Preparing for 'Cyber Pearl Harbor'

Neustar and Arbor Networks analyzed recent large-scale DDoS attacks and the implications that they have for DDoS mitigation solutions. In addition to looking at why some solutions work better than others, discussion points include:

  1. Challenges of maintaining business continuity
  2. Trends in DDoS attacks and the impact on businesses
  3. A technical look at the pros and cons of DDoS mitigation solutions: appliances, CDNs, firewalls, and cloud-based services

Video Transcript

Steve Kovsky:

Good morning, good afternoon, or good evening, depending on where in the world you happen to find yourself right now. Welcome to today’s webcast “Preparing for Cyber Pearl Harbor: Recent Trends and Options to Mitigate DDoS Attacks.” It’s sponsored by Neustar and broadcast by Information Week, UBM Tech, and United Business Media, LLC. I’m Steve Kovsky and I’ll be your moderator today.

We have just a few announcements before we start. Now you can participate in the Q&A session by asking questions and you can do so at any time during this webinar. Just type your question into the Ask a Question area and then click on the Submit button. And at this time, we do recommend that you disable any pop-up blockers that you have running in your environment. The slides will advance automatically throughout the event. You can also download a copy of the slides. Just click on the Information button which you’ll find located at the bottom of your screen.

This webcast is being broadcast through a flex console and this means that you have more control over your view and over the webcast tools. So you can resize the presentation window by dragging the windows from the corners. You’ll notice buttons at the bottom of your screen. You can feel free to click on any of these to open the supporting content and user tools and those will come up in different panels. And if you need any technical assistance, just submit a question and you can open the Q&A panel to see any written responses back to you. Finally, we value your feedback and we use this to ensure that our webinars improve to meet your needs, so please at some point click on the Feedback form in the Information button.

Now onto today’s presentation, “Preparing for Cyber Pearl Harbor: Recent Trends and Options to Mitigate Attacks.” Discussing today’s topic, we have with us Miguel Ramos, who is the DDoS expert and product manager for Site Protect. Good morning, Miguel.

Miguel Ramos:

Good morning, Steve.

Steve Kovsky:

Good to have you with us. Also joining us is Gary Sockrider, who is a solutions architect at Arbor Networks.

Good morning, Gary.

Gary Sockrider:

Good morning, Steve. Thank you.

Steve Kovsky:

And finally joining us today, Jim Pasquale, who is security operations manager at Neustar. Good morning, Jim.

Jim Pasquale:

Good day, all.

Steve Kovsky:

And with that, I’m going to hand things over to you to get things started, Miguel.

Miguel Ramos:

Thank you, Steve, and thank you for joining us, everyone. It’s great to be able to be here and be able to share what we’re seeing out there with you. We’re going to speak about the state of the market when it comes to DDoS attacks, where we are today, the increase in complexity, the attacks on the financial industry, and what protections people have in place. After that, we’re going to shift focus a little bit and talk about what options are available for DDoS mitigation, such as the different types of gear that are being used for mitigation, ISPs, CDN services, and client-based DDoS mitigation services. Then we’ll wrap up and summarize and take some questions from you.

Let’s talk about the state of the market for a little while here. As you may have heard in the news, DDoS attacks have been increasing. Those are driven by two factors, the first being more reasons for attacking. We’re now seeing geopolitical attacks, online protests where groups of people have specific issues with particular companies, for example, and extortion attempts. The geopolitical and protest aspects of DDoS make the news a lot, but extortion is a significant factor in DDoS and it doesn’t get reported much. This is because organizations don’t really want to admit that they’ve been affected. Couple the increase in scope of attack motivations with an increase in availability of botnets (you can write them very easily these days or control them with one click) and you can see how DDoS has become an extremely serious issue.

These two things have led to increased volume. We’ve seen DDoS attacks grow from the 10-gigabit range to the 100-gigabit range in the last five years. We have seen more complex application-based attack vectors targeting websites, DNS, and even mail servers, and we’ve seen an increase in the frequency of these attacks.

