your infrastructure to users. StormWall protection service mitigates this risk, which saves your business from unpleasant surprises; it ensures the stable operation of your network and infrastructure during DDoS attacks, regardless how complex. Your infrastructure and applications will run smoothly and reliably, no matter how devious or clever the attack.

Select a subscription plan

IP addresses (rented)11
Additional rented IP address00
BGP support, possibility to announce own IP addresses (unlimited)
Protection from L3-L5 attacks
Protection from L7 (HTTP/HTTPS) attacksPossible (contact us)Possible (contact us)
Included legitimate bandwidth (excess allowed) ?50 Mbps50 Mbps
Max support reaction time30 min15 min
Expert AntiDDoS support
Guaranteed availability (SLA), not less than ?99,2%99,5%
Ideal forEffecient solution for business applicationsBest solution for mission-critical applications
More details
Maximum filtering bandwidth without connection inspection (stateless)Over 2 TbpsOver 2 Tbps
Maximum filtering bandwidth with connection inspection (stateful)Over 600 GbpsOver 600 Gbps
Legitimate traffic volumeunlimitedunlimited
Support availability24/724/7
Delivery time ?15 min15 min
Less details
Price per month400 By requestBy request
Order Contact us

Contact our consultant to order a FREE webinar

Who needs our service?

Our BGP based DDoS protection service benefits ISPs, hosting service providers, data centers, as well as corporate clients operating their own IT systems. The service will help ensure the smooth operation of the IT infrastructure and network, and efficiently protect your organization from DDoS attacks.

Internet Service Providers can also benefit from the service by offering it as a value-added option to their customers for free, or as a compelling bonus. Our service is particularly beneficial for ISP’s as an investment and insurance policy; the service can be resold to their enterprise customers as-is, and used for protecting their own network.

Why do you need network protection

DDoS is a widely used, unfair competition tool. The strength, complexity, efficiency, and frequency of DDoS attacks increase yearly at an incredible rate, while the cost for generating such attacks diminishes. The monetary damage caused by a DDoS attack can be very detrimental. Companies can lose thousands of dollars during downtime and if a site is used for e-commerce or online services, the amount can increase exponentially. In addition, even a less powerful attack can result in losing hundreds and thousands of customers.

What will your company get

  • Reliable 24x7x365 protection from all known OSI Layer 3 – Layer 5 DDoS attack types
  • Analysis and filtering of all inbound traffic
  • DNS protection
  • Real-time traffic health analysis
  • Suspicious activity notifications
  • Personal account and API

Benefits of StormWall over other solutions

  • No limits: you only pay for legitimate traffic and do NOT pay for the number of attacks, protected IP addresses, AS numbers, etc.
  • Expert 24x7 technical support via Slack, with an average response time of just 5 to 7 minutes. We resolve your problems as well as those of your customers.
  • Flexible price policy: a set of services starting at 50 Mbps (for small networks), with the ability to increase the bandwidth at any time.
  • Free DDoS sensor. Set up an automated protection service, enabling it only during an actual attack.
  • Protected DNS servers: unlike other solutions, we offer protection for your DNS servers.
  • Retain the full functionality of your IP stack under attack, without any downtime: when attacked, the client will experience no delays in Web browsing, messengers, online games, WhatsApp/Viber/FaceTime calls, etc.
  • Setup assistance: contact our experts to access your systems remotely and set up a connection for you, free of charge.
  • Trial period and a free webinar: we will answer all your questions, showing and explaining to you how the protection works.
  • In-depth report on each attack, complete with graphs, statistics, source details, and malicious traffic samples.

Connecting to StormWall BGP based DDoS protection service

The service could be accessed by a customer via an IPIP/GRE tunnel, through an Internet Exchange (IX), or by physically connecting to the StormWall network at one of our sites.

The connection procedure is as follows:

  1. We establish a connection with you.
  2. We establish a BGP session for which you announce the necessary IP prefixes.
  3. We accept your announcements, filter all the traffic and send it to you, cleared of attacks.
How network protection works (BGP) StormWall

DDoS protection options for BGP connection

You can use the BGP based DDoS Network Protection service with one of the three options:

  1. Enable the persistent (Always-ON) protection and run all incoming traffic through StormWall filters. With this option your networks remain constantly protected, so a DDoS attack will never take you by surprise With StormWall always on, the flexibility to manage incoming traffic is limited.
  2. Connect the protection service, although instead of announcing all your networks, do it for those only that you believe should be protected at a certain point in time. For example, if you are expecting an attack to target you or an attack is already underway, you can manually announce the network for StormWall (while ceasing to announce it for other service providers).
  3. Announce the protected networks automatically whenever an attack begins by connecting the free Anti-DDoS sensor. Immediately after detecting the attack onset, the client-side sensor automatically switches the network being attacked to protection mode, hiding it from unprotected service providers. After the attack is over, the sensor returns everything back to normal. Deployed in a virtual machine, the sensor can receive traffic information using NetFlow, sFlow or Mirror/SPAN, integrating with your edge router or router group using BGP. The sensor signals that the protected mode has been enabled using BGP Communities.

What happens during a DDoS-attack

[If there is an Anti-DDoS sensor on the client side.]

  1. The sensor detects the beginning of an attack targeting one or more IP addresses.
  2. The sensor then triggers an announcement of the attacked network via StormWall.
  3. The sensor then hides the attacked network from unprotected service providers.

[Regardless of whether the sensor is on the client side]

  1. The sensor on the StormWall side (the FlowSense system) detects which IP addresses are under attack and reroutes the traffic aimed at these addresses for filtering.
  2. The attack is cut off by the StormWall filters.
  3. When the attack is over, the traffic is no longer routed through the filters, going directly to the original addresses instead.

[If there is a sensor on the client side]

  1. The network is announced again for the client’s service providers rather than for StormWall.

Will the latency increase?

  • Only inbound traffic is passed through StormWall’s filters, while the outgoing traffic route stays unchanged. The latency may increase, as the traffic will pass through filtering points located in data centers with multiple connections to popular CDN networks.

However, for some online resources the latency may actually decrease as StormWall has direct connections to popular services such as Google, Facebook, Microsoft, Akamai, and others.

How we ensure high quality of service

Triple Filter

All of your server’s inbound traffic is cleaned up in three stages:

Edge routers. Over 100 edge routers all over the world are set up to discard traffic that should never reach your servers. This protective layer makes our clients resistant to 100+ Gbps attacks, with TCP and UDP amplification attempts entirely blocked at this stage.

Hardware filters. Most of the TCP/UDP flood is blocked at this layer. Thanks to the use of hardware-based filtering appliances, extremely high packet processing speeds are achieved. The filtering network is built in such a way that evenly distributes the load between a number of appliances.

Stateful filters. The fine-filtering layer is where the most complex and sophisticated attacks are blocked, including bot-based ones. For HTTP traffic, this layer includes our BanHammer HTTP filtering system.

Triple Filter All traffic passing towards your server is cleaned in three places


FlowSense system

Our FlowSense system continuously monitors all of your server/website’s inbound data flows, looking for anomalies and automatically determining the type of ongoing attack. This enables automated filtering adjustment using the BGP FlowSpec (RFC 5575) protocol and our filtering system’s API.

Global Session

Our infrastructure is built from the ground up with disaster-resilience in mind. Even if an event causes the outage of one of our points-of-presence, our customers will remain connected!. How is this achieved? Thanks to our Global Session technology, all our filtering points worldwide “know” whenever a visitor has a connection to your server, and in the event of one point-of-presence becoming unavailable, the traffic is automatically redirected to another location nearest to the client.

Global Session: DDoS protection technology

StormWall network capability

Points of presence:

Internet exchange (IX) points available for connection:

- Over 2 Tbps stateless bandwidth, with IP packets processed at ACL/FlowSpec level without TCP connection check, efficiently blocking TCP/UDP amplification attacks.

- Over 600 Gbps stateful bandwidth, with every incoming TCP connection processed and analyzed.

Becoming our customer

Chat with our online consultant or call us! Our experts are always online, available 24x7 to help you activate the protection.

Payment options

  • Wire transfer
  • Credit card (Visa/Mastercard/etc.)
  • PayPal
  • Google Pay
  • Apple Pay
Did not find an answer to the questions you have?