

Service Description

DDoS mitigation from detection to correction in under 60 seconds.

1.0 Introduction

This document details the architecture design of our DDoS Shield platform, the cloud-based DDoS protection for networks of Cogeco Peer 1, powered by ZENEDGE. The document outlines a first-hand overview of the DDoS solution and the key technical components for service delivery, provisioning and management, and monitoring.

1.1 Cogeco Peer 1 DDoS Protection for Networks

Cyber criminals use globally distributed and highly scalable resources to attack and breach enterprise networks. As a result, they obtain an unfair advantage over organizations that combat cyber security threats with perimeter-only solutions. Enterprises need to embrace globally scalable and distributed solutions to thwart attacks.

Scalable workload resources that grow as threat detection processing requires.

No longer are enterprises limited to the computing power of the security solutions installed as perimeter hardware devices in their data centers. Cogeco Peer 1 offers the ability to scale, using cloud resources dynamically to maximize resource effectiveness while keeping costs in check.

On demand bandwidth to handle the largest DDoS attacks.

Distributed Denial of Service attacks are commonplace in today’s cyber security landscape. These attacks range from just a few Gbps to several hundred Gbps. Most organizations have limited transit and available “burst” traffic connecting their data centers. Attackers use this to their advantage, easily flooding data centers with enough malicious traffic to make their online services unavailable to customers, partners and internal staff.

Shared, global threat intelligence.

Cogeco Peer 1 provides the ability to share the latest attack information and mitigation techniques across departments, partners and an organization’s supply chain via threat intelligence and IP reputation, updated in real time across the entire network powered by the ZENEDGE platform. Cogeco Peer 1 allows for a common set of policies for all sites and infrastructures that run within the DDoS Network protected section of the FastFiber™ Network.

DDoS Infrastructure Protection and Mitigation for Networks


[Diagram: the FastFiber™ Network and the components attached to it: Mission Critical Cloud, On Demand Cloud, Virtual Data Centre Cloud, Hosting Services, Colocation, Point(s) of Presence, Zenedge Scrubbing Centres. The legend also shows FastFiber™ Network (Future).]

1.2 DDoS Shield Platform

When building the DDoS Shield mitigation technology platform, which both the DDoS CleanIP and CleanBGP products also utilize, our team partnered with ZENEDGE to leverage years of experience with many top mitigation technology providers such as Radware DefensePro and Arbor TMS / Peakflow, among others. The team ultimately chose to build our solution on an Arbor TMS base for layer 3 / 4 DDoS mitigation.

Each mitigation center in the Cogeco Peer 1 network is based on a Juniper MX480 routing platform and an Arbor TMS mitigation platform for high-capacity packet filtering.

Hence, the DDoS Shield mitigation platform is made of state-of-the-art high-capacity hardware that is combined with a software-based platform to provide a highly scalable and responsive solution.

The Arbor Peakflow collector provides the DDoS Shield Mitigation software platform with multi-tenant flexibility to profile customers down to the individual /32 IP level for baselining. This is an important differentiator that allows Cogeco Peer 1 to serve customers with a wide range of traffic patterns while minimizing false positives.

Data Sovereignty

Cogeco Peer 1 has configured its DDoS-protected network in certain countries so that, at a customer’s request, an in-country-based site can be served exclusively from in-country-based POPs, hence complying with local data residency and data sovereignty requirements.


DDoS Mitigation – Network Layer 3/4

The DDoS Shield platform provides automated DDoS attack protection at the network layer. These types of attacks are often referred to as layer 3 / 4 attacks since they affect the lower layers of the OSI model (Network and Transport).

Some examples of these attack types include: SYN floods (spoofed IPs, non-standard TCP flags), UDP floods, IPSec floods (IKE/ISAKMP association attempts), IP/ICMP fragmentation, NTP / DNS / SSDP reflection, SMURF, DNS floods, etc.

Layer 3 (Network): allows packets to be routed through a network, enabling indirectly connected nodes to exchange data messages.

• NTP/DNS/SSDP Reflection
• ICMP Flood
• IP/ICMP Fragmentation

Layer 4 (Transport): responsible for providing guarantees on message delivery, arrival order, loss recovery, and error recovery.

• SYN Flood
• Other TCP Floods (varying state flags)
• UDP Flood
• IPSec Flood (IKE/ISAKMP assoc. attempt)

The DDoS Network Protection products handle these types of attacks automatically at the network layer through high-capacity DDoS Mitigation Data Centers that are globally distributed to minimize latency. DDoS mitigation is performed by Cogeco Peer 1’s Amsterdam, Los Angeles, and Toronto high-capacity scrubbing centers (depending on geographic proximity of the customer to the nearest scrubbing center). In these situations we have experience mitigating against over 100bps of inbound traffic versus the average 46.82bps, making us experts in not only detection, but mitigation.

1.4 DDoS Shield – Enterprise Protection for entire IP subnets

Customers using our DDoS Shield flagship product will have one or more full IP subnets protecting their entire infrastructure solution, giving them unlimited DDoS attack protection while receiving only clean, legitimate traffic at the subscription tier they commit to. Customers are always routed through the high-capacity scrubbing centres in our network, so that when attacks are detected, traffic is automatically redirected to specialized scrubbing devices and returned to its normal path through the scrubbing center.

Whilst this may slightly increase latency, we’re aware that there are always latency issues with any DDoS solution, and the peace of mind of knowing that all incoming traffic has been cleaned and comes from genuine users is invaluable.

DDoS Shield - Premium Network DDoS Mitigation

Tier | Clean Inbound Only Traffic | DDoS protection layer 3/4 (volumetric) | Netblock of CleanIPs Included (up to /24)
Express Starter 10Mbps | 10Mbps | up to 30 Gbps | 1
Starter-20 | 20Mbps | Unlimited, always on | 1
Enterprise-50 | 50Mbps | Unlimited, always on | 2
Enterprise-100 | 100Mbps | Unlimited, always on | 4
Enterprise-200 | 200Mbps | Unlimited, always on | 6
Enterprise-500 | 500Mbps | Unlimited, always on | 8
Enterprise-1K | 1,000Mbps | Unlimited, always on | 10

1.5 DDoS CleanIP – Infrastructure Protection for Individual IP Addresses

Customers using our DDoS CleanIP solution will be assigned protected IPs as needed. These CleanIPs can then be used by the customer to migrate services over to the new protected CleanIP on a timeline dictated by their needs. Like DDoS Shield above, CleanIPs are always on and are routed through the scrubbing centers automatically using dedicated netblocks within our DDoS Shield platform, which ensures that all incoming traffic delivered through CleanIPs is from legitimate users, based on clean traffic commitments at a low, affordable rate.

Additional charges may occur in the event of attack traffic overages.


DDoS CleanIP - Standard Network DDoS Mitigation

| Clean IP | Clean IP Plus
DDoS Mitigation IP Block | Per single IP (/32) | Single IP (/32)
DDoS protection layer 3/4 (volumetric) | up to 10 Gbps | up to 20 Gbps
Always on or On Demand | Always On | Always On
Attack Limitations | None | None

1.6 DDoS CleanBGP

For customers who are utilizing BGP services, such as our colocation and transit customers, DDoS Shield can be deployed in a consumption model allowing our customers to route their traffic through the DDoS Shield protected space as needed.

DDoS CleanBGP - Standard Network DDoS Mitigation

| Clean BGP | Clean BGP Plus
DDoS Mitigation IP Block | Per Netblock (/24) | Per Netblock (/24)
DDoS protection layer 3/4 (volumetric) | up to 20 Gbps | up to 30 Gbps
Always on or On Demand | On Demand | On Demand
Attack Limitations | None | None

1.7 Key Capabilities of DDoS Network Protection products

• Comprehensive protection for all types of DDoS attacks.

• Dedicated high-capacity scrubbing centers in LAX (Los Angeles), TOR (Toronto) and AMS (Amsterdam) with 960Gbps scrubbing capacity serving the United States, Canada, UK and EMEA regions respectively.

• DDoS expert engineers perform real-time analysis and support for multi-vector attacks 24x7x365 in global SOCs.

• The Cogeco Peer 1 portal provides real-time traffic updates, as depicted in the screenshots on the next page. Customers will be provided access to these resources.

• Protection of individual IPs to ensure complete end-to-end network infrastructure security from DDoS attacks.

• With DDoS Shield, large numbers of destination IPs, entire subnets, and IP-based apps are protected and optimized for availability and scalability.

• DDoS CleanIP offers robust protection against volumetric attacks for individual IPs, unique in the industry, allowing for flexible and scalable growth options for SMBs.

• DDoS CleanBGP allows BGP-based colocation and transit customers to detect, route and mitigate volumetric Layer 3/4 DDoS attacks within minutes.

DDoS Network Protection Traffic Flow

Cogeco Peer 1 has developed a new model for rapid DDoS mitigation: DDoS alerts are analysed automatically and routing commands are deployed without human intervention, so that immediate action is taken when a genuine DDoS attack is detected and your traffic is cleaned at the IP level, which we call CleanIP. While this method means all traffic is routed through our always-on, high-capacity scrubbing centers, it gives our customers immediate access to clean traffic only going through the network.

Additional charges may occur in the event of attack traffic overages.


[Diagram: DNS resolution without protection. End user, DNS nameserver with an A record for www.mycompany.com pointing to 1.1.1.1, Internet, data centre, customer server (origin IP 1.1.1.1). Traffic key: DNS forward traffic, DNS return traffic, resulting web traffic.]

1. An end user requests the IP address of www.mycompany.com from a DNS nameserver.

2. On the DNS server there is an A record for www.mycompany.com that points to the server’s origin IP.

3. The end user receives the DNS response and initiates communication with the origin server. The origin server communicates directly with the end user.

[Diagram: DDoS CleanBGP, normal traffic. Users send legitimate traffic via transit; the customer’s /24 is advertised over BGP (BGP on) to transit and to the ZenEdge LAX scrubbing center (AS393676); the customer firewall exports flow samples / SNMP.]

DDoS CleanBGP

Normal traffic: With DDoS Shield as a service, traffic is routed through the current network configuration. This is the normal day-to-day environment prior to routing changes in case of an attack.

[Diagram: protection through the AppArmor POP (powered by ZENEDGE) web application firewall. End user, DNS nameserver with a CNAME record for www.mycompany.com pointing to zenedge-a-record.com, Internet, data centre, customer server (origin IP 1.1.1.1). Traffic key: DNS forward traffic, DNS return traffic, resulting web traffic, reverse proxy traffic.]

1. An end user requests the IP address of www.mycompany.com from a DNS nameserver.

2. On the DNS server, the original A record for www.mycompany.com is replaced with a CNAME record that points to a new ZENEDGE domain and ultimately resolves to a ZENEDGE IP address.

3. The end user receives the DNS response and initiates communication with the ZENEDGE IP address in the DNS response.

4. The cloud-based WAF receives the traffic from the end user and forwards it on to the origin server. The source IP address is changed to that of the WAF, to force return traffic back through the firewall.

5. The WAF forwards the traffic received from the origin server on to the end user.


During an attack: Using BGP community tagging, the customer communicates network advertisements to and from our DDoS Shield scrubbing centers. The following diagram depicts both legitimate traffic flow as well as any potential DDoS traffic that may hit the environment.

2.0 Detect and Mitigate in under 60 Seconds

DDoS attacks can cause severe disruption to a customer’s business. Studies show that the industry average of business disruption from a DDoS attack is 1-4 hours in length with an impact often lasting up to 8 hours to resolve. In production tests, Cogeco Peer 1’s DDoS Shield platform powered by ZENEDGE is able to detect, route and mitigate volumetric Layer 3/4 DDoS attacks in under 60 seconds.

Maximum Tolerable Downtime – MTD in under 60 Seconds

Maximum Tolerable Downtime is the time after which the unavailability of a process creates irreversible consequences; generally, exceeding the MTD results in severe damage to the viability of the business. Depending on the process, the MTD can be hours, days, or longer.

[Diagram: DDoS CleanBGP, during an attack. Users and attackers send traffic via transit; the customer’s /24 is advertised over BGP (BGP on) to transit and to the ZenEdge LAX scrubbing center (AS393676); the customer firewall exports flow samples / SNMP. Legitimate traffic and attack traffic are shown as separate flows.]


2.1 Integrated Global Threat Intelligence

All DDoS Network Protection products have many threat intelligence feeds integrated into our mitigation platform, based on customer demand. Our Security Operations team works with our customers to assess the best combination of threat intelligence feeds. Our platform manages the collection, enrichment and application of these feeds to the Layer 3 / 4 mitigation countermeasures.

2.2 Mitigating Attacks Against Individual IPs (/32)

While most DDoS providers are able to “swing” traffic utilizing BGP at the /24 level, Cogeco Peer 1 has designed an elegant solution that allows individual IPs to be protected without the need for a TCP proxy system between live traffic and our customers, or for GRE tunnels.


Direct Connection vs. GRE Tunnels

Most traditional DDoS mitigation options rely on building GRE tunnels to deliver clean traffic to the protected server. This method requires resources, technical knowledge and cost on the customer’s side to set up, maintain and monitor the tunnels throughout the life of the solution. Cogeco Peer 1 removes this need by performing all routing directly across our backbone between our scrubbing centers and your protected service. This avoids any issues caused by the MTU limitations imposed by GRE tunnels and their impact on protocols such as SSL. This directly translates to:

■ Increased reliability with a greatly reduced risk of packet loss

■ Additional cost savings by eliminating the need for expertise to properly manage and maintain GRE tunnel capable infrastructure

■ Removal of complications stemming from GRE MTU limitations, such as having to make system and/or network changes for maximum segment size (MSS) to ensure proper functioning of TCP communication

■ Higher availability and scalability of automated solutions leveraging a cloud-based platform

■ Avoiding the latency and packet degradation or even loss from old hardware, VPN tunnels, and other aspects of a complex GRE tunnel based solution to provide DDoS mitigation

Control Center and High-Level Network View

Cogeco Peer 1’s DDoS Shield mitigation platform Control Center provides customers with a high-level network view and top alerts in real time.


Customer Traffic with Application Breakdown

Example of Mitigation Techniques

TCP SYN Flood

DDoS Network Protection products have several TCP SYN Flood countermeasures available depending on the attack vector present.

TCP SYN Authentication Countermeasure

When TCP SYN authentication is enabled and a legitimate source host completes the TCP handshake, the source host has only a TCP connection with DDoS Network Protection products. The DDoS Shield platform then normally sends a TCP reset to the source host. This TCP reset usually results in an error from the application that is visible to the user and that can require the user to refresh their Web browser manually. To resolve this problem and to make the connection to the real server transparent to the user, DDoS Shield also enables out-of-sequence Authentication as described below.

TCP SYN out-of-sequence Authentication Countermeasure

This authentication method allows DDoS Network Protection products to transparently authenticate all applications without displaying error messages to the user or requiring them to refresh their Web browsers manually.
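A simplified model of the TCP SYN authentication countermeasure described above, added here as an illustration: it is not Cogeco Peer 1 or Arbor code, it models only the basic (reset) variant and not the out-of-sequence one, and the addresses, sequence numbers and the SynAuthScrubber/simulate names are constructed for the example.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Segment:
    src: str
    flags: str          # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0


@dataclass
class SynAuthScrubber:
    """Sits between the Internet and the origin; only authenticated sources are
    forwarded.  Constructed model of the countermeasure, not a TMS implementation."""
    authenticated: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)    # src -> ISN we offered it
    to_origin: list = field(default_factory=list)  # segments passed through
    to_client: list = field(default_factory=list)  # replies generated by us

    def ingress(self, seg: Segment) -> str:
        """Handle one client->origin segment and report the action taken."""
        if seg.src in self.authenticated:
            self.to_origin.append(seg)           # trusted host: straight through
            return "forward"
        if seg.flags == "SYN":
            isn = random.randrange(1 << 31)      # our own ISN; the origin never sees this SYN
            self.pending[seg.src] = isn
            self.to_client.append(Segment("scrubber", "SYN-ACK", seq=isn, ack=seg.seq + 1))
            return "challenge"
        if seg.flags == "ACK" and seg.src in self.pending and seg.ack == self.pending[seg.src] + 1:
            # Correct ACK number: only a host that really received our SYN-ACK can
            # produce it, so a spoofed source address can never get here.
            self.authenticated.add(seg.src)
            del self.pending[seg.src]
            # The probe connection is torn down with a RST; the application sees an
            # error and has to reconnect, which is the behaviour the text describes.
            self.to_client.append(Segment("scrubber", "RST", seq=seg.ack))
            return "authenticated+reset"
        return "drop"


def simulate(legit_src="203.0.113.10", spoofed_syns=1000, seed=1):
    """Constructed scenario: one real client plus a spoofed SYN flood."""
    random.seed(seed)
    s = SynAuthScrubber()
    s.ingress(Segment(legit_src, "SYN", seq=1000))
    synack = s.to_client[-1]                     # a real stack answers the challenge
    s.ingress(Segment(legit_src, "ACK", seq=1001, ack=synack.seq + 1))
    s.ingress(Segment(legit_src, "SYN", seq=5000))  # reconnect after the RST
    for i in range(spoofed_syns):                # forged sources never answer
        s.ingress(Segment(f"198.51.100.{i % 254 + 1}", "SYN", seq=i))
    return {
        "syns_reaching_origin": sum(1 for g in s.to_origin if g.flags == "SYN"),
        "authenticated": sorted(s.authenticated),
        "unanswered_challenges": len(s.pending),
    }


if __name__ == "__main__":
    print(simulate())   # constructed run: 1 SYN reaches the origin, 254 spoofed sources stay pending
```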


The above countermeasures are examples of useful techniques that the Cogeco Peer 1 SOC uses to mitigate attacks. We have several other countermeasures available with fine-grained control over host blocking policies.

DNS Flood

DDoS Network Protection products offer DNS DDoS protection at the network layer using a combination of the countermeasures described below:

DNS Flood Regex Countermeasure

DDoS Network Protection products enable our SOC powered by ZENEDGE to perform a DNS Regular Expression countermeasure to drop malicious inbound DNS message packets based on regular expression matching and other filter settings. This countermeasure can also blacklist hosts that send packets that are dropped. This countermeasure can be used for inbound DNS queries, inbound DNS replies, or both.

DNS Reflection Countermeasure

Upon provisioning we define the source ports that need to connect and block any remaining traffic with source port 53, which is characteristic of DNS reflection attacks.

DNS Open Resolver Blacklisting

DDoS Network Protection products maintain a real-time database of DNS open resolvers to prevent these potentially harmful servers from overwhelming customer environments. The DDoS Shield platform applies ACLs to blacklist open resolvers as well as other malicious IPs that have been harvested from our Threat Intelligence programs.
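An added illustration (not Cogeco Peer 1 or Arbor code) of the three DNS countermeasures above applied to constructed sampled flow records: the reflection filter is modelled as allowing source-port-53 replies only from resolvers declared at provisioning, the open-resolver database as an ACL, and the regex countermeasure as a query-name pattern that also blacklists the sending host; all addresses, the zone name, the pattern and the Flow/DnsCountermeasures names are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One sampled packet/flow record (constructed, not a real export format)."""
    src: str
    dst: str
    proto: str       # "udp" or "tcp"
    sport: int
    dport: int
    qname: str = ""  # DNS query name when the record is a DNS query


# Assumptions standing in for the customer's provisioning data and the feeds.
ALLOWED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}                 # declared at provisioning
OPEN_RESOLVER_ACL = [ipaddress.ip_network("198.51.100.0/24")]     # open-resolver / threat-intel feed
# Random-label query flood against the protected zone: a long pseudo-random
# label in front of the zone name.  Constructed pattern for the example.
BAD_QNAME = re.compile(r"^[a-z0-9]{12,}\.example\.com\.?$")


class DnsCountermeasures:
    def __init__(self):
        self.dynamic_blacklist = set()   # hosts blacklisted by the regex countermeasure

    def verdict(self, f: Flow) -> str:
        """Return 'pass' or 'drop:<reason>' for one record, in evaluation order."""
        if f.src in self.dynamic_blacklist:
            return "drop:blacklisted"
        if any(ipaddress.ip_address(f.src) in net for net in OPEN_RESOLVER_ACL):
            return "drop:open-resolver-acl"
        # Reflection filter: a reply from UDP port 53 is only legitimate when it
        # comes from a resolver the customer told us about.
        if f.proto == "udp" and f.sport == 53 and f.src not in ALLOWED_RESOLVERS:
            return "drop:reflection"
        # Regex countermeasure on inbound queries; the sender is blacklisted
        # once one of its packets is dropped, as the text describes.
        if f.dport == 53 and f.qname and BAD_QNAME.match(f.qname):
            self.dynamic_blacklist.add(f.src)
            return "drop:regex"
        return "pass"


def run(flows):
    """Apply the countermeasures in order and count the verdicts."""
    cm = DnsCountermeasures()
    counts = {}
    for f in flows:
        v = cm.verdict(f)
        counts[v] = counts.get(v, 0) + 1
    return counts


# Constructed sample: protected host 203.0.113.10, protected zone example.com.
SAMPLE_FLOWS = [
    Flow("192.0.2.53", "203.0.113.10", "udp", 53, 40123),                               # reply from declared resolver
    Flow("198.51.100.7", "203.0.113.10", "udp", 53, 80),                                # open resolver, reflected reply
    Flow("203.0.113.99", "203.0.113.10", "udp", 53, 443),                               # reflected reply, unknown source
    Flow("203.0.113.50", "203.0.113.10", "udp", 51000, 53, "www.example.com."),          # normal query
    Flow("203.0.113.60", "203.0.113.10", "udp", 51001, 53, "k3j9x0q1ab7z.example.com."), # random-label flood
    Flow("203.0.113.60", "203.0.113.10", "udp", 51002, 53, "www.example.com."),          # same host, now blacklisted
    Flow("203.0.113.70", "203.0.113.10", "tcp", 52000, 443),                            # unrelated web traffic
]

if __name__ == "__main__":
    print(run(SAMPLE_FLOWS))
```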

© 2015 Cogeco Peer 1

© 2016 Cogeco Peer 1

About Cogeco Peer 1

With our suite of ICT solutions (Data Center, Cloud Infrastructure, Managed IT, Managed Security, Data Connectivity and Voice Services), Cogeco Peer 1 supplies its customers with the fast, reliable and secure ability to access, manage, move and store large amounts of data worldwide. Our wholly owned, all optical, redundant network and secure, ‘always on’, tier 3-quality data centers provide some of the world’s largest companies and public sector organizations with near limitless bandwidth and secure facilities for hosting and storing mission-critical data.

Ready to learn more?

Streamline your IT with Cogeco Peer 1.

Visit cogecopeer1.com

Contact Us

TORONTO 1.866.579.9690
USA 1.844.712.3183
LATIN AMERICA 1.888.978.3518
UK 0800 840 7490
FRANCE 0033 486 801 344
ALL OTHER COUNTRIES +1 646 396 0423