These Specific Terms for Anti-DDoS Protection Services (DDoS protection), which both the Company (as defined in clause 6 hereof) and the Customer
agree to be bound by, are incorporated into and made a part of the master services agreement and/or other general terms and conditions executed between the Company and the Customer (the “Service Agreement”).
Any capitalized terms used herein and not otherwise defined shall have the meaning set forth in the Service Agreement.
1 SERVICE DESCRIPTION

The Company shall provide Anti-DDoS Protection Service (“Service”) to the Customer as more specifically defined herein.

The Service can be provided to the Customer as a value-added service to the IP Transit Services provided by the Company to the Customer pursuant to a separate agreement, or as a standalone service. If the Service is provided in conjunction with the IP Transit Service, the term of this Service shall not exceed the term of the associated IP Transit Services.

This Service helps protect the Customer’s Protected Asset against potential DDoS attacks by monitoring incoming or outgoing traffic towards or out of the Protected Asset, detecting a potential DDoS attack and blocking the malicious traffic whilst letting potentially genuine traffic pass through.

The Service involves:

Monitoring and detection of DDoS attack
The Customer or the Company (depending on the Service Package) shall continuously monitor the traffic toward the Protected Asset by different metrics (e.g. bandwidth utilization, packet pattern, etc.) to determine whether the traffic includes a DDoS attack. If traffic containing a DDoS attack is detected going toward the Protected Asset, such traffic is considered to be “Suspicious DDoS Traffic”.

Traffic diversion
Once a DDoS attack is detected, the Suspicious DDoS Traffic shall be diverted to the IDMS (available in the Hybrid Anti-DDoS Service Package) installed in the Customer Premises and/or the Company’s Scrubbing Centre(s) for mitigation of the DDoS attack.

Mitigation of DDoS attack
Once the Suspicious DDoS Traffic enters the IDMS or Scrubbing Centre(s), it will be subjected to multiple layers of statistical analysis, active verification and anomaly recognition to identify potential malicious traffic, reveal potential abnormal behavior and discard packets that do not conform to the normal traffic pattern. The filtered traffic from the IDMS or the Company’s Scrubbing Centre(s) will then be routed back to the Customer’s Protected Asset.

Three Service Packages
The Company currently offers three (3) service packages (“Service Package(s)”) as set forth below. The Customer shall select the purchased Service Package in the Order Form.

On-Demand Anti-DDoS Service Package
Under this Service Package, either the Customer or the Company shall monitor and detect a DDoS attack. Once the Suspicious DDoS Traffic is detected, it shall be diverted to the Company’s Scrubbing Centre(s) for inspection and mitigation.

Hybrid Anti-DDoS Service Package
The Hybrid Anti-DDoS Service Package integrates an IDMS installed in the Customer Premise(s) with the Company’s Scrubbing Centre(s).
Throughout the term of this Service Package, the Company shall install the IDMS on the Customer Premises and provide the IDMS on a rental basis as specified on the Order Form. The Company will provide hardware maintenance for the IDMS. The lead time for on-site IDMS hardware repair or replacement service is subject to the geographical location of the Customer Premises where the IDMS is installed. The Company is responsible for the delivery, installation, initial setup and initial configuration of the IDMS, and for on-going IDMS configuration changes related to the Customer’s network, provided that such configuration changes can be implemented by the Company remotely. Any configuration changes that involve on-site work shall be subject to the Company’s feasibility study and additional charges. The Customer shall be required to be on-site for all types of configuration change work as notified by the Company.
This Service Package will monitor and detect a DDoS attack and divert the Suspicious DDoS Traffic to the IDMS and/or the Company’s Scrubbing Centre(s) if needed.
The Suspicious DDoS Traffic will be inspected and mitigated by the IDMS and the filtered traffic will be routed to the Customer’s network. If the volume of the Suspicious DDoS Traffic is larger than the mitigation capacity of the IDMS, the Suspicious DDoS Traffic will be diverted to the Company’s Scrubbing Centre(s) for inspection and mitigation; after mitigation by the Company’s Scrubbing Centre(s), the filtered traffic is then routed from the Company’s Scrubbing Centre(s) to the Customer’s network.

Always-On Anti-DDoS Service Package
Under this Service Package, all of the Customer traffic will be diverted to the Company’s Scrubbing Centre(s) for monitoring, detection and mitigation of DDoS attack.
2 TECHNICAL DESCRIPTION OF THE SERVICE

2.1 Traffic diversion method
The Suspicious DDoS Traffic will be diverted to the IDMS and/or the Company’s Scrubbing Centre(s) by way of DNS mode or BGP mode.

DNS mode
Under the DNS mode, if the Protected Asset is identified by the Internet via a domain, e.g. www.abc.com, the Protected Asset is considered a protected domain, and the traffic going toward the protected domain is directed to the Company’s Scrubbing Centre(s) via a change of DNS setting. The Customer shall modify the domain mapping of the Protected Asset (i.e. the protected domain under DNS) to the Anti-DDoS IP Address provided by the Company. As a result, the traffic going toward the protected domain will go to the Company’s Scrubbing Centre(s) accordingly. After reaching the Company’s Scrubbing Centre(s), the traffic will be inspected and delivered back to the Customer’s server, which hosts the protected domain.
DNS mode can provide protection against both Pipe Saturation Attack(s) and Resource Exhaustion Attack(s).

BGP mode
Under the BGP mode, when the Protected Asset is identified by the network IP address (e.g. 1.1.1.0/24), the Protected Asset is considered a protected network.
Under the BGP mode, the traffic going to the protected network is diverted to the Company’s Scrubbing Centre(s) via the BGP routing protocol. The Customer can trigger the traffic diversion via the Online Service Portal or by way of a BGP route announcement. After reaching the Company’s Scrubbing Centre(s), the traffic will be inspected and delivered back to the Customer site where the protected network is located.
BGP mode can provide protection against Pipe Saturation Attack(s) only. It cannot provide protection against Resource Exhaustion Attack(s).
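The monitoring-and-detection step described in section 1, together with the mode-coverage rule just stated (DNS mode mitigates both attack classes, BGP mode only Pipe Saturation), as an added Python illustration that is not the Company’s detection logic. The two attack classes follow the definitions in section 6 (a Pipe Saturation Attack is volume-driven, a Resource Exhaustion Attack is request-driven at low volume); the quiet-window baseline, the mean-plus-three-standard-deviations threshold, the counters and the example asset names are all constructed assumptions.

```python
"""Baseline-deviation detection of the two DDoS classes these terms define, plus the
diversion-mode capability rule.  Added example; not the Company's detection logic.
Thresholds, counters and the quiet-window samples are constructed assumptions."""
from dataclasses import dataclass
from statistics import mean, pstdev

PIPE_SATURATION = "Pipe Saturation Attack"
RESOURCE_EXHAUSTION = "Resource Exhaustion Attack"
NORMAL = "normal"

# Which attack class each traffic diversion method can mitigate (stated in these terms).
MODE_COVERS = {
    "DNS": {PIPE_SATURATION, RESOURCE_EXHAUSTION},
    "BGP": {PIPE_SATURATION},
}


@dataclass(frozen=True)
class Sample:
    """One monitoring interval toward the Protected Asset (constructed counters)."""
    bps: float   # bits per second: the metric a Pipe Saturation Attack drives up
    rps: float   # requests per second: the metric a Resource Exhaustion Attack drives up


@dataclass(frozen=True)
class Baseline:
    bps_mean: float
    bps_sd: float
    rps_mean: float
    rps_sd: float


def learn_baseline(quiet_samples):
    """Mean and population standard deviation of each metric over an attack-free window."""
    bps = [s.bps for s in quiet_samples]
    rps = [s.rps for s in quiet_samples]
    return Baseline(mean(bps), pstdev(bps), mean(rps), pstdev(rps))


def classify(sample, base, k=3.0):
    """Flag a metric when it exceeds mean + k*sd (k is an assumed tuning constant).
    Volume decides first: a flood that fills the pipe is a Pipe Saturation Attack whatever
    its request rate; a request-rate spike without a volume spike is the low-bandwidth
    Resource Exhaustion case (e.g. 20 Mbps carrying a million requests per second)."""
    if sample.bps > base.bps_mean + k * base.bps_sd:
        return PIPE_SATURATION
    if sample.rps > base.rps_mean + k * base.rps_sd:
        return RESOURCE_EXHAUSTION
    return NORMAL


def can_mitigate(mode, attack_class):
    """True when the given diversion mode covers this attack class."""
    return attack_class in MODE_COVERS[mode]


def choose_mode(protected_asset, attack_class):
    """A domain-identified asset is diverted by DNS mode, a prefix by BGP mode; return
    None when the asset's only available mode cannot mitigate this attack class."""
    mode = "BGP" if "/" in protected_asset else "DNS"
    return mode if can_mitigate(mode, attack_class) else None


# Constructed quiet window: about 820 Mbps and 5,300 requests/s with small jitter.
QUIET = [Sample(800e6 + 10e6 * (i % 5), 5000 + 100 * (i % 7)) for i in range(20)]
BASE = learn_baseline(QUIET)

if __name__ == "__main__":
    # Constructed assets: the page's example domain and a documentation-range prefix.
    for asset, s in [("www.abc.com", Sample(9.5e9, 6_000)),
                     ("203.0.113.0/24", Sample(25e6, 2_000_000))]:
        cls = classify(s, BASE)
        print(asset, cls, "->", choose_mode(asset, cls))
```

The second constructed case is the one the mode rule exists for: a request flood at 25 Mbps never trips the volume threshold, so a prefix protected only by BGP mode has no diversion that mitigates it, which is exactly why the terms reserve Resource Exhaustion protection for DNS mode.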

2.2 DDoS Attack Mitigation Capacity
The Service provides different levels of DDoS Mitigation Capacity: 20 Gbps, 50 Gbps, 100 Gbps and Unlimited Capacity. “Unlimited Capacity” of DDoS Mitigation Capacity means the Company will utilize the available mitigation capacity of all of the Company’s Scrubbing Centre(s) around the globe to defend against a DDoS attack.
The Service can handle DDoS attack volumes at a level which (i) does not exceed the level which the Customer purchases or (ii) does not affect the overall performance of the Company’s IP Network. If the DDoS attack volume exceeds any one of the above levels, the Company reserves the right to, and shall, without notice, “Black Hole” the traffic destined to the IP Address(es) being attacked as required to protect the IP Network as a whole.

2.3 Routing Profile
Customer traffic will run under the following routing profiles:

IP Transit routing profile for On-demand Anti-DDoS Service Package or Hybrid Anti-DDoS Service Package
During normal time without attack, or when a DDoS attack is detected and mitigation takes place in the IDMS, the routing profile will follow the routing profile of the Customer IP transit service purchased. The Customer traffic does not pass through the Company’s Scrubbing Centre(s).
In the event of a DDoS attack, the Suspicious DDoS Traffic will be diverted to the Company’s Scrubbing Centre(s), and such diversion will follow the routing profile of China Lite. After the mitigation, the Customer traffic will be directed from the Company’s Scrubbing Centre(s) to the Customer site hosting the Protected Asset, following the routing profile of the Customer IP transit service purchased.

IP Transit routing profile for Always-On Anti-DDoS Service Package
During normal time without attack, the Customer traffic passing through the Company’s Scrubbing Centre(s) will, by default, follow the routing profile of China Lite unless the Customer has purchased the Always-On Anti-DDoS Service Package with the routing profile of China Direct. In the event of a DDoS attack, the Suspicious DDoS Traffic will pass through the Company’s Scrubbing Centre(s), following the routing profile of China Lite. After the mitigation, the Customer traffic will be directed from the Company’s Scrubbing Centre(s) to the Customer site hosting the Protected Asset, following the routing profile of the Customer IP transit service purchased.

2.4 Service Level
The Company shall use commercially reasonable efforts to keep the Availability of Scrubbing Centre(s) at least 99.99% and to ensure the Mitigation Time is as follows:

If the traffic is diverted under the BGP mode, please refer to the table below for the Mitigation Time:

Attack Type                 DDoS Attack Types                                      Time to Mitigate
Pipe Saturation Attack      UDP / ICMP Floods                                      Within 5 mins
                            SYN Floods                                             Within 5 mins
                            TCP Flag Abuses                                        Within 5 mins
                            Other Layer 3 or Layer 4 Attacks                       Within 5 mins
                            DNS Reflection                                         Within 10 mins
                            DNS Flood Attack                                       Within 10 mins

If the traffic is diverted under the DNS mode, please refer to the table below for the Mitigation Time:

Attack Type                 DDoS Attack Types                                      Time to Mitigate
Pipe Saturation Attack      UDP / ICMP floods                                      Within 5 minutes
                            SYN floods                                             Within 5 minutes
                            TCP flag abuses                                        Within 5 minutes
                            Other layer 3 or layer 4 attacks                       Within 5 minutes
                            DNS reflection attack                                  Within 10 minutes
                            DNS flood attack                                       Within 10 minutes
Resource Exhaustion Attack  TCP State Exhaustion attack (e.g. GET / POST floods)   Within 15 minutes
                            Layer-7 or application-layer attacks                   Within 15 minutes

The Company does not provide any credit or rebate to the Customer in the event that it fails to meet the service level(s) set out above.

3 LIABILITY AND DISCLAIMER OF WARRANTIES

In addition to the provisions of Liability and Disclaimer of Warranties set forth in the Service Agreement, the Customer agrees to the following:

In the event that the Company observes a DDoS attack towards the IP Address(es) associated with the Protected Asset and has reason to believe it will cause adverse impact to the Company’s IP Network or service degradation to other customers on the IP Network, the Company will, at its sole discretion and without prior notice, implement necessary actions to reduce the impact of such DDoS attack. These actions include, but are not limited to, “Black Hole” of the IP Address(es) being attacked, or alteration to the routing of the traffic destined to the IP Address(es) being attacked. The Company shall not be liable to the Customer for any actions taken by the Company to reduce the impact of such DDoS attack including, without limitation, “Black Hole” of the affected IP Address(es), nor for any delay or failure in resuming the normal routing of the traffic destined to the affected IP Address(es). For the avoidance of doubt, the Customer is not entitled to any credit or rebate in respect of the “Black Hole” period of the IP Address(es), and such “Black Hole” period of the IP Address(es) shall not be counted in the calculation of the Availability of Scrubbing Centres.

The Company reserves the right to, and shall, terminate the Service as required to protect the IP Network as a whole if any service-impacting DDoS attack results or will result in degradation to the Company’s IP Network. The Company shall not be liable for termination of the Service for this cause.

The Company does not warrant that the Service can detect all DDoS attacks or the source IP Address(es) that initiate(s) the potential DDoS attack(s), or filter/block all malicious traffic on all possible occasions. The Customer acknowledges that in the course of mitigation, certain potential Legitimate Traffic may be discarded even if its behavior seemingly conforms to the normal traffic pattern.

The Company shall not be liable for failure in filtering and mitigating malicious traffic, nor for discarding certain potential Legitimate Traffic.

The Company shall not be liable for incidental, indirect, exemplary or consequential damages of any kind, including, but not limited to, damages caused to the Customer due to the operation of the Service and/or the related IDMS and/or Service Equipment owned and provided by the Company, or damages related to lost data, website downtime, network downtime or lost profits, even if the Company has been advised of the possibility of such damages.

The Company is not the data processor for the Customer traffic passing through the Company’s Scrubbing Centre(s) or IDMS under the applicable privacy laws and regulations.

4 CUSTOMER’S OBLIGATIONS

4.1 In addition to the obligations set forth in the Service Agreement, the Customer shall, for the term of the Service:

- appoint, in the Order Form, two (2) Points of Contact (“POC”) as the Customer’s authorised persons to submit to the Company, on the Customer’s behalf, the initial and on-going network configuration information for the Service and change requests in respect of the Service, including the authorization of the POC to make changes to the Customer’s security policy for the Service and the appointment of additional or replacement POCs. The Customer warrants to the Company that the POCs appointed in accordance with this clause are duly authorised to act on the Customer’s behalf in relation to the Service Agreement.
- acknowledge that the monitoring or detection of DDoS attack is provided on a best effort basis.
- acknowledge that the filtering of potential malicious traffic and the passing of potential Legitimate Traffic during mitigation is provided on a best effort basis.
- provide all reasonable assistance to the Company in activities including, but not limited to, traffic diversion and information collection during DDoS attacks.
- provide as much diagnostic information as is available or known at the time of Fault Reporting. The information shall include, where appropriate:
  - the Customer’s name;
  - the Premises affected;
  - the details of the equipment in use, if any;
  - the circuit number of the circuit affected, if applicable;
  - the date and time of the fault first occurring;
  - the nature of the fault;
  - the events or activities leading up to the fault; and
  - any other information as required by the GSOC.
- permit the DDoS Traffic to be diverted to the Scrubbing Centre(s) for attack examination and filtering. The Customer further acknowledges that any delay in diverting the Suspicious DDoS Traffic for examination and filtering, or in routing the filtered traffic to the Customer network, that is caused by the Customer shall not be deemed a service problem of the Service or the IP Transit Services.

4.2 In addition to the obligations in clause 4.1 above, if the Hybrid Anti-DDoS Service Package is selected, the Customer shall, for the term of the Service:

- acknowledge and agree that the IDMS will be, on a continuous basis, monitoring the incoming traffic flow and sending monitoring information to the Company including, without limitation, traffic statistics (e.g. bandwidth, cells per second, packets per second and more granular network behavior statistics) and attack alerts. The Customer further consents to and authorizes the Company or its Third Party Supplier to use the collected information for analysis and research purposes and for performing obligations under these Specific Terms.
- protect against the loss or damage of the Service Equipment (which includes, without limitation, the IDMS) provided and owned by the Company. If the Service Equipment is damaged or lost, the Customer shall be responsible for the cost of replacing the affected Service Equipment including, without limitation, the cost of the Service Equipment at the prevailing ‘fair market value’ as the compensation, plus installation charges and transportation fees if re-installation is required.
- provide premises facilities for housing the IDMS and/or other Service Equipment, including, without limitation, a suitable and secure environment and power supply.
- permit the Company, its suppliers and subcontractors access to the Customer Premises at reasonable times for the purpose of installing, inspecting or terminating the Service and/or replacing or recovering the IDMS and/or other Service Equipment for use with or for the provision of the Service.
- provide all reasonable assistance or make the testing environment ready for the Company to carry out user acceptance testing on the IDMS and/or other Service Equipment.
- provide and be responsible for on-premises cable management for the cable connection(s) between the IDMS and other connecting networking equipment.
- ensure the IDMS and/or other Service Equipment is/are used in proper business conduct and in compliance with Applicable Laws and regulatory requirements.

5 CHARGES
Subject to the provisions of Charges and Taxes of the Service Agreement, the following financial terms shall apply to the Service. Charges for the Service will consist of the components for the Service Packages and/or other Charges as specified in the Order Form:

One-time Installation Charge
A fixed installation charge (non-recurring) applies to each connection of the Service, which covers both the provisioning and configuration of the Service. Such one-time fixed installation charge shall be due upon implementation of the Service.

Monthly Recurring Charge
A monthly recurring charge shall be imposed based on the required protection scope specified in the Order Form(s). Such monthly recurring charge shall be due in advance of provision of the Service and depends on multiple factors, for example:
- the required bandwidth of the Customer’s Committed Legitimate Traffic Rate
- the required DDoS Attack Mitigation Capacity
- the Service Package (e.g. in the Hybrid Anti-DDoS Service Package, an IDMS rental charge will be applied)
- the traffic diversion method

In Excess of the Committed Legitimate Traffic Rate
The Company will measure the Customer’s Committed Legitimate Traffic Rate based on the 95th Percentile Usage, which includes the filtered traffic passing through the Company’s Scrubbing Centre(s).
In the event that the measured amount of the Legitimate Traffic is in excess of the Committed Legitimate Traffic Rate subscribed in the service plan for more than seven (7) calendar days, the Company will recommend that the Customer upgrade the existing service plan, from the next calendar month until the end of the contract term, to cover the actual amount of Legitimate Traffic in accordance with the Company’s prevailing service plan rate. In the event that the Customer chooses not to upgrade the service plan within fourteen (14) calendar days of the Company’s notice of recommendation, whether verbal or in writing, the Company will limit the filtered traffic from the Scrubbing Centre to the Customer’s network to a level equal to the ordered Committed Legitimate Traffic Rate.
6 DEFINITIONS
In these Specific Terms:
“America Zone” means the zone in which the Company Service Provisioning Points are located in the America. Detail of the Company Service Provisioning Points in this zone is specified in the Online Service Portal.
“Anti-DDoS IP Address” is a single public IP address provided by the Service under DNS traffic diversion mode. The IP address is dedicated for one Customer for the usage of the Service.
“AS Number” means Autonomous System Number. An AS Number is a collection of IP networks and routers under the control of one entity that presents a common routing policy to the Internet. An Autonomous System (AS) is uniquely identified by an AS Number by the Internet. The AS Number is assigned by the relevant Regional Internet Registry (RIR).
“Asia Pacific Zone” means the zone in which the Company Service Provisioning Points are located in the Asia Pacific region. Detail of the Company Service Provisioning Points in this zone is specified in the Online Service Portal.
“Asia Pacific Service Provisioning Points” means the Service Provisioning Points located in Asia Pacific region including, without limitation, Australia, Hong Kong, Indonesia, Japan, Korea, Malaysia, Philippines, Singapore, Taiwan and Thailand.
“Availability of Scrubbing Centre(s)” means the number of minutes when all Scrubbing Centres are not available / number of minutes in a calendar month.
“Black Hole(ing)” means discarding all data destined for a particular IP Address so that it does not disrupt the flow of data to other IP Addresses.
“BGP” means Border Gateway Protocol used to exchange routing information for the Internet and is the protocol used between Internet service providers (ISP).
“China Direct” means the routing profile of the IP Transit Services that the mainland China originated traffic (not including Hong Kong) will be routed within the Asia Pacific region. This China Direct routing profile is only applicable to and can only be purchased by a Customer when the Customer’s protected network(s) is /24 or broader.
“China Lite” means the routing profile of the IP Transit Services available in Asia Pacific Service Provisioning Points. Under China Lite, the mainland China originated (not including Hong Kong) traffic will be routed through US or Europe region first, then back to Asia Pacific region.
“China Traffic” means the traffic on the IP Port which passes through the AS numbers (AS4134, AS4809, AS4837 and AS9929) via the Company IP Network with AS number AS3491.
“China Zone” means the cities in mainland China where the IP Network is connected with the network of the Company’s peering partners in mainland China, which may include Beijing, Shanghai, Guangzhou or wherever applicable as determined by the Company.
“Committed Legitimate Traffic Rate” means the amount of Legitimate Traffic (in Mbps or Gbps), as set out in the Order Form, which the Company agrees to provide DDoS protection to the Customer and for which the Customer agrees to pay at a fixed charge per month payable monthly in advance.
“Company” means the service providing company that has entered into the Agreement with the Customer, as more particularly specified in the Service Agreement and the relevant Order Form.
“Company Edge Router” means the edge router assigned by the Company to which the IP Transit Services will be connected at the Company Service Provisioning Point.
“Customer IP Address(es)” means the IP Address(es) advertised by the Customer into the IP Port(s) that are not provided by the Company.
“DDoS (Distributed Denial of Service)” means a form of Internet threat or attack involving multiple computers, which send repeated false traffic or requests to a server (web site) to render it inaccessible to valid users.
“DDoS Attack” means a malicious attack aims at disrupting an Internet-facing system (a target) by overwhelming the target with a huge amount of fake traffic. Two typical types of attack are categorized as Pipe Saturation Attack and Resource Exhaustion Attack.
“DDoS Mitigation Capacity” means the size of DDoS attack which the Company’s Scrubbing Centre(s) can receive from the Internet and mitigate it accordingly.
“DNS / Domain Name System” is a hierarchical decentralized naming system for computers, services, or other resources connected to the Internet or a private network. It translates more readily memorized domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols.
“Europe Zone” means the zone in which the Company Service Provisioning Points are located in Europe. Detail of the Company Service Provisioning Points in this zone is specified in the Online Service Portal.
“Gbps” means gigabit per second which is a unit of data transfer rate equal to 1,000,000,000 bits per second or 125,000,000 bytes per second.
“In Excess of the Committed Legitimate Traffic Rate” means that the amount of Legitimate Traffic measured is higher than the Committed Legitimate Traffic Rate.
“Intelligent DDoS Mitigation Systems (IDMS)” means a device installed on the Customer’s Premises, which is deemed Service Equipment as defined in the Service Agreement. It performs traffic monitoring and DDoS detection and triggers traffic diversion.
“Internet-facing Asset” means the IP Network(s) (e.g. 5.5.5.5/24) or website domain(s) (e.g. www.abc.com) which is or are accessible by the public Internet users by identification via IP address (e.g. 5.5.5.5) or domain name (e.g. www.abc.com).
“IP” means the Internet protocol which is the transmission protocol for communicating with the Internet.
“IP Address” means the unique public address used by the Internet and is controlled and assigned by the Regional Internet Registry.
“IP Network” means the data telecommunications network delineated by edge routers operated by the Company and used by the Company to provide the IP Transit Services, based on the TCP/IP protocol suite, using any form of transmission medium.
“IP Port” means an Internet access port on the Company Edge Router which is connected to the Customer’s router and which is the demarcation point for delivery of the IP Transit Services to the Customer.
“IP Prefix” means an IP network address that indicates the number of bits (left to right) that constitute the network number.
“IP Transit Services” means the internet access service(s) also provided by the Company and as defined in the Specific Terms for IP Transit Service and Global Internet Access Service.
“Legitimate Traffic” means the normal and non-DDoS-attack traffic volume from the Internet to the Customer Protected Asset. It is measured based on 95th Percentile Usage.
“Mbps” means megabit per second which is a unit of data transfer rate equal to 1,000,000 bits per second or 125,000 bytes per second.
“Mitigating Time” means the minutes which the Company’s Scrubbing Centres take to filter the DDoS attacks successfully after the corresponding DDoS traffic enters the Company’s Scrubbing Centres.
“Online Service Portal” means an information site operated by the Company and accessible by the Customer via the internet to enable the Customer to check the service performance of IP Transit Services. The internet address of the Online Service Portal is http://www.pccwglobal.com/en/customer-support
“Pipe Saturation Attack” means a flooding attack that saturates the Customer’s Link of IP Transit Services and affects the normal Internet traffic flow to the Customer network or specific assets. It usually generates a huge amount of attack traffic, e.g. 10 Gbps or 100 Gbps, to the DDoS attack target. Examples of such attacks include UDP / ICMP flooding.
“Protected Asset” is the Customer’s Internet-facing Asset, which is protected against DDoS attack by the Service.
“Resource Exhaustion Attack” is a type of attack that aims to disrupt an application server, a router, a firewall or other equipment by flooding it with more requests than it can process. As such, it will drop legitimate requests. Usually, a small volume of traffic (e.g. 20 Mbps) can include a million requests per second, which is powerful enough to disrupt a normal application server.
“Scrubbing Centre” means the part of the Service system where potential malicious DDoS traffic is redirected to, and filtered, and from where the filtered traffic is routed to the Customer network.
“Service Provisioning Point” means the interconnection point on the IP Network’s router for connecting Customer’s equipment or Customer’s network for America Zone, Asia Pacific Zone and Europe Zone; whereas Service Provisioning Point for China Zone means the interconnection point between the IP Network and the network of the Company’s peering partner in China.
“Suspicious DDoS Traffic” means the traffic flowing towards the IP Address(es) of the Protected Asset that includes potential DDoS attack and the legitimate (non-DDoS) traffic.
“Tbps” means terabit per second which is a unit of data transfer rate equal to 1,000,000,000,000 bits per second or 125,000,000,000 bytes per second.
“US” means the United States of America.
“95th Percentile Usage” means the mechanism for calculating the Legitimate Traffic. The 95th Percentile Usage is measured as the number of Mega-Bit-Per-Second (Mbps or Mbits/s, 1 Mega-Bit means 1,000,000 Bits) sent from the Scrubbing Centre(s) to the Customer’s Protected Asset or received from the Customer’s Protected Asset to the Scrubbing Centre(s). The Customer Traffic is measured every 5 minutes collecting a sample containing both incoming and outgoing bits over the period of the Scrubbing Centre usage.
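The “95th Percentile Usage” definition above and the “In Excess of the Committed Legitimate Traffic Rate” clause in section 5, as an added Python illustration that is not the Company’s billing system. The 5-minute sampling interval, the 1,000,000-bit megabit and the seven-day / fourteen-day rule come from these terms; the sort-and-discard-top-5% percentile method, the per-calendar-day evaluation of the excess condition, taking the higher of the two directions per sample, and every counter value are constructed assumptions.

```python
"""95th Percentile Usage and the 'In Excess of the Committed Legitimate Traffic Rate'
rule.  Added illustration; not the Company's billing code.  The sampling interval and the
7-day / 14-day rule follow the terms; the percentile method, per-day evaluation, direction
handling and all constructed counters are assumptions."""
import math

SAMPLE_MINUTES = 5                                  # one sample every 5 minutes (per the definition)
SAMPLES_PER_DAY = 24 * 60 // SAMPLE_MINUTES         # 288 samples in a calendar day


def sample_mbps(in_bits, out_bits, seconds=SAMPLE_MINUTES * 60):
    """Mbps for one interval from the bit counters in each direction (1 Mbit = 1,000,000 bits).
    Assumption: the higher of the two directions is the figure kept for the interval."""
    return max(in_bits, out_bits) / seconds / 1_000_000


def percentile_95(samples_mbps):
    """Sort the interval rates, discard the top 5%, and return the largest remaining rate.
    Bursts covering fewer than 5% of the intervals therefore do not raise the figure."""
    if not samples_mbps:
        raise ValueError("no samples")
    ordered = sorted(samples_mbps)
    index = math.ceil(0.95 * len(ordered)) - 1
    return ordered[index]


def constructed_day(base_mbps, burst_mbps, burst_intervals):
    """A constructed day: a steady base rate with `burst_intervals` consecutive 5-minute
    intervals at `burst_mbps`, starting at interval 100 (08:20)."""
    day = [float(base_mbps)] * SAMPLES_PER_DAY
    for i in range(burst_intervals):
        day[100 + i] = float(burst_mbps)
    return day


def days_in_excess(daily_samples, committed_mbps):
    """Count calendar days whose 95th percentile exceeds the Committed Legitimate Traffic Rate
    (assumption: the 'more than seven calendar days' test is applied day by day)."""
    return sum(1 for day in daily_samples if percentile_95(day) > committed_mbps)


def excess_status(daily_samples, committed_mbps, upgraded=False, days_since_notice=None):
    """Apply the clause: more than seven days in excess -> the Company recommends an upgrade;
    no upgrade within fourteen calendar days of the notice -> filtered traffic delivered from
    the Scrubbing Centre is limited to the committed rate."""
    if days_in_excess(daily_samples, committed_mbps) <= 7:
        return "within commitment"
    if upgraded:
        return "plan upgraded"
    if days_since_notice is not None and days_since_notice > 14:
        return "limited to committed rate"
    return "upgrade recommended"


def deliverable_mbps(filtered_mbps, committed_mbps, status):
    """Rate the Scrubbing Centre passes on to the Customer network under the current status."""
    if status == "limited to committed rate":
        return min(filtered_mbps, committed_mbps)
    return filtered_mbps


# Constructed month: 30 days at 800 Mbps; the first eight days carry a 100-minute burst to
# 3,000 Mbps (20 intervals, 6.9% of the day), the rest a 50-minute burst (10 intervals, 3.5%).
COMMITTED_MBPS = 1000
MONTH = [constructed_day(800, 3000, 20 if d < 8 else 10) for d in range(30)]

if __name__ == "__main__":
    print("days in excess:", days_in_excess(MONTH, COMMITTED_MBPS))
    print("status:", excess_status(MONTH, COMMITTED_MBPS))
```

The two burst lengths show the boundary that matters for the Committed Legitimate Traffic Rate: a 50-minute burst falls inside the discarded top 5% of a day’s 288 samples and leaves the day at 800 Mbps, while a 100-minute burst does not and lifts the day to 3,000 Mbps, so eight such days exceed the seven-day allowance in the clause.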