Protect your network with continuous, host-level protection against DDoS attacks. We offer cutting-edge DDoS mitigation technology across our global IP backbone, ensuring scalable, worldwide protection.
Our service applies surgical mitigation techniques to mitigate attacks automatically. Malicious traffic is dropped already within our backbone before it reaches your Internet connection, ensuring that only legitimate traffic passes through.
We provide a high-capacity solution throughout our global IP backbone that can be scaled to add more Managed Objects (MOs) and mitigation capacity to support your growing protection needs.
Our pricing model is designed in accordance with your risk profile, making it more economical than in-house edge solutions.
DDoS has an immediate and profound impact on businesses. We have designed our DDoS mitigation service to scale across the global Internet for each tier. We can absorb highly distributed attacks and allow data centers, servers and Internet connections to operate normally even when under attack.
We have designed our pricing model to adapt to the risk profile of each customer, making it more economical than in-house edge solutions that can cause additional bottlenecks during DDoS attacks.
Call us anytime at
Or email us
If I were to sum up the best things about Arelion, I would include extremely competent staff, quick response times, comprehensive DDoS protection with additional services and competitive pricing. Our company (...) was increasingly affected by DDoS attacks over a long period of time, to the extent that our business suffered daily. Thanks to the help we got from Arelion, we got back on track again, as a stable and reliable IT-company for our customers who always expect the best service 24/7.
|Protection against evolving attack vectors: volumetric, protocol, application|
|Surgical host level mitigation|
|Manual or automatic protection|
Secure by design features
|NOC situated in a well secured and connected building with multiple power sources|
|Physical and logical security from design to deployment|
|A network-wide Acceptable Use Policy (AUP)|
|Customer Service authentication procedures|
|Clear customer data handling policies|
10 quick questions for our IP & Security Product Manager at Arelion.
All the edge routers in AS1299 send traffic data in the form of NetFlow, BGP and SNMP to our DDoS system. Using detailed profiling and continuously updated threat intelligence, this data is analyzed for attack traffic. This is all run by our dedicated in-house SecOps team and backed by our industry leading DDoS vendor. If the system detects malicious traffic destined to one of our DDoS customers, it will initiate a redirect within our network to the nearest scrubbing center. Arelion has 5 of these locations globally. Using a variety of methods, we ensure that the traffic is routed to the scrubbing center nearest to the source of the attack, rather than the target. This ensures the lowest possible increment in Round Trip Delay (RTD).
Also, as this redirect is internal to our network, we can redirect only the traffic we absolutely need to – right down to a single host /32. This means that we leave as much customer traffic flowing as normal as we possibly can, minimizing the attack impact still further.
Once the traffic reaches the scrubbing center, it passes through our Threat Management System which drops the malicious traffic and allows the good/legitimate traffic through. This ‘clean’ traffic is sent into a clean VRF or other tunnel and handed to the customer’s nearest port.
Once the attack is over, any redirections are withdrawn, and peacetime routing is restored.
The onboarding process should not be complicated, but it really depends on the customer. Arelion offers quite a lot of flexibility to our customers which could add complexity. However, for most of our customers we recommend simply applying default settings, so all we need is some admin information (i.e., contacts for alerts and reports etc.) and details of the IP prefixes they wish to protect.
Customers may not want all of their IP’s protected, and some may run very sensitive DNS, web or email servers. These can be configured into the system separately allowing for customization of thresholds. Our solution engineers work with customers to optimize the set-up.
Multi-homed DDoS is Arelion’s solution for customers who buy IP access from more than one provider. Typically, in this scenario the customer would buy DDoS protection from each provider, but this service allows customers to buy a complete DDoS service solution from just us, covering the whole system end to end.
Multi-homing service works very much like our base service, but with a couple of key additions:- We need to be able to ‘see’ the traffic that doesn’t flow through our network. For this, we need the customer to send Netflow (or SFlow) data from the relevant edge routers to our system.
Multi-homing service is a fully automated feature.
