Webinar: Security of remote work | How to protect your company against DDoS attacks

A few dozen dollars is enough to effectively disrupt an organization in any part of the world. Learn how you can effectively prevent volumetric attacks.

Security of remote work: How to protect your company against DDoS attacks (27.05.2020)

Rafał Broda, Project Manager, EXATEL S.A.

Marek Makowski, Product Manager, EXATEL S.A.

— Marek Makowski —

The purpose of today’s webinar is to discuss the threats posed by the most popular cyber-attack, the DDoS attack, and to discuss EXATEL’s methods of dealing with this problem. Our company is a communications operator and has been in the market for over 20 years. A large part of our business is to provide professional data and voice transmission services. We provide such services in Poland, but we are also active in the international market, securing, among others, an east-west tie transmission line. Thanks to the upgrade of the network on the Warsaw-Frankfurt route, we are also able to provide transmission with the lowest latency, which is particularly important from the point of view of the financial market.

In addition, we are constantly expanding our network and adding new IP traffic exchange points, including international ones. We have created traffic exchange points in Paris and Prague, and we are growing all the time. The growth of our core business is closely linked to four areas: connectivity, cyber security, integrator services and innovation.

06:35

Today’s topic will specifically touch on cyber security and innovation. At EXATEL, we put strong emphasis on participation in innovative projects and development of our own technologies. A good example of this is the recently popular topic of 5G. At our company it came up as early as 2014. We joined the EU Rapid5G project at that time and several people were asking: Why would an operator focusing on landline services need such a topic? Today EXATEL can say that it is the originator and leader of the #Polskie5G project. We are convinced that participation in this type of innovative and development projects is the right path for us. Some time ago we decided to develop our own anti-DDoS platform. This platform is TAMA. In order to manage our network in an appropriate way, we build our own solutions based on software management. We participate in the SDNbox and SDNcore projects, developing these technologies on our part. An important element of innovation is also cooperation with scientific centres at home and abroad. This cooperation has been very successful and has produced excellent results.

EXATEL was one of the first companies to start implementing cyber security elements in the form of anti-DDoS protection around 2012-2013. Based on the experience we have gained since then, we wanted to create a system that was fully under our control and delivered certain fundamental features. From the operator’s point of view, an important aspect is protection against volumetric attacks – which are a big problem – and the ability to effectively repel them. The scalability and efficiency of the solution is also important. As our network is present in new traffic exchange points and is being expanded, we wanted to be able to control the security level in a smooth and flexible way, i.e. to adjust the solutions to our own requirements as well as the expectations of our cooperating customers. We are not dependent on any solution provider, but we make our own decisions – which functionalities we currently need, which security systems on the side of our clients we want to integrate with, and how we are going to do this. As the entire code is under our control, the delivery time for this type of solution is shorter.

12:00

— Rafał Broda —

To accommodate the features we have just mentioned, certain design assumptions had to be made. Our main goal was to comply with current programming standards while maintaining a reasonable cost. We targeted x86 architecture, non-specialised chips and processors. This is the trend in the global market today. Many solutions, including routers, are based on x86 architecture. Apart from the fact that they can be programmed in any way you like, there is another important feature – usability for the customer/end user, through the possibility of integration and a programmable interface. This is the direction the entire market is moving in. Another guiding principle was the obvious trend of increasing traffic volumes. In the current Covid-related situation, the increase in IP traffic is actually enormous (in our case it was a surge of over 20%). This assumption had to be taken into account and it paid off greatly. Today, in retrospect, we can say that scalability is ensured in such a way that at the level of access points / operator interface points, we are able to expand the system by adding more “boxes”. One of the assumptions also introduced a great synergy, because we were combining two worlds – the world of very advanced network engineers and the world of programming.

The “networkers” think about IP and developers think about agility, so some added value was, in a sense, extracted from the project, taking into account both geolocation and engineering expertise. As a result, we are able to boast very fast times, both in the response and in the learning of the entire system.

