Podcast | TAMA- we are not slowing down in the development of a proprietary anti-DDoS system
How does the TAMA work? What can ARFA do? What is EGIDA? What is most important when a DDoS attack occurs? What should be done to avoid the threats? It is worth remembering not to underestimate it. If we do not know what to do, we should turn to the experts. ‘An attack is not a question of whether someone will attack us at some point – it’s just the matter of how long they’ve been spying on our network.
Welcome to the 3rd podcast featuring Marek Makowski, EXATEL’s Chief Engineer for Advanced Security Services Development.
October is the European Cyber security Month. Just like every previous year, EXATEL uses this time to popularise the knowledge about the safety in cyber space. Our goal is to not only warn against the potential threats, but also to promote responsible use of the network. As part of my podcast series, I will talk with experts from the cyber security department about trends and threats in the security area and how EXATEL deals with them. Sylwia Buźniak, Senior HR Business Partner EXATEL. Let’s begin.
In today’s episode of the podcast, I’ll speak with Marek Makowski. He is an engineer from the cyber security department responsible for the development of TAMA, our proprietary antiDDoS. Hi Marek.
- Hi, thank you for the invitation.
Marek, I would like to talk to you about TAMA, in its broadest sense and its recent development. The commercial launch was in November 2019, since then, how is TAMA doing?
- It’s nice that you remember such an important moment for us, when we actually launched commercially, November 2019. Well, a lot has changed since then and it continues to change. The very beginnings were, I mean after the transition to the production stage of our solution, it was mainly about the transition of our customers from the commercial solution we used up to that point, to our proprietary one. With this, of course, came meeting the requirements, the requirements of the customers. This took us a while, because if I remember correctly it ended at the end of September 2020.
That’s almost a year.
- Yeah, yeah, it’s kind of like that.
And what scale are we talking about? How many customers were switched during that time?
- I don’t remember exactly. Around a hundred… We had to switch around a hundred services. This difference is that one customer can have more than one service. Therefore, if they have several locations or several points of Internet accesses then each one should be covered by a separate protection against DDoS attacks. This is more or less how it looked like.
Yhm. TAMA is already a service, right? It is a product that we provide… that we sell to the customers. We are now developing TAMA in the ARFA project.
Tell us what these new features are and how to… where do you get the requirements?
- We began the ARFA project, again subsidized by the National Centre for Research and Development. It’s a project where we’re focusing on the development of existing functionality. It’s because TAMA, first and foremost, in its original purpose, was to protect us from mainly volumetric attacks, the kind of attacks that are easiest to fight from a telecom operator’s point of view. As someone who provides this type of service is definitely able to do it more efficiently than the end customer, who usually has some kind of an access link of lesser capacity than the sum of the links owned by a given operator. It’s these functionalities, of course, we wanted to improve, but we also wanted to go further and start to address the problem of application attacks as well. As part of this project we are developing a solution we call EGIDA. This will be the next, another part of this layered protection. Another layer we will introduce, thanks to which we will be able to analysetraffic primarily in-line and apply appropriate rules to that traffic depending on what the requirements are, the customer’s requirements.
I also wanted to know, where do you get the requirements from. That is, how… on what basis do you make your decisions?
- Yes, well the requirements are taken from several sources. The first one, of course, is our experience in mitigating the attacks that we see on a daily basis, because, by the way, TAMA in its current edition, mitigates around a thousand attacks per month. It is definitely a warmed up product and we can say that – that it works. But of course, as you mitigate those thousands of attacks, some lessons can certainly be learned from each of these attacks and there are some things that can certainly still be improved, so we work on such elements non-stop. Learn the lessons and try to, let’s say, translate them into business requirements for our developers, so that it all goes the right way. The other source of inspiration in which direction this should go, are thecustomer’s requirements.
