100G DDoS Protection is a unique service that Sharktech provides to dedicated server customers who expect DDoS attacks exceeding our standard DDoS protection limit, currently set at 40Gbps.
This service uses BGP to spread incoming attacks across all of our data centers, leveraging our total available bandwidth and the DDoS protection hardware located at each site. The IPs provided for 100G DDoS protection are unique and differ from the standard IPs assigned to your server, because they belong to prefixes that are advertised from all of our data centers using anycast.
Whenever communication is initiated with a 100G IP, the closest BGP path is selected for the incoming traffic, which reaches one of our data centers. There it passes through our network and DDoS protection system, and is then transported via GRE to the network hosting your service. Your service then responds through the local network. This means the traffic path is asymmetric: incoming traffic reaches your service by a different path than the one outgoing traffic takes.
A few things are worth considering when choosing 100G DDoS protection:
- It’s highly recommended that the 100G IPs are not used as the primary IPs of your server. It’s standard procedure to keep the service's primary IP for management access only, and to assign any public-facing services to secondary IPs on the service, including the 100G IPs.
- Unfortunately, due to BGP load balancing, it’s not always possible to ensure the best path for incoming traffic to your 100G IP. We might be able to help you optimize it, but this is a difficult situation and the options for optimizing the path are limited.
- Again due to BGP load balancing, we cannot guarantee that an incoming DDoS attack is load-balanced evenly across all our data centers. This is sometimes caused by geo-centric DDoS attacks, which cause a single site to receive a significantly higher rate than other locations. However, with the network upgrades we are conducting, our thresholds are being increased constantly.
- Because attacks are spread across multiple data centers, attack notifications and actions may not carry an accurate attack size, since detection happens at each site. The first site that detects an attack triggers the filters, sends the filters to all data centers, and sends the email notification.
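The last two points can be modelled in a few lines to show how a per-site notification relates to the aggregate attack. This is an added example, not Sharktech code; the site names, detection threshold, per-site capacity and traffic figures are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Site:
    name: str             # constructed site label
    share: float          # fraction of the attack BGP delivers to this site
    detect_gbps: float    # local detection threshold (assumed value)
    capacity_gbps: float  # local filtering capacity (assumed value)

def first_detection(sites, ramp_gbps):
    """Walk an attack ramp (aggregate Gbps per time step) and return what the
    first detecting site would put in the notification versus the aggregate."""
    for step, total in enumerate(ramp_gbps):
        local = {s.name: total * s.share for s in sites}
        hits = [s for s in sites if local[s.name] >= s.detect_gbps]
        if hits:
            # The site furthest over its threshold is taken as the first to fire.
            first = max(hits, key=lambda s: local[s.name] - s.detect_gbps)
            return {"step": step, "site": first.name,
                    "reported_gbps": local[first.name], "aggregate_gbps": total}
    return None  # the attack never crossed any site's threshold

def overloaded_sites(sites, total_gbps):
    """Sites whose local share of the attack exceeds their own capacity."""
    return [s.name for s in sites if total_gbps * s.share > s.capacity_gbps]

def make_sites(shares, detect_gbps=5.0, capacity_gbps=40.0):
    names = ["site-a", "site-b", "site-c", "site-d"]
    return [Site(n, sh, detect_gbps, capacity_gbps) for n, sh in zip(names, shares)]

# Constructed inputs: an aggregate attack ramp and two anycast distributions.
RAMP = [4.0, 16.0, 48.0, 96.0]
EVEN = make_sites([0.25, 0.25, 0.25, 0.25])
GEO = make_sites([0.75, 0.125, 0.0625, 0.0625])   # geo-centric: one site takes most

if __name__ == "__main__":
    for label, sites in (("even", EVEN), ("geo-centric", GEO)):
        d = first_detection(sites, RAMP)
        print(f"{label:12} notification from {d['site']}: "
              f"{d['reported_gbps']:.1f} Gbps reported, "
              f"{d['aggregate_gbps']:.1f} Gbps aggregate; "
              f"over capacity at peak: {overloaded_sites(sites, RAMP[-1])}")
```

With these inputs both notifications report 12 Gbps, while the aggregate attack is 48 Gbps in the even case and 16 Gbps in the geo-centric one, so the reported figure alone does not tell you the real attack size.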
If you have any questions please feel free to contact our Sales Department via our helpdesk or email@example.com.