Cybersecurity best practices and DDoS defence strategies
GRE (Generic Routing Encapsulation) tunneling, a means through which clean traffic is delivered back to protected networks, is the most common deployment method used in today’s networked world. Implemented via GRE tunneling and BGP anycast routing, Nexusguard’s Origin Protection (OP) safeguards network resources against all volumetric and protocol-based DDoS attacks, including UDP and SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and much more.
How Nexusguard uses GRE Tunneling
Incoming traffic is directed to Nexusguard’s strategically located scrubbing centres, equipped with over 2.24Tbps of mitigation capacity, using BGP announcements. Clean traffic is then forwarded through a GRE tunnel back to the customer networks, while all protected IP range announcements are transited through Nexusguard.
The traditional implementation of a GRE tunnel involves configuring a point-to-point tunnel between two sites. This type of configuration works well when point-to-point connectivity is the intended behaviour and only a limited number of virtual tunnels need to be configured. However, if there are a number of routers at each customer site, the number of router configurations and independent IP address ranges (one per tunnel) can quickly grow, requiring more resources and effort to set up and manage the tunneling operation. These considerations are behind the development of Nexusguard’s Smart Tunnel.
Figure 1 - Nexusguard GRE Tunneling
Nexusguard Smart Tunnel
In terms of setup, protocol and functionality (that is, delivering clean traffic back to the origin server and collecting route information from remote endpoints via BGP peering sessions), Nexusguard’s Smart Tunnel operates in exactly the same manner as traditional GRE tunneling. The main advantage of Smart Tunnel is that it reduces the number of point-to-point tunnels by centralizing all logical connections at two logical endpoints, establishing two GRE tunnels between the scrubbing centres and the OP customer router. This also reduces the number of BGP sessions to two per OP customer router, further reducing the resources and effort required to maintain the tunnel operation.
Figure 2 - Nexusguard Smart Tunnel
Nexusguard Smart Tunnel operates by replicating the GRE tunnels, BGP sessions and routing information from the two logical endpoints and distributing this data to the corresponding modules at each of the scrubbing centres, which reduces the manual configuration needed at each physical location.
The clean traffic data path is also preserved: clean traffic from the scrubbing centres is returned directly to the customer network without needing to be routed through the two centralized endpoints.
Salient Features and Benefits of Smart Tunnel
Smart Tunnel is now available to customers using our Origin Protection service. For further information, please read about Nexusguard’s Origin Protection.
Nexusguard analyzes, fingerprints, and mitigates malicious traffic, then sends clean traffic over virtual Smart Tunnels, ensuring secure and uninterrupted connectivity to mission-critical systems.