A new way to prevent Botnet Attack

Transcript

  • 1. Arbor White Paper Protecting IP Services from the Latest Trends in Botnet and DDoS Attacks Global Insights, Detection Strategies and Mitigation Methods
  • 2. About Arbor Networks
Arbor Networks, Inc. is a leading provider of network security and management solutions for enterprise and service provider networks, including the vast majority of the world’s Internet service providers and many of the largest enterprise networks in use today. Arbor’s proven network security and management solutions help grow and protect customer networks, businesses and brands. Through its unparalleled, privileged relationships with worldwide service providers and global network operators, Arbor provides unequalled insight into and perspective on Internet security and traffic trends via the ATLAS® Active Threat Level Analysis System. Representing a unique collaborative effort with 230+ network operators across the globe, ATLAS enables the sharing of real-time security, traffic and routing information that informs numerous business decisions.
  • 3. Victims of these crippling and widespread Internet-based attacks include Internet service providers (ISPs), enterprises and broadband subscribers alike. To make matters worse, Internet service subscribers are often unknowing participants in the proliferation and execution of many such attacks. This occurs when hackers covertly pirate subscribers’ high-speed connections and compromise their PCs—turning them into zombies that form a huge army of malicious botnets. Remotely controlled by hackers, these botnets wreak havoc throughout the Internet by executing all kinds of malware and DDoS attacks.
According to a recent study from Arbor Networks entitled “Worldwide Infrastructure Security Report, Volume III” (www.arbornetworks.com/report), botnets and DDoS attacks are the top concerns of today’s Internet service providers. Together with large-scale malware, these threats can severely compromise an ISP’s core equipment, resources and business-critical IP services.
Emerging technologies introduce additional vulnerabilities that put today’s networks at even greater risk of security threats. Service providers around the world, eager to obtain the operational and competitive advantages of new technical innovations, are accelerating their deployment of networks built on high-speed fiber optics and IP-based services, such as MPLS, IPTV, VoIP and VPN. Although there clearly is a broad range of benefits available from these new networks and services, there is an equally broad range of security threats that can seriously curtail or even wipe out those benefits. Service providers recognize that if they are to realize the promise of next-generation IP-based services, they must understand the nature and power of their cyber-enemies.
Armed with this knowledge, providers can deploy the necessary solutions designed to defend their networks and services from the threats that are out there today—and the ones that surely will emerge in the future.
Deliberate attacks on service provider networks are, and will continue to be, a major headache for ISPs and their customers. The U.S. Federal Bureau of Investigation (FBI) estimates that computer crime costs American companies alone a staggering $62 billion a year.
For each of the last three years, Arbor Networks has conducted a survey of service providers in North America, Europe and Asia to determine their experiences with security threats. This section provides subjective data from this survey (Worldwide Infrastructure Security Report, Volume III) in conjunction with objective findings from the Arbor Security Engineering and Response Team (ASERT), a world-renowned group of security engineers and researchers dedicated to monitoring Internet threats on a 24/7 basis. ASERT mines and correlates up-to-the-minute global security data, continually analyzing it to detect and qualify developing Internet threats.
DDoS Attack and Botnet Trends
Distributed denial of service (DDoS) attacks first made the news in February 2000 and have maintained a high media profile ever since—a fact made evident by the following headlines:
    • “Amazon.com, eBay, Yahoo Crippled by DoS Attacks” — February 2000
    • “Massive DDoS Attack Hits Internet DNS Root Servers” — October 2002
    • “MyDoom Becomes the Internet’s Fastest Spreading Worm Ever” — January 2004
    • “Top Threats in 2006: SQL Slammer & Blaster Worm” — October 2006
    • “Storm Worm Rages Through Internet Over the Weekend” — January 2007
    • “Cyber Attacks on Estonia” — May 2007
  • 4. DDoS Attacks Continue to Grow in Size and Frequency
According to data received from the survey, there has been a 140 percent increase in the size of the largest detected DDoS attack over the last three years. In 2007, the largest observed sustained attack was 24 Gbps, compared to 17 Gbps in 2006. Thirty-six percent of the surveyed ISPs reported that they had observed attacks of over 1 Gbps in 2007. This is significant because most Internet backbone links are 10 GB and enterprise circuits are multi-gigabit in size. Additionally, Arbor research conducted from September 2006 through August 2007, a period of 321 days, revealed that there were 362,394 DDoS attacks—an average of 1,128 attacks per day.
[Figure 1: Largest Bandwidth Attacks Reported, in Gbps by year, 2002–2011. Source: Arbor Networks, Inc.]
DDoS Attack Protocols
When asked in the survey “Which protocols were being used for the largest attacks, considering both packets-per-second (pps) and bits-per-second (bps)?” the responses were:
    • Largest Attacks (bps): Forty-three percent of the attacks were UDP floods (e.g., Smurf attacks or ICMP floods), 19 percent were application attacks (e.g., sending malformed DNS packets or opening excessive HTTP connections) and 18 percent were TCP SYN attacks.
    • Largest Attacks (pps): Forty-one percent of the attacks were UDP floods, 26 percent were TCP SYN attacks and 17 percent were application attacks.
Statistical data recently released by ASERT matches some of the survey responses:
Attack Subtype: Percent of Total Attacks
    • TCP SYN: 15.53
    • IP Fragment: 14.41
    • TCP Reset: 6.45
    • Private IP Space: 1.22
    • IPNULL Protocol: 0.78
    • TCPNULL Flag: 0.57
    • DNS: 0.23
  • 5. ASERT continues to see dramatic activity in this realm, with thousands of attacks occurring daily. Below is an excerpt of ASERT’s analysis of the above statistics.
    • Transmission Control Protocol (TCP) attacks continue to dominate the DDoS landscape, being both powerful and easy to launch. Attackers continue to favor this attack for its efficacy against a wide variety of services and hosts, providing both a bandwidth-exhaustion attack as well as a system attack on the host OS and application.
    • Although the number of DNS-based attacks (including DNS reflective amplification attacks) has increased, these attacks still have not grown to the level of popularity of common vectors, such as IP NULL protocol attacks.
    • Despite the relatively low prevalence of DNS-based attacks, there was much concern in the past year about DNS amplification attacks. But aside from a spike in March 2007 when their prevalence matched that of ICMP attacks, DNS attacks have been relatively infrequent. It is hard to say at this time if this is an actual relative prevalence or if this is due to the emerging deployments of sensors capable of classifying and mitigating DNS attacks.
Botnets Are a Top Concern for ISPs
Botnets, a major problem identified by ISPs, continue to plague the Internet. In fact, botnets are considered a growth sector within the attacker underground, with new code bases, uses and operators frequently appearing. For ISPs and network operators, botnets represent a multi-faceted threat. First, they remain a major source of DDoS attacks. Secondly, they have become a serious source of spam email traffic, which burdens the email processing infrastructure of all providers. Finally, the scanning and attack activity of a large botnet can disrupt normal network operations and cause outages.
For all these reasons, most ISPs are concerned with large-scale malcode, most commonly embodied in botnets. Not surprisingly, much of this concern was corroborated by respondents of the survey. When asked “What types of threats are you most concerned with?” botnets and DDoS attacks topped the list. The survey results were:
    • Primary Concerns: Twenty-nine percent of ISPs said botnets and 24 percent said DDoS.
    • Secondary Concerns: Thirty-one percent said botnets and 20 percent said DDoS.
ISPs observed that botnets were used for:
    • DDoS attacks (71 percent)
    • Sending spam (64 percent)
    • Parts of phishing systems (37 percent)
    • Open proxies (34 percent)
    • Storing ID theft information (16 percent)
    • Other (6 percent)
According to survey respondents, these new botnets exhibited the following characteristics:
    • They were smaller but more targeted, effective and organized.
    • They employed protected and deployed encryption, peer-to-peer and MD5 SHA-1 counter reconnaissance.
    • They were distributed in nature, making the attacks more complicated and the location of the master controller more difficult.
Botnet Growth Patterns
Recent ASERT research shows that botnet server lifetimes fall into a very specific pattern commonly referred to as a long-tailed distribution. The data from this research clearly indicates that most botnet servers—nearly 65 percent—are found and disabled within the first day of their operation. This suggests that there are very effective networks for gathering information about new botnets and sharing it with the right network or system operators. It is this communication that leads to disabling the host with the botnet IRC server. Overall, if a botnet is able to make it past the first day, it has a fair chance of surviving for several months or more. Research also shows that some botnets remain active for nearly a year. The fact that known botnets can operate for this long should be a call-to-arms for all ISPs.
Apart from a few bursts of activity, between 10 and 20 new botnet servers are found every day. Factoring in the number of such servers disabled daily, approximately 1500-1800 botnet servers are currently active—a number that is slowly rising. This trend is likely to continue as the number of IRC botnet servers keeps growing for the foreseeable future.
  • 6. Botconomics: The Underground Economy of Botnets
There are many reasons for a miscreant to initiate a botnet attack. Some attacks have religious or political motivation behind them. Some are simply ego-driven as professional hackers or script kiddies compete to see who can cause the most damage by infiltrating the biggest and most secure sites. With that said, the most serious attacks usually have financial goals in mind. Extortion, stealing money from compromised online bank accounts, luring innocent users to phishing sites, the illegal use of stolen credit cards—these are common results of botnet attacks. In fact, there is an underground economy emerging to support the building, selling and buying of botnet attack tools, an economy that Arbor Networks has coined “Botconomics.™”
Botconomics is fueling the rapid growth of the botnet world. The simple motivation behind the rise in botnets is money. Years ago, hackers had to be technically savvy and know how to write code to initiate an attack or create a botnet. Today, they can buy and sell that code in online markets, which are likened to traditional underground markets. In fact, there are such online communities available to anyone who earns their trust—usually demonstrated by getting a certain quantity of stolen credit cards, bandwidth or email addresses to build street credibility. ASERT has uncovered numerous sites which boldly market their botnets and booty. Here are some examples of common advertisements and related costs:
Item: Range of Prices
    • .net Domain Names: $0.05
    • nasa.gov Domain Names: $0.05
    • Proxies: $0.50 – $3
    • Credit Cards: $0.50 – $5
    • Email Passwords: $1 – $350
    • Email Addresses: $2/MB – $4/MB
    • Compromised UNIX Shells: $2 – $10
    • Social Security Numbers: $5 – $7
    • Mailers: $8 – $10
    • Scams: $10/week
    • Full Identity: $10 – $150
    • Bank Accounts: $30 – $400
Often these disreputable sites advertise their botnets via discreet email campaigns. A recently discovered email touted botnet servers that provided:
    • Excellent ping and uptime
    • Rotating IP addresses
    • Different ISPs
    • Intuitive user interface
    • Online technical support
    • SLAs: 100 percent uptime guarantee!
Botnets and attack code continue to evolve as the cat-and-mouse game between hackers and security vendors reaches new levels. Today’s hackers are even writing code to evade current AV databases, disable auto-update functions and evaluate botnet connectivity speed and availability.
  • 7. Question & Answer Session
Dr. Craig Labovitz
Q: Why is the number, frequency and intensity of infrastructure threats rising?
A: Over the last three or four years, the hacker/miscreant community has recognized that it is sometimes far more effective to go after the infrastructure than the end systems. So the attacker targets a particular Web site based on his personal or financial motive. Maybe it’s a gambling or porn site, an online bank or some other cyber community that hasn’t bent to his wishes or paid his [extortion] demand. By actually attacking the infrastructure, whether it be upstream routers, upstream interfaces or even things like the routing protocols, the attacker can be very effective in taking that institution off the network. In fact, that is sometimes easier than trying to attack an individual PC or workstation.
Q: Managed security services is clearly a growth market. Yet some enterprises may be reluctant to outsource their security. Generally speaking, who is best positioned to protect enterprise networks—the service provider or the enterprise itself? Or is the ideal protection an approach based on mutual cooperation between the two?
A: We are seeing a lot of interest in the latter. If the service provider is your internal network, then it makes sense for the service provider to offer internal security. In fact, there are some things only the provider can do. For example, large bandwidth attacks need to be blocked within the provider’s network. So it does make sense for many of these services to be offered in the cloud, where they can be scalable and provided more effectively.
Q: Are service providers and their customers to be relegated forever to the reactive mode? Or will they at some point be able to take the offense and go after would-be attackers before they attack?
A: Just like in banking, security is crucial to service providers and their customers. But I don’t walk into my local bank and worry about whether there’ll be some type of event while I’m there. I don’t worry about my money being safe in the bank. It’s not that bank robberies don’t happen, it’s just that there’s enough infrastructure in place that it’s not a daily concern. And I pay for that as a consumer—for the doors, the vaults and all the additional security. It just becomes part of daily life. It’s often said about security that it’s always a trade-off with usability. The Internet is no different. Today, a large number of folks out there are paying for network security features including DDoS protection, which most major service providers offer. These security features are either built into the basic price or there is a small additional fee. For the most part, it’s mostly a solved problem—at least for the moment. We aren’t seeing major sites like eBay, Yahoo! and Amazon coming under attack today like we did back in 2000. But it’s a cycle, like anything else. We’re entering a period of increased risk now as ISPs deploy advanced new services, next-generation networks, VoIP, convergence and other innovations—giving rise to more sophisticated zombie armies along with increased bot command and control. So the cycle continues.
  • 8. Multiple Advantages of In-Cloud Security
As a result, it is imperative that ISPs have the proper level of cost-effective, pervasive visibility into all network traffic in order to ensure the optimized delivery of next-generation network services. This visibility must penetrate all portions of an ISP network (including its backbone, peering and transit points, and customer aggregation edges) and cover all layers of the communications stack (extending from the physical layer, to routing and ultimately to the application-layer).
But pervasive visibility alone is not enough. ISPs also require intelligent visibility into their networks in order to:
    • Determine what’s “normal” versus “abnormal” network activity
    • Conduct BGP route analytics for traffic engineering
    • Identify the most cost-effective transit/peering relationships
    • Analyze customer traffic for new service opportunities
    • Detect and mitigate threats before they impact IP services and customers
In this day and age when cyber-crimes and attacks require little expertise, enterprises and ISPs are even more vulnerable to Internet-based threats, such as botnet and DDoS attacks. It also is becoming increasingly obvious that threat detection and mitigation can only be done effectively—both from a cost and performance perspective—from within the service provider’s network. Such “in-cloud” security services can deliver multiple benefits, namely:
Enterprise DDoS Protection
Enterprise customers continue to rely on their ISPs for business-critical functions such as e-commerce, VoIP, B2B connectivity, telecommuting and even back-end systems like CRM (e.g., Salesforce.com). The disruption of these services can have a major impact on business continuity.
Many enterprises are also beginning to realize that the high cost and low effectiveness of some in-house security systems do not make sense—specifically in the case of DDoS attacks. Therefore, some enterprises are now taking a “layered” approach and relying on their ISPs for in-cloud DDoS protection services to detect and mitigate such attacks before they jeopardize business continuity.
New Revenue Opportunities for ISPs
While some ISPs have looked at DDoS attacks as a curse, others have seized the opportunity to differentiate themselves and generate new revenue streams from managed security services. In fact, according to Arbor Networks’ Worldwide Infrastructure Security Report, Volume III, the number of surveyed ISPs who offer managed security services jumped from six in 2006 to 40 in 2007. Below are some examples of in-cloud DDoS protection services being offered by various service providers around the world today:
    • Belgacom: Clean Internet Services
    • British Telecom (BT): Managed DDoS Services
    • Cable & Wireless: Anti-Distributed Denial of Service and Secure Internet Gateway/DDoS Protection
    • COLT: IP Guardian
    • Rackspace: PrevenTier
    • SAVVIS: Network-Based DDoS Mitigation
    • TELUS: Managed DDoS Prevention
    • The Planet: Peakflow® DDoS Detection
    • Verizon Business: DoS Defense Detection and Mitigation
IP Service Assurance for ISPs
In-cloud DDoS detection and mitigation capabilities are not only new managed service opportunities for an ISP, but they also serve as network infrastructure protection systems that help maintain the quality of business-critical services, such as BGP routing, DNS and Triple Play. Specifically in the case of Triple Play services, ISPs must maintain a minimum quality of service (QoS) and reliable performance or risk losing their customers to the competition. Botnet and DDoS attacks can dramatically impact the performance and customer-perceived quality of these services.
It is imperative, therefore, that ISPs have the means to provide in-cloud security services that can quickly detect and mitigate network-based threats. As botnets and DDoS attacks continue to increase in size, frequency and complexity, they impact not only their target victims, but also the network infrastructure of ISPs that are, unfortunately, the conduit for these attacks.
  • 9. The Best Defense: Anticipating and Mitigating Attacks
With their networks and services under constant attack by an ever-growing rogue’s gallery of spammers, phishers, bot herders and other miscreants, service providers must invest more and more resources to secure their networks, reputations and profits.
To better understand and visualize complex networks, advanced security solutions such as Peakflow SP (“Peakflow SP”) use relational modeling to learn about a wide range of relationships on the network. Rather than taking the traditional approach of studying traffic only at a single point in the network, these solutions build an internal model of normal network conversations between/among many different network participants, including customers, departments, partners, peers or even the Internet as a whole. After determining the “normal” state of network operations, these security solutions apply various types of algorithms to detect any anomalies in the network.
Built-in anomaly detection capabilities enable solutions such as Peakflow SP to evaluate potential threats against a service provider’s or enterprise’s unique network baseline, virtually eliminating false alarms and making fast, accurate determinations. In addition, because these solutions are constantly learning, they do not require the same levels of tweaking and configuration that characterize many networking and security technologies.
With extensive visibility, service providers and large enterprises can make informed decisions about whether they need to increase network capacity—or whether they can delay infrastructure investments and lower costs by recovering bandwidth on the existing network. Having deep visibility into network resources also helps service providers gain the insight needed for performing traffic planning, making peering arrangements, conducting market-to-market analyses and analyzing routing patterns.
Multiple Methods of Threat Detection and Mitigation
The Peakflow SP platform is a comprehensive threat management solution capable of detecting, mitigating and reporting on many types of network threats. The Peakflow SP solution has the ability to detect attacks based on the following methods:
Misuse
Peakflow SP can be configured to detect high packet rates for specific types of network traffic, such as DNS, ICMP, IP fragments, IP null packets, TCP NULL, RST and SYN frames. Many DDoS attacks utilize these vectors to saturate or bring down circuits, servers or other IP services.
Abnormal Behavior
By profiling normal traffic levels, Peakflow SP can detect anomalous traffic shifts in the network. Consequently, service providers can detect availability threats before they impact a customer’s service.
Attack Fingerprints
The Arbor Security Engineering and Response Team (ASERT) conducts threat analysis on a global basis. One of the by-products of ASERT’s research is attack “fingerprints.” These fingerprints are the specific network behavioral patterns that individual attacks exhibit on the wire. Once these fingerprints are loaded into the Peakflow SP product, they become active security policies and can alert network operations and security personnel to violations.
BGP Hijacking
Sometimes referred to as “IP hijacking,” BGP hijacking is the illegitimate take-over of groups of IP addresses by corrupting Internet routing tables. BGP hijacking is sometimes used by malicious users to obtain IP addresses for spamming or launching a DDoS attack.
Dark IP Space Monitoring
Peakflow SP considers any traffic that it sees as destined for unallocated dark space as malicious traffic. This traffic includes IP addresses that might perform host and port scans. A significant increase in dark IP traffic could indicate new malware, worms or other threats propagating across the network.
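The misuse and dark IP checks described above, sketched as an added example (not Arbor's code and not how Peakflow SP is implemented): constructed flow records are bucketed into the traffic types the paper lists, per-destination packet rates are compared with thresholds, and sources that touch unallocated space are counted. The record layout, thresholds, window length and prefixes are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict, namedtuple

# One record per flow seen in a sampling window (constructed layout).
# tcp_flags is the OR of every TCP flag seen on the flow, as flow exports report it.
Flow = namedtuple("Flow", "src dst proto tcp_flags dport fragment packets")

WINDOW_SECONDS = 10  # assumed length of the sampling window
SYN, RST, ACK = 0x02, 0x04, 0x10

# Assumed per-destination alert thresholds (packets per second) for the
# traffic types the paper lists under "Misuse".
MISUSE_PPS = {
    "dns": 500, "icmp": 200, "ip_fragment": 300, "ip_null": 50,
    "tcp_null": 50, "tcp_rst": 300, "tcp_syn": 1000,
}

# Assumed dark space: a prefix the operator routes but has not allocated.
DARK_SPACE = [ipaddress.ip_network("198.51.100.0/24")]


def classify(flow):
    """Map a flow to one misuse traffic type, or None if it is not tracked."""
    if flow.fragment:
        return "ip_fragment"
    if flow.proto == 0:  # IP protocol field set to 0
        return "ip_null"
    if flow.proto == 1:
        return "icmp"
    if flow.proto == 6:
        if flow.tcp_flags == 0:
            return "tcp_null"
        if flow.tcp_flags & RST:
            return "tcp_rst"
        # SYN with no ACK over the whole flow: the handshake never completed.
        if flow.tcp_flags & SYN and not flow.tcp_flags & ACK:
            return "tcp_syn"
    if flow.proto in (6, 17) and flow.dport == 53:
        return "dns"
    return None


def misuse_alerts(flows, window=WINDOW_SECONDS, thresholds=MISUSE_PPS):
    """Return sorted (destination, traffic type, pps) tuples above threshold."""
    packets = defaultdict(int)
    for flow in flows:
        kind = classify(flow)
        if kind is not None:
            packets[(flow.dst, kind)] += flow.packets
    alerts = []
    for (dst, kind), count in packets.items():
        pps = count / window
        if pps > thresholds[kind]:
            alerts.append((dst, kind, pps))
    return sorted(alerts)


def dark_ip_sources(flows, dark_space=DARK_SPACE):
    """Return {source: number of distinct dark addresses it sent traffic to}."""
    targets = defaultdict(set)
    for flow in flows:
        dst = ipaddress.ip_address(flow.dst)
        if any(dst in net for net in dark_space):
            targets[flow.src].add(flow.dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def build_sample():
    """Constructed window: a SYN flood, ordinary web and DNS traffic, one scanner."""
    flows = []
    for i in range(50):  # SYN-only flows converging on one host
        flows.append(Flow(f"192.0.2.{i + 1}", "203.0.113.10", 6, SYN, 80, False, 400))
    for i in range(20):  # completed TCP sessions (FIN|SYN|PSH|ACK = 0x1B)
        flows.append(Flow(f"192.0.2.{i + 100}", "203.0.113.20", 6, 0x1B, 443, False, 300))
    flows.append(Flow("192.0.2.200", "203.0.113.53", 17, 0, 53, False, 500))
    for i in range(1, 6):  # one source probing unallocated addresses
        flows.append(Flow("192.0.2.77", f"198.51.100.{i}", 6, SYN, 445, False, 1))
    return flows


if __name__ == "__main__":
    sample = build_sample()
    for dst, kind, pps in misuse_alerts(sample):
        print(f"misuse: {kind} to {dst} at {pps:.0f} pps")
    for src, count in dark_ip_sources(sample).items():
        print(f"dark IP: {src} contacted {count} unallocated addresses")
```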
  • 10. Once Peakflow SP detects an attack, the solution offers multiple methods of mitigation, such as:
Access Control Lists
Peakflow SP can generate an access control list (ACL) for an attack with unique characteristics that can be defined using Layer 3-4 access controls. The ACL can then be manually entered into key routers to mitigate an attack.
Black-Hole Routing
Peakflow SP can easily be integrated into the BGP routing environment of any network. Peakflow SP can be configured to conduct BGP black-hole routing or off-ramping for an attack that must be dropped at the peering edge of the network. All traffic to the destination host or network is null-routed or sent to a next hop for inspection.
BGP Flow Spec
BGP flow spec provides a way to populate traffic filters through the BGP control plane. Peakflow SP can leverage routers with flow spec capabilities by transferring records over a BGP session between Peakflow SP and the routing infrastructure. ISPs can use flow spec to create a firewall or access control type functionality to IP-reachable resources within the network. This allows ISPs to surgically and dynamically provide filters to specific routers in the network through well-known control channels.
Third-Party Mitigation
Peakflow SP can be configured to off-ramp network traffic to a filtering device. Currently, Peakflow SP only supports Cisco Guard.
Fingerprint Sharing
One of the most unique features in the Peakflow SP solution is something called “fingerprint sharing.” Fingerprints are network behavioral patterns of known or emerging threats. These fingerprints are created by ASERT and distributed to Peakflow SP customers via a service called Active Threat Feed (ATF). Since DDoS attacks can traverse multiple service provider networks, Arbor created and helps facilitate an inter-service provider group called the Fingerprint Sharing Alliance (FSA).
The FSA allows ISPs to easily share fingerprint information with each other using their Peakflow SP products. The objective is to stop the proliferation of attacks as close to their source as possible. When a peer Autonomous System Number (ASN) shares an attack fingerprint, ISPs can either accept the fingerprint or reject it. If ISPs accept the fingerprint, they can monitor any alerts that generate from that fingerprint. This will reveal any matches to the network behavioral traffic patterns seen and reported by Peakflow SP. ISPs can then choose to mitigate that traffic using the various mitigation techniques that Peakflow SP makes available to them.
The Triple Threat to Triple-Play Success
Although the deepest possible visibility into network resources has always been vital to service providers, it promises to become even more so as ISPs migrate their networks to IP/MPLS-based infrastructures and execute on their triple-play voice/video/data strategies. In fact, service providers face a major threat to their ability to deliver the triple play.
The above-mentioned mitigation techniques are quick, cost-effective ways to stop an attack and/or reduce the collateral damage associated with an attack. However, in many cases these techniques also complete the attack by taking the target address(es) offline. The best way to stop an attack is to remove only the attack traffic while allowing the legitimate traffic to continue to flow. This is often referred to as scrubbing or surgical mitigation. The Peakflow SP Threat Management System (Peakflow SP TMS) augments the network-wide situational awareness of the Peakflow SP platform with application-layer attack detection and surgical mitigation.
  • 11. The Peakflow SP TMS device is a critical and fully integrated component of the Peakflow SP solution. Using deep packet inspection (DPI), Peakflow SP TMS provides application-layer insight, alerting and surgical mitigation. It enables service providers to protect their networks from the full spectrum of security threats, including botnets, DNS attacks, DDoS, worms, phishing, spam and spyware, all from a single console. Other key features of the Peakflow SP TMS device include:
Advanced Threat Countermeasures
Peakflow SP TMS can surgically mitigate threats using the following application-layer countermeasures:
    • White and Black Lists: Determine if specific hosts are allowed (i.e., white listed) or not allowed to pass through the Peakflow SP TMS device (i.e., put on a black list and scrubbed).
    • Detailed Filters: Detect and block traffic that matches user-defined details, such as host/destination IP addresses, port numbers, TCP/UDP header flags, etc.
    • HTTP Object and Rate Limiting: Detect and block traffic coming from hosts that exceed user-defined thresholds for the number of HTTP requests/second and HTTP objects downloaded/second.
    • Malformed Packets and DNS Authentication: Detect and block traffic that is coming from hosts sending malformed DNS requests, or when DNS authentication does not occur in a specified time period.
    • Idle Connection Timeouts and TCP SYN Authentication: Detect and block TCP connections that remain idle for too long, or cannot be authenticated by the Peakflow SP TMS device within a specified timeout.
    • Zombie Detection: Detect and block traffic from hosts that exceeds a user-defined threshold for packets-per-second (pps) or bits-per-second (bps).
    • Baseline Enforcement: Detect and block traffic per managed object (e.g., network interface) that exceeds the normal packet rate or protocol distribution baseline as automatically determined by the Peakflow SP system.
Packet Sampling
The Peakflow SP TMS device can conduct on-demand packet capture and provide limited packet decode.
Stacking
Up to three Peakflow SP TMS 2700 devices can be stacked together, forming a single logical unit that increases the total mitigation capacity to 8 Gbps.
By fusing flow-based network intelligence with deep packet processing, the Peakflow SP TMS device enhances the network-wide visibility of the Peakflow SP platform with more granular, application-level visibility, providing ISPs with application-layer mitigation, security and reporting capabilities.
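Baseline enforcement, as described in the countermeasure list above, sketched as an added example (not Arbor's code; the paper does not say how Peakflow SP computes its baselines): a packet-rate baseline and a protocol-distribution baseline are learned for one managed object and new windows are checked against both. The median/MAD rate limit, the total variation distance for the protocol mix, the tuning constants and the traffic windows are assumptions constructed for illustration.

```python
from statistics import median

WINDOW_SECONDS = 60  # assumed length of each measurement window

# Constructed history for one managed object (for example a customer
# interface): packets per protocol in five consecutive quiet windows.
HISTORY = [
    {"tcp": 54000, "udp": 5400, "icmp": 600},
    {"tcp": 51300, "udp": 5130, "icmp": 570},
    {"tcp": 56700, "udp": 5670, "icmp": 630},
    {"tcp": 52920, "udp": 5292, "icmp": 588},
    {"tcp": 55080, "udp": 5508, "icmp": 612},
]


def learn_baseline(history):
    """Learn the normal packet rate and protocol mix from quiet windows."""
    rates = [sum(w.values()) / WINDOW_SECONDS for w in history]
    rate_median = median(rates)
    # Median absolute deviation: a spread estimate that one outlier window
    # in the training data cannot inflate the way a standard deviation can.
    rate_mad = median([abs(r - rate_median) for r in rates])
    total = sum(sum(w.values()) for w in history)
    protocols = {p for w in history for p in w}
    mix = {p: sum(w.get(p, 0) for w in history) / total for p in protocols}
    return {"rate_median": rate_median, "rate_mad": rate_mad, "mix": mix}


def evaluate(window, baseline, k=6.0, mix_limit=0.25):
    """Check one window against both baselines and list what it violates."""
    total = sum(window.values())
    rate = total / WINDOW_SECONDS
    # 1.4826 * MAD approximates one standard deviation; the 5 percent floor
    # keeps a very flat history from producing a hair-trigger limit.
    spread = max(1.4826 * baseline["rate_mad"], 0.05 * baseline["rate_median"])
    rate_limit = baseline["rate_median"] + k * spread

    # Total variation distance between the window's protocol shares and the
    # learned mix: 0 means identical, 1 means completely disjoint.
    distance = 0.0
    if total:
        protocols = set(window) | set(baseline["mix"])
        distance = 0.5 * sum(
            abs(window.get(p, 0) / total - baseline["mix"].get(p, 0.0))
            for p in protocols
        )

    violations = []
    if rate > rate_limit:
        violations.append("packet_rate")
    if distance > mix_limit:
        violations.append("protocol_mix")
    return {
        "rate": rate,
        "rate_limit": rate_limit,
        "mix_distance": round(distance, 3),
        "violations": violations,
    }


# Constructed windows to evaluate against the learned baseline.
NORMAL = {"tcp": 55800, "udp": 5580, "icmp": 620}
UDP_FLOOD = {"tcp": 54000, "udp": 120000, "icmp": 600}
MIX_SHIFT = {"tcp": 30000, "udp": 3000, "icmp": 27000}  # normal rate, odd mix

if __name__ == "__main__":
    learned = learn_baseline(HISTORY)
    for name, window in (("normal", NORMAL), ("udp flood", UDP_FLOOD),
                         ("mix shift", MIX_SHIFT)):
        print(name, evaluate(window, learned))
```

The third window shows why the paper names two baselines: its packet rate is ordinary, so only the protocol-distribution check catches it.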
  • 12. Managed DDoS Protection Services
One of the current ISP trends is the rise in capital expenditures (CapEx) and the lowering of operation expenses (OpEx). As capital is being spent on infrastructure build-out and delivery of new services, there is a keen eye on the bottom line. Operating expenses and other costs are being kept to a minimum in order to ensure that these products and services are indeed profitable. Investments must solve multiple business problems and align with company strategies. In other words, purchased products must leverage as much of the ISP’s existing infrastructure and human resources as possible.
Peakflow SP is just such a strategic investment. As it is being used by network operations and security teams for cost-effective, pervasive network visibility, routing/peering analysis, traffic engineering and infrastructure security (e.g., DDoS detection), it can simultaneously be used by product managers to deliver new revenue-generating services, in particular, DDoS protection services. That’s because Peakflow SP has key features such as virtualization capabilities, templates and APIs that allow service providers to share and customize their services for multiple customers—thereby lowering the total cost of ownership and increasing profits. In fact, many of the previously mentioned managed DDoS protection services utilize Peakflow SP and Peakflow SP TMS products.
[Figure 2: Web Portal. Through a customer-facing, secure Web portal, enterprise customers can access reports and examine traffic patterns inside their service provider’s network. Source: Arbor Networks, Inc.]
  • 13. Conclusion
With DDoS attacks and other network security threats on the rise, ISPs and large enterprises are more vulnerable than ever before. The Peakflow SP solution provides cost-effective and pervasive visibility into the network. As a complete threat management solution, it enables ISPs to protect their network infrastructures and IP services against the full spectrum of security threats, such as DDoS attacks and botnets. Simultaneously, Peakflow SP can serve as a platform for service providers to offer new in-cloud managed DDoS protection services to their enterprise customers.
Links to related products and services:
    • Peakflow SP Data Sheet
    • Peakflow SP TMS Data Sheet
    • ATLAS™ Global Threat Intelligence
    • Arbor Security Blog
  • 15. Corporate Headquarters 76 Blanchard Road Burlington, MA 01803 USA Toll Free USA +1 866 212 7267 T +1 781 362 4300 Europe T +44 207 127 8147 Asia Pacific T +65 6299 0695 www.arbornetworks.com ©2012 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo, Peakflow, ArbOS, How Networks Grow, Pravail, Arbor Optima, Cloud Signaling, ATLAS and Arbor Networks. Smart. Available. Secure. are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of their respective owners. WP/IPSERVICES/EN/0612