You may have seen mentions of attacks on the financial industry in the news recently. These attacks caused significant issues for the affected parties. They were actually downright scary. The perpetrators were smart enough to exploit vulnerabilities in widely deployed open-source software on computers connected to enterprise networks with big Internet pipes to amplify the size of the attacks. There were major real-world implications during these attacks. You probably actually know someone that wasn’t able to get to their online banking that day, so significant impacts.

These attacks were reported to be in response to an anti-Muslim video, so in protest.

The banks that were going to be affected were actually announced ahead of time and there was really an unprecedented level of industry cooperation, which was really great to see. But even with the advance notice, the damages were not actually fully mitigated.

As I mentioned earlier, computers with big Internet connections were compromised and used. The attacks were able to take advantage of the fact that enterprises are not necessarily diligent when it comes to updating to the latest versions of Chapee, WordPress, Joomla, with the latest security patches and that leaves them open. Sometimes it’s hard for organizations to schedule software upgrades because the application needs to be fully regression tested, et cetera, so they’re kind of left out there to be vulnerable.

Having this arsenal of compromised hosts with big pipes, the attackers were able to also switch up attack vectors, so we saw GET and POST application-level attacks on both HTTP and secure HTTPS traffic. We saw DNS query application layer attacks. We saw UDP floods. We saw SYN floods, et cetera, all with extremely high packet-per-second rates. It truly was multi-vector DDoS at an entirely new level. It was just amazing.

At this point, it’s really not a matter of if you’re going to be attacked but when. Adding to what I said earlier, there’s even software out there that you can download to launch a DDoS from your cable modem with one click and you can easily get a few people together and you can cause some damage. People are using social media like Twitter, Facebook, et cetera, to organize.

Here are some examples of one-click tools that people are using. The Low Orbit Ion Cannon, which is a popular one, Silent DDoSer, twBooter. There’s tutorials you can Google on how to better hide your IP address, et cetera, that’s really leaving DDoS capacity at the tip of your hands, but obviously please don’t try this at home, folks.

People are actually advertising their DDoS abilities on forums and asking to be hired. It’s really crazy. They’re even running advertising videos on YouTube. You can actually search for Gwapo’s Professional DDoS Service on YouTube to view the wonderful advertisement on this slide and definitely feel free to do that.

So are we headed for a cyber Pearl Harbor? Leon Panetta referred to the bank attacks as a foreshadowing of the cyber Pearl Harbor. It’s a brand new world out there, folks. These attacks have entered a dangerous new phase of size and sophistication. It really doesn’t actually matter who did it. What matters is that it was done. What matters really is that people know it can be done and that other people out there have a blueprint for how to do it which is downright scary.

In August 2012, we worked with UBM Tech on a survey that explored the state of DDoS protection to gauge how organizations were protecting themselves against the threat. The data collected from 124 business technology professionals who work at companies that have been a target of a DDoS attack forms the basis of this report. Survey respondents worked in a variety of industries in companies of all sizes. More than 60 percent of respondents were IT management staff and 20 percent had senior-level IT executive or corporate management titles. A significant number of organizations reported customer service issues, 69 percent. Damage to brand equity, revenue losses, and decreased customer experience were also significant factors. Two-thirds experienced bandwidth flood attacks, 41 percent experienced request floods, and 27 percent saw application-level attacks. According to the survey, 54 percent of the attacks targeted the company website and revenue losses between $50,000.00 and $100,000.00 were reported.

So clearly, this problem affects a lot of people, yet a significant number of organizations are actually not adequately prepared. So we asked IT staff and management what protection they had in place to handle these attacks. 52 percent of the respondents actually told us they had a firewall in place. 15 percent said they relied on their CDN. 15 percent said that they relied on their hoster. 11 percent had a special DDoS mitigation appliance and 7 percent said they had a cloud-based service and 17 percent unfortunately said that they had no protection in place at all.

