The page has been translated by Gen AI.

DDoS Protection Preparation

Configure firewall open settings

Each segment of the path Client (User) - SECaaS (DDoS Protection) - Origin Server requires firewall opening. For the information required to open the firewall (Source, Type, Protocol, Destination), please inquire via the Support Center > Contact Us menu.

Reference
Samsung SDS network users do not need to submit a separate firewall opening request.
  1. Proceed with opening the firewall for the segment where the client (User) connects to SECaaS (DDoS Protection).
    • The default supported web ports for SECaaS are as follows.
      • http : 80, 8080, 8880, 2052, 2082, 2086, 2095
      • https : 443, 2053, 2087, 2096, 8443
    • For websites that use ports other than the default supported web ports, submit a service request using the DDoS Protection service request form. We will provide the Destination IP via the email account on the service request form. If the ports are changed (added, removed) or the Origin is changed after applying SECaaS, the IP may change. If you email the security monitoring center account (securitucenter@samsung.com) in advance, we will inform you of the changed IP through the responsible person.
      • If you are not using an IPv6 address, registration is not required.
      • To get the service application form, go to the All Services > Security > DDoS Protection menu, click the DDoS Protection Service Request button, then download the form on the Service Request screen and attach it.
      • For information related to service application, see Creating DDoS Protection in the How-to guides.
        | Source | Type | Protocol | Destination: SECaaS |
        |---|---|---|---|
        | Client | HTTP, HTTPS | TCP | IPv4: 162.159.141.5 / 172.66.1.3; IPv6: 2606:4700:7::102 / 2a06:98c1:58::102 |
        Table. Example of IP forwarding form
  2. Proceed with opening the firewall for the segment where SECaaS (DDoS Protection) connects to the Origin Server.
    • The origin server is the device that receives traffic from SECaaS. (e.g., LB, server, etc.)
    • The firewall or security device in front of the origin server must allow the specified IP range.
      • Cloudflare IP range information: https://www.cloudflare.com/ko-kr/ips/
      • If you are not using an IPv6 address, registration is not required.
        Caution
        We recommend blocking web traffic (HTTP, HTTPS) from outside the specified range. If it is not blocked, the Origin IP may be exposed, potentially enabling attacks that bypass SECaaS, and such bypass attacks are difficult to detect through security monitoring.
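
One way to check that the origin-side rule in step 2 is holding: the added example below (not part of the original guide or the service's own tooling) scans origin connection logs for web-port traffic whose source is outside the allowed ranges. The log format, the function names, and the short range list are assumptions; load the full current list from the Cloudflare IP range page linked above.

```python
import ipaddress

# Sample subset of Cloudflare's published ranges (assumption: replace with the
# full, current list from https://www.cloudflare.com/ko-kr/ips/).
ALLOWED_RANGES = [ipaddress.ip_network(n) for n in (
    "162.158.0.0/15", "172.64.0.0/13", "2606:4700::/32", "2a06:98c0::/29")]

# Default web ports listed on this page (assumed to be what the origin serves).
WEB_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095,   # http
             443, 2053, 2087, 2096, 8443}              # https

def from_allowed_range(src):
    """True if src (IPv4 or IPv6 string) is inside an allowed range."""
    addr = ipaddress.ip_address(src)
    # An IPv4-mapped IPv6 source (::ffff:a.b.c.d) is checked as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net
               for net in ALLOWED_RANGES)

def find_bypass_hits(lines):
    """Return (src, port) for web-port connections from outside the ranges.

    Hypothetical log format: '<timestamp> <src_ip> <dst_port>'.
    Unparseable lines are reported as (line, None) instead of being dropped.
    """
    hits = []
    for line in lines:
        parts = line.split()
        try:
            src, port = parts[1], int(parts[2])
            if port in WEB_PORTS and not from_allowed_range(src):
                hits.append((src, port))
        except (IndexError, ValueError):
            hits.append((line.strip(), None))
    return hits

# Constructed sample log; 203.0.113.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 162.158.10.20 443",       # inside allowed range
    "2024-05-01T10:00:02Z 203.0.113.50 443",        # direct-to-origin HTTPS
    "2024-05-01T10:00:03Z 2606:4700:10::1 8443",    # inside allowed range
    "2024-05-01T10:00:04Z 2001:db8::10 80",         # direct-to-origin HTTP
    "2024-05-01T10:00:05Z 203.0.113.50 22",         # not a web port
    "2024-05-01T10:00:06Z ::ffff:172.68.1.1 2053",  # IPv4-mapped, allowed
    "garbage",                                      # malformed line
]

if __name__ == "__main__":
    for hit in find_bypass_hits(SAMPLE_LOG):
        print(hit)
```

Any hit on a web port means the firewall in front of the origin is still accepting HTTP/HTTPS from outside the specified range.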

Authenticate SECaaS domain

To authenticate the registrant of the domain, you must create a host and add a TXT record for domain verification to DNS.

  • Authentication typically takes about 15 minutes after registration, but can take up to 24 hours depending on the environment. For example, when registering www.test.com, you must create/enter the Host and TXT Record values we provide into DNS.

Applying SECaaS Certificate

You can select and use either the certificate provided by SECaaS or the certificate supplied by the customer. Certificate installation is possible only if HTTPS is enabled for the domain; if the certificate is not installed, HTTPS communication will not work.

1. When using the SECaaS certificate

  • A new SSL certificate used between the Client ↔ SECaaS server will be generated.
  • Validation of the domain owner is required for the generated SSL certificate. The owner verification is performed by creating/entering the HOST and CNAME values we provide into DNS.
  • Certificates cannot be extracted and delivered, and there is an automatic renewal feature, so no separate renewal is required.
  • Authentication typically takes about 15 minutes after registration, but may take up to 24 hours depending on the environment.

2. When using a client (Custom) certificate

  • Provide the Full chain certificate, Key File, and Key Value.
  • An API communication issue occurs when registering a single certificate. (Only pfx, pem, cer files are supported)
  • The renewed certificate must be provided for renewal before the certificate expires.