Executive Summary
As distributed denial of service (DDoS) attacks escalate in size and complexity, their detection and mitigation require the
collaboration of all stakeholders—from the customer premise to the service provider cloud. The Cloud Signaling Coalition (CSC) from
Arbor Networks® enables this collaboration. It provides an infrastructure that facilitates local and upstream mitigation of edge-based,
application-layer DDoS attacks as well as cloud-based, volumetric DDoS attacks in an automated and real-time manner.
This white paper examines how cloud signaling works and how its faster, automated approach to DDoS mitigation benefits
both enterprise data centers and managed security service providers (MSSPs).
At the other end of the spectrum, application- and service-layer DDoS attacks focus not on denying bandwidth but on degrading
the back-end computation, database and distributed storage resources of Web-based services. For example, service- or
application-level attacks may cause an application server to patiently wait for client data—thus causing a processing bottleneck.
Application-layer attacks are the fastest-growing DDoS attack vector.
Detecting and mitigating the most damaging attacks is a challenge that must be shared by network operators, hosting providers
and enterprises. The world’s leading carriers generally use specialized, high-speed mitigation infrastructure—and sometimes the
cooperation of other providers—to detect and block attack traffic. Beyond ensuring that their providers have these capabilities,
enterprises must deploy intelligent DDoS mitigation systems (IDMS) to protect critical applications and services.
Until now, no comprehensive threat resolution mechanism has existed that completely addresses application-layer DDoS attacks
at the edge and volumetric DDoS attacks in the cloud. True, many data center operators have purchased DDoS protection services
from their ISP or MSSP. But they lack a single dashboard to provide the visibility to stop targeted application attacks as well as
upstream volumetric threats that can be distributed across multiple providers.
The Cloud Signaling Coalition (CSC) launched by Arbor Networks offers the next evolutionary step in addressing this complex
challenge. The CSC provides an infrastructure that facilitates both local and upstream DDoS mitigation in an automated and
real-time manner. It is an efficient and integrated system coordinating DDoS mitigations from the customer premise to the
service provider cloud. Participation in the CSC enables data center operators to reduce the time and increase the effectiveness
of DDoS protection—resulting in major operational cost-savings and preserving their company’s reputation.
The Cloud Signaling Coalition
In addition, a new type of DDoS attack has emerged that threatens the business viability of service provider customers. These
new application-layer DDoS (a.k.a., appDoS) attacks threaten a myriad of services ranging from Web commerce and domain
name system (DNS) services to email and online banking.
[Figure: data center topology, showing the ISP, firewall, load balancer, IDS/IPS and the target applications and services]
An application-layer DDoS attack is often more challenging to detect using traditional flow-based techniques in the cloud
because it usually does not produce a significantly higher traffic rate. Yet it can still bring down the targeted services. Today’s
enterprises and IDC operators are very concerned with the availability of the critical services running in their data centers.
So it is imperative that they take steps to reduce their risk of damage from potential application-layer DDoS attacks—and
critical for cloud providers to mitigate such attacks effectively in real time.
The application-layer DDoS threat amplifies the risk to data center operators. That’s because IPS devices and firewalls become
more vulnerable to the increased state demands of this emerging attack vector—making the devices themselves more susceptible
to the attacks.
Moreover, there is a distinct gap in the ability of existing edge-based solutions to leverage the cloud’s growing DDoS mitigation
capacity, the service provider’s infrastructure or the dedicated scrubbing capacity deployed upstream of the victim’s infrastructure.
Current solutions do not take advantage of the distributed computing power available in the network and cannot coordinate
upstream resources to deflect an attack before it saturates the last mile. No existing solution enables DDoS mitigation both at
the edge and in the cloud.
Failure to ensure availability
• Built to protect against known (versus emerging) threats.
• Designed to look for threats within single sessions, not across sessions.
Incompatible with cloud DDoS protection systems
• Fail to interoperate with cloud DDoS prevention solutions.
• Increase time for response to DDoS.
The following scenario demonstrates the need for cloud signaling from the customer perspective. A data center engineer
notices that critical services such as corporate sites, email and DNS are no longer accessible. After a root cause analysis, the
company realizes that its servers are under a significant DDoS attack. Because its services are down, the entire company—along
with its customers—is suddenly watching every move. The data center engineer must work with customer support centers from
multiple upstream ISPs to coordinate a broad DDoS mitigation response to stop the attack. Simultaneously, the data center
engineer must provide constant situational updates internally to management teams and application owners. To be effective,
the engineer must also have the right internal tools available in front of the firewalls to stop the application-layer attack
targeting the servers. All of this must be done in a high-pressure, time-sensitive environment.
The same scenario would be quite different if the data center engineer had the option of cloud signaling. Once he or she
discovers that the source of the problem is a DDoS attack, the engineer could choose to mitigate the attack in the cloud by
triggering a cloud signal to IDMS infrastructure in the provider network. The cloud signal would include details about the attack
to increase the effectiveness of the provider’s response. This would take internal pressure off the engineer from management
and application owners. It would also allow the engineer to communicate with the upstream cloud provider to give more
information about the attack and fine-tune the cloud defense.
[Figure: a cloud signal sent from the congested customer premise (firewall/IPS/WAF) to the provider cloud]
The Business Value of DDoS Protection
First, the MSSP must provision the cloud-based service to accept cloud signals from the edge-based Pravail appliance or software.
The customer’s edge product is provisioned into a Peakflow SP deployment that includes Arbor Peakflow SP Threat Management
System (“TMS”) appliances using the Peakflow SP user interface. The MSSP can then allow customers to either automatically start
a TMS mitigation in the cloud or manually issue an alert when they want to initiate cloud signaling. In the manual option, the MSSP
can decide either to accept the customer cloud signal to start a mitigation event or to create a mitigation event manually.
To ensure end-to-end cloud signaling, the edge-based device must be configured with the MSSP’s Peakflow SP information,
including IP address and customer authentication information.
For the new mitigation in Peakflow SP, the solution applies the mitigation template configuration that has been assigned in the
Pravail customer configuration in Peakflow SP. Then it reports back to Pravail that a mitigation event has been started. Pravail
will display the mitigation status in the user interface, showing an active mitigation is taking place. If Peakflow SP already has a
mitigation running for the resource under attack, it will convey that to the Pravail appliance and disregard the mitigation request.
An active heartbeat exists between the Peakflow SP cloud deployment and the Pravail appliance on the customer premise.
This assures that both products are available and operational at all times.
Both products also provide post-incident reports with details of the attack and the steps taken to mitigate it.
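The provisioning, signal, and status steps above can be modelled as a small state machine. The following is an added example written for this page, not Arbor's code: the message fields, the class names EdgeDevice and ProviderCloud, the template name and the address values are assumptions made for illustration, since the actual Pravail/Peakflow SP message format is not described here. It covers the authentication check, automatic versus manual (alert-only) customer mode, the "mitigation already running" case in which the provider reports back and disregards the request, and the heartbeat.

```python
"""Model of the cloud-signaling exchange described above.

Added example, not Arbor's code. The message fields, the class names
EdgeDevice/ProviderCloud, the template names and the address values
are assumptions made for illustration; the real Pravail/Peakflow SP
protocol is not documented on this page.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class CloudSignal:
    customer_id: str
    auth_token: str        # customer authentication info provisioned on the provider side
    target_prefix: str     # resource under attack (constructed value in the demo)
    attack_type: str       # attack details that sharpen the provider's response
    peak_bps: int


@dataclass
class MitigationStatus:
    accepted: bool                 # True only when this signal started a new mitigation
    mitigation_id: Optional[str]   # set when a mitigation (new or pre-existing) covers the resource
    template: Optional[str]
    reason: str


class ProviderCloud:
    """Stands in for the MSSP's Peakflow SP deployment with TMS capacity."""

    def __init__(self) -> None:
        self.customers: Dict[str, dict] = {}   # customer_id -> provisioning record
        self.active: Dict[str, str] = {}       # target_prefix -> running mitigation id
        self._next_id = 1

    def provision_customer(self, customer_id: str, auth_token: str,
                           template: str, auto_mitigate: bool) -> None:
        self.customers[customer_id] = {
            "token": auth_token, "template": template, "auto": auto_mitigate}

    def receive_signal(self, sig: CloudSignal) -> MitigationStatus:
        rec = self.customers.get(sig.customer_id)
        if rec is None or rec["token"] != sig.auth_token:
            return MitigationStatus(False, None, None, "authentication failed")
        if sig.target_prefix in self.active:
            # A mitigation already covers this resource: report it back and
            # disregard the new request rather than starting a second one.
            return MitigationStatus(False, self.active[sig.target_prefix],
                                    rec["template"], "mitigation already running")
        if not rec["auto"]:
            # Manual mode: the signal becomes an alert for the MSSP operator.
            return MitigationStatus(False, None, rec["template"],
                                    "alert raised for operator decision")
        mitigation_id = f"tms-{self._next_id}"
        self._next_id += 1
        self.active[sig.target_prefix] = mitigation_id
        return MitigationStatus(True, mitigation_id, rec["template"], "mitigation started")

    def heartbeat(self) -> bool:
        """Liveness check answered by the cloud side."""
        return True


class EdgeDevice:
    """Stands in for the customer-premise appliance (the Pravail role)."""

    def __init__(self, customer_id: str, auth_token: str, cloud: ProviderCloud) -> None:
        self.customer_id = customer_id
        self.auth_token = auth_token
        self.cloud = cloud
        self.status = "local mitigation only"

    def signal(self, target_prefix: str, attack_type: str, peak_bps: int) -> MitigationStatus:
        st = self.cloud.receive_signal(CloudSignal(
            self.customer_id, self.auth_token, target_prefix, attack_type, peak_bps))
        # A newly started or an already running mitigation both mean the cloud
        # is scrubbing this resource; reflect that in the local UI state.
        self.status = "cloud mitigation active" if st.mitigation_id else "local mitigation only"
        return st

    def check_peer(self) -> bool:
        return self.cloud.heartbeat()


def demo():
    cloud = ProviderCloud()
    cloud.provision_customer("acme-dc", "example-token", "dns-flood-template", auto_mitigate=True)
    edge = EdgeDevice("acme-dc", "example-token", cloud)
    first = edge.signal("203.0.113.0/24", "dns-query-flood", 9_000_000_000)   # starts tms-1
    second = edge.signal("203.0.113.0/24", "dns-query-flood", 9_500_000_000)  # disregarded, tms-1 reported
    return first, second, edge.status


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The second signal for the same prefix is deliberately not rejected as an error: the provider reports the existing mitigation id so the edge device can show an active cloud mitigation, which is the behaviour the text describes.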
Operational Considerations
The Pravail appliance is designed to maintain operational and management capabilities when the network is under attack.
In many cases, it can detect the attack before the stateful firewall is overwhelmed. Many availability attacks only flood the
downstream communications while upstream communications are still available. However, it is very possible that an attack could
consume most of the bandwidth available to the data center. To limit the impact of this, the cloud signaling protocol uses
stateless protocols for communication, with persistent retries performed by the application layer if congestion is noted.
The best practice to ensure cloud signaling integrity is to provision a separate out-of-band management network between the
data center and the cloud provider so that the cloud signaling component remains available even when the entire data center
link is saturated in both directions or completely offline.
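What "stateless transport with application-layer retries" means in practice is easiest to see in code. The following is an added example written for this page, not Arbor's code: the scripted lossy channel, the backoff values, the datagram fields and the receiver are all assumptions used to illustrate the design, since the page only states that the protocol is stateless and that the application layer retries persistently when congestion is noted. It also shows the consequence of retrying: the cloud side must treat a repeated signal as a no-op.

```python
"""Stateless delivery of a cloud signal with application-layer retries.

Added example, not Arbor's code. The channel model, backoff values and
the datagram fields are assumptions; the page only states that the
protocol is stateless and that the application layer retries
persistently when congestion is noted.
"""
from typing import Dict, List, Set


class LossyDatagramChannel:
    """Constructed stand-in for a UDP-like path. Each send either draws an
    acknowledgement or silence, following a scripted pattern so that the
    behaviour is reproducible; the last entry repeats once the script ends."""

    def __init__(self, ack_pattern: List[bool]) -> None:
        self.ack_pattern = list(ack_pattern)
        self.sends = 0

    def send(self, datagram: Dict) -> bool:
        acked = self.ack_pattern[min(self.sends, len(self.ack_pattern) - 1)]
        self.sends += 1
        return acked


class SignalReceiver:
    """Cloud-side handler: because retries resend the same datagram, the
    receiver must treat duplicates as no-ops (idempotent by signal id)."""

    def __init__(self) -> None:
        self.seen: Set[str] = set()
        self.started: List[str] = []

    def handle(self, datagram: Dict) -> bool:
        sid = datagram["signal_id"]
        if sid in self.seen:
            return False          # duplicate copy of a signal already acted on
        self.seen.add(sid)
        self.started.append(datagram["target"])
        return True


def retry_delay(attempt: int, base: float = 1.0, cap: float = 30.0) -> float:
    """Exponential backoff: silence is read as congestion, so wait longer each time."""
    return min(base * (2 ** (attempt - 1)), cap)


def send_cloud_signal(datagram: Dict, channel: LossyDatagramChannel,
                      max_attempts: int = 6) -> Dict:
    """Every attempt is a complete, self-describing datagram: there is no
    connection state that a saturated link could tear down, so a lost
    attempt is simply sent again after a backoff."""
    waited = 0.0
    for attempt in range(1, max_attempts + 1):
        if channel.send(datagram):
            return {"delivered": True, "attempts": attempt, "waited_s": waited}
        waited += retry_delay(attempt)   # simulated wait; no real sleep here
    return {"delivered": False, "attempts": max_attempts, "waited_s": waited}


def demo() -> Dict:
    # Constructed signal: the id lets the receiver recognise resent copies.
    signal = {"signal_id": "sig-0001", "target": "203.0.113.10", "attack": "http-slow-post"}
    congested = LossyDatagramChannel([False, False, True])   # two silent attempts, then an ack
    result = send_cloud_signal(signal, congested)
    # Copies that were delayed rather than lost may still arrive later;
    # only the first copy may start a mitigation.
    receiver = SignalReceiver()
    fresh = [receiver.handle(signal) for _ in range(3)]
    return {"result": result, "fresh": fresh, "started": receiver.started}


if __name__ == "__main__":
    print(demo())
```

The retry loop is the whole of the "persistence" the text refers to: nothing is buffered in the transport, so a datagram lost while the link is saturated costs only one backoff interval and is resent unchanged. The capped exponential delay keeps the edge device from adding its own retry traffic to an already congested uplink; the out-of-band management network recommended above removes the problem entirely for the signaling path.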
By joining the coalition, MSSPs can drive more data center customers to their existing DDoS
service. Many enterprise customers are looking for ISPs to reduce the risk posed by DDoS
attacks. The Cloud Signaling Coalition provides a means to accomplish this. As an added benefit,
the MSSPs can gain goodwill in the market by participating in a global security initiative.
Conclusion
As the techniques to conduct DDoS attacks advance and motivations to launch them increase, data center operators and
service providers must find new ways to identify and mitigate evolving DDoS threats. The Cloud Signaling Coalition empowers
data center operators to quickly address both high-bandwidth attacks and targeted application-layer attacks in an automated
and simple manner, while enabling MSSPs to significantly grow the revenue generated by their managed DDoS protection offering.
For more information on the Coalition and how to participate, visit www.arbornetworks.com
Corporate Headquarters
6 Omni Way
Chelmsford, Massachusetts 01824
Toll Free USA +1 866 212 7267
T +1 978 703 6600
F +1 978 250 1905
Europe
T +44 208 622 3108
Asia Pacific
T +65 6299 0695
www.arbornetworks.com
About Arbor Networks
Arbor Networks, Inc. is a leading provider of network security and management solutions for converged carrier networks and
next-generation data centers, including more than 70 percent of the world’s Internet service providers and many of the largest
enterprise networks in use today. Arbor’s proven network security and management solutions help grow and protect customer
networks, businesses and brands. Through its unparalleled, privileged relationships with worldwide service providers and global
network operators, Arbor provides unequalled insight into and perspective on Internet security and traffic trends via the Active
Threat Level Analysis System (ATLAS®). Representing a unique collaborative effort with 100+ network operators across the globe,
ATLAS enables the sharing of real-time security, traffic and routing information that informs numerous business decisions.
Copyright ©1999-2011 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, Pravail and
ATLAS are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.
WP/CSC/0311