Security
Equinix Internet Access provides security features that offer protection, detection, and mitigation of various types of threats.
Remotely Triggered Black Hole
During a potential distributed denial-of-service (DDoS) attack, Equinix temporarily blackholes a single IP address and pushes the black hole advertisement towards the northbound ISP. All IP traffic towards that IP address is dropped. This action prevents saturation of all upstream ports, thereby protecting the Equinix network and its customers. It also prevents saturation of private connections on the Equinix Fabric network if an attack occurs over an Equinix Internet Access with Fabric service.
This triggering happens automatically when a single host exceeds predefined limits for traffic and packet rate in a pattern that suggests a volumetric attack. Once the threat is removed, the customer whose traffic was blocked is reinstated after sufficient time has elapsed.
Other Security Features
Equinix Internet Access provides additional security support:
- Generation of Automated Internet Routing Registry (IRR) filters
- Rich Border Gateway Protocol (BGP) community; no-advertise by provider and region
- Transfer-net from non-routed address space
Adding Security to your Internet Access Service
Customers can take additional steps to safeguard their apps against attacks that come over the internet. These suggestions are optional and at your discretion.
Monitor Traffic
Customers should monitor their traffic or create alerts for sudden large spikes. Traffic can be viewed by navigating to Traffic Usage for Equinix Internet Access in the Equinix Customer Portal. If the source IP addresses are unknown or the traffic type is suspicious, an attack is likely. Contact Equinix to immediately blackhole the traffic.
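One way to build the spike alert described above on your own side, as an added example that is not Equinix code: it flags a destination host only when both its byte rate and packet rate jump well above that host's own recent median and most of the bytes come from sources outside your known prefixes. The flow-record layout, the thresholds, and the known-source prefixes are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed values for illustration; tune them to your own baseline.
KNOWN_SOURCES = [ip_network("198.51.100.0/24"), ip_network("192.0.2.0/24")]
SPIKE_FACTOR = 5     # alert when a host exceeds 5x its median rate
MIN_BASELINE = 3     # intervals of history needed before alerting
UNKNOWN_SHARE = 0.5  # fraction of bytes from unknown sources needed to alert

def find_spikes(flows, interval=60):
    """flows: iterable of (epoch_seconds, src_ip, dst_ip, bytes, packets)."""
    # buckets[dst][slot] = [bytes, packets, bytes from unknown sources]
    buckets = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))
    for ts, src, dst, nbytes, npkts in flows:
        b = buckets[dst][ts // interval]
        b[0] += nbytes
        b[1] += npkts
        if not any(ip_address(src) in net for net in KNOWN_SOURCES):
            b[2] += nbytes
    alerts = []
    for dst, slots in buckets.items():
        history = []  # (bytes, packets) of earlier non-spike intervals
        for slot in sorted(slots):
            nbytes, npkts, unknown = slots[slot]
            if len(history) >= MIN_BASELINE:
                base_b, base_p = (median(col) for col in zip(*history))
                # Both byte and packet rate must jump, as in a volumetric pattern.
                if (nbytes > SPIKE_FACTOR * base_b and npkts > SPIKE_FACTOR * base_p
                        and unknown / nbytes >= UNKNOWN_SHARE):
                    alerts.append({"host": dst, "start": slot * interval,
                                   "bps": nbytes * 8 // interval, "pps": npkts // interval,
                                   "unknown_share": unknown / nbytes})
                    continue  # keep the spike out of the baseline
            history.append((nbytes, npkts))
    return alerts

def sample_flows():
    """Constructed flow records: four quiet minutes, then a spike on one host."""
    flows = []
    for minute in range(4):
        flows.append((minute * 60, "198.51.100.7", "203.0.113.10", 1_000_000, 1_000))
        flows.append((minute * 60, "192.0.2.15", "203.0.113.20", 2_000_000, 2_000))
    for i in range(20):  # minute 4: many unknown sources hit one host
        flows.append((240 + i, f"198.18.0.{i + 1}", "203.0.113.10", 2_000_000, 30_000))
    return flows

if __name__ == "__main__":
    print(find_spikes(sample_flows()))
```

Each alert names the host, the interval start, and the observed rates, which is the information to have at hand when contacting Equinix about blackholing the traffic.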
Access Control Lists and Log Monitoring
An access control list (ACL) is a list of rules that specify which users or systems are granted or denied access to a particular object or system resource. This strategy is ideal if your traffic is largely internal traffic, where addresses and systems are known.
In addition, you should monitor logs for suspicious or unknown behavior. This is a good way to keep your control lists current.
Firewalls
Customers can select from a wide range of third-party firewall implementations based on their needs, ranging from simple network firewalls to specialized application firewalls. Virtual customers can also leverage Equinix Network Edge service offerings.
Intrusion Detection and Prevention Service Appliances
Customers who use Equinix colocation-related products can take advantage of a wide range of hardware and software appliances to guard against DDoS attacks. These users can select a capacity and price that meets their needs. This approach is ideal if you are a colocation customer with your own space and hardware.
Cloud Security Providers
Through a cloud security provider, you can conveniently add protection without deploying any hardware or software. This solution is viable if you have your own publicly routable IP address with Equinix Internet Access.