
WHITE PAPER

The Cloud Signaling Coalition
ISPs AND ENTERPRISES WORKING TOGETHER TO BLOCK THE EVOLVING DDoS THREAT

Executive Summary
As distributed denial of service (DDoS) attacks escalate in size and complexity, their detection and mitigation require the
collaboration of all stakeholders—from the customer premise to the service provider cloud. The Cloud Signaling Coalition (CSC) from
Arbor Networks® enables this collaboration. It provides an infrastructure that facilitates local and upstream mitigation of edge-based,
application-layer DDoS attacks as well as cloud-based, volumetric DDoS attacks in an automated and real-time manner.

This white paper examines how cloud signaling works and how its faster, automated approach to DDoS mitigation benefits
both enterprise data centers and managed security service providers (MSSPs).

From the Edge to the Cloud: The Call for Comprehensive DDoS Protection

The WikiLeaks controversy heightened awareness of how DDoS attacks can compromise the availability of critical Web sites,
applications and services. For many large companies and institutions, the WikiLeaks-inspired DDoS attacks and counterattacks
have been a sobering wake-up call. On the same weekend that WikiLeaks released 250,000 classified diplomatic cables, its main
site was knocked offline by a major denial of service (DoS) attack.

Days later, when hosting companies and financial institutions cut ties with the site, pro-WikiLeaks “hacktivists” launched
retaliatory DDoS attacks.

The WikiLeaks attacks, while very high profile, only represent a small percentage of the overall DDoS attack problem. Arbor
Networks’ sixth annual Worldwide Infrastructure Security Report shows that DDoS attacks are growing rapidly and can vary widely
in scale and sophistication. At the high end of the spectrum, large volumetric attacks reaching sustained peaks of 100 Gbps have
been reported. These attacks exceed the aggregate inbound bandwidth capacity of most Internet service providers (ISPs), hosting
providers, data center operators, enterprises, application service providers (ASPs) and government institutions that interconnect
most of the Internet’s content.

Why Participate

Managed security service provider (MSSP) benefits:
- More comprehensive DDoS service offering from the edge to the cloud
- Competitive differentiator that drives customers to existing DDoS services
- Increased revenue

Enterprise data center benefits:
- Increased effectiveness of DDoS protection
- Faster DDoS identification and mitigation
- Reduced operational costs
- Brand/reputation preservation

At the other end of the spectrum, application- and service-layer DDoS attacks focus not on denying bandwidth but on degrading
the back-end computation, database and distributed storage resources of Web-based services. For example, service- or
application-level attacks may cause an application server to patiently wait for client data—thus causing a processing bottleneck.
Application-layer attacks are the fastest-growing DDoS attack vector.

Detecting and mitigating the most damaging attacks is a challenge that must be shared by network operators, hosting providers
and enterprises. The world’s leading carriers generally use specialized, high-speed mitigation infrastructure—and sometimes the
cooperation of other providers—to detect and block attack traffic. Beyond ensuring that their providers have these capabilities,
enterprises must deploy intelligent DDoS mitigation systems (IDMS) to protect critical applications and services.

Until now, no comprehensive threat resolution mechanism has existed that completely addresses application-layer DDoS attacks
at the edge and volumetric DDoS attacks in the cloud. True, many data center operators have purchased DDoS protection services
from their ISP or MSSP. But they lack a single dashboard to provide the visibility to stop targeted application attacks as well as
upstream volumetric threats that can be distributed across multiple providers.

The Cloud Signaling Coalition (CSC) launched by Arbor Networks offers the next evolutionary step in addressing this complex
challenge. The CSC provides an infrastructure that facilitates both local and upstream DDoS mitigation in an automated and
real-time manner. It is an efficient and integrated system coordinating DDoS mitigations from the customer premise to the
service provider cloud. Participation in the CSC enables data center operators to reduce the time and increase the effectiveness
of DDoS protection—resulting in major operational cost-savings and preserving their company’s reputation.


The Growing and Evolving DDoS Threat


The DDoS threat landscape has been dominated by volumetric attacks usually generated by Internet bots or compromised
PCs that are grouped together in large-scale botnets. This type of DDoS attack is generally high bandwidth and originates from
a large number of geographically distributed bots. The size of these volumetric DDoS attacks continues to increase year over
year, and they remain a major threat to enterprises and ISPs alike.

In addition, a new type of DDoS attack has emerged that threatens the business viability of service provider customers. These
new application-layer DDoS (a.k.a., appDoS) attacks threaten a myriad of services ranging from Web commerce and domain
name system (DNS) services to email and online banking.

[Figure: ISP cleaning large DDoS attacks. Labels shown: ISP Cleaning Center; Data Center; ISP; Firewall; Load Balancer;
IDS/IPS; Target Applications and Services; Attack Traffic; Legitimate Traffic; Application Layer Attacks.]

Multiple layers of defense required for comprehensive DDoS protection

An application-layer DDoS attack is often more challenging to detect using traditional flow-based techniques in the cloud
because it usually does not produce a significantly higher traffic rate. Yet it can still bring down the targeted services. Today’s
enterprises and IDC operators are very concerned with the availability of the critical services running in their data centers.
So it is imperative that they take steps to reduce their risk of damage from potential application-layer DDoS attacks—and
critical for cloud providers to mitigate such attacks effectively in real time.
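The point made above, that an application-layer attack does not necessarily raise the traffic rate yet still takes down the service, is easy to see with a small capacity model. The following is an added illustration written for this page, not code from Arbor Networks or from the products it describes: it models a stateful inline device with a fixed connection table (the state-exhaustion argument the next section makes) and compares a rate-based alarm with a state-utilisation alarm. The table size, the two traffic mixes, the alarm thresholds and the use of Little's law (entries in use = arrival rate times hold time) are all constructed assumptions.

```python
# Added capacity model for this page (not Arbor code); every number below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class StatefulDevice:
    max_entries: int        # capacity of the connection/state table


@dataclass(frozen=True)
class TrafficMix:
    name: str
    conn_per_s: float       # new connections per second
    hold_time_s: float      # how long each connection occupies a table entry
    bytes_per_conn: float   # bytes moved over the life of one connection


def held_entries(mix):
    """Little's law: entries in use = arrival rate x time each entry is held."""
    return mix.conn_per_s * mix.hold_time_s


def bits_per_second(mix):
    return mix.conn_per_s * mix.bytes_per_conn * 8


def assess(device, mixes, baseline_bps, rate_factor=3.0, state_limit=0.8):
    """Run a rate-based alarm and a state-utilisation alarm over the aggregate of the mixes."""
    total_bps = sum(bits_per_second(m) for m in mixes)
    utilisation = sum(held_entries(m) for m in mixes) / device.max_entries
    return {
        "bps": total_bps,
        "state_utilisation": utilisation,
        "rate_alarm": total_bps > rate_factor * baseline_bps,   # flow-rate style detection
        "state_alarm": utilisation > state_limit,               # table-occupancy detection
        "table_exhausted": utilisation >= 1.0,                  # device starts dropping/locking up
    }


# Constructed device and traffic mixes: a busy web front end plus a low-rate attack
# whose connections are held open for minutes while sending almost nothing.
DEVICE = StatefulDevice(max_entries=50_000)
LEGIT = TrafficMix("legitimate web", conn_per_s=5_000, hold_time_s=0.5, bytes_per_conn=50_000)
SLOW = TrafficMix("slow app-layer", conn_per_s=200, hold_time_s=300, bytes_per_conn=2_000)
BASELINE_BPS = bits_per_second(LEGIT)

if __name__ == "__main__":
    for label, mixes in (("normal", [LEGIT]), ("normal + slow attack", [LEGIT, SLOW])):
        print(label, assess(DEVICE, mixes, BASELINE_BPS))
```

With these constructed numbers the slow mix adds about 0.16 percent to the bit rate, so an alarm set at three times the normal rate never fires, while the state table is 125 percent subscribed and the device is already failing. The practical takeaway for the data center side is to alarm on table occupancy and on connections held idle per source, not on bandwidth alone.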

Why Existing Security Solutions Can’t Stop DDoS Attacks


Intrusion prevention systems (IPS), firewalls and other security products are essential elements of a layered-defense strategy.
However, they are designed to protect the network perimeter from infiltrations and exploits and to be policy enforcement points
in the security portfolio of organizations. Each of these solutions leverages stateful traffic inspection technologies to enforce
network policy and integrity. This makes these devices susceptible to state resource exhaustion, which results in dropped traffic,
device lock-ups and potential crashes. As a result, they have become a major vulnerability point of the DDoS attack surface.
The most scalable versions of these devices can be overwhelmed by most moderate-size DDoS events.


The application-layer DDoS threat amplifies the risk to data center operators. That’s because IPS devices and firewalls become
more vulnerable to the increased state demands of this emerging attack vector—making the devices themselves more susceptible
to the attacks.

Moreover, there is a distinct gap in the ability of existing edge-based solutions to leverage the cloud’s growing DDoS mitigation
capacity, the service provider’s infrastructure or the dedicated scrubbing capacity deployed upstream of the victim’s infrastructure.
Current solutions do not take advantage of the distributed computing power available in the network and cannot coordinate
upstream resources to deflect an attack before it saturates the last mile. No existing solution enables DDoS mitigation both at
the edge and in the cloud.

Why Existing On-Premise Solutions Fail to Address DDoS Security

Vulnerable to DDoS attacks
• Targets of DDoS attacks.
• First to be affected by large flood or connection attacks.

Complicated to use
• Require skilled security experts.
• Demand knowledge of attack types before attacks.

Failure to ensure availability
• Built to protect against known (versus emerging) threats.
• Designed to look for threats within single sessions, not across sessions.

Protection limited to certain attacks
• Address only specific application threats.
• Do not handle attacks containing valid requests.

Deployed in wrong location
• Very close to servers.
• Too close to protect upstream router.

Incompatible with cloud DDoS protection systems
• Fail to interoperate with cloud DDoS prevention solutions.
• Increase time for response to DDoS.

Cloud Signaling: A Faster, Automated Approach to Comprehensive DDoS Mitigation


The Cloud Signaling Coalition enables MSSPs to offer comprehensive DDoS services, including the power to mitigate the
application-level DDoS component at the data center edge and stop the volumetric component in the ISP cloud. After stopping
the application-layer DDoS attack using the customer premises equipment (CPE)-based security product, the data center
engineer can send a cloud signal to IDMS devices in the provider cloud to stop the volumetric attack, thus mitigating the
upstream congestion.

The following scenario demonstrates the need for cloud signaling from the customer perspective. A data center engineer
notices that critical services such as corporate sites, email and DNS are no longer accessible. After a root cause analysis, the
company realizes that its servers are under a significant DDoS attack. Because its services are down, the entire company—along
with its customers—is suddenly watching every move. The data center engineer must work with customer support centers from
multiple upstream ISPs to coordinate a broad DDoS mitigation response to stop the attack. Simultaneously, the data center
engineer must provide constant situational updates internally to management teams and application owners. To be effective,
the engineer must also have the right internal tools available in front of the firewalls to stop the application-layer attack
targeting the servers. All of this must be done in a high-pressure, time-sensitive environment.


The same scenario would be quite different if the data center engineer had the option of cloud signaling. Once he or she
discovered that the source of the problem is a DDoS attack, the engineer could choose to mitigate the attack in the cloud by
triggering a cloud signal to IDMS infrastructure in the provider network. The cloud signal would include details about the attack
to increase the effectiveness of the provider’s response. This would take internal pressure off the engineer from management
and application owners. It would also allow the engineer to communicate with the upstream cloud provider to give more
information about the attack and fine-tune the cloud defense.

The Value of Cloud Signaling to the MSSP


The addition of cloud signaling to the MSSP portfolio strengthens the overall managed DDoS service offering. By allowing edge
devices to signal cloud solutions, it provides a single dashboard for all DDoS attacks. Any MSSP can add cloud signaling as a
service feature by participating in the Cloud Signaling Coalition and using Arbor’s Peakflow® solution as the basis of an existing
in-cloud service offering. Participating MSSPs do not have to sell or manage Arbor’s edge product, Arbor Pravail, to realize the
value of cloud signaling. In the future, third-party vendors will be encouraged to hook into Peakflow-based cloud DDoS service
offerings through a public, documented API.

[Figure: two panels, “Data Center Under Attack” and “Data Center Fully Protected”. Labels shown: Subscriber Network;
Internet; Service Provider; Arbor Peakflow SP-based DDoS Service; Congestion; Cloud Signal; Arbor Pravail APS;
Firewall/IPS/WAF; Attack Traffic; Legitimate Traffic; Public Facing Servers; Data Center Network.]

Operational Steps
1. Data Center under attack.
2. Attack immediately stopped by Arbor Pravail APS.
3. Attack grows, exceeding bandwidth.
4. Cloud signal launched upstream.
5. Attack mitigated by Arbor Peakflow SP in the Cloud.
6. Data Center now protected.


How Cloud Signaling Works


Let’s assume an MSSP is offering a comprehensive DDoS service, including detection and mitigation capabilities, to a data
center customer. The service offering includes a cloud-based DDoS component, as well as a CPE-based application-aware
DDoS component. The cloud-based DDoS service is based on Arbor Peakflow SP solutions and the edge-based product is
the Arbor Pravail APS (Availability Protection System) appliances.

First, the MSSP must provision the cloud-based service to accept cloud signals from the edge-based Pravail appliance or software.
The customer’s edge product is provisioned into a Peakflow SP deployment that includes Arbor Peakflow SP Threat Management
System (“TMS”) appliances using the Peakflow SP user interface. The MSSP can then allow customers to either automatically start
a TMS mitigation in the cloud or manually issue an alert when they want to initiate cloud signaling. In the manual option, the MSSP
can decide either to accept the customer cloud signal to start a mitigation event or to create a mitigation event manually.

To ensure end-to-end cloud signaling, the edge-based device must be configured with the MSSP’s Peakflow SP information,
including IP address and customer authentication information.

Auto-Mitigation via Cloud Signaling


When the Pravail appliance detects an attack, the operator can manually signal the Peakflow SP cloud deployment about the
attack or preset Pravail to automatically send a cloud signal upstream when a threshold is reached.

For the new mitigation in Peakflow SP, the solution applies the mitigation template configuration that has been assigned in the
Pravail customer configuration in Peakflow SP. Then it reports back to Pravail that a mitigation event has been started. Pravail
will display the mitigation status in the user interface, showing an active mitigation is taking place. If Peakflow SP already has a
mitigation running for the resource under attack, it will convey that to the Pravail appliance and disregard the mitigation request.

Operator-Assisted Mitigation via Cloud Signaling


If Peakflow SP is configured for manual cloud-signaling mitigation for a Pravail customer, it will create an alert when it receives
a cloud signal from the Pravail appliance and report back to the appliance that the request was received. A Peakflow SP operator
would be required to initiate a mitigation based on the cloud signal.

An active heartbeat exists between the Peakflow SP cloud deployment and the Pravail appliance on the customer premise.
This assures that both products are available and operational at all times.

Real-Time Analysis and Reporting


The operators of both the cloud-based Peakflow SP solution and the edge-based Pravail appliance can monitor the progress
of the mitigation in real time.

Both products also provide post-incident reports with details of the attack and the steps taken to mitigate it.

Operational Considerations
The Pravail appliance is designed to maintain operational and management capabilities when the network is under attack.
In many cases, it can detect the attack before the stateful firewall is overwhelmed. Many availability attacks only flood the
downstream communications while upstream communications are still available. However, it is very possible that an attack could
consume most of the bandwidth available to the data center. To limit the impact of this, the cloud signaling protocol makes use
of state-less protocols for communication, with persistent retries performed by the application layer if congestion is noted.

The best practice to ensure cloud signaling integrity is to provision a separate out-of-band management network between the
data center and the cloud provider so that the cloud signaling component remains available even when the entire data center
link is saturated in both directions or completely offline.
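The exchange described in the auto-mitigation, operator-assisted mitigation and operational-considerations sections above, as an added model written for this page (it is not Arbor's cloud signaling protocol, nor Pravail or Peakflow SP code): an edge appliance signals a cloud deployment over a stateless link and retries from the application layer whenever a request or a reply is lost; the cloud side starts a mitigation under the customer's assigned template in automatic mode, raises an alert for an operator in manual mode, and reports an already-running mitigation instead of starting a second one. The message fields, the 'auto'/'manual' policy, the template names, the prefixes, the request ids and the loss pattern are all constructed assumptions.

```python
# Edge-to-cloud DDoS signaling model added for this page (not Arbor code); all names constructed.
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class CloudSignal:
    request_id: int        # lets the cloud side recognise a retransmission
    customer: str
    target_prefix: str     # resource under attack
    attack_bps: float      # attack detail carried upstream to help the response


class DatagramLink:
    """Stateless link; drop_pattern (constructed) says which sends are lost, then all arrive."""
    def __init__(self, drop_pattern):
        self._pattern = iter(drop_pattern)

    def deliver(self, msg):
        return None if next(self._pattern, False) else msg


class CloudDeployment:
    """Provider-side mitigation platform with a per-customer 'auto'/'manual' policy."""
    def __init__(self, policy):
        self.policy, self.active, self.alerts = policy, {}, {}   # per customer; per prefix; pending
        self._replies, self._ids = {}, count(100)                # replies by (customer, request_id)

    def _start(self, sig):
        record = {"mitigation_id": next(self._ids), "attack_bps": sig.attack_bps,
                  "template": self.policy[sig.customer]["template"]}
        self.active[sig.target_prefix] = record
        return record

    def receive(self, sig):
        key = (sig.customer, sig.request_id)
        if key in self._replies:                    # retransmission: repeat the same answer
            return self._replies[key]
        if sig.target_prefix in self.active:        # already mitigating: disregard the request
            reply = {"status": "already_mitigating", **self.active[sig.target_prefix]}
        elif self.policy[sig.customer]["mode"] == "auto":
            reply = {"status": "mitigation_started", **self._start(sig)}
        else:                                       # manual: raise an alert for an operator
            self.alerts[sig.request_id] = sig
            reply = {"status": "alert_raised", "request_id": sig.request_id}
        self._replies[key] = reply
        return reply

    def operator_start(self, request_id):          # operator accepts a pending alert by hand
        return self._start(self.alerts.pop(request_id))

    def heartbeat(self):
        return {"status": "alive"}


class EdgeAppliance:
    """Customer-premises device: detects locally, signals upstream with retries."""
    def __init__(self, customer, link, cloud, auto_threshold_bps, max_attempts=5):
        self.customer, self.link, self.cloud = customer, link, cloud
        self.threshold, self.max_attempts, self._ids = auto_threshold_bps, max_attempts, count(1)

    def _exchange(self, msg, handler):             # application-layer retry over a lossy link
        for attempt in range(1, self.max_attempts + 1):
            delivered = self.link.deliver(msg)
            if delivered is None:
                continue                            # request lost upstream
            reply = self.link.deliver(handler(delivered))
            if reply is None:
                continue                            # reply lost; resend with the same id
            return attempt, reply
        return self.max_attempts, None

    def signal(self, target_prefix, attack_bps):
        sig = CloudSignal(next(self._ids), self.customer, target_prefix, attack_bps)
        attempts, reply = self._exchange(sig, self.cloud.receive)
        status = reply["status"] if reply else "cloud_unreachable"
        return {"attempts": attempts, "status": status, "reply": reply}

    def observe(self, target_prefix, attack_bps):  # auto mode: signal once the threshold is hit
        return None if attack_bps < self.threshold else self.signal(target_prefix, attack_bps)

    def heartbeat_ok(self):
        return self._exchange("heartbeat", lambda _m: self.cloud.heartbeat())[1] is not None


def run_scenario():                                # constructed run: one auto and one manual customer
    cloud = CloudDeployment({"acme": {"mode": "auto", "template": "tcp-syn-flood"},
                             "globex": {"mode": "manual", "template": "udp-flood"}})
    link = DatagramLink([True, False, True])        # first request lost, then one reply lost
    acme, globex = (EdgeAppliance(c, link, cloud, auto_threshold_bps=800e6) for c in ("acme", "globex"))
    out = {"below": acme.observe("192.0.2.0/24", 300e6),     # under threshold: edge handles it alone
           "first": acme.observe("192.0.2.0/24", 2e9),       # auto signal, survives two losses
           "again": acme.observe("192.0.2.0/24", 5e9),       # attack grows; cloud already mitigating
           "manual": globex.signal("198.51.100.0/24", 3e9)}  # manual customer: alert raised
    out["started"] = cloud.operator_start(out["manual"]["reply"]["request_id"])
    out["heartbeat"] = acme.heartbeat_ok()
    return out
```

Two design points matter when retries run over a stateless transport: the cloud side keys its replies by (customer, request id) so a retransmitted signal gets the identical answer rather than a second mitigation, and the heartbeat reuses the same retry path, so a run of lost heartbeats is what tells the edge operator that the out-of-band path, not the cloud service, needs attention.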


The Cloud Signaling Coalition: Why Join?


For MSSPs and other managed DDoS providers, the Cloud Signaling Coalition can be an
immediate competitive differentiator and can increase the revenues of existing service offerings.

By joining the coalition, MSSPs can drive more data center customers to their existing DDoS
service. Many enterprise customers are looking for ISPs to reduce the risk posed by DDoS
attacks. The Cloud Signaling Coalition provides a means to accomplish this. As an added benefit,
the MSSPs can gain goodwill in the market by participating in a global security initiative.

Conclusion
As the techniques to conduct DDoS attacks advance and motivations to launch them increase, data center operators and
service providers must find new ways to identify and mitigate evolving DDoS threats. The Cloud Signaling Coalition
empowers data center operators to quickly address both high-bandwidth attacks and targeted application-layer attacks in an
automated and simple manner, while enabling MSSPs to significantly grow the revenue generated by their managed DDoS
protection offering.

For more information on the Coalition and how to participate, visit www.arbornetworks.com

Corporate Headquarters
6 Omni Way
Chelmsford, Massachusetts 01824
Toll Free USA +1 866 212 7267
T +1 978 703 6600
F +1 978 250 1905

Europe
T +44 208 622 3108

Asia Pacific
T +65 6299 0695

www.arbornetworks.com

About Arbor Networks
Arbor Networks, Inc. is a leading provider of network security and management solutions for converged carrier networks and
next-generation data centers, including more than 70 percent of the world’s Internet service providers and many of the largest
enterprise networks in use today. Arbor’s proven network security and management solutions help grow and protect customer
networks, businesses and brands. Through its unparalleled, privileged relationships with worldwide service providers and global
network operators, Arbor provides unequalled insight into and perspective on Internet security and traffic trends via the Active
Threat Level Analysis System (ATLAS®). Representing a unique collaborative effort with 100+ network operators across the globe,
ATLAS enables the sharing of real-time security, traffic and routing information that informs numerous business decisions.

Copyright ©1999-2011 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, Pravail and
ATLAS are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners.
WP/CSC/0311