- Of course, the customers have their own specifics. We want to provide a protection service, first and foremost. It means that we do not want to provide a managed platform and say: ‘here, decide what you need there’, but to use our joint analysis of what already exists on the customer’s side and sort of selecting the latest resources and means to protect the customer’s infrastructure. Here again, in the course of workshops with the customers, different elements that can be done better emerge. Or ones that can be done in general, because, for example, we haven’t considered something. This is the principle on which we build a whole set of functionalities, which we are working on right now. So this is where we will use this EGIDA, this in-line element of ours. It will implement functionalities that are a kind of subset of our knowledge, customers’ requirements and those elements of design and development. It’s because, obviously, the developers here also definitely have their own ideas of how certain solutions should be implemented, in order to be effective.
Yhm. You’re speaking in plural form, tell me, who do you work with on a day-to-day basis, not on the developers side but on the side of the manufacturers of the cyber security department?
- First of all, with the system administrators, ours, the best ones in the universe and beyond, and with the first line, which is really supposed to respond in the fastest way possible to what has happened in the system, right? When the alarm rings off, those people have to react according to the scenario agreed with the customer. For example, they have to inform them of the start of the mitigation, because they have agreed to automatically mitigate the attack. Another way is to contact the customer in order to make orders, report and to decide if the mitigation is needed or not. This is because it can just be a false positive. It’s up to the team to determine that with the customer. For that, they need the best resources, to go through this process as fast as possible, because it is a system responsible for cyber security, regardless of the way we approach the DDoS attacks. Some people consider them to be less dangerous, however, they are a serious threat, able to disable the whole infrastructure, including the critical infrastructure. So here, our reaction time is very crucial and it’s very important that everyone is comfortable with working on this system and that they are able to work efficiently. Those are the people from the cyber security department but of course, as mentioned before, there are also the customers, the stakeholders because we also may need to consider the requirements of our architecture, which may bring us some development challenges. Have I mentioned the customers?
Sure, thanks. You mentioned that antiDDoS and DDoS can be treated differently but they are important. Which customers should become interested in an antiDDoS service? Regardless of whether it’s TAMA or another product. Only-
- I guess it’s probably everyone who has an Internet connection. In fact, this connection is an essential part of the continuity of the entity’s operations. Because if it’s true and if someone carries out an attack and is able to deactivate an entity’s infrastructure for a shorter or longer period of time, that’s when the problem really starts. The pandemic and well, the events of the 24th February, if I remember correctly, that is, the beginning of the armed conflict just outside our border. Those events have shown that these attacks are definitely happening increasingly. There is a noticeable increase in the number of DDoS campaigns carried out and in fact, anyone can now become a target. Of course, in the case of the pandemic as we all switched to remote working, including learning, since we also somehow support the education sector as a company and we provide services for them, we have seen that educational units are, or are associated with the area where attacks are carried out. The armed conflict in Ukraine has shown that the other actors often can become a target too, so we are operating in different fields.
Sure. You mentioned the past, and what is your forecast for the future? What should we pay attention to, what are your opinions?
- In the case of DDoS attacks?
In the case of DDoS attacks, yes.
- Most importantly, I think we should focus on this security being multi-layered. When it comes to the protection against the volumetric attacks, what is most crucial is the security provided by the Internet’s operator. This is the basis of the basics. The rest is all of those systems that will let us fight the volumetric attacks, ones provided by the operators as well or our own equipment (if the subject is able to afford such security methods.) But I guess that this will be a topic for the next podcasts. What can we do in such cases, if such an entity lacks resources and means in this area? There are many entities that can help then, not only us. However, most importantly, I wouldn’t dare to underestimate the threat, meaning that if we don’t know what to do, we should first and foremost, reach out to somebody who does and who could help us if needed. Because these problems are real, they occur. It’s not a matter of whether someone will attack us one day, it’s a matter of how long have they been spying on our network, right? It’s like-
- We should be addressing this, these kinds of problems. If we don’t have the knowledge, let’s find someone who can support us.
Sure, thanks for the topic for the next podcast. thank you for stopping by. Thanks a lot.
- Thank you very much.