Source: manuals.ddos-secure.net/General/DDoS_Secure_Managed_Service_Description.pdf

Managed DDoS Service – Service Description and SLA

Created by: Ian Nice

Document Version: 2.1

Document Publication Date: 1st June 2017

Document Classification: Public


NCC Group | Page 2 Document Version 2.1 – 01/06/2017

Copyright and Confidentiality Statements

This document is Copyright NCC Group. All rights reserved.

The contents of this document may not be copied or duplicated in any form, in whole or in part, without the prior written permission of NCC Group.

The information in this document is subject to change without notice. NCC Group shall not be liable for any damages resulting from technical errors or omissions which may be present in this document, or from use of this document.

This document is an unpublished work protected by the United Kingdom copyright laws and is proprietary to NCC Group. Disclosure, copying, reproduction, merger, translation, modification, enhancement, or use of this document by anyone other than authorised employees, authorised users, or licensees of NCC Group without the prior written consent of NCC Group is prohibited.

Control Information

Customer Name

Document Title Managed DDoS Service – Service Description and SLA

Version 2.1

Publication Date 01/06/2017

Prepared By Ian Nice

Classification Commercial in Confidence

Version | Date | Author | QA | Change summary
1.6 | 01/07/2015 | Ian Nice | Lee Driver | Removed Juniper references
2.0 | 18/05/2016 | Ian Nice | Lee Driver | Migration to NCC Group service description format
2.1 | 01/06/2017 | John Saunders | Jon Shallow | Grammar corrections


1. Introduction

Purpose

The purpose of this document is to set out a clear description of the NCC Group Managed DDoS protection service, and the capabilities delivered to customers.

Service overview

Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks are an attempt to make a machine, application or network resource unavailable to its intended users by overwhelming the resource with valid and invalid requests. DDoS attacks have evolved over recent years to be highly complex; they can be used in isolation, or as one component within a series of events used by an attacker to breach a network's integrity.

The service is designed to stop DoS and DDoS attacks and to respond to changing network conditions. Should the NCC Group Distributed Denial of Service Secure (DDOS Secure) technology identify an unusual trend in traffic activity, or that a protected service's performance is beginning to degrade, an alert will be generated and the solution can optionally take automatic defensive steps to resist resource exhaustion.

Analysts in the NCC Group 24/7 Security Operations Centre (SOC) will monitor alarms generated by the platform and undertake agreed remediation actions, which can include DDOS Secure local traffic cleaning and using BGP Flowspec to notify your ISP to block traffic. Our analysts will also escalate incidents to you, using a pre-agreed escalation process for all incident notifications.

Figure 1 – Managed DDOS Protection Service

The managed service is underpinned by NCC Group DDOS Secure technology, which provides the DDoS protection mechanisms. If a protected server is subjected to a DoS attack, its ability to serve valid traffic will be affected; for example, the TCP backlog queue may reach capacity and the server may start to drop network traffic. This drop in performance is identified by DDOS Secure and defensive measures can be applied.

At this point only those IP addresses with a good behavioural pattern will receive a sufficiently high rating to be allowed to communicate with the protected device. Using this approach, NCC Group DDOS Secure actively defends against network-traffic-based flood attacks.
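The backlog-queue symptom described above can also be observed directly on a Linux host: for a LISTEN socket, `ss -lnt` reports the current accept-queue depth in Recv-Q and the configured backlog limit in Send-Q, and /proc/net/netstat counts ListenOverflows and ListenDrops. The Python below is an added illustration, not DDOS Secure code and not part of this document; it parses constructed samples of both outputs (not real captures) and flags listeners whose accept queue is near saturation. The column positions and counter names follow the iproute2 and kernel formats; the 90% threshold is an assumption.

```python
"""Flag listening sockets whose accept queue is close to its backlog limit,
and read the kernel's listen-overflow counters. Added illustration, not
DDOS Secure code; the samples below are constructed, not captured."""

# Constructed sample of `ss -lnt` output. For a LISTEN socket, Recv-Q is the
# current accept-queue depth and Send-Q is the configured backlog limit.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  511     512     0.0.0.0:443         0.0.0.0:*
LISTEN  40      4096    0.0.0.0:80          0.0.0.0:*
"""

# Constructed subset of /proc/net/netstat: a header line of counter names
# followed by a line of values, both prefixed "TcpExt:".
SAMPLE_NETSTAT = """\
TcpExt: SyncookiesSent SyncookiesRecv ListenOverflows ListenDrops
TcpExt: 1034 512 87 87
"""


def parse_ss_listen(text):
    """Return [{local, queued, backlog}] for each LISTEN row."""
    sockets = []
    for line in text.splitlines()[1:]:          # skip the column header
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        sockets.append({"local": parts[3],
                        "queued": int(parts[1]),
                        "backlog": int(parts[2])})
    return sockets


def saturated_listeners(text, threshold=0.9):
    """Local addresses whose accept queue is at or above `threshold` of backlog.
    A queue pinned near its limit means the kernel is about to drop completed
    handshakes, which is the symptom described in the text."""
    return [s["local"] for s in parse_ss_listen(text)
            if s["backlog"] > 0 and s["queued"] / s["backlog"] >= threshold]


def listen_overflow_counters(text):
    """Pick the counters relevant to backlog exhaustion out of /proc/net/netstat.
    ListenOverflows/ListenDrops increasing between two readings confirms that
    connections are being discarded rather than merely queued."""
    lines = text.splitlines()
    for names_line, values_line in zip(lines, lines[1:]):
        if names_line.startswith("TcpExt:") and values_line.startswith("TcpExt:"):
            counters = dict(zip(names_line.split()[1:],
                                map(int, values_line.split()[1:])))
            return {k: counters.get(k, 0)
                    for k in ("SyncookiesSent", "ListenOverflows", "ListenDrops")}
    return {}


if __name__ == "__main__":
    print("saturated:", saturated_listeners(SAMPLE_SS))
    print("counters:", listen_overflow_counters(SAMPLE_NETSTAT))
```

In live use the two readings would be taken a few seconds apart and the counter deltas compared; a non-zero ListenOverflows delta alongside a saturated queue is the point at which the server described above starts dropping connections from legitimate clients as well as attackers.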


Overview

Table 1 shows the key features of the managed DDoS protection service:

Design, installation and configuration

Service initiation meeting

Site to SOC VPN implementation

On premise DDOS protection

24/7 security monitoring

Around the clock health monitoring

Support for issue resolution

Vendor ticket management

Proactive patching and upgrade

Service reporting

Configuration backup and restore

Access to managed service portal

Monthly service reporting

Table 1 - Service features

Supported platforms

The NCC Group managed DDoS protection service supports virtual and appliance based installations of:

NCC Group DDOS Secure

Juniper DDOS Secure (now known as NCC Group DDOS Secure)

2. Service commissioning

This section describes the service commission phase for the managed DDoS protection service.

Design, installation and configuration

NCC Group maintains a structured approach to service design and delivery, which is determined by the network design and the applications being protected by the service. This might include discussion of high availability requirements, network throughput and device placement. NCC Group professional services engineers will work with the customer to design the solution and implement the DDOS Secure configuration and rule set.

Figure 2 - Commissioning

Our professional services team will also work with the customer to agree how the defensive technologies should react when an attack is identified. The DDOS Secure appliances can apply defensive techniques automatically, or can simply alarm the NCC Group SOC so that our customers can make informed decisions.

This setup process might include:

Setup of initial alerting options from the DDOS Secure Appliances

Setup of management access from the NCC Group SOC

Configuration to allow traffic from any known penetration testing networks

Configuration and CHARM boosting of any preferred administration clients or networks

Setup of access control list for traffic by protocol per host

Configuration of maximum connections per server/per IP

Configuration of maximum connections per second per server/per IP

Configuration of backlog queue per server/per IP

Configuration of port or IP bandwidth limits

Configuration of port or IP packets per second

Configuration of DDOS Secure thresholds for alerting

Configuration of network interface speeds

Establishment of threat response limits

Configuration of BGP Flowspec to enable up stream blocking to protect your network link (where supported by your ISP)

Configuration of the optional cloud based scrubbing service.

Service initiation meeting

Following completion of the initial service setup tasks, the NCC Group service management team will arrange a service initiation meeting. The aim of this meeting is to provide a smooth transition of the client's service into live operation. The meeting will be attended by the client and the NCC Group service manager, who will be responsible for the ongoing management of the service.

Following the meeting these documents will be agreed:

Client contact and escalation matrix

Authentication passphrase

Contact and escalation matrix

Incident handling and escalation procedure

Service reporting schedule.

Process for gaining approval to work with the client's ISP to mitigate attacks.

Site to SOC VPN implementation

NCC Group will work with the customer to implement resilient site-to-site IPsec VPNs. NCC Group will provide customer hardware and installation support where required (as specified in the customer order form or proposal document). Establishing the VPN allows the managed service to commence, and the VPN is used to forward events to the SOC.

3. Service features

On premise DDoS protection

A typical DDoS outage occurs when resources are unable to handle the volume of connection requests at a particular time. This might be an induced malicious attack using a botnet, or it could be a legitimate 'flash crowd' effect during peak traffic periods. To the end user there is no difference: at best a degradation in response times, at worst a disruption in the resource's availability resulting in an outage with potentially serious repercussions.

The managed DDoS protection service is underpinned by on premise deployed NCC Group DDoS secure technology, which provides DDoS detection and defence capabilities.


Figure 3 - DDOS Secure Detection

More details of the NCC Group DDoS secure technology can be found in the DDoS Datasheet, available from your account manager on request.

BGP Flowspec ISP notifications

The DDOS Secure on-premise solution is installed on the customer's network, and is designed to identify DDoS traffic patterns and provide defensive capabilities. However, the limitation of any on-premise DDoS mitigation solution is that it cannot prevent volumetric attacks from saturating the customer's Internet bandwidth. Whilst targeted attacks focused on a specific server may use only a relatively small amount of the available network bandwidth, modern attacks often use a very large number of attacking machines, which can saturate the organisation's entire Internet link.

The DDOS Secure appliance supports injecting BGP Flowspec rules, which carry filtering information upstream to your ISP over the BGP protocol. With Flowspec, the SOC can make granular decisions about what traffic to ask the ISP to drop. Under Flowspec mitigation, routers within the ISP can be instructed to add Access Control List (ACL) entries that prevent or limit traffic from specific IP addresses from traversing your ISP link, effectively black-holing volumetric attack traffic at the ISP before it reaches your connection.

The NCC Group DDOS Secure appliance supports two BGP Flowspec ACL injection modes, which are configured by NCC Group professional services consultants during initial setup. The appliance can automatically inject BGP Flowspec ACLs to the ISP to ask for the traffic to be dropped when an attack is detected. Alternatively, the appliance can simply propose recommended Flowspec ACLs, which must be manually approved in the DDOS Secure interface by analysts in the NCC Group SOC once appropriate approval has been received from your security team.
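What a Flowspec "ACL" actually carries on the wire is worth seeing, because the manual-approval mode described above depends on an analyst reading the rule before it reaches the ISP. The Python below is an added illustration, not DDOS Secure or NCC Group code and not part of this document: it encodes a rule matching a destination prefix, IP protocol and destination port into an RFC 5575 Flowspec NLRI, builds the traffic-rate extended community that asks the ISP to rate-limit matching traffic (rate 0 means discard), and decodes an NLRI back into a readable rule. The prefixes and ports are constructed examples, and only the IPv4 component types needed for such rules are implemented.

```python
"""Encode/decode BGP Flowspec (RFC 5575) IPv4 rules of the kind an on-premise
appliance proposes to an upstream ISP. Added illustration only; not DDOS Secure
or NCC Group code. Prefixes and ports below are constructed examples."""
import ipaddress
import struct

# Component types (RFC 5575 section 4); only those needed here are implemented.
DEST_PREFIX, SRC_PREFIX, IP_PROTO, DEST_PORT, SRC_PORT = 1, 2, 3, 5, 6
NAMES = {DEST_PREFIX: "dst", SRC_PREFIX: "src", IP_PROTO: "proto",
         DEST_PORT: "dport", SRC_PORT: "sport"}

# Numeric operator byte layout: e a len len 0 lt gt eq
OP_END = 0x80      # last {operator, value} pair in this component
OP_LEN2 = 0x10     # value is 2 octets (len bits = 01); 1 octet when clear
OP_EQ = 0x01       # equality match; entries without the AND bit are ORed


def _prefix_component(type_id, cidr):
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8           # only significant octets are sent
    return bytes([type_id, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(type_id, values):
    """Match if the field equals any of `values` (each value <= 65535)."""
    out = bytearray([type_id])
    for i, v in enumerate(values):
        op = OP_EQ | (OP_LEN2 if v > 0xFF else 0)
        if i == len(values) - 1:
            op |= OP_END
        out.append(op)
        out += v.to_bytes(2 if v > 0xFF else 1, "big")
    return bytes(out)


def encode_flowspec_nlri(dst=None, src=None, proto=None, dport=None, sport=None):
    """Build the NLRI: length prefix, then components in ascending type order."""
    body = b""
    if dst:
        body += _prefix_component(DEST_PREFIX, dst)
    if src:
        body += _prefix_component(SRC_PREFIX, src)
    if proto:
        body += _numeric_component(IP_PROTO, proto)
    if dport:
        body += _numeric_component(DEST_PORT, dport)
    if sport:
        body += _numeric_component(SRC_PORT, sport)
    if len(body) < 0xF0:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body   # extended 2-octet length


def traffic_rate_community(rate_bytes_per_sec, asn=0):
    """Traffic-rate extended community (type 0x8006): 2-octet AS, IEEE float rate.
    A rate of 0 tells the ISP to discard matching traffic."""
    return struct.pack("!HHf", 0x8006, asn, float(rate_bytes_per_sec))


def decode_flowspec_nlri(nlri):
    """Parse an NLRI back into a dict, so the rule can be read before approval."""
    if nlri[0] >= 0xF0:
        length, pos = ((nlri[0] & 0x0F) << 8) | nlri[1], 2
    else:
        length, pos = nlri[0], 1
    end = pos + length
    rule = {}
    while pos < end:
        type_id = nlri[pos]
        pos += 1
        if type_id in (DEST_PREFIX, SRC_PREFIX):
            plen = nlri[pos]
            pos += 1
            nbytes = (plen + 7) // 8
            addr = nlri[pos:pos + nbytes].ljust(4, b"\0")   # restore trimmed octets
            pos += nbytes
            rule[NAMES[type_id]] = f"{ipaddress.IPv4Address(addr)}/{plen}"
        else:
            values = []
            while True:
                op = nlri[pos]
                pos += 1
                size = 1 << ((op >> 4) & 0x03)            # 1, 2, 4 or 8 octets
                values.append(int.from_bytes(nlri[pos:pos + size], "big"))
                pos += size
                if op & OP_END:
                    break
            rule[NAMES[type_id]] = values
    return rule


if __name__ == "__main__":
    # Proposed rule: discard UDP/53 towards the protected /24 (a DNS reflection flood).
    nlri = encode_flowspec_nlri(dst="192.0.2.0/24", proto=[17], dport=[53])
    print("NLRI:", nlri.hex())
    print("action:", traffic_rate_community(0).hex())
    print("analyst view:", decode_flowspec_nlri(nlri))
```

The decoder is the part an approval workflow needs: a rule that drops everything towards a prefix (destination prefix only, no protocol or port) looks almost identical on the wire to one that drops a single reflected service, and the difference is exactly the business impact the SOC is being asked to sign off.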


Figure 4 - BGP Flowspec Volumetric Protection

Note: Not all Internet Service Providers (ISPs) support BGP Flowspec ACL requests. NCC Group professional services team will work with your network engineers and your ISP to identify if this service feature can be enabled.

24/7 security monitoring

When unusual traffic patterns are detected by the DDOS Secure appliance, an alarm will be raised to the NCC Group 24/7 SOC for triage. Security events will be escalated to the customer in line with the escalation process defined during the service initiation meeting and governed by the security triage SLA.

Where possible, NCC Group analysts will also use correlation logic to attempt to identify attackers who have attacked any of our other Managed DDoS prevention customers. We use this information to raise the severity of attacks when they begin, and provide context to allow us to quickly focus on high severity threats.

Where specified within the device configuration, NCC Group analysts will evaluate the events reported by the DDOS Secure appliance and work with you to take appropriate action to reduce the effects of either an attack or excess traffic on the protected systems. Any actions recommended will be based on best practice and the security analyst's professional opinion, taking into account:

Severity of the attack

Nature of the attack

Information from other DDOS Secure devices

Professional experience of other events.

In the event that an attack is ongoing, NCC Group engineers will apply approved configuration changes to the DDOS Secure appliance in a timely manner, in line with the security triage target remediation SLA. In the event that the customer's ISP has the capability to support upstream blocking and the NCC Group SOC has received explicit authority to block a specific attack, we will work with the ISP to block significant attacks upstream to prevent bandwidth exhaustion. This may include use of Border Gateway Protocol (BGP) Flowspec to request that the ISP black-hole traffic for specific Internet addresses.

Important note: The response times set out in our SLAs apply to remediation settings being applied to the DDoS Secure appliance or requesting a change from the Customer’s ISP. Actual remediation of DDoS is reliant on the appliance, ISP and BGP peering time on the Internet and is therefore out of scope of the SLA.


During the period of the managed service contract, the NCC Group SOC will work with the customer to provide ongoing baselining of the configuration, and to tune out alerts associated with approved activities such as vulnerability scans or application testing. By tuning the system together with the customer, the SOC keeps false-positive alerts to a minimum, allowing customers to focus on genuine high-severity incidents when they occur.

Around the clock health monitoring

Our 24/7 SOC will monitor the appliance to validate that it is operating within normal boundaries. Our service will monitor:

Device throughput

DDOS Secure availability

Network, CPU and Memory capacity.

All incidents of this type will be classified using the ticket severity levels and SLA targets defined in the health, availability and capacity monitoring SLA section.

Support for issue resolution

In the event that a DDoS system availability or performance incident is identified by our availability monitoring solution, NCC Group administrators will work to begin remote remediation of that incident.

All incidents of this type will be classified using the ticket severity levels and SLA targets defined in the health, availability and capacity monitoring SLA section. Please note: where hardware support is required, the health, availability and capacity monitoring SLA shall not apply.

In some instances the NCC Group SOC will contact the customer to ask for the appliance power and network connections to be checked. In the event of hardware replacement, the customer shall be responsible for receiving, installing and applying a basic configuration to the device with remote support from an NCC Group engineer. We will then apply the latest configuration backup remotely and restore service.

Proactive patching and upgrade

In the event of a software upgrade becoming available, NCC Group managed service customers will receive a notification, containing details of the changes available in the software. Customers can then request the update to be applied by opening a change ticket on the NCC Group managed service portal.

NCC Group will prioritise the installation of any security- or vulnerability-related patches; these shall be applied by our engineers in agreement with the client.

NCC Group engineers will follow internal managed service change and release procedures, with full regression testing built into each change wherever practical; the customer will be responsible for completing any internal change management processes required.

Service reporting

The service will be reported on monthly, and is distributed via the managed service portal. The report is split in to two sections, described below:

Service Health

The service health section gives customers an indication of service availability, performance and capacity, broken down by device. The following table shows the reports generated as part of the service:


Report section | Frequency of production | Monitoring period | Report description
Device Health | Monthly / Real-Time Dashboard | 30 seconds | Report shows key measurements of capacity on system resources over the previous calendar month: memory usage, data throughput, CPU utilisation
Availability | Monthly / Real-Time Dashboard | 30 seconds | Report shows key measurements of availability of managed device(s) over the previous calendar month
Recorded Tickets | Monthly / Real-Time Dashboard | n/a | Report details all tickets logged for the client over the previous calendar month

Table 2 - Service reporting

Threat Analysis

The threat analysis section gives a summary of how the on-premise DDOS Secure equipment has been protecting the customer over the reporting period. This includes:

Threat analysis

Attack status

Throughput vs dropped. Please note that if a device is in analyse mode, no traffic has been dropped; the figure indicates what action would have been taken had the device been in defensive mode

Top worst offenders

Top incidents.

All reports are distributed via the managed service portal.

Configuration backup and restore

Before any change to configuration, NCC Group engineers will make a configuration backup in line with a change management process; the device configuration settings are stored in the NCC Group managed services Configuration Management Database (CMDB) using version control. In the event of hardware failure or a change needs backing out then the previous version can be restored from the NCC Group CMDB.

Secure Client Portal

Customers will have access to the NCC Group managed service portal, which shows the health and security alarms sent to the SOC for analysis. Customers can review events, statistics and incidents.


In addition to ticket status, customers also get access to a near real time DDOS Secure dashboard which shows significant alarms and attack status information, as well as information on availability, throughput and performance.

Figure 6 – DDOS Dashboard

4. Service boundaries

The following section outlines features that are not in scope of the managed service.

Not Included

Hardware costs and maintenance unless otherwise specified in the customer order form or proposal

SOC interactions with systems outside of the in scope DDoS appliances and management systems

Changes to the deployment architecture, once the service has been deployed.

Consulting (other than that delivered as the professional services engagement included with the service commissioning phase as detailed in the customer order form or proposal)

Site visits, e.g. to install/cable/rack a RMA replacement

Formal training.

Obligation to provide a function or feature not already present or pre-identified.

Figure 5 - NCC Group managed service portal


5. Customer responsibilities

The Customer agrees to inform NCC Group of any network or infrastructure changes that may impact on the service. This might include but is not limited to:

Any projected increases in, or abnormal usage of, the service outside the levels established and agreed in this service description, customer order form or proposal.

Any changes that may impact on the service or NCC Group’s ability to operate the service.

Any change that may have an impact on the capacity or throughput of the service or system including changes to bandwidth and logging levels.

Any change that impacts the scope of the managed service and associated licences, including additional users, monitored devices or throughput.

The customer shall supply contact details for a primary contact, who will communicate on a regular basis with NCC Group regarding any matter arising in connection with the operation and provision of the service to be provided by NCC Group.

The customer shall be responsible for all customer specific change processes and Change Advisory Boards (CABs), relating to changes and service requests raised.

6. Service variables

The customer order form or proposal document should record the following variable components of service supply:

Service commissioning professional services time

Number of VPN endpoints required and professional service time to configure

Quantity, make and model of each device to be managed

7. Supporting documents

This document should be read in conjunction with the NCC Group Master Service Level Agreement (MSLA) version 2.0 and the customer order form or proposal document.

8. Operating service hours

The NCC Group SOC operates 24 hours a day, 365 days a year. Health, availability and security alarms will be raised as per the service level targets.

9. Service levels

The following section provides an overview of the service level objectives for the managed DDoS protection service. This section should be read in conjunction with the NCC Group Master Service Level Agreement (MSLA) version 2.0.

Service availability

Operational effectiveness of the central NCC Group service (excluding hardware and software deployed to a customer's site), exclusive of any planned maintenance and/or migration of the service.

Objective | Target
Service Availability | 99.9% availability per calendar month
Emergency Outages | Less than or equal to one Emergency Outage per month

Table 3 - Service availability SLA


Health, availability and capacity monitoring

Managed devices are monitored for availability. In the event of an outage, an incident ticket will be created by NCC Group and reported to you according to the pre-agreed incident escalation process. Support target start times apply to the start of remote remediation only; for hardware-related incidents the target fix time is governed by the appliance support agreement.

Severity | Description | Target response time (24/7) | Support target start time (24/7)
PE – Pending | Un-assessed tickets | 15 minutes | N/A
L1 – Emergency | Loss of connectivity, total service outage or severe impairment on performance that prevents service from operating within SLA boundaries | 15 minutes | 1 hour
L2 – Critical | Critical component outage which impairs service capabilities or resilience, high severity capacity issue which will lead to an imminent outage | 1 hour | 4 hours
L3 – Priority | Loss of critical event feed from the monitoring system or capacity issue which could affect service in next 72 hours | 4 UK working hours | 8 UK working hours
L4 – Normal | Loss of non-critical event feed from monitoring system or early warning of capacity issues | 8 UK working hours | 3 UK working days

Table 4 - Health and availability SLA

Security alert triage

NCC Group SOC analysts will triage and log all relevant and agreed security alarms and shall escalate to the client primary contact in accordance with the timeframes set out below.

Important note: The remediation times set out in the table below apply to remediation settings being applied to the DDoS Secure appliance or requesting a change from the customer’s ISP. Remediation of DDoS is reliant on the appliance, ISP and BGP peering time on the Internet and is therefore out of scope of the SLA.


Severity | Description | Target response time (24/7) | Target remediation time (24/7)
PE – Pending | An incident has occurred, the consequences of which have not yet been identified; a technician will allocate the correct severity shortly | 15 minutes | N/A
L1 – Emergency | A major breach of security has occurred which requires immediate attention: unauthorised access has been obtained, or a denial-of-service attack has been successful | 15 minutes | 1 hour
L2 – Critical | A high-risk breach of security may have occurred, which requires immediate attention; OR a protective device has denied legitimate activity and may be preventing critical business activities from occurring | 1 hour | 4 hours
L3 – Priority | An attempt has been made to breach security, which was unsuccessful either because the attack was not valid or because a protective device denied the activity; OR a medium-risk breach of security may have occurred, which requires attention; OR a protective device has denied legitimate activity and may be preventing normal business activities from occurring | 4 UK working hours | 8 UK working hours
L4 – Normal | A low-risk breach of security may have occurred, which requires attention | 8 UK working hours | 3 UK working days

Table 5 – Security alert triage SLA