Quality Certificate for Kaspersky DDoS Prevention Software

Transcription

1 Quality Certificate for Kaspersky DDoS Prevention Software

2 Quality Certificate for Kaspersky DDoS Prevention Software Table of Contents Definitions 3 1. Conditions of software operability 4 2. General interaction as part of Kaspersky DDoS Prevention service 4 3. Sharing of responsibilities between Kaspersky Lab and the Licensee 4 4. Technical support limitations 5 5. Force majeure 5 6. Operating parameters General operating parameters of software and technical support Notifications about anomalies detected, and getting the system ready for filtering Establishing a dedicated filter bandwidth Traffic filtration time covered by the tariff Incident response time Incident resolution time Request response time Traffic filtering parameters Continuity of software operation Duration of attack information storage in the System Incident and anomaly resolution monitoring Quality of service monitoring Evaluated criteria of software performance quality Methods of evaluating the quality of software performance and technical support Anomaly notification time Traffic filtering parameters Continuity of software operation Agreed interruptions in software availability Technical support service Licensee's obligations to participate in incident resolution Procedure for interaction during software operation Telephone System web portal Conditions of work at the Licensee's site 13 2

3 Definitions «System», «Application» Kaspersky DDoS Prevention components, processes, and service personnel. «Attack» an action aimed at destabilizing resource operability, causing denial of service or distracting the administrator from an attempt at seizing control over a remote or local computing system (by escalating access privileges). «DoS attack» Denial of Service attack. An attack at a computing system aimed at causing its denial: a situation where legitimate system users are unable to access system resources (servers) or such access is complicated. System denial can be an end in itself (for example, an attempt at making a popular website inaccessible) or one of the steps in seizing control over a system (for example, an emergency can cause software to release certain critical data, such as its version, a portion of program code, etc.). An attack originating from a large number of computers at once is called a DDoS attack (Distributed Denial of Service attack). «Traffic» volume of data transmitted over communication channels over a certain length of time. «Legitimate traffic» inbound traffic of a computing system from users intending to use the computing system for its intended purpose (for example, users of an online banking system or website visitors). «Parasite traffic» traffic that does not match the designated and approved statistical criteria of legitimate traffic. «Traffic filtering», «Traffic purging» a process of detecting parasite traffic and removing it from the traffic of the protected resource. «Anomaly» a deviation of statistical characteristics of inbound traffic of a resource from the design characteristics. «Resource» a network service of the Licensee defined by a domain name or IP address. «Collector», «Purging center», «Filtering router», «Proxy server», «Sensor» components of the Kaspersky DDoS Prevention system. «Traffic redirection» a process of delivering traffic of the protected resource to the purging center. «Tunnel» a method of delivering traffic from the purging center to the protected resource, which involves arranging address resolution (if necessary) and traffic encapsulation on the side of the purging center, redirecting encapsulated traffic to the protected resource, removing the encapsulation and (if necessary) repeatedly resolving addresses on the side of the protected resource. «Request» an or call reporting a problem, from an authorized representative of the Licensee to Kaspersky Lab. «Incident» any event involving the Kaspersky DDoS Prevention system or personnel, which adversely affects resource performance or may do so in the future. «Problem» the primary unknown cause of an incident. «Significant incident» an incident that has a significant effect on resource performance. «Critical incident» an incident that renders the Licensee's resource completely non-operational or causes a significant deterioration in its performance. «Non-critical incident» all the remaining incidents that do not have a significant adverse effect on resource performance. «Registration time» a length of time between a request and the confirmation of incident acceptance for review by Kaspersky Lab representatives. «Response time» a length of time (from the time when an incident is registered) during which incident processing is started. The duration of the response time directly depends on the level of incident criticality. «Resolution time» a length of time (from the end of the response time) during which a permanent or temporary solution for the incident is found. «Quality of service» a manifestation of system performance in certain quantifiable criteria. «Licensee's site» sites (buildings, premises) hosting Kaspersky Lab hardware and software complexes serving the resource. «Activation code» a unique alphanumeric code generated by Kaspersky Lab, which enables the Licensee to use the system. «Application activation», «System activation» entry of the activation code in the system interface, which marks the start of system use by the Licensee. 3

