Testing a DNS+routing scheme

April 17, 2024

ID 205375

To complete the connection process, you must conduct a test switchover of the traffic of all the Customer's Protected resources to Kaspersky DDoS Protection Scrubbing Centers.

Prerequisites for conducting a test switchover

  • For testing purposes, it is recommended to select a time interval during which the load on the Protected resources is minimal.
  • The pre-sales support engineer involved in the connection process must be notified about the Customer's intention to conduct a test switchover at least 3 days in advance of the desired test date.
  • The pre-sales support engineer involved in the connection process must also be notified about the Customer's intention to conduct load testing.
  • Prior to testing, it is recommended to coordinate the test plan on the Customer side and record it in the document titled "Test Plan and Testing Protocol".

To switch traffic of Protected resources to the protection route:

  • Change the Protected resource's IP address in the DNS A record to the IP address issued by Kaspersky DDoS Protection. If the test switchover will be conducted on traffic of multiple Protected resources, each resource's original IP address in the DNS A record must be replaced with the IP address issued by Kaspersky DDoS Protection.
  • Block all traffic to the original IP address of the Protected resource upstream of the last mile. If GRE tunnels are terminated at the original IP address of the Protected resource, the provider must block all traffic except GRE (IP protocol 47).
  • After the defined TTL expires, make sure that the Protected resource is accessible at the IP address issued by Kaspersky DDoS Protection and via the Protected ports and protocols previously specified.

To switch traffic of Protected resources to the original route:

  • Unblock all traffic upstream of the last mile to the original IP address of the Protected resource. If a specific type of traffic was blocked, remove these deny rules.
  • Restore the original IP address of each Protected resource in the DNS A record.
  • After the defined TTL expires, make sure that the Protected resource is accessible at the original IP address and via the Protected ports and protocols previously specified.

In Always on mode, traffic of Protected resources is not switched over to the original route.
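
The post-TTL verification step in both procedures above can be scripted. The following is an added example, not part of Kaspersky DDoS Protection tooling. It assumes a hypothetical `RESOURCE` record with constructed documentation-range addresses, checks TCP ports only, and must be run from a host outside the provider's network for the upstream-block check to be meaningful.

```python
import socket

# Constructed sample: documentation-range addresses, not real issued IPs.
RESOURCE = {"hostname": "www.example.com", "original_ip": "192.0.2.10",
            "issued_ip": "203.0.113.10", "tcp_ports": [80, 443]}

def resolve_a(hostname):
    """Return the set of IPv4 addresses the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def tcp_open(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port succeeds within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_route(resource, expect, resolve=resolve_a, probe=tcp_open):
    """Check one Protected resource after the TTL has expired.

    expect is "protection" (after switching to the protection route) or
    "original" (after switching back). Returns a list of problems found.
    """
    to_protection = expect == "protection"
    want = resource["issued_ip"] if to_protection else resource["original_ip"]
    other = resource["original_ip"] if to_protection else resource["issued_ip"]
    answers = resolve(resource["hostname"])
    problems = []
    if want not in answers:
        problems.append(f"A record does not return {want}: {sorted(answers)}")
    if other in answers:
        problems.append(f"A record still returns {other}")
    for port in resource["tcp_ports"]:
        if not probe(want, port):
            problems.append(f"{want}:{port}/tcp not reachable")
        # On the protection route the original IP must be blocked upstream.
        if to_protection and probe(other, port):
            problems.append(f"{other}:{port}/tcp reachable; upstream block missing")
    return problems

if __name__ == "__main__":
    # Offline demo with stubs: DNS was updated but the upstream block was forgotten.
    updated_dns = lambda host: {"203.0.113.10"}
    everything_open = lambda ip, port: True
    for problem in check_route(RESOURCE, "protection", updated_dns, everything_open):
        print(problem)
```

Calling `check_route(RESOURCE, "protection")` without the stub arguments uses the live resolver and real TCP connections.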