The survey also focused on the types of protection used and the results from each type of protection. Of the companies that reported they were using firewalls for DDoS protection, 63 percent of them said that they actually became a bottleneck during the attack. 16 percent told us that they were not able to detect an application-layer attack, so people thought that their firewalls would protect them but overwhelmingly, the firewalls actually failed to do what they were expected to do.

DDoS appliances, we actually saw that just under half of the respondents with DDoS mitigation appliance were able to deal with the attack. More than half had issues with the mitigation but not because of the effectiveness of the appliance. These appliances are very good. It’s rather potentially a lack of training. With increased training, these DDoS appliances can help organizations effectively deal with a lot of attacks.

Of the 15 percent of companies that reported using a content distribution network, 58 percent of them actually experienced downtime due to application-level attacks. So these attacks are dynamic in nature and are designed to bypass CDN caching and go right to the origin server, and of the 15 percent of the organizations that reported using ISPs, 30 percent of them reported that they were limited to a gigabit-per-second protection, which is a big issue now because attacks are in the 10-gigabit or 100-gigabit plus range.

So I just wanted to share some snippets of the survey with you to sort of outline how organizations are not properly prepared and we’ll be sending you an e-mail with a link to the full survey and report after this event. But for now, we’ve asked Gary Sockrider from Arbor Networks to take us through the effectiveness of DDoS mitigation hardware and Jim Pasquale will follow up and talk about how cloud-based solutions can help mitigate the threat.

Gary Sockrider:

Thanks, Miguel. So quickly I just wanted to provide an overview of Arbor Networks for those of you who may not be familiar with us. We provide DDoS mitigation appliances to over 90 percent of the world’s Tier 1 service providers. We operate in over 107 countries. We have a view of over 37 terabits per second of Internet traffic, which we use proactively to analyze the threat landscape and of course to improve our products and help our customers. And then the last couple of bullet points, we are the No. 1 provider in all of our market segments for carrier, enterprise, and mobile DDoS protection. We’ve been in business for 12 years and we have backing by a large company, Danaher Corporation.

So let’s talk a little bit about traditional security hardware. As Miguel mentioned before, what we’ve seen as a trend over the last several years is that the current DDoS attacks are specifically designed to thwart the general _____ that these IPS and firewall and ACL and the typical types of security mechanisms that people have been using. They do this in a couple of different ways, using very large distributed botnets with tens of thousands of hosts perpetrating the attack. They’re also employing low-and-slow application-layer attacks, which are not high volume, not high bandwidth, and they’re essentially designed to sneak under the radar. And then they’re combining those two for obfuscation. So we’re seeing that combination. An analogy I like to use is that if someone’s pounding on your door with a sledgehammer, while you’re busy trying to defend that door and barricade it, someone else is slipping in the window at the back of the house, and that’s these low-and-slow application-layer attacks.

So let’s talk specifically more about why firewalls and IPS are not capable of defending against these DDoS. Now they are a very important part of your security strategy. They’re designed for different purposes, however. So let’s look at some of the reasons they are unable to defend against these DDoS attacks.

First of all, they’re really designed to allow many of these protocols through. A firewall has to pass things like HTTP and DNS so that the end users can get to the applications, and of course attackers are leveraging these very same protocols for their attacks because they understand that they’re going to be able to penetrate firewalls and IPS with these protocols.

Secondly, inline devices maintain state information and that’s why we see attacks using methodologies like TCP SYN floods which are specifically designed to exhaust the state tables with these devices and compromise them.

Third, signature-based detection. So signatures that are not designed to match a specific threat are not gonna be able to stop it and really the idea behind IPS signatures is to protect the integrity of the devices. They’re not necessarily looking for the application malformed packets, those kinds of things that are used in these types of attacks. They’re really more focused on the server and not on the application track.

And then lastly, the detection of distributed attacks. These massively distributed attacks make even correlation difficult in these types of devices.

So for these reasons and others, these devices really are actually targets of the DDoS attacks themselves.