Another aspect that is standard in the operator market is multi-tenancy. It comes down to the fact that as a service provider, we need to ensure that we separate the business needs of different clients while taking into account their characteristics. Each client is different, and the solution must be tailor-made, on the one hand, and scaled in such a way that the computational resources (which are taken into account) are able to handle all customer needs, on the other. Besides, the system had to be quick to identify.

We always look at system/network security in terms of three dimensions: confidentiality (identity proofing), integrity (data protection) and availability, which is today’s topic. Example: We have an online store, and a database system in it. Everything is ready, goods are on the shelves in the warehouse, but customers cannot get to our store’s website. DDoS attacks are aimed precisely at the impairment of this last feature – availability. We divide DDoS attacks into volumetric attacks (consisting in link saturation), application layer attacks (directed at specific server resources) and – the most frequent – mixed attacks, that is having features of both volumetric and application layer attacks.

Nowadays we are already used to DDoS attacks. We should remember, however, that just countering a DDoS attack does not mean success yet, because very often cybercriminals do their homework, they learn, and it happens that a DDoS attack itself is just a cover for the actual attack. Example: There is a DDoS attack on our company and we get a message from the IT department that we have an hour break and need to step away from our computers. Employees take a break, and when they return, they resume their work with a sense of lost time. Many e-mails may have been received in the last hour and it is very likely that there may have been some phishing in those e-mails. So, let’s remember that a DDoS attack can be a trigger for some deeper action.

19:01

— Marek Makowski —

From our point of view, a DDoS attack means cutting off the infrastructure, and from the attackers’ point of view, this is now a very well-established business. If you search the relevant internet forums, the TOR network, you can come to some very interesting findings. We already know that we can order such an attack as a service. Prices start at a few dollars for short attacks, but these charges are highly dependent on the duration of the attack. If an attacker launches an attack from IoT infrastructure, which is usually poorly secured and can be easily taken over, such an attack tends to be cheaper. However, if the attacker had to work hard to take over some server infrastructure, which is already much more secure by definition, these types of attacks tend to be more expensive. Higher prices are also associated with higher risk to attackers (attacks on government infrastructure). For example, attacks on online stores are among the cheaper ones. It is also possible to purchase a subscription for DDoS attacks. Cybercriminals also create price benchmarks – they know how much someone in a given country is willing to pay for an attack, and one ordered from Poland will be much cheaper than one ordered from the United States. The reasons for carrying out attacks vary. Global statistics show that some cybercriminals like to get some good publicity and brag about their capabilities and effectiveness. We also see the standard extortion and racketeering (“pay up and we’ll stop attacking you”), sheer vandalism, damaging the competitors’ business, and attempts to manipulate financial markets. An area quite active in terms of DDoS attacks is the United States, which is considered to be the cradle of the financial market; there, introducing small delays in transactions already translates into very concrete losses.

— Rafał Broda —

We came across the latest statistics from April of this year, which show that the problem is there and still growing. These are global statistics; focusing on the Polish market, the tendency is almost comparable, although the values are lower.

There are two dimensions to an attack: its value and its speed. We define both of these parameters in our service (thresholds which, if exceeded, are regarded as suspicious). A very important thing derived from the statistics is the duration of the attack. Many attacks are short. 90% of attacks (worldwide) last less than an hour. In Poland, attacks lasting over an hour constitute only 1% of all attacks. However, the trend is growing.

— Marek Makowski —

When we come into the office on Monday, that’s when everyone has the most work and e-mails to read. Cybercriminals are well aware of our weekly rhythm and also like to do most of their work on Mondays. When it comes to the types of attacks that occur, a principle that Adam Haertle once mentioned applies: our attackers display the subtlety of a jackhammer, or a caveman with a club, because vulnerabilities of already well-established transmission protocols are most often exploited, and despite the fact that these vulnerabilities are well-known, these transmission protocols are still used, so these attacks continue to be successful. 90% of attacks use mechanisms related to the use of the TCP protocol and the synchronisation (SYN) flag.

