Strengthening Your DDoS Defenses with Filter Lists 

October 10, 2023

Security operations teams routinely use firewall rules or router Access Control Lists (ACLs) to filter and control network traffic, allowing or blocking it by source IP address, destination address, destination port, and source country. These packet filtering rules are a proactive security control that helps to prevent unauthorized access and ensure that only legitimate traffic can pass through the network. Vercara UltraDDoS also supports this concept with Filter Lists. Read on to find out more about Filter Lists, including how to create and deploy them and the benefits of doing so.

Filter Lists are one of the tools the UltraDDoS Protect platform often uses to mitigate attacks. Customers provide Filter Lists to specify which IP addresses (or ranges) and service ports are allowed or denied access to their network resources, and UltraDDoS Protect then uses them to determine which traffic to deny or allow during a DDoS attack. These lists can be configured to either allow or block traffic using criteria such as source IP address, source network block, source country, source port, destination IP address, destination network block, or destination port, much like an Access Control List (ACL) or firewall rule. This makes Filter Lists a powerful tool for defining normal traffic for public-facing services and proactively protecting your network, services, and applications.

Filter Lists and UltraDDoS Protect.

Vercara customers define their Filter Lists by submitting them as trouble tickets through the DDoS Protect portal. The Vercara SOC team then implements the Filter Lists and can select them for inclusion in mitigation events in two ways: during auto-mitigations on the customer’s behalf or when the SOC manually creates a mitigation for the customer.

One of our recent enhancements is to make these IP Filter Lists visible to customers in the UltraDDoS Portal. You can find them in the navigation menu under Configuration > Filter Lists.

There, you will find that several types of lists are supported:

  • Deny/Allow Filter Lists are configurable lists of FCAP specifications that drop or pass traffic without additional scrutiny. Vercara’s DDoS service leverages an extended version of the standard FCAP expression language used by programs such as tcpdump and Wireshark. FCAP syntax allows complex filtering based mostly on IP header and TCP/UDP/ICMP header information with full and/or/not logic, nested elements, and intermixed drop and pass filter statements.
  • IP Address Drop/Pass Filter Lists are used to define which traffic by IP address prefix (in CIDR notation) should be dropped or passed by mitigation.
  • IP Location Filter Lists are used to define which traffic should be passed or dropped based on the source country of the IP address, using ISO 3166 2- or 3-character codes for country identification.
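
The following is an added example, not Vercara's code or a description of portal behaviour: a pre-submission check for a draft IP Address Drop/Pass list and IP Location list that validates CIDR prefixes and country-code format, flags overlapping prefixes with opposite actions, and shows the resulting decision per source. The evaluation order (longest matching prefix, then country, otherwise `inspect`), the function names, and the sample lists are assumptions; the page does not state how UltraDDoS Protect orders rules.

```python
import ipaddress

# Constructed sample lists (documentation prefixes, user-assigned country code ZZ).
PREFIX_RULES = [("pass", "198.51.100.0/24"),
                ("drop", "198.51.100.128/25"),
                ("drop", "203.0.113.0/24")]
COUNTRY_RULES = {"ZZ": "drop"}

def parse_rules(rules):
    """Validate (action, CIDR) pairs and return (action, network) tuples."""
    parsed = []
    for action, cidr in rules:
        if action not in ("drop", "pass"):
            raise ValueError(f"unknown action {action!r}")
        # strict=True rejects prefixes with host bits set, e.g. 192.0.2.1/24
        parsed.append((action, ipaddress.ip_network(cidr, strict=True)))
    return parsed

def check_country_codes(country_rules):
    """Return codes that are not 2 or 3 ASCII letters (format check only)."""
    return [c for c in country_rules
            if not (c.isascii() and c.isalpha() and len(c) in (2, 3))]

def find_conflicts(parsed):
    """Return overlapping prefix pairs whose actions differ, for human review."""
    conflicts = []
    for i, (a1, n1) in enumerate(parsed):
        for a2, n2 in parsed[i + 1:]:
            if a1 != a2 and n1.version == n2.version and n1.overlaps(n2):
                conflicts.append((str(n1), a1, str(n2), a2))
    return conflicts

def decide(src_ip, country, parsed, country_rules):
    """Assumed order: longest matching prefix, then country, else 'inspect'."""
    ip = ipaddress.ip_address(src_ip)
    matches = [(n.prefixlen, a) for a, n in parsed
               if n.version == ip.version and ip in n]
    if matches:
        return max(matches, key=lambda m: m[0])[1]
    return country_rules.get(country.upper(), "inspect")

if __name__ == "__main__":
    parsed = parse_rules(PREFIX_RULES)
    print("bad country codes:", check_country_codes(COUNTRY_RULES))
    print("conflicts:", find_conflicts(parsed))
    for ip, cc in [("198.51.100.10", "US"), ("198.51.100.200", "US"),
                   ("192.0.2.1", "ZZ"), ("192.0.2.1", "US")]:
        print(ip, cc, "->", decide(ip, cc, parsed, COUNTRY_RULES))
```

A reported conflict is not necessarily an error: a narrower drop inside a broader pass can be intentional, but it should be confirmed before the list is submitted.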

Building Proactive DDoS Defenses.

Filter Lists inside UltraDDoS Protect provide a way to proactively mitigate large categories of DDoS attacks by baselining traffic and blocking unwanted traffic before an attack. This gives security, infrastructure, and application teams a huge advantage in blocking malicious network traffic during an attack and leads to a quicker time-to-detect and time-to-block.

As a best practice, we recommend customers review their Filter Lists monthly based on their public-facing services, recent mitigations, and latest threat intelligence, and request updates as needed.

Discover the power of UltraDDoS Protect.

Ready to discover how these new features can help you secure your online experience? Contact your account manager or reach out to our sales team for a free demo.

Published On: October 10, 2023
Last Updated: February 12, 2025
