Let’s assume an MSSP is offering a comprehensive DDoS service, including detection and mitigation, to a data center customer. The service includes a cloud-based DDoS component and a CPE-based, application-aware DDoS component. The cloud-based DDoS service is based on the Arbor Networks SP solution and the edge-based product is Arbor Networks APS.
First, the MSSP must provision the cloud-based service to accept cloud signals from the edge-based APS appliance. Using the SP user interface, APS is provisioned into an SP deployment that includes SP Threat Management System (TMS) appliances. The MSSP can then allow customers to either automatically start an SP TMS mitigation in the cloud or manually issue an alert when they want to initiate cloud signaling. In the manual option, the MSSP can decide either to accept the customer cloud signal to start a mitigation or to create a mitigation manually.
To ensure end-to-end cloud signaling, the edge-based APS appliance must be configured with the MSSP’s SP information, including IP address and customer authentication information.
Auto-Mitigation via Cloud Signaling
When APS detects an attack, the operator can manually signal the SP cloud deployment about the attack or preset APS to automatically send a cloud signal upstream when a threshold is reached. For the new mitigation, SP applies the mitigation template configuration that has been assigned in the APS customer configuration. Then it reports back to APS that a mitigation has begun. APS displays the mitigation status in the user interface, showing an active mitigation is taking place. If SP already has a mitigation running for the resource under attack, it conveys that to the APS appliance and disregards the mitigation request.
Operator-Assisted Mitigation via Cloud Signaling
If SP is configured for manual cloud-signaling mitigation for an APS customer, it creates an alert when it receives a cloud signal from the APS appliance and reports back to the appliance that the request was received. An SP operator would be required to initiate a mitigation based on the cloud signal.
An active heartbeat exists between the SP cloud deployment and the APS appliance on the customer premises. This assures that both products are available and operational at all times.
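The signal handling described in the two sections above (automatic mitigation, operator-assisted mitigation, and the heartbeat) can be modeled as a small state machine. This is an added illustration, not Arbor's code, API or wire format: the class, method names, status strings, the rejection of unprovisioned customers and the 30-second heartbeat timeout are all assumptions.

```python
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT_S = 30.0  # assumed value; the page gives no interval


@dataclass
class SPCloud:
    """Hypothetical model of the SP side of cloud signaling."""
    auto_mitigate: dict  # customer -> True (automatic) / False (manual)
    templates: dict      # customer -> assigned mitigation template
    active: dict = field(default_factory=dict)     # resource -> template in use
    alerts: list = field(default_factory=list)     # signals awaiting an operator
    last_seen: dict = field(default_factory=dict)  # customer -> last heartbeat

    def heartbeat(self, customer, now):
        """Record a heartbeat from the customer's APS appliance."""
        self.last_seen[customer] = now

    def peer_alive(self, customer, now):
        """True only if a heartbeat arrived within the timeout window."""
        seen = self.last_seen.get(customer)
        return seen is not None and now - seen <= HEARTBEAT_TIMEOUT_S

    def handle_signal(self, customer, resource):
        """Return the status SP reports back to the APS appliance."""
        if customer not in self.auto_mitigate:
            # Assumed behaviour: signals from unprovisioned APS are refused.
            return "rejected_unknown_customer"
        if resource in self.active:
            # A mitigation already covers this resource: disregard request.
            return "already_mitigating"
        if self.auto_mitigate[customer]:
            self.active[resource] = self.templates[customer]
            return "mitigation_started"
        # Manual mode: raise one alert per resource, even if APS re-signals.
        if (customer, resource) not in self.alerts:
            self.alerts.append((customer, resource))
        return "request_received"

    def operator_start(self, customer, resource):
        """An SP operator accepts a pending signal and starts mitigation."""
        self.alerts.remove((customer, resource))
        self.active[resource] = self.templates[customer]
        return "mitigation_started"
```

Repeated signals for the same resource are idempotent in both modes, so an APS appliance that re-sends during an attack neither stacks mitigations nor floods the operator with duplicate alerts.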
Real-Time Analysis and Reporting
The operators of both the cloud-based SP solution and the edge-based APS appliance can monitor the progress of the mitigation in real time. Both products also provide post-incident reports with details of the attack and steps taken to mitigate it.
How to Get Involved
For MSSPs and other managed DDoS providers, the Cloud Signaling Coalition can be an immediate competitive differentiator and can increase the revenues of existing service offerings. To inquire about participation, please complete and submit the request information form.