DDoS Attack Mitigation:  What happens when a DDoS attack occurs?

 What happens when a DDoS attack occurs?

This article describes the events that take place when Silverline SOC mitigates an attack.

There are a number of different configurations, so review the sections below that pertain to your setup:

• I am an "Always On" customer

• I am an "Always Available" customer

  • I have configured Silverline with Hybrid Defender (DHD).

  • I have configured Silverline to monitor my routers.

  • Other Configuration

---------------------------

I am an "Always On" customer

1. Silverline SOC will receive an alert based on flows gathered from our monitoring devices
2. We'll inspect traffic destined toward the alerted attack target
3. If an attack is identified, we'll begin mitigation.
   1. Unless specified otherwise on RTIP - How to Set Up Real-Time Incident Procedures (RTIP) for DDoS Attacks
4. We alert you based on what's written in your RTIP -  How to Set Up Real-Time Incident Procedures (RTIP) for DDoS Attacks
5. We'll keep you updated about the attack vector and volume. 
   1. Countermeasures are adjusted as attack vectors change.
6. Once the attack has ended, we will end the mitigation

I am an "Always Available" Customer

For almost all Always Available configurations, we recommend using our Route Origination feature which makes the process of activating and de-activating traffic routing through Silverline very simple and easy. 

As an Always Available customer, there are several configuration options including the following:

I have configured Silverline with Hybrid Defender (DHD).

1. Your On-Prem DHD will email the Silverline SOC that it has detected an attack. SOC is paged for all new tickets.
2. One of the following will occur
   1. We'll reach out to you to discuss next steps
   2. If you indicate in your Real-Time Incident Procedures for us to route your traffic on, then we will do so -- How to Set Up Real-Time Incident Procedures (RTIP) for DDoS Attacks
3. Once we observe traffic, we'll inspect for an attack
4. If an attack is identified, we'll begin countermeasures
5. We'll keep you updated about the attack vector and volume
6. Once the attack has ended, we will end the mitigation and withdraw your traffic, returning delivery via your ISP

See: Getting Started with Hybrid Signaling: Integrating On-Prem BIG-IPs With Silverline

I have configured Silverline to monitor my routers

1. Silverline SOC will receive an alert based on flows gathered from your router
2. One of the following will occur
   1. We'll reach out to you to discuss next steps.
   2. If you indicate in your Real-Time Incident Procedures for us to route your traffic on, then we will do so. -- How to Set Up Real-Time Incident Procedures (RTIP) for DDoS Attacks
3. Once we observe traffic, we'll manually inspect for an attack
4. If an attack is identified, we'll begin countermeasures
5. We'll keep you updated about the attack vector and volume
6. Once the attack has ended, we will end the mitigation and withdraw your traffic, returning delivery via your ISP

See: Router Monitoring

Always Available: Other Configuration

1. When you detect an attack, you must advertise your route to us
2. Depending on the severity of the attack, the SOC will be alerted. Otherwise you may need to contact us to inform us about the attack observed
3. Once we observe traffic traversing our scrubbing centers, we'll inspect for indications of an attack
4. If an attack is identified, we'll begin countermeasures
5. We'll keep you updated about the attack vector and volume
6. Once the attack has ended, we will end the mitigation and you will then withdraw your routes, returning delivery via your ISP

Related Content

• Getting Started with Silverline DDoS Routed Services
• Can we configure DDoS Services without any interaction from the SOC / Support ?
• Overview: Integrating On-Prem BIG-IPs With Silverline
• Router Monitoring
• Route Origination / Route Advertisement
• How to Set Up Real-Time Incident Procedures (RTIP) for DDoS Attacks