In the recently published Forrester WAVE: DDoS Service Providers, Q3 2015 report (in which Verisign was identified as a leader), Forrester notes the importance of a hybrid approach to distributed denial of service (DDoS) protection. Specifically, the report highlights the pros and cons of on-premise and cloud-based DDoS protection solutions, and advocates for a hybrid solution that incorporates elements of both; specifically the speed to mitigation of on-premise with the scrubbing capacity of cloud-based.

We couldn’t agree more. That’s why in early 2015, Verisign announced the availability of the Verisign OpenHybrid™ architecture, an API-centric and automated approach to DDoS protection. This groundbreaking approach gives organizations increased awareness of attacks and improved ability to mitigate them across on-premise devices and in public and private cloud environments.

And today, I am pleased to announce the availability of Verisign OpenHybrid™ Customer Activated Mitigation, an important update to the Verisign OpenHybrid™ architecture that gives customers even more control of their DDoS protection strategy while greatly reducing the time to mitigate attacks.

Customer Activated Mitigation enables an organization to initiate or cease immediate DDoS mitigation across Verisign’s global network of scrubbing centers via Border Gateway Protocol (BGP) routing without having to contact Verisign for manual intervention.

How does it work?

In two minutes or less, the following steps are taken to mitigate DDoS attacks:

1. A customer experiencing a DDoS attack announces the IP prefix needing protection via preconfigured BGP sessions with Verisign using special community strings.
2. A BGP listener on Verisign’s network edge triggers a mitigation as soon as it receives the announcement sent over a pre-configured Generic Routing Encapsulation (GRE) tunnel between the customer router and the Verisign network.
3. Once the IP prefix is received, Verisign advertises the learned prefix to upstream service providers and peers so that all traffic covered by the IP prefix goes to Verisign DDoS Protection Services scrubbing centers.
4. A pre-defined set of mitigation templates and countermeasures are automatically applied and Verisign Technical Support Services are alerted so that they can monitor and optimize the mitigation to ensure clean traffic is forwarded back to the customer’s network via dedicated cross-connects, or GRE tunnels.

While mitigation is taking place, customers can view event details, traffic graphs and associated alerts on the Verisign DDoS Customer Portal.

Verisign Openhybrid™ Customer Activated Mitigation – The customer-activated mitigation traffic redirection technique is particularly well suited to work with Verisign’s DDoS Protection Services because of Verisign’s global network and robust peering. Verisign’s network is architected to provide for optimal convergence times when advertising customer IP address space to ingest and mitigate traffic faster.

As an integral component of the full Verisign OpenHybrid™ architecture, Customer Activated Mitigation gives organizations the ability to quickly and effectively defend against DDoS attacks, delivering:

1. Reduced time to mitigation
2. Increased control over initiating and stopping DDoS mitigations
3. Immediate operational support from Verisign’s experts.

If you are interested in learning more about Verisign OpenHybrid™ Customer Activated Mitigation, read the overview or request a consultation with an expert.