All right, so let’s talk about how to protect against DDoS. First, I’m gonna go through the six phases of security practice. These should be familiar in some form to most of you. They do bear repeating. It’s something that we need to keep constantly vigilant about.

So first of all and most important is preparation. As Miguel mentioned earlier, we’ve heard from customers that have deployed effective tools, however perhaps their team hadn’t been practicing enough, wasn’t well prepared enough in order to be able to adequately defend and react rapidly. So preparation is always key.

Next, identification. If you can’t see an attack then you can’t defend against it, so you have to make sure you have visibility.

Third is classification. You need to understand the nature of the attack in order to know how to react to it.

Then of course trace back, knowing where it’s coming from, what parts of your network are affected.

Of course, reaction. That’s the mitigation. That’s putting a stop to the attack and understanding how to deal with it.

And of course the post mortem, which is how effective were we? What could we do different? How could we do better in the future? Of course, this is all a continuing process. We have to continue to be vigilant.

A few industry current best practices. Again, these should be some familiar data points but they bear repeating. The real lesson here is that you have to combine a defense in-depth or a layered approach in order to be fully effective. All of these things are important in order to be successful and beat off mitigation. There’s really no single silver bullet. We know that we can deploy these practices and we know that they can be deployed in a number of places. They can be deployed in the network. They can be deployed in the cloud. They can be deployed on premise. And really the best advice is to make sure you’re deploying all of the best practices at every layer wherever possible.

So how do we do intelligent DDoS mitigation? This is basically how does the technology of mitigating these attacks work? So what you’re seeing on the right-hand column are a list of countermeasures. These are just samples. This is not a complete list by any means. Examples of specific countermeasures that stop specific types of attack behaviors, so this is behavioral-based identification of attacks and then these countermeasures can be layered as you can see in the graphic at the bottom on the left. We’re layering different countermeasures to stop different types of bad traffic so that we can allow the good traffic to get through.

The real point here is this is about availability. One of the problems that we see with traditional security when it comes to these DDoS attacks is that they have a very defensive posture. In other words, they’re all about keeping bad stuff out but with DDoS mitigation, it’s really more about accessibility. It’s making sure that the applications stay up, that they’re accessible. So it’s sort of a different approach. You want to fail open in the case of a DDoS attack whereas a firewall would want to fail closed, and that’s why when those state tables get overwhelmed and the device fails closed, well, you’ve just completed a DDoS attack. So it’s a different approach, different technology. They are very complementary and should always be used together.

Quickly, I just want to talk about our solutions and how we deploy those. So we have two different methodologies. One is network-based DDoS mitigation. The other is premise-based or appliance-based DDoS mitigation. So in the network, what we would do is deploy these devices, have a broad view of the network, have the ability to stop attacks before they reach their intended target, so stopping them in the cloud before they reach their destination. And then secondly, we have the ability to do inline, on-prem appliances which can also stop attacks and they can have potentially a better view of the traffic closest to the target devices. They can also signal back to the network-based mitigation devices. So we have the ability to have more detailed information back to the service provider as well as to have a failover if the premise-based device is overwhelmed so that mitigation can be pushed up and completed in the cloud.

So that’s it for me and now I’ll hand it over to Jim.

Jim Pasquale:

Thank you. Good day, all. What I’d like to spend a few minutes on is talking about when a DDoS attack has taken your website down. Obviously the financial distress on your business is great as well as brand reputation damage. You do have options to mitigate these attacks today. What I want to do is talk about the three options that exist today and then spend a couple of slides taking you through our cloud-based solution.

So from a telco perspective or from a carrier ISP perspective, you have the option of simply adding it on to your current system or service. This will give you limited DDoS attack expertise. This is not a core competency for your carrier or for your ISP so they have limited staff that can handle DDoS attacks. This is also available just for network-based attacks. They will not handle the sophisticated attacks such as application layer, something to keep in mind, as well as if you have more than one ISP or more than one carrier, you’ll need to get filters implemented across all of those and that can take time. This is really a best-effort approach for dealing with those attacks.