28:37

— Rafał Broda —

Criminals are constantly on the prowl, newer and newer attack vectors are emerging, and COVID-19 in some ways amplifies this. Many of us work remotely these days. Our daily ritual is to eat breakfast, turn on the computer and connect through the VPN client to the concentrator. What if our VPN concentrator was flooded with so many packets that we couldn’t defend it? This is an IP administrator’s nightmare, from which we want to protect our clients.

We now have many services that have migrated to the broadly understood SaaS. I mean solutions like Office365 or cloud drives. What if there is a successful attack on such resources? It would be a euphemism to say that the providers of these services are unaware of the threat. Of course they are aware, and they already disperse this infrastructure at the design stage, so a single attack would not be able to put their business down but slow it down at worst. Another dimension is the retail customers, that is, we, the ordinary people. Let’s take an example of an online store. If an attack is effective and a certain shop’s website doesn’t load, I go to a competitor’s website, and the former loses money in the process. We should remember that a lot happens online without our knowledge. There are coexisting services that we, “the ordinary people”, are not aware of, yet a successful attack on them can cause a very large nuisance in our daily lives. Let’s take the example of DNS servers – translating this into everyday language: how many of us remember the phone numbers of our family members? Our brains are designed to memorise letters rather than strings of numbers, and the same is true of DNS systems. Typing EXATEL.pl, I don’t remember what the IP address of the site is. We live in a “Covid” reality and a sort of cyber warfare between the US and China, and we also might get hit by some shrapnel. Please recall the 2016 hacking attack on public DNS servers in the United States that caused many people to lose access to everyday services.

— Marek Makowski —

Who is really attacking us and who is controlling this situation? According to reports, a large portion of the attacks come from infected botnets located in Brazil (followed by China). In terms of who is controlling the attacks (decides to launch/activate them), the most prominent player is the United States. As for Poland, most of the unwanted traffic comes from our neighbours, Russia and Germany.

— Rafał Broda —

In the past, there were no specialised services that would be able to protect against DDoS attacks, so end users/institutions did the best they could. Statistics show that when asked “How does your institution deal with DDoS attacks?”, we still see that the tools used in response include traditional firewalls, next generation firewalls and IPS technologies. However, there is a growing awareness of the need to use specialised, multi-layer operator-class systems. Multi-layer protection is crucial. We’re not saying that all firewall solutions should be withdrawn; it’s more about the fact that they serve to provide security in other aspects. DDoS, as an attack on availability, concerns slightly different aspects. Why don’t firewalls and IPSs solve these types of problems? For one simple reason: they are in the very line of attack, they are stateful systems, i.e. they are monitoring every packet that comes into the edge of our network, they are inspecting it, so they themselves at some point can become a sort of bottleneck for that attack, because a large number of packets can simply flood them. Therefore, it is important to be aware that these types of attacks happen, and on the other hand, how you can deal with them.

36:48

We are of course aware that IT Security budgets cannot be stretched infinitely. In most companies, Security continues to be a “cost” item, and this is what our clients tell us as well. Imagine hiring an engineer responsible for anti-DDoS protection. It would be very difficult to justify in terms of budget because these attacks sometimes happen several days in a row, once every two weeks, sometimes on weekends, so it would be hard to fix a budget for such an employee. On the other hand, the market is becoming short of experienced engineers. There are several reasons for this. One of them is that Poland is in a way becoming a back office, not only in terms of services, but also in terms of technology. All it takes is one large global player/corporation entering Poland and “sucking out” from the domestic market engineers tempted by higher salaries, and local companies get into trouble. A good solution to this problem is to turn to the global “as a service” trend, and this is what we want to present to you.

— Marek Makowski —

On the one hand, it is a service model that results in some savings, and, on the other, it protects against the loss of these costs. We have statistics obtained from large and mid-segment business customers showing the costs associated with a successful cyber-attack. In the chart, we see that the top five are at very similar levels. This is mainly due to remedying the effects of the attack, increase in operating costs, loss of revenue, increase in insurance costs, and fluctuation in share prices (in case of joint stock companies). Our proposition is to combine the savings resulting from the “as a service” model with the reduced cost of a successfully executed attack. We believe that it is best to protect yourself already at the operator network level. The operator, due to the very nature of its business, has significantly higher capacities in its network and is able to take on a vastly different volume of traffic, and react in a much more effective way. When an attack reaches this “bottleneck”, which is e.g. a 10 Gbit/s access link of a particular client (attacks reaching tens of Gbit/s are not unusual nowadays), then allowing such traffic onto the link will effectively put it out of service.

