Does Instart provide DoS and DDoS protection for a web property?
Absolutely. Customers who deliver their entire website or web application via the Instart network are automatically equipped with strong protection against both single-source and distributed denial of service (DoS & DDoS) attacks. The following are some highlights of the capabilities that enable our service to protect customers from malicious traffic.
Massive scale to absorb attack traffic
By running your site through our service, you deploy our globally distributed infrastructure in front of your existing servers and network connections. We purchase dedicated connectivity globally from Tier 1 service providers including GTT, Level 3, and TeliaSonera. Using that network capacity, we distribute your DNS & HTTP(S) traffic across a network of hundreds of physical and virtual servers and load balancers.
In addition to using our distributed infrastructure to terminate and validate DNS & HTTP(S) traffic destined for your servers before passing valid requests through, the Instart network is configured to automatically drop other types of traffic. This prevents attacks based on other protocols from ever reaching your network, including attacks such as the NTP-based DDoS attacks recently mentioned in the news.
Anycast DNS and anycast HTTP(S) to prevent DDoS hotspots
Traditional or "unicast" IP addressing routes all network traffic directed to a particular IP address to a single physical location. This leaves non-distributed DNS servers & websites vulnerable to relatively small-scale DoS and DDoS attacks. Because an attacker can direct all malicious traffic to a single network location, there's a much greater chance of flooding the attack target's network link or overwhelming the servers and any load balancers that might be in place.
We have architected the Instart network around anycast technology. By using anycast routing, traffic addressed to one of our IP addresses is automatically routed to the closest network location. While we made this architectural decision primarily for performance reasons, it has the additional benefit of automatically distributing malicious traffic across our entire global network. This enables us to absorb and drop much larger volumes of traffic than might otherwise be possible, especially in the case of distributed attacks which rely on focusing widespread resources on a smaller target.
IP/User Agent blacklisting and throttling at the Instart network edges
Our service provides the ability to quickly blacklist IP addresses or user agents sending malicious traffic. Traffic from blocked IPs and user agents will be dropped at our globally distributed edge servers. The service can also throttle by IP address or user agent to reduce the impact of traffic that is overly aggressive but does not merit full blocking.
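The difference between dropping and throttling can be shown with a small edge-filter sketch. This is an added example, not Instart's code or configuration: the `EdgePolicy` class, the exact-match rules, the token-bucket limits and the sample traffic (documentation-range IPs, made-up user agents) are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Bucket:
    rate: float    # tokens refilled per second
    burst: float   # bucket capacity
    tokens: float
    last: float = 0.0

class EdgePolicy:
    """Hypothetical edge filter: exact-match blocklists plus token buckets."""
    def __init__(self, blocked_ips=(), blocked_uas=(), throttled=None):
        self.blocked_ips = {ip.lower() for ip in blocked_ips}
        self.blocked_uas = {ua.lower() for ua in blocked_uas}
        # throttled maps ("ip" | "ua", value) -> (rate_per_sec, burst)
        self.limits = {(k, v.lower()): Bucket(r, b, tokens=b)
                       for (k, v), (r, b) in (throttled or {}).items()}

    def decide(self, ip, user_agent, now):
        ip, ua = ip.lower(), (user_agent or "").lower()
        if ip in self.blocked_ips or ua in self.blocked_uas:
            return "drop"            # blocked outright, never reaches origin
        for key in (("ip", ip), ("ua", ua)):
            bucket = self.limits.get(key)
            if bucket is None:
                continue
            elapsed = now - bucket.last
            bucket.tokens = min(bucket.burst, bucket.tokens + elapsed * bucket.rate)
            bucket.last = now
            if bucket.tokens < 1.0:
                return "throttle"    # over its allowance, but not blocked
            bucket.tokens -= 1.0
        return "pass"

# Constructed sample traffic: (time_s, ip, user_agent)
SAMPLE = [
    (0.0, "203.0.113.9", "Mozilla/5.0"),        # blocked IP
    (0.0, "192.0.2.10", "BadBot/1.0"),          # blocked user agent
    (0.0, "198.51.100.7", "FastCrawler/2.1"),   # throttled UA, burst of 2
    (0.1, "198.51.100.7", "FastCrawler/2.1"),
    (0.2, "198.51.100.7", "FastCrawler/2.1"),   # burst exhausted
    (1.5, "198.51.100.7", "FastCrawler/2.1"),   # refilled at 1 token/s
    (1.5, "192.0.2.44", "Mozilla/5.0"),         # ordinary client
]

def run_sample():
    policy = EdgePolicy(blocked_ips=["203.0.113.9"], blocked_uas=["BadBot/1.0"],
                        throttled={("ua", "FastCrawler/2.1"): (1.0, 2.0)})
    return [policy.decide(ip, ua, t) for t, ip, ua in SAMPLE]

if __name__ == "__main__":
    print(run_sample())
```

A throttled client recovers on its own once its bucket refills, while a blocked one stays dropped until the rule is removed.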
24x7x365 network monitoring and incident response
Our world-class operations team monitors all components of our service 24x7x365 from locations in North America and Asia. The team is always proactive in adjusting our global network configuration to ensure availability and security. In addition, the team has a wide variety of controls available to block and drop malicious traffic on your behalf when needed.