FAQ NaWas – National Scrubbing Center against DDoS attacks

Do you have a question about our NaWas service? On this page you will find the answers to frequently asked questions.

Is NaWas also available outside the Netherlands? NaWas is working hard on a “distributed network architecture” setup to be available in as many countries in Europe as possible. Inquire about the locations where the NaWas is now available.

All parties with their own AS number can connect to the NaWas.

To connect to the NaWas, a port must be available from one of the following parties: AMS-IX, NL-IX, LINX, NET-IX, Top-IX, M-IX, V-IX or one of these cloud interconnects DCSPine, Epsilon, Megaport. The number of parties is growing rapidly, inquire about the latest developments.

First of all, the NaWas (NBIP) is an independent, non-profit foundation created by and for the Internet community and technical experts, this means that the operation and connections are easy understood by the the target audience. The goal is to make the Internet more secure. By joining the NaWas, you too can make the Internet a little safer. The NaWas is funded by the members, which keeps the costs as low as possible.

NaWas participates in several initiatives, such as nomoreddos.org and shares knowledge with its own participants and several universities, such as the University of Twente (UT). In addition, NaWas also contributes to the development of non-profit institutes such as the DDoS ClearingHouse of nomoreddos.org.

The NaWas infrastructure is designed as an on-demand service. After detecting an attack, the traffic is routed via BGP to the NaWas hardware and then the mitigation process starts. All traffic is then rerouted and the own connections can thus manage with less capacity and thus remain cheaper. After the attack, the traffic is routed back again so that it no longer runs through NaWas. As a result, the NaWas only needs to be set up based on attack traffic, which keeps costs low. NaWas is currently investigating the possibilities of offering an always-on solution.

The migration process starts a few minutes after the traffic is redirected to NaWas’ hardware.

Detecting attacks can be done manually or through an automatic tool. NaWas recommends installing tooling because attacks also happen outside of working hours and on weekends. NaWas has good experience with tools such as FastNetMon and Flowmon DDoS Defender. A pilot is currently running with FlowMon to offer Detection & Mitigation as a solution. NaWas is also looking into the possibility of offering the Detection service as a hosted solution.

NaWas is among the largest anti-DDoS scrubbing centers in Europe. But more important is how large and numerous our participants’ connections and network are. This, in fact, determines how efficiently NaWas can process the attacks.

NaWas has two redundant set-ups in geographically separated data centers

When compared to the OSI model, NaWas can mitigate DDoS traffic at all layers. Layer 7 (application layer) will mitigate NaWas based on header fields and not by (Deep) Packet Inspection.

NaWas uses a multi-vendor set-up in which several Triple A vendor devices are arranged in line (funnel). The operation is similar to a car wash, where multiple devices in succession first wash the raw part and later the smaller parts, i.e. clear them of attack traffic. NaWas continuously innovates the anti-DDoS solution and always applies the most effective and latest techniques.

The pricing model consists of a flat-fee model. The price is determined by the number of prefixes (based on /24) you want to protect. You pay slightly more for larger numbers. Prices are billed on a monthly, quarterly or annual basis.

Besides the fee for NaWas you pay a small monthly NBIP membership fee and a one-time fee for the set-up. Because of the non-profit nature of the services the costs are low compared to similar services from other providers.

NaWas has a BGP session with the participants on the clean side (with IXPs) on a private VLAN. A member can redirect a specific prefix or / 24 by advertising that prefix on the NaWas BGP session. NaWas advertises the prefix on our upstreams (transits & peering). So the trigger for redirecting is done manually or automatically by the participants. After receiving a prefix or receiving a new DDoS attack on an existing prefix, NaWas’ support team receives notification of the event. The support team checks if the attack is mitigated well enough and if modification is necessary. When the attack is over, the member receives an email with a report on the details of the attack. If an attack lasts longer, NaWas sends an interim report. Members can also view the information on the portal.

Yes, smaller than a /24 is not accepted by the Internet.

Basically, there is no packet loss. Parties who do not yet know the more specific follow the lesser specific. In fact, learning the more specific is very fast and is done within a few seconds.

The more parties know the more specific, the more the attack traffic disappears. We assume that clean traffic does still pass through.

Furthermore, it depends very much on the type of attack to what extent the mitigation systems can reduce the malicious traffic right away. Most attacks are mitigated right away. In some cases, it may take a few seconds. In a few cases, some of the attack traffic below a certain threshold may still be allowed to pass. If this is the case, the advice is to contact NaWas as soon as possible if the remaining traffic is causing inconvenience.

After advertising, within a second the traffic will go through the NaWas and it may take several seconds for the entire Internet to know the route.

If you would like more information about NaWas, request our service description.