Similar on the CDN side or your content delivery network side. There are benefits, but they are expensive: the overages you pay by using a CDN when you suffer a DDoS attack are significant, so a significant financial investment is needed on the CDN.

And then finally, there’s a cloud-based service which requires no investment upfront. You can get the skills that you need by leveraging cloud-based dedicated service around DDoS detection or mitigation. This will direct the dirty traffic to a scrubbing center and I’ll get into that, what that means, in a minute but really scrubbing the dirty traffic and keeping your website up by delivering clean traffic back to your customers.

Next slide, please. The targets of these attacks, as we’ve talked about, are varied, but it starts with attacking a specific web application or DNS service. When that gets mitigated, the attacker moves on. What we’ve seen recently and what Miguel had alluded to is some very complex attacks that are volumetric in nature, not just trying to fill the circuit or fill the pipe but also going after the gear that’s in back of the circuit, whether that’s a firewall, an IPS, or maybe it’s an Arbor Networks appliance. But all of those attacks are plentiful these days.

Now the approach there is just enough is good enough. They’ll keep going back and forth across packets per second and across gigabits of traffic, mixing in some application-layer web DNS attack until they reach the desired result, which is a down website and an impacted service for you.

Next slide, please. I want to highlight our solution, the Neustar SiteProtect product, which is an on-demand, cloud-based, DDoS mitigation service that scrubs the website traffic and returns to your customers clean, legitimate traffic. So as the picture shows you, on the left side of the picture you’ll see malicious traffic coming towards your web server on the right side and in the middle there is a SiteProtect scrubbing center and we will cleanse the traffic, putting the bad aside and funneling to your websites clean, good, legitimate queries and traffic for your customers.

Next slide. What we do with SiteProtect is we can deploy it in two different architectures today. The first one speaks to a DNS proxy service, and as you walk through this slide going through our UltraDNS cloud and into the DNS resolution of a query would be redirected through the Neustar SiteProtect cloud in this case where your website might be under attack. The good traffic is passed to the web server and responses go back to customers around the world. The bad traffic is offloaded into the bit bucket. And I say that but that means that there’s a 24 by 7 staff expert SOC that’s in the cloud as well looking at that traffic as the attack is happening, making recommendations, putting in mitigations and countermeasures and assessing that traffic in real time, a big benefit of the cloud-based approach.

The next slide talks about another paradigm we can bring together for customers and this is a DNS redirect using CDNs and you’ll see the CDN cloud is inserted into the same workflow that I just took you through. Your DNS requests go through the UltraDNS cloud destined for the consumer’s web content, is redirected through the Neustar SiteProtect cloud where malicious traffic is discarded. Good traffic is passed on to your CDN to your web server. It’s hosted in the CDN and the good return traffic goes back to your customers keeping the service up.

That’s a quick look at our SiteProtect offering. I’m going to turn it back to Miguel now to bring us home.

Miguel Ramos:

Thank you, Jim. Appreciate that. Hopefully what we’ve spoken about today has given you a little food for thought, so to speak. The size and scope of the problem has increased and attackers are getting smarter and smarter. We talked to you a little bit about some of our survey results and they really showed that organizations think they have a strategy in place but that the strategy actually is not as successful as what was hoped when they put it in practice. As you plan out your business continuity strategy and examine how to mitigate the risk, purpose-built appliances for DDoS mitigation, along with a cloud-based approach, offer the best protection. So a combination of on-premise hardware and leveraging cloud-based DDoS solutions or infrastructure as a service, if you will, adding cloud capacity and specific expertise when you need it, makes a lot of sense.

But remember, it’s really key for you to be prepared. It’s very key for you to be proactive and it is also very important to review and update your plans regularly.

So with that, I’d like to take some questions from people.

