Overview

    Service Overview

    DDoS Protection is a DDoS (Distributed Denial of Service) detection and mitigation service that uses multiple servers to detect and block attacks that generate concentrated traffic on the network. Through continuous monitoring, it detects external traffic attacks targeting a domain, performs additional verification and blocking, and protects servers inside the DMZ. When a DDoS attack occurs, it blocks and disperses traffic to minimize the load on the origin server, ensuring the continuity of the web service.

    The DDoS Protection service of Samsung Cloud Platform is based on SECaaS. All user traffic passes through the SECaaS PoP before reaching the server, and when attack traffic arrives, it is analyzed by the SECaaS Rule, detected and blocked, and only clean traffic is forwarded to the server. Additionally, the service is provided from a nearby PoP based on the user’s connection country, and if a PoP failure occurs, service is provided from another PoP within the same country or region.

    Features

    • Rapid Attack Detection: When a large volume of traffic arrives, it detects and blocks DDoS attacks in real time. Detection criteria are continuously updated to address the latest attack techniques.
    • Effective Attack Blocking: When L3/L4/L7 DDoS attacks are detected, additional verification such as JavaScript and CAPTCHA checks is used to block only the DDoS attack traffic, ensuring service availability while regular users access the website normally.
    • Stable web service operation: With experience in large-scale network operations and 24x365 security monitoring, we can effectively respond to external security threats.

    Configuration diagram

    Diagram
    Figure. DDoS Protection operation

    Provided features

    We provide the following features.

    • Intrusion detection through network flow and monitoring
      • Detecting and blocking high-volume traffic inbound to a domain
      • Performing deep inspection (JavaScript verification, CAPTCHA verification, etc.)
      • Blocking L7 application vulnerability attacks
      • 24/7 event monitoring
    • Fast traffic processing through a global network
      • Fast traffic handling via global PoPs
      • Rapid routing transition through SDN and Tier 1 ISP integration

    Component

    Domain

    SECaaS DDoS Protection is registered on a per-domain basis.

    • It can only be applied to domains served with an FQDN (Fully Qualified Domain Name); if the service is provided using an IP address instead of a domain, SECaaS DDoS Protection cannot be applied.
    • Registration is possible only for domains registered in the public DNS. Domain integrity is verified via DNS lookup, so the service cannot be used when the domain is registered with a private internal IP.
    • It applies only to web application traffic that uses the HTTP/HTTPS protocols; other TCP traffic is dropped, so the service cannot be used for it.

    Traffic

    Traffic is aggregated as the combined Mbps value of the individually registered domains between SECaaS DDoS Protection and the Origin server.

    Constraints

    To use DDoS Protection, please check the following items in advance.

    • Domain Use
      • It can be applied only when the service is provided using an FQDN (Fully Qualified Domain Name). If you serve with an IP address instead of a website URL, DDoS Protection cannot be applied.
      • Registration is possible only for domains registered in a public DNS. DDoS Protection is located in the external Internet segment and verifies domain integrity via DNS Lookup. (Registration with internal private IPs such as 10.10.10.10 makes DDoS Protection unavailable.)
    • Use HTTP/HTTPS
      • Only traffic using the HTTP/HTTPS protocol for web applications is accepted.
      • TCP traffic that uses protocols other than HTTP/HTTPS is dropped, so DDoS Protection cannot be used for it.
    • XFF (X-Forwarded-For) header must be enabled
      • SECaaS DDoS Protection has the XFF header feature enabled by default. If the XFF header feature is set to disabled, the session may be terminated.
    • Client Source IP Change
      • When forwarding a user request from SECaaS DDoS Protection to the customer system, the Source IP is changed to an IP range owned by DDoS Protection rather than the original user’s public IP. The original user’s public IP is delivered via the XFF header.
    • Maximum Upload Size Limit
      • The maximum uploadable file size is limited to 500 MB. (If it exceeds 500 MB, a separate agreement is required.)
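
    Because of the Client Source IP Change constraint above, the origin sees every protected request arriving from a DDoS Protection address, with the real client carried in the XFF header. The following is an added example (not Samsung Cloud Platform code) of recovering the client IP at the origin while ignoring XFF on connections that did not come from the service. The 203.0.113.0/24 range is a placeholder for the service's IP ranges, and the function and label names are hypothetical.

```python
import ipaddress

# Assumption: placeholder range (TEST-NET-3) standing in for the IP ranges
# owned by DDoS Protection; replace with the ranges the provider publishes.
TRUSTED_PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def _parse_ip(text):
    """Return an ip_address object, or None if the text is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXY_RANGES)


def resolve_client_ip(peer_ip, xff_header):
    """Return (client_ip, source) for one request reaching the origin.

    peer_ip    -- source address of the TCP connection seen by the origin
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer = _parse_ip(peer_ip)
    if peer is None:
        raise ValueError("invalid peer address: %r" % peer_ip)
    # A sender outside the protection service can put anything in XFF,
    # so the header is ignored and the connection's own address is used.
    if not _is_trusted(peer):
        return str(peer), "peer-untrusted"
    # Walk right to left: the rightmost entries were appended by trusted
    # proxies; the first untrusted address is the client they saw.
    for entry in reversed((xff_header or "").split(",")):
        ip = _parse_ip(entry)
        if ip is None:
            break  # malformed entry: do not trust anything left of it
        if not _is_trusted(ip):
            return str(ip), "xff"
    return str(peer), "xff-missing-or-invalid"


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For value)
    for peer, xff in [("203.0.113.10", "10.0.0.1, 198.51.100.7"),
                      ("192.0.2.50", "198.51.100.7")]:
        print(peer, xff, "->", resolve_client_ip(peer, xff))
```

    Requests labelled peer-untrusted reached the origin without passing through DDoS Protection, which makes the label useful for logging and for tightening origin firewall rules.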

    Provision status by region

    DDoS Protection is available in the following environments.

    Region | Provision status
    Korea West (kr-west1) | Provided
    Korea East (kr-east1) | Provided
    South Korea South 1 (kr-south1) | Not provided
    South Korea South 2 (kr-south2) | Not provided
    South Korea South 3 (kr-south3) | Not provided
    Table. DDoS Protection regional availability status

    Preliminary Service

    This is a list of services that must be pre-configured before applying for the service. Please refer to the guide provided for each service for details and prepare in advance.

    Service Category | Service | Detailed description
    Compute | Virtual Server | Virtual server optimized for cloud computing
    Security | WAF | A service that protects web applications from web vulnerabilities and attacks
    Table. DDoS Protection Preliminary Service