Our network is proactively filtered in 3 different stages (upstreams, core-routers, distribution routers) and dynamically filtered in 2 stages (distribution routers, firewalls). Our NIDS (Network Intrusion Detection System) device captures inbound traffic, detects and logs malicious traffic, analyzes it and finally provides the most appropriate filtering rules (layers 3-7) to our network firewalls by filtering the attack(s) with the least possible loss of legit traffic. NIDS' logging function includes reporting (after completing anti-spoof checks) source IPs involved to ISPs' abuse departments and anti-intrusion organizations which are connected with law authorities.
Our firewalls are capable to provide up to layer7 filtering and they're connected between our core-router (which is directly connected to our data center's core-router) and our main router (which our switches are connected to) receiving filtering rules from NIDS and/or rarely from our staff members. Our firewalls have been designed to function both independently and as a whole. By default they all function together, but if for any reason NIDS becomes unavailable, the firewalls will start functioning independently. This may result in a temporary slower performance in order to avoid the network being unfiltered until NIDS becomes available again. Additionally, if one of the firewalls becomes unavailable, it instantly gets excluded from the load balancing system to prevent the network from becoming affected. This way, the network has a complete fail-over no matter if any of the firewalls or NIDS becomes unavailable.
Additionally, our NIDS analyzes and identifies attacks per packet's protocol, packet type and several other characteristics giving the opportunity to our firewalls to filter an attack with at least 15 methods (planning to increase to 20+ methods in the near future). In rare cases, when an attack cannot get filtered differently, an IP null-route is applied. If the attack exceeds a specific number of Gbps (Gigabits per second) or Mpps (Million packets per second), additional ACLs may get applied in our router(s).
The firewalling mechanism described above has been completely designed and engineered by Host Honey staff using fundamental understanding of filtering, intensive knowledge and experience in preventing DDoS attacks. Our firewalls and NIDS use as open-source operating system with engineered firewalling and detection software.