UltraDDoS Protect™ FAQ

What is Neustar UltraDDoS Protect?

Neustar UltraDDoS Protect is one of the largest, dedicated cloud-based, on-demand DDoS mitigation services in the world with a data scrubbing capacity of 15 Tbps, with plans for further expansion. When activated, UltraDDoS Protect scrubs malicious Internet traffic, allowing clean, legitimate traffic to flow to your infrastructure. By defending your website, UltraDDoS Protect shields your online revenues, customer satisfaction and brand reputation.

Why Choose Neustar for DDoS Protection?

Our security operations are fully manned 24/7 by senior-level DDoS mitigation professionals. The countermeasures, processes, and practices built from more than a decade of thwarting DDoS attacks makes Neustar your best partner to monitor and responds to threats - even flexibly changing defenses as attackers assault using multiple tactics from multiple vectors with multiple motives.

How will traffic be redirected?

When attacked, traffic can be redirected in two ways:

  • DNS redirection
  • Border Gateway Protocol (BGP) redirection

How does redirecting traffic via DNS work?

It’s easy. Simply switch the DNS A records for any hosts under DDoS attack to your assigned UltraDDoS Protect IPs. Traffic will start flowing through the UltraDDoS Protect mitigation cloud, where it’s cleaned and forwarded to your infrastructure. Once a DDoS attack subsides, just switch your DNS A records back to your original IPs.

What is Neustar UltraDNS?

Neustar UltraDNS is an enterprise grade, cloud-based authoritative DNS service that securely delivers fast and accurate query responses to websites and other vital online assets

Do I have to use Neustar UltraDNS with Neustar UltraDDoS Protect?

No. You can use any DNS solution. Just be sure your solution lets you set a low TTL (time to live) for each record, so you can quickly redirect your traffic to UltraDDoS Protect. With Neustar UltraDNS, you can set a lower TTL at both the domain and record levels.

What is UltraDNS Firewall?

Neustar UltraDNS Firewall is a cost effective enterprise grade, cloud-based recursive DNS service that delivers fast and reliable access to vital online applications with built-in security and threat intelligence.

Why chooses Neustar for DNS services?

Security, reliability, performance. Just what you want in your DNS provider. They’re the reasons Fortune 500 and Alexa 100 companies count on Neustar to secure this cornerstone of their connected world.

Does UltraDDoS Protect support forwarding to CNAMEs?

Yes, our DNS redirection service can forward traffic to DNS CNAME records. This is important if you want to place Neustar's DDoS prevention service in front of your CDN service.

Is UltraDDoS Protect PCI Compliant?

Yes. Neustar maintains PCI DSS Level 1 compliance for it’s UltraWAF and UltraDDoS Protect solutions. Neustar is audited annually by a third-party Qualified Security Assessor QSA. Neustar's Attestation of Compliance (AoC) is available upon request.

How does BGP redirection work?

When you’re hit with a DDoS attack, we’ll work with you to redirect traffic to the UltraDDoS Protect mitigation cloud. For affected prefixes, you’ll withdraw BGP announcements from your routers. Our Security Operations Center will initiate BGP announcements from the UltraDDoS Protect network. Within minutes, UltraDDoS Protect will start to absorb the attack. Security Operations will oversee DDoS prevention, sending clean traffic to your infrastructure via GRE tunnels. When the DDoS attack is over, we’ll help you re-establish BGP announcements on your routers for affected prefixes.

Are there requirements for BGP redirection?

To use BGP redirection you must have:

  • A /24 prefix, at a minimum.
  • A BGP (Border Gateway Protocol) and GRE (Generic Routing Encapsulation) capable router.
  • IP address space to terminate GRE tunnels that lies outside of the prefixes that you need defended.

Why choose DNS redirection over BGP or vice-versa?

Both DNS and BGP are efficient ways to route your UltraDDoS Protect. Most customers choose DNS redirection because it’s easier to deploy and maintain. If you have a more complex Internet infrastructure, with many hosts and IPs to defend, you may want to opt for BGP routing. Note: BGP routing requires one or more /24 prefixes, along with BGP/GRE-capable routers. Any router that can handle BGP and GRE (Generic Routing Encapsulation) tunnels should be compatible.

Does UltraDDoS Protect have an always-on option?

Yes. Always-on has become the industry best practice for DDoS protection as it allows immediate mitigation of common DDoS attacks and mitigation within seconds for more complex attacks. We encourage all customers to migrate to the UltraDDoS Protect always-on service to maximize your protection capabilities. The UltraDDoS Protect network boasts over 15 Tbps of capacity to handle multiple times the largest attacks and presence in many datacenters around the world ensuring low latency operation for where our customers operate.

How do you determine your clean traffic?

Clean traffic is defined as the total amount of traffic to be protected going in and out of your network to the Internet in Mbps (Megabits/Second) or Gpbs (Gigabits/Second), at the 95th percentile. If multiple services (e.g., email, Web, etc.) are to be protected, each service must be measured and added to the total.

Using the right unit of measurement is critical. UltraDDoS Protect packages use the Mbps (Megabits/Second) or Gbps (Gigabits/Second). Other formats such as Mbps or MB/Sec (megabytes per second), (KB/Sec (kilobytes per second) or Kbps (kilobits per second) should be converted to Mbps for accurate measurement.

