Post on 25-Apr-2020
Effective protection of your infrastructure against attacks from the Internet – highly available Internet access
White Paper
DDoS Protection Service Distributed Denial of Service (DDoS)
Technical Product Information
Version 3.1
DDoS Protection Service
(Distributed Denial of Service)
Swisscom (Switzerland) Ltd.
Corporate Business
P.O. Box
CH - 3050 Bern
Free phone 0800 800 900
Free fax 0800 800 905
E-mail info.corporatebusiness@swisscom.com
Internet http://en.swisscom.ch/corporatebusiness
Document White Paper DDoS
Version 3.1
File BIS_IPP_WP_DDoS_mm03104-en.doc
Date 01/03/2016 Page 2/18
Contents
1 DDoS Attacks – a really existing risk
2 Problem description
2.1 Background
2.1.1 Intentions of the attacker and kinds of attacks
2.1.2 Development of DoS attacks
2.1.3 DDoS attacks from a regular IP address
2.1.4 Motivation for DDoS attacks
2.2 Prerequisite for a DDoS attack
2.3 The sequence of a DDoS attack
2.3.1 General sequence of a (malicious) attack
2.3.2 Preparation and sequence of a (malicious) attack
2.4 Developments and the effects of DDoS attacks
3 Protective measures against DDoS attacks
3.1 Blackhole defence
3.2 Current protective measures with the DDoS Protection Service
3.2.1 General features
3.2.2 Traffic anomaly detection
3.2.3 Threat Management System
4 DDoS Protection Service from Swisscom
4.1 Filtering process of a DDoS attack
4.2 Option DDoS Protection enhanced
5 Summary
5.1 Solution alternatives
5.2 Danger and damage potentials
5.3 Managed Service
6 Glossary
This White Paper was created on the basis of currently known parameters. The technical solution may still be subject to last-minute
changes during the implementation. We are available for questions or comments about this White Paper.
1 DDoS Attacks – a really existing risk
Risk management in an enterprise is the responsibility of top management, which has to assess potential security risks regularly and preventively. In fully interconnected IT environments in particular, real threats exist that constantly change and take on new forms. DDoS (Distributed Denial of Service) attacks belong to these risks. This White Paper examines these security risks in detail and describes effective defence mechanisms.
DDoS attacks have to be included in an enterprise's risk analysis like any other threat (location of and access to the building, fire protection, electrical power supply, access to internal documents etc.). Given their enormous threat and damage potential, they have to be treated on an equal footing. Current risk analyses and recommendations can be found on the web page of the Reporting and Analysis Centre for Information Assurance MELANI ("Melde- und Analysestelle Informationssicherung") at http://www.melani.admin.ch/dokumentation.
2 Problem description
2.1 Background
Since the early days of the Internet, "denial-of-service" (DoS) attacks have been a fact of life. The goal of these attacks is to severely restrict the availability of certain online systems and/or services, or to deny service completely. Usually the attacker attempts to make the attacked systems crash by exploiting vulnerabilities in operating systems, programs and services, or basic design flaws in the network protocols used on the Internet.
2.1.1 Intentions of the attacker and kinds of attacks
Alternatively, the online systems are overloaded to the point where they no longer work properly. The goal of a pure DoS attack is therefore not to steal confidential data or to circumvent user authentication mechanisms, but to severely disrupt or immobilise the service platforms of online providers such as e-shops, content providers, financial service providers (e.g. e-banking), government agencies (e.g. e-government) etc. The attacked web sites and/or services may then be unavailable for anything from a few minutes up to a few days.
Unlike in other attacks, the perpetrator does not usually infiltrate the computer networks and therefore does not need any passwords (or similar information). However, a DoS attack can be one component of a larger attack on a system. For example, one online system is rendered inoperable by a DoS attack to cover up the actual attack on one of the customer's other systems: the IT staff responsible for administration are distracted by the surge in data traffic, allowing the actual attempted attack to go unnoticed.
2.1.2 Development of DoS attacks
DoS attacks are increasingly refined and therefore difficult for non-specialists to recognise. For more than ten years, for example, a multitude of different PCs rather than a single PC have been used for large-scale co-ordinated attacks on individual online systems or networks. The individual PC user whose PC is part of a so-called botnet normally does not notice any loss of performance when working or surfing the Internet while an attack is underway. The number of PCs involved in an attack can range from several hundred to several hundred thousand attacking at any one time, and they can be located nationally, internationally or inter-continentally across the global Internet. Within such a "Distributed Denial-of-Service"
(DDoS) attack, the attacker exploits the combined capacity of many PCs. Thus even sites with high-performance online systems and broadband network connections can be successfully disrupted, and ironically it is the broadband networks themselves that supply the necessary bandwidth.
2.1.3 DDoS attacks from a regular IP address
One special type is the "Distributed Reflected Denial of Service" (DRDoS) attack. Here the attacker does not address his data packets directly to the victim but to public Internet services (reflectors), entering the IP address of the victim as the sender. Forged source addresses of this kind are referred to as "IP spoofing", and they make it practically impossible to determine the origin of the attack from the victim's side. The responses of the reflectors to these requests, and the resulting overload of the victim's systems, constitute the actual DoS attack.
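To make the reflection mechanism concrete, here is an added Python model (not part of the white paper, and not Swisscom's or Arbor's code) of a DRDoS attack against three constructed reflectors, together with the countermeasure the paragraph implies but does not name: source-address ingress filtering at the attacker's access provider (BCP 38 / RFC 2827). All addresses, the amplification factor of 30 and the packet sizes are constructed assumptions.

```python
"""Model of a reflected DoS (DRDoS) attack and of BCP 38 ingress filtering.
Added illustration; hosts, addresses and byte sizes are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str   # source address as written into the IP header (may be forged)
    dst: str
    size: int  # bytes on the wire
    kind: str  # "request" or "response"


# Constructed open reflectors (think: DNS resolvers that answer anyone) with
# their amplification factor, i.e. response bytes per request byte.
REFLECTORS = {"198.51.100.1": 30, "198.51.100.2": 30, "198.51.100.3": 30}
ATTACKER_NET = ipaddress.ip_network("192.0.2.0/24")  # prefix of the attacker's access link
ATTACKER = "192.0.2.77"
VICTIM = "203.0.113.10"


def spoofed_requests(n_per_reflector: int, req_size: int = 60) -> list[Packet]:
    """The attacker sends requests to the reflectors but writes the victim's
    address into the source field, so every reply is delivered to the victim."""
    return [Packet(src=VICTIM, dst=r, size=req_size, kind="request")
            for r in REFLECTORS for _ in range(n_per_reflector)]


def bcp38_ingress_filter(pkts: list[Packet], prefix: ipaddress.IPv4Network) -> list[Packet]:
    """Access router of the attacker's ISP: forward a packet only if its source
    address belongs to the prefix assigned to that link (BCP 38 / RFC 2827)."""
    return [p for p in pkts if ipaddress.ip_address(p.src) in prefix]


def reflect(pkts: list[Packet]) -> list[Packet]:
    """Each reflector answers, amplified, to whatever source address it saw."""
    return [Packet(src=p.dst, dst=p.src, size=p.size * REFLECTORS[p.dst], kind="response")
            for p in pkts if p.kind == "request" and p.dst in REFLECTORS]


def run(n_per_reflector: int, ingress_filter: bool) -> dict:
    """Simulate one attack and report what the victim sees."""
    sent = spoofed_requests(n_per_reflector)
    forwarded = bcp38_ingress_filter(sent, ATTACKER_NET) if ingress_filter else sent
    at_victim = [p for p in reflect(forwarded) if p.dst == VICTIM]
    attacker_bytes = sum(p.size for p in sent)
    victim_bytes = sum(p.size for p in at_victim)
    return {
        "attacker_bytes": attacker_bytes,
        "victim_bytes": victim_bytes,
        "amplification": victim_bytes / attacker_bytes if attacker_bytes else 0.0,
        # the victim's logs show only reflector addresses, never the attacker
        "sources_seen_by_victim": sorted({p.src for p in at_victim}),
    }


if __name__ == "__main__":
    print(run(100, ingress_filter=False))
    print(run(100, ingress_filter=True))
```

The victim's logs list only the reflectors; the attacker's address never appears in any packet, which is why tracing the origin from the victim's side is hopeless, and why the fix has to be applied at the network that lets forged source addresses out rather than at the victim.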
2.1.4 Motivation for DDoS attacks
The origins of and motives for these attacks vary widely. They range from computer enthusiasts without monetary interests, through revenge or protest against a particular company or organisation, up to professional hacker organisations. Anyone can hire such a group to run a DDoS attack via an online portal, paying by credit card; for little money, managed attacks are offered e.g. as a "24-hour stress test". Quite often malicious threats are made or attempts at extorting protection money follow. Professionally active organisations carry out attacks with a clear intention, either in their own interest or on behalf of a third party.
Figure 1: Motivations for DDoS attacks (© ARBOR Networks)
2.2 Prerequisite for a DDoS attack
DDoS attacks as a means of extortion are usually launched via so-called bot networks (botnets). They comprise from several dozen up to several hundred thousand computers infected with Trojan horses or worms. The fact that most computers connected via broadband networks have a fixed IP address and are usually online makes DDoS attacks even easier. Because most computers connected to the Internet have inadequate or non-existent protective measures, the user usually does not notice that the computer is infected or has become part of a bot network; the performance of a PC involved in a DDoS attack and its connection bandwidth are generally not affected in any perceptible way. Typical bot networks are made up of several hundred to several thousand infected PCs, which can be activated arbitrarily, and on a timed basis, for attacks by the bot network's administrator/controller. The misuse of networked computers has also increased noticeably now that TCP/IP protocols are very widespread and have become practically common knowledge.
Figure 2: Globally active botnet sources (http://atlas.arbor.net/worldmap/index)
2.3 The sequence of a DDoS attack
2.3.1 General sequence of a (malicious) attack
Up to now, the following attack models have been subject to discussion in Internet blogs or forums:
Model 1
A company with an Internet presence receives an extortion letter demanding the payment of a specific
sum to be paid by a set deadline. If the deadline passes without payment, the attacks threatened in the
extortion letter are immediately initiated. The web servers are then attacked by an enormous number of
requests as a result. Depending on the bandwidth, it takes very little time for the web site and its e-
services (e-shop, e-banking…) to become inaccessible.
Model 2
A company’s online presence is blocked without warning by a DDoS attack for unknown reasons. During
the attack, the attacked party receives a letter claiming responsibility, e.g. by e-mail (e.g. via alternative
Internet access) or fax demanding either payment to an account by a certain deadline or another
condition that must be met. If this deadline passes without payment, the attacks are continued.
Model 3
The online platform of a company is attacked without any warning. The aim is to cause lasting damage to the company; the attack can run from a few minutes up to several weeks.
2.3.2 Preparation and sequence of a (malicious) attack
As already mentioned, several computer systems are involved in a DDoS attack. The attack sequence, or the network of attackers, can be described as follows:
An attacker (also called a client) commissions…
…one or more masters (also called handlers). They control…
…several daemons (also called agents). These then attack…
…a victim.
Analysis
The attacker communicates over an Internet connection (often from an illegitimately used IP address) with the distributed masters. He uses scanning tools to find out their IP addresses and/or which TCP or UDP ports are open. Potential targets of attacks and their vulnerabilities are identified with the help of Internet security scanners. Over the same channel the attacker obtains root rights on the server systems and at the same time checks which services and ports are active (and therefore "open") on them.
Script creation
Once the security weaknesses have been revealed, the attacker generates a script (= a program that runs automatically) and places it in the stolen accounts. He later uses these scripts to attack precisely these weaknesses. Existing toolkits are often used to create the script files, which makes them much easier to use. The attacker now defines his future daemon and master systems. Other storage locations are used to hold the pre-compiled binaries of the daemons for the master systems. The attacker then creates a script that works through the list of computers that have been "taken possession of" and another script which automatically performs the installation in the background.
Script installation
Because this process is automated, a widespread denial-of-service network can be created without the knowledge of the actual system owners. The master programs, which play a key role in the attacker's network, are then installed with extreme care. Optionally a rootkit (an "administrator kit") that conceals the presence of the programs, files and network connections may also be installed. The master programs are preferably installed on so-called "primary name server hosts". Because these are designed for an extremely high volume of network traffic, a large number of network connections run on such server systems. This has two key advantages for the attacker: on the one hand, the base load (processors and network) camouflages the additional network traffic on the master very well; on the other hand, such server systems are not prematurely disconnected from the network even if a DDoS is suspected, because the role they play in the company's network is too important.
Start of the attack
At a later time, the attacker sends the attack command including the victim's data (IP address, port number, type of attack, start and stop time) to the masters. During the attack, this is the attacker's only outgoing traffic. Once the attack has started, its continued control and co-ordination lies entirely with the masters (= computers acting as servers), which control a set number of daemons (processes running in the background). To ensure that not all daemons are rendered unusable at once when a master is discovered by a network sniffer, the attackers distribute the masters into functional sub-areas. The daemons in turn run on other computers and can be dispersed globally across the network. Only the daemon systems carry out the actual attack, when instructed by the master. This can be, for example, a SYN flood attack: the daemons send the victim system packets requesting a TCP connection (SYN packets). For each one the victim reserves a connection slot and sends back what is known as a SYN-ACK packet. Because the attacker has spoofed the source IP address (i.e. is not using his own address), the SYN-ACK goes to a host that never asked for a connection and the victim never receives the final ACK. The victim system retransmits the SYN-ACK and finally discards the half-open connection after a timeout that can last several minutes depending on the operating system. If not just one such request but many are sent in parallel, the victim's connection table fills with half-open connections and the computer is blocked for all practical purposes.
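As an added illustration of the SYN-flood mechanics described above (not from the white paper), the following Python model keeps the victim's half-open connection table with a bounded backlog and timeout, floods it with SYNs from forged sources that never complete the handshake, and then shows the stateless defence most operating systems offer: SYN cookies, where the server encodes a keyed MAC over the connection 4-tuple and a coarse time slot into its initial sequence number instead of storing state. Backlog size, timeout, secret and addresses are constructed.

```python
"""SYN flood against a bounded half-open backlog, with and without SYN cookies.
Added model; backlog, timeout, secret and addresses are constructed."""
from __future__ import annotations

import hashlib
import hmac
import itertools
from dataclasses import dataclass

SERVER = ("203.0.113.10", 443)
COOKIE_SECRET = b"constructed-per-boot-secret"  # a real kernel draws this at random
TIME_SLOT = 64  # seconds; a cookie is valid for the current and the previous slot


@dataclass
class HalfOpen:
    isn: int        # server's initial sequence number sent in the SYN-ACK
    created: float  # arrival time of the SYN


class Listener:
    """Model of a listening TCP socket. Without SYN cookies every SYN occupies
    a slot in a bounded backlog until the final ACK arrives or the SYN-ACK
    retransmissions time out; with SYN cookies nothing is stored per SYN."""

    def __init__(self, backlog: int, timeout: float, syncookies: bool) -> None:
        self.backlog = backlog
        self.timeout = timeout
        self.syncookies = syncookies
        self.half_open: dict[tuple[str, int], HalfOpen] = {}
        self.established: set[tuple[str, int]] = set()
        self.dropped_syns = 0
        self._isn = itertools.count(1000)

    def _cookie(self, client: tuple[str, int], slot: int) -> int:
        """ISN = 3 bits of time slot + 29 bits of keyed MAC over the 4-tuple
        and the slot. The server can recompute it; a client cannot forge it."""
        msg = f"{client[0]}:{client[1]}:{SERVER[0]}:{SERVER[1]}:{slot}".encode()
        mac = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
        return ((slot & 0x7) << 29) | (int.from_bytes(mac[:4], "big") & 0x1FFFFFFF)

    def _expire(self, now: float) -> None:
        """Give up on half-open connections whose SYN-ACK was never acknowledged."""
        for key, h in list(self.half_open.items()):
            if now - h.created >= self.timeout:
                del self.half_open[key]

    def on_syn(self, client: tuple[str, int], now: float) -> int | None:
        """Return the ISN placed in the SYN-ACK, or None if the SYN is dropped."""
        self._expire(now)
        if self.syncookies:
            return self._cookie(client, int(now) // TIME_SLOT)  # stateless
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None
        isn = next(self._isn)
        self.half_open[client] = HalfOpen(isn, now)
        return isn

    def on_ack(self, client: tuple[str, int], ack: int, now: float) -> bool:
        """Third handshake packet: ack must equal the server ISN + 1."""
        self._expire(now)
        if self.syncookies:
            slot = int(now) // TIME_SLOT
            if any(ack - 1 == self._cookie(client, s) for s in (slot, slot - 1)):
                self.established.add(client)
                return True
            return False
        h = self.half_open.get(client)
        if h is not None and ack == h.isn + 1:
            del self.half_open[client]
            self.established.add(client)
            return True
        return False


def scenario(syncookies: bool) -> dict:
    """1000 SYNs from forged sources that never answer the SYN-ACK, then one
    legitimate client two seconds later."""
    srv = Listener(backlog=128, timeout=60.0, syncookies=syncookies)
    for i in range(1000):
        srv.on_syn((f"198.51.100.{i % 250 + 1}", 10000 + i), now=i / 1000)
    legit = ("192.0.2.55", 51234)
    isn = srv.on_syn(legit, now=2.0)
    connected = isn is not None and srv.on_ack(legit, isn + 1, now=2.1)
    return {"half_open": len(srv.half_open), "dropped_syns": srv.dropped_syns,
            "legit_connected": connected}


if __name__ == "__main__":
    print("no cookies :", scenario(syncookies=False))
    print("syncookies :", scenario(syncookies=True))
```

On Linux the equivalent kernel mechanism is controlled by the sysctl net.ipv4.tcp_syncookies (0 = off, 1 = use cookies once the backlog overflows, 2 = always). SYN cookies keep the listener reachable but do not reduce the inbound packet rate, so a flood that saturates the access link itself still needs upstream filtering of the kind described in chapter 3.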
2.4 Developments and the effects of DDoS attacks
Ongoing investigations by ARBOR Networks since 2002, in collaboration with the most important Internet Service Providers (ISPs), show a significant increase in the bandwidth intensity of DDoS attacks at a consistently high frequency. Primary targets are commercial Internet and network services (e.g. Domain Name System (DNS) servers). The most commonly used methods are UDP floods (sending large quantities of UDP packets to randomly selected ports until the target becomes inaccessible) and TCP SYN floods (leaving the handshake for establishing a TCP connection incomplete), while known vulnerabilities in application protocols also support the attacks. The number and intensity of DDoS attacks have risen continuously since then.
Figure 3: Development of DDoS attacks (© ARBOR Networks)
Practical experiences and observations
Unfortunately, and despite their enormous threat potential, DDoS attacks are normally not considered, or only as a secondary concern, in the risk analyses of enterprises.
Given the clearly existing threat level, DDoS attacks have to be put on an equal footing with the commonly known risks in the general risk analyses of enterprises.
Figure 4: Number of DDoS attacks per month (© ARBOR Networks)
Inoperable e-services can result in huge losses in revenue. In addition, the reputation of the attacked company and the confidence of its customers suffer seriously, particularly if the company conducts a large part of its business online. Suitable DDoS protection tools and the corresponding services of a professional Internet provider are therefore indispensable for recognising and fending off DDoS attacks. They represent the fastest and most secure method of keeping the company's own Internet service platform in operation, which on the one hand strengthens the confidence of its customers and on the other hand ensures constant business volumes on the platform.
Figure 5: Average duration for staving off DDoS attacks (© ARBOR Networks)
3 Protective measures against DDoS attacks
3.1 Blackhole defence
Effective protection of the accessibility of both secured and unsecured systems is generally only possible to a very limited extent using the attacked party's own IT resources. Unsecured systems are designed for the express purpose of communicating with practically any other system and responding dynamically to fluctuations in load. Almost all known measures focus on preventing a company's own systems and networks from being misused for a DDoS attack; only a small number of effective protective measures can diminish the effects of an attack on oneself. Up to now, protective measures have relied on black hole or sinkhole technology to disable the attacked service: the undesirable data streams are rerouted in their entirety to a discard interface on the backbone gateways (->Route to Null0) and neutralised there.
Figure 6: Principle of blackhole technology
Advantages: Blackhole technology protects the web infrastructure from attacks, but only to a limited extent.
Disadvantages: All data streams to the blackholed destination are discarded, legitimate ones included, so the company can no longer receive data from specific sections and regions of the network. Combating undesired data streams in the ISP backbone on the basis of black hole technology is complex and requires in-depth routing knowledge.
3.2 Current protective measures with the DDoS Protection Service
3.2.1 General features
The DDoS Protection Service is an option to the IP-Plus Business Internet Service from Swisscom and has the following characteristics:
Effective protection of the Internet infrastructure from DDoS attacks (attacks of up to 40 Gbit/s can currently be filtered)
Pro-active alerting via e-mail, SMS, SNMP traps and syslog when DDoS attacks occur
Access for "friendly users" is maintained during DDoS attacks
Full access to the management platform, including monitoring and reporting, during DDoS attacks
Direct defence against DDoS attacks via the management platform by the customer's security or network administrator
Dynamic identification and blocking of DDoS attacks
7x24h helpdesk/support by the DDoS expert team
No hardware installation required at the customer's site
Figure 7: Function of the DDoS Protection Service (option to the IP-Plus Business Internet Service)
Advantages: The traffic streams in the backbone are continuously monitored by the DDoS Protection Service. If a deviation from the baseline (= the bandwidth profile continuously recorded over 24 hours) occurs, a low, medium or high alert, depending on the size of the deviation, is proactively sent straight to the individual responsible for the system via e-mail, SMS, SNMP trap or syslog. Based on the alert information, the customer can systematically counter the DDoS attack either alone or with 2nd or 3rd level support from the Swisscom helpdesk.
Disadvantage: In-depth knowledge is required to assess traffic anomalies. Where this knowledge is not available in-house, specialists are available around the clock.
3.2.2 Traffic anomaly detection
What is known as traffic anomaly detection is based on several Arbor Peakflow systems. With these systems the data stream in the IP-Plus Internet backbone is recorded and analysed for anomalies. The baseline data is recorded continuously and dynamically by the Peakflow systems: the day of the week, the time and the bandwidth measured at that time are registered along with protocol conformity. This baseline data is then used as comparison data for alerting the company to DDoS attacks. When an alert is raised, its level (low, medium, high) is determined by the deviation between the baseline and the actually measured throughput of the data stream. With this information the traffic towards the company's own infrastructure can be continuously monitored and analysed.
Figure 8: Status view via customer portal
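An added example (not the Peakflow implementation and not Swisscom's thresholds) of the baseline comparison described in this section: a per-weekday, per-hour, per-protocol bandwidth baseline is learnt from four weeks of constructed hourly samples, and a current measurement is graded none/low/medium/high by its deviation from the expected value. The threshold factors 1.5/3/5 are assumptions chosen for illustration.

```python
"""Baseline-versus-measurement DDoS alerting by weekday, hour and protocol.
Added illustration; samples and threshold factors are constructed."""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert thresholds: multiple of the expected bandwidth for the same
# weekday, hour and protocol. The white paper names the levels, not the factors.
THRESHOLDS = (("high", 5.0), ("medium", 3.0), ("low", 1.5))
LEVEL_ORDER = ("none", "low", "medium", "high")


def build_baseline(samples):
    """samples: iterable of (timestamp, protocol, bits_per_second).
    Returns {(weekday, hour, protocol): mean_bps} learnt from the history, so
    that a Tuesday 10:00 reading is compared with earlier Tuesdays at 10:00."""
    buckets = defaultdict(list)
    for ts, proto, bps in samples:
        buckets[(ts.weekday(), ts.hour, proto)].append(bps)
    return {key: statistics.fmean(vals) for key, vals in buckets.items()}


def classify(baseline, ts, measured):
    """measured: {protocol: bps} for the current interval. Returns the alert
    level per protocol plus 'overall' (the highest). A protocol with no
    comparison data gets 'none': never alert on a missing baseline."""
    levels = {}
    for proto, bps in measured.items():
        mean = baseline.get((ts.weekday(), ts.hour, proto))
        if mean is None:
            levels[proto] = "none"
            continue
        ratio = bps / mean if mean > 0 else float("inf")
        levels[proto] = next((lvl for lvl, factor in THRESHOLDS if ratio >= factor), "none")
    overall = max(levels.values(), key=LEVEL_ORDER.index) if levels else "none"
    return {**levels, "overall": overall}


def constructed_history(weeks: int = 4, start: datetime = datetime(2016, 2, 1)):
    """Four weeks of hourly TCP/UDP samples with a business-hours profile and a
    little deterministic jitter (constructed, not measured data)."""
    out = []
    for h in range(weeks * 7 * 24):
        ts = start + timedelta(hours=h)
        business = ts.weekday() < 5 and 8 <= ts.hour < 18
        tcp = (100e6 if business else 30e6) + (h % 5) * 1e6
        udp = 5e6 + (h % 3) * 0.5e6
        out.append((ts, "tcp", tcp))
        out.append((ts, "udp", udp))
    return out


def demo() -> dict[str, dict]:
    """Grade four constructed measurements against the learnt baseline."""
    base = build_baseline(constructed_history())
    now = datetime(2016, 3, 1, 10)  # a Tuesday, business hours
    return {
        "normal": classify(base, now, {"tcp": 102e6, "udp": 5.5e6}),
        "udp_flood": classify(base, now, {"tcp": 110e6, "udp": 40e6}),
        "volumetric": classify(base, now, {"tcp": 400e6, "udp": 5.5e6}),
        "unknown_proto": classify(base, now, {"icmp": 1e6}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} {result}")
```

The per-protocol baseline is the reason for recording "protocol conformity": in the udp_flood case the total bandwidth rises by barely a third, which no aggregate threshold would flag, while the UDP share is seven times its Tuesday 10:00 norm. The "none" result for a protocol without history is deliberate; alerting on a missing baseline produces exactly the false alarms that the section on customer-initiated filter activation warns about.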
3.2.3 Threat Management System
To defend against DDoS attacks, Swisscom uses what is known as a Threat Management System (TMS). In the event of an attack, the traffic destined for the attacked system can be rerouted through the TMS. The TMS analyses this traffic, efficiently distinguishes between non-malicious and malicious traffic and filters the latter out. The filtered, and therefore legitimate, traffic is then forwarded to its original destination.
4 DDoS Protection Service from Swisscom
4.1 Filtering process of a DDoS attack
The first four steps of the DDoS attack filtering process are:
1. Additional DDoS traffic (attack traffic)
2. Recognition of the malicious DDoS attack (malicious traffic recognition)
3. Automatic alerting via DDoS Protection Service (alerting/notification)
4. Manual activation via DDoS Protection Management Platform (DDoS filter activation)
Figure 9: Defence against a DDoS attack (1/2)
The next three and final steps of the DDoS attack filtering process are:
5. The malicious data traffic is rerouted via the TMS (malicious traffic rerouting)
6. Active filtering of the DDoS traffic (active DDoS filtering)
7. Normal forwarding of the legitimated data traffic (legitimated traffic)
Figure 10: Defence against a DDoS attack (2/2)
The TMS filter function is always activated by the customer. The customer's knowledge of their own network operations avoids false alarms triggered, for example, by a planned software upgrade, which under certain circumstances can be detected as a traffic anomaly.
The following activation options are available:
Direct activation of the TMS by user name/password on a protected web site (->https), including secure authentication with a client certificate
Activation or support via the 7 x 24h help desk, with the following response times via remote maintenance:
  Mon - Fri, 7 a.m. – 6 p.m.: < 1 hr.
  Mon - Sun, 7 a.m. – 6 p.m.: < 2 hrs.
If the attack is currently saturating the customer's Internet connection, the TMS can alternatively be reached by web browser via a Mobile Unlimited connection, a dedicated xDSL connection or another Internet access technology.
4.2 Option DDoS Protection enhanced
For even more efficient protection, the option DDoS Protection enhanced can be implemented as an additional enhancement. It is based on hardware installed near the WAN/LAN boundary at the customer's location. This hardware permanently analyses the traffic flow "inline" up to and including the OSI application layer (layer 7). An SSL inspection function allows the detection and neutralisation of the increasing number of attacks carried over encrypted IP sessions. Based on the configured rules, the anomaly level is determined continuously and unambiguous attack traffic is filtered automatically. If a pre-defined anomaly level is exceeded, help from the cloud is requested via cloud signalling.
If an operator decides to mitigate the situation, a new anycast address is set via the DDoS Protection Service as the new next hop for the attacked IP address. The traffic is now redirected through the Threat Management System (TMS), filtered there and forwarded via a GRE tunnel, free of attack traffic, directly to the customer router.
Figure 11: Enhanced defence of a DDoS attack with DDoS Protection enhanced
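To contrast the blackhole defence of section 3.1 with the diversion through the TMS described in 3.2.3, 4.1 and here, the following added Python model (not Swisscom's or Arbor's code) runs the same constructed traffic mix through a longest-prefix-match forwarding table three times: unprotected, with a /32 null route for the victim, and with the /32 pointing at a constructed anycast address of the scrubbing system whose clean output returns to the customer router through a GRE tunnel. The per-source packet limit used as the "TMS filter" is a stand-in for the real countermeasures, which the white paper does not detail.

```python
"""Null route (blackhole) versus diversion through a scrubbing system, modelled
on a longest-prefix-match FIB. Added illustration; prefixes, next hops and the
per-source filter are constructed."""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    malicious: bool  # ground truth for the model only; no router knows this bit


class Fib:
    """Longest-prefix-match forwarding table of a backbone router."""

    def __init__(self) -> None:
        self.routes: dict[ipaddress.IPv4Network, str] = {}

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst: str) -> str | None:
        addr = ipaddress.ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        return self.routes[max(matches, key=lambda n: n.prefixlen)] if matches else None


CUSTOMER_PREFIX = "203.0.113.0/24"
CUSTOMER_ROUTER = "customer-router"  # normal next hop for the whole /24
TMS_ANYCAST = "192.0.2.1"            # constructed anycast address of the scrubbing system
VICTIM = "203.0.113.10"
OTHER_HOST = "203.0.113.20"          # another host in the same /24


def baseline_fib() -> Fib:
    fib = Fib()
    fib.add(CUSTOMER_PREFIX, CUSTOMER_ROUTER)
    return fib


def blackhole(fib: Fib, victim: str) -> None:
    """Destination-based blackhole: a host route for the victim to Null0 wins
    longest-prefix match over the /24, so every packet to it is discarded."""
    fib.add(f"{victim}/32", "Null0")


def divert(fib: Fib, victim: str) -> None:
    """Diversion: the same host route, but pointing at the scrubbing system;
    the rest of the /24 keeps its normal path."""
    fib.add(f"{victim}/32", TMS_ANYCAST)


def tms_scrub(pkts: list[Packet], per_source_limit: int = 3) -> list[Packet]:
    """Stand-in for the TMS countermeasures (constructed: a per-source packet
    limit in the window). Sources above the limit are dropped; the clean
    remainder is handed to the GRE tunnel back to the customer router."""
    seen = Counter(p.src for p in pkts)
    return [p for p in pkts if seen[p.src] <= per_source_limit]


def forward(fib: Fib, pkts: list[Packet]) -> dict[str, int]:
    """Push traffic through the FIB and count where it ends up."""
    out = {"delivered_legit": 0, "delivered_attack": 0, "null0": 0, "tms_dropped": 0}
    to_tms: list[Packet] = []
    for p in pkts:
        nh = fib.lookup(p.dst)
        if nh == "Null0":
            out["null0"] += 1
        elif nh == TMS_ANYCAST:
            to_tms.append(p)
        elif nh == CUSTOMER_ROUTER:
            out["delivered_attack" if p.malicious else "delivered_legit"] += 1
    clean = tms_scrub(to_tms)
    out["tms_dropped"] = len(to_tms) - len(clean)
    # Clean traffic travels GRE-encapsulated to the customer router, so the /32
    # pointing at the TMS is not consulted a second time (no routing loop).
    for p in clean:
        out["delivered_attack" if p.malicious else "delivered_legit"] += 1
    return out


def sample_traffic() -> list[Packet]:
    """Constructed mix: 20 legitimate clients to the victim, 10 to another host
    in the same /24, and a flood of 500 packets from 50 sources."""
    legit = [Packet(f"198.51.100.{i}", VICTIM, False) for i in range(1, 21)]
    other = [Packet(f"198.51.100.{i}", OTHER_HOST, False) for i in range(1, 11)]
    flood = [Packet(f"100.64.0.{i % 50 + 1}", VICTIM, True) for i in range(500)]
    return legit + other + flood


def compare() -> dict[str, dict[str, int]]:
    """Same traffic, three forwarding tables."""
    plain, holed, diverted = baseline_fib(), baseline_fib(), baseline_fib()
    blackhole(holed, VICTIM)
    divert(diverted, VICTIM)
    return {"no_mitigation": forward(plain, sample_traffic()),
            "blackhole": forward(holed, sample_traffic()),
            "diversion": forward(diverted, sample_traffic())}


if __name__ == "__main__":
    for name, counts in compare().items():
        print(f"{name:14s} {counts}")
```

The counts show the trade-off the two sections describe: blackholing removes the attack from the backbone but discards the 20 legitimate clients along with it, while diversion leaves the neighbouring host untouched and delivers the legitimate traffic. The GRE return tunnel is what makes diversion work at all: once the victim's /32 points at the scrubber, clean traffic can only reach the customer if it travels encapsulated to the customer router, otherwise it would be pulled straight back into the scrubber.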
The option DDoS Protection enhanced raises the security level to cover all seven OSI layers. The most important advantages are:
Immediate protection against DDoS attacks on the application layer which could endanger the availability of services and applications.
Automatic recognition and blocking of DDoS attacks before services are disrupted. This requires no, or only minimal, user intervention, which reduces the burden on the IT security officer.
5 Summary
5.1 Solution alternatives
The customer currently has a choice between three different options:
1. The customer infrastructure has no DDoS defence mechanisms. An attack therefore quickly takes effect and the web site goes offline.
2. A DDoS device is installed at the customer's site directly in front of the firewall. If the bandwidth of the DDoS attack exceeds the bandwidth of the access link, the web site goes offline too.
3. In the third and most effective alternative, the DDoS attack is detected before it enters the ISP backbone and can be filtered accordingly. In this setup the attack traffic is filtered out and the legitimate traffic continues to be routed to the web service, so that the service can practically be kept online throughout.
Figure 12: Possible solution alternatives for defending against DDoS attacks
The option DDoS Protection enhanced offers additional protection, including permanent local inline traffic analysis up to and including OSI layer 7.
5.2 Danger and damage potentials
During the past 12 months an above-average growth rate of DDoS attacks on enterprises in different
sectors and on political organisations was registered in Switzerland. In a case study, a real DDoS
attack on an enterprise with an online platform was documented, including the course of the attack and its
defence. The analysed attack traffic originated mainly from Peru, Chile, China, Taiwan, the USA, Egypt and
Kenya. The progression of the attack clearly showed that it was actively directed against the customer.
This was illustrated, among other things, by the appearance of another traffic peak some two days
after the start of the first attack: the attacker was testing whether the online services could be disrupted by
intensifying the attack traffic. This attempt, too, ended unsuccessfully thanks to the DDoS Protection
Service from Swisscom. Without its activation the online services would have been unavailable for at least
two days. The attack would have caused considerable damage, financially (loss of sales) on the one hand and
to the company's image on the other. The latter damage is hard to quantify, but all the more lasting.
5.3 Managed Service
The DDoS Protection Service is set up in the IP Plus Business Internet backbone as a Swisscom Managed
Service, using the IP address range requested by the customer. This setup allows the Internet access to be
continuously monitored for anomalies and the customer to be alerted depending on the defined bandwidth
limits. Direct access to the TMS provides an efficient tool that allows the customer to perform an in-
depth analysis of the data traffic aimed at his infrastructure and to protect himself immediately in the case of
an attack. Of course, Swisscom also provides the customer with the best possible support in this process.
6 Glossary
Term Explanation
AS Autonomous System
ASN Autonomous System Number
BGP Border Gateway Protocol
Blackhole "Blackholes" are used to route all IP packets sent to an attacked system to the Null0 interface.
Botnet A botnet can be described as a network of remotely controlled PCs which were infected with worms, Trojan horses or other malware and which can be misused for specific attacks on demand.
CPE Customer Premises Equipment
DDoS Distributed Denial of Service
DNS Domain Name System
GRE Generic Routing Encapsulation (serves the encapsulation of other protocols and their transport via a tunnel over IP)
HTTPS Secure Hyper Text Transport Protocol
IP Internet Protocol
ISP Internet Service Provider
Mpps Mega packets per second
OSI Open System Interconnection (reference model for data networks; it consists of seven communication layers with different tasks)
PC Personal Computer
SAP Service Access Point
SMS Short Message Service
SNMP Simple Network Management Protocol (is used for the management of network elements like routers, switches, printers etc.)
SSL Secure Sockets Layer (encryption protocol for secure data transmission)
TCP Transmission Control Protocol
TMS Threat Management System
UDP User Datagram Protocol