Based on these two key things, the service may not suit everyone. Some customers may even struggle with providing Netflow data (e.g., due to security policy or not having capable devices). Our more specific announcement should win the BGP routing decision, so ideally in normal operation the customer announces /23 or larger prefixes to the outside world. The prefixes to be protected by us must be covered by an RPKI ROA that has AS1299 as originating ASN and a max length of 24. Our systems will not initiate a BGP announcement that would not be considered valid by RPKI validation.
AS1299 is a very large IP Transit backbone, with large number of connected ASN’s globally and edge traffic > 70Tbs, so we obviously have access to a lot of data.
We use this data for the purpose of supplying the services, running and maintaining the network. So, this does mean collecting flow data and using that within our analysis tools to determine the network demands for planning and forecasting.
For DDoS we use this kind of data to detect and identify suspicious traffic. We only apply these more detailed detection mechanisms to customers who purchase our DDoS services.
With multi-homing, there’s a slight difference as we need to collect some data that is not available from our AS1299 routers, but from customer routers themselves. We ask customers to send us not only Netflow/sFlow data from the routers on their other boundaries, but also SNMP data.
This enables us to better identify the external interfaces and only look at the interfaces that are relevant to the service we provide.
Arelion ONLY uses data for the purpose of providing the DDoS Service and we do not retain this data any longer than needed.
We currently do not offer such a service. In principle it is possible and it’s something we may consider in the future. If and when we do, it’s likely to be part of our Enterprise Product portfolio.
We need to explain a bit more about the mechanisms we have available to mitigate DDoS attacks
Highly-capable edge routers – meaning they support detailed filtering and Flowspec when needed
Filtering pre-TMS. We have dedicated routers fronting our TMSs. Here our SecOps team manages filters on an ongoing basis
TMS. These are the vendor scrubbing devices and form our last line of defense. They are modular and each can easily be upgraded to 400Gb/s each before a new chassis is needed
For these reasons, finite TMS scrubbing capacity is less relevant for us, as AS1299 essentially forms a global scrubbing centre. We have successfully mitigated a peak attack of >990Gbps. This capacity is currently being upgraded to ensure that it is future-proofed for our customers.
Currently – our only charging model is based on actual mitigation minutes. This, we believe, is pretty unique in the market. As mentioned, there might be some ‘all inclusive’ options coming in the future, but we are not planning on introducing a charging based on either clean or ‘dirty’ traffic.
We are working on being able to launch an ‘Express DDoS’ which would be exactly as described – an existing IP customer can tell us they are under attack and to which prefix(es), so we can instruct our routers to divert traffic to those prefixes to the TMSs. This would be a quick way to get traffic scrubbed. It is not a replacement for the full DDoS service and can run for up to 24 hours. Client would be responsible for telling us to stop the mitigation.
Is there a learning phase?
Yes – this is typically done during Delivery – and can be relatively short. It’s there to set some baselines in the system.
What if I realize I made a mistake on the IP addresses?
Simply notify Customer Service Center and we can get these amended/removed. The capability to update through the portal is road-mapped and is a priority for Arelion.
Am I limited in the number of IP addresses?
No, we do not have a limitation. You can have a number of prefixes – down to /32 host IP. We also protect IPv6 addresses, which have their own configured managed objects.
How do I make changes on my Mobile Operator configuration?
Currently by updating the configuration template and sending back to CSC.
Call us anytime at
Or email us
Direct access to your cloud with a dedicated connection to the major Cloud Service Providers, AWS, Google, Azure, Oracle, and IBM.
BGP Transit to Internet content and billions of end-users, with the world’s best-connected backbone, AS1299.
Expert knowledge and invaluable insights to help you navigate your digital journey.
Check out our expert hosted webinars diving deep into the latest topics within connectivity.
The world of networking has never been more exciting. Today, the Internet and network services play a critical role in our lives - individuals and businesses alike.
Our thoughts and deeds. From industry trends to geeky networks stuff.