DDoS detection and mitigation – in conversation with Tata Communications’ CSO Adam Rice
The day after the Russian embassy in London was taken out by a DDoS attack (was it Russians objecting to a visit by a UK prime minister who had declined to join the KGB; or the Blue Rinse objecting to him going there at all) I was speaking to Adam Rice, global chief security officer for Tata Communications. He had just announced that Tata’s DDoS detection and mitigation service is now available to any company operating on the internet, irrespective of its network provider (ISP). Tata Communications is a tier 1 ISP, and the fourth largest in the world. “With this scale, we have successfully defended every DDoS attack levied against our customers. By expanding our offering to be network agnostic, we’re now making the capability available to a much larger community – a community that requires access to a high-capacity infrastructure where their traffic can be scrubbed rather than black-holed.” It was an opportune time to learn more about DDoS in general, and Tata’s detection and mitigation service in particular.
“DDoS,” he told me, “by its very nature is an attack that overwhelms the target’s resources, so we’ll see an increase in traffic going to the customer. It might ramp up slowly or very quickly, but it draws our attention.” The key to this is a monitoring tool that Tata deploys for its customers. “The tool that we deploy becomes smarter and smarter over time. It analyses what is considered normal traffic for a site; and it does that for what is normal on a Tuesday at lunchtime, or what’s typical for a weekend, or what’s typical during Christmas. The longer we have these sites under management, the more the tool understands what is normal traffic.
“So when we begin to see variations against the mean,” he went on, “if the standard deviation goes beyond a certain point, left or right of normal, then an alert will occur. And that can be caused by either volumes or types of traffic. DDoS attacks come in several different flavours, and the tool will be able to see the kind of attack from the metadata of the packet. So we can tell whether it’s a UDP attack or a SYN flood attack or any other variety of DDoS attack. When the traffic crosses our threshold, then an alert is sounded and one of our security analysts will go in and, with the help of the tool, determine what type or types of attack are under way (usually the attacks can be mixed) and then we apply our filters which will scrub the bad out and deliver clean back.”
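To make the detection approach described above concrete, here is an added illustration (my own example, not Tata’s tool or code): a baseline of packets per second is learned per weekday-and-hour bucket, an observation is flagged when it falls more than k standard deviations from that bucket’s mean, and the flavour of the traffic is named from packet metadata. All sample figures and the `BASELINE` and `SAMPLE_PACKETS` data are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline observations: (weekday, hour, packets_per_second).
# Tuesday lunchtime (1, 12) is deliberately much busier than Sunday 03:00 (6, 3),
# so the same volume can be normal in one bucket and anomalous in the other.
BASELINE = [
    (1, 12, 9800), (1, 12, 10200), (1, 12, 10050), (1, 12, 9900),
    (6, 3, 1200), (6, 3, 1100), (6, 3, 1250), (6, 3, 1150),
]

# Constructed packet metadata: mostly UDP with a SYN component, i.e. a mixed attack.
SAMPLE_PACKETS = (
    [{"proto": "udp"}] * 6
    + [{"proto": "tcp", "flags": "S"}] * 3
    + [{"proto": "tcp", "flags": "A"}]
)


def learn_baseline(samples):
    """Return {(weekday, hour): (mean_pps, stddev_pps)} learned from observations."""
    buckets = defaultdict(list)
    for weekday, hour, pps in samples:
        buckets[(weekday, hour)].append(pps)
    return {key: (mean(vals), pstdev(vals)) for key, vals in buckets.items()}


def is_anomalous(baseline, weekday, hour, pps, k=3.0):
    """Alert when the observation lies more than k standard deviations from the bucket mean."""
    mu, sigma = baseline[(weekday, hour)]
    sigma = max(sigma, 1e-9)  # a perfectly flat baseline must not divide by zero
    return abs(pps - mu) / sigma > k


def classify(packets, share=0.2):
    """Name every flavour holding at least `share` of the packets, from protocol and TCP flags."""
    if not packets:
        return []
    counts = defaultdict(int)
    for p in packets:
        if p["proto"] == "udp":
            counts["udp_flood"] += 1
        elif p["proto"] == "tcp" and p.get("flags") == "S":
            counts["syn_flood"] += 1
        elif p["proto"] == "icmp":
            counts["icmp_flood"] += 1
    # Reporting every flavour above the share makes mixed attacks show more than one label.
    return sorted(f for f, c in counts.items() if c / len(packets) >= share)
```

With this data, 10,200 pps is within the Tuesday-lunchtime baseline but far outside the Sunday-03:00 one, which is exactly the time-of-week sensitivity Rice describes.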
An attack, he told me, can build up pretty fast, but is detected before it can overwhelm the target. “We’ll see it coming from the four corners of our network. Although some of the traffic originates from within our network a lot of it comes from other networks, so we’ll see it coming through the peering points with other tier 1 ISPs [a peering point is the place where multiple networks meet and pass traffic from one to the other] – it doesn’t turn on like a light switch; we’ll see the traffic volume begin to build, build, build; and then depending on the SLAs that we’ve agreed with our customer, we do have thresholds that we watch. For a DDoS attack to be a DDoS attack it needs to have a certain volume, and once it crosses the threshold, we’ll alert the customer and let them know what’s going on and, with advice, ask them if they’d like us to mitigate. That’s typically how we do it.”
The next stage is to channel the traffic to Tata’s laundry sites. “We announce a route across our network that is advertised almost instantly across the entire internet. It draws in all the traffic destined for our customer to our scrubbing clusters that are situated globally near a peering point and we will scrub the traffic and then deliver it to the customer nice and clean.” Two things I wondered: how accurate is this scrubbing, and could the scrubbing clusters themselves be overwhelmed?
“We don’t start mitigating the attack,” he replied, “until after we’ve had a conversation with the customer. We do this every day, hundreds of times a month, with very large volumes of traffic. Before we start mitigating, customers have a hard time getting to their site, and after, we have no complaints. I am sure that legitimate traffic in some fashion now and then gets dropped. I think that’s inevitable. Any claim that we could get 100% accuracy on our filters would be wrong – but if we do drop good traffic it is an insignificant volume and would simply require the user to refresh the browser to get back.”
What about being overwhelmed? “That’s the big advantage – and one of the biggest advantages,” he said, “in having a very large network behind us. DDoS attacks are all about capacity; and we have the capacity. Tata Communications is the fourth largest ISP on earth. Theoretically, if we were to have a purely academic discussion, it is possible that any network could be overwhelmed; but there are a lot of reasons why that would be very unlikely. But if you were to buy your DDoS mitigation service from a provider that didn’t have such a large network then I think you are taking away one of those critical attributes of any DDoS mitigation service: having that huge network behind you to absorb the traffic, because that’s really what you need to do.”
But what about the future? How can we prevent DDoS attacks from happening in the first place, rather than just stopping them from succeeding? Adam didn’t specifically say so, but I got the impression that’s a long way off. “We think that the majority of the sources of the attacks are infected PCs or laptops,” he commented. And we all know how secure the average home computer tends to be. “Usually, the source address is fake. There are other clues that enable us to track back to the source so we can get a geographical idea – often Eastern Europe or Asia – but DDoS is generally truly global.” And that’s a problem in itself. “If one of our own users is knowingly or unknowingly participating in a DDoS attack, that user is violating our acceptable use policy and we will tell them that they have to stop that.” In other words, Tata can try to keep its own network clean. “But Tata Communications works in almost 200 international jurisdictions. The privacy laws in Europe are a great example of exactly why it is impossible for us to be proactive – whether we would want to or not doesn’t really matter, it is actually illegal in many countries and jurisdictions for us to even monitor our own networks for that kind of traffic if it is customer data.” And if the traffic is coming in via a peering point from another ISP, the problem just gets more difficult.
So since there’s no quick fix to the DDoS problem, I guess we’d better just carry on mitigating them. Pass it on to the Russian Embassy.