Kaspersky event. At the online meeting, representatives of the vendor spoke about the DDoS protection solution and how to earn money by selling KDP, and also showed how convenient and functional the client and partner portals from Kaspersky are.
Today in the program:
- Attacks and options for protection from attacks;
- KDP Project Overview: current product and key features;
- Licensing Kaspersky DDoS Protection;
- Demonstration of the client portal;
- Demonstration of the partner portal.
Vendor speakers:
- Andrey Frolov, Key Account Manager;
- Vyacheslav Kirillov, Technical Account Manager.
Today's event is hosted by Andrey Frolov of Kaspersky, who is responsible for business development in the area of DDoS protection. He will talk about the goals attackers pursue when they attack customer resources and the options for protecting against those attacks. Let's start with statistics.
Since the time of the pandemic, the number of DDoS attacks in the world has grown significantly. If we talk about Russia, we see simply an avalanche-like increase in the number of DDoS attacks since 2022. This number, it seems to me, is not planning to decrease, only grow. And month after month, year after year, it constantly increases. Interestingly, the latest trend that attackers are using is an attack on the entire subnet, on all customer resources within the autonomous system.
Not all managers know how to deal with this. In order to be able to protect against this, the entire customer network and the entire subnet must be brought under protection. Many of our customers use this, and those who do not use it come to us at the time of the attack and we protect them.
What goals do we see for attackers? We see four main goals when forming DDoS attacks. But at the same time, I must say honestly that the main goal for the last couple of years is still "Hacktivism". Hacktivism and some custom attacks on our resources from unfriendly countries. Why is this so popular? And it's all connected with the fact that it's all very cheap.
There are many resources where you can order DDoS attacks on any customer. There are many services that allow you to pay for DDoS attacks anonymously. And you order attacks and no one will ever find you. And no one will know that you have done something bad to some competitor or some government agency. But you need to protect yourself from this.
And there are not so many protection options, in fact there are four. Let's start, probably, with protection for the provider. This protection is good because it is generally quite easy to connect. Everyone has their own providers that provide data transmission channels. Most of these providers have DDoS protection and you can connect it. The only limitation is that if you use a solution from a provider, then you are very likely not to have application-level protection from some slow, complex attacks. Therefore, this is such a limited solution. This option protects customers from DDoS attacks. At the same time, it must be said that the provider's solution is dependent. It will be difficult for you to change your provider, with whom you have set up interaction in terms of DDoS protection.
Well, and the simplest, probably the most correct method of protection is cloud protection. Customers receive a provider-independent solution if they choose cloud protection. They receive protection from all types of attacks. Well, and, in fact, they can also connect quite simply. You can get under protection within one hour. The time depends, in fact, mostly on the customer himself.
If we talk about our solution and about those protection options that exist, then we now cover all options. We have a hardware solution for providers that can be installed on the territory, at the provider's or partner's center. There is a solution with filtering nodes on the customer's side. Naturally, there is a cloud solution, as the main product.
I would like to note that we have built-in bot protection. In principle, many customers already use WAF, but we are ready to enrich these WAFs with our data. Almost any WAF. We have a conditionally free App Protect.
Our customers themselves support this solution. We simply transfer all the levers of control, and they themselves manage it. Accordingly, if they have any problems with WAF, they will solve these problems themselves. There are partner WAFs, they are commercial.
Let's move on now to our product. This slide provides a general description of our solution. How we see the Kaspersky DDoS Protection or KDP product. It consists of three large groups. The main one, of course, is SLA. For any product related to DDoS protection, this is the most important document that describes the areas of responsibility between the service provider, in this case KDP, and the customer himself. It describes what level of service availability, describes what thresholds, what maximum amount of traffic, maximum amount of legitimate traffic, maximum amount of attack traffic.
We also have a description of our product, it is also posted online, this is a knowledge base. There are client and partner portals, this all refers to our interfaces.
If we talk about implementation schemes, we support any implementation schemes. From the simplest proxying to complex routing, building direct links with customers. Moreover, the customer himself determines which connection scheme is most interesting to him, most suitable for him. We do not charge money for this.