As the operator has much higher capacity in its backbone network, it is able to act at the interface points and scrub the traffic appropriately. Our solution collects statistics from edge devices located at IP traffic exchange points, at interface points with other operators, and if appropriate attack signatures are met, mitigation will be triggered and traffic will be redirected to the nearest scrubbing centre, i.e., to a unit responsible for separating abusive traffic from legitimate traffic and sending the latter to the client. What our company proposes is primarily a distributed architecture, that is, we are placing scrubbing units. It is not one scrubbing unit placed in the central point of our network, so we do not have to take all this traffic on ourselves and pass it through the backbone network to send it to the client; instead we have these scrubbing units placed as close to the network interconnection points as possible, and this traffic is redirected there. It is an effective way to relieve the load on our network, and besides, it provides us with georedundancy, so even if one unit were so loaded with this traffic scrubbing that for some reason it could not cope, it is always possible to redirect this traffic to the second scrubbing unit, which will support it, and we are still able to work effectively and efficiently. As we are growing with our network, we simply add another “box” and provide the same level of security for our network against volumetric attacks all the time.

42:54

— Rafał Broda —

We have several packages that we offer based on our several years of experience. The core is the Anti-DDoS Basic service, which involves blocking all traffic directed to the attacked IP address. The service works all the time, examines the statuses, and blocks traffic to a given address in case an attack is detected and predefined thresholds are exceeded. All other traffic (other addresses and services) works as before, and the thresholds can be changed during the term of the contract, because both you and we are learning all the time, and the characteristics of the networks and services are changing all the time.

The product continues to evolve and is currently available in three basic off-the-shelf variants. The Standard package is a fully automatic service with a small limitation – protection of up to two zones, while the maximum number of items cannot exceed 10. By an “item” we mean a single IP address or a range of addresses. Standard also includes a monthly system report. The Advanced package differs from the Standard one in that you get support of second and third line SOC analysts. The last option is the customised Premium package.

— Marek Makowski —

We try to be flexible in all these packages, so we have entered the number of items, protected zones, that is groups, detection policies, mitigation policies, which are assigned to a given package, but we aspire to be a business partner that delivers what the client needs. If there is a need to protect 12 items in the Standard package, then of course we are open to discuss it. We do not insist on immediately shifting the client to a higher package. In the technical dialogue, we find out what is needed on the client’s part, and then we act accordingly. What is worth mentioning is the cooperation with our Security Operation Centre on the decision-making level – whether to perform mitigation or not (this is of course included in the Advanced package), while the definition of detection and mitigation policies itself is 100% provided by us in the pre-launch consultation. It’s not about turning the system on and forgetting about it, because any system, even the best one, if not properly configured, simply won’t work. We are always available for consultation and we are committed to getting things up and going in such a way that attacks are effectively countered.

In cooperation with NCBR, the development project has already been brought to a happy conclusion. However, we are working on the further development of this product and what we want to do is mapped for a year and a half ahead. If there are any suggestions or requirements from any of our business partners, then we meet, talk and we will certainly be able to find an agreement on what functionalities can still be included.

We are constantly expanding and trying to make the protection fit our needs.

Finally, the legal aspect: according to the current criminal code, the perpetrators of DDoS attacks can be prosecuted. This is done at the request of the victim, but let’s be honest: the effectiveness of such requests is unfortunately low and only makes sense when we have a suspicion as to who is behind the attack (e.g. when we have a hostile competitor), or if some kind of extortion is involved.

Rafał Broda, EXATEL
Marek Makowski, Engineer in the Defensive Security Team and Business Product Owner of anti-DDoS TAMA, EXATEL