4 Quality Certificate for Kaspersky DDoS Prevention Software 1. Conditions of software operability The Kaspersky DDoS Prevention system can effectively filter traffic only on condition: The Licensee makes it possible to connect sensors to resources for the purposes of monitoring anomalies and building a statistical profile of resources using one of the following methods (the most appropriate method is determined by Kaspersky Lab specialists after examining the network infrastructure of the Licensee's resource): deployment of hardware of the sensor component in the immediate vicinity of the resource traffic mirroring from the resource to the sensor channeling aggregated traffic data to the network sensor (NetFlow) The Licensee is able to administer DNS accounts of his resources in real time and/or manage the announcement of autonomous systems (blocks of provider-independent addresses) 2. General interaction as part of Kaspersky DDoS Prevention service Kaspersky Lab representatives monitor the traffic of protected resources for anomalies Kaspersky Lab representatives notify designated employees of the Licensee about the presence of persistent anomalies in traffic Designated employees of the Licensee evaluate the workload on their resources and decide to start the filtering Designated employees of the Licensee perform a sequence of steps to route the traffic of protected resources to the purging system Kaspersky Lab representatives launch the filtering and monitor the degree of traffic purging, making adjustments to system settings, if necessary Once the attack has stopped, Kaspersky Lab representatives notify the designated employees of the Licensee accordingly Designated employees of the Licensee decide to stop the filtering and take steps to return the traffic routes to the protected resources to their original status 3. Sharing of responsibilities between Kaspersky Lab and the Licensee Table 1 Scope of responsibility Kaspersky Lab Licensee Operability of the Kaspersky DDoS Prevention service, including operability of the software side of the sensor + Operability of the infrastructure of protected resources, including operability of the hardware side of the sensor + Support of service operability through a distributed filtration system + + Monitoring the traffic of the protected resource for anomalies + Notifying employees of the Licensee about anomalies detected in the traffic of the protected resource + Notifying employees of the Licensee about the possibility to stop the filtering + Deciding to start or stop the filtering process + Monitoring the quality of service of the purging system with the filtering mode enabled + + Managing accounts of protected resources (DNS accounts) or routing (BGP) + 4

5 4. Technical support limitations Technical support of Kaspersky DDoS Prevention software does not cover resolution of: Incidents involving the inoperability of any hardware and software that is not a part of System equipment Incidents during which the Licensee fails to honor the Licensee's Obligations to Participate in the Resolution of Incidents (see the relevant section) Incidents that cannot be reproduced by either the Licensee or Kaspersky Lab Incidents that are not consequences or components of DDoS attacks As part of Kaspersky DDoS Prevention software support and assistance, Kaspersky Lab does not perform: Security and performance analysis of software and hardware complexes of the Licensee Configuration and administration of software and hardware complexes of the Licensee Administration of hardware of Internet service providers used by the Licensee Interaction with the personnel of Internet service providers used by the Licensee Repairs and recovery work on software and hardware of the Licensee Other work that is not directly related to the operation of the software and its components 5. Force majeure The parties agree to classify as routine the following situations involving disruptions of software operation if such disruptions have resulted from: Сhanges made by the Licensee to the settings that directly or indirectly affect software components within the scope of responsibility of Kaspersky Lab, without the approval of Kaspersky Lab An interruption in software operation caused by scheduled hardware maintenance coordinated with the Licensee in advance or associated with software upgrades requested by the Licensee An interruption in software operation caused by the Licensee's failure to honor Licensee's Obligations to Participate in the Resolution of Incidents (see the relevant section) An interruption in software operation caused by the need to eliminate factors hindering software operation, which arose through the Licensee's fault Interference by the Licensee or a third party with the operation of hardware or software located at the Licensee's site and ensuring System operation, without the consent of Kaspersky Lab Redirection of traffic to the purging subsystem without the approval of Kaspersky Lab technical personnel Failures affecting hardware of the Licensee or the Licensee's Internet service provider, which is outside the scope of responsibility of Kaspersky Lab Instances of the telecom service provider blocking communication channels between components of the infrastructure of the Licensee and Kaspersky Lab An extraordinary situation. An extraordinary situation shall mean an interruption in software operation in routine mode for more than 8 hours caused by one of the following events: failure of infrastructure components of Internet service providers to Kaspersky Lab for more than 8 hours for reasons beyond the control of Kaspersky Lab partial destruction, fire or flooding of the premises of the data center hosting Kaspersky Lab hardware In the event of an emergency situation, Kaspersky Lab undertakes to restore minimal service operability within 4 hours. Other force majeure circumstances (as stipulated in the Agreement). 5

