BT to make DDoS mitigation affordable
ISPs could provide the answer to combatting DDoS attacks, according to BT, by providing customers with DDoS mitigation at a price far cheaper than buying it in directly.
According to Mick Creane, Head of Managed Security Strategy at BT, ISPs are in a unique position to be able to make DDoS mitigation affordable for their customers, and it’s something BT is already considering. ‘We’re looking at technology in the core of our network that would direct traffic through a “scrubbing centre”. This terminates requests, checks if they are valid and if they are not, drops them. Where they are valid, they are forwarded to the original destination,’ said Creane. ‘It’s expensive, but with BT you have economies of scale. So we would divert traffic as necessary [rather than route everything through the “scrubbing centre”].’
Creane said it’s something that its customers have been asking for, so offering such a service would simply be responding to the market, and the threat. He said DDoS mitigation would be sold as an add-on to its business packages, and the effectiveness of it would be written into a service level agreement.
‘I think that’s the way it’s going to go,’ he said. ‘You’ve got to go down the path of having cleaning at the core of the network… It’s certainly in our plans.’
Commercial websites are very much on their own when it comes to protecting themselves against a flood of traffic that can deliberately knock their business offline for days at a time during a distributed denial of service, or DDoS, attack.
What ISPs currently offer as standard is stone-age in terms of sophistication and more centred on protecting the ISP’s network than cleaning out DDoS traffic and ensuring that legitimate traffic reaches the affected sites.
Creane told us: ‘We want to protect the customer, but we also have to protect our own infrastructure. DDoS attacks are not a problem at the core, where we have acres of bandwidth, but as it gets out to the edge, where the routers and switching hardware is less substantial, then it can be quite damaging. A DDoS attack may not only affect that customer but also other customers on the same equipment, for example.’
Many ISPs use two methods to mitigate against DDoS attacks, said Creane. ACLs, or Access Control Lists, summarily block access to the network from ranges of IP addresses containing DDoS traffic, or to the target URL. But this blanket approach makes no allowance for legitimate traffic, and partially accomplishes the DDoS attackers’ goal, in rendering the target site unavailable or unusable.
‘The other thing you can do is weight limiting, where you throttle the amount of data directed at the target to a manageable pipe,’ he said. But this too results in legitimate visitors having a poor experience of the targeted website.
And that’s if the ISP notices the attack in the first place. ‘The first thing you have to do is to be able to detect the attack as soon as it happens,’ said Creane. ‘We have a range of monitoring systems looking at IP traffic flow on our network, so we’re alerted almost instantaneously. We work with Arbor Networks for this… But you also have to be aware that there may be surges of traffic that are genuine, so you have to make a judgement before dealing with it.’
This is no way to deal with the problem: neither the ISP nor the victim is satisfied with the results. And without a benchmark for handling attacks, victims have no expectation of support from their ISP, or recourse through it, when they get hit. ‘There are similarities in how ISPs deal with DDoS attacks on their networks, but there’s not an industry standard as such,’ said Creane.
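To make the trade-off between the three approaches described in this article concrete (ACL blocking, throttling, and the proposed scrubbing centre), here is an added illustration, not code from BT or Arbor Networks. The traffic sample, the addresses, the cap of 200 requests and the `valid` flag standing in for the scrubbing centre's check are all assumptions.

```python
import ipaddress
from collections import namedtuple

# One request as seen at the ISP edge. `valid` stands in for whatever check a
# scrubbing centre performs after terminating the request (an assumption here).
Request = namedtuple("Request", "src dst valid")

TARGET = "192.0.2.10"                             # constructed victim address
BLOCKED = ipaddress.ip_network("203.0.113.0/24")  # constructed ACL range

def sample_interval():
    """Constructed traffic for one interval: 900 bogus and 100 genuine requests
    to TARGET, interleaved 9:1. Every fifth genuine client sits in BLOCKED."""
    stream = []
    for i in range(100):
        stream += [Request(f"203.0.113.{(9 * i + j) % 200 + 1}", TARGET, False)
                   for j in range(9)]
        src = f"203.0.113.{201 + i // 5}" if i % 5 == 0 else f"198.51.100.{i + 1}"
        stream.append(Request(src, TARGET, True))
    return stream

def acl(stream):
    """Drop everything sourced from the blocked range, genuine or not."""
    return [r for r in stream if ipaddress.ip_address(r.src) not in BLOCKED]

def rate_limit(stream, cap=200):
    """Forward only the first `cap` requests seen in the interval."""
    return stream[:cap]

def scrub(stream):
    """Divert only TARGET-bound traffic; forward it if it passes validation."""
    return [r for r in stream if r.dst != TARGET or r.valid]

def outcome(forwarded):
    """Return (genuine requests delivered, bogus requests delivered)."""
    good = sum(r.valid for r in forwarded)
    return good, len(forwarded) - good

def compare():
    """Run the same constructed interval through each mitigation."""
    stream = sample_interval()
    return {f.__name__: outcome(f(stream)) for f in (acl, rate_limit, scrub)}

if __name__ == "__main__":
    for name, (good, bad) in compare().items():
        print(f"{name:10s} genuine: {good:3d}/100  bogus: {bad:3d}/900")
```

The ACL stops the flood but also cuts off the genuine clients that share the blocked range, and the throttle lets through attack and genuine traffic in the same proportion as they arrive, which is the poor visitor experience described above.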