Darren Anstee, Solutions Architect for Arbor Networks, talks us through the types of DDoS threats that currently pose a risk to business, including the motives behind them, the types of threat, and the sorts of businesses most affected. Darren also offers advice and solutions from Arbor Networks.
Tell us a bit about the background of Arbor Networks. What do you do, and what are you showing here at Infosecurity Europe 2013?
Arbor was founded in the year 2000 based on some research which was undertaken at the University of Michigan, and we are best known for our network threat detection, mitigation, monitoring and reporting solutions. Historically our strongest market has been in the service provider space, but as network threats have changed and as organisations have become more dependent on the internet for their business continuity, we have now started to leverage some of the technology, expertise and experience we have from providing threat detection and mitigation solutions to enterprise organisations around the world.
Firstly, let's talk about DDoS attacks. Many people might not know that there is more than one type, so describe what they are and tell us what the different types are first of all?
Many people, when you talk about DDoS attacks, tend to equate them with big bursts of packets that cause network or link congestion, and these are one of the types of DDoS attacks that we see going on out there, but it is only one of the kinds of DDoS attacks that we see. The others are things like TCP state exhaustion attacks, which aim to exhaust the state tables in firewalls, load balancers and the servers we have deployed out there. Then we have application layer attacks, and they are all about exhausting the applications themselves. Now the key difference between these three kinds of attacks is really how much traffic can be involved in them: the volumetric attacks, as I mentioned, are all about causing congestion within networks or within links. Exhaustion attacks can also be fairly large, or they can be more crafted, more stealthy and harder to detect, especially for service providers, and then we have the application layer attacks, which can be more stealthy still and more difficult to detect proactively for service providers. That has really led us on to layered protection from the DDoS threat. People need cloud-based DDoS protection to deal with the large volumetric attacks that are actually going on out there, but they also need network perimeter based defences to deal proactively with the more stealthy attacks that are going on out there, and again that comes back to the whole idea around how people have become more dependent upon the internet for their business continuity: they need more proactive defence from these more stealthy, complicated and sophisticated threats.
What are the motivations behind these different types of DDoS attacks?
That has really broadened over the past few years. Historically, when you asked people about DDoS attacks they would have talked about extortion targeting gaming businesses and things like that, and that still does go on. We have all seen the rise of ideological activism over the past few years, and we have also seen DDoS being used as a competitive weapon between rival businesses, where one organisation will DDoS another using a service that they have paid for on the internet, a DDoS service effectively. We have also seen them being used as part of cyber crime campaigns, so for example to distract a security team in banks from fraudulent wire transfers, or to distract end user organisations from data theft that is being orchestrated by malware and things like APTs.
Arbor Networks are part of the Red Sky Alliance. Tell us a bit more about that?
So the Red Sky Alliance is something that we are a founding member of. The Red Sky Alliance is about providing a forum for governments, large organisations and security vendors to share information amongst, effectively, a secure community about APTs, about the kinds of APTs that are going on out there and the kinds of breaches that people are seeing, so that we can start to understand what is common between the different things we see and also what is different. So you see it is a way of people talking about what they are seeing within a secure, vetted community, so we get as much sharing as possible without potentially disclosing more information than people are comfortable with.
And the partnership you have with other security vendors is interesting as well. Tell us a little bit about how those partnerships come about?
We share a lot of information with other security vendors so that effectively they know what we know and we know what they know. We all have different levels of visibility of what is going on out there, and historically a lot of organisations specialise in different areas. As Arbor have specialised in DDoS attacks historically, and because we have a very big deployed base in the service provider community, we have a lot of visibility of what is going on right across the internet, and ASERT, our research organisation, and our ATLAS system give us a fairly unique perspective of what is going on out there. There is a lot of valuable information about what kinds of threats are going on, how they are changing and which IP addresses are involved in those threats, and obviously we are sharing some of that information with some other security vendors and we are getting data from them in return.
Since you were here last year, what have you seen as the biggest change for you in security over the last 12 months?
I suppose from our perspective we have seen a continued evolution in the threats that are out there. We continue to see the DDoS attacks that are out there, and we are protecting our customers from attacks which are getting more complex, and seeing coordinated attacks going on out there such as the US financial attacks that have been happening for the last 6 months or so. So really we have just seen a continued evolution in the complexity of the attacks, the sizes of the attacks, and the level of coordination and resources the attackers are willing to invest to achieve their goal.