
Bumblebee DDoS Protection Suite

Updated: Aug 24

Why is the DDoS Protection Suite needed?

When you order a Dedicated Internet Access (DIA) circuit, the ISP provides a /29 public subnet, known as the demarcation subnet. Devices on this subnet, such as firewalls, routers, load balancers, and servers, are exposed to the public internet and, as a result, are constantly targeted by malicious attacks from unwanted sources, as illustrated below.



[Screenshot: Originating Traffic Source Geo Locations]

As shown in the above screenshot from the Bumblebee platform, in the last hour 266 IP addresses tried to connect to the customer site; 124 of them (47%) are malicious IPs that scanned the site's public subnet and continuously probe for open ports to infiltrate the internal network.


In the other direction, do you know whether any traffic from your site is destined for malicious IPs? This could be traffic from infected IoT devices, laptops and host machines exfiltrating data to malicious sites.


Internet sources can launch DDoS attacks at any time, overwhelming firewalls and servers by exhausting their memory, leading to outages and productivity losses. For example, a TCP SYN flood attack sends thousands of TCP connection requests per second without completing the connections, filling the target's connection state table with useless half-open entries and stalling its functions. Some attacks use a low rate to evade detection, while others involve distributed efforts from hundreds of thousands of source IPs.


What does Bumblebee DDoS Protection Suite provide?

The Bumblebee DDoS Protection Suite offers the following features:


  1. Geo Visibility: Monitors ongoing port scanning from source IPs targeting the service provider’s public subnet (/29 or /30), including their geographic locations. Identifies source IPs with a 100% malicious reputation score.

  2. Block Malicious Sources: Bumblebee Internet NIDs block source IPs with a 100% malicious reputation score, preventing their traffic from reaching firewalls, routers, and servers in the on-premises network.

  3. DDoS Mitigation: Bumblebee Internet NIDs block TCP SYN, UDP, and ICMP flood attacks from the internet, ensuring attack traffic does not reach firewalls, routers, or servers in the on-premises network.


    Below is an example display of Blocked Malicious Source IPs.

    [Screenshot: Blocked Malicious Source IPs]


    Below is an example display of DDoS Mitigation and Attack List.

    [Screenshot: DDoS Mitigation and Attack List]


How to enable DDoS Protection Suite?

The protection suite is enabled on a per-site basis.

To enable protection:

  • Log in to the Bumblebee portal.

  • On the left navigation bar, click Internet NIDs.

  • Select one Internet NID, then click Actions -> Edit Block Malicious Sources to enable Block Malicious Sources.

  • Select one Internet NID, then click Actions -> Edit DDoS Mitigation to enable DDoS attack protection.


How to view DDoS Protection Suite statistics?

The statistics and visibility can be viewed at Dashboards -> DDoS Protection Suite.


Originating Traffic Geolocations

The Originating Traffic Geolocations chart displays the source IPs targeting the public subnet and their geolocations. The red dots represent malicious IPs with a bad reputation score of 100%. The blue dots represent non-malicious IPs.


Destination Traffic Geolocations

The Destination Traffic Geolocations chart displays the destination IPs and their geolocations.


Blocked Malicious IPs

Blocked Malicious IPs displays the source malicious IPs that are blocked by the CPE device. To view this chart, you need to enable "Edit Block Malicious Sources", as described in the previous section.


Blocked Malicious Traffic

Blocked Malicious Traffic displays the blocked malicious source IPs in table format. To view the table, you need to enable "Edit Block Malicious Sources", as described in the previous section.


The list of the Blocked Malicious Traffic contains the following information:


  • Blocked IP Address

  • Country: the country in which the blocked IP address resides

  • City: the city (if known) in that country of the blocked IP address

  • Malicious Reputation Score: this score should be 100, representing 100%

  • Blocked Time: when the IP was blocked, in UTC


DDoS Mitigation

DDoS Mitigation displays the DDoS attack traffic throughput (Mbps) over the past hour, 3 hours, day and week.


DDoS Attack List

DDoS Attack List displays detailed information on the attacks in the last hour or 3 hours:


  • Attack IP Address

  • Status: Blocked or Alert

  • Start Time: attack starting time

  • Duration: attack duration

  • Throughput: attack throughput

  • Volume: how many bytes of attack traffic

  • Description: TCP SYN flood, UDP flood or ICMP flood

  • Attack Counts: how many attacks


What are the benefits of Bumblebee DDoS Protection Suite?


The Bumblebee DDoS Protection Suite is a cloud-managed, distributed implementation that protects sites from DDoS attacks capable of overwhelming resources on the public demarcation subnet, such as firewalls, routers and servers. It also blocks malicious IPs from accessing internal networks through port scanning activities. The solution benefits are:


  • Scalable: The Bumblebee DDoS Protection Suite is a distributed implementation. The solution scales to any implementation size, requires no new hardware deployment, and offers upsell opportunities to enhance client security while boosting revenue.

  • Fast Response: Since detection and mitigation are both carried out on the device, the response time is within a second, significantly reducing attack impact.

  • Greater Control: Fine-grained policies and configurations can be customized for each specific site.



What bandwidth can the Bumblebee DDoS Protection Suite support?

The Bumblebee DDoS Protection Suite supports attack traffic at 1 Gbps line rate.


What are the default parameters for DDoS mitigation?

There is a set of parameters used for detecting a DDoS protocol attack; their default values are listed below.

Attack Type      Alert rate   Active Block rate   Max Block rate
TCP SYN flood    200/sec      2000/sec            5000/sec
UDP flood        1000/sec     5000/sec            5000/sec
ICMP flood       100/sec      3000/sec            3000/sec

For TCP SYN flood, Active Block means that at this rate only unfinished TCP 3-way handshakes are deemed attack traffic and blocked. Max Block means that beyond this maximum rate from a single source IP, any TCP session from that source is blocked.


These default values can be customized.
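The three-tier threshold model above (alert, active block, max block, applied per source IP) can be illustrated with a small rate-based classifier. This is an added example written for this page and is not Bumblebee's own implementation; it assumes packets are bucketed into one-second windows per source IP, that an "unfinished handshake" is approximated by a TCP SYN segment without ACK, and that the Max Block tier is evaluated on the same per-source SYN count. The traffic stream in run_simulation is constructed and uses documentation IP ranges.

```python
from collections import defaultdict
from dataclasses import dataclass

# Default per-source thresholds from the table on this page (packets per second).
DEFAULT_THRESHOLDS = {
    "tcp_syn": {"alert": 200, "active_block": 2000, "max_block": 5000},
    "udp": {"alert": 1000, "active_block": 5000, "max_block": 5000},
    "icmp": {"alert": 100, "active_block": 3000, "max_block": 3000},
}


@dataclass(frozen=True)
class Packet:
    src: str               # source IP address
    proto: str             # "tcp", "udp" or "icmp"
    second: int            # one-second bucket in which the packet arrived
    syn_only: bool = False # TCP SYN without ACK: unfinished handshake attempt (assumption)


class FloodDetector:
    """Per-source, per-second rate thresholds with three tiers: alert, active block, max block."""

    def __init__(self, thresholds=None):
        # Thresholds are customizable; anything not overridden keeps the default.
        self.thresholds = {**DEFAULT_THRESHOLDS, **(thresholds or {})}
        self.counts = defaultdict(lambda: defaultdict(int))  # (src, second) -> category -> count
        self.attacks = {}  # src -> record shaped like the DDoS Attack List fields above

    def observe(self, pkt):
        """Classify one packet; returns "pass", "alert" or "block"."""
        c = self.counts[(pkt.src, pkt.second)]
        if pkt.proto == "tcp":
            if pkt.syn_only:
                c["tcp_syn"] += 1
            t = self.thresholds["tcp_syn"]
            syn_rate = c["tcp_syn"]
            if syn_rate >= t["max_block"]:
                verdict = "block"  # beyond Max Block: every TCP segment from this source
            elif syn_rate >= t["active_block"]:
                verdict = "block" if pkt.syn_only else "pass"  # Active Block: half-open attempts only
            elif syn_rate >= t["alert"]:
                verdict = "alert"
            else:
                verdict = "pass"
            desc = "TCP SYN flood"
        else:
            c[pkt.proto] += 1
            t = self.thresholds[pkt.proto]
            rate = c[pkt.proto]
            if rate >= t["active_block"]:
                verdict = "block"
            elif rate >= t["alert"]:
                verdict = "alert"
            else:
                verdict = "pass"
            desc = f"{pkt.proto.upper()} flood"
        if verdict != "pass":
            self._record(pkt, verdict, desc)
        return verdict

    def _record(self, pkt, verdict, desc):
        rec = self.attacks.setdefault(pkt.src, {
            "ip": pkt.src, "status": "Alert", "start": pkt.second, "end": pkt.second,
            "description": desc, "blocked_packets": 0})
        rec["end"] = pkt.second
        if verdict == "block":
            rec["status"] = "Blocked"
            rec["blocked_packets"] += 1

    def attack_list(self):
        """Summarise recorded attacks in the shape of the DDoS Attack List."""
        return [{"ip": r["ip"], "status": r["status"], "start_time": r["start"],
                 "duration": r["end"] - r["start"] + 1, "description": r["description"],
                 "blocked_packets": r["blocked_packets"]} for r in self.attacks.values()]


def run_simulation(detector=None):
    """Constructed traffic: a benign client, a SYN flood source, and a moderate ICMP burst."""
    det = detector or FloodDetector()
    stream = []
    for sec in range(2):  # benign client: 50 SYN/sec, well under the alert rate
        stream += [Packet("198.51.100.10", "tcp", sec, syn_only=True)] * 50
    # Flood source: 5500 half-open SYNs in one second, then 10 ordinary TCP segments
    stream += [Packet("203.0.113.7", "tcp", 0, syn_only=True)] * 5500
    stream += [Packet("203.0.113.7", "tcp", 0)] * 10
    # ICMP burst: 150 echo requests in one second (crosses the alert rate, not the block rate)
    stream += [Packet("203.0.113.9", "icmp", 1)] * 150
    verdicts = defaultdict(lambda: defaultdict(int))
    for pkt in stream:
        verdicts[pkt.src][det.observe(pkt)] += 1
    return det, {src: dict(v) for src, v in verdicts.items()}


if __name__ == "__main__":
    det, verdicts = run_simulation()
    print(verdicts)
    print(det.attack_list())
```

With the defaults, the flood source passes its first 199 SYNs, raises alerts from SYN 200 to 1999, has its half-open attempts blocked from SYN 2000, and once it crosses 5000 even its ordinary TCP segments are dropped, while the ICMP source only reaches Alert status. Passing a partial thresholds dictionary to FloodDetector models the per-site customization the page describes.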