Steve Kovsky:

Okay, fantastic. Thank you, Miguel. Thank you to all of our presenters. Now before we start with the Q&A, please fill out the feedback form that you’ll find located in the panel on your console and I want to thank you in advance for filling that out. Your participation in the survey allows us to better serve you in the future.

Now onto the question and answer portion of the event. As a reminder, to participate in the Q&A, just type your question into the text box and click the Submit button and we will address as many questions as we can in the time that we have remaining. Now a couple of questions have come in already for several of our presenters and the first one up, I believe this is from, I’m sorry, my screen is switching around, Susan in the audience and the question is directed at Gary. Why is a prem or premises-based device necessary when DDoS attacks happen at the ISP level? Arbor has a cloud-based solution but why would a customer prem-based box also be required?

Gary Sockrider:

Sure, I’m happy to answer that. So a couple of different reasons. First of all, having a device on prem allows for you to have visibility into your own network and to see it as close to the applications that are under attack as possible. Secondly, having that view can facilitate a quicker response, quicker notification, quicker realization there’s a problem. And then third, it’s going to make it easier to get the telemetry you need to more effectively defend against application-layer attacks. So it is complementary with a network-based solution but it will provide an overall enhanced level of mitigation capacity and improved reaction time.

Steve Kovsky:

Okay. I think that’s very helpful for Susan.

Now a question came in for Miguel. Is this really an arms race? Can an organization win in this kind of a scenario we find ourselves in?

Miguel Ramos:

That’s a really good question. The answer to that I would say yes on both questions. It is an arms race but an organization can actually win. I think the key here is to know and recognize and understand your limits and mitigate the risk with additional protection where necessary. So what I’m speaking about here is, yes, attacks get larger and larger as an example and yes, it doesn’t necessarily make sense for an organization to keep buying bandwidth to be able to take in even the largest of attack traffic and mitigate it in house. The key is going to be to ensure that you’ve got that on-premise solution to deal with it up to the capacity that is available with your bandwidth.

It doesn’t really make sense to over provision bandwidth and have hundreds of gigabits of capacity just to use when there is an attack. It’s not economically feasible.

So if you look at combining your perimeter devices and mitigation capacity with the additional cloud-based failover, you can really use the additional capacity on an on-demand basis when you need it. It is an arms race but at the same time, you don’t necessarily need to be focused on winning it. There are services that you can use for that additional protection to deal with the problem when it gets very large.

Steve Kovsky:

Okay, very good. A question has come in for Gary. This is from Vernon in the audience. Do you think that the attacks are more facilitated by individuals or governments?

Gary Sockrider:

That’s an interesting question and there has been a lot of speculation on that.

What I can tell you is we don’t have any solid evidence at this point to easily differentiate those and let me explain what I mean by that. When you hear comments, for instance, I think there has been a U.S. politician saying that attacks are coming from Iran. Well, it’s accurate to say that attacks came from Iran because some of the compromised servers were hosted in a web hosting facility in Iran. But does that mean that the government of Iran was behind the attacks or does that mean that individuals or organizations within Iran were behind the attacks? Well, the answer is not necessarily because a server that’s compromised could be compromised from anywhere.

From our perspective, we don’t actually put too much effort into attribution, in other words, who’s behind the attacks. We hand that off to law enforcement. We do see a lot of clues and indicators that tell us various things. We see attacks come from lots of different sources. We see different attack tools being used. We know for instance in these latest financial attacks, they were custom-built attack tools just for the attacks. But in order to say whether it’s more from individuals or governments, it’s not something that I can speak well to today. What I can tell you though is that the attacks are escalating. They’re getting more sophisticated and they’re getting more frequent.

Steve Kovsky:

A quick follow-up question. Are there some best practices that you recommend for people to help facilitate law enforcement to do their job, for them to do the forensics and go after the perpetrators?

Gary Sockrider:

Well, certainly we encourage cooperation with law enforcement when these events happen and of course we do the same. Providing as much information as you can to law enforcement, providing upon request and again, depending on the sensitivity and the nature of the data, but providing logs, providing post mortem, doing debriefs. These can all be very helpful for law enforcement.

