When every second counts, you need to make your response to a Distributed Denial of Service (DDoS) attack fast and decisive. A recent paper from NETSCOUT Arbor, which specialises in advanced DDoS protection solutions, clarifies how AI and automation can help to power faster and smarter responses to cyberattacks.
DDoS attacks aim to make an online service unavailable by overwhelming it with traffic from multiple sources. Bryan Hamman, territory manager for sub-Saharan Africa at NETSCOUT Arbor, explains, “Today’s DDoS attack is complex, as it frequently deploys a dynamic combination of at least three different attack vectors, all targeting different sections of your network. Volumetric attacks, like the memcached attacks that can reach terabits in size, are designed to saturate bandwidth; TCP state-exhaustion attacks target your first lines of defence, such as firewalls or IPS devices; and low-and-slow, difficult-to-detect application-layer attacks are targeted against critical applications.”
According to NETSCOUT Arbor’s 13th Annual Worldwide Infrastructure Report (WISR) of 2018, 52 percent of attacks are volumetric, 16 percent are TCP state-exhaustion and 32 percent are application layer, which is up from 26 percent the previous year.
Hamman continues, “If your business should be affected by a DDoS attack, you need systems that can act fast to identify the problem – which attack vector is being used, or are you fighting against a combination of different vectors? – and then be able to address it. The power of an intelligent, automated solution is that it can detect attacks early and deploy the appropriate response instantly. In this regard, NETSCOUT Arbor offers a number of different solutions.”
Hamman clarifies that NETSCOUT Arbor DDoS solutions leverage automation in three ways, namely the use of built-in countermeasures, a built-in threat intelligence feed, and cloud signalling.
Built-in countermeasures
Arbor Networks APS is the DDoS solution for enterprise and datacentre deployments. When APS detects a particular attack condition, such as a TCP SYN flood, traffic from blacklisted hosts or repeated connection attempts from a single host, it automatically enables or disables the appropriate countermeasures to mitigate those attack types, and provides detailed analytics and reporting on the events. If an attack is already in progress when APS is first deployed, its countermeasures can still activate immediately, because they do not depend on a learning period or traffic baselining. These built-in countermeasures are designed to work effectively right out of the box, but many can also be custom-configured to trigger on the basis of user-defined security policies and risk thresholds.
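To make the three detections named above concrete, here is an added example (written for this article, not NETSCOUT Arbor's own code or configuration) that evaluates one window of constructed TCP packet records against fixed thresholds and decides which countermeasures to switch on or off. The record layout, the `Policy` thresholds and the countermeasure names (`syn_authentication`, `per_source_block`, `blacklist_drop`) are hypothetical; the point is that static thresholds allow a verdict on the very first window, with no baselining period.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed packet records (not real capture data): one TCP packet each.
@dataclass(frozen=True)
class Packet:
    ts: float      # seconds within the window
    src: str
    dst: str
    flags: str     # TCP flags as a string: "S" = SYN, "SA" = SYN/ACK, "A" = ACK

# Hypothetical static policy: fixed thresholds, so no learning period is needed
# before the first decision can be made.
@dataclass(frozen=True)
class Policy:
    syn_flood_pps: float = 100.0   # SYNs per second toward one destination
    per_src_syns: int = 20         # connection attempts from one source per window
    window_s: float = 1.0          # minimum evaluation window length
    blacklist: frozenset = frozenset()

@dataclass
class Verdict:
    countermeasures: set = field(default_factory=set)  # names are illustrative
    blocked_sources: set = field(default_factory=set)
    syn_rate: dict = field(default_factory=dict)       # dst -> observed SYN/s

def evaluate(packets, policy):
    """Evaluate one window of packets against the policy and return a Verdict."""
    v = Verdict()
    if not packets:
        return v
    span = max(p.ts for p in packets) - min(p.ts for p in packets)
    window = max(span, policy.window_s)
    syn_per_dst, syn_per_src = Counter(), Counter()
    for p in packets:
        # Blacklisted hosts are dropped outright, before any rate accounting.
        if p.src in policy.blacklist:
            v.blocked_sources.add(p.src)
            v.countermeasures.add("blacklist_drop")
            continue
        if p.flags == "S":
            syn_per_dst[p.dst] += 1
            syn_per_src[p.src] += 1
    for dst, n in syn_per_dst.items():
        rate = n / window
        v.syn_rate[dst] = rate
        if rate > policy.syn_flood_pps:
            # SYN flood toward this destination: enable a SYN-authentication style countermeasure
            v.countermeasures.add("syn_authentication")
    for src, n in syn_per_src.items():
        if n > policy.per_src_syns:
            # Too many connection attempts from one host: block that source
            v.blocked_sources.add(src)
            v.countermeasures.add("per_source_block")
    return v

def reconcile(active, verdict):
    """Return (enable, disable) sets so countermeasures are switched on and off
    automatically as each successive window is evaluated."""
    return verdict.countermeasures - active, active - verdict.countermeasures

def attack_window():
    """Constructed one-second window: a spoofed SYN flood, one aggressive host,
    one blacklisted host and a little legitimate traffic (documentation IP ranges)."""
    target = "203.0.113.10"
    pkts = []
    # 150 spoofed sources, 2 SYNs each, spread over the second (300 SYNs)
    for i in range(300):
        pkts.append(Packet(i / 300, f"192.0.2.{i % 150 + 1}", target, "S"))
    # one real host hammering the target: 25 connection attempts
    pkts += [Packet(0.3 + i / 100, "198.51.100.7", target, "S") for i in range(25)]
    # a blacklisted host sending a few packets
    pkts += [Packet(0.5, "192.0.2.250", target, "S") for _ in range(3)]
    # legitimate clients: one SYN each, followed by an ACK
    for i in range(10):
        pkts.append(Packet(0.1 * i, f"198.51.100.{20 + i}", target, "S"))
        pkts.append(Packet(0.1 * i + 0.01, f"198.51.100.{20 + i}", target, "A"))
    return pkts

def quiet_window():
    """Constructed window with only the legitimate clients from attack_window()."""
    return [p for p in attack_window() if p.src.startswith("198.51.100.2")]

if __name__ == "__main__":
    policy = Policy(blacklist=frozenset({"192.0.2.250"}))
    verdict = evaluate(attack_window(), policy)
    print("enable:", sorted(verdict.countermeasures), "block:", sorted(verdict.blocked_sources))
    enable, disable = reconcile(verdict.countermeasures, evaluate(quiet_window(), policy))
    print("next window enable:", enable, "disable:", disable)
```

The attack window trips all three countermeasures at once: the aggregate SYN rate (335 SYN/s here) crosses the per-destination threshold even though each spoofed source sends only two packets, the single aggressive host is caught by the per-source count, and the blacklisted host is dropped before it is counted at all. On the following quiet window `reconcile` turns the SYN countermeasure off again, which is the "disable" half of the automation the paragraph describes. In a real deployment the thresholds would be tied to the capacity of the protected service and the devices behind the APS, not left at these illustrative defaults.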
Threat intelligence feed
Arbor’s Active Threat Level Analysis System (ATLAS) is described by the company as the world’s most extensive threat intelligence gathering platform, delivering near real-time visibility into threat activity across the internet worldwide. The Arbor Security Engineering and Response Team (ASERT) curates and operationalises this threat intelligence into threat policies and countermeasures, delivered via the ATLAS Intelligence Feed (AIF) directly into the Arbor APS and SP/TMS intelligent DDoS mitigation systems. The ATLAS Intelligence Feed contains a list of rules associated with different threat types, together with a risk level (high, medium or low) for each type, and it continually updates the Arbor deployment as new threat policies and rules are developed.
Cloud signalling
A layered or hybrid DDoS strategy, which combines on-premises and cloud-based mitigation capabilities, gives an organisation a scalable defence that can adapt to different types and sizes of attack. The on-premises device (Arbor APS) can immediately detect and mitigate the majority of smaller-scale, ‘low and slow’ attacks that typically target firewalls, IPS systems and network perimeter devices, whereas larger-scale volumetric attacks are best mitigated upstream at the service provider level in the cloud (using SP/TMS or Arbor Cloud). ‘Cloud Signaling’ is the mechanism NETSCOUT Arbor uses to make sure these two defensive components work in sync to thwart multi-layer attacks. If attack volume at the premises escalates to a user-specified threshold, Cloud Signaling can automatically trigger the cloud mitigation countermeasures. Security operators can also initiate Cloud Signaling manually when they see a growing threat.
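The threshold-triggered hand-off just described is easy to get wrong in practice: a single spike above the line should not bounce traffic into and out of the cloud scrubbing path, and a manual trigger must not be undone by the next quiet sample. The following added example (illustrative logic written for this article, not NETSCOUT Arbor's Cloud Signaling implementation) shows one way to make the escalation decision with a sustain count and a lower release threshold (hysteresis), plus an operator override. The `SignalPolicy` fields, the constructed traffic series and the return values are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SignalPolicy:
    escalate_gbps: float     # user-specified volume at which cloud mitigation is requested
    deescalate_gbps: float   # lower volume at which it is released (hysteresis, avoids flapping)
    sustain: int             # consecutive samples required on either side before acting

class CloudSignaler:
    """Decides when the premises device should ask the upstream cloud
    scrubbing service to take over. Hypothetical logic, not the vendor's."""

    def __init__(self, policy):
        self.policy = policy
        self.cloud_active = False   # is cloud mitigation currently engaged?
        self.manual = False         # pinned on by an operator?
        self.above = 0              # consecutive samples at or above escalate_gbps
        self.below = 0              # consecutive samples at or below deescalate_gbps

    def operator_override(self, engage):
        """Manual trigger: engage pins cloud mitigation on immediately; release
        only unpins it, after which the automatic rules take over again."""
        self.manual = engage
        if engage:
            self.cloud_active = True

    def sample(self, gbps):
        """Feed one attack-volume sample; return 'escalate', 'deescalate' or None."""
        p = self.policy
        self.above = self.above + 1 if gbps >= p.escalate_gbps else 0
        self.below = self.below + 1 if gbps <= p.deescalate_gbps else 0
        if not self.cloud_active and self.above >= p.sustain:
            self.cloud_active = True
            return "escalate"
        if self.cloud_active and not self.manual and self.below >= p.sustain:
            self.cloud_active = False
            return "deescalate"
        return None

def run(series, policy):
    """Replay a series of volume samples and return the (index, action) events."""
    s = CloudSignaler(policy)
    events = []
    for i, gbps in enumerate(series):
        action = s.sample(gbps)
        if action:
            events.append((i, action))
    return events

# Constructed attack-volume series in Gbps, one sample per interval: a ramp-up,
# a sustained flood, then a tail-off.
SERIES = [0.5, 0.6, 4.5, 5.2, 6.0, 9.0, 11.0, 3.0, 0.8, 0.7, 0.6]
# Hypothetical policy: signal at 5 Gbps, release below 1 Gbps, two samples to confirm.
POLICY = SignalPolicy(escalate_gbps=5.0, deescalate_gbps=1.0, sustain=2)

if __name__ == "__main__":
    print(run(SERIES, POLICY))   # escalate at sample 4, release at sample 9
```

Two caveats follow from the design. The escalate threshold has to sit below the premises device's and the upstream link's capacity with enough headroom that `sustain` sampling intervals of growth can be absorbed before the cloud takes over; otherwise the confirmation delay that prevents flapping becomes the window in which the link saturates. And the 3.0 Gbps sample in the series sits between the two thresholds, so it neither escalates nor releases: that dead band is what keeps an oscillating attack from toggling the cloud path on every sample.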
“Today’s security teams are under great pressure in terms of making critical, speedy judgements about which threats are legal and which corresponding defence measures to deploy. Cloud and enterprise environments present a combination of greater dependence on internet connectivity and a wider range of security threats, and this can overwhelm network and security operations teams. The beauty of automated solutions is that they buy you time by detecting attacks early and then automatically deploying the appropriate countermeasures. Intelligent automation goes one step further: by blocking attacks while not blocking legitimate traffic, as well as informing the operator regarding what was blocked and why. This presents users with context and supporting analytics,” concludes Hamman.
In précis, NETSCOUT Arbor automation works as follows:
- Arbor Cloud detects and mitigates volumetric attacks upstream before they can hit the organisation.
- Arbor APS stops ‘low and slow’ application layer attacks.
- Arbor Cloud Signaling intelligently routes traffic to the cloud mitigation service, thereby preventing on-premises protection from being overwhelmed.
- Arbor ATLAS Intelligence Feed sends continual alerts to security teams to inform them of developing threats and trends.
Staff Writer