Now more details about our advantages. The first is any deployment schemes. If the customer wants on prem, we will make him on prem. The customer needs a cloud solution, we will make a cloud solution. We have three cleaning data centers in Moscow, Europe, and in Canada. We are now working on the issue of making a cleaning center in the countries of our former Soviet Union, in Kazakhstan, Uzbekistan or Kyrgyzstan. We have a transparent SLA, which is available from the Internet. There is technical support. Our product has been in the laboratory for quite a long time, it lived and developed as a solution for Enterprise clients. We understand that a conditional Enterprise customer sometimes finds it easier to pick up the phone, call us and ask us to do something or write a letter. Therefore, you can contact us by phone, by mail. Many issues can be resolved through client portals, but again, not all of our customers do this. Protection of encrypted traffic without disclosing the certificate, protection at the application level without disclosing the certificate.
We have a large number of large customers. We also hope, thanks to the fact that we are now developing partnership schemes with various telecom operators, we plan to enter the SMB business as well. We are optimistic about the SMB business. We hope that this segment will also occupy a large share of our business in the future. Well, and of course, our most important advantage, our most important difference from competitors, is that we have an FSTEC certificate. Therefore, we have a lot of government customers, who just need this certificate in FSTEC.
Next are small screenshots of our portals. For starters, this is the client portal. The customer can practically do everything by contacting technical support and it will solve all his problems. But at the same time, we have made a very convenient functional client portal. Clients can independently view information about resources, about attacks, about anomalies, see what traffic they have, add a certificate to a resource, make the certificate automatically issued.
The partner portal was developed for schemes with partners, so that the partner portal provides billing services used by customers, so that partners can independently bring customers under our protection, not only customer resources, but also the entire network as a whole. Partners now, those with whom we have signed agreements, are actively using this.
Now let's move on to licensing. We have quite simple licensing, and if we talk about some basic licensing metrics, there are actually two of them. This is reserved bandwidth and the number of protected resources. Bandwidth is the bandwidth required for the cleaned traffic of all protected resources. We only count legitimate traffic. Actually, protected resources are IP addresses or the infrastructure of Internet services, defined by IP addresses. That is, in fact, we are licensed by the number of protected IP addresses. We are always ready to help the customer choose the most optimal option for him. It is clear that if a customer comes to us and says that I have an "autonomous system", I want to protect everything that is there. We say great, but it will be very expensive. Therefore, let's protect your subnets completely, put them on us. They will be like a resource as a whole. And from these subnets we will select the most important resources for you. We will put them separately to get optimal solutions and somehow save money, and not pay some completely gigantic money.
We have historically developed license types. The certified version has three tariffs. Standard, Ultimate and Ultimate+. They differ in the level of SLA and the included bandwidth of legitimate traffic. Standard is up to 100 Megabits, ultimate from 100 to 300 Megabits and ultimate plus is everything that is more than 300 Megabits. Accordingly, the more resources the customer protects, the cheaper it becomes for him the cost of protecting one resource.
Probably, at the beginning of last year we made the second part of our price list. We placed the uncertified version and added it to the price list and with it the certified version, made a larger number of tariffs, there are tariffs that are relevant for SMB customers, tariffs for 25 and 75 Megabits of legitimate traffic. Accordingly, the cost of the uncertified version is naturally lower than the certified one. Well, that is, if these are government customers, well, most likely they want a certified version. We suggest that customers choose themselves. We usually calculate several options, show how much each option costs, what level of SLA they receive. The customer chooses a solution, and then we pilot it. The time for the pilot project is two weeks, the pilot project is a fairly standard procedure. If you have potential customers who would like to see, but even conditionally speaking do not know what traffic they have, we will conduct a pilot project together with you. It is absolutely free for the customer and for the partner. As a result, we will see whether the customer is satisfied with the solution. It is clear that DDoS attacks do not always occur on the customer during the pilot project. We do not form DDoS attacks ourselves, if there were no DDoS attacks during the pilot project, the customer will be able to understand that the scheme is assembled, functions normally, there are no delays. During commercial use, he will already be able to understand how well it works and protects against DDoS attacks.