Steve Kovsky:

Okay, very good. A question’s come in for Jim. Is it realistic or important to have offensive capabilities as well as defensive strategy?

Jim Pasquale:

Yes. I think it’s important to have both and I think there needs to be a program in place to look at the tactical alerts that are coming into your enterprise every day and the real threat that they pose, but also be looking at the landscape of these new attacks and looking at ways to prepare before you get hit by those attacks, so it’s important. We talked about planning and we talked about being proactive. There’s certainly a big piece to anyone’s program that has to be part of that, but also the reactive piece is never going to go away. The attacks continue to change. But your best defense in a lot of ways, is a good offense.

Steve Kovsky:

Okay, excellent. A question for Miguel. How is DDoS mitigation actually performed?

Miguel Ramos:

That’s a good question and I’d like to say that it’s a combination of art and science. So the science aspect of it is having the right infrastructure in place to help detect DDoS attacks or at least a significant slice of the attack vectors that are out there. There’s those out there that build great gear like Arbor Networks to help in this. The art aspect of it is in some cases, especially with the application-level attacks that can potentially be custom designed for the attacked infrastructure or against the attacked infrastructure, what you really need beyond the hardware is operations staff that knows how to deal with these attack vectors.

So it’s a key to really have the capability of the people that have been in the trenches for a while, have seen DDoS attacks, have lived and breathed DDoS attacks and DDoS mitigation and know what to do when they see a very complex application-level DDoS attack. So it’s a combination of having the right infrastructure and having the right team and obviously the infrastructure and then the cloud-based _____ where you have the additional capacity from a vendor who specializes in DDoS mitigation is very important.

Steve Kovsky:

Okay, Miguel, thank you. A question has come in for Jim. How would a cloud-based DDoS mitigator handle an SSL Layer 7 DDoS attack?

Jim Pasquale:

Yeah, as Miguel said there’s a lot of art and trained eye to the work of looking at the payload that’s coming across the wire and making that determination of what is the malicious piece to this. Because at the end of the day, you want to do as surgical a job as you can by stripping off the bad and preserving the good traffic. So while we do have some purpose built technology that helps with some of the heavy lifting, it does require the trained eye to look and find those needles in a haystack and to find an application-layer attack and to very surgically mitigate it. It’s really the art of security, as we say.

Steve Kovsky:

Okay. Very good. Another question and I think this might be a good question for Miguel. Do Neustar and other mitigation vendors use the same ISPs globally or how do they alleviate carrier saturation?

Miguel Ramos:

Sure, that’s a good question. With a DDoS mitigation cloud, you want to make sure that your provider has diversity in its carriers, so you want to make sure that their attack capacity, so their available bandwidth to handle even the largest attack, is spread out across multiple providers so that the traffic can come in through multiple doors and not just potentially through one door. You definitely don’t want to be in situations where you saturate carriers. Typically, the DDoS mitigation provider has very extensive partnerships and deep partnerships with their upstream carriers to be able to plan in advance and ensure that saturation does not happen.

But absolutely, diversity in carriers is very important and ensuring that you have high level relationships with carriers is very important and your DDoS mitigation should have both of those things.

Steve Kovsky:

Okay, excellent. Reminder to the audience, if you have a question, get it in now. We’ll get to as many as we can during the course of this live webcast. If for any reason we can’t get to your question during the webcast, you can rest assured that somebody is going to follow up with you and make sure you get the answers that you need.

Now another question has come in. If making a DNS change takes 24 hours, wouldn’t it be too late to turn on a cloud-based DDoS mitigation solution, and secondarily, is traditionally free DNS a security vulnerability as well? And Miguel, maybe you could address that.

