When the strongest attacks in the history of the Czech Internet came at us in April 2021, which managed to clog all 3 of our 100 Gbps routes for a short time, we understood that the rules were changing. Despite upgrading the hardware of our protections, strengthening our infrastructure and implementing new processes, it was only a matter of time before short attacks of this magnitude became longer or even permanent attacks.
Such strong attacks overload not only the connectivity of our suppliers, but also the ISP lines through which they pass. Some don’t have anywhere near the connectivity we do. Still, attacks are coming off of them from the attacked facilities. Today, not only a compromised server or computer, but also a smart TV or refrigerator can create a powerful attack. Just compare what connection you have at home today and what you had 5 or 10 years ago. How many new devices have access to the network and what processors they use. In 5 – 10 years, everything has moved forward tremendously.
We can increase connectivity, strengthen infrastructure, but here in the Czech Republic they will beat us or our providers. Therefore, the only way is to go out into the world. Move the fight to local battlefields around the world, right where they originate. And that is exactly what the decentralised WEDOS Global network will do.
What is WEDOS Global
WEDOS Global uses the BGP anycast technology, which allows the nearest server to respond to a visitor’s query. As opposed to the normal solution, where only 1 server on the entire internet knows the answer. This technology is used, for example, for anycastDNS or CDN. We plan to do both 🙂
The essence of WEDOS Global is therefore to deploy servers around the world to capture traffic in a given location.
In our case, it will be HPE Moonshot 1500 server cabinets, which contain 45 physical servers and 2 switches. With two integrated network switches (4 x 40GE and 8 x 10 GE ports) with full duplex connectivity (bidirectional), a single HPE Moonshot can be connected with up to 320 Gbps connectivity,. We expect to use only half of it and the rest will be for redundancy. A new fully-stocked HPE Moonshot 1500 costs about the same as a family home.
Originally we had planned to deploy HPE Moonshots in 5 locations in the first phase. Test everything, tweak it and add more. Unfortunately, the situation is getting serious. There is a war raging in cyberspace and the Czech measured record of 164.3 Gbps DDoS attacks from 20 21 was broken last week. Article in preparation. Moreover, the attack was quite long and many ISPs were affected. As far as we know, there have been strong attacks on other hostings in recent days.
So we need to speed things up and scale properly. We are almost ready for it. On the photo from our second datacenter WEDOS DC2 you can see 3 pallets with 20 fully populated HPE Moonshots. There is 1 being prepared in the next room, 2 ready for dispatch and 2 already plugged in.
But it doesn’t stop there. We are actively negotiating the purchase of an additional 25 units for the next phase of our WEDOS Global expansion.
Current status of WEDOS Global
We have managed to complete the development of the decentralised network, now we are fine-tuning the details, collecting data, etc. Test traffic is already going through the first points.
We currently have two points. One in Hluboká nad Vltavou and the other in Prague. There are plans to modify and strengthen connectivity. We want to test 100 Gbps connection to Peering.cz, to test how it will work, how to handle big attacks. This connection will be via DC Sitel, where we would like to increase the total connectivity to 410 Gbps (Telia, Cogent). We also have a 100 Gbps connection via DC CTD U2 , where we have and will have 110 Gbps (CTD + Kaora).
In Prague, we filter what we need and then route the clean traffic via 3×100 Gbps to our Hluboká nad Vltavou site.
It is mainly about better covering traffic from the Czech Republic and strengthening abroad.
We will place the first Moonshot in Vienna (Telia). If all goes well, next week. Looks like we’ll just take him there ourselves. We’re still arranging Munich with Telia.
We have also signed contracts for several years with other suppliers, now in 7 locations:
- Helsinki
- Stockholm
- Amsterdam
- Paris
- Madrid
- Zurich
- Warsaw
Transportation to 6 of these locations has already been arranged. As it is the export of the first pieces, we have to figure it all out, process it, arrange it. The next batches will be easier to organise.
New York is still in the process of negotiations.
So we are currently working on 10 locations + we have Prague and Hluboka. In all locations we are arranging a minimum 80 Gbps line, but in most it will be 120-160 Gbps. We expect to have 40 Gbps to Telia (renamed since March), 40 Gbps from someone else (mostly Cogent). 20 Gbps to the local peering, 20 Gbps to the actual connections between our points. And then 40 Gbps reserve not anything (mostly additional peering or direct link to someone). We will see according to the needs in each location.
So we will be able to filter over 800 Gbps outdoors, and about 400 Gbps in the Czech Republic (we have one 100 Gbps line as a backup). This means a total of 1.2 Tbps of connectivity, if we do not count backup routes. We expect to double that during the spring.
During the spring we would like to increase the number of points to 30. Of course, we can add more HPE Moonshots in locations where needed and scale as needed, but technologically it is better to have more points. For security and redundancy.
Conclusion
This is the current state of building our decentralized WEDOS Global network, which will include traditional DDoS protection (on 3. and 4th network layer). We are further developing WEDOS Global Protection on top of it, which is the protection of websites (network layer 7). The basic version will protect all our customers’ websites on NoLimit, NoLimit Extra, LowCost, WMS and WEDOS WebSite. There are also plans for individualised tariffs and better protection, but more on that next time.
Once this is complete, we will move on to other services built on WEDOS Global, such as CDN, VPN, etc.
We will keep you informed about the construction of WEDOS Global. This is our biggest project since the construction of our second private datacenter WEDOS DC2.
Next time we will also explain how WEDOS Global on anycast technology works and will work.