DDoS Protection
1 - Overview
Service Overview
DDoS Protection is a DDoS (Distributed Denial of Service) detection and mitigation service that uses multiple servers to detect and block attacks that generate concentrated traffic on the network. Through continuous monitoring, it detects external traffic attacks targeting a domain, performs additional verification and blocking, and protects servers inside the DMZ. When a DDoS attack occurs, it blocks and disperses traffic to minimize the load on the origin server, ensuring the continuity of the web service.
The DDoS Protection service of Samsung Cloud Platform is based on SECaaS. All user traffic passes through the SECaaS PoP before reaching the server, and when attack traffic arrives, it is analyzed by the SECaaS Rule, detected and blocked, and only clean traffic is forwarded to the server. Additionally, the service is provided from a nearby PoP based on the user’s connection country, and if a PoP failure occurs, service is provided from another PoP within the same country or region.
Features
- Rapid attack detection: When a large volume of traffic arrives, DDoS attacks are detected and blocked in real time. Detection criteria are continuously updated to address the latest attack techniques.
- Effective attack blocking: When L3/L4/L7 DDoS attacks are detected, additional verification such as a JavaScript challenge or CAPTCHA is applied so that only the attack traffic is blocked while regular users continue to access the website normally, preserving service availability.
- Stable web service operation: With experience in large-scale network operations and 24x365 security monitoring, we can effectively respond to external security threats.
Configuration diagram
Provided features
We provide the following features.
- Intrusion detection through network flow and monitoring
- Detecting and blocking high-volume traffic inbound to a domain
- Perform deep inspection (JavaScript verification, CAPTCHA verification, etc.)
- Block L7 application vulnerability attacks
- 24/7 event monitoring
- Fast traffic processing through a global network
- Fast traffic handling via global PoPs
- Rapid routing transition through SDN and Tier 1 ISP integration
Component
Domain
SECaaS DDoS Protection is registered on a per-domain basis.
- It can only be applied to domains served with an FQDN (Fully Qualified Domain Name); if the service is provided using an IP address instead of a domain, SECaaS DDoS Protection cannot be applied.
- Registration is only possible for domains registered in public DNS; the domain is validated with a DNS lookup, so a domain that resolves to a private internal IP cannot be registered.
- It applies to HTTP/HTTPS traffic from web applications; other TCP traffic is dropped, so those protocols cannot use the service.
Traffic
Traffic is aggregated as the combined Mbps value of the individually registered domains between SECaaS DDoS Protection and the Origin server.
Constraints
To use DDoS Protection, please check the following items in advance.
- Domain Use
- It can be applied only when the service is provided using an FQDN(Fully Qualified Domain Name). If you serve with an IP address instead of a website URL, DDoS Protection cannot be applied.
- Registration is possible only for domains registered in a public DNS. DDoS Protection is located in the external Internet segment and verifies domain integrity via DNS Lookup. (Registration with internal private IPs such as 10.10.10.10 makes DDoS Protection unavailable.)
- Use HTTP/HTTPS
- Only traffic using the HTTP/HTTPS protocol for web applications is accepted.
- TCP traffic that uses protocols other than http/https is dropped, so DDoS Protection cannot be used.
- XFF (X-Forwarded-For) header must remain enabled
- SECaaS DDoS Protection enables the XFF header by default. If the XFF header feature is disabled, sessions may be terminated.
- Client source IP change
- When SECaaS DDoS Protection forwards a user request to the customer system, the source IP is rewritten to an address in the IP range owned by DDoS Protection, not the user's original public IP. The original public IP is delivered in the XFF header, so origin-side access logs, rate limits, and IP-based allow/deny rules must read the client address from XFF rather than from the TCP connection.
- Maximum Upload Size Limit
- The maximum uploadable file size is limited to 500 MB. (If it exceeds 500 MB, separate agreement is required.)
Provision status by region
DDoS Protection is available in the following environments.
| Region | Provision status |
|---|---|
| Korea West (kr-west1) | Provided |
| Korea East (kr-east1) | Provided |
| South Korea South 1 (kr-south1) | Not provided |
| South Korea South 2 (kr-south2) | Not provided |
| South Korea South 3 (kr-south3) | Not provided |
Preliminary Service
This is a list of services that must be pre-configured before applying for the service. Please refer to the guide provided for each service for details and prepare in advance.
| Service Category | Service | Detailed description |
|---|---|---|
| Compute | Virtual Server | Virtual server optimized for cloud computing |
| Security | WAF | A service that protects web applications from web vulnerabilities and attacks |
2 - How-to guides
Users can create the DDoS Protection service by entering the required information through the Samsung Cloud Platform Console.
Create DDoS Protection
You can create and use the DDoS Protection service from the Samsung Cloud Platform Console.
To request the creation of a DDoS Protection service, follow these steps.
- Click the All Services > Security > DDoS Protection menu. You will be taken to the Service Home page of DDoS Protection.
- On the Service Home page, click the DDoS Protection Service Request button. You will be taken to the Support Center > Service Request List > Service Request page.
- On the Service Request page, enter or select the required information in the mandatory input fields.
- In the operation type, select Create DDoS Protection.

| Input field | Detailed description |
|---|---|
| Title | Enter the title of the service request. Example: DDoS Protection service creation request |
| Region | Select the location of the Samsung Cloud Platform. Automatically filled with the region corresponding to the Account |
| Service | Select the service category and service. If you clicked the DDoS Protection Service Request button, this is entered automatically. Service Category: Security; Service: DDoS Protection |
| Task classification | Select the activity you want to request. Create DDoS Protection: select if you are requesting a new service |
| Content | Guide to the service application process and reference information |
| Attachment | Upload the completed DDoS Protection service application form (required) and any additional files you wish to share. You can attach up to 5 files, each no larger than 5 MB. Only doc, docx, xls, xlsx, ppt, ppts, hwp, txt, pdf, jpg, jpeg, png, gif, and tif files are allowed |

Table. DDoS Protection Service Creation Request Items
- After reviewing the application process and reference information, click the Service Request Form Download button under Form Download to download the DDoS Protection Service Application Form.
- Please fill out the DDoS Protection Service Application Form.
- Refer to the item descriptions in the Application Information and Monitoring Information tabs and complete the required fields.

| Category | Detailed description |
|---|---|
| Application Information | Complete required fields such as application type, usage period, and usage amount |
| Monitoring Information | Complete required items such as migration schedule, domain, and secure recipient information. Fill out all items except for special cases |

Table. Main contents of the DDoS Protection service creation request form
- Attach the completed application form in the attachment area.
- Click the Request button on the service request page.
- When the request is completed, check the submitted details on the Support Center > Service Request List page.
- After the monitoring personnel review the submitted service request, they proceed with the process to use the service.
- The monitoring officer will contact you via email to proceed with firewall opening, SECaaS domain authentication, and certificate deployment.
- Refer to the DDoS Protection Service Application page (User Guide > Security > DDoS Protection > How-to guides) to proceed with monitoring integration.
- We will conduct a test at the Security Monitoring Center (securitycenter@samsung.com) to verify the monitoring integration.
- Perform a final check to confirm normal service access and detect any SSL certificate errors.
- The DDoS Protection service is now available.
Check DDoS Protection detailed information
Detailed information on DDoS Protection can be accessed from a separate Security Platform (SSMP).
VM list
- Access the Security Platform (SSMP).
- Enter Knox login information.
- Check the SECaaS deployment status on the Assets > Cloud Monitoring Management > Cloud URL List page. Enter the required fields to query.

| Item | Detailed description |
|---|---|
| Business Unit | Select the appropriate business unit |
| Business name | Click the magnifying glass icon, then search for and enter the corresponding business name |
| Website URL | Enter the URL |
| SECaaS implementation | Select whether SECaaS is applied (Apply/Do not apply) |
| SECaaS mode | Select the SECaaS mode (Block/Detect) |
| SECaaS vendor | Select the SECaaS vendor (None/Imperva/Cloudflare) |
| Platform | Enter SCP |
| Deletion status | |

Table. Search items

- Click an individual URL to view its details.

| SECaaS status | Detailed description |
|---|---|
| Apply (Detection) | SECaaS is applied; attack patterns are detected and logs are analyzed. Detection mode is recommended for at least one month; after false positives/false negatives have been analyzed for that period, switching to blocking mode is recommended (requested via email) |
| Apply (Block) | SECaaS is applied; detected attacks are blocked automatically |
| Not applied | SECaaS is not applied |

Table. SECaaS implementation status
DDoS Protection Terminate
To request termination of the DDoS Protection service, follow the steps below.
Click the All Services > Management > Support Center menu. You will be taken to the Support Center > Service Home page.
On the Support Center Service Home page, click the Service Request button. You will be taken to the Service Request List page.
On the Service Request List page, click the Service Request button. You will be taken to the Service Request page.
On the Service Request page, enter or select the required information in the mandatory input fields.
- Select DDoS Protection termination in the work category.

| Input field | Detailed description |
|---|---|
| Title | Enter the title of the service request. Example: DDoS Protection Service Cancellation Request |
| Region | Select the location of the Samsung Cloud Platform. Automatically filled with the region corresponding to the Account |
| Service | Select the service category and service. Service Category: Security; Service: DDoS Protection |
| Task classification | Select the activity you want to request. Cancel DDoS Protection: select if you are canceling the service |
| Content | Guide to the service application process and reference information |
| Attachment | Upload the completed DDoS Protection service application form (required) and any additional files you wish to share. You can attach up to 5 files, each no larger than 5 MB. Only doc, docx, xls, xlsx, ppt, ppts, hwp, txt, pdf, jpg, jpeg, png, gif, and tif files are allowed |

Table. DDoS Protection service termination request items
After reviewing the Application Process and Reference Information, click the Form Download > Service Request Form Download button to download the DDoS Protection Service Application Form.
Please complete the DDoS Protection Service Application Form.
- Refer to the item descriptions in the Application Information and Monitoring Information tabs and complete the required fields.

| Category | Detailed description |
|---|---|
| Application Information | Fill in required items such as application type and usage period. Usage amount does not need to be filled in |
| Monitoring Information | Complete required items such as migration schedule, domain, and secure recipient information. Complete all items except for special notes |

Table. Main contents of DDoS Protection service termination request form
Attach the completed application form to the attachment area.
Click the Request button on the service request page.
- Once the request is completed, verify the submitted information on the Support Center > Service Request list page.
After the monitoring staff verifies the submitted service request, the termination process is completed once the URL is deleted.
- Service termination takes 2–3 business days (including the cancellation request date).
- The restoration of DNS settings that were changed for SECaaS implementation must be performed directly by the service operator.
- When the service termination is completed, you cannot view the URL on the Security Platform (SSMP) Assets > Cloud Monitoring Management > Cloud URL List page.
2.1 - DDoS Protection Preparation
Configure firewall open settings
Each segment of the path Client (User) → SECaaS (DDoS Protection) → Origin Server requires firewall opening. For the information required to open the firewall (Source, Type, Protocol, Destination), inquire via the Support Center > Contact Us menu.
- Proceed with opening the firewall for the segment where the client (User) connects to SECaaS (DDoS Protection).
- The default supported web ports for SECaaS are as follows.
- http : 80, 8080, 8880, 2052, 2082, 2086, 2095
- https : 443, 2053, 2087, 2096, 8443
- For websites that use ports other than the default supported web ports, fill out the DDoS Protection service request form and submit a service request. We will provide the Destination IP to the email account on the service request form. If the ports are changed (added or removed) or the Origin is changed after SECaaS is applied, the IP may change; if you notify the security monitoring center account (securitycenter@samsung.com) in advance, the responsible person will inform you of the changed IP.
- If you are not using an IPv6 address, registration is not required.
- The service application form can be downloaded and attached from the All Services > Security > DDoS Protection menu by clicking the DDoS Protection Service Request button, then downloading it on the Service Request screen.
- For information related to service application, see Create DDoS Protection in the How-to guides.

| Source | Type | Protocol | Destination (SECaaS) |
|---|---|---|---|
| Client | HTTP, HTTPS | TCP | IPv4: 162.159.141.5 / 172.66.1.3; IPv6: 2606:4700:7::102 / 2a06:98c1:58::102 |

Table. Example of IP forwarding form
- Open the firewall for the SECaaS (DDoS Protection) → Origin Server segment.
- The origin server is the device that receives traffic from SECaaS (e.g., an LB or a server).
- The firewall or security device in front of the origin server must allow only the SECaaS IP range.
- Cloudflare IP range information: https://www.cloudflare.com/ko-kr/ips/
- If you are not using an IPv6 address, the IPv6 ranges do not need to be registered.

Caution: Block web traffic (HTTP, HTTPS) from any source outside the specified range. If it is not blocked, the origin IP may be exposed, allowing attacks that bypass SECaaS entirely, and such bypass traffic is difficult to monitor.
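The source-IP constraint (the client address arrives only in X-Forwarded-For) and the caution above (accept web traffic only from the SECaaS range) meet on the origin: the application must read the client address from XFF, but only when the TCP peer really is a SECaaS node, otherwise anyone who discovers the origin IP can forge the header. The firewall allowlist is the first line; the following is an added, origin-side check for defense in depth. It is example code, not Samsung Cloud Platform or Cloudflare code. The CIDR list is an assumed snapshot of a few ranges from the Cloudflare page linked above (chosen so the addresses in this guide fall inside them); production code should load the live list from that URL.

```python
import ipaddress
from typing import Iterable, Optional

# Assumed snapshot of a few SECaaS (Cloudflare) egress ranges. The authoritative
# list is the Cloudflare IP page linked in the guide; load it from there at
# deploy time instead of hard-coding, because the ranges can change.
TRUSTED_PROXY_CIDRS = [
    "103.22.200.0/22",
    "162.158.0.0/15",
    "172.64.0.0/13",
    "2606:4700::/32",
    "2a06:98c0::/29",
]


def build_networks(cidrs: Iterable[str]) -> list:
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


TRUSTED = build_networks(TRUSTED_PROXY_CIDRS)


def is_trusted_proxy(ip: str, networks=TRUSTED) -> bool:
    """True only for addresses inside the SECaaS range; malformed input is never trusted."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in networks)


def client_ip_from_xff(peer_ip: str, xff_header: Optional[str], networks=TRUSTED) -> Optional[str]:
    """Return the real client IP for a request, or None if the request must be rejected.

    peer_ip    - the TCP peer the origin actually accepted the connection from
    xff_header - the raw X-Forwarded-For header value, or None if absent
    """
    # 1. The TCP peer must be a SECaaS node. Anything else reached the origin
    #    directly, i.e. it bypassed DDoS Protection, and its XFF header is
    #    attacker-controlled. Reject rather than log a forged address.
    if not is_trusted_proxy(peer_ip, networks):
        return None
    # 2. SECaaS always sets XFF (the guide notes that disabling it breaks
    #    sessions), so a trusted peer without the header is an anomaly too.
    if not xff_header:
        return None
    # 3. Walk the hops from right to left. Each trusted proxy appends the address
    #    it saw, so the rightmost hop that is NOT a trusted proxy is the client as
    #    seen by SECaaS. Anything to its left was supplied by the client and may be
    #    forged, e.g. "10.0.0.1, <real ip>".
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop, networks):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return None  # malformed hop: treat the whole header as hostile
    return None  # every hop was a proxy; no client address to report
```

Wire `client_ip_from_xff` into whatever populates access logs, rate limiters and IP allowlists; a `None` result should be answered with a rejection, since it means the request either bypassed SECaaS or carried an unusable header.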
Authenticate SECaaS domain
To authenticate the registrant of the domain, you must create a host and add a TXT record for domain verification to DNS.
- Authentication typically takes about 15 minutes after registration, but can take up to 24 hours depending on the environment. For example, when registering www.test.com, you create the host and TXT record we provide in the DNS for that domain.
Applying SECaaS Certificate
You can select and use either the certificate provided by SECaaS or the certificate supplied by the customer. Certificate installation is possible only if HTTPS is enabled for the domain; if the certificate is not installed, HTTPS communication will not work.
1. When using SECaaS certificate
- A new SSL certificate is issued for the Client ↔ SECaaS segment.
- Domain ownership must be validated for the issued certificate. Validation is performed by creating the HOST and CNAME values we provide in DNS.
- The certificate cannot be exported or delivered to the customer, and it is renewed automatically, so no separate renewal is required.
- Authentication typically takes about 15 minutes after registration, but may take up to 24 hours depending on the environment.
2. When using a client (Custom) certificate
- Provide the full-chain certificate, key file, and key value.
- Registering a single certificate instead of the full chain causes an API communication error. (Only pfx, pem, and cer files are supported.)
- For renewal, the renewed certificate must be provided before the current certificate expires.
2.2 - DDoS Protection Service Application
After completing the service request on the service request page, proceed with the steps below in order.
Perform pre-test
- Before changing the traffic path with SECaaS, run a test to verify that it works correctly.
- The security monitoring center provides the IP to be used in SECaaS. Example: 103.22.200.1
- We will explain using aaa.test.com as the website example.
- Add the example text below to the C:\Windows\System32\drivers\etc\hosts file and save it.
- Example phrase : 103.22.200.1 aaa.test.com
- Open the URL in Chrome, press F12 to open the developer tools, select the Network tab, and press F5 to reload.
- The pre-test passes when the response header X-cdn has the value imperva, or when the Remote Address column shows a SECaaS IP. Remove the hosts entry once the test is done so the machine follows public DNS again.
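The same pre-test can be scripted instead of editing the hosts file and reading developer tools. This is an added example, not part of the guide: it opens TLS to the SECaaS IP while presenting the website name as SNI and Host, exactly as the browser does after the hosts-file change, so a certificate error surfaces here as it would for a user. The IP 103.22.200.1 and the hostname aaa.test.com are the guide's own examples; the response bytes in the test are constructed.

```python
import socket
import ssl

SECAAS_TEST_IP = "103.22.200.1"   # IP provided by the security monitoring center (guide example)
HOSTNAME = "aaa.test.com"         # website under test (guide example)
SECAAS_IPS = {SECAAS_TEST_IP}


def fetch_head_via(secaas_ip: str, hostname: str, path: str = "/", timeout: float = 10.0) -> bytes:
    """Connect to secaas_ip, but negotiate TLS and send Host for `hostname`.

    Certificate validation runs against `hostname`, so a mismatch raises
    ssl.SSLCertVerificationError: the same failure a user would see.
    Only the response head is read; the body is not needed for the check.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((secaas_ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            req = f"GET {path} HTTP/1.1\r\nHost: {hostname}\r\nConnection: close\r\n\r\n"
            tls.sendall(req.encode("ascii"))
            buf = b""
            while b"\r\n\r\n" not in buf:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                buf += chunk
            return buf


def parse_response_head(raw: bytes):
    """Split a raw HTTP/1.1 response head into (status_code, lowercase header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def pretest_result(status: int, headers: dict, remote_addr: str, secaas_ips=SECAAS_IPS) -> dict:
    """Apply the guide's two success criteria and report which one matched.

    When probing the SECaaS IP directly, the remote-address criterion holds by
    construction, so the X-cdn header is the evidence that SECaaS, not the
    origin, answered. An empty evidence list means the traffic did not pass
    through SECaaS (e.g. the hosts entry did not take effect).
    """
    evidence = []
    if headers.get("x-cdn", "").lower() == "imperva":
        evidence.append("X-cdn: imperva")
    if remote_addr in secaas_ips:
        evidence.append(f"remote address {remote_addr} is a SECaaS IP")
    return {"ok": bool(evidence), "status": status, "evidence": evidence}


if __name__ == "__main__":
    status, hdrs = parse_response_head(fetch_head_via(SECAAS_TEST_IP, HOSTNAME))
    print(pretest_result(status, hdrs, SECAAS_TEST_IP))
```

Run it once before the DNS change and once more after, replacing the SECaaS IP with a normal resolution of the hostname, to confirm the path is the same in both cases.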
Changing DNS Settings
The path is changed so that actual traffic is transmitted via SECaaS.
- Each domain's address is configured as a CNAME pointing to the CNAME target we provide. When a CDN is in front of the site, change the CDN's origin address to that CNAME instead.
- A root (naked) domain cannot have a CNAME record. For it, configure an A record using the two default Anycast IPs; if setting both IPs is difficult, configure only one.
- Example: register or modify a CNAME record for hostnames under test.com (such as aaa.test.com above) using the CNAME we provide, and register or modify an A record for test.com itself using the IP we provide.
Notify DNS Change
After you notify the security monitoring center of the DNS change, it confirms that the integration is working and that traffic is flowing through SECaaS.
Check Service
Verify normal service connectivity.
- Check whether an SSL certificate error occurs.
- DDoS Protection is operated in detection mode for one month, after which the logs are analyzed and provided to the service owner.
- If no legitimate traffic is detected as an attack, switch to block mode. If a false positive occurs, verify with the service owner and then add an exception in DDoS Protection.
2.3 - DDoS Protection Service Outage Response
When a DDoS Protection service outage occurs, follow the steps below to address and respond to the issue.
Service outage detection
- The service owner notices a failed health check on the service URL or response errors.
- The security monitoring center detects the SECaaS service disruption when the registered Origin Healthcheck fails.
Remediation
- After identifying the cause of the failure, if it is determined to be a SECaaS service outage, change the registered CNAME/A record values back to the original service's origin IP/address so that traffic is redirected (reverted) to the origin. Because this is a DNS change, the user must perform it directly.
- When an urgent bypass (restoration) is required:
- Open the firewall on the SECaaS (DDoS Protection) → Server (Origin) segment to any source, because after the bypass client traffic reaches the origin directly instead of from the SECaaS range.
- Alternatively, ask the SECaaS administrator to apply DNS bypass processing in the SECaaS settings, which has the same effect. (It takes effect according to the DNS TTL, about five minutes.)
- This bypass is not available for websites pointed at SECaaS with an A record, such as a root (naked) domain.
SECaaS reapplication
After the outage is resolved, change the modified CNAME/A record values back to the SECaaS CNAME/A record address, and restore the origin firewall so that HTTP/HTTPS is again accepted only from the SECaaS IP range.
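The DNS cutover in "Changing DNS Settings" and the reversion in this outage procedure are the same record set pointed in opposite directions, with one rule that bites in both: a zone apex cannot hold a CNAME, so the apex uses A records and is excluded from the SECaaS-side DNS bypass. The following added example (not Samsung Cloud Platform code) generates and checks both plans. The zone test.com and hostname aaa.test.com come from the guide; the CNAME target, Anycast IPs and origin IP are placeholders that SECaaS and the service owner would supply.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

ZONE = "test.com"                                   # zone from the guide's examples
HOSTNAME = "aaa.test.com"                           # hostname from the pre-test example
SECAAS_CNAME = "aaa.test.com.secaas.example.net."   # hypothetical CNAME target; SECaaS provides the real one
ANYCAST_IPS = ["198.51.100.1", "198.51.100.2"]      # placeholders for the two default Anycast IPs
ORIGIN_IP = "203.0.113.10"                          # placeholder for the origin's public IP


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str
    ttl: int


def is_apex(name: str, zone: str) -> bool:
    return name.rstrip(".").lower() == zone.rstrip(".").lower()


def secaas_records(name, zone, secaas_cname, anycast_ips, ttl=300) -> List[Record]:
    """Cutover plan: CNAME for hostnames, A records on the apex (no CNAME allowed there)."""
    if is_apex(name, zone):
        if not anycast_ips:
            raise ValueError("apex needs at least one Anycast IP; a CNAME is not allowed here")
        return [Record(name, "A", ip, ttl) for ip in anycast_ips]
    return [Record(name, "CNAME", secaas_cname, ttl)]


def origin_records(name, zone, origin, ttl=300) -> List[Record]:
    """Reversion plan: point the name straight at the origin during a SECaaS outage."""
    try:
        ipaddress.ip_address(origin)
    except ValueError:
        if is_apex(name, zone):
            raise ValueError("apex cannot CNAME to an origin hostname; use its IP")
        return [Record(name, "CNAME", origin, ttl)]
    return [Record(name, "A", origin, ttl)]


def dns_bypass_available(name, zone) -> bool:
    """The SECaaS-side DNS bypass only applies to CNAME-based hostnames, not A-record apexes."""
    return not is_apex(name, zone)


def cname_conflicts(records) -> List[str]:
    """RFC 1034: a CNAME must be the only record at its owner name. Returns offending names."""
    by_name = {}
    for r in records:
        by_name.setdefault(r.name.rstrip(".").lower(), []).append(r)
    return sorted(n for n, rs in by_name.items()
                  if any(r.rtype == "CNAME" for r in rs) and len(rs) > 1)


def as_zone_lines(records) -> List[str]:
    """Render records as zone-file lines; CNAME targets are made absolute."""
    out = []
    for r in records:
        value = r.value if r.rtype != "CNAME" or r.value.endswith(".") else r.value + "."
        out.append(f"{r.name.rstrip('.')}. {r.ttl} IN {r.rtype} {value}")
    return out


if __name__ == "__main__":
    cutover = (secaas_records(HOSTNAME, ZONE, SECAAS_CNAME, ANYCAST_IPS)
               + secaas_records(ZONE, ZONE, SECAAS_CNAME, ANYCAST_IPS))
    reversion = origin_records(HOSTNAME, ZONE, ORIGIN_IP) + origin_records(ZONE, ZONE, ORIGIN_IP)
    for label, plan in (("cutover", cutover), ("reversion", reversion)):
        assert not cname_conflicts(plan)
        print(f"# {label}")
        print("\n".join(as_zone_lines(plan)))
    print(f"# DNS bypass available for {ZONE}: {dns_bypass_available(ZONE, ZONE)}")
```

Keep the reversion plan prepared and reviewed before the cutover; during an outage the only edit left is applying it, and the TTL chosen here bounds how long clients keep resolving to the failed path.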