Miguel Ramos:

I can. So DNS changes are one way to redirect the traffic through a cloud-based DDoS provider. So without getting too technical, there’s a thing called time to live and you can or the customer in question should hopefully for their critical pieces of infrastructure have their DNS TTL set extremely low, hopefully under five minutes. And the idea there is that if your time to lives are low, if you make a DNS change to an alternate IP or an alternate provider, that change will spread across the Internet quite quickly. So you want to make sure that as an organization, it is probably good for you to proactively ensure that your DNS time to lives are set low for crucial pieces of infrastructure that you don’t want to tolerate a lot of downtime on. So that’s one thing.

The second part of that question, which is, is DNS a security vulnerability as well, I’ll say that we’ve certainly seen an increase in attacks at the DNS level and it is an oft-forgotten piece of the infrastructure pie for a lot of organizations. It’s something that they tend not to think about. But these days, if your web infrastructure is being attacked, the attackers might switch and try to attack your authoritative DNS. These are things that are happening. DNS attacks are on the rise.

Beyond that, you want to make sure that your DNS infrastructure is a part of your business continuity plan. If your DNS is down, you’re down professionally, so it’s something you want to give some thought to, definitely.

Steve Kovsky:

Okay, very good. Well, what I’d like to do is start kind of wrapping up here and if I could ask each of our presenters to give us the one or two takeaways, the one or two points that you really would like the audience to take home with you. I’m gonna go back in sort of reverse order and start with Jim Pasquale. And Jim, as you look at the message from today’s webcast, what would you really like to drive home and make sure that the audience walks away with an understanding of today?

Jim Pasquale:

Sure, thanks. I would make sure everyone understands these attacks are growing. They’re growing in sophistication and complexity. You can no longer ignore the risks to your business. You need a solution, hopefully a cloud-based solution like SiteProtect.

Steve Kovsky:

Okay, very good. Short and sweet. I like that. Gary Sockrider, what would you like to make sure the audience takes home with them today?

Gary Sockrider:

I’d just like to reinforce the message that this really requires vigilance. It requires defense in depth. It requires a well-prepared response team and this is not something that we can just flip a switch or throw in a single piece of equipment and think that we have this problem solved. It’s ever evolving and changing and we need to be constantly vigilant.

Steve Kovsky:

Okay, thanks very much, Gary. And Miguel, if you would, kind of bring it home for us. What would you like to have as our parting words on today’s webcast?

Miguel Ramos:

Thank you, Steve. I’d like to piggyback on some of the things that both Jim and Gary said and say to our audience be prepared. Take a look at your plan. If you don’t have a plan currently, take a look at building a plan. If you have a plan now, take a look at it and review it and see if there are any gaps. See if there are things that you’re missing. See if potentially you’re relying on things like firewalls, et cetera, where you might think that you’ve actually got a level of protection that you may not necessarily have.

So review your plans. If you don’t have them, make a plan and be proactive and be prepared. I think those are the key takeaways for me.

Steve Kovsky:

Okay, obviously a growing problem when we have our Secretary of Defense giving us a warning that we could be looking at a cyber Pearl Harbor situation, something to take very, very seriously and something that should be top of mind as we transition into the new year.

I would like to thank our audience today. I would also like to thank our guests. Now if you would like more information related to today’s webcast, please visit any of the resource links that can be opened by clicking on the Information icon at the bottom of your screen. Within 24 hours, you’ll receive a personalized follow-up e-mail with details and a link to today’s presentation on demand.

With that, I’d like to thank you for attending today’s presentation, “Preparing for Cyber Pearl Harbor: Recent Trends and Options to Mitigate DDoS Attacks.” It was brought to you by Neustar and broadcast by Information Week. This webcast is copyright 2012 by United Business Media, LLC. The presentation materials are owned by or copyrighted, if that’s the case, by Information Week, UBM Tech, and United Business Media LLC, and Neustar, who are all responsible for their content, and by the individual speakers, who are responsible for their content and their opinions.

On behalf of our guests today, Miguel Ramos, Gary Sockrider, and Jim Pasquale, I’m Steve Kovsky. Thanks for your time and have a great day.

[End of Audio]