Key Features

/01 Architecture

/02 UX

Easy to manage
One screen is used for the setup of countermeasures and monitoring of their effectiveness, without the need to switch between pages of the web interface
Documentation
The MITIGATOR web interface has detailed user documentation in English. The documentation is available both as a summary description and contextually for each element
Dashboards
MITIGATOR web interface allows for the creation of dashboards with a custom number of widgets, containing graphs and statistics, so the users can quickly switch between several sets of widgets and solve various tasks
Bulk Changes
MITIGATOR provides the ability to apply the same action to several selected protection policies at once

/03 Deployment and infrastructure

/04 Mechanisms and countermeasures

Challenge response
A specialized user authentication protocol employing the Challenge Response method, convenient for embedding in a protected application. Supports operation over TCP and UDP protocols.
Protection of specific protocols
MITIGATOR contains countermeasures that allow you to describe the characteristic behavior of the protected protocol traffic and set sender authentication rules
TCP protection for Traffic Symmetry
MITIGATOR supports SYN-proxy (TCP Splicing) protection if outgoing traffic from protected resources passes through it
Gaming servers protection
MITIGATOR protects game servers from DDoS attacks via TCP and UDP protocols. The product implements protection mechanisms for Counter Strike: GO and other games from Valve, as well as Minecraft, Rust, ARK, Source Engine Query, etc. New protection mechanisms are added constantly
Fragmented traffic processing
MITIGATOR can collect fragmented traffic for further processing, with rules that describe which fragments should be collected and which should be dropped without processing. This creates efficient protection against fragmented traffic attacks
Protection against carpet-bombing attacks
MITIGATOR can block traffic senders if they try to access an unusually large number of services. The counting of requests is carried out independently for TCP and UDP
HTTPS Protection
In addition to TLS protection, MITIGATOR analyzes web server logs to detect attacking bots. Besides that, challenge-response authentication of senders can be performed within HTTPS via redirection to a special verification server
TLS Protection
MITIGATOR allows the protection of TLS applications without traffic decryption by analyzing TLS parameters and JA3 fingerprints in various ways. In combination with other countermeasures and a web server log analyzer, it is possible to achieve maximum protection efficiency
TCP protection for Traffic Asymmetry
To protect against TCP attacks while only incoming traffic is present, MITIGATOR uses widely accepted checking methods: resetting the TCP session and using the wrong sequence number with different combinations of flags.
In addition to the standard protection mechanisms, a unique mode of operation with ISN synchronization is available, in which protection against traffic asymmetry does not require unnecessary packet exchange or disconnecting the client.
Host protection can be activated only for the servers under attack, which eliminates the negative impact on the traffic of other services
Programmable filter
Custom traffic processing programs can be created and used in MITIGATOR

/05 Audit and Logging

sFlow
MITIGATOR can send sFlow on incoming and outgoing traffic with different sampling values
PCAP
MITIGATOR enables manual and automatic collection of traffic dumps and can send them to the user via e-mail and Telegram or upload them to file storage

Incidents
MITIGATOR keeps detailed logs of changes in traffic characteristics that are recognized as attacks. Periodic delivery of incident reports for protection policies is implemented, as well as subscription to notifications about system events

Syslog Drops
MITIGATOR can send syslog messages about each dropped network packet of specified countermeasures and policies for subsequent analysis in SIEM systems
MITIGATOR can send notifications about system events via email, syslog and Telegram. The user chooses which events to be notified about


Network Deployment

MITIGATOR can work in L2-transparent and L3-router, inline and on-a-stick modes. The integration method depends on the network structure and tasks. Traffic can be directed to MITIGATOR permanently or only at the moment of attack. Interaction via BGP is supported.

Clustering

In cluster mode, several MITIGATOR instances use single databases and are managed centrally. By adding additional instances, the system can be scaled without limits. Cluster mode allows for independent traffic processing on each instance while they can be managed via a single interface. In the event of a planned or emergency shutdown of any instance, others can still be managed.

MITIGATOR deployment steps

1. Contact us by filling a simple form
2. Contact with the client via available communication channels
3. Analysis of customer needs, discussion of the deal aspects
4. Pilot project: practical testing, introduction to the basic principles of MITIGATOR operation
5. Configuration of MITIGATOR according to the specifics of the client’s infrastructure
6. Activation of the protection

MITIGATOR detects and automatically suppresses DDoS attacks at levels L3-L7 of the OSI model. The product contains 50+ countermeasures based on various mechanisms: challenge-response, rate-based, regexp, validating, limiting, iplist, application behavior
While specific IP addresses or TLS fingerprints can be set up, MITIGATOR also allows the use of named lists from various sources, including MITIGATOR Feeds - regularly updated reputation lists of IP addresses, ASes, and JA3 fingerprints created by the MITIGATOR team
Supports interaction via BGP and BGP FlowSpec to redirect traffic to scrubbing, signal upstream equipment, and make blackhole announcements. Each MITIGATOR instance is an independent BGP speaker with the ability to automatically remove announcements if the filtering device fails.
The host protection detector and host activation mechanism allow checks to be applied only to IP addresses whose traffic exceeds a set threshold. This enables flexible configuration of traffic processing and has no impact on the traffic of unattacked services
MITIGATOR can be used to create a DDoS protection service. Traffic separation allows the provision of independent filtering settings for individual clients. A flexible role model and password management policy are available
MITIGATOR has a built-in non-traffic-affecting testing mechanism for the security settings. Test mode can be activated for individual countermeasures or the entire policy
MITIGATOR allows traffic separation and filtering not only by the destination address, but by any combination of 5-tuple fields as well. Thus, specific services' traffic can be diverted to separate protection policies and only necessary countermeasures can be applied for scrubbing
MITIGATOR supports an operating mode in which active countermeasures do not drop traffic from unknown connections, and records about them are added to the tables of authenticated connections for a set time after their activation. Thus, the traffic of connections established before the protection was enabled is not affected. When disabled in the Soft Stop mode, MITIGATOR will not break established sessions, but will wait for them to close
MITIGATOR supports operation in a cluster, which ensures maximum reliability of protection due to redundancy. Traffic processing performance increases due to a growing number of filtering nodes. Data synchronization mechanisms between cluster instances help to ensure seamless traffic transition.
MITIGATOR has a built-in function for automatic activation and deactivation of mechanisms based on set thresholds, both for traffic passing through the system and for data from the Flow collector. Thresholds and the response time when they are crossed can be set up independently for each protection policy