Financial losses caused by denial-of-service (DoS) attacks stand second only to the toll caused by viruses, according to a recent study by the Computer Security Institute and the US Federal Bureau of Investigation. We asked Thomas Arthur, CEO of Arbor Networks, about DoS attacks and whether service providers and their customers are doing enough to protect their networks. Arbor's PeakFlow SP product, a traffic and routing management platform that defends against DoS and worm attacks, is deployed by 70 service providers worldwide.
Are DoS attacks getting worse? Are your customers seeing new types?

There are more attacks and different types than ever before. We have service provider customers that are actively mitigating and reconfiguring their networks due to three to five DoS attacks per day. They are mitigating DoS attacks on behalf of a customer, a peering partner or because they are worried about their own infrastructure. A DoS attack threatens all three. ... What makes the DoS problem tricky is if you are an endpoint under attack and your uplink is flooded, there is virtually nothing you can do. You are dependent on your service provider to mitigate that attack as far upstream as they can get it, or you are not available.

What is the source for most DoS attacks?

Who's doing it is always an interesting question. These attacks are massively distributed. That's what makes them so nasty. The attacker, whoever they are, can be controlling thousands of machines halfway around the world. One recent anomaly is very targeted attacks. There are those that are blackmailing others. The MyDoom attack was specifically going after SCO because the attacker didn't like the company.

Are service providers doing enough to thwart attacks?

They're really starting to step up. Service providers such as AT&T are offering DoS services. They are actively protecting the edge between themselves and other service providers, typically called private peering connections. And now they are starting to offer services to help customers protect their transport layer. (Editor's note: Sprint and MCI also offer DoS mitigation services in the US, as Telus does internationally.) It's natural for the service providers to sell these services because they own the bandwidth and the upstream area where mitigation should be. They also own the network where detection and trace-back needs to be.

In the past, carriers have talked about how they've been sharing information regarding large DoS attacks. Is that still going on, and how important is it?

It's true service providers have been calling each other when DoS attacks strike because their networks are connected. Collaboration is absolutely important. They do help each other to get really bad attacks under control. It's a win-win. Also, Arbor is coming out with a product that will allow service providers to share, in real time, a detailed description of these attacks. It's all about saving time and having a very efficient conversation between support engineers to get a DoS attack off-line.

If I'm a user shopping around for a new IP service provider, what should I ask so I know I'm getting the best protection against attacks?

Ask if they have any assurances in their service-level agreement regarding DoS attacks. Ask what process they use when and if an attack occurs. Make sure the service provider can offer a solution. Customers need to understand that fighting DoS requires expense and manpower from the service provider, and customers should expect to pay a premium for it. And it's worth the premium.

What should companies be doing inside their own networks to reduce vulnerabilities?

We're hoping large enterprises start segmenting the inside of their networks to boost the perimeters. The perimeters are not what they used to be, so we want to create virtual perimeters on the inside of their networks.

Are corporations doing enough to thwart internal threats?

For an enterprise, security has always been deployed at the DMZ. They have firewalls and VPNs and other gear to stop hackers trying to get to their network. All security has been around the DMZ. Actually securing the internal operating network is new. A worm isn't a threat to the DMZ. It's a threat because once it's inside there is no firewall to stop it, and a worm has free rein to infect everything. The worm may have come in through your firewall, but more likely it came in on a mobile computer that someone brought into the office and connected to the network. A worm requires a new approach to security.