There are many DDoS prevention and mitigation products. Many of these products work at the network level, filtering out malicious packets.
For example, Guard-Host states that it provides a mitigation solution based on VAC technology:
- “To detect the attack, we use the netflow sent by the routers and analysed by the Arbor Peakflow boxes. Each router sends a summary of 1/2000 of the traffic that is actually passing through it. The Arbor Peakflow boxes analyse this and compare it to the attack signatures. If the comparison is positive, mitigation is activated within seconds.
- The signatures analysed are based on traffic thresholds of
  - “packets per second” (pps, Kpps, Mpps, Gpps) or
  - “bits per second” (bps, Kbps, Mbps, Gbps) on certain packet types”
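
The threshold comparison described in the quote can be sketched as follows. This is an added example, not Guard-Host's or Arbor's code: it scales 1-in-2000 sampled packets up to estimated pps and bps per destination and packet type, then compares them to thresholds. The window length, threshold values, function names and sample records are all assumptions made for illustration.

```python
from collections import defaultdict

SAMPLING_RATE = 2000   # routers export 1 of every 2000 packets (from the quoted text)
WINDOW_SECONDS = 10    # assumed aggregation window

# Assumed per-packet-type thresholds: (packets per second, bits per second).
THRESHOLDS = {
    "tcp_syn": (50_000, 40_000_000),
    "udp": (200_000, 1_000_000_000),
    "icmp": (20_000, 20_000_000),
}

def estimate_rates(samples, sampling_rate=SAMPLING_RATE, window=WINDOW_SECONDS):
    """Scale sampled packets up to estimated pps/bps per (window, dst, packet type)."""
    totals = defaultdict(lambda: [0, 0])  # key -> [sampled packets, sampled bytes]
    for ts, dst, ptype, size in samples:
        key = (ts // window * window, dst, ptype)
        totals[key][0] += 1
        totals[key][1] += size
    rates = {}
    for key, (pkts, nbytes) in totals.items():
        pps = pkts * sampling_rate / window
        bps = nbytes * 8 * sampling_rate / window
        rates[key] = (pps, bps)
    return rates

def detect(samples, thresholds=THRESHOLDS):
    """Return sorted (window_start, dst, packet_type, reason) for each breach."""
    alerts = []
    for (start, dst, ptype), (pps, bps) in estimate_rates(samples).items():
        if ptype not in thresholds:
            continue  # no signature defined for this packet type
        max_pps, max_bps = thresholds[ptype]
        if pps > max_pps:
            alerts.append((start, dst, ptype, "pps"))
        if bps > max_bps:
            alerts.append((start, dst, ptype, "bps"))
    return sorted(alerts)

# Constructed samples: (unix time, destination, packet type, bytes in sampled packet).
# 300 sampled SYNs in one window estimate to 60,000 pps; the 5 UDP samples are background.
SAMPLES = [(1000 + i % 10, "192.0.2.10", "tcp_syn", 60) for i in range(300)]
SAMPLES += [(1000 + i, "192.0.2.20", "udp", 512) for i in range(5)]

if __name__ == "__main__":
    for alert in detect(SAMPLES):
        print(alert)
```

With these assumed values, one sampled packet in a 10-second window already stands for 200 pps, so thresholds below that resolution cannot be evaluated reliably from sampled data.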
DDoS attack types
For example, Guard-Host acknowledges the following DDoS attack types:
In the following diagram, the packets in the red area are flagged as belonging to a DDoS attack and are thus discarded and not sent to the server under attack.