UltraDDoS Protect

Vercara UltraDDoS Protect is one of the largest, dedicated cloud-based, on-demand DDoS mitigation services in the world with a data scrubbing capacity of 15 Tbps, with plans for further expansion. When activated, UltraDDoS Protect scrubs malicious Internet traffic, allowing clean, legitimate traffic to flow to your infrastructure. By defending your website, UltraDDoS Protect shields your online revenues, customer satisfaction, and brand reputation.

Our security operations are fully manned 24/7 by senior-level DDoS mitigation professionals. The countermeasures, processes, and practices built from more than a decade of thwarting DDoS attacks make Vercara your best partner to monitor and respond to threats – even flexibly changing defenses as attackers assault using multiple tactics from multiple vectors with multiple motives.

When attacked, traffic can be redirected in two ways:

  • DNS redirection
  • Border Gateway Protocol (BGP) redirection

It’s easy. Simply switch the DNS A records for any hosts under DDoS attack to your assigned UltraDDoS Protect IPs. Traffic will start flowing through the UltraDDoS Protect mitigation cloud, where it’s cleaned and forwarded to your infrastructure. Once a DDoS attack subsides, just switch your DNS A records back to your original IPs.

You can add additional logging anywhere in your script using log('message'). These messages will show up at the bottom of the validation results dialog. Tip: log messages are useful for tracking variables and unique values as well as key execution points.

Vercara UltraDNS is an enterprise-grade, cloud-based authoritative DNS service that securely delivers fast and accurate query responses to websites and other vital online assets.

The most common error is the converted script expecting 3xx response codes, but seeing 200 instead. This is usually caused by ads, which were originally redirected to register a unique impression. When the converted script attempts to replay the same request, it is caught by the ad server as a duplicate, and the response is altered to prevent additional (false) ad impressions. The fix is as simple as removing the faulty requests or changing the expected response code to what was actually returned. For example:

c.get("http://example.com/ad?req=12345", 301);

Change to:

c.get("http://example.com/ad?req=12345", 200);

The second most common issue is content from third-party domains. The blacklist requests directive from the original RBU script will not be maintained in the Basic script. Our recommendation is to remove any third-party requests from the script. Here is an example of requests that would be removed:

c.get("https://connect.facebook.net/en_US/all.js", 200);

c.get("https://ssl.google-analytics.com/ga.js", 200);

No. You can use any DNS solution. Just be sure your solution lets you set a low TTL (time to live) for each record, so you can quickly redirect your traffic to UltraDDoS Protect. With Vercara UltraDNS, you can set a lower TTL at both the domain and record levels.
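The low-TTL requirement above can be checked before an attack by auditing the zone for records that would be slow to redirect. This is an added example, not Vercara tooling: the zone excerpt is constructed, the 300-second threshold is an assumption, and the parser only handles one-line records with an explicit owner name and a numeric TTL.

```python
# Constructed zone-file excerpt (RFC 1035 master-file style, simplified).
ZONE = """\
$TTL 86400
www      300    IN  A      192.0.2.10
shop            IN  A      192.0.2.20   ; inherits $TTL
api      3600   IN  A      192.0.2.30
cdn      60     IN  CNAME  edge.example.net.
mail            IN  MX     10 mx.example.com.
"""


def parse_records(zone_text):
    """Yield (name, ttl, rtype); a record without its own TTL uses $TTL."""
    default_ttl = None
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0].upper() == "$TTL":
            default_ttl = int(fields[1])
            continue
        name, rest = fields[0], fields[1:]
        ttl = default_ttl
        if rest and rest[0].isdigit():            # explicit per-record TTL
            ttl, rest = int(rest[0]), rest[1:]
        if rest and rest[0].upper() == "IN":      # optional class field
            rest = rest[1:]
        if rest:
            yield name, ttl, rest[0].upper()


def slow_to_redirect(zone_text, max_ttl=300, types=("A", "AAAA", "CNAME")):
    """Return (name, ttl) for address/alias records with TTL above max_ttl.

    A resolver that cached the record just before the switch may keep
    sending traffic to the old address for up to `ttl` seconds.
    max_ttl=300 is an assumed threshold, not a vendor requirement.
    """
    return [(name, ttl) for name, ttl, rtype in parse_records(zone_text)
            if rtype in types and ttl is not None and ttl > max_ttl]


if __name__ == "__main__":
    for name, ttl in slow_to_redirect(ZONE):
        print(f"{name}: TTL {ttl}s exceeds threshold")
```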

Vercara UltraDNS Firewall is a cost-effective enterprise-grade, cloud-based recursive DNS service that delivers fast and reliable access to vital online applications with built-in security and threat intelligence.

Security, reliability, and performance, which is just what you want in your DNS provider. They’re the reasons Fortune 500 and Alexa 100 companies count on Vercara to secure this cornerstone of their connected world.

Yes, our DNS redirection service can forward traffic to DNS CNAME records. This is important if you want to place Vercara’s DDoS prevention service in front of your CDN service.

Yes. Vercara maintains PCI DSS Level 1 compliance for its UltraWAF and UltraDDoS Protect solutions. Vercara is audited annually by a third-party Qualified Security Assessor (QSA). Vercara’s Attestation of Compliance (AoC) is available upon request.

When you’re hit with a DDoS attack, we’ll work with you to redirect traffic to the UltraDDoS Protect mitigation cloud. For affected prefixes, you’ll withdraw BGP announcements from your routers. Our Security Operations Center will initiate BGP announcements from the UltraDDoS Protect network. Within minutes, UltraDDoS Protect will start to absorb the attack. Security Operations will oversee DDoS prevention, sending clean traffic to your infrastructure via GRE tunnels. When the DDoS attack ends, we’ll help you re-establish BGP announcements on your routers for affected prefixes.

To use BGP redirection you must have:

  • A /24 prefix, at a minimum.
  • A BGP (Border Gateway Protocol) and GRE (Generic Routing Encapsulation) capable router.
  • IP address space to terminate GRE tunnels that lie outside of the prefixes that you need to be defended.

Both DNS and BGP are efficient ways to route your traffic to UltraDDoS Protect. Most customers choose DNS redirection because it’s easier to deploy and maintain. If you have a more complex Internet infrastructure, with many hosts and IPs to defend, you may want to opt for BGP routing. Note: BGP routing requires one or more /24 prefixes, along with BGP/GRE-capable routers. Any router that can handle BGP and GRE (Generic Routing Encapsulation) tunnels should be compatible.

Yes. Always-on has become the industry’s best practice for DDoS protection as it allows immediate mitigation of common DDoS attacks and mitigation within seconds for more complex attacks. We encourage all customers to migrate to the UltraDDoS Protect always-on service to maximize their protection capabilities. The UltraDDoS Protect network boasts over 15 Tbps of capacity to handle multiple times the largest attacks, and its presence in many datacenters around the world ensures low-latency operation where our customers operate.

Clean traffic is defined as the total amount of traffic to be protected going in and out of your network to the Internet in Mbps (Megabits/Second) or Gbps (Gigabits/Second), at the 95th percentile. If multiple services (e.g., email, Web, etc.) are to be protected, each service must be measured and added to the total.

Using the right unit of measurement is critical. UltraDDoS Protect packages use Mbps (Megabits/Second) or Gbps (Gigabits/Second). Other formats such as MBps or MB/Sec (megabytes per second), KB/Sec (kilobytes per second), or Kbps (kilobits per second) should be converted to Mbps for accurate measurement.

To determine your clean traffic, your technical team should look at Netflow data on your routers, MRTG, or CACTI graphs. You can also take a look at your Apache or IIS web logs.
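A worked calculation of the clean-traffic figure defined above, as an added example that is not Vercara's own tooling. It assumes decimal units (1 Mbps = 1,000,000 bits/s), the nearest-rank percentile convention, and samples that already combine inbound and outbound traffic per interval; the service names and sample values are constructed.

```python
# Bits per second represented by one unit of each rate (decimal units assumed).
BITS_PER_SEC = {
    "Kbps": 1_000,           # kilobits per second
    "Mbps": 1_000_000,       # megabits per second
    "Gbps": 1_000_000_000,   # gigabits per second
    "KB/s": 8_000,           # kilobytes per second
    "MB/s": 8_000_000,       # megabytes per second
}


def to_mbps(value, unit):
    """Convert a rate to Mbps; reject unknown units instead of guessing."""
    if unit not in BITS_PER_SEC:
        raise ValueError(f"unknown unit: {unit}")
    return value * BITS_PER_SEC[unit] / 1_000_000


def percentile_95(samples):
    """Nearest-rank 95th percentile: the value at rank ceil(0.95 * n)."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = (95 * len(ordered) + 99) // 100   # integer ceil(0.95 * n)
    return ordered[rank - 1]


def clean_traffic_mbps(services):
    """Measure each service at its 95th percentile, then add the results."""
    return sum(percentile_95([to_mbps(s, unit) for s in samples])
               for unit, samples in services.values())


# Constructed samples: 20 intervals per service, each value = in + out.
SERVICES = {
    "web": ("MB/s", [10, 11, 12, 10, 9, 13, 12, 11, 10, 12,
                     11, 10, 14, 12, 11, 10, 13, 12, 11, 60]),
    "email": ("Kbps", [800, 900, 850, 700, 950, 1000, 900, 800, 750, 900,
                       850, 800, 900, 950, 700, 800, 850, 900, 1200, 5000]),
}

if __name__ == "__main__":
    print(f"clean traffic: {clean_traffic_mbps(SERVICES):.1f} Mbps")
```

The single 60 MB/s burst in the web samples falls in the discarded top 5%, so the web service counts as 14 MB/s (112 Mbps) rather than its 480 Mbps peak.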

UltraDDoS Protect packages are available for up to 40 Gbps of clean traffic but have no upper limit to our requirements.

For clean traffic beyond 2 Gbps, please contact our sales team at +1-855-727-1209 to find the right solution for your infrastructure.

Once traffic starts flowing through UltraDDoS Protect, DDoS protection procedures are initiated immediately and our Vercara Operations Staff tunes mitigation strategies appropriately.

Absolutely. The Vercara team can provision you during a DDoS attack (an additional fee applies). Before we start, set your TTL for each DNS record as low as possible. By following this best practice, you’ll accelerate your DNS changes across the Internet, helping to stop the DDoS attack faster and reduce website downtime.

When you sign up for UltraDDoS Protect, we ask you to supply details on the infrastructure you want to be protected. After we receive these, we schedule a call to review your infrastructure in depth. Our Security Operations Center then provisions you, sending all instructions required to mitigate DDoS attacks.

Typically, this process takes 72 hours. If you’re under attack, however, we’ll work closely with your team to provision you in minutes.

When you sign up for UltraDDoS Protect, we ask you to supply details on the infrastructure you want to be protected. After we receive these, we’ll schedule a call to review your infrastructure in depth. Our Security Operations Center will then provision you, sending you detailed instructions on setting up GRE tunnels. The SOC will also schedule a time to test your tunnels’ functionality with you. If you need emergency provisioning, we’ll initially set you up via DNS redirection, so we can mitigate the attack as we proceed with BGP provisioning.

Yes. If you have network connectivity from diverse carriers, UltraDDoS Protect can be your one DDoS protection service. It’s much easier and less expensive than having all your carriers supply their own protection.

No. UltraDDoS Protect is a DDoS mitigation service and doesn’t protect you against attempted intrusions like SQL injection attacks or cross-site scripting attacks.

Deployed strategically across the world, UltraDDoS Protect scrubbing centers use the same Anycast technology as Vercara UltraDNS. To minimize latency, we route traffic to the closest available scrubbing center. We can also cache static content to ensure faster replies. While routing traffic through additional hops will add some latency, it’s a matter of milliseconds. Visitors to your site won’t notice any difference. To reduce latency to an absolute minimum, we offer the Vercara NetProtect™ service to complement UltraDDoS Protect.

Vercara NetProtect augments UltraDDoS Protect with a direct connection into each of our strategically located data scrubbing centers around the world to deal with denial-of-service attacks. Designed for highly complex, enterprise-level systems, it addresses and mitigates, or entirely avoids, the concerns of latency, complexity, and other anomalies that are commonly associated with legacy Generic Routing Encapsulation (GRE) and Virtual Private Network (VPN) tunnel systems.

Yes, we do. We also have Vercara UltraWAF. This web application firewall can be used in combination with UltraDDoS Protect to provide a cloud-based, always-on solution that protects against threats to layers 3-7. Cloud-provider, hardware, and CDN agnostic, Vercara UltraWAF is compatible anywhere your applications are hosted.

Customers direct their NetFlow data to Vercara for constant analysis and mitigation triggers when an attack is detected. For those short on expertise and staff, this defense option provides a valuable extension to stretched security operations.

Standard configurations that allow an UltraDDoS Protect customer to mitigate in either DNS redirection or BGP connection service configurations. Attack traffic will spark mitigation for the targeted host reducing the time-to-mitigation and improving reaction times.

Available with Vercara’s standard on-demand BGP service and allows customers to call the UltraDDoS Protect API to begin their mitigation. The ability for this API to be leveraged with other security services creates new potential stable state improvements and protective actions automatically.

Endpoint detection, based upon bits per second and/or packets per second thresholds that when exceeded, initiates an alert for BGP redirection mitigation.