Internet Service Providers to Deliver Security as a Service with Flowmon

02/12/15 Security

Some of significant present cyber threats are the attacks targeting government or finance institutions to cut them off the Internet, penetrations into protected systems or malware earning money for its creators. Most of these attacks come from computers of unsuspecting users that are under control of attackers and are part of botnet. What if an ISP protects end customers and connectivity provider protects ISP against cyber threats including DoS/DDoS?

Security As a Service via Flowmon Anomaly Detection System (ADS) allows customer to keep track of security incidents on their internet connectivity. The customer's Internet traffic is monitored with Flowmon Probes, and the collected data is evaluated by sophisticated behavior analysis using Flowmon Threat Intelligence and methods detecting security risks. Service provider gives the customer regularly reports of the security risks in their network (detected attacks against computers in the customer network, scanning computers, spam generation, etc.), enabling them to react promptly and minimize their impact on users.

What cyber threats are reliably detected?

  • Infected nodes in the network

  • Dictionary attacks to guess a username/password

  • Increased use of network services

  • Sending or attempting to send SPAM

  • Devices in the network attacking to the internet

  • Suspicious communication in DNS traffic

  • Communication with botnet command and control centers

An output from the Anomaly Detection is a report of detected events, which is automatically being sent to defined e-mail addresses of customer.

DDoS Detection as a Service

DDoS (Distributed Denial of Service) attacks are focused on restricting availability of a service. DDoS is based on mobilization of large number of sources simultaneously at the same timean aim to saturate all available bandwidth.
Effective protection against DDoS attacks requires application of deep traffic inspection methods and mitigation mechanisms.

Figure 2. DDoS Attack Detail

Figure 3: DDoS Attack List

When DDoS attack is detected, Flowmon initiates the mitigation process using Scrubbing Centre. Flowmon supports RTBH and BGP FlowSpec to redirection of defected traffic.

How does the DDoS protection work

Flowmon Collector equipped with DDoS Defender module continuously observes and profiles volumetric characteristics of network traffic to create and maintain dynamic baselines. In case of an unexpected increase of network traffic it triggers pre-configured actions including alerting (e-mail, syslog, SNMP trap), traffic diversion (policy based routing, border gateway protocol, remotely triggered black hole), execution of script or mitigation through specific out-of-band DDoS mitigation system. Flowmon DDoS Defender enables to define individual detection profiles that correspond with different IP ranges, subnets or network services. In case that DDoS attack is detected all the attack characteristics including top 10 source IP addresses, subnets, autonomy systems and countries, L4 protocols and interfaces are part of the attack details.

Figure 4: DDoS Protection Architecture
 

Flowmon DDoS Defender together with Radware DefensePro appliance and Vision management appliance represent DDoS protection ecosystem designed to protect largest infrastructures and internet backbones. Native integration of DDoS Defender with Vision via RESTful API enables to manage multiple DefensePro appliances via standard management interface and dynamically configure network protection profiles while providing DefensePro with details about the attack and baselines of standard network traffic. Traffic diversion capabilities of DDoS Defender include policy based routing for local ISPs and BGP support for Tier 1 networks, Telcos and transit operators to divert the traffic to DefensePro DDoS mitigation appliance deployed out-of-band.

ČD-Telematika (a prominent provider of wholesale internet, data and voice services, and a leading supplier of fibre-optic infrastructure management, maintenance and construction services) offers anomaly detection and DDoS protection for their customers using Flowmon. They have become a pioneer in the Security as a Service field in Czech Republic and proved, that whole process of mitigation DDoS attack takes from 3 to 10 minutes. Moreover, reducing the granularity of flow statistics to 1 min batches (planned for Q1/2016) will shorten the whole mitigation process to only 1-3 minutes.