Attacks/Breaches
11/4/2011
01:53 PM
50%
50%

Will Cloud Signaling Contain DDoS Attacks?

Arbor Networks' "Bat-signal" for distributed denial of service attacks culls your network service provider's resources to help stop it.

Is a distributed denial of service (DDoS) attack crippling your corporate network? Then signal your upstream service provider so it can filter out the attack using carrier-grade equipment.

That's the premise of "cloud signaling," which is a set of technical capabilities and mitigation strategies offered by network security vendor Arbor Networks. Announced in May, Arbor released the first related product in August, named Pravail, which it bills as an availability protection system.

A business that's already purchased DDoS defenses can typically mitigate small attacks, but those that flood the network pipe, or target the application level--including intrusion prevention systems and firewalls--may be much more difficult to stop. That's where cloud signaling comes in. "You can either set it to automatically signal your upstream provider, kind of like a Bat-signal--help me--and it will send help, sending all of the [attack] parameters" to the carrier, said Rob Malan, CTO of Arbor Networks, in an interview. Alternately, Pravail users can trigger the signaling manually.

[Businesses aren't ready to defend against the rising tide of sophisticated cyber attacks. Learn more: Advanced Threats Touch Two-Thirds Of Enterprises.]

Calling in the service provider brings carrier-grade packet-scrubbing power to bear on attacks, which means the attacks can be more easily eradicated by the service provider. "So maybe you've got one to 10 gigs of mitigation protection at the enterprise edge, but you have hundreds of gigs of mitigation protection at the carrier," said Malan.

He said the idea for cloud signaling arose during a late-night Denny's discussion he had with his Arbor co-founder, Farnam Jahanian, who now heads the National Science Foundation's computer & information science & engineering directorate. They hit upon the idea of "being able to hit a 'big red button' at the target of the DDoS attack, and signal all the way back upstream to the sources of the attack, automatically protecting the target."

But that discussion happened in 1999; what took 11 years for the idea to become reality? "While we always wanted to do this, you can't make a living selling a promise that it will be great in 10 years. So we needed to get a large install base," said Malan.

"The first major problem was getting the tool into all the carriers' hands so they could do coordinated troubleshooting. The second was getting it into the hands of the enterprise, so they could do coordinated troubleshooting back to the carrier. Once you have that infrastructure covered, you can hook them all together, all the way back to the carrier," he said.

One related step along this path was the Fingerprint Sharing Alliance, launched in 2002 as a way for network providers to share information with each other about large-scale attacks in progress. From there, it wasn't a big leap to having downstream customers share information about attacks that targeted their specific infrastructure.

Recent changes in DDoS attacks have also created an impetus for such information sharing. "The attacks changed in the last couple of years," said Malan. "Some kinds of attacks, you have to see the packets in line, and the only scalable way to do that is at the enterprise or data center edge--you can't sit up in the cloud and look at every packet, it's too packet-intensive; you've got to distribute that to the enterprise."

But when those defenses located at the edge of a business' infrastructure detect an attack, they can't always stop it. Notably, research from Arbor has found that the average DDoS attack bandwidth increased by 102% during 2010, and rose by 1,000% from 2005 to 2010.

When attackers do attempt to DDoS a business, it typically wouldn't take a data center operator long to pick up the phone and call their carrier, seeking a way to mitigate the attack. But with Pravail, said Malan, the process can be entirely automated, and attack signatures passed upstream at the first hint of trouble. That increases the chance that not only will the attack get quickly blocked, but also that the business won't even see an outage.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.