6 Quality Certificate for Kaspersky DDoS Prevention Software 6. Operating parameters 6.1 General operating parameters of software and technical support Table 2 lists the general operating parameters of software and technical support. Table 2 Anomaly monitoring and filtering Technical support and assistance 6.2 Notifications about anomalies detected, and getting the system ready for filtering Table 3 lists the relevant indicators. Table 3 Deviations from statistical parameters Statistical parameters exceeded considerably (by no more than 50%) Statistical parameters exceeded significantly Time, GMT+3 24х7 24х7 Time it takes to notify about anomalies and get the system ready (method of notification about anomalies) 2 business hours (via ) 30 minutes (via or by phone) 15 minutes (by phone) Language Russian Russian Percentage of timely completion 80% 80% 80% 6.3 Establishing a dedicated filter bandwidth Kaspersky Lab shall allocate to the Licensee an inbound traffic bandwidth in a volume that does not exceed that provided by the selected rate plan. The relevant indicators are listed in Table 4. Table 4 Rate plan Limitation (OR logical operator) Data volume Packets per second Basic Edition 0 0 Basic Edition (conditional on the purchase of an additional license) 2 Gbps 300,000 Standard Edition 2 Gbps 300,000 Advanced Edition 5 Gbps 600,000 Ultimate Edition 5 Gbps 600,000 Where the filtering system receives traffic in a volume exceeding the aforementioned characteristics, Kaspersky Lab may choose not to process such surplus volume of traffic. 6

7 6.4 Traffic filtration time covered by the tariff Kaspersky Lab undertakes to filter attacks targeting the Licensee's resource for the length of time provided by the selected rate plan. Table 5 lists the duration of traffic filtering covered by the rate plan. Table 5 Rate plan Where the duration of an attack (or several attacks) exceeds the specified time limit, the Licensee shall pay for the volume of surplus traffic against an invoice of Kaspersky Lab. 6.5 Incident response time Protection time (days per calendar month) Basic Edition 0 Standard Edition 3 Advanced Edition 3 Ultimate Edition Kaspersky DDoS Prevention Service, Extended Cover Option (1 day) No limitations 1 day 6.6 Incident resolution time Table 7 lists incident resolution times. Table 7 Non-critical Significant 6.7 Request response time Table 8 lists request response times. Table 8 Resolution time Within 3 business days Within 1 business day Response time Percentage of timely completion 80% 80% Critical Within 12 hours 80% Percentage of timely completion Non-critical 4 business hours 80% Significant 2 business hours 90% Critical 1 business hour 95% Table 6 lists incident response times. Table 6 Response time Percentage of timely completion Non-critical 4 business hours 80% Significant 2 business hours 90% Critical 1 business hour 95% 7

