DDoS Best Practices
This guide covers the architectural best practices for protecting your infrastructure from DDoS attacks using NetActuate's layered mitigation model. For portal-level DDoS rule configuration, see the DDoS Protection section.
Concentric Circles of DDoS Mitigation
DDoS mitigation is most effective when deployed in multiple layers. Each layer progressively reduces the attack surface before traffic reaches your applications.
Outer Circle: Transit Providers and Peer Rules
Rules are pushed to the far edge — your transit providers and peers — to limit traffic toward announced prefixes. If you know a specific prefix should only accept DNS (UDP/TCP 53) traffic, you can block or rate-limit other traffic at this outer layer. These rules are typically stateless and designed to stop large volumes of unwanted traffic before it enters your environment.
Middle Circle: Edge Rules
At the network edge, more advanced rules handle rate limiting, policy-based routing, and other network controls. This layer filters out more targeted attacks before they reach core resources.
Inner Circle: Core Rules or Managed Firewall
Using NetActuate's VM Interface Firewall API, you can configure access control lists (ACLs) at the host level. You can also engage the NetActuate team to deploy a managed firewall or other services to monitor and control traffic headed to your resources. These inner-layer rules offer the most granular control.
Once these layers are in place, your deployment has a significantly reduced attack surface. DDoS attacks can still occur, but they have fewer pathways and resources to exploit.
DDoS Mitigation Flow
With the layered defense in place, large-scale attacks are handled by NetActuate's DDoS mitigation platform, which inspects traffic at the edge. In a multi-PoP Anycast deployment, attack traffic is distributed across a wide surface area, allowing detection systems to quickly identify unusual patterns.
If an attack is confirmed, the platform applies policies and can execute predetermined actions:
- Swing your network to a DDoS-protected scrubbing network managed by NetActuate
- Inspect traffic and remove bad packets by filtering at the packet level or analyzing source addresses, protocols, and other anomalies
- Distribute clean traffic back to your deployments automatically with no changes required on your part
Alternatively, you might choose to route to a third-party mitigation provider, withdraw specific announcements, blackhole certain traffic, or fail over to another PoP. NetActuate will work with you to implement the best strategy.
Anycast Group Best Practices
Use Separate Subnets per Service
Assign different /24 IPv4 subnets (and corresponding IPv6 /48 subnets) for each critical service. For example, primary (ns1), secondary (ns2), and tertiary (ns3) authoritative name servers should each use their own prefix. This prevents:
- A single DDoS attack on one /24 from impacting every nameserver
- Global BGP dampening issues on a single prefix from taking all DNS offline
- Cross-contamination of mitigation policies between services
Use Larger Anycast Subnets
Advertise at least a /23 prefix (IPv4) for each Anycast group. Advertising a more specific /24 from your /23 allows traffic diversion to different mitigation providers, or lets you sink DDoS traffic away from primary infrastructure as part of a disaster recovery strategy.
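As an added example (not NetActuate's code or data), the following Python check validates an Anycast addressing plan against the two rules above: every critical service announces its own /24 (and its own /48), and every Anycast group advertises an aggregate no longer than /23 that covers its services' more-specific prefixes. The service names, group names and prefixes are constructed documentation ranges, and the /47 IPv6 aggregate limit is an assumed analogue of the /23 IPv4 rule.

```python
import ipaddress

# Constructed sample plan (not NetActuate data): the more-specific prefix each
# service announces and the aggregate each Anycast group advertises.
SERVICES = {
    "ns1": {"group": "dns-a", "v4": "203.0.112.0/24", "v6": "2001:db8:10::/48"},
    "ns2": {"group": "dns-b", "v4": "198.51.100.0/24", "v6": "2001:db8:20::/48"},
    "ns3": {"group": "dns-a", "v4": "203.0.112.0/24", "v6": "2001:db8:11::/48"},  # reuses ns1's /24
}
GROUPS = {
    "dns-a": {"v4": "203.0.112.0/23", "v6": "2001:db8:10::/47"},
    "dns-b": {"v4": "198.51.100.0/24", "v6": "2001:db8:20::/47"},  # aggregate too specific
}

# Required prefix length per service, and the longest acceptable group aggregate
# (/23 from the guidance; /47 for IPv6 is an assumption by analogy).
SERVICE_LEN = {"v4": 24, "v6": 48}
AGGREGATE_MAX_LEN = {"v4": 23, "v6": 47}


def check_plan(services, groups):
    """Return a list of findings; an empty list means the plan follows the guidance."""
    findings = []
    seen = {}  # prefix -> first service that claimed it
    for name, svc in services.items():
        for fam in ("v4", "v6"):
            prefix = ipaddress.ip_network(svc[fam])
            # Rule 1: one dedicated /24 (and /48) per critical service.
            if prefix.prefixlen != SERVICE_LEN[fam]:
                findings.append(f"{name}: {prefix} is not a /{SERVICE_LEN[fam]}")
            if prefix in seen:
                findings.append(f"{name}: {prefix} already used by {seen[prefix]}")
            seen.setdefault(prefix, name)
            # Rule 2a: the more-specific must sit inside its group's aggregate,
            # otherwise it cannot be diverted or sunk independently of the rest.
            agg = ipaddress.ip_network(groups[svc["group"]][fam])
            if not prefix.subnet_of(agg):
                findings.append(f"{name}: {prefix} not covered by {svc['group']} aggregate {agg}")
    for gname, grp in groups.items():
        for fam in ("v4", "v6"):
            agg = ipaddress.ip_network(grp[fam])
            # Rule 2b: the aggregate must be at least a /23 so a /24 can be carved out.
            if agg.prefixlen > AGGREGATE_MAX_LEN[fam]:
                findings.append(f"{gname}: aggregate {agg} is longer than /{AGGREGATE_MAX_LEN[fam]}")
    return findings


if __name__ == "__main__":
    for finding in check_plan(SERVICES, GROUPS):
        print(finding)
```

Running it against the constructed plan reports the shared ns1/ns3 prefix and the dns-b aggregate that leaves no room for a more-specific /24.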
Diversify by Service Class
If you operate a multi-tenant service, separate different service classes (e.g., free vs. enterprise users) into distinct Anycast groups. Attacks targeting one group will not spill over to affect another.
Leverage Carrier Diversity
Each Anycast group can use a different mix of transit carriers. If one carrier experiences an upstream issue or major DDoS event, the other groups with different carriers remain unaffected. See Redundant Anycast Groups for a full reference architecture.
Manual Mitigation Options
Trigger DDoS Mitigation via BGP Communities or API
You can manually initiate or modify DDoS mitigation rules by sending the appropriate BGP communities or using the NetActuate API.
Blackhole Traffic Using BGP Communities
If you detect a specific attack vector and want to drop traffic entirely, you can trigger a blackhole to discard malicious traffic before it reaches your environment.
Related Guides
- DDoS Protection Portal — configure DDoS rules, review analytics, and browse attack logs
- VM Interface Firewall — host-level ACLs for per-VM traffic control
- Redundant Anycast Groups — primary/secondary/tertiary DNS architecture
- ECMP Load Balancing — distribute traffic across multiple servers at one location
Need Help?
Contact support@netactuate.com or open a support ticket from the portal.