At CubePath, we have internally developed an advanced DDoS attack mitigation system designed to effectively protect our clients' infrastructure. Our solution, the result of the hard work and experience of our engineering and security team, addresses both volumetric attacks and sophisticated attacks targeting different layers of the OSI model. We utilize cutting-edge technologies and advanced filtering strategies created by us. Below are the technical features of our two levels of protection: Standard AntiDDoS and Premium AntiDDoS.

Standard AntiDDoS

The Standard AntiDDoS service from CubePath, designed and developed by our team, offers robust defense against common DDoS attacks, including amplified attacks and traffic floods. This level of protection is provided completely free of charge, included with all our services, ensuring that every client benefits from essential security measures.

Technical Features

  • Mitigation of Amplification Attacks:

    • Target Protocols: Our system detects and blocks attacks exploiting amplification-susceptible protocols such as NTPDNSSSDPMemcached, and CLDAP.

    • Filtering Techniques: We have implemented specific filters, developed by us, based on packet attributes like source/destination ports, flags, and anomalous traffic patterns.

  • Filtering Based on FlowSpec:

    • Dynamic Policy Distribution: We use BGP FlowSpec across all our edge routers to distribute filtering rules in real-time, allowing rapid response to emerging attacks. Our customized implementation ensures optimal coordination among our Points of Presence (PoPs).

    • Supported Filtering Types: Our solution allows filtering traffic based on source/destination IP addresses, ports, protocols (TCP, UDP, ICMP), TCP flags, packet length, and other attributes, adjusted according to specific needs thanks to our internal tools.

  • High-Performance Global Infrastructure:

    • Edge Routers in Over 5 PoPs: We have deployed our own infrastructure in multiple PoPs worldwide, ensuring proximity to end-users and distributed, efficient mitigation.

    • Substantial Bandwidth: Our capacity to handle large volumes of traffic and volumetric attacks results from our investments in infrastructure and internally developed specific optimizations.

Premium AntiDDoS

The Premium AntiDDoS service from CubePath is the direct result of our commitment to innovation and development. It offers advanced protection against sophisticated DDoS attacks, including those targeting the application layer (Layer 7). This service, created by our team of experts, is optimized for platforms with a large number of players or simultaneous users and applications requiring high availability and low latency.

Cost

  • $35 Monthly: The Premium AntiDDoS service is available for a competitive rate of $35 per month, providing an additional layer of security and advanced protection features.

Advanced Technical Features

  • Stateful Filtering with XDP and eBPF:

    • eXpress Data Path (XDP): We have implemented XDP in a customized way to process and filter packets at the network driver level, allowing high-speed processing before packets reach the kernel's network stack. Our exclusive adaptation maximizes XDP's potential in our infrastructure.

    • Extended Berkeley Packet Filter (eBPF): Our team has developed custom eBPF programs that implement stateful filtering logic, enabling us to maintain connection states and perform deep packet analysis according to our clients' specific needs.

    • Advantages of Our XDP/eBPF Implementation:

      • High Performance and Low Latency: Thanks to our improvements and optimizations, we reduce latency and enhance the system's overall performance.

      • Flexibility and Dynamic Updates: Our tools allow eBPF programs to be updated in real-time without needing to restart the system, facilitating a rapid response to new threats.

  • High-Performance Infrastructure:

    • AMD Ryzen 9 Servers: We have selected and configured servers with high-performance, multi-core CPUs, optimized by our team to handle intensive packet processing.

    • 200 Gbps Network Interfaces: Each server, designed by us, features dual 100 Gbps network connections, providing a total aggregated bandwidth of 200 Gbps per server.

    • Deployment in All Our PoPs: Our servers are strategically distributed across our PoPs, optimized to ensure in-line mitigation and reduce latency, all under our design and management.

  • In-Line Mitigation:

    • Data Plane Processing: Our solution performs mitigation directly within the traffic flow without the need to redirect or encapsulate, avoiding additional latencies and potential points of failure, thanks to our internal development.

    • Total Transparency: We designed our system so that no changes are needed in the client's infrastructure; traffic is automatically protected as it passes through our systems.

  • Advanced Layer 7 Filtering Rules:

    • HTTP/S Protection:

      • Mitigation of HTTP Flood Attacks: Our solutions detect and block malicious HTTP requests intended to exhaust web server resources.

      • Header and Method Validation: We have developed advanced analysis of HTTP headers, methods used, and anomalous patterns to identify malicious traffic.

  • Specialized Protection for Specific Protocols and Applications:

    Our Premium AntiDDoS solution includes specific filters and rules, developed internally, to protect a wide variety of services and protocols:

    • VPN Services:

      • OpenVPN UDP Server and WireGuard Server: We offer specialized protection for VPN servers, ensuring connection integrity and data confidentiality.
        • Online Gaming Protocols:

      We effectively mitigate attacks targeting game servers, including:

      • Minecraft: Java Edition Server

      • FiveM Server Queries

      • Half-Life Dedicated/GoldSrc Server

      • SA-MP Server Queries

      • Arma 3 Server

      • RakNet Server (v2)

      • L4D2/CS:GO Sourcemod Anti-DDoS

      • LiteNetLib Server

      • Quake 3 Server

      • Renegade X Server

      • DayZ Server

      • Squad/Post Scriptum Server

    • Communication and Voice Protocols:

      We ensure the availability and security of services like:

      • TeamSpeak 3 Server

      • SIP Server

      • RTP Server

      • DTLS Server

    • Other Protocols and Services:

      We provide protection for:

      • GRE

      • RDP

      • QUIC Server

      • DNS Server

      • ASE/Multi Theft Auto Queries

      • Lineage II Server

      • RakSAMP Filter

For additional technical information or to discuss specific needs, please contact our specialized technical team. We will be delighted to explain more about our internally developed solutions and how they can benefit your infrastructure.