Missile defense is hard.
Attacks can come from anywhere. There are seconds to respond. Multiple incoming missiles can overwhelm defenses. Mistakes result in huge damage.
There is no margin for error.
Military strategists have refined missile defense systems over decades. Early attack visibility and fast countermeasures are essential.
When it comes to distributed denial of service (DDoS) attacks, Arbor Networks has found the lessons from missile defense apply.
Missile defense
The Department of Defense describes missile defense protection :
- Missiles have different ranges, speeds, size and performance characteristics.
- The defense system is an integrated, “layered” architecture that provides multiple opportunities to destroy missiles before they can reach their targets.
- It includes networked sensors and radars for target detection and tracking.
- A command, control and communications network provides commanders with the needed links between the sensors and intelligence on how to respond.
- International cooperation with other entities who share information and responses to improve overall defense.
DDoS and missile defense approaches share several similarities:
- Attacks could be launched from many devices at any time in different forms.
- A distributed network of sensors provides advance visibility on attacks.
- A layered defense with local defenses supplemented with centralized command analyzes threats to further refine defenses.
DDoS attacks don’t inflict physical damage like missiles. But their impact is just as devastating by disrupting infrastructure and making online resources unavailable. Financial, transport, logistics and healthcare systems are all affected.
The frequency of DDoS attacks has multiplied with IoT devices hacks. Hardening IoT devices security takes time. Network-based DDoS defense offers protection now.
Network-based DDoS protection
Network traffic visibility
Threat management starts with network visibility. The best source of this information is internet service providers (ISPs), which have network visibility from the edge of a network to data centers.
Arbor Networks collaborates with 330 ISPs to collect insights on over 140 terabits of data per second of anonymous traffic data. Arbor Networks operates the world’s largest distributed honeynet, actively monitoring internet threats around the globe via ATLAS, Arbor’s global network of sensors
Security experts and data scientists at Arbor analyze this information to refine the protections against botnet and DDoS attacks. Arbor shares threat assessments and enhanced security rules with ISPs, enterprises and governmental agencies. Arbor shares this intelligence with international Computer Emergency Response Teams (CERTs) and network operators via in-band security content feeds and their security blog ASERT.
DDoS visualization
The Digital Attack Map is a free service from Arbor Networks and Jigsaw. It combines both daily and historic details to display a global map with DDoS attacks.
Arbor Networks and Jigsaw Threat identification
Arbor applies global threat intelligence from ATLAS and reputation-based research from ASERT to block both inbound and outbound threats. Some of the protections include:
- Analyzing the source of the traffic using forensics, detailing blocked hosts, origin countries of attacks and historic trends.
- Scanning for and remediating abusable services on their networks and scanning for and alerting customers/users running abusable services—blocking abusable services until they are remediated, if necessary.
- Analyzing network data from tools such as NetFlow to determine the source and destination of traffic, class of service and the causes of congestion.
Arbor Networks Threat mitigation
DDoS protection is deployed on-site with APS while service providers deploy TMS in their cloud. The solutions are tightly integrated via Cloud Signal for immediate, multi-layered protection between the enterprise and cloud service provider.
Arbor TMS uses Border Gateway Protocol (BGP)-based diversion to dynamically steer traffic into itself in order to mitigate DDoS attacks on demand. It removes up to 160 Gbps of DDoS attack traffic with a single appliance.
Network traffic is “scrubbed” by an Arbor TMS or inline APS. DDoS attacks are mitigated by “diversion/re-injection.” This redirects malicious network traffic to a TMS appliance where it’s filtered. Legitimate network traffic proceeds undisturbed to its intended destination.
Security expertise
Implementing effective security requires personnel who have operational security (OPSEC) experience and who understand TCP/IP, DNS routing/switching and Layer 7. Such people are rare and aren’t cheap. Arbor has a central team of security experts whose expertise protects multiple accounts and service providers through security updates and alerts.
10 DDoS safety tips from Arbor Networks
- Factor network availability into the design of online applications.
- Make the logical connection between maintaining availability and business continuity.
- Stress-test applications/service stacks to determine their scalability/resiliency shortcomings.
- Develop and rehearse plans for DDoS mitigation.
- Check Open NTP Project for abusable NTP services and Open Resolve Project for abusable open DNS recursors on your networks.
- Ensure only authorized users can query recursive DNS servers.
- Ensure SNMP is blocked on public-facing infrastructure/servers.
- Disallow Level 6/7 NTP queries from the public internet.
- Deploy intelligent DDoS mitigation systems (IDMSes) in mitigation centers located at topologically appropriate points within your networks to mitigate DDoS attacks.
- Participate in the global operational security community.
A comprehensive Arbor Networks DDoS report is available here (pdf).
The potential damage from cyber attacks increases with smart cities and IoT-based services. Hospitals, power grids and transportation systems are all vulnerable.
Cyber defenses are as critical as missile defense. They deserve the same level of attention.
This article is published as part of the IDG Contributor Network. Want to Join?