Securing data centres: How we are positioned as your ISP provider to prevent online attacks.
Executive Summary

In today's technologically demanding world, an organisation that experiences any internet data centre (IDC) downtime will notice the significant impact it has on its bottom line. It is no surprise, then, that the increasing scale and frequency of distributed denial of service (DDoS) attacks are now having a much greater impact on the business continuity and profitability of these companies. On top of this, while DDoS attacks may have been driven by non-economic reasons in the past, they now have major monetary drivers including extortion, competitive advantage and corporate revenge.

DDoS threats that impact the availability of services represent a significant opportunity for Internet service providers (ISPs). Enterprises and their IDC operators are more concerned about DDoS than ever before, and ISPs can help them combat these threats.

Growing managed security market from ISPs

According to research by Frost & Sullivan, the managed security service provider (MSSP) market is expected to grow to around $4 billion in North America alone by 2016. It is expected that the managed security and security monitoring services segment will continue to yield the highest percentage of total revenue in the MSSP market.

Frost & Sullivan Research Analyst Martha Vazquez said that, despite budget cutbacks, more companies were looking to upgrade their security. "Although budget cutbacks have resulted from the economic slowdown, companies are continuing to implement measures to upgrade security," Ms Vazquez said. "Outsourcing security to an MSSP will free up time for organisations to focus on core business processes."

Enterprises will spend more on network-based security services from ISPs as they become more comfortable with ISPs providing these services. Many factors, such as better support, more mature options, improved service control and faster services, will increase this comfort level.
The evolving DDoS threat

The market demand for managed security services is real and growing. Service providers have some inherent advantages that enable them to capitalise on this demand because they own the pipes that transmit data across the Internet. This makes ISPs uniquely well positioned to deliver a comprehensive solution that can combat the two primary types of DDoS attack: volumetric DDoS attacks and the newer application-layer DDoS attacks.

Volumetric DDoS attacks are those generated by internet bots, that is, compromised personal computers grouped together in large-scale botnets. Examples include the DDoS attacks against UK-based online betting sites, where the attackers extorted the betting firms, and the politically motivated DDoS attacks against the Georgian government. They are generally high-bandwidth attacks and originate from a large number of geographically distributed bots. Because of the high-bandwidth and geographically dispersed nature of these attacks, the congestion can occur upstream in the provider's network and cannot be stopped at the enterprise or data-centre edge.

In addition to the volumetric attacks, a new type of application-layer DDoS attack has emerged that threatens the business viability of service provider customers. Two days before Christmas in 2009, last-minute shoppers could not access some of the world's most popular Internet shopping sites, including Amazon, Expedia and Walmart. A targeted DDoS attack against UltraDNS, a leading provider of domain name system (DNS) services, took these major retail sites offline. The attack could have dramatically affected the Christmas shopping season and, more importantly, the profitability of these retailers if UltraDNS had not been able to detect and stop the attack very quickly. The Christmas 2009 attack revealed the potential impact of DDoS on online commerce.
More importantly, it revealed this new type of application-layer DDoS attack, which targets specific services and consumes lower bandwidth. These new application-layer DDoS attacks threaten a myriad of services ranging from web commerce and DNS services to email and online banking. Enterprise customers are very concerned with the availability of critical services running in their data centres. At the same time, attackers view these Internet-facing data centres as prime new targets and are launching DDoS attacks to wreak havoc on these companies. The convergence of volumetric and application-layer DDoS attacks poses a significant threat to online services, and more customers are looking for better solutions.
Only ISPs can provide the comprehensive solution to protect data centres from DDoS

ISPs can gain a unique advantage by providing a layered, network- and edge-based managed solution to combat both volumetric and application-layer DDoS attacks. The best place to stop volumetric DDoS attacks is in the ISP cloud (via network-based DDoS protection), because the saturation happens upstream and can only be remediated in the provider's cloud. The best place to perform application-layer DDoS detection is in the data centre itself, because the attack can only be detected and immediately stopped at the data-centre edge. Only ISPs can provide both a network-based service component to stop volumetric DDoS attacks and a CPE-based service component to stop application-layer DDoS attacks, which represents a distinct competitive advantage.

There are cost efficiencies at work, too. When an ISP is already supplying a managed firewall, a secure sockets layer virtual private network (SSL VPN), an intrusion detection system (IDS), an intrusion prevention system (IPS) and other security measures, adding a managed DDoS protection service can be relatively straightforward and cost-efficient.

Why traditional security products fail to address the evolving DDoS threat

While firewalls and IPS may be key elements of your customers' security strategy, these solutions are designed to provide security functions that are fundamentally different from those of dedicated DDoS detection and mitigation products. For example, firewalls are essentially policy-enforcement points that are usually deployed at the network or data-centre perimeter. Their role is to establish and enforce the rules that govern what traffic is allowed in and out of a data centre, as defined by ports, protocols and destinations. Internet-facing data centres are open to web traffic (TCP ports 80/443) and other services such as video, voice and file transfer.
DDoS attacks target the very services that firewalls have to allow through, so there is no inherent DDoS protection in the firewall layer. Because firewalls maintain state information for every session established between a client on the internet and the corresponding server in the data centre, the firewalls themselves are commonly the targets of DDoS attacks. On top of this, they are also potentially the single point of failure that disables the data centre during large-scale DDoS attacks. In these cases it is best to provide DDoS protection in the ISP network or cloud, before the attack traffic reaches the data centre, by which time it is too late.

IPS/IDS devices are also not designed to protect against some denial of service attacks. They are designed to inspect packets and remove network-based malware through signature matching. Often, however, DDoS attack traffic is not a signature-based threat. Because all IDS/IPS devices are deployed in-line and suffer from the same resource and memory exhaustion problems that plague firewalls, they are also a potential single point of failure on the network and increase network latency. In these cases, the detection and removal of DDoS attack traffic is best done in the ISP's network, either before it reaches the data-centre edge or by off-ramping the malicious traffic.

Some firewalls and IDS/IPS products offer DDoS detection using techniques such as statistical anomaly detection or malformed protocol detection. But since firewalls and IDS/IPS products conduct anomaly detection on a per-point basis, they have a very myopic view of the network. The very nature of a distributed denial of service attack means that the attack traffic is coming from many different sources, each of which may look unremarkable on its own. Therefore, the solution must be able to recognise this behaviour across the network and stop the traffic as close to the source as possible. This is another reason why the distributed detection and mitigation of DDoS attacks is best done in the ISP network.
The Platform for Comprehensive Managed DDoS Services

A complete DDoS protection solution must support the following:

- Both in-line and, more importantly, out-of-band deployment, to avoid being a single point of failure on the network;
- True distributed DoS (DDoS) attack detection, which requires broad visibility into the network (not just from a single network perspective) and the ability to analyse traffic from different parts of the network;
- Attack detection using multiple techniques, such as statistical anomaly detection, customisable threshold alerts and fingerprints of known or emerging threats based on Internet-wide intelligence; and
- Mitigation that can easily scale to handle attacks of all sizes, ranging from low-end (such as 1 Gbps of mitigation, deployed in the data centre) to high-end (such as 40 Gbps of mitigation, deployed in the ISP network).

The solution must also feature managed security service enablers. These include application programming interfaces (APIs) for integration with existing systems, the ability to launch a customer portal easily, provisioning templates, fault tolerance, and redundancy. Lastly, the solution must be proven and backed by a company that is a known industry expert in Internet-based DDoS threats.
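The difference between per-point detection and distributed detection described above can be shown with flow records. The following Python is an added example written for this page, not code from the paper or from any vendor's product; the router names, IP addresses (documentation ranges), byte counts and thresholds are all constructed. Each edge router exports a threshold check that a single firewall or IPS could also run; only the aggregated view across routers catches a flood that is spread thinly over many vantage points, and it also avoids alerting on a single heavy but legitimate client.

```python
from collections import defaultdict

# Constructed NetFlow-style records for one 60-second export window:
# (exporting router, source IP, destination IP, bytes). All values are invented.
FLOWS = [
    ("edge-a", "198.51.100.10", "203.0.113.5", 400_000_000),
    ("edge-a", "198.51.100.11", "203.0.113.5", 350_000_000),
    ("edge-b", "198.51.100.20", "203.0.113.5", 380_000_000),
    ("edge-b", "198.51.100.21", "203.0.113.5", 300_000_000),
    ("edge-c", "198.51.100.30", "203.0.113.5", 420_000_000),
    ("edge-c", "198.51.100.31", "203.0.113.5", 360_000_000),
    ("edge-a", "198.51.100.40", "203.0.113.9", 1_200_000_000),  # one heavy, legitimate client
]

FLOOD_BYTES = 1_000_000_000  # per-destination bytes per window that count as a flood (assumed)
MIN_SOURCES = 4              # a flood must also come from at least this many distinct sources


def per_point_alerts(flows, flood_bytes=FLOOD_BYTES):
    """Threshold check as a single firewall/IPS sees it: one router's traffic at a time."""
    seen = defaultdict(int)
    for router, _src, dst, nbytes in flows:
        seen[(router, dst)] += nbytes
    return {key for key, total in seen.items() if total > flood_bytes}


def distributed_alerts(flows, flood_bytes=FLOOD_BYTES, min_sources=MIN_SOURCES):
    """Aggregate the same flows across every vantage point before applying the thresholds.

    Returns {destination: {"bytes", "sources", "routers"}} so mitigation can be steered to
    the routers that are actually carrying the attack traffic (closest to the sources).
    """
    totals, sources, routers = defaultdict(int), defaultdict(set), defaultdict(set)
    for router, src, dst, nbytes in flows:
        totals[dst] += nbytes
        sources[dst].add(src)
        routers[dst].add(router)
    return {
        dst: {"bytes": totals[dst], "sources": len(sources[dst]), "routers": sorted(routers[dst])}
        for dst in totals
        if totals[dst] > flood_bytes and len(sources[dst]) >= min_sources
    }


if __name__ == "__main__":
    print("per-point alerts:  ", per_point_alerts(FLOWS))    # only the single heavy client trips it
    print("distributed alerts:", distributed_alerts(FLOWS))  # the real flood, plus where to mitigate
```

With the constructed data, every router sees under 1 GB towards 203.0.113.5, so per-point checks miss the 2.21 GB flood and instead flag the one busy client on 203.0.113.9, which the distinct-source condition correctly ignores in the distributed view.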
Our Solution

Our solution is a complete platform that delivers comprehensive managed DDoS services for customers. It meets the key requirements of a comprehensive DDoS solution by providing:

- Ability to stop both volumetric and application-layer DDoS attacks: our solution provides the tools to diagnose and stop both high-bandwidth DDoS attacks and targeted application-layer DDoS attacks.
- True distributed DoS attack detection: our solution offers true distributed anomaly detection rather than simple point-based detection.
- Multiple methods of threat detection and mitigation: our solution provides multiple attack detection techniques, ranging from statistical anomaly detection and threshold-based flood detection to fingerprint-based detection.
- Scalability to handle threats of all sizes: our solution can detect threats of all sizes by leveraging flow technology in existing network infrastructure equipment. It can also stop a threat of any size and provide surgical mitigation ranging from 1 Gbps to 40 Gbps.
- Multiple deployment options: our solution can be deployed out-of-band, in-line or passively.

Conclusion

DDoS attacks are continuing to rise, with both public and private data centres now prime targets. Increasingly, data centre operators are seeking solutions to this pressing problem. We offer a unique opportunity to respond to this challenge by offering valuable network- and edge-based services that protect our customers' data centres against DDoS attacks.