To determine your clean traffic, your technical team should look at Netflow data on your routers, MRTG or CACTI graphs. You can also take a look at your Apache or IIS web logs.

What’s the maximum clean traffic limit for BGP and DNS?

UltraDDoS Protect packages are available for up to 40 Gbps of clean traffic, but have no upper limit to our requirements.

What options are available if you exceed the clean traffic limit?

For clean traffic beyond 2 Gbps, please contact our sales team at +1-855-727-1209 to find the right solution for your infrastructure.

How long does it take to mitigate a DDoS attack?

Once traffic starts flowing through UltraDDoS Protect, DDoS protection procedures are initiated immediately and our Neustar Security Operations Staff tunes mitigation strategies appropriately.

Can I sign onto the service if I am currently under a DDoS attack?

Absolutely. The Neustar team can provision you during a DDoS attack (additional fee applies). Before we start, set your TTL for each DNS record as low as you can. By following this best practice, you’ll accelerate your DNS changes across the Internet, helping to stop the DDoS attack faster and reduce website downtime.

What’s involved in provisioning UltraDDoS Protect via DNS redirection? How long does it take?

When you sign up for UltraDDoS Protect, we ask you to supply details on the infrastructure you want protected. After we receive these, we schedule a call to review your infrastructure in depth. Our Security Operations Center then provisions you, sending all instructions required to mitigate DDoS attacks.

Typically, this process takes 72 hours. If you’re under attack, however, we’ll work closely with your team to provision you in minutes.

What is involved in provisioning UltraDDoS Protect via BGP Redirection and how long does it take to get provisioned?

When you sign up for UltraDDoS Protect, we ask you to supply details on the infrastructure you want protected. After we receive these, we’ll schedule a call to review your infrastructure in depth. Our Security Operations Center will then provision you, sending you detailed instructions on setting up GRE tunnels. The SOC will also schedule a time to test your tunnels’ functionality with you. If you need emergency provisioning, we’ll initially set you up via DNS redirection, so we can mitigate the attack as we proceed with BGP provisioning.

Is UltraDDoS Protect carrier neutral?

Yes. If you have network connectivity from diverse carriers, UltraDDoS Protect can be your one DDoS protection service. It’s much easier and less expensive than having all your carriers supply their own protection.

Can UltraDDoS Protect handle my HTTPS traffic?

Yes, both our DNS redirection services can handle HTTPS traffic. If you choose DNS redirection and need to know end-user source IPs, you can opt to give us an SSL cert to serve; this way, we can pass along source IPs in an X-Forwarded-For header field.

Is UltraDDoS Protect an IPS/IDS (Intrusion Prevention/Detection) service?

No. UltraDDoS Protect is a DDoS mitigation service and doesn’t protect you against attempted intrusions like SQL injection attacks or cross-site scripting attacks.

Is there latency when routing traffic through the cloud?

Deployed strategically across the world, UltraDDoS Protect scrubbing centers use the same Anycast technology as Neustar UltraDNS. To minimize latency, we route traffic to the closest available scrubbing center. We can also cache static content to ensure faster replies. While routing traffic through additional hops will add some latency, it’s a matter of milliseconds. Visitors to your site won’t notice any difference. To reduce latency to an absolute minimum, we offer the Neustar NetProtect™ service as a complement to UltraDDoS Protect.

What is Neustar NetProtect?

Neustar NetProtect augments UltraDDoS Protect with a direct connection into each of our strategically located data scrubbing centers around the world to deal with denial of service attacks. Designed for highly complex, enterprise-level systems, it addresses and mitigates, or entirely avoids, the concerns of latency, complexity and other anomalies that are commonly associated with legacy Generic Routing Encapsulation (GRE) and Virtual Private Network (VPN) tunnel systems.

Do You Offer More Options to Pair with UltraDDoS Protect?

Yes we do. We also have Neustar UltraWAF. This web application firewall can be used in combination with UltraDDoS Protect to provide a cloud-based, always-on solution that protects against threats to layers 3-7. Cloud-provider, hardware and CDN agnostic, Neustar UltraWAF is compatible anywhere your applications are hosted.

What is Neustar’s Detection and Alerting Triggered Mitigation?

Customers direct their NetFlow data to Neustar for constant analysis and mitigation triggers when an attack is detected. For those short on expertise and staff, this defense option provides a valuable extension to stretched security operations.

What is Neustar’s DNS/BGP Customer Triggered Mitigation?

Standard configurations that allow a UltraDDoS Protect customer to mitigate in either DNS redirection or BGP connection service configurations. Attack traffic will spark mitigation for the targeted host reducing the time-to-mitigation and improving reaction times.

What is Neustar’s API-Triggered Mitigation?

Available with Neustar’s standard on-demand BGP service and allows customers to call the UltraDDoS Protect API to begin their mitigation. The ability for this API to be leveraged with other security services creates new potential stable state improvements and protective actions automatically.

What is Neustar’s Cloud Signaling Triggered Mitigation?

Endpoint detection based upon bits per second and/or packets per second thresholds that, when exceeded, initiates alert for BGP redirection mitigation.


Under DDoS Attack? Relief Begins Here!