How the Service Works

The “StormWall for Networks” service is designed for internet service providers, data centers, hosting companies, and corporate clients with their own autonomous systems. Our protection blocks and mitigates the impact of even the most complex DDoS attacks on your network.

How the Service Works Algorithm of operation:

  1. Connection setup;
  2. Establishment of a BGP session, where you announce the required IP prefixes;
  3. Reception of announcements, filtering, and redirection of clean traffic back to you.

Connection Methods for Protection:

  1. IPIP/GRE Tunnel
  2. Internet Exchange (IX)
  3. Physical Connection to the StormWall Network at one of our locations

Protection Options:

  1. Enable Permanent Protection, with all incoming traffic routed through our filters:

In this case, all of the client’s networks will be under constant protection (DDoS attacks will never catch you off guard), but flexibility in managing incoming traffic will be limited.

  1. Manually connect protected networks – only the necessary client networks will be announced:

Not all client networks will be announced — only those that require protection at a specific moment. For example, if you expect an attack or one has already started, you can manually redirect network announcements to StormWall (removing them from other providers).

  1. Automate announcing protected networks when an attack begins using a DDoS sensor.:

The sensor, installed on the client side, automatically switches the attacked network to protection mode and withdraws it from unprotected providers as soon as an attack is detected. After the attack ends, it returns the network to its original state.

  1. Deploy a DDoS sensor on the client’s network:

The sensor can receive traffic information via NetFlow, sFlow, or Mirror/SPAN and integrates with your edge router or router group using BGP, sending signals to activate protection using BGP Community. Deployment on a virtual machine is supported.

DDoS sensor operation scenarios:

[If the DDoS sensor is on the client’s side]

  1. The sensor detects the beginning of an attack on one or several IP addresses;
  2. Then, the sensor initiates the announcement of the attacked network through StormWall;
  3. After that, the sensor removes the attacked network from unprotected providers.

[Regardless of the presence of the sensor on the client’s side]

  1. The sensor on StormWall’s side (FlowSense system) determines which IP addresses are being attacked and redirects the traffic going to these addresses for filtration;
  2. The attack is cut off by StormWall’s filters;
  3. After the attack ends, the traffic stops being routed through the filters and goes directly.

[If the sensor is on the client’s side]

The network announcement is returned to its providers and removed from StormWall. Triple filtration (Triple Filter) is used for traffic filtering, FlowSence technology for anomaly detection and automatic attack type identification, and Global Session technology for protection against failures at StormWall network nodes.