FAQ

Frequently asked questions about the NaWas

Where is the NaWas available?

NaWas is working hard on a “distributed network architecture” that will be available in as many European countries as possible. You can request an overview of all available locations from NaWas.

Who can connect to the NaWas?

All parties with their own AS number can connect to the NaWas.

What is technically required to connect to the NaWas?

To connect to the NaWas, a port must be available at one of the following parties: AMS-IX, NL-ix, LINX, NetIX, Top-IX, MIX, VIX. You can also connect to the NaWas with a cloud interconnect from DCspine, Epsilon or Megaport. The number of parties providing access to NaWas is growing rapidly.

How does the NaWas distinguish itself from other providers of anti-DDoS services?

First of all, NaWas is part of NBIP, a non-profit foundation established by the internet community and technical specialists. This means that its operation and connection are easily understood by the target audience. The goal is to make the internet safer. By connecting to NaWas, you make the internet a bit safer. The participants of NBIP fund NaWas themselves, keeping the costs as low as possible.

What does NaWas do specifically to make the internet safer?

NaWas participates in multiple initiatives, such as the Anti-DDoS Coalition, and shares knowledge with its own participants and several universities, like the University of Twente (UT). NaWas also contributes to the development of non-profit institutes such as the DDoS ClearingHouse.

Does NaWas offer “Always-On” or “On-Demand” services?

The NaWas infrastructure is developed as an on-demand service. After detection of an attack, the traffic is routed via BGP to NaWas hardware, and then the mitigation process begins. We redirect the traffic through our own connections. This means you don’t have to invest in extra capacity yourself, which saves you costs. After the attack, the traffic is routed back, so it no longer passes through NaWas. As a result, NaWas only needs to be sized for attack traffic, which keeps costs low. Currently, NaWas is exploring the possibilities of offering an always-on solution.

How quickly does NaWas work after detecting an attack?

The mitigation process starts within a few minutes after the traffic is redirected to NaWas hardware.

How and where are attacks detected?

Attacks can be detected manually or by an automated tool. NaWas recommends installing tooling because attacks also happen outside working hours and on weekends. NaWas has had good experiences with tools such as FastNetMon and Flowmon DDoS Defender. A pilot is running with the latter tool to offer Detection & Mitigation as a solution. NaWas is also exploring possibilities to offer the Detection service as a hosted solution.

What is the current scrubbing capacity of NaWas?

NaWas is among the largest anti-DDoS scrubbing centers in Europe. More important, however, is how large and numerous the connections of our participants and the network are. This determines how efficiently NaWas can process attacks.

Does NaWas have a redundant setup?

NaWas has two redundant setups in geographically separated data centers.

For what type of traffic does NaWas work?

In relation to the OSI model, NaWas can mitigate DDoS traffic on all layers. For Layer 7 (application layer), NaWas will mitigate based on header fields and not through (deep) packet inspection.

How many and which components make up the functional structure of the scrubbing center?

NaWas uses a multi-vendor setup where multiple Triple A vendor devices are arranged in line (funnel). The operation is comparable to a car wash, where multiple devices in sequence first wash off the coarse part and then the finer parts, thus removing attack traffic. NaWas continuously innovates the anti-DDoS solution and always applies the most effective and newest techniques.

What are the costs involved in connecting to NaWas?

Pricing follows a flat-fee model. The price is determined by the number of prefixes (based on /24) you want to protect. You pay slightly more for larger quantities. Prices are invoiced on a monthly, quarterly, or yearly basis.

In addition to the fee for NaWas, you pay a small monthly contribution for NBIP membership and a one-time contribution for the setup. Due to the non-profit nature of the services, the costs are low compared to similar services from other providers.

How do you activate a redirect?

NaWas has a BGP session with participants on the clean side (with IXPs) on a private VLAN. A member can redirect a specific prefix or /24 by advertising that prefix on the NaWas BGP session. NaWas then advertises the prefix to its upstreams (transits & peering). The redirect is therefore triggered by the participant, either manually or automatically.

After receiving a prefix or receiving a new DDoS attack on an existing prefix, the NaWas support team receives a notification of the event. The support team checks if the attack is being mitigated well enough and if adjustment is necessary. When the attack is over, the member receives an email with a report on the details of the attack.

If an attack lasts longer, NaWas sends an interim report. Participants can view the report on the portal.

Does NaWas process anything other than /24s?

Yes. Prefixes smaller than a /24 are not accepted by the internet.

How does the internet handle more specifics and packet loss?

In principle, there is no packet loss. Parties that don’t yet know the more specific follow the less specific. Learning the more specific happens very quickly, usually within a few seconds.
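The redirect and more-specific behaviour described in the answers above, modelled as an added example (not NaWas code): longest-prefix match decides where traffic for an attacked address goes before and after a remote network learns the advertised /24. The prefix `198.18.0.0/22`, the next-hop labels and all function names are constructed for illustration, and the model is IPv4 only.

```python
import ipaddress

MAX_PREFIXLEN = 24  # FAQ: anything smaller than a /24 is not accepted by the internet

def redirect_prefix(covering: str, attacked_ip: str) -> ipaddress.IPv4Network:
    """Return the /24 around attacked_ip that would be advertised for a redirect."""
    net = ipaddress.IPv4Network(covering)
    ip = ipaddress.IPv4Address(attacked_ip)
    if net.prefixlen > MAX_PREFIXLEN:
        raise ValueError(f"{net} is smaller than a /{MAX_PREFIXLEN}")
    if ip not in net:
        raise ValueError(f"{ip} is not inside {net}")
    return ipaddress.IPv4Network(f"{ip}/{MAX_PREFIXLEN}", strict=False)

def best_route(rib: dict, dst: str):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    ip = ipaddress.IPv4Address(dst)
    matches = [(net, hop) for net, hop in rib.items() if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def simulate(covering: str, attacked_ip: str, other_ip: str) -> dict:
    """Compare a network that has not yet learned the /24 with one that has."""
    aggregate = ipaddress.IPv4Network(covering)
    specific = redirect_prefix(covering, attacked_ip)
    # Hypothetical next-hop labels, not real NaWas identifiers.
    not_converged = {aggregate: "participant-transit"}
    converged = {aggregate: "participant-transit", specific: "scrubbing-center"}
    return {
        "advertised": str(specific),
        "victim_before": best_route(not_converged, attacked_ip),
        "victim_after": best_route(converged, attacked_ip),
        "other_after": best_route(converged, other_ip),
    }

if __name__ == "__main__":
    # Constructed sample: 198.18.0.0/22 is from the benchmarking range (RFC 2544).
    for key, value in simulate("198.18.0.0/22", "198.18.1.77", "198.18.2.10").items():
        print(f"{key}: {value}")
```

A network that has not yet learned the /24 still delivers via the covering prefix, and addresses outside the redirected /24 keep their normal path throughout.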

How long does it take before no more traffic is visible on one’s own transits?

The more parties know the more specific, the more the attack traffic disappears. We assume that clean traffic still passes through. Furthermore, it depends very much on the type of attack to what extent the mitigation systems can immediately reduce the malicious traffic. Most attacks are mitigated immediately. In some cases, it may take a few seconds.

In some cases, a portion of the attack traffic below a certain threshold may still be allowed through. If that’s the case, the advice is to contact NaWas as soon as possible if the residual traffic causes disruption. After advertising, traffic will route through NaWas within a second, and it may take a few seconds for the entire internet to know the route.