inner_arborinaction

Fingerprint Sharing Alliance

A community for coordinated, rapid attack resolution

The Fingerprint Sharing Alliance is a coalition of telecommunications companies around the globe that are stamping out network/cyber attacks that cross company boundaries, continents and oceans.

Distributed denial-of-service (DDoS) attacks, worms, and other cyber attacks can paralyze even the most well structured network for days, costing millions of dollars in lost sales, freezing online services and crippling a company's reputation. Hacker-controlled botnets can be used to attack a Web site or network on command, requiring little effort to knock a company offline. According to a recent report published in Cisco Packet Magazine, more than 30,000 computers are "recruited" into botnets everyday.

To date, resolving these threats across service provider networks is reactive and relationship-driven, consisting of a combination of phone calls and emails between colleagues.

Attack resolution requires real-time cooperation and coordination between service providers to identify a compromised or infected system as close to the absolute Internet ingress as possible. The community of service providers that are participating in the Fingerprint Sharing Alliance will be sharing cyber attack profiles, or "fingerprints" to stop attacks more quickly and closer to the source. This is the first time worldwide telecommunications companies have been able to share attack profiles automatically, allowing providers to consistently protect one another and their customers from today's distributed threats.

With the formation of the Fingerprint Sharing Alliance, a formerly laborious and tedious process has been replaced with an efficient and automated process, and a larger community can be engaged to solve significant threats to the Internet.

How does it work?

Arbor Networks added the Fingerprint sharing capability to Peakflow SP to allow companies to share attack fingerprints automatically without revealing any competitive information.

Peakflow SP does this by collecting data from devices around the network, which is then correlated to allow service providers to baseline the network and detect any deviations from normal, which are then flagged as anomalous. It is then determined whether the anomaly is a legitimate flash crowd, for instance during an online event, or a malicious attack. Network operators are then able to decide whether to mitigate it or to leave it alone.

When it's determined to be a malicious attack, Peakflow SP will then generate the fingerprint the service provider would share automatically and securely with select peers. The network administrator has absolute control over who will receive the shared fingerprint and the networks do not need to be adjacent. The recipients of the fingerprint have the option to accept or reject the sharing request when the incoming fingerprint is received.

Image
  1. Using Peakflow SP , Service Provider A detects and mitigates a DDoS attack .
  2. Service Provider A automatically sends the attached "fingerprint" to the relevant upstream providers affected by the attack.
  3. After securely receiving the fingerprint, the information is used by the upstream ISP to traceback, analyze, and mitigate the attack, thereby identifying and removing compromised hosts as close to the internet ingress points as possible.
 

Who is involved in the alliance?
Some of the largest telecommunications companies in the world are participating, including: