October is Cyber Security Awareness Month, both in the EU and the United States! ‘Cyber Security’ is a very, very broad topic with many complex sub- (and sub-sub-) categories. Since we focus on Denial of Service as well as application layer attacks, there are several topics we will be writing about over this month. This first post will focus on DDoS protection and how attackers will view your network when you have it in place.
A while ago, I was in a meeting with a potential customer who was using another DDoS mitigation service. They started using the service several years ago after experiencing multiple attacks, but haven’t had any major attacks since. The CIO raised the question ‘Do we need a service like this if we aren’t being attacked?’, which served as an interesting discussion point. I’ll get to the answer in a moment, but it is worthwhile to take a quick look into how DDoS protection can be delivered.
There are three main ways to implement a DDoS mitigation solution. You can install on-prem hardware, buy a solution from your ISP, or use a cloud-based service. On-prem solutions are good at detection, but can’t provide much help if the attack exceeds your bandwidth; they need to be able to signal upstream (to a cloud service, for example) in the event of a large attack. ISP-based solutions are also quite popular, but tend to provide limited information and configurability. Additionally, if you have more than one ISP or assets in the cloud, this solution only protects part of your overall exposure. Cloud-based solutions provide the ability to protect your entire network by routing your traffic through a ‘scrubbing center’ (Threat Protection Center, in our case). The main thing to know here is that the Internet works by using ‘Border Gateway Protocol’ (BGP). Without going too deep into the nerdy side of things, BGP provides directions on how to get from your computer to a computer on another network. I recommend reading this Beginners’ Guide to BGP; it’s worth a few minutes of your time.
Because your incoming traffic is routed through the DDoS mitigation network, it is easy to see that your assets are protected by that provider. Take a look at the two examples below.
Looking at the ASN name field in the window (shout-out to DNSLytics and their excellent Chrome plugin), you see that this network is protected by Baffin Bay Networks. As another example, let’s check the homepage of Aftonbladet, one of the major Swedish news outlets not using Riverview.
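The same check the browser plugin does, automated, as an added example (not code from this post or from Baffin Bay Networks): it assumes the reply format of Team Cymru’s DNS-based IP-to-ASN service, uses constructed TXT records in place of a live lookup, and uses documentation ASNs and prefixes rather than any real provider.

```python
"""Added example: verify that an asset's announced origin AS belongs to your
DDoS mitigation provider, using the reply format of Team Cymru's DNS-based
IP-to-ASN service (<reversed IPv4>.origin.asn.cymru.com, TXT record).
The records below are constructed for offline use; AS64496/AS64497 and the
192.0.2.0/24 and 198.51.100.0/24 prefixes are documentation ranges."""
import ipaddress
from typing import Callable, Optional

# Constructed TXT replies keyed by the reversed-octet query name.
# Real reply format: "ASN(s) | BGP prefix | CC | registry | allocated".
SAMPLE_TXT = {
    "10.2.0.192.origin.asn.cymru.com":
        "64496 | 192.0.2.0/24 | SE | ripencc | 2017-01-10",
    "7.100.51.198.origin.asn.cymru.com":
        "64497 | 198.51.100.0/24 | SE | ripencc | 2015-06-02",
}
# Hypothetical: the ASN(s) your scrubbing provider announces your prefixes from.
MITIGATION_ASNS = {64496}


def origin_query_name(ip: str) -> str:
    """Build the reversed-octet name the origin.asn.cymru.com zone expects."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + ".origin.asn.cymru.com"


def parse_origin_txt(txt: str) -> dict:
    """Split a reply into fields; a multi-origin prefix lists several ASNs."""
    asns, prefix, cc, registry, allocated = [f.strip() for f in txt.split("|")]
    return {"asns": {int(a) for a in asns.split()}, "prefix": prefix,
            "cc": cc, "registry": registry, "allocated": allocated}


def lookup_origin(ip: str, resolver: Callable = SAMPLE_TXT.get) -> Optional[dict]:
    """resolver maps a query name to its TXT string (swap in a real DNS call)."""
    txt = resolver(origin_query_name(ip))
    return parse_origin_txt(txt) if txt else None


def is_behind_mitigation(ip: str, resolver: Callable = SAMPLE_TXT.get) -> bool:
    """True only if every origin AS for the prefix is the provider's; a second
    origin means traffic can still reach the asset without being scrubbed."""
    rec = lookup_origin(ip, resolver)
    return rec is not None and rec["asns"] <= MITIGATION_ASNS


def audit(ips, resolver: Callable = SAMPLE_TXT.get) -> list:
    """Return the addresses not fully announced by the mitigation provider."""
    return [ip for ip in ips if not is_behind_mitigation(ip, resolver)]
```

Run `audit()` over your public address inventory periodically; an address that drops out of the provider’s AS is exactly the gap a dedicated attacker looks for.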
In this case, you can see that they are using a competitor. (NOTE to Aftonbladet: Give us a call sometime, we can have Fika).
Getting back to the CIO’s question, it is quite possible that they weren’t attacked because they had protection. Very much like having visible cameras and a ‘Protected by ACME Alarm Company’ sign on your house, a casual attacker will go on to look for a softer target. This also forces a dedicated adversary to try alternate methods to attack your network, such as exploiting vulnerabilities in your websites and applications. This is precisely why we built our Web Application Protection and Threat Protection modules on top of our DDoS service. While the alarm sign is good, it also helps to have an actual alarm to find out when someone is trying to open the windows.
Here at Baffin Bay Networks, every month is cyber security month. It’s what we are passionate about, what we spend our time talking about, and what we try to help our customers with every day.
By: James Tucker, Director of System Engineering