Prior to January 2014, a typical DDoS attack against our Net Access customers could easily be intercepted and mitigated by our well-trained NOC staff. As an ISP, we have been dealing with DDoS attacks for many years. The first generation of attacks were small volumetric or packet attacks destined for IRC servers. Our staff would simply “blackhole” the server that was being attacked and eventually the attack would go away. We had plenty of capacity on hand to absorb these attacks and mitigate them without customer impact.
Over the past several years, we built our own tools that hooked into industry-available traffic monitoring and analysis systems such as NetFlow. With the addition of NetFlow we were able to see who was being attacked and who was doing the attacking. Our monitoring systems would alert us when a customer was being attacked, and we could then use NetFlow to find the source of the attack. We would then put an ACL (Access Control List) on the customer's interface, blocking the attack. The attackers would usually get frustrated at their lack of success and stop trying. Again, back then, we had plenty of capacity in the network on hand to absorb these attacks and, other than the actual customer being attacked, there was no collateral damage to anyone else within our environment.
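The flow-based triage described above (who is being attacked, who is attacking), as an added example that is not Net Access's own tooling. The text record layout, the threshold, the export window and the sample addresses are constructed assumptions.

```python
from collections import Counter

# Constructed sample flow records (not real traffic) for one 60-second window.
# Fields: src_ip dst_ip proto src_port dst_port bytes (RFC 5737 addresses).
SAMPLE_FLOWS = """\
198.51.100.7 203.0.113.10 udp 123 41000 4500000
198.51.100.8 203.0.113.10 udp 123 41000 3500000
198.51.100.9 203.0.113.10 udp 123 52311 2500000
192.0.2.44 203.0.113.10 udp 123 52311 1500000
192.0.2.80 203.0.113.10 tcp 51514 443 60000
192.0.2.81 203.0.113.20 tcp 40022 443 150000
"""
WINDOW_S = 60              # assumed export interval in seconds
THRESHOLD_BPS = 1_000_000  # assumed alert threshold, scaled down for the sample

def parse_flows(text):
    """Parse flow lines into tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        p = line.split()
        if len(p) == 6 and all(x.isdigit() for x in p[3:]):
            flows.append((p[0], p[1], p[2], int(p[3]), int(p[4]), int(p[5])))
    return flows

def find_victims(flows, window_s=WINDOW_S, threshold_bps=THRESHOLD_BPS):
    """Who is being attacked: destinations whose inbound bit rate exceeds the threshold."""
    per_dst = Counter()
    for _src, dst, _proto, _sport, _dport, nbytes in flows:
        per_dst[dst] += nbytes
    return {dst: b * 8 / window_s for dst, b in per_dst.items()
            if b * 8 / window_s > threshold_bps}

def attack_profile(flows, victim, top_n=3):
    """Who is attacking: dominant (proto, source port) and its heaviest sources."""
    to_victim = [f for f in flows if f[1] == victim]
    by_sig = Counter()
    for _src, _dst, proto, sport, _dport, nbytes in to_victim:
        by_sig[(proto, sport)] += nbytes
    sig, sig_bytes = by_sig.most_common(1)[0]
    by_src = Counter()
    for src, _dst, proto, sport, _dport, nbytes in to_victim:
        if (proto, sport) == sig:  # count only traffic matching the signature
            by_src[src] += nbytes
    return {"signature": sig, "share": sig_bytes / sum(by_sig.values()),
            "top_sources": [s for s, _ in by_src.most_common(top_n)]}

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for victim, bps in find_victims(flows).items():
        print(victim, f"{bps / 1e6:.2f} Mbps", attack_profile(flows, victim))
```

The dominant protocol and source port, together with the heaviest sources, are the fields an operator would need when writing the blocking ACL for the customer's interface.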
DDoS - A Game Changer
The game changed in the early part of this year, when we saw our first 40+ Gbps DDoS attack. A volumetric attack of this size can fill ports to 100% capacity in a matter of minutes. Events like this can cause latency and dropped packets across an entire network, negatively affecting Internet-facing customers. We have spoken to many of our contacts, partners, suppliers, competitors and experts in the industry - they are all seeing the same rapid increases and growth in DDoS attacks and experiencing the same types of issues we are. These attacks are exceptionally large, UDP-based and frequent. We all agree this is definitely an industry-wide and Internet-wide problem.
What Is Net Access Doing About DDoS Attacks?
In response to this rapidly growing problem, we have taken, or are in the process of taking, the following steps:
Expanding our network capacity with the addition of more ports, peering bandwidth, upstream bandwidth, new high capacity border routers and greater metro backbone capacity – in total spending over $1m on new equipment alone in the past few months.
Crafted many custom filters to lessen the impact of these large attacks by stopping them at the borders, which in turn keeps the majority of the bad traffic from reaching its destination (typically a customer).
Deployed an in-network advanced early warning system that provides Analytics and Monitoring with DDoS Mitigation to rapidly identify new attacks natively and, by referencing the DDoS Fingerprint database, automatically alert the NOC.
Implemented processes to deploy new filters at the borders, using data provided by our early warning system, to stop attacks with new signatures.
We understand our customers running critical applications need 100% network uptime, and even a couple of minutes of congestion is completely unacceptable. These upgrades allow us to exponentially increase our network capacity, which allows us to detect, absorb and mitigate these next generation attacks, limiting the impact to our Internet-facing customers to an absolute minimum.
Application and protocol attacks destined for our customers have also increased in frequency and complexity. Attackers know they can easily defeat firewalls or servers by throwing a large number of packets at them. So in addition to the steps Net Access is taking to protect the borders and network and to mitigate attacks, we have made our Arbor Networks-based Analytics and Monitoring with DDoS Mitigation solution available to customers as a managed service, providing yet another line of defense.
The Managed DDoS Mitigation service will notify customers and our Network Operation Center (NOC) of an attack on their environment as it starts. Customers can then choose to log into our custom web portal and mitigate the attack themselves or let the Net Access NOC mitigate the attack for them, providing a completely hands-off solution.
How Good Is This?
As recently as last week, we intercepted a 40-60 Gbps DDoS attack targeted at one of our Internet-facing customers. We identified the attack, mitigated and blocked it in under 4 minutes – and that’s before we have completed all the upgrades! So we are more than confident that we’ll do an even better job in the very near future!
Dan Spataro, VP of Engineering