Automation Puts Time on Your Side During a DDoS Attack

During a DDoS attack, time is unforgiving. A few seconds can mean the difference between a successful mitigation and costly network downtime. Anything that accelerates your mean time to detect (MTTD) and respond (MTTR) to an attack is to your advantage.

That’s especially true in today’s cloud and enterprise environments, where the combination of greater dependence on internet connectivity, distributed applications and a wide range of evolving threats can overwhelm network and security operations teams. Security teams are under increasing pressure to make critical, on-the-fly judgements about which threats are real and which mitigation measures to deploy — all while the clock is ticking.

That makes automation a high priority in the selection of a DDoS defense solution. The right solution can buy you precious time by detecting attacks early and automatically deploying the appropriate countermeasures before the attacks impact network services. But automation must fundamentally block attacks while not blocking legitimate traffic, and it must inform the operator what was blocked and why. In other words, to be effective it must lead users to the right answer, provide context and supporting analytics and, most importantly, be human-guided — not ‘black box’.

Arbor Networks DDoS Solutions Leverage Automation in Three Ways

Built-In Countermeasures – Arbor Networks APS, our inline, always-on DDoS mitigation solution for enterprise and datacenter applications, incorporates more than 30 built-in automated countermeasures, each designed to detect and automatically engage on specific types of attacks based on our deep experience and knowledge of the attack landscape. When APS detects a particular attack, such as a TCP SYN flood, blacklisted hosts or multiple connection attempts from a single host, it automatically enables or disables the right countermeasures to surgically mitigate those attacks without impacting legitimate traffic, and it provides detailed analytics and reporting on the events.

If an attack happens to be in progress when the APS is initially deployed, its countermeasures can still activate immediately because it doesn’t require learning times or baselining. Although these built-in countermeasures are designed to work effectively right out of the box, many can also be custom-configured to trigger based on the user’s specific security policies and risk thresholds.

Dynamic Threat Intelligence – Arbor’s Active Threat Level Analysis System (ATLAS) is the world’s most extensive threat intelligence gathering platform, delivering near real-time visibility into global Internet threat activity. More than simply collecting and analyzing data, the Arbor Security Engineering and Response Team (ASERT) curates and operationalizes this threat intel into threat policies and countermeasure templates delivered via the ATLAS Intelligence Feed (AIF) directly into the Arbor APS and SP/TMS intelligent DDoS mitigation systems.

AIF contains a list of rules associated with different threat types, as well as risk levels (high, medium or low) associated with each type, and continually updates the Arbor deployment as new threat policies, rules, etc. are developed. If APS, for example, detects suspicious traffic flows that match active threat policies, it will automatically block the traffic and indicate what it blocked and why in real-time reports.

Cloud Signaling – Security experts are increasingly recommending a layered or hybrid DDoS protection strategy combining on-premises and cloud-based mitigation capabilities for maximum effectiveness. This gives the organization a scalable defense solution that can adapt to different types and sizes of attacks. Arbor offers a comprehensive portfolio supporting this hybrid approach.

On-premises protections can immediately detect and mitigate the majority of smaller-scale, ‘low and slow’ attacks that typically target firewalls, IPS systems and network perimeter devices, whereas larger-scale volumetric attacks are best mitigated at the service provider level in the cloud. Effectively thwarting these multi-layer attacks requires the two defensive components to work in synchronization.

Cloud Signaling is Arbor’s mechanism by which the on-premises component (Arbor APS) communicates in real-time with the service provider’s cloud component (SP/TMS, Arbor Cloud) to synchronize attack data and mitigation actions. If attack traffic volume at the premises escalates to a user-specified threshold, Cloud Signaling can automatically trigger the cloud-based DDoS mitigation countermeasure(s) and share attack data such as blocked IPs and misuse types. Security operators can also initiate Cloud Signaling manually when they see a growing threat. Arbor’s hybrid solution gives network and security teams substantial flexibility to configure and fine-tune their Cloud Signaling policies.
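To make the two behaviours above concrete (the per-host on-premises countermeasure from the Built-In Countermeasures section and the threshold-driven Cloud Signaling escalation described here), the following is an added Python illustration of such a policy. It is not Arbor code; the class, the connection-attempt limit, the volume thresholds and the signal message format are all assumptions made for the example, and the hysteresis band (separate "on" and "clear" levels) is included to show why a single threshold is not enough when attack volume fluctuates.

```python
"""Simulated hybrid DDoS escalation policy (added illustration, not Arbor code).

Models two behaviours: a per-host on-premises countermeasure that blocks a
source exceeding a connection-attempt limit within a sliding window, and a
cloud-signaling trigger that, once total inbound volume crosses a threshold,
emits an escalation message carrying the blocked IPs and misuse types for the
upstream scrubbing layer. All limits and the message layout are assumptions.
"""
from collections import defaultdict


class HybridMitigator:
    def __init__(self, conn_limit=100, window_s=10,
                 cloud_on_mbps=800, cloud_off_mbps=500):
        self.conn_limit = conn_limit        # SYNs allowed per host per window
        self.window_s = window_s            # sliding window length, seconds
        self.cloud_on_mbps = cloud_on_mbps  # volume that starts cloud mitigation
        self.cloud_off_mbps = cloud_off_mbps  # lower level that clears it (hysteresis)
        self.attempts = defaultdict(list)   # src_ip -> timestamps of recent SYNs
        self.blocked = {}                   # src_ip -> misuse type (the "why")
        self.cloud_active = False

    def on_syn(self, src_ip, ts):
        """Per-host countermeasure. Returns True if this source is blocked."""
        recent = [t for t in self.attempts[src_ip] if ts - t < self.window_s]
        recent.append(ts)
        self.attempts[src_ip] = recent
        if src_ip not in self.blocked and len(recent) > self.conn_limit:
            self.blocked[src_ip] = "tcp-syn-flood"   # recorded for reporting
        return src_ip in self.blocked

    def on_volume(self, mbps):
        """Cloud-signaling trigger with hysteresis; returns a signal dict or None."""
        if not self.cloud_active and mbps >= self.cloud_on_mbps:
            self.cloud_active = True
            return {"action": "start", "volume_mbps": mbps,
                    "blocked": dict(self.blocked)}   # share attack data upstream
        if self.cloud_active and mbps <= self.cloud_off_mbps:
            self.cloud_active = False
            return {"action": "stop", "volume_mbps": mbps}
        return None   # unchanged state: no signal, no flapping


if __name__ == "__main__":
    m = HybridMitigator(conn_limit=5)
    for t in range(7):                       # constructed burst from one host
        m.on_syn("203.0.113.9", t)
    for mbps in (600, 900, 700, 400):        # constructed volume readings
        print(mbps, m.on_volume(mbps))
```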

Intelligent Countermeasure Automation

It’s all about speed of detection and mitigation. Automation can put you out in front of an attack and multiply the effectiveness of your security team – but only if it provides the right level of network visibility.

Many DDoS solutions on the market rely heavily, if not entirely, on “set and forget” automation that requires extensive baselining and learning, yet in many cases still cannot distinguish a genuine attack from a spike in legitimate traffic, and they offer little or no attack analytics. The downside of this approach is threefold: false positives, blocked valid customer sessions and no visibility.

It’s important to select an intelligent DDoS mitigation solution that can rapidly and automatically distinguish actual attacks from traffic spikes and dynamically enable/disable the relevant countermeasures as the attack unfolds. It’s equally important to have the flexibility to update, reconfigure and refine automated response capabilities as the sophistication and techniques of DDoS attackers evolve and organizations learn more about the nature of attacks launched against them. Arbor’s intelligent yet human-guided countermeasures, near real-time threat intel feeds and cloud signaling technologies are based on the industry’s most in-depth understanding of DDoS threats, both known and emerging. By capitalizing on these three pillars of DDoS best practices, enterprises and service providers can more effectively and expediently protect their networks than ever before.