8 Quality Certificate for Kaspersky DDoS Prevention Software 6.8 Traffic filtering parameters Kaspersky Lab guarantees that in the process of traffic filtering during an attack, software will: Allow traffic from parties white-listed by the Licensee Block traffic from parties black-listed by the Licensee Purge the parasite component from the traffic at the level shown in Table 9 Table 9 Type of attack Average purging percentage * Average percentage of passage of legitimate requests ** 1. Illegitimate traffic to an unclaimed protocol and/or port (examples: UDP Flood, ICMP Flood) 98% 98% 2. Connection initiation over the TCP protocol (SYN-Flood) with random spoofing of the IP address of the data sender (IP-Spoof) 3. Establishment of a full-fledged TCP connection that is then reset without any data exchange inside the socket (TCP Connect Flood) 4. Denial of service / resource through an attack over the HTTP/1.0 or HTTP/1.1 protocol by sending data: 1) outside of the protocol specification; 2) within the protocol specification without following further redirection instructions (HTTP Redirect, JavaScript Redirect); 3) within the protocol specification while following further redirection instructions against protection at the level of the Turing test (captcha) 5. Denial of service / resource over the HTTPS protocol in the presence of an encryption certificate on the filtering resources 6. Denial of service / resource over the HTTPS protocol in the absence of an encryption certificate on the filtering resources 7. Traffic filtering in the presence of a large number of legitimate users of the resource with generation of traffic possessing different characteristics 98% 98% 98% 98% 98% 98% 98% 98% 80% 80% 80% 80% 8. DNS protocol attack with generation of legitimate requests 80% 80% 9. Other types of attacks 75% 75% * The purging percentage has been calculated using the following algorithm: if the IP address is malicious, the probability of it being blocked equals the percentage shown in the table after 10 minutes have elapsed from the start of attacks from this IP at the protected resource. ** The legitimate request passage percentage has been calculated using the following algorithm: if the IP address belongs to a legitimate user of the resource, the probability of its passage equals the percentage shown in the table after 10 minutes have elapsed from the start of requests from this IP to protected resource during an attack. 8

9 6.9 Continuity of software operation 6.11 Incident and anomaly resolution monitoring Kaspersky Lab undertakes to ensure uninterrupted software operation during the entire term of the Agreement. To prove software operation continuity, Kaspersky Lab shall furnish the Licensee with registration logs showing the characteristics of inbound and outbound traffic, resource response parameters, etc. at intervals of at least 5 minutes. Kaspersky Lab reserves the right to use its own technical methods of monitoring software operation continuity. Where the aforementioned registration logs lack information for a period exceeding 15 minutes, the Licensee may deem this to constitute a breach in software operation continuity. Where the loss of said data is due to technical causes and has not interrupted the continuity of software operation, Kaspersky Lab shall notify the Licensee accordingly within 30 minutes of detecting the fault Duration of attack information storage in the System Table 10 lists the durations of attack information storage in the system. Table 10 An incident can be managed by either the Licensee (i.e., the Licensee takes steps contributing to incident resolution by Kaspersky Lab) or Kaspersky Lab. An incident shall be considered to be managed by the Licensee where Kaspersky Lab has requested additional information from the Licensee or expects the Licensee to take steps to redirect traffic to the purging center. Once the Licensee has provided the requested information or performed the requisite technical measures and notified Kaspersky Lab representatives accordingly, management of the incident shall be deemed to have been handed over to Kaspersky Lab. Kaspersky Lab shall be responsible only for the time during which the incident or anomaly was managed by KL. While resolving incidents, Kaspersky Lab shall do whatever is necessary to provide timely information on the status of incidents managed by it to the Licensee according to the schedule provided in Table 11. Table 11 Non-critical Significant Critical Reporting schedule Daily (via ) Every 4 hours (via or by phone) Hourly (by phone) Rate plan Ordinary information Attack information Basic Edition 2 months Basic Edition (conditional on the purchase of an additional license) 2 months Standard Edition 2 months Advanced Edition 2 months 1 year Ultimate Edition 2 months 3 years Kaspersky DDoS Prevention Service, Logs Option, 1 year Kaspersky DDoS Prevention Service, Logs Option, 3 years 1 year 3 years 9

10 Quality Certificate for Kaspersky DDoS Prevention Software 6.12 Quality of service monitoring Kaspersky Lab shall store the following information on the registered incidents in progress and closed incidents: Total number of closed incidents Total number of incidents in progress Ordinal number of the incident and description Level of incident urgency Incident status Date and time of incident registration by Kaspersky Lab Response time relative to the specified level of service Time during which the incident was managed by the Licensee Time during which the incident was managed by Kaspersky Lab The party that is currently managing the incident (Kaspersky Lab / Licensee) 6.13 Evaluated criteria of software performance quality Parameters listed in Table 12 belong to the evaluated parameters of software performance quality. Table 12 Parameter Detection of the start of an attack Quality of traffic filtering Continuity of software operation Technical support Quality evaluation criteria Timeliness of notification about detected anomalies Percentage ratio between inbound and outbound traffic Duration of service operability, including completeness of Kaspersky Lab-furnished information about traffic statistics of the monitored resource, degree of traffic purging, and similar information Timely response to Licensee's requests and timely resolution of incidents that have arisen. Full name of the designated technical specialist on the side of Kaspersky Lab Date and time of actual incident resolution Kaspersky Lab shall furnish the Licensee with reports on closed incidents on a monthly basis. 10

11 7. Methods of evaluating the quality of software performance and technical support 7.1 Anomaly notification time Where software has detected anomalies in the Licensee's traffic, Kaspersky Lab shall notify designated employees of the Licensee within 15 minutes of detecting persistent signs of an attack. The Licensee can calculate the start time of an attack based on registration logs published by Kaspersky Lab. Table 13 lists the following degrees of quality violations in terms of this parameter. Table 13 Violated software parameter Timeliness of attack detection Degree of violation light medium severe Quantitative characteristic 30 minutes to 1 hour 1 hour to 3 hours Over 3 hours Where Kaspersky Lab has failed to ensure the availability of designated persons responsible for obtaining information, Kaspersky Lab shall not have the right to present claims over violations of this quality parameter. Blocking of traffic from parties black-listed by the Licensee has not been ensured The parameters of traffic purging to eliminate the parasite component differ from the declared parameters by more than 20% (deterioration in characteristics) 7.3 Continuity of software operation The base interval for calculating software operation continuity shall be 5 minutes. If, in the course of an attack, the following traffic purging characteristics as: Purging parameters Allowing / blocking of traffic from white-listed / black-listed senders Readiness of Kaspersky Lab to process traffic (passage of traffic through the purging center) Exceed the declared indicators for more than 15 minutes, the following degrees of quality violation in terms of this indicator are differentiated as shown in Table 14. Table 14 Violated software parameter Degree of violation light Quantitative characteristic 15 minutes to 30 minutes 7.2 Traffic filtering parameters Continuity of software operation medium 30 minutes to 1 hour The following degrees of quality violations in terms of this parameter are differentiated: severe Over 1 hour Passage of traffic from parties white-listed by the Licensee has not been ensured 8. Agreed interruptions in software availability With the Licensee's consent, Kaspersky Lab may interrupt software service for the purposes of hardware and communication link maintenance or emergency repairs. The parties agree to classify such interruptions, as shown in Table 15, as software operation in routine mode and exclude them from the time of unavailability when calculating software performance indicators. 11

