Arbor Solution Brief

Downtime by DDoS: Taking an Integrated Multi-Layered Approach

About Arbor Networks

Arbor Networks Inc., the cyber security division of NETSCOUT, helps secure the world’s largest enterprise and service provider networks from DDoS attacks and advanced threats. Arbor is the world’s leading provider of DDoS protection in the enterprise, carrier and mobile market segments, according to Infonetics Research. Arbor’s advanced threat solutions deliver complete network visibility through a combination of packet capture and NetFlow technology, enabling the rapid detection and mitigation of malware and malicious insiders. Arbor also delivers market-leading analytics for dynamic incident response, historical analysis, visualization and forensics. Arbor strives to be a “force multiplier,” making network and security teams the experts. Our goal is to provide a richer picture into networks and more security context, so customers can solve problems faster and reduce the risk to their business.

To learn more about Arbor products and services, please visit our website at arbornetworks.com. Arbor’s research, analysis and insight, together with data from the ATLAS global threat intelligence system, can be found at the ATLAS Threat Portal.

If you care about downtime risks, you care about security. DDoS attacks are the primary threat to the availability of your network. In 2013, DDoS attacks continued to grow in both size and complexity. In fact, the number of attacks over 20 Gbps in 2013 was more than eight times the number in 2012, and this trend looks set to continue throughout 2014. The average size of a DDoS attack has also grown steadily, with verified attacks reaching more than 245 Gbps (Figure 1). [1]

Not all DDoS attacks need to saturate bandwidth to deny access to a site or a service. More complex threats such as application-layer attacks continue to grow, particularly against DNS and encrypted web services (Figure 2). [1] And multi-vector attacks, which combine volumetric attacks, state-exhaustion attacks that target existing security infrastructure such as firewalls and IPS, and application-layer vectors, continue to tax enterprises.

Your DDoS Protection Is Not Good Enough

Companies that suffer an outage lose revenue and productivity, face potential compliance and regulatory violations, and see lower customer satisfaction. Longer or more frequent outages ultimately damage the company brand. One of the leading causes of network and application outages is network/security issues such as Distributed Denial of Service (DDoS) attacks.

[1] Arbor Networks Worldwide Infrastructure Security Report (Volume IX)

Figure 1: ATLAS® peak monitored attack sizes month-by-month, January 2009 to present (y-axis in Gbps, 0 to 300; the 2013 peak is marked at 245 Gbps). Source: Arbor Networks, Inc.


DDoS attacks can last anywhere from minutes to 24 or more hours; however, short attacks can still cause significant harm. In fact, 88% of the attacks in 2013 lasted less than an hour. [2] This raises a key concern, since most mitigation practices are not agile enough to react to these short, sharp attacks. Combined with the fact that 87% of companies that experienced a DDoS attack were actually victims of multiple attacks, [3] the total time under attack can be much greater than an hour or two. This can represent a significant business challenge. Enterprises must look at integrating a multi-layered protection approach covering high-capacity attacks, low-bandwidth attacks, and the more complex attacks such as application-layer and state-exhaustion attacks.

Mastering Complex Attack Protection

With technological advancements come increasingly sophisticated threats and attack campaigns. DDoS attacks are no exception, and have grown in size, frequency and scope. In some instances a DDoS attack is part of a larger campaign, used to distract network and security operations teams so that far more damaging activity can breach the network unnoticed. Low-and-slow DDoS attacks have evolved to evade flow-based detection by your ISP while targeting specific components of the network infrastructure, such as security devices, DNS servers and web applications.

Meanwhile, volumetric attacks continue to be used, and are still very effective at crippling enterprise networks. The sheer size, frequency and abrupt impact of these attacks are what make them effective. Even enterprises with large bandwidth struggle to keep their networks running and available when facing volumetric attacks in the range of a few hundred gigabits per second.

Some of the most effective DDoS attacks enter your network without being detected, and are not noticed until the damage is already done. These low-and-slow attacks are not meant to block or clog your primary Internet connections. They operate inside your network environment and, because they are localized, do not require the same traffic volumes. These highly targeted attacks are just as crippling because they avoid detection by ISP and cloud-based services while denying access to critical applications and bringing a business to a screeching halt.

Figure 2: Targets of application-layer attacks (percentage of survey respondents). Source: Arbor Networks ninth annual Worldwide Infrastructure Security Report

Target      Survey respondents
HTTP        82%
DNS         77%
HTTPS       54%
SMTP        25%
SIP/VoIP    20%
IRC          6%
Other        9%

[2] Arbor Networks Worldwide Infrastructure Security Report (Volume IX)
[3] The Danger Deepens: Neustar’s Annual DDoS Attacks and Impact Report


The odds are not in favor of the defense because enterprises view DDoS protection as reactive. Although attack mitigation is key to maintaining availability and reducing downtime, you must incorporate a hybrid approach into your strategy to address the multiple DDoS threats. Mitigation is only part of the solution. Successful DDoS defenses rely on:

• Real-time detection.

• Automated blocking of application-layer and state-exhaustion attacks.

• Speedy escalation to a cloud scrubbing center for the largest attacks.

Adopting an Integrated Multi-Layered Approach

Understanding the current landscape of DDoS attacks is paramount when developing or enhancing your security posture. Mapping the different DDoS threat types to your current capabilities, and identifying your gaps, will help you adopt an intelligent integrated approach. Today's threats come in many sizes and speeds and from almost countless sources (including within your own corporate network). The ability to identify, block, mitigate and prevent are all parts of an integrated multi-layered approach to DDoS protection (Figure 3).

Figure 3: Integrated approach from Arbor. The diagram shows the four stages (Identify the Attack, Block the Attack, Mitigate the Attack, Prevent the Attack) linked through Arbor Cloud, Cloud Signaling and the Customer Portal.


The Front Line Defense: Arbor Networks® APS

Availability attacks can be classified as either high-volume attacks or low-bandwidth attacks. High-volume (flood) attacks can saturate the Internet links to the data center and are best mitigated within a provider network or by a cloud-based scrubbing center. Low-bandwidth attacks can cripple enterprises because they get inside the network. Many low-bandwidth attacks fly under the radar of most provider-based, in-cloud DDoS solutions, so on-premise solutions are your best defense against them.

APS provides on-premise protection that serves as an enterprise's first line of defense. Whether the attacks are complex in design, encrypted in an attempt to look like legitimate traffic, or low-and-slow, APS is designed to detect and prevent DDoS attacks with little to no user interaction, before services are degraded. APS offers proactive monitoring and blocking of application-layer DDoS attacks, state-exhaustion attacks and volumetric attacks.

As your business develops and deploys web-based services or uses the web for financial transactions, your reliance on encrypted traffic grows. Unfortunately, malicious traffic can also be encrypted, so inspecting encrypted traffic for such threats is required. APS, with in-box SSL Inspection, meets FIPS 140 Level 3 standards and secures the certificates within the device. This allows the solution to decrypt traffic for which it holds the corresponding SSL certificate (decryption is only possible for your own services, whose certificates and keys are loaded on the device), inspect the data for embedded attacks, and block those threats before they harm the network. If the traffic is valid, the original packet is passed through.

If the encrypted traffic does not have a corresponding certificate, APS falls back to traditional (non-decrypting) traffic inspection, or you can simply block the traffic.

Because the cost of downtime is high, your team must consider using on-premise capabilities in concert with cloud-based options to protect against low-and-slow as well as high-volume attacks. The on-premise APS solution enhances overall protection by communicating with ISP cloud-based scrubbing services as well as with Arbor Cloud(SM) to provide a seamless transition between on- and off-premise traffic scrubbing. Arbor's Cloud Signaling™ capability allows you to set thresholds on your on-premise inspection and scrubbing so that traffic is off-loaded to the cloud without interruption, preserving availability. You can even enable cloud mitigation of DDoS attacks down to individual protection groups. Having an on-premise device to handle these complex and lower-bandwidth attacks reduces the time to react to a threat, and minimizes the time to mitigation associated with off-loading traffic to an ISP or third-party cloud for inspection and scrubbing.

Cloud Signaling™

Only Arbor integrates local on-premise protection with cloud and ISP-based DDoS services. Ask your DDoS service provider for Cloud Signaling, or choose Arbor Cloud for DDoS services that integrate with your on-premise protection from Arbor Networks.

Value of Cloud Signaling

• Faster response time through local identification and alerting of attacks too large for on-premise mitigation.

• Local visibility on APS into attacks blocked upstream.


On-Demand Capacity for Mitigation: Arbor Cloud

When an attack occurs, speed and agility are critical to business continuity. In the event of a volumetric attack, the on-premise solution serves as the first line of defense, rerouting inbound traffic to one of four global scrubbing centers for cloud-based mitigation. When this occurs, Arbor Cloud's 24x7 Security Operations Center (SOC) works hand-in-hand with your IT team to quickly redirect malicious DDoS traffic away from your infrastructure using predetermined methods.

Here is how it works:

1. When Arbor's on-premise solution detects an attack that cannot be mitigated locally, it triggers an alert to the Arbor Cloud scrubbing center using our unique Cloud Signaling technology.

2. The Arbor Cloud Security Operations Center (SOC) notifies your organization of the attack.

3. In the meantime, based on predefined reroute options, Arbor Cloud redirects traffic to one of our four global scrubbing centers (through DNS redirection or BGP routing).

4. Attack traffic is scrubbed and legitimate ("clean") traffic is forwarded to its intended destination, limiting downtime and optimizing network availability.

5. Once the attack has subsided, Arbor Cloud routes clean traffic back to your enterprise network.

6. Arbor Cloud generates a report that details the attack in its entirety, including expert analysis from SOC engineers and available ASERT™ data. To ensure understanding and transparency, this report is delivered during a one-on-one meeting between Arbor SOC engineers and your organization.

Arbor Cloud provides global scrubbing capacity and can handle today's largest and most complex attacks that threaten the availability of critical resources and assets, while giving you detailed visibility into its actions and processes and ensuring the availability of your network and web-based applications.

By using Arbor's on-premise APS together with cloud-based scrubbing (Arbor Cloud), you avoid the delays in mitigation and protection that come from coordinating a series of separate devices and partners. Plus, with DDoS protection from Arbor Networks, you are assured that our collective expertise is always available when you need it.
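The escalation in the steps above (detect locally, signal the scrubbing center when the attack exceeds what can be handled on-premise, divert, scrub, and hand traffic back once the attack subsides), as an added illustration that is not Arbor's code or its Cloud Signaling API: a small state machine driven by traffic samples for one protection group. The link size, the signal and return thresholds, the hold-down that stops a noisy attack from flapping the reroute, and the traffic samples are all constructed assumptions for this example.

```python
"""Threshold-based escalation from on-premise mitigation to cloud scrubbing.

Added example (not Arbor's code or Cloud Signaling API). The on-premise
device mitigates locally, signals the scrubbing centre once offered load
approaches link capacity, treats the diversion (BGP/DNS reroute) as taking
effect on the next interval, and hands traffic back only after load has
stayed low for a hold-down period. Thresholds and samples are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class State(Enum):
    LOCAL = "local"        # on-premise device absorbing the attack itself
    SIGNALED = "signaled"  # cloud signalled; waiting for the reroute to apply
    CLOUD = "cloud"        # prefix diverted; cloud scrubbing, clean traffic returned


@dataclass
class Escalator:
    link_gbps: float            # capacity of the protected Internet link
    signal_ratio: float = 0.8   # signal the cloud at 80% of link capacity (assumed)
    return_ratio: float = 0.3   # hand back only once load is below 30% (assumed)
    hold_samples: int = 3       # ...for this many consecutive samples (assumed)
    state: State = State.LOCAL
    quiet_streak: int = 0
    trace: List[str] = field(default_factory=list)

    def observe(self, t: int, offered_gbps: float) -> str:
        """Feed one sample of offered load toward the protected prefix and
        return the action the defence takes for this interval."""
        if self.state is State.LOCAL:
            if offered_gbps >= self.link_gbps * self.signal_ratio:
                self.state = State.SIGNALED
                action = "signal_cloud"          # step 1: alert the scrubbing centre
            else:
                action = "local_mitigate"        # handled on-premise
        elif self.state is State.SIGNALED:
            self.state = State.CLOUD              # step 3: reroute has taken effect
            self.quiet_streak = 0
            action = "reroute_to_cloud"
        else:  # State.CLOUD
            if offered_gbps <= self.link_gbps * self.return_ratio:
                self.quiet_streak += 1
            else:
                self.quiet_streak = 0             # attack still going; reset hold-down
            if self.quiet_streak >= self.hold_samples:
                self.state = State.LOCAL          # step 5: attack subsided, hand back
                self.quiet_streak = 0
                action = "return_traffic"
            else:
                action = "cloud_scrub"            # step 4: scrub, forward clean traffic
        self.trace.append(
            f"t={t:>2} offered={offered_gbps:5.1f} Gbps "
            f"state={self.state.value:<8} action={action}"
        )
        return action


def run(samples: List[Tuple[int, float]], link_gbps: float = 10.0, **overrides) -> List[str]:
    """Drive one protection group through (t, offered_gbps) samples and
    return the action taken at each step."""
    esc = Escalator(link_gbps=link_gbps, **overrides)
    return [esc.observe(t, gbps) for t, gbps in samples]


# Constructed samples: a 10 Gbps link, an attack ramping to 12 Gbps, then subsiding.
ATTACK = [(0, 1.0), (1, 3.0), (2, 9.5), (3, 12.0), (4, 12.0),
          (5, 2.0), (6, 2.0), (7, 2.0), (8, 1.0)]
# Constructed samples: load oscillating around the signal threshold.
NOISY = [(0, 9.0), (1, 7.0), (2, 9.0), (3, 7.0), (4, 9.0), (5, 7.0)]

if __name__ == "__main__":
    esc = Escalator(link_gbps=10.0)
    for t, gbps in ATTACK:
        esc.observe(t, gbps)
    print("\n".join(esc.trace))
    # With hysteresis the noisy load causes one reroute; without it the prefix flaps.
    print("reroutes with hold-down:", run(NOISY).count("reroute_to_cloud"))
    print("reroutes without:", run(NOISY, return_ratio=0.8, hold_samples=1).count("reroute_to_cloud"))
```

The two thresholds are deliberately different: signalling at one level and returning at a much lower one, held for several samples, is what keeps a bursty attack from repeatedly announcing and withdrawing the diverted prefix. Keying one Escalator per protection group gives the per-group cloud mitigation the text mentions.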


Intelligence to Fight and Win: ATLAS® Intelligence Feed

Arming customers with policies and countermeasures that let you quickly address potential and active threats strengthens your security posture against both known and unknown threats. The ATLAS Intelligence Feed from Arbor Networks lets you benefit directly from the expertise of Arbor's respected and experienced research team, ASERT.

Unlike other DDoS solutions, Arbor Networks protects against attacks using reputation-based data powered by ATLAS traffic analysis and ASERT research, scored and given a confidence level. That confidence score is derived from events reflecting the activity of live malware, botnets and campaigns in real time. Arbor continually measures the effectiveness of existing and new DDoS threats and adjusts the reputation score accordingly. This differs from traditional intelligence scoring, where a one-time analysis is performed and a threat signature identified. In addition to understanding and mitigating the identified threat, knowing where that threat comes from prepares you for future attacks from the same origin.

The ATLAS Intelligence Feed provides dynamic reputation feeds, including details on known sites that operate as command-and-control servers, sites that deliver drive-by downloads, and policies designed to keep network users from visiting those sites. The feed is updated regularly to keep pace with the evolving threat landscape, so you have up-to-date information on which to base decisions.

Arbor's ATLAS threat monitoring infrastructure combines traffic data from 300 ISP deployments with a global network of sensors and data feeds; real-time visibility into 90 Tbps of global Internet traffic provides unmatched insight into emerging threats. This information is used to develop effective countermeasures against the latest attacks, which are then provisioned into Arbor solutions such as APS and Arbor Cloud, along with defenses against new threats and updated IP location data. These feeds provide information and capabilities such as:

Botnets & DDoS Toolkits
Identifies and blocks malicious traffic from active botnets and the advanced toolkits used to launch DDoS attacks.

IP/Domain Reputation-Based Data
Provides insight into where traffic is coming from, and into locations known to host command-and-control and malware tools.

IP Geo-Location
Allows identification, by country, of the sources of inbound traffic and the destinations of outbound traffic.

Malware Identification
Identifies malware and blocks it from gaining access, as a preventive measure.

Web Crawler Identification
Identifies legitimate web crawlers so that web site page ranking and search engine results are not affected, while blocking malicious or irrelevant crawlers.

Outbound Advanced Threat Protection
Filters outbound threats before they increase the risk to your systems and data.


Smarter and Faster Mitigation

DDoS defense is no longer an either/or choice between deploying a solution on-premise and outsourcing to a cloud-based mitigation provider. Understanding the current landscape and the types of threats you and your industry face calls for an integrated, multi-layered approach. In the event of an attack, your solution should provide multiple countermeasures to ensure effective mitigation with little to no downtime. Improved, repeatable protection requires that threat intelligence be available. A safe path for users to reach your websites and transact against your services is the single imperative for ensuring availability. If you are serious about mitigating your downtime risk from DDoS attacks, Arbor Networks can partner with you to ensure you are protected today and against future DDoS attacks. With an integrated, multi-layered approach that works with your network and systems to ensure availability and shorten the attack window, you gain confidence. With global intelligence at your fingertips and the ability to block attacks of any scale and complexity while reducing your reaction time from hours to minutes, you can be assured that your availability will not be impacted by any DDoS threat.

With Arbor Networks, you have the most advanced, integrated multi-layer DDoS protection available.

Data Sheets
• Arbor Networks APS
• Arbor Cloud

White Papers
• DDoS for Enterprise
• Arbor Cloud for Enterprises


Industry Analysts Agree: Multi-Layer Defense is Required for Comprehensive DDoS Protection

Forrester Research: “DDoS Requires A Two-Phased Mitigation Strategy: DDoS is a complex problem that requires a thoughtful solution. You will need a strategy that keeps your local connection up at the beginning of an attack and then cleans the upstream traffic prior to it reaching your network.”

Source: www.forrester.com/Develop+A+TwoPhased+DDoS+Mitigation+Strategy/fulltext/-/E-RES86101

Frost & Sullivan: “A hybrid solution is the only effective way to address volumetric and application-layer attacks.”

Source: www.slideshare.net/FrostandSullivan/uncover-the-burgeoning-market-for-ddos-mitigation

IDC: “Hybrid defense scenarios (on-premise equipment married with cloud services) will become more prevalent as organizations seek to defend against all vectors of DDoS attacks and as solution providers and product vendors work more closely together to deliver joint solutions.”

Source: www.idc.com/getdoc.jsp?containerId=239954

Infonetics: “We are starting to see strong customer demand for hybrid solutions that blend in-cloud or hosted DDoS mitigation with on-premise solutions and provide a single management, reporting, and forensics pane even as attack prevention moves back and forth from a provider’s cloud to the customer’s network.”

Source: www.arbornetworks.com/news-and-events/press-releases/recent-press-releases/5230-infonetics-research-report-identifies-arbor-networks-as-the-world-leader-in-on-premise-ddos-protection

Securosis: “DoS mitigations do not stand in isolation, rather on-premise devices and services are co-dependent to provide adequate protection.”

Source: securosis.com/assets/library/reports/Securosis_Defending-Against-DoS_FINAL.pdf

Ovum: “The future of protection looks hybrid, with on-premise and cloud working in tandem.”

Source: www.ovum.com/research/the-new-buzz-about-ddos/


©2016 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, ArbOS, Cloud Signaling, Arbor Cloud, ATLAS, and Arbor Networks are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.

SB/DDoSDOWNTIME/EN/0516-LETTER

CORPORATE HEADQUARTERS
76 Blanchard Road, Burlington, MA 01803 USA
Toll Free USA +1 866 212 7267
T +1 781 362 4300

NORTH AMERICA SALES
Toll Free +1 855 773 9200

EUROPE
T +44 207 127 8147

ASIA PACIFIC
T +65 6664 3140

www.arbornetworks.com