Nexusguard ClearDDoS provides enterprises – of all industries, form and factor – with reliable, cost-effective and scalable DDoS Protection services, backed by a globally distributed scrubbing platform that is able to handle the largest and most complex DDoS attacks today and in the future, including Zero-Day attacks.

As a cloud-based service, ClearDDoS can be deployed quickly and easily without any customer pre-requisites. This translates to higher efficiencies and lower costs, while remaining fully scalable to adapt to business growth and changes.

Nexusguard’s ClearDDoS encompasses the following:

•		Equipped with network capacities in excess of 120gbps to handle the largest attacks ever yet to be witnessed.
•		Utilizes a diverse spread of Global network carriers, including more than a dozen Asian carriers and numerous American and European carriers.
•		More than 50+ peering to different ISPs globally enables carrier diversity to facilitate our delivery of the best routing optimization to effectively eliminate of single-carrier dependencies and single point failures.
•		Multi-million dollar full-scale scrubbing centers in Hong Kong, Taiwan and San Jose delivers massive scrubbing capacity in close proximity to our customers, wherever they are.
•		Fully-meshed with redundancy for 100% availability.
•		Multi-national team of experts with localized understanding of cultures and practices to provide consultation in English, Mandarin, Bahasa Malaysia, Bahasa Indonesia, Tagalog, Tamil and Thai.

ClearDDoS Protection Scope
Complementing commercially available products with in-house custom developed system, Nexusguard is able to perform surgical multi-layer DDoS mitigation against attacks targeting at various OSI layers of the services, including but not limited to;

• ICMP Flood • UDP Flood • SYN Flood • Application-Level Floods • CC Attack
• Reflective attack • Degradation-of-service attacks • Unintentional DDoS

Nexusguard Processes
Whilst businesses may be similar, we understand that all businesses are unique in certain ways. At Nexusguard, we work with each and every of our customers to understand that unique setup so we can deliver solutions that synergize with their business practices – from setup, testing, right down to commissioning.

Dynamic DDoS attacks require real-time comprehensive, meticulous detection and action. Nexusguard subjects DDoS attack traffic through multiple layers of inspection to deliver fast, clear traffic.

Nexusguard Comprehensive Filtering

Hi-Speed Border Filtering
Nexusguard has established peering connections with multiple core Internet Service Providers to provide multi-gigabit attack protection. Each peer is closely monitored and continuously evaluated in order to deliver the fastest response time to customer’s critical and latency-sensitive applications.

At Nexusguard’s border, traffic is filtered for bandwidth flood using wire-speed Access Control Lists. Nexusguard also keeps tracking lists of bogon IPs and infected hosts which are also filtered at this layer.

Protocol Verification
At this level, protocol state such as TCP three-way handshake is verified. SYN flood and other similar attack attempts that do not conform to protocol standards are also filtered out.

To mitigate spoofed attacks, Nexusguard utilizes challenge-response algorithms like TCP SYN cookie and TCP SYN Authentication to distinguish between spoofed and legitimate traffic.

1   2

Adaptive Filtering
Nexusguard enforces both Statistical Analysis and Anomaly Recognition filtering for Application Level Attacks. Using Statistical Analysis, unusual number of packets or high traffic rate from zombie clients can be identified and filtered.

Using Anomaly recognition, auto-learning of normal baselines for protocol and source networks flows can be used to identify and filter malicious activities.

Application-Level Filtering
Nexusguard’s deep packet inspection engine provides comprehensive application-layer intelligence, allowing Nexusguard to understand what applications are running on the client’s network to efficiently detect and deter application traffic violations.

With increasing number of attacks from larger-sized clients (or zombies) using valid established connections to overwhelm the system resources, Nexusguard’s anti-zombie system mitigates such HTTP attacks by using a challenge response authentication process to differentiate between legitimate browsers and zombie programs that access the attacked site.

To further mitigate application-specific level attacks, HTTP attacks and/or Zero-Day Attacks, Nexusguard can enforce intelligent HTTP Malformed filtering to ensure the validity of HTTP transactions, and limit the number of connections or requests to specific objects.

Flexible-Content filtering
Nexusguard DDoS Mitigation System continuously monitors application traffic for unusual pattern and behavior. Using its proprietary pattern recognition and analysis system, Nexusguard deters morphing HTTP Flood attacks by adapting flexible-content filters to counter evasive intents rapidly.

Rate-Limiting
Rate-limiting will be applied to further limit the exploitation of system and bandwidth resources against baseline statistics.

1   2

Customers may choose to deploy Nexusguard’s solutions in a variety of options:

Proxy Solution Proxy Solution clients will redirect their traffic to Nexusguard scrubbing centers by changing the DNS on their domain record to the Virtual IPs provided. Nexusguard will work with customers to create and secure a backend channel to prevent further direct attacks.
Tunnel Solution Nexusguard Tunnel solution uses GRE to create a tunnel or virtual transport to connect Nexusguard with client infrastructure. BGP is then used inside the tunnel to exchange routing information. Tunnel solution is flexible and transparent, without any modification of client data using Network Address Translation or other methods. Nexusguard Tunnel solution is stable and reduces the risk of client’s real IP being attacked.
Direct Circuit Direct Circuit creates a direct physical connection between Nexusguard and the client for discerning customers who demand the highest level of protection. Although costlier than the other two options, the client enjoys dedicated true out-of-band connection for optimal security and reliability.

ClearDDoS is available in two operational modes:

Always-on
Point your domain name to Nexusguard’s VIP [Proxy mode] or advertise prefixes to Nexusguard [tunnel or DC mode], and traffic will always go through us for cleaning before proceeding to you. “Dedicated Always On” is the essence of simplicity; once configured there are no changes required regardless of whether you are under attack, or welcoming your millionth online customer.

Particularly suitable for customers who do not have, or have only basic DDoS mitigation systems.

On Demand
Simply point your DNS hostname or advertise your prefix to Nexusguard when your infrastructure is under an attack that is beyond your mitigation capabilities. This “On Demand” deployment may be preferable as it allows for speedier deployments and keeps security considerations firmly within your control.

Often overlooked, DNS plays a critical role in how both the Internet and TCP/IP work. As the Internet moves inadvertently towards IPV6, DNS will serve an important role more than ever. For the same reason, your DNS server is as vulnerable as your production server, if not more.

ClearDNS is a comprehensive and cost-effective solution that can be customized to serve your DNS needs. Choose to host your domain with us, or place your DNS servers under our protection – just like how you procure our ClearDDoS solutions. Our 24x7x365 Security Operation Center will respond with leading traffic scrubbing technologies to keep your DNS service up and running with a guaranteed 100% uptime. Our network is fully redundant and geographically distributed to consistently deliver the fastest, most reliable DNS services.