At Tech Connections Internet we have several layers of DOS and DDOS protection both within the Tech Connections Internet network itself and also with our upstream IP Transit providers and partners.  These are summarised below:

Tech Connections Internet Network Processes

• Tech Connections Internet Operate SBCs in front of our core voice application services and these SBCs protect our network from DOS attacks and fraudulent activity:
  • We have 8 SBCs deployed across our 3 main data centres supporting both Tech Connections Internet Retail and Wholesale Partnered customers
  • Each SBC operates as a highly scalable proxy to protect our backend application server cluster of hosts and can handle 1,000's of requests per second without any issue.
  • Each SBC also operates a highly scalable RTP Engine Proxy service so both SIP and RTP are protected on our backend voice core network
  • Each SBC has multiple layers of protection including packets per second limits on source addresses and automatic blocking of SIP traffic in the event of repeated REGISTER failures.  We also have tailored rules for New Zealand and Australia to recognise the source of the incoming traffic
  • Automated Firewall rules applied to source addresses that exceed a normal threshold level of packets per second inbound to our voice servers and SBCs
• Tech Connections Internet has several layers of fraud prevention to protect customers including:
  • Real time Heuristics to spot unusual call activity specifically with calls to overseas numbers and expensive destinations
  • Several threshold levels for differing customer types and destinations to catch fraud traffic quickly to limit call volumes to known fraud destinations.
  • Spend thresholds on an hourly and daily basis to protect the customer against unusual spending activity on their account(s)

Upstream IP Transit Networks

Tech Connnections Internet have 3 upstream IP transit providers and multiple peering points across New Zealand.  This allows us to move traffic easily using BGP and routing updates in the event of unusual network activity and find the best solution to mitigate against any DoS or DDoS attacks:

• We have 2 different levels of DDoS protection, the 1st level is that we will attempt to scrub traffic up to around ~20g per sensor (we have sensors at all entry points to the network).
• Once this has been exhausted, we will null-route target IP address, and announce this blackhole to our upstreams automatically, as well as to the Team Cymru UTRS project, which propagates the null route around the globe fairly quickly.

Product Feature Summary DDoS Mitigation

• Standard DDoS Protection (Out-of-Path)
  • On-Net BGP Flowspec Traffic can be redirected based on:
    • Source / Destination Prefix
    • IP Protocol (UDP, TCP, ICMP, etc.)
    • Source and/or Destination
    • Port
  • Upstream Network Protect
    • Volumetric attack mitigation
    • Null routes and permanent ACLs
    • Rate Limiters
  • DDoS Mitigation

    
    

    • On-demand triggered blackhole by customer or by Tech Connections Internet
    • Automatically redirected for scrubbing if attack reaches >100Mbps or 10000pps
    • Automatically blackholed upstream at 5Gbps of attack traffic

• In-line DDoS Protection (Always-On)
  • Volumetric and application layer attack mitigation
  • Low and slow attack mitigation
  • Zero day attack protection
  • Layer3-Layer7 attack mitigation
  • Traffic permanently flows through scrubbers
  • Attack detections and mitigations in 18 seconds or less
• Always On Mitigation
  • On-demand Blackhole triggered by customer or by Tech Connections Internet NOC
  • Automatically blackholed upstream at 5Gbps of attack traffic