12 Quality Certificate for Kaspersky DDoS Prevention Software Table 15 Item No. Item Indicators Notification of the Licensee Additional conditions 1. Maintenance work Total duration of interruptions: not to exceed 16 hours per year. Intervals between interruptions: at least 30 calendar days At least 2 calendar days prior to the start of an interruption The time of work to be coordinated with the Licensee 2. Emergency maintenance necessitated by the installation of vendor-released upgrades and/or patches of critical importance to software operability, performance, and safety The interruption time equals the actual time it takes to install upgrades and patches and run tests Directly before the start of work The Licensee must be notified about the anticipated duration of work 9. Technical support service The technical support service of Kaspersky Lab shall ensure communication between the Licensee and Kaspersky Lab and shall be responsible for receiving and processing the Licensee's requests. Receiving and processing of requests involves the following steps: Receiving the Licensee's requests, registering, classifying, and routing them to subsequent levels of support Notifying the Licensee about anomalies and other incidents detected Notifying the Licensee about the type of attack and issuing recommendations on how to counteract it (if possible) Notifying the Licensee about mass incidents / problems / operations, modifications and maintenance undertaken Monitoring the progress of work on a request, escalating the request if problems are encountered, notifying the Licensee about the progress of work, closing the request 10. Licensee's obligations to participate in incident resolution The Licensee shall: Furnish Kaspersky Lab with a list of persons (including their contact details) who are sufficiently qualified to ensure traffic routing and reception on the Licensee's side, replicate traffic and deliver it to the sensor, and persons responsible for performing the Licensee's obligations under this Agreement. In the absence of sufficiently qualified persons, the Licensee shall furnish Kaspersky Lab with information needed to arrange traffic routing and reception, as well as grant access to traffic receiving hardware with a level of privileges sufficient to configure settings of software used for receiving traffic Furnish Kaspersky Lab with a list of persons (including their contact details) who are authorized to initiate requests and tickets to Kaspersky Lab on behalf of the Licensee, respond to Kaspersky Lab queries, and take the necessary decisions in emergencies Furnish Kaspersky Lab with a list of persons (including their contact details) who are authorized to request technical support Keep an up-to-date list of resources belonging to Kaspersky Lab in accordance with the Agreement Ensure the deployment of the sensor on the Licensee's site or the mirroring of traffic from the Licensee's resource to the sensor, or transmission of flow data to KL Grant access to hardware hosted on the Licensee's site (sensor), which enables the provision of software services. 12

13 The procedure for granting access to hardware must be cleared with the Licensee depending on the network topology, security policies in place, etc. Create conditions necessary for the redirection of traffic to be purged, and ensure the redirection of such traffic to purging centers in the event of attacks Ensure reception of purged traffic by the Licensee's resources In addition, some incidents affecting system operability or interaction between system components and Licensee's hardware require modeling the conditions under which the incident arose to enable the localization of causes and troubleshooting. The Licensee shall furnish all information needed for work and assist Kaspersky Lab representatives involved in incident resolution with obtaining the information necessary for work as well as with obtaining access to the site being examined and software and/or hardware necessary to model the conditions under which the incident arose if Kaspersky Lab lacks the necessary software and/or hardware. Where an incident affects components located at the Licensee's site, the Licensee shall grant Kaspersky Lab representatives access to such components directly at the Licensee's site. 11. Procedure for interaction during software operation 11.1 Telephone Interaction over the phone is an urgent means of communication designed for informing Kaspersky Lab about critical incidents. Licensee's requests are accepted by phone at +7 (800) When submitting a request over the phone, the type of request must be specified as: «DDoS Prevention». Over the phone, the Licensee is able to receive urgent advice on steps to be taken in the event of critical incidents is the second primary means of communication with Kaspersky Lab designed for incident registration by authorized representatives of the Licensee. The Licensee's requests are accepted at: ddosprevention@kaspersky.com. The Licensee can use to: Register incidents, monitor registered incidents Receive advice on active counteraction steps 11.3 System web portal The web portal of the Kaspersky DDoS Prevention system is located at and is meant to supply the Licensee's personnel with service performance and event statistics. The Licensee can use the web portal to: Keep track of the performance of system components Analyze resource workload statistics Monitor anomalies Configure mechanisms for signaling anomaly levels achieved Notify Kaspersky Lab personnel about the decision to redirect traffic Edit white lists / black lists of addresses being filtered 11.4 Conditions of work at the Licensee's site Kaspersky Lab shall carry out a portion of work associated with the usage of software directly at the Licensee's site where a critical incident involving hardware hosted by the Licensee has been registered. The method of work (onsite or remotely) shall be determined by: Kaspersky Lab where a critical incident has been registered Licensee in other cases 13

14 Kaspersky DDoS Prevention 2012 Kaspersky Lab ZAO. All rights reserved. Registered trademarks and service marks are the property of their respective owners.