We sell annual licenses for certified and uncertified versions. We have monthly licenses, they are intended for MSSP partners. Accordingly, for ordinary reseller integrators, these are still monthly licenses. VAT is not charged.
We have such a small questionnaire. A file that we use to calculate the specification, to calculate the cost of connection for customers. Accordingly, some customers find it difficult, so if your customers say that they are not ready to fill out the questionnaire, these 8 questions that they need to send, the answers to which will help us form an approximate cost of solutions.
The presentation was then continued by Vyacheslav Kirillov, Technical Account Manager, who talked about Kaspersky's portals, including the partner portal.
Vyacheslav began to talk about the interface of the partner portal. Our partners, first of all, are communication providers who want to resell the DDoS protection service and independently connect customers. For such partners, we have a partner portal through which they can directly work with clients: bring them in independently, create protection objects and, in general, even provide support at the 1-2 line level. If they need some expert assessment or expert pre-sale, we are always ready to help.
The site provides, first of all, information about the client, that is, just a regular description and name. Each client has a protection object. This is an entity that is responsible directly for protection against DDoS attacks. A protection object is not necessarily one IP address, it can be a group of IP addresses. It is important to understand that a protection object is, first of all, a resource for which filtering will be applied. That is, if the customer wants to apply some unique settings for a specific IP address, he must create several protection objects.
Now let's take a closer look at what settings are available to partners. First of all, this is the traffic limit that is available by the number of bits per second and by the number of packets. Usually, the partner inserts a value equal to the license in order for the client not to overpay for exceeding the bandwidth. Additionally, you can open certain ports to improve protection. That is, if certain ports are installed, the protection will work better, special filters will be applied for this service and the protection will more accurately filter out traffic and there will be less negative impact on everything else during filtering. Additionally, you can disable attack detection, traffic redirection settings to the local cleaning center are also available, you can set certain thresholds, enable and disable filtering. All this can be configured directly through the partner portal. Partners also have access to information about attacks on all resources, on all their clients.
That is, the partner can receive reports, download them for periods and, accordingly, provide support on this or that issue for the client. Billing information is also available for each client, how many studied resources and licenses are utilized by this or that client, how much traffic passes through the system.
We also have a personal account directly for clients, that is, we usually developed this account for Enterprise customers. Here, more in-depth analytics are available for directly studied resources. You can also manage the configuration of resources here.
In principle, all the main tasks that are necessary in a more or less loaded project are available directly on the portal, if you need to add some more or less complex settings that are not available through the portal, you can always do this through our technical support. I repeat, we developed this portal for Enterprise, and it is tailored for engineers who understand nginx and can independently manage the resource. But if there are any questions, you can always contact support, our team will always tell you what can be done in that or another situation. This is what concerns parallel figuration.
To exclude the influence of the filtering system, we have developed lists of allowed and prohibited IP addresses. If the IP address is in the list of allowed, it will always be passed through the filtering system, if it is in the list of prohibited, it will be blocked. We also have a service where you can block a request using a specific code. Usually this service is used by customers who want to integrate together with some WAF solution and reduce the load during attacks on WAF, to block IP addresses and requests. We have the ability to check the uniqueness of IP addresses, that is, whether the IP address is blocked or not, how we classify it and classify it according to our databases.
Now, the use of geo-filter is very popular among customers. Everyone likes to filter traffic and attacks using geo-filtering, so we have wide settings for managing such a filter. You can specify a list of allowed countries for each protocol, a list of prohibited countries for each protocol and limit the bandwidth for countries that are not included in either list. Accordingly, you can build certain settings for an attack. That is, in the event of an attack, certain geo-filtering settings will be applied. We also have a tab with a captcha.
You can use a regular standard captcha, you can use GS-Challenge. You can enable captcha for a specific country, for a specific category. That is, for example, if the customer wants captchas to be triggered for IP addresses that have previously participated in DDoS attacks, he can also configure this through his personal account. Thus, IP addresses that pose a certain threat will be checked by the system.