Connection schemes

April 17, 2024

ID 204310

The connection scheme is determined by the method used to redirect traffic to the Kaspersky DDoS Protection System and the method used to deliver the filtered traffic to the site of the Protected resource.

Traffic redirection methods:

  • Change the DNS A record to the IP address issued by Kaspersky DDoS Protection. This requires that you block the original IP address of the Protected resource (to prevent an attack on the original IP address that would bypass the Kaspersky DDoS Protection System) and reduce the TTL for the DNS A record.
  • Switch via BGP, which involves forwarding announcements of the IP addresses of an autonomous system to the Internet through the Kaspersky DDoS Protection System.

Traffic delivery methods:

  • Reverse proxy – this method is suitable for HTTP(S) resources. Each visitor of the Protected resource establishes an HTTP session with a proxy node of the Kaspersky DDoS Protection System, which then establishes a separate session with the web server of the Protected resource. All requests to the web server come from the IP addresses of the Kaspersky DDoS Protection System, and the original IP addresses of visitors are forwarded in the HTTP headers X-Real-IP or X-Forwarded-For.
  • Routing – this method is suitable for any resources that have non-HTTP(S) services, and involves setting up GRE tunnels or physical junctions between Scrubbing Centers and the site of the Protected resource, and configuring BGP peering. If the Customer has their own AS and PI addresses, the Customer's PI network is routed through Scrubbing Centers. If the Customer does not have their own AS and PI addresses, a private AS number and IP addresses from the Kaspersky DDoS Protection pool are issued to the Customer for switchover by changing the DNS A record. Traffic is delivered without any modifications.
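The two points above that matter at the origin are that only the Scrubbing Centers should be able to reach the web server once the DNS A record has been switched, and that the visitor's address arrives in X-Real-IP or X-Forwarded-For rather than as the TCP peer. The following is an added example (not code from the page or from Kaspersky) of how an origin web server can act on both: it accepts a request only when the connecting peer is a scrubbing-center address, and it reads the forwarded headers only in that case. The prefixes in SCRUBBING_CENTER_PREFIXES are constructed placeholders from the RFC 5737 documentation ranges; the real ranges are issued by the provider. The function names and the header dict format are assumptions for the example.

```python
import ipaddress
from typing import Optional

# Constructed placeholder prefixes standing in for the scrubbing-center
# address ranges. The real ranges are supplied by the provider.
SCRUBBING_CENTER_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder (RFC 5737 TEST-NET-2)
    ipaddress.ip_network("203.0.113.0/24"),   # placeholder (RFC 5737 TEST-NET-3)
]


def is_scrubbing_center(peer_ip: str) -> bool:
    """True if the TCP peer that connected to the origin is a proxy node."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in SCRUBBING_CENTER_PREFIXES)


def client_ip_from_headers(peer_ip: str, headers: dict) -> Optional[str]:
    """Return the visitor's IP address as recorded by the proxy node.

    Returns None when the request did not come through a Scrubbing Center
    (a connection straight to the origin bypassed filtering and should be
    rejected, not served) or when the forwarded headers cannot be parsed.
    """
    if not is_scrubbing_center(peer_ip):
        return None

    # HTTP header names are case-insensitive; normalise once.
    h = {k.lower(): v for k, v in headers.items()}

    xff = h.get("x-forwarded-for")
    if xff:
        # Walk the list from the right. Every trailing address that belongs
        # to a scrubbing-center prefix is one of the provider's own hops;
        # the first address that is not is the visitor. Anything further
        # left was present before the request reached the proxy node and
        # is not relied on.
        hops = [p.strip() for p in xff.split(",") if p.strip()]
        for hop in reversed(hops):
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                return None  # malformed value: refuse rather than guess
            if not any(addr in net for net in SCRUBBING_CENTER_PREFIXES):
                return str(addr)
        return None  # only proxy addresses present; no visitor recorded

    real_ip = h.get("x-real-ip")
    if real_ip:
        try:
            return str(ipaddress.ip_address(real_ip.strip()))
        except ValueError:
            return None
    return None


if __name__ == "__main__":
    # Constructed sample requests: one via a proxy node, one direct to the origin.
    print(client_ip_from_headers("198.51.100.10",
                                 {"X-Forwarded-For": "192.0.2.7, 203.0.113.4"}))
    print(client_ip_from_headers("192.0.2.99", {"X-Forwarded-For": "198.51.100.1"}))
```

The peer-address check is the software-side counterpart of blocking the original IP address at the firewall: even if the origin address leaks, requests that do not arrive from the Scrubbing Centers are refused, and a forwarded header is only believed when it was set by a node the origin trusts.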

Real-world connection schemes may consist of the following combinations:

Kaspersky DDoS Protection connection schemes

  Traffic delivery method   DNS   BGP
  Reverse proxy             Yes   No
  Routing                   Yes   Yes

One separate element of a connection scheme is a Sensor, which will be required for attack detection if the "On demand" mode is selected or if protection without HTTPS decryption is required for "Always on" mode.
